major browser hijack/popup prob

Discussion in 'Malware Help (A Specialist Will Reply)' started by mose_factor, Jan 17, 2005.

  1. mose_factor

    mose_factor Private E-2

    Hi, I've gone through the whole read-me file and done everything it says, in safe mode, 3 times, and it's still just as bad as ever.
    Attached is my HijackThis log.
    Any help would be very greatly appreciated, it's driving me mad!
    Thanks

    -moose
     


  2. PhilliePhan

    PhilliePhan Guest

    Hi Moose,

    Your Windows XP is Waaaay out of date. You should visit Windows Updates and address that IMMEDIATELY AFTER your machine is cleaned up!


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them if possible:

    Pay Close Attention to the SPELLING When Ending and Deleting These, as these are very similar to legitimate entries!!

    CTFMONSS.EXE
    CSRSSW.EXE


    Now scan with HijackThis and Check the Boxes for the following:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home

    O2 - BHO: VDOMP Class - {A0ED918D-B8E6-4c3d-BD15-1DB1AE9A5DD3} - C:\WINDOWS\wtlbass32.dll

    O4 - HKCU\..\Run: [CSRSSW] C:\WINDOWS\System32\CSRSSW.EXE
    O4 - HKCU\..\Run: [CTFMONSS] C:\WINDOWS\System32\CTFMONSS.EXE
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    (Again, do not delete anything other than these EXACT SPELLINGS!!)

    C:\WINDOWS\wtlbass32.dll
    C:\WINDOWS\System32\CSRSSW.EXE
    C:\WINDOWS\System32\CTFMONSS.EXE

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
     
  3. mose_factor

    mose_factor Private E-2

    thanks for that.
    I thought it had fixed things, but I still get these search engine popups and warnings saying that my ntoskrnl.exe has changed, and my firewall keeps saying that it wants access to the network (which I deny). Any further ideas? Thanks a bunch. (At least my home page stays normal now.)

    -moose
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Moose,

    Is this log from Normal Windows Boot?

    Suggest uninstalling this: C:\Program Files\Stop-the-Pop-Up
    Try the Google toolbar - its popup killer does a great job.

    Fix these in HJT:
    O2 - BHO: VDOMP Class - {A0ED918D-B8E6-4c3d-BD15-1DB1AE9A5DD3} - C:\WINDOWS\wtlbass32.dll (file missing)
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
    O4 - HKCU\..\Run: [CTFMONSS] C:\WINDOWS\System32\CTFMONSS.EXE
    O4 - HKCU\..\Run: [CSRSSW] C:\WINDOWS\System32\CSRSSW.EXE

    Then, delete these in safe mode if they remain:
    C:\WINDOWS\System32\CTFMONSS.EXE
    C:\WINDOWS\System32\CSRSSW.EXE

    Please refer to my previous instructions as to how to address the above.

    PP :)
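As an added illustration (not part of this thread, and not a feature of HijackThis itself), the Python script below parses HijackThis O4 autorun lines like the ones quoted in PhilliePhan's two sets of instructions and flags executables whose names are near-misses of legitimate Windows process names, which is the spelling check the instructions ask the reader to do by eye. The sample log excerpt is constructed from the thread's own entries plus one legitimate ctfmon.exe line for contrast; the list of legitimate names and the 0.8 similarity threshold are my own assumptions.

```python
import re
from difflib import SequenceMatcher

# Legitimate Windows process names that the thread's CSRSSW.EXE and CTFMONSS.EXE
# imitate (csrss.exe, ctfmon.exe), plus a few other commonly imitated ones.
LEGIT = {"csrss.exe", "ctfmon.exe", "svchost.exe", "lsass.exe", "explorer.exe"}

# Constructed HijackThis excerpt: the O4 entries quoted in the thread, plus one
# legitimate ctfmon.exe autorun added here for contrast (not from Moose's log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [sureshotpopupkiller] "C:\\Program Files\\Stop-the-Pop-Up\\stopthepop.exe" -minimized
O4 - HKCU\\..\\Run: [CTFMONSS] C:\\WINDOWS\\System32\\CTFMONSS.EXE
O4 - HKCU\\..\\Run: [CSRSSW] C:\\WINDOWS\\System32\\CSRSSW.EXE
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# HJT "O4" autorun lines look like: O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse_o4(line):
    """Return {hive, name, path} for an O4 autorun line, or None for other lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    # The executable path is either the quoted prefix or the first space-free token.
    path = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return {"hive": m.group("hive"), "name": m.group("name"), "path": path}

def lookalike(filename, legit=LEGIT, threshold=0.8):
    """Return the legitimate name this file name imitates, or None.
    Exact (case-insensitive) legitimate names are never flagged."""
    f = filename.lower()
    if f in legit:
        return None
    best = max(legit, key=lambda l: SequenceMatcher(None, f, l).ratio())
    return best if SequenceMatcher(None, f, best).ratio() >= threshold else None

def flag_entries(log_text):
    """List (value name, file name, imitated name) for suspicious O4 autoruns."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        fname = entry["path"].rsplit("\\", 1)[-1]
        target = lookalike(fname)
        if target:
            hits.append((entry["name"], fname, target))
    return hits
```

A flagged entry is a prompt to verify the file, not proof of infection; compare the path, size and signature against the real system binary before ending or deleting anything.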
     
  5. mose_factor

    mose_factor Private E-2

    OK, cheers for that.

    I have deleted what was left in HijackThis.
    All seems to be OK except I keep getting this message saying that ntoskrnl.exe has changed and is trying to access the network. Is this something I should worry about? Thanks.

    -craig

    I've tried attaching the log again but it keeps saying I have already attached it in this thread, despite changing the name and the extension. Do you want me to copy the contents into this area?
     
  6. PhilliePhan

    PhilliePhan Guest

    Hi Moose,

    Go ahead and Copy and paste your new HJT log into your post and I'll deal with it.

    For the ntoskrnl.exe question, try running SpybotSD and do the Online Virus Scans as prescribed in the tutorial - If this is Viral, they should catch it.

    Also, take a look at this link: NT Kernel System has changed

    Let me know how you fare with the above.

    PP :)
     
