#1 (permalink) |
|
Registered User
Join Date: Oct 2004
Posts: 1
OS: Windows 2000
|
Hijack This Log - HELP!
Can someone take a look at this log and point me in the direction of getting some spyware off my computer please......
Logfile of HijackThis v1.98.2
Scan saved at 10 50 AM, on 10/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system\k9nt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Win Comm\WinComm.exe
C:\WINNT\system32\hxrudslw.exe
C:\Program Files\Win Comm\WinLock.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\WinMessenger\WinMesgr.exe
C:\Documents and Settings\Mark Zender\Desktop\HJT\HijackThis.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/wp-dyn/print/a1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/wp-dyn/print/a1
R3 - Default URLSearchHook is missing
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [whexubuz] C:\WINNT\whexubuz.exe
O4 - HKLM\..\Run: [njxcwruaffx] C:\WINNT\system32\hxrudslw.exe
O4 - HKLM\..\Run: [PrvDef3.0] C:\Program Files\PrvDef3.0\PrvDef3.0.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Shortcut to gmw4.exe.lnk = C:\Program Files\goldmine\gmw4.exe
O4 - Startup: Wmail32.exe
O4 - Global Startup: WinMessenger StartUp.lnk = C:\Program Files\WinMessenger\WinMesgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
#3 (permalink) |
|
TSF Enthusiast
|
You have several problems that we need to address. We will be using several anti-spyware, anti-adware and anti-hijack programs. I recommend that you keep these programs on your system permanently.
Only use HiJackThis under the guidance of an expert! Accidentally deleting something can disable your operating system.

Print out these instructions so you may reference them without any programs open. It is very important that no programs (especially internet browsers) are running when implementing these fixes. [You may leave your firewall and virusscanner running.]
----------------------------------------------------------------
* Your HiJackThis program is in a temporary folder or on the Desktop. It is important that this program reside in a permanent folder. I recommend c:/program files/HJT/. You should save each log with a name that you can recognize, like HJT 9-20-04a.log. The 'a' is in case we make multiple logs in one day.
* When running HiJackThis scans or fixes, it is imperative that you close all programs especially internet browsers. HiJackThis, Spybot, AdAware and CWShredder cannot repair the badguys when these programs are open. So close them all now. Leave your virusscanner and firewall on.
----------------------------------------------------------------
To show hidden files instructions
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
----------------------------------------------------------------
Reboot in Safe Mode instructions.
During reboot, tap the F8 key. Select Safe Mode.
----------------------------------------------------------------
Open HiJackThis | Config | Misc Tools | Open process manager.
Select the following and click <Kill process> for each one if they are still listed (they may not be, and that's ok):

WinComm.exe
hxrudslw.exe
WinLock.exe
----------------------------------------------------------------
Uninstall the following (from Start | Settings | Control Panel | Add/Remove Programs) if they exist:

Win Comm

Do you know what PrvDef3.0 is? I cannot find any info on it. If you know what it is and want it, keep it. If you do not know what it is, I recommend Removing it. Whatever you decide, checking/fixing it below will not hurt your system or the program. It just removes it from starting during boot.
----------------------------------------------------------------
Open HiJackThis | Scan, Put a check next to the following items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/wp-dyn/print/a1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/wp-dyn/print/a1
R3 - Default URLSearchHook is missing
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [whexubuz] C:\WINNT\whexubuz.exe
O4 - HKLM\..\Run: [njxcwruaffx] C:\WINNT\system32\hxrudslw.exe
O4 - HKLM\..\Run: [PrvDef3.0] C:\Program Files\PrvDef3.0\PrvDef3.0.exe
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/ins...ll/pinstall.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab

Confirm that you have only the ones above checked, then press <Fix checked>
Close HJT
----------------------------------------------------------------
Open Windows Explorer
Now delete the following files (or delete the whole folder if no specific file is given):

C:\Program Files\Win Comm\
C:\WINNT\system32\hxrudslw.exe
C:\WINNT\multimpp.dll
C:\WINNT\whexubuz.exe

If you chose to remove PrvDef3.0, then delete this folder also:
C:\Program Files\PrvDef3.0\
----------------------------------------------------------------
* Empty your c:/windows/temp or c:/winnt/temp folder. Note: only empty the contents of the folder, leave the folder there.
* Now empty your Recycle Bin.
* Reboot in Normal Mode.
----------------------------------------------------------------
You should run an online virus scan. Select one or more of the following. Online virus scans can be superior to PC scans because some malware can infect your PC virus scanner. Select Autoclean if you use TrendMicro's Housecall.

Panda at http://www.pandasoftware.com/actives..._principal.htm
Housecall at http://housecall.trendmicro.com/
RAV Antivirus at http://www.ravantivirus.com/scan

Reboot.
----------------------------------------------------------------
Here are two essential anti-spyware programs which you should run regularly. Updates for these programs come out weekly. Run them now.

Spybot Search & Destroy instructions (~3.5MB)
Ad-Aware instructions (2563 kB)

Reboot and post a new HJT log.

Last edited by Detah : 10-27-2004 at 02:16 PM.
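A triage aid for the kind of log reviewed in this thread, as an added example that is not part of either post and not part of HijackThis: it groups entries by section code and lists O4 Run values whose image sits directly in C:\WINNT or C:\WINNT\system32. The directory heuristic and all function names are assumptions made for illustration; a hit marks an entry for manual review and is not a verdict.

```python
import re
from collections import defaultdict
from ntpath import dirname, normcase

# Excerpt of the log posted in this thread (BHO and Run lines only).
SAMPLE_LOG = r"""
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [whexubuz] C:\WINNT\whexubuz.exe
O4 - HKLM\..\Run: [njxcwruaffx] C:\WINNT\system32\hxrudslw.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                # "O4 - <detail>"
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")   # hive, key, value name, command
# Assumption: system directories taken from this log's platform (Windows 2000).
SYSTEM_DIRS = {normcase(r"C:\WINNT"), normcase(r"C:\WINNT\system32")}

def parse(log):
    """Group log entries by their HijackThis section code (R0, O2, O4, ...)."""
    sections = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def image_path(command):
    """Return the executable part of a Run command, dropping any arguments."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(?i)^(.+?\.(?:exe|dll|com|bat|cmd))(?:\s|$)", command)
    return m.group(1) if m else command.split()[0]

def review_candidates(sections):
    """Run values that launch a full-path image directly from a system directory."""
    hits = []
    for detail in sections.get("O4", []):
        m = RUN.match(detail)
        if m and normcase(dirname(image_path(m.group(4)))) in SYSTEM_DIRS:
            hits.append((m.group(3), image_path(m.group(4))))
    return hits

if __name__ == "__main__":
    for name, path in review_candidates(parse(SAMPLE_LOG)):
        print(f"review: [{name}] {path}")
```

Bare commands such as `mobsync.exe /logon` carry no directory and are not listed, and entries under Program Files (Win Comm here) fall outside this heuristic, so the full log still needs a manual read.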