Need Help With Popups and Spyware

What file was it that About:Buster got stuck on? Give fullpath with filename.

If you have run ALL the steps of the READ ME FIRST, then:

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

Click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text:
regsvr32 /u C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
then click OK. If a dialog box confirming this action appears, click OK.


Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
C:\WINDOWS\system32\Dnl7v0Ua.exe
C:\WINDOWS\system32\Jlmcq.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O2 - BHO: (no name) - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: (no name) - {DE0D8AF6-4D2D-440A-AA1C-6BCBEE785B6C} - (no file)
O3 - Toolbar: Startnow - {1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\system32\Elq0i.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab


Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\Dnl7v0Ua.exe
C:\WINDOWS\system32\Jlmcq.exe
C:\Program Files\MyWay <--- the whole folder
C:\Program Files\Common Files\WinTools <--- the whole folder
C:\Program Files\Common Files\Hyperbar <--- the whole folder

Now reboot in normal mode and post a new HJT log. And tell us how things are working.


By any chance did you delete spoolsv.exe from your system32 folder when trying to deal with the problem about:Buster was reporting with ??oolsv.exe? They are not the same thing. spoolsv.exe is a required Windows file. The below line from HJT shows that your system cannot find the file to run the service.
O23 - Service: Print Spooler - Unknown - C:\WINDOWS\system32\spoolsv.exe (file missing)

You need to locate the c:\i386 or c:\windows\i386 folder on your hard disk. In that folder, locate the spoolsv.exe file and copy it to c:\windows\system32.

 

You're welcome. But some of the items I asked you to fix last time are still there. Did you miss some of them.


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {04079851-5845-4dea-848C-3ECD647AA554} - (no file)
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O2 - BHO: (no name) - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - (no file)
O2 - BHO: (no name) - {DE0D8AF6-4D2D-440A-AA1C-6BCBEE785B6C} - (no file)
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} -

After clicking Fix exit HJT and reboot.
Now get a new HJT log and post it.

 

Okay! Something is blocking the removal. Please disable all of the protection features of Spybot, especially TeaTimer.

Make sure the below is not running:
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

And then fix those O2 lines again with HJT. See if that works.

 

Your log is basically clean other than the below two lines which can be fixed since the files are missing.


O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)