TechSpot

IE Popups While Using Firefox

By theredlaugh
Jun 5, 2008
  1. Tried fixing my problem of popups and extremely slow computer with CA Internet security, AVG, BitDefender, AVG, Ad-Aware, and NOD32. I am not sure what could be the problem. Logfile attached. Thank you for helping.
     

    Attached Files:

  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Big Log

    Go to Task Manager (Ctrl + Alt + Del)
    And right click on "vbpdtvdp.exe", and select "end task"

    Then locate C:\Windows\system32\vbpdtvdp.exe, and delete it

    Then go to Viruses/Spyware/Malware, preliminary removal instructions
    And complete all steps

    You may also want to remove all the startup stuff, including vbpdtvdp.exe!
    You can use Startup Control Panel and untick everything (just untick)

    I'd also recommend you clean out all temp files, before you start scanning.
    CCleaner will do this for you
     
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    This has some interesting infections in it.

    That file is hooked, leave it till later. Needs special attention using OTMoveit

    do you notice any other special infections in the log? The ones causing popups

    do you notice anything strange about their AV product?
     
  4. theredlaugh

    theredlaugh TS Rookie Topic Starter

    Completely Lost with these popups

    I cannot fix this problem. SpyBot Search & Destroy found many things, but the popups persist. IE popup most often to multi-pops dot com. The IE window always and immediately freezes. Computer often unresponsive. Here is Spybot process log file and new hijackthis report. Thank you for helping, I do appreciate it.
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I will just answer my own questions I suppose. First off all, you have some infections that I have not seen in a while. You have spywareQuake and CWS.


    Step1

    We are going to download the first set of programs we will be using.

    Download:
    • Please download LSPFix from HERE.
    • Download CWShredder from HERE to its own folder.
      Update CWShredder
      * Open CWShredder and click I AGREE
      * Click Check For Update
      * Close CWShredder
    • Download Smitfraudfix by S!ri from HERE


    --------------------------------------------------------------

    Step 2
    ********PRINT OR SAVE THIS SECTION TO A NOTEPAD FILE ON YOUR DESKTOP TO HAVE WHILE IN SAFE MODE**************

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    ------------------------------------------

    Run Smitfraudfix
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt, attach it here at the end.

    -----------------------------------------------------------

    Still in safe mode
    Run CWShredder
    Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

    -----------------------------------------------------------

    Step 3
    Now you are back in normal mode
    LSP fix
    A .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
    1. Run the LSPFix.exe that you downloaded in step 1
    2. Check the I know what I'm doing box.
    3. In the Keep box you should see one or more instances of mdnsnsp.dll
    4. Select every instance of mdnsnsp.dll and move each one to the Remove box by clicking the >> button.
    5. When you are done click Finish>>.

    -------------------------------------------------------

    Run a new scan with Hijackthis and in your reply I want to see:

    1)C:\rapport.txt from smitfraudfix
    2)Fresh Hijackthis after following everything else
     
  6. theredlaugh

    theredlaugh TS Rookie Topic Starter

    Finishing logs.

    I don't know why you took time to find my problem and quickly respond with detailed instructions to fix it, but I am indebted. I hope you get paid. It so happens that the rapport log is 244 KB, and the max is 100. I can e-mail it or...? Hijackthis attached. Thanks so much.
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    just break it up into 3 attachments using notepad

    or copy and paste it

    or email it
     
  8. theredlaugh

    theredlaugh TS Rookie Topic Starter

    Rapport.txt #1,2,3

    Here is the Rapport in three text files. Thank you for your patience.
     
  9. theredlaugh

    theredlaugh TS Rookie Topic Starter

    The process did not seem to work. My computer is still all strange and there are still popups. Not sure what to do at this point.
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    This is a process, not going to fix all your problems in one post. Keep going you are doing good.


    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.

    -------------------------------------------------------------------------------

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\vbpdtvdp.exe,
      O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
      O2 - BHO: (no name) - {B50E4946-7CC3-4083-96BA-4168F0159323} - (no file)
      O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    --------------------------------------------------------------------------

    Run Killbox
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\Windows\system32\vbpdtvdp.exe

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    --------------------------------------------------------------------

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt


    Attach here:
    1)C:\combofix.txt
    2)new hijackthis log ran after
     
  11. theredlaugh

    theredlaugh TS Rookie Topic Starter

    Moving along

    Okay, I followed your instructions with Hijackthis. I asked it to fix the entries:
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {B50E4946-7CC3-4083-96BA-4168F0159323} - (no file).
    When I ran killbox, I did receive the PendingFileRenameOperations prompt. I manually restarted after that, so I am not sure if the program deleted the file. I did not receive the Component MsComCtl.ocx message.
    I ran into a problem while using Combofix. This is what it said:
    "The system cannot find message text for message number 0x8 in the message file for System.

    Please wait.
    ComboFix is preparing to run.
    Access Denied. Administrator permissions are needed to use the selected options.
    Use an administrator command prompt to complete these tasks.
    The system cannot find message text for message number 0x8 in the message file for System.'"

    I am the only user on this computer, and I have full privileges. Not sure...? Attached new Hijackthis report. Thank you again for your help.
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Right click combofix and select run as administrator

    or turn off UAC (user account control) through control panel
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...