Possible bug slowing down my internet?

Ingeniero1 · 2007/04/05

Hello,
I am not sure if this is 'bug' related.
I have run Ad-Aware and SpyBot (both up-to-date) several times over the past three days. Ad-Aware sometimes has not found anything, and other times it finds 25 bad files - which I then 'fix'. SpyBot has not found anything at all.

Access to internet pages (any) is fine when I first start the PC, but after a while it gets really slow.

Here is the Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:37:37 PM, on 4/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vvjicpem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Downloads\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Image Helper - {64D712D1-84D9-281C-CE7D-32439D631863} - C:\WINDOWS\system\bpmtcs32.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vvjicpem] C:\WINDOWS\system32\vvjicpem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - HKCU\..\Run: [vvjicpem] C:\WINDOWS\system32\vvjicpem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
----------------------------------------------------------------
Any problems I need to fix?

Thanks!
Alex

Geri · 2007/04/05

Hi Ingeniero1

It looks like you picked up a Vundo infection.

Please download VundoFix.exe to your desktop

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click OK.

Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Then please rename Hijackthis.exe to Killer.exe
Then Run a new HJT log.

Please post the two logs here.

Thanks
Geri

Ingeniero1 · 2007/04/06

Geri,
Downloaded and ran VundoFix, but it did not find anything.

Should I still rename Hijackthis.exe as Killer.exe and run Killer.exe?

(Just curious: How does changing the file name affect the results of running the program? Is there, perhaps, a line of code within the program itself that detects its own name and executes selected routines according to which name is used?)

Thanks!

Alex

Geri · 2007/04/06

Hi

How does changing the file name affect the results of running the program
Click to expand...

It does not change the running of the program, Some infections are now hiding from HJT, so by changing the exe they do not detect it as HJT and then show up in the log.

I need to know if you ran HJT in safe mode? Your log seems kind of short.

If you did, please run it in normal mode and post the log.
Please remember to rename it first.

Thanks
Geri

Ingeniero1 · 2007/04/07

Geri,
I ran HJT in regular mode the first time.

I renamed HJT as Killer.exe and ran it. Here is the log:
----------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:44:16 AM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vvjicpem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\HIJACK\Killer.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Image Helper - {64D712D1-84D9-281C-CE7D-32439D631863} - C:\WINDOWS\system\bpmtcs32.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vvjicpem] C:\WINDOWS\system32\vvjicpem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - HKCU\..\Run: [vvjicpem] C:\WINDOWS\system32\vvjicpem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

============================================

Thanks for your help -

Alex

Geri · 2007/04/07

Hi

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, the Advanced Options Menu should appear;

Select the first option, to run Windows in Safe Mode, then press Enter.

Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Thanks
Geri

Ingeniero1 · 2007/04/08

Geri,
Everything worked exactly as you suggested. Here are the reports:
=================================================
SDFix: Version 1.77
Run by Alex - Sun 04/08/2007 - 15:23:26.03
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:

Killing PID 136 'smss.exe'
Killing PID 212 'winlogon.exe'

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\CP1041.NLS - Deleted
C:\WINDOWS\SYSTEM32\VVJICPEM.EXE - Deleted
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll - Deleted
C:\WINDOWS\system32\msdrives\BIT10.tmp - Deleted
C:\WINDOWS\system32\msdrives\driverpp.sys - Deleted
C:\WINDOWS\system32\msdrives\iedrives.dll - Deleted
C:\WINDOWS\system32\msdrives\msdrv.exe - Deleted
C:\WINDOWS\system32\msdrives\msdrvctrl.exe - Deleted
C:\DOCUME~1\Alex\LOCALS~1\Temp\tmp5.tmp.exe - Deleted
C:\DOCUME~1\Alex\LOCALS~1\Temp\tmp6.tmp.exe - Deleted
C:\DOCUME~1\Alex\LOCALS~1\Temp\tmp7F.tmp.exe - Deleted
C:\DOCUME~1\Alex\LOCALS~1\Temp\tmp8.tmp.exe - Deleted
C:\DOCUME~1\Alex\LOCALS~1\Temp\tmp80.tmp.exe - Deleted
C:\DOCUME~1\Alex\LOCALS~1\Temp\abc123.pid - Deleted
C:\WINDOWS\iedrives.dll - Deleted
C:\WINDOWS\msdrv.exe - Deleted
C:\WINDOWS\msdrvctrl.exe - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\system\bpmtcs32.dll - Deleted
C:\WINDOWS\system32\ipv6mons.dll - Deleted
C:\WINDOWS\system32\koos.exe - Deleted
C:\WINDOWS\system32\poof - Deleted
C:\WINDOWS\winhp32.exe - Deleted
C:\DOCUME~1\Alex\LOCALS~1\Temp\tmp*.tmp - Deleted

Folder C:\WINDOWS\system32\msdrives - Removed
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019 "
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe "= "C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax "
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe "= "C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager "
"C:\\WINDOWS\\system32\\vvjicpem.exe "= "C:\\WINDOWS\\system32\\vvjicpem.exe:*isabled:vvjicpem "
-------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:35:07 PM, on 4/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\HIJACK\Killer.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

======================================

Appears the SDFIX cleaned up quite a bit. What do you think?

Thanks!

Alex

Geri · 2007/04/08

Hi Alex
Yes SDfix got rid of a lot, There are still a couple that we need to kill.

Lets see if we can do this with HJT.

Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll

Now close all windows other than HiJackThis, then click Fix Checked.

Close HJT.

Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore "), please delete these files (if present):

C:\WINDOWS\SYSTEM32\mbpimbp.dll <<This File

After that, Reboot.

Please post a New HJT Log into this Thread.

Thanks
Geri

Ingeniero1 · 2007/04/10

Geri,
Did everything OK (*) EXCEPT for the last step in Safe Mode.
When I tried to delete C:\WINDOWS\SYSTEM32\mbpimbp.dll, it said "Access denied, file in use of protected, cannot delete" (or something like that).

(*) After I clicked for HJT to fix the two selected items, the HJT box went blank and nothing else happened. So I closed HJT and rebooted in safe mode.

Here is the new log anyway...
=========================
Logfile of HijackThis v1.99.1
Scan saved at 11:11:02 PM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HIJACK\Killer.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
===================================
What should I do next?
Thanks
Alex

Geri · 2007/04/11

Hi

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.

Please double-click Killbox.exe to run it.

Select:

Delete on Reboot

then Click on the All Files button.

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

c:\windows\system32\mbpimbp.dll

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please post a new HJT log.
Thanks
Geri

Ingeniero1 · 2007/04/13

Geri,
DIi as you recommended with Killbox and it appeared to have worked OK.
However, I checked C:\Windows\System32, and the file "mbpimbp.dll" is still there with a date of 4/12/2007 as well as "mbpimbp.bak" with a date of 4/10/2007!

Here is the HJT log:
=======================
Logfile of HijackThis v1.99.1
Scan saved at 3:41:58 PM, on 4/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HIJACK\Killer.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
==================================

Just let me know what to do next...

Thanks!
Alex

Geri · 2007/04/13

Hi
OK Lets try this one.

Unlocker
Download Unlocker
Once installed:
Locate the file mbpimbp.dll (In your system32 folder)
Right-click and select 'Unlocker'
In the window that appears select 'Unlock All'
In the drop down menu select 'delete'.

Do the BAK file also.
Look for a file with this name also,and if it's there delete it.
sxkmkffj

Let me know if it deletes.

Then reboot and post a new HJT log.

Thanks
Geri

Ingeniero1 · 2007/04/17

Geri,
Downloaded and installed Unlocker, and successfully deleted mbpimbp.bak, but not mbpimbp.dll. Unlocker asked if it should deleted upon reboot, and said yes, but mbpimbp.dll is still there.

BTW, the computer 'seems' to be running OK, but I still would prefer to get rid of any 'bugs' as mbpimbp.dll may be.
Thanks

Alex

Geri · 2007/04/18

Hi
Was a file with this sxkmkffj in your system32 folder? Please look and let me know, if it is there try unlocker on it, then the mbpimbp.dll file then reboot.

Ok if that don't work then lets try this tool.
moveonboot

Either way, please post a new HJT log.

Thanks
Geri

Ingeniero1 · 2007/04/24

Geri,
1) No, sxkmkffj did not exist (or does not now anyway)
2) Loaded and ran moveonboot, but after selecting c:\windows\system32\mbpimbp.dll, and clicking on the delete option button followed by [Next], it said that it was going to start deleting the file, but when I press [Start] to do so, it says it cannot access the file to delete it!

The options to the "Start delete action" were [<Back] [Start] and [Cancel]. I thought perhaps there would be one that offered to delete on next reboot.

Here is the HJT log:
===================
Logfile of HijackThis v1.99.1
Scan saved at 5:44:35 PM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HIJACK\Killer.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

==========================

Let me know what next (that is, unless your patience has been exhausted)-
Thanks!
Alex

Geri · 2007/04/24

Hi

I thought perhaps there would be one that offered to delete on next reboot.
Click to expand...

Once you click start it should show a succeeded window and the next time you reboot it will/should delete the file.

So try a reboot.

If that does not work then we will try this.

Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Delete Files on Reboot(multiple files)

* Open HiJackThis
* Click on the tab "Misc Tools "
* Click on "Delete File on Reboot "
* Navigate to this file - C:\WINDOWS\SYSTEM32\mbpimbp.dll
* Double click on that file.
* HJT asks you if you want to reboot, now. Click No

Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll

Now close all windows other than HiJackThis, then click Fix Checked.

Close HJT

Reboot your computer now.

Please post a new HJT log.

Thanks
Geri

Log in or Sign up

Possible bug slowing down my internet?

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Share This Page

Log in or Sign up

Possible bug slowing down my internet?

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Share This Page

Useful Searches