Persistent Adware/Spyware Plz Help

Status
Not open for further replies.

spikeyhale

For some reason there is an adware/spyware program that I can't get rid of. I've run Ad-Aware, Spybot, and Avast virus scan and none of them has fixed the problem. I've also noticed that in Task Manager IE has 2 to 3 programs running and I'm not even on IE, so I've concluded that's my problem. I just don't know what to do to fix it. I've attached HJT log and startup list.
Thanks
 
Hello and welcome to Techspot.

Your HJT log is clean. However, I'd like you to do the following.

Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Regards Howard :wave: :wave:

This thread is for the use of spikeyhale only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hmm, that's strange. It seems your WinPortrait programme has a hidden autostart.

I'd like you to uninstall WinPortrait from Add/Remove Programmes in your Control Panel, then post a fresh Combofix log.

I'd also like you to run the Blacklight programme and let me know the results.

Download and run the Blacklight programme. Follow all the instructions carefully.

Regards Howard :)

 
The Blacklight program found nothing, but I couldn't find an uninstall program for WinPortrait in the Add/Remove Programs or in the folder it's in. Should I just delete the folder?
 
We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

wpctrl.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O16 - DPF: {0A50726E-51A2-42BB-8392-98F050C40A10} (SkillJamLoader Class) - http://cashgames.skilljam.com/ssp/SkillJamLoader.cab

O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://cashgames.skilljam.com/ssp/SSP.cab

O16 - DPF: {E0051273-5988-41EC-A891-11D4A1BABF35} (KDreg class) - http://193.242.125.31/player/kdreg.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Program Files\WinPortrait  <-- Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs.

Regards Howard :)

 
OK, I did everything; here are the logs.
Thanks

I think that fixed the problem with IE running when I'm not using it. If I encounter any more problems I'll let you know. Thanks for all the help.
 
Now that's very interesting. Your HJT log now contains a lop infection, that definitely wasn't there before.

Please Download NoLop to your desktop from one of the links below...
http://www.spywareedge.net/nolop/NoLop.exe
http://www.thespykiller.co.uk/forum/...pmod;dl=item16

First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop.
If not, double click the program again and it will finish.
Please post the contents of C:\NoLop.log along with a fresh HJT log.

--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.-- http://www.boletrice.com/downloads/mscomctl.ocx

Regards Howard :)

 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

License Second.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKCU\..\Run: [warnobj] C:\DOCUME~1\user\APPLIC~1\1VCTIME\License Second.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\DOCUME~1\user\APPLIC~1\1VCTIME  <-- Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

 
Open the Control Panel, and then Add/Remove Programs, look for any of these items there and use the Uninstall/Remove for them:

Download Plugin for Internet Explorer
Bar888
Netpumper
Bitroll
Bitgrabber (These all can install Lop)
"Zone Media" or "CiD Help" or "CiD Manager"

Then, go HERE and follow the instructions exactly. Please install one of the firewall programmes in the above thread.

Post fresh HJT, Combofix, Nolop and AVG Antispyware logs.

Regards Howard :)

 
Your HJT log is clean and there's now no sign of IEXPLORE.EXE.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

usersecond.exe

Close task manager.

Locate and delete the following bold files and/or directories (if there).

C:\Documents and Settings\All Users\Application Data\heck drive link move\usersecond.exe

Reboot into normal mode and rehide your protected OS files.

Run a fresh AVG scan and see if it finds anything. If it doesn't, you should be good to go.

Regards Howard :)

 
Thanks so much for your help and time; it's greatly appreciated. Hopefully this has taken care of the problem for good, but if not I'll let you know.
Thanks Again
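
Added example, not part of the original thread: a small triage pass over HijackThis log lines like the ones the helper asked to have fixed. The three heuristics (autostart from a user profile folder, ActiveX codebase on a raw IP, missing target file) and the names `triage`, `SAMPLE_LOG` and `PROFILE_DIRS` are assumptions made for illustration, not HijackThis features.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Log lines copied from the posts above (entries the helper asked to have fixed).
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKCU\..\Run: [warnobj] C:\DOCUME~1\user\APPLIC~1\1VCTIME\License Second.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0A50726E-51A2-42BB-8392-98F050C40A10} (SkillJamLoader Class) - http://cashgames.skilljam.com/ssp/SkillJamLoader.cab
O16 - DPF: {E0051273-5988-41EC-A891-11D4A1BABF35} (KDreg class) - http://193.242.125.31/player/kdreg.cab
'''

ENTRY = re.compile(r'^(O\d+) - (.*)$')
O4_RUN = re.compile(r'^(HK\w+)\\\.\.\\(\w+): \[(.*?)\] "?(.+?)"?$')
# Assumed heuristic: per-user profile folders, long names and 8.3 short names.
PROFILE_DIRS = ("\\application data\\", "\\applic~1\\", "\\local settings\\", "\\locals~1\\")

def triage(log_text):
    """Return (section, entry, reasons) for each entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if body.endswith("(file missing)"):
            reasons.append("target file missing")
        if section == "O4":  # Run-key autostart entries
            run = O4_RUN.match(body)
            if run and any(d in run.group(4).lower() for d in PROFILE_DIRS):
                reasons.append("autostart from user profile folder")
        elif section == "O16":  # downloaded ActiveX components (DPF)
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            try:
                ipaddress.ip_address(host)
                reasons.append("ActiveX codebase served from raw IP")
            except ValueError:
                pass  # host is a DNS name (or absent), not an IP literal
        if reasons:
            findings.append((section, body, reasons))
    return findings

if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(section, "|", "; ".join(reasons), "|", body)
```

The WinPortrait autostart under Program Files trips none of these heuristics, so output like this supplements a manual read of the log rather than replacing it.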
 