Hijack This Log- Help Eliminating Spyware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BlackCat, Aug 30, 2004.

  1. BlackCat

    BlackCat Private E-2

    The previous recommendations to delete a pesky invader which randomly opens up pop-ups when connected to the internet have failed, so I'm posting my Hijack This log. Some of the names the program goes by are QwyRa, XfyH, CzidS, Iel277g, YnuX, and VpfJE.
     

    Attached Files: log.txt
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I hope you have up to date anti-virus. I am not sure how Chaslang does this now, but my successes have been by going into safe mode and deleting the files you know are bad. Since you say anti-virus and trojan scanning found nothing, we have to go manual.

    AVG and most anti-virus programs should notify you if you go to the c:\Windows\system32\ folder with Windows Explorer. As you said, examples of these (and the only fishy ones I see) are:

    C:\WINDOWS\System32\QwyRa.exe
    C:\WINDOWS\System32\XfyH.exe

    So, try browsing the Windows\system32 folder and see if your antivirus tags any files, and write them down in case there are more. Hidden files should be enabled per step 4 of the tutorial. You need the exact file names so you don't delete anything by mistake.

    Boot into safe mode and delete the files you know are bad.

    Still in safe mode... look to see if they are running in startup. Getting a startup tool from our admin section like StartupCPL would be helpful; otherwise, go to Start, Run, type in msconfig and head to the Startup tab.

    Still in safe mode.... have Hijack This delete:

    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Wjdi.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

    What is Spyware Stormer? Get rid of it, never heard of it. While you're at it, check Add/Remove Programs for anything else like Web Rebates... Hell, check it for anything suspicious: web rebates, shopping, porn-sounding crap, whatever you may not have installed.

    Still removing:
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab

    Cross your fingers, pray if appropriate, reboot and shout back at us so we know how it went.
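    The O4 and O16 lines above come from two registry locations: the Run keys and the Downloaded Program Files store. This added PowerShell audit (not from the thread, and for current Windows rather than the XP box discussed here) lists both so each entry can be checked against the file or URL it points to; the "random short name in System32 and not validly signed" test is a heuristic assumption modelled on the names in this thread, not a rule from HijackThis.

```powershell
# Added example: enumerate the autostart (O4) and Downloaded Program Files (O16)
# locations that HijackThis reports, so entries can be reviewed before removal.
function Get-HjtStyleEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )

    # O4-style entries: every value under the Run keys, resolved to an executable path.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
            $cmd = [string]$p.Value
            # Strip surrounding quotes and trailing arguments to isolate the executable.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exists = Test-Path -LiteralPath $exe
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
            # Heuristic (assumption): short random-looking name in System32 that is not validly signed.
            $odd = ($exe -match '\\System32\\[A-Za-z0-9]{4,14}\.exe$') -and ($sig -ne 'Valid')
            [pscustomobject]@{
                Source = 'O4'; Name = $p.Name; Path = $exe
                Exists = $exists; Signature = $sig; Suspicious = $odd
            }
        }
    }

    # O16-style entries: downloaded ActiveX controls and the CODEBASE URL they were fetched from.
    $dpf = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
    if (Test-Path $dpf) {
        Get-ChildItem -Path $dpf | ForEach-Object {
            $info = Get-ItemProperty -Path "$dpf\$($_.PSChildName)\DownloadInformation" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Source = 'O16'; Name = $_.PSChildName; Path = $info.CODEBASE
                Exists = $null; Signature = $null; Suspicious = $null
            }
        }
    }
}

# Review the list first; only delete entries you have positively identified.
Get-HjtStyleEntries | Format-Table -AutoSize
```

Run from an elevated prompt so the HKLM keys are readable; an O4 entry whose file no longer exists (Exists = False) is the leftover registry line HijackThis would still report after the file was deleted in safe mode.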
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They failed because you never completed doing what you were supposed to do in the thread you already started on this problem. http://forums.majorgeeks.com/showthread.php?t=40598

    You had additional items to complete that you said you started. You never came back with results. Also, I had requested a few other steps to be done and then to follow up with a HJT log in that thread. A new thread was not necessary; we were getting there. You just never completed what you had started and never did what I asked.

    I was not looking for a new thread to be posted by you; I was looking for one I already had been working in. Thus, I never saw this thread, which I would have deleted with a message telling you to stay in your previous thread. Had MA not answered you already, I still would have deleted it.
     
    Last edited: Aug 31, 2004
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Never saw it bro, sorry. Maybe my steps will help hopefully.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not a problem. And yes, they will, if System Restore is still disabled; the problem files should also be deleted while in safe mode.

    Also, you should look in Add/Remove Programs for Web_Rebates to see if it can be uninstalled.

    I was getting there in the other thread. I was just working through the process first, and as I said there were things still not completed, and I asked for an HJT log too.
     
  6. BlackCat

    BlackCat Private E-2

    Sorry, for some odd reason I misread and thought you said make another thread. I did everything you requested, so I posted the new topic because the additional steps did not help. There's no need to get flustered, it was just a mistake. I will try MA's steps and report my results.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No one got flustered! You just left me hanging in the other thread. But lesson to be learned....once you start a thread for a particular problem stay within that thread (no matter how long it takes) until the problem is resolved. New problem, new thread. Same problem, same thread.

    Okay! So complete those steps MA gave you and post your HJT log (as an attachment).
     
  8. BlackCat

    BlackCat Private E-2

    I found all of the appropriate programs in the Windows/system32 folder as hidden and deleted them, and that seems to have done the trick.

    Thanks for the great help, and my apologies about the confusion again, chaslang.
     
  9. BlackCat

    BlackCat Private E-2

    Alright, here's my new Hijack This log.
     

    Attached Files: log.txt
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! Your log looks clean! You should now work on getting your system updated. Your WinXP is not updated (at least get to SP1) and IE is old too. You really should try to get the Critical Updates (called High Priority now).

    Also you should get rid of the unsupported MS Java and switch to Sun Java. See this thread:
    http://forums.majorgeeks.com/showthread.php?t=25834
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wait, I have a question, and I missed one:

    What is NetSurf? ----> C:\Program Files\Internet CD\Netsurf.exe
    I think I have seen it sometimes related to Optimum Online.
    Fix the below line with HJT:
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
     
  12. BlackCat

    BlackCat Private E-2

    I deleted O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binari...thv32_EN_XP.cab.

    NetSurf is the program I downloaded from my internet provider's installation disk. It's a window where you can connect, check e-mail, change settings, etc.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now check out the other stuff I gave you on Java and Windows Updates!
     
