TechSpot

Persistent Adware/Spyware Plz Help

By spikeyhale
Feb 8, 2007
  1. For some reason there is an adware/spyware program that I can't get rid of. I've run Ad-Aware, Spybot, and Avast virus scan and none of them has fixed the problem. I've also noticed that in Task Manager IE has 2 to 3 programs running and I'm not even on IE, so I've concluded that's my problem; I just don't know what to do to fix it. I've attached HJT log and startup list.
    Thanks
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your HJT log is clean. However, I'd like you to do the following.

    Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here.

    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Regards Howard :wave: :wave:

    This thread is for the use of spikeyhale only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. spikeyhale

    spikeyhale TS Rookie Topic Starter

    Here's the log you asked for.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hmm, that's strange. It seems your WinPortrait programme has a hidden autostart.

    I'd like you to uninstall WinPortrait from add remove programmes in your control panel, then post a fresh Combofix log.

    I'd also like you to run the Blacklight programme and let me know the results.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Regards Howard :)

     
  5. spikeyhale

    spikeyhale TS Rookie Topic Starter

    The Blacklight program found nothing, but I couldn't find an uninstall program for WinPortrait in the add/remove programs or in the folder it's in. Should I just delete the folder?
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    We need to temporarily disable Spybot Search & Destroy's tea time, as it may interfere with any fix we are trying to run.

    Disable Spybot's TeaTimer. This is a two step process.
    First:
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    Second:
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    wpctrl.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O16 - DPF: {0A50726E-51A2-42BB-8392-98F050C40A10} (SkillJamLoader Class) - http://cashgames.skilljam.com/ssp/SkillJamLoader.cab

    O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://cashgames.skilljam.com/ssp/SSP.cab

    O16 - DPF: {E0051273-5988-41EC-A891-11D4A1BABF35} (KDreg class) - http://193.242.125.31/player/kdreg.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\WinPortrait < Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT and Combofix logs.

    Regards Howard :)

     
  7. spikeyhale

    spikeyhale TS Rookie Topic Starter

    OK, I did everything, here's the logs.
    Thanks

    I think that fixed the problem with IE running when I'm not using it. If I encounter any more problems I'll let you know. Thanks for all the help.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Now that's very interesting. Your HJT log now contains a lop infection, that definitely wasn't there before.

    Please Download NoLop to your desktop from one of the links below...
    http://www.spywareedge.net/nolop/NoLop.exe
    http://www.thespykiller.co.uk/forum/...pmod;dl=item16

    First close any other programs you have running as this will require a reboot.
    Double click NoLop.exe to run it.
    Now click the button labelled "Search and Destroy".
    <<your computer will now be scanned for infected files>>
    When scanning is finished you will be prompted to reboot only if infected. Click OK.
    Now click the "REBOOT" button.
    A message should pop up from NoLop.
    If not, double click the program again and it will finish.
    Please post the contents of C:\NoLop.log along with a fresh HJT log.

    --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.-- http://www.boletrice.com/downloads/mscomctl.ocx

    Regards Howard :)

     
  9. spikeyhale

    spikeyhale TS Rookie Topic Starter

    New logs attached.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    License Second.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKCU\..\Run: [warnobj] C:\DOCUME~1\user\APPLIC~1\1VCTIME\License Second.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\DOCUME~1\user\APPLIC~1\1VCTIME < Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

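As an added example (not part of the thread and not written by either poster): a small Python triage of the HijackThis entries quoted in the fix lists in posts 6 and 10 above. It shows which properties make an entry stand out: an autostart path inside a user-writable profile folder, a target marked "(file missing)", or an ActiveX download source that is a bare IP address. The `triage` function, its note strings and the `PROFILE_DIRS` list are this example's own assumptions, not HijackThis output.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Entries copied from the fix lists in the posts above (not a complete HijackThis log).
SAMPLE = r"""
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKCU\..\Run: [warnobj] C:\DOCUME~1\user\APPLIC~1\1VCTIME\License Second.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://cashgames.skilljam.com/ssp/SSP.cab
O16 - DPF: {E0051273-5988-41EC-A891-11D4A1BABF35} (KDreg class) - http://193.242.125.31/player/kdreg.cab
"""

ENTRY = re.compile(r'^(O\d+) - (.*)$')
RUN = re.compile(r'^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] "?([^"]+)"?$')
DPF = re.compile(r'^DPF: (\{[0-9A-Fa-f-]+\}) \((.*)\) - (\S+)$')
# Assumed heuristic: folders a limited user can write to (lower-cased substrings).
PROFILE_DIRS = ("\\applic~1\\", "\\application data\\", "\\temp\\")

def host_is_ip(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return (section, detail, [notes]) for each HijackThis entry line."""
    out = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, rest, notes = m.group(1), m.group(2), []
        if section == "O4" and (r := RUN.match(rest)):
            rest = r.group(4)  # executable path of the autostart entry
            notes.append(f"autostart via {r.group(1)} {r.group(2)} key")
            if any(d in rest.lower() for d in PROFILE_DIRS):
                notes.append("runs from user-writable profile folder")
        elif section == "O16" and (d := DPF.match(rest)):
            rest = d.group(3)  # URL the ActiveX control was fetched from
            if host_is_ip(rest):
                notes.append("ActiveX source is a bare IP address")
        if rest.endswith("(file missing)"):
            notes.append("orphaned entry: target file missing")
        out.append((section, rest, notes))
    return out
```

Calling `triage(SAMPLE)` returns one tuple per entry; an empty notes list means none of these three heuristics matched, not that the entry is safe.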
     
  11. spikeyhale

    spikeyhale TS Rookie Topic Starter

    Fresh HJT logs. Also IE has 2 programs running in the task manager when I'm not using IE.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Open the Control Panel, and then Add/Remove Programs, look for any of these items there and use the Uninstall/Remove for them:

    Download Plugin for Internet Explorer
    Bar888
    Netpumper
    Bitroll
    Bitgrabber (These all can install Lop)
    "Zone Media" or "CiD Help" or "CiD Manager"

    Then, go HERE and follow the instructions exactly. Please install one of the firewall programmes in the above thread.

    Post fresh HJT, Combofix, Nolop and AVG Antispyware logs.

    Regards Howard :)

     
  13. spikeyhale

    spikeyhale TS Rookie Topic Starter

    Here's the fresh logs, for some reason the AVG file won't attach.

    AVG spyware log
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean and there's now no sign of IEXPLORE.EXE.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    usersecond.exe

    Close task manager.

    Locate and delete the following bold files and/or directories (if there).

    C:\Documents and Settings\All Users\Application Data\heck drive link move\usersecond.exe

    Reboot into normal mode and rehide your protected OS files.

    Run a fresh AVG scan and see if it finds anything. If it doesn't, you should be good to go.

    Regards Howard :)

     
  15. spikeyhale

    spikeyhale TS Rookie Topic Starter

    Thanks so much for your help and time, it's greatly appreciated. Hopefully this has taken care of the problem for good, but if not I'll let you know.
    Thanks again
     
Topic Status:
Not open for further replies.
