Default URLSearchHook is missing

Discussion in 'Malware and Virus Removal Archive' started by xplayersrevenge, 2005/02/01.

Thread Status:
Not open for further replies.
  1. 2005/02/01
    xplayersrevenge

    xplayersrevenge Inactive Thread Starter

    Joined:
    2005/01/25
    Messages:
    8
    Likes Received:
    0
    I've been in several other forums and I think their advice may have caused this problem. It appears that they did help get rid of all the "infections", but now I cannot get on the internet using IE6. Below is my HJT log. Notice the "R3 - Default URLSearchHook is missing" line. I have tried many things to resolve this, but none seem to do the trick. Any help is appreciated.

    Logfile of HijackThis v1.99.0
    Scan saved at 2:11:15 PM, on 2/1/2005
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\crvs32.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\system32\syssu32.exe
    C:\WINNT\system32\taskmgr.exe
    C:\hijackthis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {4277B55C-73D3-C13F-3DD5-B03660716FA5} - C:\WINNT\msdl32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [syssu32.exe] C:\WINNT\system32\syssu32.exe
    O4 - Startup: Shortcut to taskmgr.exe.lnk = C:\WINNT\system32\taskmgr.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: W2k PCtel speaker phone - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
    O23 - Service: ProService for 8.2C - Progress Software - C:\DLC\bin\ProSrvc.exe
    O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\crvs32.exe
     
  2. 2005/02/01
    xplayersrevenge

    xplayersrevenge Inactive Thread Starter

    Joined:
    2005/01/25
    Messages:
    8
    Likes Received:
    0
    I just noticed the zeta.exe. This is the first time I have seen this in any of the HJT logs. I'll wait for the advice before I do anything with it. Thanks.
     

  4. 2005/02/01
    xplayersrevenge

    xplayersrevenge Inactive Thread Starter

    Joined:
    2005/01/25
    Messages:
    8
    Likes Received:
    0
    Actually in the past few hours there are quite a few more "ugly" entries. This is getting quite out of control. Here is my latest HJT log:

    Logfile of HijackThis v1.99.0
    Scan saved at 5:01:30 PM, on 2/1/2005
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    C:\WINNT\System32\taskmgr.exe
    C:\WINNT\explorer.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {4277B55C-73D3-C13F-3DD5-B03660716FA5} - C:\WINNT\msdl32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [syssu32.exe] C:\WINNT\system32\syssu32.exe
    O4 - HKLM\..\Run: [13.tmp] C:\DOCUME~1\JERRYM~1\LOCALS~1\Temp\13.tmp.exe 0 28129
    O4 - HKLM\..\Run: [13.tmp.exe] C:\DOCUME~1\JERRYM~1\LOCALS~1\Temp\13.tmp.exe 1 28129
    O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe "
    O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe "
    O4 - Startup: Shortcut to taskmgr.exe.lnk = C:\WINNT\system32\taskmgr.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: W2k PCtel speaker phone - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
    O23 - Service: ProService for 8.2C - Progress Software - C:\DLC\bin\ProSrvc.exe
    O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\crvs32.exe
     
  5. 2005/02/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Have an appointment so won't be able to help at the moment, but if someone else hasn't already, when I get back later I'll be happy to assist. Hang in there! ;)
     
  6. 2005/02/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You should print this out and/or save it to text where you can access it in safe mode.

    Download WinsockFixWinAll.exe <<<<< this is a direct download

    Download CWShredder 2.0 from here. Save it to the desktop. Double click to install.

    Download AboutBuster from one of the following locations.

    http://tools.zerosrealm.com/AboutBuster.zip

    http://www.downloads.subratam.org/AboutBuster.zip

    First unzip all files from the zip folder to a folder on your desktop. Open and double click AboutBuster.exe, click ok, then update. A new screen should popup. On that screen click Check for Updates. If it says it found an update click Download Updates. If it doesn't, it will automatically tell you and exit. Close for now.

    Click here to download cwsserviceremove.zip, unzip it to your desktop and have it ready to run later.

    Check for updates to Ad-aware.

    Click Start>Programs>Administrative Tools>Computer Management. Under Computer Management (Local), expand Services and Applications, and then click Services. Locate Network Security Service, right click and choose properties. Stop the service, then set to disabled. Click Apply then OK. Do the same for ZESOFT if listed. Close the services window and then the Management Console.

    Reboot to safe mode.

    Now in safe mode, you will need to show hidden files and folders, as well as system files and extensions for known file types.

    Close all windows and double click the cwsserviceremove.reg file you unzipped earlier. Click yes to merge it to the registry.

    Scan again with HijackThis and place a check next to the following entries. Close all other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {4277B55C-73D3-C13F-3DD5-B03660716FA5} - C:\WINNT\msdl32.dll
    O4 - HKLM\..\Run: [syssu32.exe] C:\WINNT\system32\syssu32.exe
    O4 - HKLM\..\Run: [13.tmp] C:\DOCUME~1\JERRYM~1\LOCALS~1\Temp\13.tmp.exe 0 28129
    O4 - HKLM\..\Run: [13.tmp.exe] C:\DOCUME~1\JERRYM~1\LOCALS~1\Temp\13.tmp.exe 1 28129
    O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe "


    Open C:\WINNT and delete the file msdl32.dll.
    Open C:\WINNT\system32 and delete the files syssu32.exe, tibs3.exe and crvs32.exe.
    Open C:\Program Files and delete the folders 180solutions, Internet Optimizer, BullsEye Network and Web_Rebates if present.
    Open C:\Temp if present, select all and delete.
    Open C:\WINNT\Temp, select all and delete.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content. Then open the Java Plug-in, click the cache tab and then clear. This will only apply if you have installed Sun Java.

    Open AboutBuster, click start then OK. Exit when finished.

    Open CWShredder from the new shortcut on the desktop, close ALL other windows and click fix.

    Open Ad-aware and run in full scan mode. Delete all it finds.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.


    Reboot back to Windows. Double click WinsockFixWinAll.exe to run. This should fix your IE connection problem.

    Run Housecall. Make sure the box to autoclean is checked.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log.
     
  7. 2005/02/02
    xplayersrevenge

    xplayersrevenge Inactive Thread Starter

    Joined:
    2005/01/25
    Messages:
    8
    Likes Received:
    0
    I did everything you asked except for running housecall and RAV (still can not connect to internet). I was able to get AboutBuster and AD-Aware updated by running them on another computer and updating it there and then copying the reflist.dll and defs.ref files over to the infected pc. Both def files were read just fine. Something I noticed is when I run hijackthis and remove the entries you suggested then run hijackthis again, the exact same files are there that I just removed. Here is my latest HJT log:

    Logfile of HijackThis v1.99.0
    Scan saved at 5:01:30 PM, on 2/1/2005
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    C:\WINNT\System32\taskmgr.exe
    C:\WINNT\explorer.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {4277B55C-73D3-C13F-3DD5-B03660716FA5} - C:\WINNT\msdl32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [syssu32.exe] C:\WINNT\system32\syssu32.exe
    O4 - HKLM\..\Run: [13.tmp] C:\DOCUME~1\JERRYM~1\LOCALS~1\Temp\13.tmp.exe 0 28129
    O4 - HKLM\..\Run: [13.tmp.exe] C:\DOCUME~1\JERRYM~1\LOCALS~1\Temp\13.tmp.exe 1 28129
    O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe "
    O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe "
    O4 - Startup: Shortcut to taskmgr.exe.lnk = C:\WINNT\system32\taskmgr.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: W2k PCtel speaker phone - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
    O23 - Service: ProService for 8.2C - Progress Software - C:\DLC\bin\ProSrvc.exe
    O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\crvs32.exe

    Thanks for your help!
     
  8. 2005/02/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Copy this to text and put on the affected machine so you can copy/paste the file paths below into the Killbox.

    Download The Killbox from here: http://tools.zerosrealm.com/killbox.zip

    Unzip the files to their own folder. Reboot to safe mode. Log on to the Administrator account.

    Open the Killbox folder and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINNT\system32\xbmop.dll

    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". DO NOT allow reboot when prompted. Instead, repeat the above steps for the following and close without reboot.

    C:\WINNT\msdl32.dll

    C:\WINNT\system32\syssu32.exe

    C:\WINNT\System32\tibs3.exe

    C:\WINNT\zeta.exe

    C:\WINNT\crvs32.exe

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {4277B55C-73D3-C13F-3DD5-B03660716FA5} - C:\WINNT\msdl32.dll
    O4 - HKLM\..\Run: [syssu32.exe] C:\WINNT\system32\syssu32.exe
    O4 - HKLM\..\Run: [13.tmp] C:\DOCUME~1\JERRYM~1\LOCALS~1\Temp\13.tmp.exe 0 28129
    O4 - HKLM\..\Run: [13.tmp.exe] C:\DOCUME~1\JERRYM~1\LOCALS~1\Temp\13.tmp.exe 1 28129
    O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe "
    O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\crvs32.exe

    Open C:\Program Files and delete the folders 180solutions, Internet Optimizer, BullsEye Network and Web_Rebates.
    Open C:\Documents and Settings\JERRYM\Local Settings\temp, select all from edit on the toolbar and delete.
    Empty the recycle bin.

    Reboot back into Windows and post a new hijackthis log.

    Run the WinsockFix again and post the log it creates if the internet connection is not fixed. Might be helpful if I had a link to where you think it might have been broken. Have you tried creating a new connection? What exactly happens when you try using IE?
     
  9. 2005/02/03
    xplayersrevenge

    xplayersrevenge Inactive Thread Starter

    Joined:
    2005/01/25
    Messages:
    8
    Likes Received:
    0
    ok, I'm going to be as detailed as possible. I'm going to post the results of each step you wanted me to perform.

    Killbox was downloaded and then I rebooted into safe mode.

    I searched for each file you wanted me to copy into killbox and none of them were found. So I copied the path you specified into killbox anyway and none of them showed up in the "Delete on Reboot" window.

    Then I ran hijackthis. This is what I found

    These entries were in hijackthis, so I removed them:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    O4 - HKLM\..\Run: [syssu32.exe] C:\WINNT\system32\syssu32.exe
    O4 - HKLM\..\Run: [13.tmp] C:\DOCUME~1\JERRYM~1\LOCALS~1\Temp\13.tmp.exe 0 28129
    O4 - HKLM\..\Run: [13.tmp.exe] C:\DOCUME~1\JERRYM~1\LOCALS~1\Temp\13.tmp.exe 1 28129
    O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe "


    These entries were not in hijackthis:

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {4277B55C-73D3-C13F-3DD5-B03660716FA5} - C:\WINNT\msdl32.dll
    O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\crvs32.exe


    Then I went into c:\Program Files and none of the folders you wanted me to delete were there.

    Then I went into C:\Documents and Settings\JERRYM\Local Settings\temp, selected all and deleted everything in that folder. Then emptied the recycle bin.

    Rebooted into normal windows, went into dev mgr and removed my nic and reinstalled it. Went into the properties of IE and changed my home page to www.google.com clicked apply and ok. Immediately went right back into properties of IE and the default home page was once again about:blank.

    Then I ran hijackthis again and here is my latest log:

    Logfile of HijackThis v1.99.0
    Scan saved at 10:08:07 AM, on 2/3/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [syssu32.exe] C:\WINNT\system32\syssu32.exe
    O4 - HKLM\..\Run: [13.tmp] C:\DOCUME~1\JERRYM~1\LOCALS~1\Temp\13.tmp.exe 0 28129
    O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe "
    O4 - HKLM\..\Run: [13.tmp.exe] C:\DOCUME~1\JERRYM~1\LOCALS~1\Temp\13.tmp.exe 1 28129
    O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe "
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: W2k PCtel speaker phone - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
    O23 - Service: ProService for 8.2C - Progress Software - C:\DLC\bin\ProSrvc.exe


    Something else, which I'm sure you are aware of but I need to voice it anyway to be sure: when I remove these items from HJT and immediately run another scan, they are right back where they were 5 sec ago. When I'm in reg path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run I see what HJT is finding. I delete them, refresh and they are back. Obviously there is something else running that HJT is not finding. I'm no dummy when it comes to computers. Actually I did everything described in this entire post prior to my first posting. I just needed to go through the steps just in case I missed something. I normally don't say this, but as much time as I've wasted on this I'm wondering if I should just format the dumb thing and be done with it.

    Any other ideas noahdfear? Thanks a million for your help thus far too!!
     
  10. 2005/02/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Try shutting down Ad-Watch and fixing those entries with HJT, run CWShredder and reboot.
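
Added example, not part of any post in this thread: a small Python script that compares successive HijackThis scans and reports which entries from a fix list are still present afterwards, which is the "I remove them and they come right back" symptom described above. The function names are illustrative, and the sample data is a short excerpt of the logs posted in the thread.

```python
import re

# HijackThis entry lines have the form "<section code> - <detail>",
# e.g. "O4 - HKLM\..\Run: [name] path". Header and process lines do not match.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

# Excerpt of the first scan in the thread (2/1/2005, 2:11 PM).
SCAN_A = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4277B55C-73D3-C13F-3DD5-B03660716FA5} - C:\WINNT\msdl32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [syssu32.exe] C:\WINNT\system32\syssu32.exe
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\crvs32.exe
"""

# Excerpt of the last scan in the thread (2/3/2005, 10:08 AM).
SCAN_B = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [syssu32.exe] C:\WINNT\system32\syssu32.exe
O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
"""

# Excerpt of the entries the helper asked to have fixed before that last scan.
FIX_LIST = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xbmop.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4277B55C-73D3-C13F-3DD5-B03660716FA5} - C:\WINNT\msdl32.dll
O4 - HKLM\..\Run: [syssu32.exe] C:\WINNT\system32\syssu32.exe
O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\crvs32.exe
"""


def parse_hjt(log_text):
    """Return the (code, detail) entry lines of a HijackThis log, in order."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _key(entry):
    """Comparison key: ignore case and the '(file missing)' annotation."""
    code, detail = entry
    detail = re.sub(r"\s*\(file missing\)$", "", detail)
    return code, detail.lower()


def diff_scans(before_text, after_text):
    """Entries added, removed and kept between two scans."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    before_keys = {_key(e) for e in before}
    after_keys = {_key(e) for e in after}
    return {
        "added": [e for e in after if _key(e) not in before_keys],
        "removed": [e for e in before if _key(e) not in after_keys],
        "kept": [e for e in after if _key(e) in before_keys],
    }


def survived_fix(fix_list_text, later_scan_text):
    """Entries that were on the fix list but still appear in a later scan."""
    later_keys = {_key(e) for e in parse_hjt(later_scan_text)}
    return [e for e in parse_hjt(fix_list_text) if _key(e) in later_keys]


if __name__ == "__main__":
    changes = diff_scans(SCAN_A, SCAN_B)
    for label in ("added", "removed", "kept"):
        print(label.upper())
        for code, detail in changes[label]:
            print(f"  {code} - {detail}")
    print("STILL PRESENT AFTER FIX")
    for code, detail in survived_fix(FIX_LIST, SCAN_B):
        print(f"  {code} - {detail}")
```

Entries that survive a fix pass point to something still running that rewrites them, so the useful next step is comparing the process and service sections of the same scans.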
     