Solved Internet not running right...

Ingeniero1 · 2007/07/19

[Resolved] Internet not running right...

Hello,
I believe I may have contracted a virus or ad bug. While viewing some websites (news, etc.) I get a message that something is wrong, the session ends, and I am asked whether to send a report to Microsoft - I usually don't. This happens very frequently together with a few pops ups the likes of which I have not seen in months.

After updating them, I ran Adaware and it found 100+ bugs and cleaned them up, Spybot found done. Then I ran them again, and Adaware found 50+ and Spybot none, but the problem persists.

Here is my HJT log:
===========================================
Logfile of HijackThis v1.99.1
Scan saved at 10:46:23 PM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HIJACK\Killer.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38F6C068-D427-423A-A4D4-FCBA02FCA142} - c:\windows\system32\dmdiuzey.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

========================================

Your suggestions wil be greatly appreciated.
Alex

Geri · 2007/07/21

Hi Ingeniero1

Was HJT run in safe mode? If so please post one in normal mode.

Please download VundoFix.exe to your desktop

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click OK.

Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

I see no Anti-Virus or FireWall running on your system. Do you have them?

Thanks
Geri

Ingeniero1 · 2007/07/22

Geri,
Downloaded and ran VundoFix. When done, it said it had found no files.
Here is vundofix.txt: (I deleted the empty lines to make the listing shorter...)
-----------------------------------
VundoFix V6.3.19
Checking Java version...
Sun Java not detected
Scan started at 9:15:01 AM 4/6/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 8:20:51 AM 7/22/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
------------------------------------
Here is the new HJT log:
==============================
Logfile of HijackThis v1.99.1
Scan saved at 8:25:54 AM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\HIJACK\Killer.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38F6C068-D427-423A-A4D4-FCBA02FCA142} - c:\windows\system32\dmdiuzey.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
=====================================
As far as the firewall and anti-virus, I am a bit confused.

Firewall: Don't my modem and router have a built-in firewall?

Anti-virus: Over the past 2+ years the good people here at BBS have helped me fix a number of problems, and I thought I had installed anti-virus such as 'killer.exe', 'kllbox.exe', and several others as recommended. I have even sent $15 twice to contribute to the sites that provided the software; I don't expect to get stuff for free.

Previosuly, I had bought a Norton program and that was a disaster to installl and run, and then it didn't do any good.

Maybe I need to start from scratch for protection sake?

Thanks for your help!

Alex
=======================

Geri · 2007/07/22

Hi Ingeniero1

Double-click VundoFix.exe to run it.
Right click in the white box
Click on add more files
* Copy&Paste the entries below into the top boxes

c:\windows\system32\dmdiuzey.dll
c:\windows\system32\mbpimbp.dll

* Click Add Files and Click Close Window

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click OK.

Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Don't my modem and router have a built-in firewall?
Click to expand...

They probabily do, but they are basic and do hot give the protection of a stand alone firewall.

I thought I had installed anti-virus such as 'killer.exe', 'kllbox.exe'
Click to expand...

These are tools to help remove nasties from your machine, Anti-Virus programs help protect you from getting them in the first place.

Both these are needed, and there are good free ones.

Here is a good Free AV, Download it, update it and run a scan on your computer, delete anything it finds. (On the right side you will see "Free ")
AVG Free

Here are two free good Firewalls, Pick One and install it.

Comodo
zonealarm firewall

I would suggest you read this.
Understanding Firewalls

Please post the new Vundo log and a new HJT log.

Thanks
Geri

Ingeniero1 · 2007/07/22

Hi Geri,
Added the two files, but received the same message: No files found.
VunduFix.txt as of 7/22/2007 2:43 PM
=====================================
(Complete file listing sans empty lines)

VundoFix V6.3.19
Checking Java version...
Sun Java not detected
Scan started at 9:15:01 AM 4/6/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 8:20:51 AM 7/22/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Beginning removal...

VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 2:39:25 PM 7/22/2007
Listing files found while scanning....
No infected files were found.
======================================
HJT log:
======================================
Logfile of HijackThis v1.99.1
Scan saved at 2:44:43 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HIJACK\Killer.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38F6C068-D427-423A-A4D4-FCBA02FCA142} - c:\windows\system32\dmdiuzey.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
======================================

I will do/try the AV and firewall you recommended later today. (Have to do work stuff now - Sunday!!!)

Thanks
Alex

Geri · 2007/07/22

Hi Ingeniero1

Ok Vundo should have added those to delete?

Lets do it this way.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.

Please double-click Killbox.exe to run it.

Select:

Delete on Reboot

then Click on the All Files button.

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

c:\windows\system32\dmdiuzey.dll
c:\windows\system32\mbpimbp.dll

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Now Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {38F6C068-D427-423A-A4D4-FCBA02FCA142} - c:\windows\system32\dmdiuzey.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll

Now close all windows other than HiJackThis, then click Fix Checked.

Close HJT.

After that, Reboot.

Please post a New HJT Log into this Thread.

Thanks
Geri

Ingeniero1 · 2007/07/24

Geri,

Geri said:

Hi Ingeniero1
Lets do it this way.

Please download the Killbox by Option^Explicit. DONE

[*] Please double-click Killbox.exe to run it.DONE
[*] Select:

Delete on Reboot

then Click on the All Files button.

DONE
[*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

c:\windows\system32\dmdiuzey.dll
c:\windows\system32\mbpimbp.dll
DONE, but I am not sure if both files were copied; I could see only dmdiuzey

[*] Return to Killbox, go to the File menu, and choose Paste from Clipboard.DONE

[*]Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).[/list]DONE - no messages

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.No problems

Now Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {38F6C068-D427-423A-A4D4-FCBA02FCA142} - c:\windows\system32\dmdiuzey.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
DONE, but I believe the first one had a 'file not found' message, but I could not read all of it
Now close all windows other than HiJackThis, then click Fix Checked.
DONE
Close HJT.

After that, Reboot.DONE

Please post a New HJT Log into this Thread.DONE - see below

Thanks
Geri
Click to expand...

Thank you!
======== HJT Log ==========================
Logfile of HijackThis v1.99.1
Scan saved at 8:31:21 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\HIJACK\Killer.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

===================================================

Geri · 2007/07/25

Hi Ingeniero1

Well that got rid of one, we need to kill this one.

sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll

We need to find the file path for this, sxkmkffj,

To do this
Click on Start "“ Search "“ All Files and Folders "“ Put, sxkmkffj in "All or part of the file name" spot. Scroll down and click on "More advanced options" Put a check on "Search system foldersâ€, Search hidden files and Folder" Search SubFolders. Click Search.
Write down the file path that is given on the right side so we can find it and delete it.

Thanks
Geri

Ingeniero1 · 2007/07/26

Geri,
(1) Ran the search (everywhere) for sxkmkffj, but it was not found.

(2) Downloaded, updated and ran AVG free. It found c:\windows\system32\mbpimbp.dll, which it said was a Trojan Horse BHO.BQ (?), and said had to restart the computer to heal. Restarted the computer, but the message repeated.

(3) Ran the search again (everywhere) for sxkmkffj, but it was not found.

(4) Ran AVG scan and it found 24 bad items, healed, and restarted. AVG again found mbpimbp and said to restart the computer. I did. Same result (found mbpimbp), so I cancelled that, ran HJT and started Windows BBS.

================== HJT ====================
Logfile of HijackThis v1.99.1
Scan saved at 7:13:42 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\HIJACK\Killer.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38F6C068-D427-423A-A4D4-FCBA02FCA142} - c:\windows\system32\dmdiuzey.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
=================================

Suggestions?
Thanks -

Geri - The AVG notices keep appearing - they themselves are a nuisance!
How do I stop them???
http://smg.photobucket.com/albums/0903/bonifacio7/?action=view&current=AVGnotice1.jpg

Geri - What a pain!!!

I have tried [Ignore], [Heal]& restart, and [Move to Vault] & restart, but everytimeI do something, the annoying notice pops up again!!!

Alex

Geri · 2007/07/26

Hi Alex

Please double-click Killbox.exe to run it.

Select:

Replace on Reboot

then Put a Check on the Use Dummy box.

Please copy the file path below to the clipboard one at a time by highlighting them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\mbpimbp.dll
c:\windows\system32\dmdiuzey.dll

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white button button. Click Yes at the Delete on Reboot prompt.

Please post a new HJT log.

Thanks
Geri

Ingeniero1 · 2007/07/27

Geri,

[SIZE= "4"]GOT IT!!![/SIZE]

I think.....
At least I did not get the AVG message.
Good job (on your part)!!! But let me know what you think anyway...
I believe the problem was how I was (improperly) running Killbox.
=========== HJT ================================
Logfile of HijackThis v1.99.1
Scan saved at 7:56:32 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\HIJACK\Killer.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38F6C068-D427-423A-A4D4-FCBA02FCA142} - c:\windows\system32\dmdiuzey.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

=================================

Quick question:
In the past, we had to get rid of the bugs in 'protected mode' and do a lot of gyrations. Perhaps with the new Killbox and AVG that is not, or will no longer be needed?

THANKS!!!
Alex

Geri · 2007/07/27

Hi Alex

OK please double click on KillBox again, when it opens click on "File" then "CleanUp" Delete all backup files and Delete all dummy files

Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {38F6C068-D427-423A-A4D4-FCBA02FCA142} - c:\windows\system32\dmdiuzey.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll

Now close all windows other than HiJackThis, then click Fix Checked.

Close HJT.

After that, Reboot.

Please post a New HJT Log into this Thread.

In the past, we had to get rid of the bugs in 'protected mode' and do a lot of gyrations. Perhaps with the new Killbox and AVG that is not, or will no longer be needed?
Click to expand...

Sometimes it is still needed, and sometimes it makes it easier to remove a bad file. It depends on the situation and the tool being used.

Geri

Ingeniero1 · 2007/07/28

Geri said:

Hi Alex

OK please double click on KillBox again, when it opens click on "File" then "CleanUp" Delete all backup files and Delete all dummy files
<< DONE >>

Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {38F6C068-D427-423A-A4D4-FCBA02FCA142} - c:\windows\system32\dmdiuzey.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
<< DONE >>

Now close all windows other than HiJackThis, then click Fix Checked.
<< DONE >>
Close HJT.

After that, Reboot.
<< DONE >>
Please post a New HJT Log into this Thread.

<< BELOW >>

Sometimes it is still needed, and sometimes it makes it easier to remove a bad file. It depends on the situation and the tool being used.

Geri
Click to expand...

============== HJT ======
Logfile of HijackThis v1.99.1
Scan saved at 8:25:06 PM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\HIJACK\Killer.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

===================================================
Sorry Geri; looks like those files are still there! But AVG is not 'saying' anything. Maybe I am doing something wrong?
Thanks -
Alex
==================
I ran HJT again, twice, to try to get rid of the "02...mbpimbp.dll" and "020...mbpimbp.dll" but to no avail. Even when running HJT immediately after it 'fixed' the files, they were still there, the same as after rebooting!
That "mbpimbp.dll" sure is a sticky bug!

Geri · 2007/07/28

Hi Alex

OK I see you have "Unlocker ".

First do this.

Enable the 'Show Hidden Files/Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Locate the file

C:\WINDOWS\SYSTEM32\mbpimbp.dll

Right-click and select 'Unlocker'
In the window that appears select 'Unlock All'
In the drop down menu select 'delete'.

Reboot your computer, do a scan with HJT and post the log.

If you can't find the file let me know and we will use a tougher tool.

Thanks
Geri

Ingeniero1 · 2007/07/29

Geri said:

Hi Alex
OK I see you have "Unlocker ".
First do this.
Enable the 'Show Hidden Files/Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. DONE
Uncheck the Hide protected operating system files (recommended) option. DONE
Click Yes to confirm. DONE
Click OK.DONE

Locate the file

C:\WINDOWS\SYSTEM32\mbpimbp.dllDONE

Right-click and select 'Unlocker'DONE
It said: "No Locking Handle Found... Select Action" I selected "Delete "
In the window that appears select 'Unlock All' Did not appear
In the drop down menu select 'delete'. DONE

Reboot your computer, do a scan with HJT and post the log.DONE - Below
If you can't find the file let me know and we will use a tougher tool.
Went directly to it with Internet Explorer. There was also one called 'mbpimbp.dll.bak', but Unlocker deleted it.

Thanks
Geri
Click to expand...

========== HJT =====================
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\HIJACK\Killer.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
=================================
Sorry to take so much of your time!!!

Alex

noahdfear · 2007/07/29

Hi Alex,

I'd like to get a copy of that C:\WINDOWS\SYSTEM32\mbpimbp.dll file. Please upload it to here. Leave a link back to this topic please.

Thanks!

Geri · 2007/07/29

Hi Alex

Sorry to take so much of your time!!!
Click to expand...

Hey, not a problem, that's what I do here, spend time.

Before doing the below fix, make sure you send noahdfear that file. He will pick it apart and It will help us better understand the infection and how to kill it.
Thanks.

After you do that, here is what we are going to do.

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file

Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete
C:\WINDOWS\SYSTEM32\mbpimbp.dll
Click to expand...

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually ".

Now click on the Magnifying Glass icon which will open a new window titled "View/edit script "

Paste the text copied to clipboard into this window by pressing (Ctrl+V).

Click Done

Now click on the Green Light to begin execution of the script

Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload ", The Avenger will actually restart your system twice.)

On reboot, it will briefly open a black command window on your desktop, this is normal.

After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt

The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

After the reboot Run HJT again (Scan Only) and fix these two entries,

O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll

Then reboot again and post The Avenger log and new HJT log.

Thanks
Geri

Ingeniero1 · 2007/07/29

Geri said:

Hi Alex

Hey, not a problem, that's what I do here, spend time. I appreciate that...

Before doing the below fix, make sure you send noahdfear that file. He will pick it apart and It will help us better understand the infection and how to kill it.
Thanks.
DONE (At least, I think I did...
After you do that, here is what we are going to do.

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file

Extract avenger.exe to your desktop

DONE

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Copied:
"Files to delete
C:\WINDOWS\SYSTEM32\mbpimbp.dll "

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

DONE

Under "Script file to execute" choose "Input Script Manually ". DONE

Now click on the Magnifying Glass icon which will open a new window titled "View/edit script" DONE

Paste the text copied to clipboard into this window by pressing (Ctrl+V). DONE

Click Done DONE

Now click on the Green Light to begin execution of the script DONE

Answer "Yes" twice when prompted.

Couldn't do it - Messages from Avenger:

1st: "Error - selected file does not appear to be a valid script" - [OK]
2nd: "Press OK to log error and Continue or Cancel to abort" - [OK]
3rd: "Error COde: 0 "

This is as far as I went...

Click to expand...

Alex

noahdfear · 2007/07/29

Alex,

Follow Geri's instructions again, but this time do not copy the quotation marks. The text to be pasted should appear exactly as below in bold.

Files to delete:
C:\WINDOWS\SYSTEM32\mbpimbp.dll

Ingeniero1 · 2007/07/31

noahdfear said:

Alex,

Follow Geri's instructions again, but this time do not copy the quotation marks. The text to be pasted should appear exactly as below in bold.

Files to delete:
C:\WINDOWS\SYSTEM32\mbpimbp.dll
Click to expand...

Oh, I did not include the quotation marks - I just added those in my text to let you know what I had copied; that is, two lines of text with the contents as shown within the quotes.

Anyway, I tried it again, twice - once by copying and pasting the lines of text, and once by typing the text by hand (in case there was a hidden character), but got the same results.

Should I reinstall Avenger?

Alex

Log in or Sign up

Solved Internet not running right...

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

noahdfear Inactive

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

noahdfear Inactive

Ingeniero1 Inactive Thread Starter

Share This Page

Log in or Sign up

Solved Internet not running right...

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

noahdfear Inactive

Geri Inactive Alumni

Ingeniero1 Inactive Thread Starter

noahdfear Inactive

Ingeniero1 Inactive Thread Starter

Share This Page

Useful Searches