Popup advert on startup - spyware?

Samfau2 · 1 Feb 2010 at 17:38

Hi, i seem to have some kind of spyware infection. Whenever i start up my computer this comes up in IE.

http://s253.photobucket.com/albums/hh76/samfau2/?action=view&current=Capture.png

I've run spybot S&D, Ad-aware NOD32 and windows defender and none of them have found anything wrong so i'm now stumped as to how to get rid of it. Additionally, when pressing alt tab, windows shows an extra application open that does not appear in task manager and is still there when i close everything i have open (not sure if the two problems are related), here is a picture.

http://i253.photobucket.com/albums/hh76/samfau2/Untitled.jpg

Hope someone can help, cheers.

Samfau2 · 29 Mar 2010 at 17:43

sorry to ressurect this thread but after finally getting round to running spybot and malwarebytes in safe mode i still have the same problem on startup. Any other ideas?

Samfau2 · 29 Mar 2010 at 23:27

HijackThis log as requested.

http://d.cl1p.net/hijackthis/

Samfau2 · 24 Apr 2010 at 01:40

Ran everything in safe mode a while back and nothing found it, then tried spybot again in safe mode and it found something. Restarted and it was gone woohoo!

BUT..

a few days later i did a system restore and it came back. Now nothing, not even spybot will get rid of it...

Samfau2 · 24 Apr 2010 at 15:19

Yeah i know, it was kind of dumb.

It wasn't actually to a time before the rootkit was there. It was only to the previous day because my sister had deleted a bunch of software so I didn't think it would reinfect my PC.

No i don't have msn plus and cheers Macca that's what ill try now.

EDIT: Just to clarify so i don't sound like a complete douche, there was like a month in between me getting rid of the rootkit and doing the system restore.

Samfau2 · 24 Apr 2010 at 16:35

Ok, i tried the business with sys restore and then ran spybot and malwarebytes in safe mode and neither found anything.

Samfau2 · 25 Apr 2010 at 14:47

got it, found a "windows user blah blah" entry in startup in msconfig that executed from a winlogon.exe file that had a path in program files which i thought was a bit odd. I disabled it and rebooted and the popup didnt appear.

So I went to that folder which had a bunch of text files and this winlogon.exe. Worringly one of the text files was called "clipboard" and had everything that i have ctrl+c'd for months back, there was another with my system details, IP's, MAC's etc and a few others that just looked like junk.

So i've deleted that folder and am swiftly on to change all my passwords etc.

Thanks for the help (mostly)