spyware problem


rollinpark
04-17-2005, 05:45 AM
Hi,

I have a major spyware problem. It seems that my Ad-Aware is unable to clean my PC of the spyware. Sometimes it even hangs there. I tried HijackThis and below is the log I get. Can any expert advise me what to fix here? Thanks a lot.


Logfile of HijackThis v1.99.1
Scan saved at 4:29:30 PM, on 4/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINDOWS ADCONTROL\WINADALT.EXE
C:\PROGRAM FILES\WINDOWS ADCONTROL\WINADCTL.EXE
C:\WINDOWS\SYSTEM\RK.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/sp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [OSS] c:\windows\system\rk.exe -boot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\DNSCLEANER.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows AdControl] C:\PROGRAM FILES\WINDOWS ADCONTROL\WINADCTL.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE" "+b1"
O4 - Startup: RouteIp.lnk = C:\WINDOWS\ROUTE.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm414YYMY
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .wma: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O12 - Plugin for .asf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = xxxxxxx
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.5.120.21
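The log above is what the thread's helpers read by eye. As an added example (not part of the thread and not HijackThis's own logic), here is a small Python triage script that parses lines in the HijackThis v1.99 format and flags the entry types the replies below react to: R0/R1 search and start-page URLs pointing at an unverified host, the O10 Winsock hijack, an O15 Trusted Zone addition, an O17 DNS override and a New.net O4 startup entry. The sample log is constructed from a subset of the posted entries, the allowlist of known-good hosts is an assumption, and the severities are a heuristic that still needs a human to confirm before anything is fixed.

```python
"""Triage helper for HijackThis-style logs (illustrative, not HijackThis code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of entries in HijackThis v1.99 format, modelled
# on the log posted in the thread. Backslashes are literal (raw string).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.greg-search.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.5.120.21
"""

# Every HijackThis entry starts with a section code such as R1, O4, O10.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<detail>.*)$")

# Assumption: a per-machine allowlist of hosts the owner has verified as
# legitimate. The Netscape home page appears in the posted log, so it is here.
KNOWN_GOOD_HOSTS = {"home.netscape.com"}


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


def parse_entries(text):
    """Return (section, detail, raw_line) for every recognised entry line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("detail"), raw.strip()))
    return entries


def _url_host(detail):
    """Host of the value in '...,Key = http://host/path'; '' if empty or about:."""
    _, _, value = detail.partition(" = ")
    value = value.strip()
    if not value or value.startswith("about:"):
        return ""
    return urlparse(value).hostname or ""


def triage(text, known_good_hosts=KNOWN_GOOD_HOSTS):
    """Heuristic review of a log: flags entries a helper would look at first."""
    findings = []
    for section, detail, raw in parse_entries(text):
        if section in ("R0", "R1"):
            host = _url_host(detail)
            if host and host not in known_good_hosts:
                findings.append(Finding(section, "high",
                    f"IE search/start page points at unverified host {host}", raw))
        elif section == "R3":
            findings.append(Finding(section, "info",
                "default URLSearchHook missing; commonly seen after a hijack", raw))
        elif section == "O10":
            # A Winsock LSP hijack: removing the DLL by hand breaks networking,
            # so use the vendor uninstaller (as the thread advises for New.net).
            findings.append(Finding(section, "high",
                "Winsock (LSP) hijack reported; repair via the uninstaller, not by deleting files", raw))
        elif section == "O15":
            site = detail.split(":", 1)[1].strip()
            findings.append(Finding(section, "high",
                f"site added to IE Trusted Zone: {site}", raw))
        elif section == "O17" and "NameServer" in detail:
            findings.append(Finding(section, "medium",
                "DNS server override; confirm it matches the ISP's or router's servers", raw))
        elif section == "O4" and ("new.net" in detail.lower() or "newdot" in detail.lower()):
            findings.append(Finding(section, "high",
                "New.net startup entry; uninstall from Add/Remove Programs", raw))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it as-is to see the six flagged entries from the constructed sample; to use it on a real log, paste the log into `SAMPLE_LOG` or read it from a file and extend `KNOWN_GOOD_HOSTS` with the hosts you know belong on that machine. Entries it does not flag (BHOs, ordinary O4 Run items, O16 downloads) are not cleared, only not covered by these heuristics.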

ErnieK
04-17-2005, 07:57 AM
As far as I know, Letgohome is a CWS infection. Download CWShredder (just updated to version 1.4) from the link below onto your desktop and run it. (It runs from the desktop without installing.) Then wait until others more capable of helping out come along.

http://www.soft32.com/download_19014.html

Sylvander
04-17-2005, 08:47 AM
I notice that [like me] you have "HP CD-Writer" installed ["DirectCD" is running].
Do you also have "Simple Backup" and have you made any [clean & recent] backups of the C: partition?
If so, you could re-format the C: partition and restore to eliminate any nasties.

david eaton
04-17-2005, 05:04 PM
In addition to running CWShredder, uninstall Newnet/Newdotnet from Add/Remove Programs. If it is not listed there, an uninstaller can be found on the newnet website (http://www.newdotnet.com/removal.html).

Then please post a fresh HijackThis log.

FastLearner
04-17-2005, 06:58 PM
I notice that [like me] you have "HP CD-Writer" installed ["DirectCD" is running].
Do you also have "Simple Backup" and have you made any [clean & recent] backups of the C: partition?
If so, you could re-format the C: partition and restore to eliminate any nasties.

...while we are waiting for the new log...

Hi Sylvander. Good point, and I often proudly preach the same 'always make backups' message myself, which I incidentally was lucky enough to learn from you. My question in this case is "how would rollinpark know when a good point in time to roll back to would be (i.e. when/if his system was ever clean)?"

After looking through this HJT log and finding all sorts of garbage (which you will also see as David Eaton works his magic), why would restoring a backup be easier, in this particular case, than simply letting CWShredder and HJT fix a CoolWebSearch infection (and a few other nasties)? (My point is...) At least by just deleting the malware no data would be lost.

In a perfect world, the user would have backups from each and every day and finding a good one would be plausible, but in most cases, restoring a backup for most people (unless they follow the strategy that we use - programs on one partition, data on another) cannot always be proven to be the best option.

Sure, I agree wholeheartedly that the first thing rollinpark should do after his computer has been cleaned out here is to make a backup image (that he knows for sure is clean) so that he always has a good restore alternative in the future, but I think it may be a little premature to assume that he has a clean backup already.

(well, actually the first thing would be to install some service packs and/or a more secure OS, but you see what I mean, I think.)

What are your comments?

Sylvander
04-17-2005, 08:44 PM
I have this idea [that generally works for me] that as you move forward in time [beginning at some point with an orderly system of software], the only thing that can happen is that chaos creeps in. [The physical law of increasing entropy: things naturally become more chaotic with time unless work is input to halt or reverse that trend.]
So you keep your wits about you, make backups at points along the way where you think all's well, then:
If you think/suspect that something nasty may have happened to the software, you take no chances, and restore a backup to "jump back" to one of those clean points.
By this means, nasty chaos doesn't get much of a chance to creep in and hide.
This is my first line of defense.
If it works, and it usually does, then there's no need to resort to other methods.
I normally keep 3 backups, one of which is about 6 months old and considered reliably clean.
Should anything get past and get into the backups [all 3 of them corrupted!? (not likely)], only then am I forced to resort to other methods.
I don't remember that ever happening.

Now, I don't know whether rollinpark has a clean backup, or any backup at all, but if he has a backup, surely he only made it because he thought his PC was clean at the time. So it must be a better starting point than his present circumstances.

FastLearner
04-18-2005, 02:45 AM
Hi Sylvander.

I cannot argue with anything you're saying, as it really makes a bunch of sense. Heck, I do the same thing (since I learned from you, as I mentioned before). I have approximately 15 backups on hand ranging from when I first installed Windows, and I made new backups with the addition of almost every additional software package.

I feel pretty safe!

The only catch that I can see is...

If I do need to resort to restoring a backup, then I am going to lose data - and depending on how far back in time I need to "jump back," this amount of data could be significant. Depending on a bunch of circumstances outside of our control (i.e. how important his data really is to him), this may or may not be the most feasible solution.

To combat this I have recently started making weekly backups of my D: drive (which only contains my personal files, and no programs). The Windows Backup utility works fine for this purpose (it's pretty fast). This way if disaster does strike (and according to your law, it will eventually), I can restore an ideal backup image of my system and software without losing any data. Can't ask for much more than that...:D

Sylvander
04-18-2005, 04:01 AM
What I do is to keep all my data off the C: partition. :cool:

1. Only the Windows and Program Files Folders are kept on the [3,000MB] C: partition [4kB clusters].
2. Stuff like "My Documents", emails for all identities, address book, Temporary Internet Files & Favourites are all kept on a [2,000MB] D: partition [4 kB clusters].
3. Large data files like wave & MP3 are kept on a 20,000MB E: partition [larger clusters (32 kB?)].
4. I made a 45,000 MB partition with 64 kB clusters that's empty, but may one day hold even larger files like videos.
5. The remainder of my 80GB HDD [about 7,500MB] was allocated to backups and things that should never need to be backed up [Windows installation files etc].

I back up the whole of the C: partition quite often; the others not so often.
When I restore the C: partition, all the data remains untouched and up to date.