how can i get rid of lbjei.dll & mshp.dll files that causes "Only the Best" pop-ups?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hank_dunce, Jun 23, 2004.

  1. hank_dunce

    hank_dunce Private E-2

    okay, folks.

    as my name describes, i am a complete and total computer dunce. i cannot get rid of these .dll files that are causing my computer to have porn pop-ups, as well as changing my home page to addresses starting with res://mshp.dll/index.html#37049 or res://lbjei.dll/index.html#37049

    i have already browsed some of the posts regarding this problem at majorgeeks.com, and i have done the following to try and prevent this problem:

    downloaded ad-aware and ran it
    downloaded spybot and ran it
    downloaded spyware blaster and ran it
    downloaded CWSshredder and ran it.

    now...it seems to have worked slightly. but, i downloaded HijackThis and these .dll files are still showing up in the registry. here is what my HijackThis log looks like after i ran the spyware programs:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:54:50 PM, on 6/23/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\DAP\DAP.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\APPIS32.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\HP OFFICEJET V SERIES\BIN\HPOANT07.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOEVM07.EXE
    C:\WINDOWS\SYSTEM\HPOIPM07.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\IPVG32.EXE
    C:\WINDOWS\IEBX32.EXE
    C:\UNZIPPED\AIDA32PE_393\AIDA32.BIN
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLWBSPD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lbjei.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lbjei.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lbjei.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://webfile.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lbjei.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lbjei.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lbjei.dll/sp.html#37049
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
    O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\SYSNI\SYSNI.DLL (file missing)
    O2 - BHO: (no name) - {01C6CDF5-AA54-D057-9086-211EEA30E063} - C:\WINDOWS\ADDSP.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [APPIS32.EXE] C:\WINDOWS\SYSTEM\APPIS32.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [MFCGU32.EXE] C:\WINDOWS\SYSTEM\MFCGU32.EXE
    O4 - HKLM\..\RunServices: [IPVG32.EXE] C:\WINDOWS\SYSTEM\IPVG32.EXE
    O4 - HKLM\..\RunServices: [IEBX32.EXE] C:\WINDOWS\IEBX32.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" "+b1"
    O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


    ...so, how do i get rid of these pesky things once and for all? i don't know how to use hijackthis at all, and i only downloaded it to see if these files were still present on my computer (i saw that you can do this with the screenshots of hijack). i did not delete anything in the hijack log. all of the directions that i read on majorgeeks to figure this out said to create a backup registry and i don't even know how to do that.

    the kind of pop-ups i am getting are these "Only the Best" pop-ups, and also pop-ups that begin with the address "search-all-fast.com" that usually are advertising fake spyware blockers.

    please help me, or i will be in big trouble. if you need more information, or if i am not being clear enough, i apologize, and let me know what you need.

    i saw before i even posted that this site wants you to post your computer specifics. here are mine according to AIDA32:

    Computer
    Operating System: Microsoft Windows ME
    OS Service Pack: None
    Internet Explorer: 5.50.4134.0100 (IE 5.5 - Windows Me)
    Computer Name: HPPAV

    Motherboard
    CPU Type: Intel Pentium IIIE, 850 MHz (8.5 x 100)
    Motherboard Name: Asus Pegasus
    Motherboard Chipset: VIA VT82C694X Apollo Pro133A
    System Memory: 128 MB (PC133 SDRAM)
    BIOS Type: Award Medallion (07/26/00)
    Communication Port: Communications Port (COM1)
    Communication Port: Communications Port (COM2)
    Communication Port: Printer Port (LPT1)

    Display
    Video Adapter: NVIDIA Vanta (HP)
    3D Accelerator: nVIDIA Vanta
    Monitor: HP D5259A Pavilion M70 (THTBS04521)

    Multimedia
    Audio Adapter: Creative SB PCI128 (Ensoniq ES1371) Sound Card

    Storage
    Floppy Drive: GENERIC NEC FLOPPY DISK
    Disk Drive: GENERIC IDE DISK TYPE47
    Optical Drive: HITACHI DVD-ROM GD-7500 (12x/40x DVD-ROM)

    Partitions
    C: (FAT32) 19525 MB (15679 MB free)

    Input
    Keyboard: HID-compliant keyboard
    Keyboard: HP USB Multimedia Keyboard/Hub - Keyboard Device
    Keyboard: Standard 101/102-Key or Microsoft Natural Keyboard
    Mouse: PS/2 Compatible Mouse Port
    Game Controller: Microsoft PC-joystick driver

    Network
    Primary IP Address: 172.164.164.76
    Primary MAC Address: 44-45-53-54-00-00
    Network Adapter: AOL Adapter
    Network Adapter: AOL Dial-Up Adapter
    Network Adapter: PPP Adapter. (172.164.164.76)
    Network Adapter: PPP Adapter.
    Modem: Lucent Win Modem

    Peripherals
    Printer: Canon BJC-4100
    Printer: hp officejet v series fax
    Printer: hp officejet v series
    Printer: QuickLink III
    USB Device: Generic USB Hub
    USB Device: Generic USB Hub
    USB Device: hp officejet v series
    USB Device: HP USB Multimedia Keyboard/Hub - Hub Component
    USB Device: HP USB Multimedia Keyboard/Hub - Composite Device
    USB Device: HP USB Multimedia Keyboard/Hub - HID-type Devices
    USB Device: HP USB Multimedia Keyboard/Hub - Keyboard Device

    thank you!
    (hank)
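A small triage script for a HijackThis log like the one above, added here as an illustration and not code from the original thread or from the HijackThis project. It parses the `R0`/`R1`/`O2`/`O4`/`O6` entry lines, extracts the DLL names that the hijacked start and search pages resolve into (the `res://` values), and marks the entries that deserve a look. The sample log is a constructed subset of the poster's entries; the flagging rules (`res://` pages, BHOs marked "file missing", RunServices autostarts, IE policy restrictions) are this example's own assumptions, not HijackThis logic, and a flagged line still needs a human decision before anything is removed.

```python
import re

# Constructed sample in the shape of the HijackThis v1.97 log above: a subset of
# the poster's entries, copied here so the block runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lbjei.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lbjei.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\RunServices: [IEBX32.EXE] C:\WINDOWS\IEBX32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
"""

# Every HijackThis entry has the shape "<section> - <rest>", e.g. "R0 - ..." or "O14 - ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Pulls the DLL file name out of a res:// value, with or without a directory in front of it.
RES_DLL_RE = re.compile(r"res://(?:.*[\\/])?([^\\/#]+\.dll)", re.IGNORECASE)


def parse_entries(text):
    """Split a log into (section, body) pairs, skipping the header and process list."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def hijacked_dlls(text):
    """Lower-cased names of the local DLLs that R0/R1 page values point into."""
    names = set()
    for section, body in parse_entries(text):
        if section in ("R0", "R1"):
            m = RES_DLL_RE.search(body)
            if m:
                names.add(m.group(1).lower())
    return names


def reasons_for(section, body):
    """Why an entry deserves a look; empty when nothing in the line stands out.
    These heuristics are the example's own assumptions, not HijackThis rules."""
    reasons = []
    if section in ("R0", "R1") and "= res://" in body.lower():
        reasons.append("start/search page points into a local DLL resource instead of a web URL")
    if section == "O2" and body.endswith("(file missing)"):
        reasons.append("BHO registration whose DLL no longer exists on disk")
    if section == "O4" and "RunServices" in body:
        reasons.append("starts at boot via RunServices; confirm the executable is expected")
    if section == "O6":
        reasons.append("IE policy restrictions are set; hijackers use these to lock the home page")
    return reasons


def triage(text):
    """Return [(section, body, reasons)] for every entry with at least one reason."""
    flagged = []
    for section, body in parse_entries(text):
        reasons = reasons_for(section, body)
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    print("DLLs referenced by hijacked IE pages:", sorted(hijacked_dlls(SAMPLE_LOG)))
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {body}")
        for reason in reasons:
            print("    -", reason)
```

Run on the sample, the script names `lbjei.dll` as the file the hijacked pages load from and flags the two `res://` page entries, the missing SpyBot BHO, the `IEBX32.EXE` RunServices entry and the `O6` restriction line, while the Yahoo search bar, the Adobe BHO and the `hpsysdrv` Run entry are left alone. Feeding it a full log only narrows the list a person has to read; which flagged files are actually malware is still a judgement made against the rest of the thread.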
     
  2. Chappo

    Chappo Private E-2

    OK I had this same problem and it took me about 2 hrs to fix it once I followed what chaslang told svengali to do. Read this thread and follow it to the letter (all three pages).

    http://www.majorgeeks.com/vb/showthread.php?t=35165

    Also check my last entry on

    http://www.majorgeeks.com/vb/showthread.php?p=375305

    for a very quick summary of how I fixed the problem.

    Note that with the svengali thread you need to work out which files to delete as the names will be different on your computer. On your logfile I think the following have to go:

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
    O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\SYSNI\SYSNI.DLL (file missing)

    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\RunServices: [MFCGU32.EXE] C:\WINDOWS\SYSTEM\MFCGU32.EXE
    O4 - HKLM\..\RunServices: [IPVG32.EXE] C:\WINDOWS\SYSTEM\IPVG32.EXE
    O4 - HKLM\..\RunServices: [IEBX32.EXE] C:\WINDOWS\IEBX32.EXE


    but I'm no expert so you should check everything carefully. I recommend you print out svengali's thread and any links mentioned. Print your logfiles and highlight the files that need to go, use the search function to find them and delete them (there will be more than one copy of some of them and they will be in more than one place).

    DO NOT USE MY THREAD AS YOUR GUIDE IT DOESN'T HAVE ENOUGH INFO!

    The only thing I didn't do that chaslang said was to open the ?????.dll file, delete the content and then save as an empty file. I just deleted everything. I wouldn't recommend leaving out anything else.

    MAKE SURE you have hidden files turned off so you can see everything.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Everything is correct Chappo but this line:

    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

    That line is okay. It is part of HP computers. It keeps track of how many times the system has been recovered and the times of the first and last recoveries done on the system.

    Also the SDHELPER.DLL (file missing) line indicates that this bug has deleted this SpyBot file. Meaning SpyBot will need to be reinstalled at some point.
     
