
Hijack This log from my In-Laws

Discussion in 'Malware and Virus Removal Archive' started by Bucksone, 2004/11/24.

Thread Status:
Not open for further replies.
  1. 2004/11/24
    Bucksone

    Bucksone Well-Known Member Thread Starter

    Joined:
    2003/07/28
    Messages:
    505
    Likes Received:
    2
    I'm looking for advice on correcting the hijacked homepage from my in-law's computer. Below is a Hijack This log. They run Windows 98.

    Logfile of HijackThis v1.98.2
    Scan saved at 8:32:42 PM, on 11/24/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\CSAFE\AUTOCHK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\TEMP\SALM.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
    C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS19802.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://teen-biz.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.find-now.info/
    R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.6\WEBDLG32.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.6\WEBDLG32.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.6\WEBDLG32.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ConfigSafe] C:\CSAFE\AUTOCHK.EXE
    O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [kejnqivcxw] C:\WINDOWS\SYSTEM\dknojm.exe
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [wnupmj] c:\windows\wnupmj.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE "
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MFCSJ.EXE] C:\WINDOWS\SYSTEM\MFCSJ.EXE
    O4 - HKLM\..\RunServices: [MFCQA32.EXE] C:\WINDOWS\MFCQA32.EXE
    O4 - HKLM\..\RunServices: [APPUB.EXE] C:\WINDOWS\SYSTEM\APPUB.EXE
    O4 - HKLM\..\RunServices: [NETOC.EXE] C:\WINDOWS\SYSTEM\NETOC.EXE
    O4 - HKLM\..\RunServices: [SDKRA.EXE] C:\WINDOWS\SYSTEM\SDKRA.EXE
    O4 - HKLM\..\RunServices: [SDKPR.EXE] C:\WINDOWS\SDKPR.EXE
    O4 - HKLM\..\RunServices: [SYSUW32.EXE] C:\WINDOWS\SYSTEM\SYSUW32.EXE
    O4 - HKLM\..\RunServices: [APPOW32.EXE] C:\WINDOWS\SYSTEM\APPOW32.EXE
    O4 - HKLM\..\RunServices: [JAVAFU.EXE] C:\WINDOWS\JAVAFU.EXE
    O4 - HKLM\..\RunServices: [CRZL32.EXE] C:\WINDOWS\CRZL32.EXE
    O4 - HKLM\..\RunServices: [WINWT32.EXE] C:\WINDOWS\SYSTEM\WINWT32.EXE
    O4 - HKLM\..\RunServices: [SYSUR32.EXE] C:\WINDOWS\SYSTEM\SYSUR32.EXE
    O4 - HKLM\..\RunServices: [ATLMA.EXE] C:\WINDOWS\ATLMA.EXE
    O4 - HKLM\..\RunServices: [ADDTL.EXE] C:\WINDOWS\SYSTEM\ADDTL.EXE
    O4 - HKLM\..\RunServices: [MSGZ32.EXE] C:\WINDOWS\MSGZ32.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ADDWD32.EXE] C:\WINDOWS\SYSTEM\ADDWD32.EXE
    O4 - HKLM\..\RunServices: [CRNW32.EXE] C:\WINDOWS\CRNW32.EXE
    O4 - HKLM\..\RunServices: [MSLG32.EXE] C:\WINDOWS\SYSTEM\MSLG32.EXE
    O4 - HKLM\..\RunServices: [IPZT.EXE] C:\WINDOWS\SYSTEM\IPZT.EXE
    O4 - HKLM\..\RunServices: [WINYA32.EXE] C:\WINDOWS\SYSTEM\WINYA32.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {A7F82252-EF7F-4E46-8595-84AE76D5FE03} (InstControl Class) - http://neo-toolbar.com/Inst.cab
    O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    O16 - DPF: {63F62C5B-C3AB-720E-E227-3F0459133A93} - http://82.179.166.72/1/rdgUS208.exe
    O19 - User stylesheet: (file missing)
    O21 - SSODL: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)

    Thanks for any help.
     
  2. 2004/11/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Major league CoolWebSearch infection and probably at least one or two other virus infections.

    Print a copy of this page before you start the cleaning process.

    C:\WINDOWS\DESKTOP\HIJACKTHIS19802.EXE
    This needs to be in a folder of its own before we start removing stuff. Maybe c:\hjt or any other folder of your choice as long as it's not a temp folder and not the desktop.

    Download CWShredder 2.0 but don't do anything with it just yet. You'll need it to remove CoolWebSearch after we stop all the running junk.

    Download LSPfix but don't do anything with it just yet. May not need it but probably will - if the browser won't connect to the internet when we are done, this utility should fix things so it will.

    Download and install Agent Ransack

    Disconnect from the internet.

    Run HJT again, scan, and remove the following entries.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\umclq.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://teen-biz.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.find-now.info/
    R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.6\WEBDLG32.DLL
    O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.6\WEBDLG32.DLL
    O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.6\WEBDLG32.DLL
    O4 - HKLM\..\Run: [kejnqivcxw] C:\WINDOWS\SYSTEM\dknojm.exe
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
    O4 - HKLM\..\Run: [wnupmj] c:\windows\wnupmj.exe
    O4 - HKLM\..\RunServices: [MFCSJ.EXE] C:\WINDOWS\SYSTEM\MFCSJ.EXE
    O4 - HKLM\..\RunServices: [MFCQA32.EXE] C:\WINDOWS\MFCQA32.EXE
    O4 - HKLM\..\RunServices: [APPUB.EXE] C:\WINDOWS\SYSTEM\APPUB.EXE
    O4 - HKLM\..\RunServices: [NETOC.EXE] C:\WINDOWS\SYSTEM\NETOC.EXE
    O4 - HKLM\..\RunServices: [SDKRA.EXE] C:\WINDOWS\SYSTEM\SDKRA.EXE
    O4 - HKLM\..\RunServices: [SDKPR.EXE] C:\WINDOWS\SDKPR.EXE
    O4 - HKLM\..\RunServices: [SYSUW32.EXE] C:\WINDOWS\SYSTEM\SYSUW32.EXE
    O4 - HKLM\..\RunServices: [APPOW32.EXE] C:\WINDOWS\SYSTEM\APPOW32.EXE
    O4 - HKLM\..\RunServices: [JAVAFU.EXE] C:\WINDOWS\JAVAFU.EXE
    O4 - HKLM\..\RunServices: [CRZL32.EXE] C:\WINDOWS\CRZL32.EXE
    O4 - HKLM\..\RunServices: [WINWT32.EXE] C:\WINDOWS\SYSTEM\WINWT32.EXE
    O4 - HKLM\..\RunServices: [SYSUR32.EXE] C:\WINDOWS\SYSTEM\SYSUR32.EXE
    O4 - HKLM\..\RunServices: [ATLMA.EXE] C:\WINDOWS\ATLMA.EXE
    O4 - HKLM\..\RunServices: [ADDTL.EXE] C:\WINDOWS\SYSTEM\ADDTL.EXE
    O4 - HKLM\..\RunServices: [MSGZ32.EXE] C:\WINDOWS\MSGZ32.EXE
    O4 - HKLM\..\RunServices: [ADDWD32.EXE] C:\WINDOWS\SYSTEM\ADDWD32.EXE
    O4 - HKLM\..\RunServices: [CRNW32.EXE] C:\WINDOWS\CRNW32.EXE
    O4 - HKLM\..\RunServices: [MSLG32.EXE] C:\WINDOWS\SYSTEM\MSLG32.EXE
    O4 - HKLM\..\RunServices: [IPZT.EXE] C:\WINDOWS\SYSTEM\IPZT.EXE
    O4 - HKLM\..\RunServices: [WINYA32.EXE] C:\WINDOWS\SYSTEM\WINYA32.EXE
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/...wave/wtinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/...IL/PhPSetup.cab
    O16 - DPF: {A7F82252-EF7F-4E46-8595-84AE76D5FE03} (InstControl Class) - http://neo-toolbar.com/Inst.cab
    O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
    O16 - DPF: {63F62C5B-C3AB-720E-E227-3F0459133A93} - http://82.179.166.72/1/rdgUS208.exe
    O19 - User stylesheet: (file missing)
    O21 - SSODL: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)

    Use Agent Ransack and delete the following
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.6 (the entire folder)
    C:\TEMP\*.* (all files but not the folder)
    C:\WINDOWS\SYSTEM\dknojm.exe
    c:\windows\wnupmj.exe
    C:\WINDOWS\SYSTEM\MFCSJ.EXE
    C:\WINDOWS\MFCQA32.EXE
    C:\WINDOWS\SYSTEM\APPUB.EXE
    C:\WINDOWS\SYSTEM\NETOC.EXE
    C:\WINDOWS\SYSTEM\SDKRA.EXE
    C:\WINDOWS\SDKPR.EXE
    C:\WINDOWS\SYSTEM\SYSUW32.EXE
    C:\WINDOWS\SYSTEM\APPOW32.EXE
    C:\WINDOWS\JAVAFU.EXE
    C:\WINDOWS\CRZL32.EXE
    C:\WINDOWS\SYSTEM\WINWT32.EXE
    C:\WINDOWS\SYSTEM\SYSUR32.EXE
    C:\WINDOWS\ATLMA.EXE
    C:\WINDOWS\SYSTEM\ADDTL.EXE
    C:\WINDOWS\MSGZ32.EXE
    C:\WINDOWS\SYSTEM\ADDWD32.EXE
    C:\WINDOWS\CRNW32.EXE
    C:\WINDOWS\SYSTEM\MSLG32.EXE
    C:\WINDOWS\SYSTEM\IPZT.EXE
    C:\WINDOWS\SYSTEM\WINYA32.EXE

    Run CWShredder and click on the Fix button.

    Reconnect to the internet and run at least one online AV scan. Two sites and a scan from each would be better.
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Download, install, update, and run
    Ad-aware (fix all it finds)
    Spybot (fix all it flags as baddies)
    Spywareblaster (nothing to fix - passive protection)

    Disconnect from the internet again and use the following 98 general cleanup instructions:

    General clean-up instructions for Win95/98/ME
    • Open a browser window and dump all TIF (temporary internet files) and cookies. Close.
    • Open windows explorer and
      .. delete the contents of all temp folders
      .. delete any files in c:\ with a name filennnn.chk (where nnnn is any number so file0001.chk, file1034.chk, etc)
    • verify that you have fewer than 500 files & folders directly under c:\. If you are close to that number, remove or move some files.
    • empty the recycle bin
    • boot to DOS
    • from the command prompt do the following
      .. scanreg /fix <ENTER> (press the ENTER key)
      .. scanreg /opt <ENTER>
      ****note that 95 does not have scanreg.exe but a copy from 98 or ME will run fine if you can get one
      .. scandisk c:\ /nosave /autofix /surface <ENTER>
      .. Win /D:M (forces a safe mode windows start)
    • Run another scandisk (start~programs~accessories~system tools) and check for a standard scan and to fix all errors found. The DOS scan couldn't check for long file name issues.
    • Run a defrag
    • Reboot to normal Windows.
     
    Newt,
    #2


  4. 2004/11/29
    Bucksone

    Bucksone Well-Known Member Thread Starter

    Joined:
    2003/07/28
    Messages:
    505
    Likes Received:
    2
    Just to be polite, I wanted to post this to alert those helping me that I'm not ignoring their suggestions. Since the problem is on my in-laws' computer, I have to wait to get back over to their house to follow the suggested fixes. When I do so, I'll update this thread. Thanks for the help so far.
     
  5. 2004/12/04
    Bucksone

    Bucksone Well-Known Member Thread Starter

    Joined:
    2003/07/28
    Messages:
    505
    Likes Received:
    2
    Logfile of HijackThis v1.98.2
    Scan saved at 5:16:18 PM, on 12/4/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\CSAFE\AUTOCHK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
    C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HJT\HIJACKTHIS19802.EXE

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ConfigSafe] C:\CSAFE\AUTOCHK.EXE
    O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE "
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

    Above is a Hijack This log from after making the corrections/fixes suggested by Newt. It looks good to my untrained eye, but I defer to the experts here.

    A few notes that I made while making the fixes.

    I didn't need to use the LSPfix, as I was able to reconnect to the Internet without problem.

    There were a few entries I was instructed to remove from the Hijack This log that weren't present when I ran the scan to do so. Referring to the list supplied by Newt, these not-present items were:
    the first R0 item
    the R1 item referring to teen-biz.com
    the R3 item
    the O2 item
    the O3 item
    the O4 item referring to wnupmj.exe
    the O21 item

    When I ran Agent Ransack, there were only two of the suggested corrections present to delete. These were the CONFLICT.6 item and the wnupmj.exe item.

    I ran both online AV scans. The Pandasoft scan detected 6 infected items. There were two it couldn't disinfect. They were C:\WINDOWS\TEMP\TH177FS.TMP\polall1l.exe and C:\WINDOWS\TEMP\TH1030.TMP\polall1l.exe

    I then proceeded to the general clean-up instructions. In Windows Explorer, I clicked on C: and was only able to locate one file listed on the right side of the window of the filennnn.chk type, which I deleted. I wasn't sure how to verify that there were fewer than 500 files and folders directly under c:\.
    When in DOS, I ran into a problem following the instructions regarding scandisk c:\/nosave/autofix/surface. I got a response of "is not a valid name for a DriveSpace volume file."

    That's all of my notes. I and my in-laws say thank you for all of the help. I've spent the afternoon here at their house (got a good lunch out of it!), so any further suggestions or instructions will have to wait until the next time I'm here to be implemented.
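    An added example, not part of this thread and not HijackThis's own code, written in Python: it parses the R*/O* entry lines of logs like the ones posted here, diffs a before log against an after log, checks a helper's removal list against a re-run log to report which items were already gone (the comparison done by hand in the post above), and flags the entry types Newt had removed. The sample logs are constructed excerpts of this thread's own logs, and the flagging heuristics are assumptions of this example, not rules from HijackThis.

    ```python
    from __future__ import annotations
    import re
    from typing import NamedTuple

    class Entry(NamedTuple):
        section: str  # HijackThis section tag: R0/R1/R3, O2, O4, O15, O16, ...
        body: str     # the rest of the line after the "R1 - " prefix

    # Only R*/O* entry lines match; the header and "Running processes" paths are skipped.
    _LINE = re.compile(r"^\s*([RO]\d+)\s+-\s+(.*\S)\s*$")

    def parse_hjt(text: str) -> list[Entry]:
        return [Entry(m[1], m[2]) for m in map(_LINE.match, text.splitlines()) if m]

    def _key(e: Entry) -> str:
        # Paths and registry names are case-insensitive and HJT's spacing varies
        # between runs, so compare lowercased with whitespace collapsed.
        return e.section.lower() + "|" + " ".join(e.body.lower().split())

    def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
        """Return (entries gone since `before`, entries new in `after`)."""
        b = {_key(e): e for e in parse_hjt(before)}
        a = {_key(e): e for e in parse_hjt(after)}
        return [e for k, e in b.items() if k not in a], [e for k, e in a.items() if k not in b]

    def check_removal_list(removal_list: str, current_log: str) -> tuple[list[Entry], list[Entry]]:
        """Split a helper's 'remove these' list into (still in the log, already absent)."""
        present = {_key(e) for e in parse_hjt(current_log)}
        wanted = parse_hjt(removal_list)
        return ([e for e in wanted if _key(e) in present],
                [e for e in wanted if _key(e) not in present])

    _IP_HOST = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/")

    def flag_suspicious(entries: list[Entry]) -> list[tuple[Entry, str]]:
        """Defender heuristics (assumed here) for the entry types this thread removed."""
        flagged = []
        for e in entries:
            body = e.body.lower()
            if e.section.startswith("R") and "res://" in body:
                flagged.append((e, "search/start page redirected into a local DLL resource"))
            elif e.section == "O15":
                flagged.append((e, "site added to the IE Trusted Zone"))
            elif e.section == "O16" and (_IP_HOST.search(body) or body.endswith(".exe")):
                flagged.append((e, "ActiveX download from a bare IP or a direct .exe"))
            elif e.section == "O4" and "\\temp\\" in body:
                flagged.append((e, "autorun entry launching from a temp folder"))
        return flagged

    # Constructed samples in the format of this thread's logs: a "before" excerpt, the removal
    # list derived from it, a re-run where one item had already vanished, and the "after" excerpt.
    BEFORE = r"""
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\umclq.dll/sp.html#29126
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O15 - Trusted Zone: *.searchmiracle.com
    O16 - DPF: {63F62C5B-C3AB-720E-E227-3F0459133A93} - http://82.179.166.72/1/rdgUS208.exe
    """
    REMOVE = "\n".join(l for l in BEFORE.splitlines() if "ccApp" not in l)
    RERUN = "\n".join(l for l in BEFORE.splitlines() if not l.startswith("R0"))
    AFTER = r"""
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    """
    ```

    Feeding the full first and last logs of this thread to diff_logs gives the complete removed/added lists, and check_removal_list against the re-run log reproduces the "not present" list worked out by hand above.
    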
     
  6. 2004/12/04
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Well, it looks one heck of a lot cleaner to me. I think you got it all for the moment.

    You might want to have them set up a new home page though. I'm not sure but I think the lack of one indicated in the last log you posted might leave things a little more open to having a bad one put in. Maybe not but .....

    Did you load any spyware blockers on there like spywareblaster for passive blocking or Ad-Aware SE / Spybot for them to run for periodic cleaning?
     
    Newt,
    #5
  7. 2004/12/04
    Bucksone

    Bucksone Well-Known Member Thread Starter

    Joined:
    2003/07/28
    Messages:
    505
    Likes Received:
    2
    I have google.com set as the home page on their computer. I like it because it is a simple page that loads fast.
    I have Spywareblaster, Ad-Aware, and Spybot on their computer as well. I will make sure I get over there more often to run the last two, as I don't think having them do it is a good idea. They're doing good if they can remember to have their computer turned on during the time period that Norton runs its weekly scan.

    Thanks once more, Newt, for all of your help.
     
  8. 2004/12/04
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Sounds like they are great candidates for an upgrade to XP since there is no good scheduler feature for 9X and with XP, you could set the cleaning routines to auto-run.
     
    Newt,
    #7