popups

Please read the sticky threads (one PP already gave you). Read the other on HijackThis posting: http://forums.majorgeeks.com/showthread.php?t=38752

 

The sticky tells you to post it as a text file attachment. You need to save it to a .txt file instead of a .log file.

 

These must not be running when you run HijackThis:
c:\program files\internet explorer\iexplore.exe
C:\Downloads\AboutBuster\AboutBuster.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

 

Make sure viewing of hidden files is enabled.
Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them (if found):
winset32.exe
lwpo.exe


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [winset16] C:\WINDOWS\System32\winset32.exe
O4 - HKCU\..\Run: [Taru] C:\Documents and Settings\user\Application Data\lwpo.exe
O4 - HKCU\..\Run: [winset16] C:\WINDOWS\System32\winset32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=4e2fe0f01d3c952e6d384697f56ea291d476d6a5c3fb7feba963d66d2d60b787f8baff8b35c2c5cfc39ca44b4686764c90ad2d0ea95e2dc68c0c85897c6d99a421:1616f1ee1695779646f1667345607db7
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/Sidesearch/en_US/tripod/Sidesearch.cab
O16 - DPF: {62CE3CBC-B889-423A-9457-2FE7A731BBD8} (UpdateStart Class) - http://eng.pristontale.com/autorun/pristontale.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab


Boot in safe mode and use Window Explorer to delete:
C:\WINDOWS\System32\winset32.exe
C:\Documents and Settings\user\Application Data\lwpo.exe


Reboot normal mode and post a new HJT log attachment and tell me how things are working.

 

Why are these running when using HijackThis?

C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
c:\program files\internet explorer\iexplore.exe

And personally I would not use anything related to Kazaa!

 

Can you try to disable the messenger service on XP it goes like:


Windows XP

1. Click Start->Settings ->Control Panel
1b.Click Performance and maintanance (Only in XP home)
2. Click Performance and Maintenance
3. Click Administrative Tools
4. Double click Services Scroll
5. down and highlight "Messenger"
6. Right-click the highlighted line and choose Properties.
7. Click the STOP button.
8. Select Disable or Manual in the Startup Type scroll bar
9. Click OK


Also run the below online scans from normal boot mode (save logs or take notes), and report them back here.

Bitdefender online scan
RavAntivirus online scan <-- select Auto Clean then click Scan My PC

 

You should boot in safe mode and manually delete the below:

C:\Documents and Settings\user\Desktop\New Text Document (4).txt
C:\WINDOWS\system32\ayaamon.dll
C:\Program Files\Hijackthis\backups\backup-20041011-114104-854.dll
C:\WINDOWS\system32\tby.dll

What do the popups say? Do they give an address?

Post a new HJT log.

 

Were you able to delete those files from safe mode?

 

Please download todays update to Ad-Aware SE and make sure you run a scan with it. First run it in normal boot mode (not safe mode) and click Scan now and then choose the Perform full system scan option then click next. This may take awhile so be patient. Fix what it finds.

Also make sure you have downloaded, installed and run the Ad-Aware VX2 Cleaner Plug-In.

Let me know if and what these scans find.

If Ad-Aware has problems cleaning/fixing what it finds, make sure you note what files are the problems and boot into safe mode and delete them yourself. Make sure you empty the Recycle Bin afterwards. Then reboot and run the scans again to make sure nothing came back.

 

By the way if you have not already started your Ad-Aware SE scan, after selecting Scan now you should deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. This will save some time. It's okay if you started without changing this selection. Don't worry about it.

 

If those previous steps do not fix this problem, please do the following

Download VX2 finder and save it some place you can find it
http://downloads.subratam.org/VX2Finder9x(126).exe

Then shut down ALL applications especially Internet Explorer and disconnect from the internet. No run VX2finder and select "click to find abetterinternet". Then select "make log" and copy/paste the log back here as an attachment. (you will have to rename the file from a .log to a .txt file)

 

Did you run it with the options set like I asked? Did you run the VX2cleaner plugin for Ad-Aware as I asked?

 

Sorry about that! I posted the wrong link. Use this one VX2 finder and follow the directions I gave before.