Pop-Up windows keep re-appearing

[Marvin]

I picked up something from a torrent download, thought I'd got rid of it but it keeps coming back.

Problem 1) on booting up I get an error message pop up that says "RUNDLL

Error loading F:\windows.o\System 32\opcwdpht.dll

The specified module could not be found"

Problem 2) in my active icon tray there is an invisible icon(!?!) that on mouseover says "Deliveries : 1 New" double clicking it opens an Internet Explore browser error page that has a title of "Internet Explorer cannot display the webpage"

Problem 3) The infection or? Without warning sometimes when I'm using the computer and sometimes when it's idle windows start opening up in Internet Explorer, for the most part they're empty one or two go to spam advertising websites, if I'm active in Firefox a new tab will open, again it's empty. When this happens I get an error message telling me the computer is unable to delete the file, all I can do is close the error message. These can repeat a dozen or more times over, all I can do is close them.

Then it goes quiet for a period of time.

I deleted zone alarm pro and installed avg 8.0 I've also been running a trial copy of a-squared anti-malware.

Hopefully having gone through the 15 stage pre-posting process my problem has been fixed, I don't know.

 

[Blind Dragon]

Welcome to TS,

We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

@echo off
sc stop Messager
sc delete Messager
del service.cmd and exit

Save it to your desktop as File name: service.cmd
Save as type: All Files

Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.

--------------------------------------------------------------------------------

Remove bad HijackThis entries

• Run HijackThis
• Click on the System Scan Only button
• Put a check beside all of the items listed below (if present):
  
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\windows\system32\blank.htm
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = F:\windows\system32\blank.htm
  O2 - BHO: (no name) - {463AD6E4-E165-4479-AD03-93E0DA6F0370} - F:\WINDOWS.0\system32\xxyxYsRI.dll (file missing)
  O2 - BHO: {acaa086a-a1bd-e448-3234-0b0f0b8301cd} - {dc1038b0-f0b0-4323-844e-db1aa680aaca} - F:\WINDOWS.0\system32\jmmmmuwe.dll (file missing)
  O4 - HKLM\..\Run: [BMcf1e83b4] Rundll32.exe "F:\WINDOWS.0\system32\opcwdpht.dll",s
  O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
  O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
  O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS.0\system32\WPDShServiceObj.dll

• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

---------------------------------------------------------------------------

OTMoveit2 by OldTimer
Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  [b]F:\windows\system32\blank.htm
  c:\temp\svchost.exe
  F:\WINDOWS.0\system32\xxyxYsRI.dll
  F:\WINDOWS.0\system32\jmmmmuwe.dll
  F:\WINDOWS.0\system32\opcwdpht.dll
  F:\WINDOWS.0\system32\WPDShServiceObj.dll[/b]

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

-----------------------------------------------------------------------

Malwarebytes' Anti-Malware

• Please download Malwarebytes' Anti-Malware to your desktop.
  
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please attach this log with your reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

-------------------------------------------------------------------------------

CWShredder
Download CWShredder here to its own folder.

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

-------------------------------------------------------------------------------------

Run a fresh Hijackthis log


Attach here:
1) OTMoveit2! log
2) MBAM log
3) Fresh Hijackthis

 

[Marvin]

Oh Wow! That's going to keep me amused this evening when I get home.

Thank you.

 

[Blind Dragon]

Not as bad as it looks - just very detailed

and sorry for the welcome to TS bit - I just read the date you joined here

 

[Marvin]

Well that was interesting (I guess). I really wish I understood a fraction of what was going on ....

Logs attached ....

 

[zipperman]

Explorer add on

Have you tried a popupstopper ?
I think this comes with IEX 7.Sorry i don't recall how i added it.
Maybe someone else does.

 

[Marvin]

I don't use internet explorer, I'm a convert to Firefox, which has it's own version of a pop-up stopper built in.:wave:.

 

[Blind Dragon]

Good work - blocking pop ups is one thing, but blocking popups from an infection is just covering up an underlying problem.

Is the rundll error gone from startup? how is the computer running?

Paste this into OTMoveit2! just like before and click Moveit!

F:\temp\svchost.exe

----------------------------------------------------------------

Update your Java Runtime Environment

• First try going to Start -> Control Panel -> double click Java
• Select the Update Tab at the top of the Java console
• Click the Check for Updates button at the bottom
• If it finds the newer version (Java 6 Update 7) Follow the on screen instructions (uncheck the yahoo toolbar option)
• After it installs the newest version Go back to Control Panel -> Add/remove programs (programs and features in vista)
• Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.
Update your Java Runtime Environment

• Click the following link
  Java Runtime Environment 6 Update 7
• The 5th option down is the one you want (click Download)
• Check the box to agree to terms of service
• Check the box for your operating system and click 'Download selected'at the bottom
• After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
• Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_07 folder

------------------------------------------------------------------

Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

------------------------------------------------------------

Run Kaspersky Online AV Scanner

Order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• Read the Requirements and limitations before you click Accept.
• Allow the ActiveX download if necessary.
• Once the database has downloaded, click Next.
• Click on "My Computer"
• When the scan has completed, click Save Report As...
• Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
• Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Attach the report into your next reply

 

[Marvin]

The rundll error has gone and the computer is running fine, I've not had any infection generated pop up windows or multiple error messages since Saturday, so hopefully they're dead and cremated once and for all. The invisible icon is still showing up in the active programmes list in the bottom right-hand corner of the screen.

Firefox 3.0 has an "internet explorer" mode that seems to work in IE environments only (worked okay in House Doctor where Firefox wouldn't), is it okay to use that for the Kaspersky scan? (EDIT - it seems to be happy doing so so far)

 

[Blind Dragon]

I think it works but have never tried it - so I am interested to know if it does, I would rather recommend that to people

 

[Marvin]

Kaspersky is open and running in an IE tab within Firefox 3.0 quite happily.

However I'm not sure of how long the scan should take, as of this morning after 13+ hours it had completed around 17% of the scan ....

 

[Marvin]

The scan has finished at last .... just under 24 hours of it!

New symptoms - Google Mail will now only open in basic HTML and drop down menus on another site wont drop down any more ....

 

[Marvin]

Have I missed something?

 

[Blind Dragon]

I just don't see where the issue is, can you run me a fresh combofix

 

[Marvin]

that hidden tray icon with the Internet Explore message has reappeared, drop down menus on some sites don't work plus Google mail will only work in basic html mode.

Here's the combofix log.

 

[Marvin]

drop down menus on some sites don't work plus Google mail will only work in basic html mode.

the solution to that was to clear the Firefox cache and the problem simply went away. :grinthumb

 

[Blind Dragon]

ATF cleaner should have done that though

 

[radalv]

Hello Blind Dragon;
I am having similar issues.
I use firefox, and now an IE popup shows up. Mostly when I open a new tab in FF.
I have done what you said on your first post.
I have the logs, could you please take a look at them?
Thank you
radalv

 

[Blind Dragon]

Ok, uninstall hijackthis. That version is out of date.

then please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in YOUR OWN THREAD with the requested logs. There should be at least 3.

1)MBAM log
2)SAS log
3)Hijackthis log (last step)


This thread was for the use of the original poster and the instruction contained in this thread were specific to that users needs, not to mention some of the tools used have been updated since then and now use a different set of commands

Start your own thread -> https://www.techspot.com/vb/menu28.html

I will be happy to help you