
Please check my in-laws' HJT log

Discussion in 'Malware and Virus Removal Archive' started by Bucksone, 2005/02/23.

Thread Status:
Not open for further replies.
  1. 2005/02/23
    Bucksone

    My in-laws' computer has been attacked again. I've managed to correct some of the problems, but I've run out of time and knowledge to correct the rest.
    What I have corrected is I've re-installed their Norton Anti-Virus and re-enabled their Zone Alarm. How those keep getting corrupted I don't know.
    I ran Ad-Aware and deleted about 75 problems. I updated and re-enabled Spyware Blaster to see if that helps.
    Their homepage has been hijacked. Below is a Hijack This log. We would be most appreciative if somebody could review it for us.
    Thanks again.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:02:30 PM, on 4/23/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\ADDWA32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\CSAFE\AUTOCHK.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\NETGX.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\CFGWIZ.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lywac.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lywac.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\lywac.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lywac.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lywac.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lywac.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lywac.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://teen-biz.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.find-now.info/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Class - {D6D1D346-7057-F52B-A543-62788D0CC38F} - C:\WINDOWS\SYSTEM\NETUR32.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ConfigSafe] C:\CSAFE\AUTOCHK.EXE
    O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [kejnqivcxw] C:\WINDOWS\SYSTEM\dknojm.exe
    O4 - HKLM\..\Run: [ct3216v] C:\WINDOWS\SYSTEM\ct3216v.exe
    O4 - HKLM\..\Run: [NETGX.EXE] C:\WINDOWS\SYSTEM\NETGX.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE "
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\CFGWIZ.EXE /R
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [BootWarn] c:\Program Files\Norton AntiVirus\BootWarn.exe /a
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ADDWA32.EXE] C:\WINDOWS\ADDWA32.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.EXE
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O19 - User stylesheet: (file missing)
    O21 - SSODL: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
     
  2. 2005/02/23
    Lonny Jones

    Hello

    Download About:Buster (version 4) and unzip it to a new folder.
    Run it and check for updates, then exit the tool for now.
    http://downloads.subratam.org/AboutBuster.zip


    Familiarize yourself with how to start in Safe Mode and how to show hidden files and folders, if you don't already know how; links below.
    Set Windows to show hidden files, folders and extensions:
    click here for instructions.

    Boot into Safe Mode.
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;180902

    Now run AboutBuster and let it scan twice, save the log somewhere handy when it's done, and post it when back.

    Ensure these files were deleted:
    C:\WINDOWS\system\lywac.dll
    C:\WINDOWS\SYSTEM\NETUR32.DLL
    C:\WINDOWS\SYSTEM\dknojm.exe
    C:\WINDOWS\SYSTEM\ct3216v.exe
    C:\WINDOWS\SYSTEM\NETGX.EXE
    C:\WINDOWS\ADDWA32.EXE
    C:\WINDOWS\temp < delete the entire contents

    Run HijackThis and place a check next to these items:

    all those unwanted R1s and R0s and any with about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {D6D1D346-7057-F52B-A543-62788D0CC38F} - C:\WINDOWS\SYSTEM\NETUR32.DLL
    O4 - HKLM\..\Run: [kejnqivcxw] C:\WINDOWS\SYSTEM\dknojm.exe
    O4 - HKLM\..\Run: [ct3216v] C:\WINDOWS\SYSTEM\ct3216v.exe
    O4 - HKLM\..\Run: [NETGX.EXE] C:\WINDOWS\SYSTEM\NETGX.EXE
    O4 - HKLM\..\RunServices: [ADDWA32.EXE] C:\WINDOWS\ADDWA32.EXE
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/...wave/wtinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/...IL/PhPSetup.cab
    O19 - User stylesheet: (file missing)
    O21 - SSODL: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
    ====================
    Hit Fix checked, exit HijackThis.

    Run Ad-Aware again

    Reboot back to a normal Windows session, download the text attachment, rename it to fixme.REG, then run the registry script to put back the normal Windows startups scanregw and taskmon.

    Then make and post a fresh HijackThis log and that AboutBuster log.
     
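The triage Lonny does by eye above, written out as a checker over the posted log. This is an added example, not code from the thread and not part of HijackThis; SAMPLE_LOG is a constructed excerpt of Bucksone's log (paths and CLSIDs as posted), DELETE_LIST is Lonny's "ensure these files were deleted" list, and the rules generalise his instructions into pattern checks (any R0/R1 pointing into a local DLL via res:// or set to about:blank, the missing URLSearchHook, a BHO with no real name, any startup or BHO loading a delete-list file, every O16 download, and O19/O21 hooks whose file is gone). Nothing beyond his reply is encoded as "bad".

```python
"""Triage a HijackThis 1.99.1 log with the rules Lonny applied in the reply above.

Added example: not from the thread and not HijackThis code. SAMPLE_LOG is a
constructed excerpt of the posted log; DELETE_LIST is Lonny's delete list.
"""
import re

DELETE_LIST = (  # upper-cased so matching is case-insensitive
    r"C:\WINDOWS\SYSTEM\LYWAC.DLL",
    r"C:\WINDOWS\SYSTEM\NETUR32.DLL",
    r"C:\WINDOWS\SYSTEM\DKNOJM.EXE",
    r"C:\WINDOWS\SYSTEM\CT3216V.EXE",
    r"C:\WINDOWS\SYSTEM\NETGX.EXE",
    r"C:\WINDOWS\ADDWA32.EXE",
)

# Constructed excerpt of Bucksone's log (entries copied as posted).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\ADDWA32.EXE
C:\WINDOWS\SYSTEM\NETGX.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lywac.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://teen-biz.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {D6D1D346-7057-F52B-A543-62788D0CC38F} - C:\WINDOWS\SYSTEM\NETUR32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [kejnqivcxw] C:\WINDOWS\SYSTEM\dknojm.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE "
O4 - HKLM\..\RunServices: [ADDWA32.EXE] C:\WINDOWS\ADDWA32.EXE
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab
O19 - User stylesheet: (file missing)
O21 - SSODL: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

def on_delete_list(text):
    """The delete-list path referenced by `text`, or None."""
    upper = text.upper()
    return next((p for p in DELETE_LIST if p in upper), None)

def triage_entry(line):
    """Why this entry should be ticked for 'Fix checked', or None if left alone."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    upper = body.upper()
    hit = on_delete_list(body)
    if sec in ("R0", "R1"):
        if "RES://" in upper and ".DLL/" in upper:
            return "IE search/start page served out of a local DLL via res://"
        if "ABOUT:BLANK" in upper:
            return "page set to about:blank"
        if "PROXYOVERRIDE" in upper:
            return "ProxyOverride entry, goes with the other unwanted R1s"
        if "SEARCHURL" in upper or "_BAK" in upper:
            return "search/start URL the owner did not choose"
        return None
    if sec == "R3" and "MISSING" in upper:
        return "default URLSearchHook has been removed"
    if sec == "O2" and (hit or body.startswith("BHO: Class - {")):
        return "BHO with no real name, or loading a delete-list file"
    if sec == "O4" and hit:
        return "startup runs %s (on the delete list)" % hit
    if sec == "O16":
        return "downloaded ActiveX control; remove, reinstall from the vendor if wanted"
    if sec in ("O19", "O21") and ("(FILE MISSING)" in upper or "(NO FILE)" in upper):
        return "hook whose target file is gone"
    return None

def running_from_delete_list(log_text):
    """Delete-list files under 'Running processes:'. They are loaded in memory,
    which is why the files are removed from Safe Mode rather than live."""
    running, in_procs = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs and not line:
            break
        elif in_procs and on_delete_list(line):
            running.append(line)
    return running

def triage(log_text):
    """Split the log's R/O entries into (to_fix, clean) lists of (line, reason)."""
    to_fix, clean = [], []
    for line in log_text.splitlines():
        if ENTRY_RE.match(line.strip()):
            reason = triage_entry(line)
            (to_fix if reason else clean).append((line.strip(), reason))
    return to_fix, clean

if __name__ == "__main__":
    for proc in running_from_delete_list(SAMPLE_LOG):
        print("running, delete from Safe Mode:", proc)
    to_fix, clean = triage(SAMPLE_LOG)
    for line, why in to_fix:
        print("FIX  %-60.60s  %s" % (line, why))
    print("%d entries to fix, %d left alone" % (len(to_fix), len(clean)))
```

Run against the excerpt it ticks eleven entries and leaves the Adobe BHO, SysTray and ZoneAlarm startups alone, and reports ADDWA32.EXE and NETGX.EXE as live processes, which is the reason for the Safe Mode step: a file that is running cannot be deleted from a normal session on Windows 98.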


  4. 2005/02/23
    Bucksone

    I forgot to mention, my in-laws are running Windows 98SE, if that makes a difference to the instructions given so far.
    Also, bear with me, please, if I'm not prompt in posting back. Since this is on their computer, I'll have to wait until the next time I go over to their house to work on their computer.
     
  5. 2005/02/23
    Lonny Jones

    OK, keep in mind those startups and BHOs might be changed.

    So keep a record. For example, everything besides what we marked for deleting is a good thing; all else needs to go, unless they have been uninstalling or installing new programs.

    Plus that reg file will restore these two:
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
     
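The attachment Lonny refers to is not on the page, so here is what a registry script restoring those two startups looks like, as an added example rather than his actual file. It is written in the REGEDIT4 format Windows 98 regedit accepts and assumes the default C:\WINDOWS path shown in the posted log; backslashes inside .reg string values must be doubled.

```reg
REGEDIT4

; Added example (not the attachment from the thread): puts back the two
; standard Windows 98 startups listed above. Assumes Windows is in C:\WINDOWS.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
```

Save it with a .reg extension, double-click it from a normal Windows session and confirm the merge; a fresh HijackThis log should then show the two O4 entries exactly as quoted above.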