
Tried everything I know... still being hit... HJT Log posted

Discussion in 'Security and Privacy' started by CharlieJ, 2004/07/21.

Thread Status:
Not open for further replies.
  1. 2004/07/21
    CharlieJ

    CharlieJ Inactive Thread Starter

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    I got roped into helping a company employee with their home PC. It seems the 19yo son has been playing with P2P and **** movies on Mom's PC. So, as you can imagine, the machine has been pounded with malware.

    System: Gateway E500; 256Mb RAM; Windows 2000; DSL to Net

    Here's what I've done so far:
    1) Deleted all questionable content
    2) Uninstalled BearShare, KazaaLite, Gnutella elements, P2P Networking in the OS and a host of pieces-parts installs of other baddies.
    3) Installed, updated, configured and ran Ad-Aware (~1,550 items found)
    4) Installed, updated, configured and ran Spybot v1.3 (~150 items found)
    5) Cleaned all items from #3 & #4 (with the exception of DownloadWare --which wouldn't go away)
    6) Verified NAV was up-to-date. Ran full system scan (0 viruses found)
    7) Installed IESPYADS files
    8) Installed latest HOSTS file from mvps.org
    9) Renamed Admin account & added password protection
    10) Renamed & disabled Guest acct
    11) Used gpedit.msc to restrict certain IE elements
    12) Used gpedit.msc to employ (password protected) Content Advisor

    After rebooting several times, I couldn't find anything else that was causing trouble. BUT, when I took the PC back to her home and we hooked it up to the DSL connection, a browser hijacker took control -- delivering pop-ups and resetting the home page continually.

    Reran Spybot and Ad-aware. Neither found anything new (DownloadWare is still there). NO other problems found on first scan. Without scanning further, rebooted and reran Spybot. This time, it found AdGoblin and one other spyware component (don't recall the name).

    I've done all I know to do, so I'm coming back to the faithful WindowsBBS.com forum for assistance. [Even though my ID doesn't show it, I am a contributing member -- primarily because of the awesome help I've received here]

    Anyway, here is the HJT log in hopes you folks can help me kill the malware once and (after she gets finished kicking her son's rear end) for all...

    Logfile of HijackThis v1.98.0
    Scan saved at 11:31:56 AM, on 7/20/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\GEARSEC.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\winhl32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\PROMon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\SK9910DM.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINNT\system32\javaix.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptmzs.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ptmzs.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ptmzs.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptmzs.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptmzs.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ptmzs.dll/index.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {30DA2D6C-E837-7622-2F99-E5F295F3B511} - C:\WINNT\system32\addmb.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue: "Keyboard Preload Check "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [javaix.exe] C:\WINNT\system32\javaix.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINNT\System32\E_SAEE.tmp "
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15db451ed965bac34f01/netzip/RdxIE601.cab
    O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://www.ccrodinternet.org/imw32o40.cab
    O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.ccrodinternet.org/prntpro2.CAB
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_4_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8DDF962C-8E9F-4AD2-9210-4B1889E6BD46}: Domain = lorishealthcaresystem.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = lorishealthcaresystem.com,lorishealthcaresystem.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = lorishealthcaresystem.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = lorishealthcaresystem.com,lorishealthcaresystem.com

    I await your advice (besides installing SP4, which I know she needs to do). THANKS!
    CharlieJ
     
  2. 2004/07/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Charlie :)

    http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=36434 for info on the following process. Oddly enough, I don't see the run entries for it. Delete the named files while in safe mode.
    C:\WINNT\system32\winhl32.exe

    Download CWShredder version 1.59.1 from the link in my signature.
    Check for Ad-aware updates.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptmzs.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ptmzs.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ptmzs.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptmzs.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptmzs.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ptmzs.dll/index.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {30DA2D6C-E837-7622-2F99-E5F295F3B511} - C:\WINNT\system32\addmb.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe <<< not needed at startup
    O4 - HKLM\..\Run: [javaix.exe] C:\WINNT\system32\javaix.exe
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15db451ed965ba...ip/RdxIE601.cab
    O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://www.ccrodinternet.org/imw32o40.cab
    O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.ccrodinternet.org/prntpro2.CAB

    Reboot to safe mode.

    Open CWShredder and click fix.

    Open C:\WINNT\system32 and delete the file javaix.exe.
    Open C:\Program Files\Common Files\Real\Update_OB and rename realsched.exe to realsched.old
    Open C:\WINNT\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.

    Run Ad-aware and delete all it finds.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup.

    Reboot back into windows, open Spybot and click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install and update. Check for updates weekly. Still in Spybot, click tools in the left pane, then resident and check the box for SD Helper. Then click IE tweaks and at least lock the HOSTS file. Close Spybot and reboot.

    I'd really like to see you do the Windows Updates at this point. There are vulnerabilities that need to be patched to help protect the machine from becoming reinfected.

    Scan the PC with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.
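    The entries noahdfear picks out above share a few recognisable shapes: start/search pages served from a DLL via res://, a BHO registered with no name, and an ActiveX download from a bare IP address. The following script is an added example, not part of this thread or of HijackThis itself; it parses HJT-style entries and flags those patterns, run here over constructed sample lines copied from the logs posted in this thread (the second log with jhvbq.dll triggers the same rules).

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis logs posted in this thread:
# the hijacked R0/R1 entries, the unnamed BHO, the raw-IP O16 download,
# plus a few benign lines that should pass untouched.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptmzs.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ptmzs.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {30DA2D6C-E837-7622-2F99-E5F295F3B511} - C:\WINNT\system32\addmb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [javaix.exe] C:\WINNT\system32\javaix.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15db451ed965bac34f01/netzip/RdxIE601.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
"""

# Every HJT entry starts with a section tag (R0, R1, R3, O2, O4, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "hijack", "suspicious" or "review"
    reason: str
    entry: str


def _host_is_raw_ip(url):
    """True when the URL's host is a literal IP address rather than a host name."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_entry(section, body):
    """Return a Finding for one HJT entry, or None if nothing about it looks off."""
    entry = f"{section} - {body}"
    if section in ("R0", "R1"):
        # Start/search pages are normally http(s) URLs or about:blank. A res://
        # URL loads the page out of a DLL's resources on the local disk, which is
        # how the hijack in this thread (ptmzs.dll, later jhvbq.dll) pins the home page.
        value = body.split(" = ", 1)[-1].strip()
        if value.lower().startswith("res://"):
            return Finding(section, "hijack", "IE start/search page served from a DLL resource (res://)", entry)
    elif section == "R3" and "URLSearchHook is missing" in body:
        return Finding(section, "review", "default URLSearchHook removed; restore it when fixing", entry)
    elif section == "O2" and body.startswith("BHO: (no name)"):
        # Legitimate Browser Helper Objects register a class name; an unnamed one deserves a look.
        return Finding(section, "suspicious", "Browser Helper Object registered without a name", entry)
    elif section == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        if _host_is_raw_ip(url):
            return Finding(section, "suspicious", "ActiveX control downloaded from a bare IP address", entry)
    return None


def scan_log(text):
    """Run check_entry over every HJT entry line; header and process-list lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        finding = check_entry(m.group("section"), m.group("body"))
        if finding:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'hijack': 2, 'suspicious': 2, 'review': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:>10}] {f.section}: {f.reason}\n    {f.entry}")
    print(summarize(results))
```

    The rules are heuristics for triage only: an entry that passes (such as the O4 lines here) still needs the file checked, as the thread does with javaix.exe.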
     


  4. 2004/07/21
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    CharlieJ - do I understand the flow of things correctly in that the machine behaved fine while connected to the internet away from the user's house and went nuts again only after hooked back up to their connection?

    If so, do they have just the one machine or do they have a home network?
     
    Newt,
    #3
  5. 2004/07/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Good catch Newt! ;) Some of what I'm seeing in the log suggests a network. Charlie, don't connect this machine to the network until they are all clean, or block ALL network traffic. :)
     
  6. 2004/07/21
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    A home network could certainly do this but that is the more pleasant of the possibilities if, in fact, the machine did get slammed only after connecting back to the user's home setup. Could be the ISP is eaten up and causing the problems.
     
    Newt,
    #5
  7. 2004/07/21
    LDTate

    LDTate Inactive

    Joined:
    2004/06/29
    Messages:
    284
    Likes Received:
    0
    Newt, Dave

    Are these what got your attention to possible network?

    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    And the four 017's
     
  8. 2004/07/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Me? Yes. :)
     
  9. 2004/07/21
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Me - no. I didn't read the log that carefully but the described behavior made it the most likely possibility.

    Now that you point to those entries, they certainly would have if I'd read carefully.
     
    Newt,
    #8
  10. 2004/07/21
    LDTate

    LDTate Inactive

    Joined:
    2004/06/29
    Messages:
    284
    Likes Received:
    0
    noahdfear
    Newt

    Thanks :)
     
  11. 2004/07/22
    CharlieJ

    CharlieJ Inactive Thread Starter

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    First, an answer to other questions -- This is a home PC that uses DSL to connect to the Net. There are no other PCs in the home. VPN is used only for connecting to our company network (thus the reason I was roped into helping with the PC).

    As for clarification on behavior -- The PC was brought to me and I worked on it without putting it on our corp network. It looked fine when I finished. The PC began to "act up" (browser hijacker, pop-ups, etc) only after I took it to her home and hooked it back to her DSL connection. FWIW, I opened and closed IE several times while cleaning the PC. There were never any visible attempts to connect to a network nor any pop-ups from the HDD.

    I hope this clarifies things. I'll work on the HJT entries and other recommendations this evening. THANKS!
     
  12. 2004/07/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The immunization stuff will help protect the machine somewhat if the ISP is infected, but you should also install a firewall, which will at least alert you if something gets in and tries to connect. Not really sure if there is a way to completely protect against an infected ISP though. :confused:
     
  13. 2004/07/23
    CharlieJ

    CharlieJ Inactive Thread Starter

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    Progress Report 7/22/04

    :D First, please accept my sincere KUDOs to all who have offered advice. I worked on it 3.5 hours yesterday. Here is a progress report based on your response to the 1st HJT log posted...

    Rebooted to Safe Mode
    Deleted winhl32.exe
    Fixed all HJT entries as requested
    Forgot the 2nd reboot into Safe Mode
    Ran CWShredder = Found 3 registry entries
    Could not find javaix.exe anywhere on HDD, but did kill the running process
    Renamed realsched.exe to ~.old
    Deleted all temp files for all users
    Updated & ran Ad-aware6 = Found 6 items; all cleaned
    Ran Disk Cleanup on C:\
    Rebooted into Normal Mode
    Immunized using Spybot
    Installed, updated & cfg'd Spyware Blaster
    :confused: ODDITY #1: SDHelper would not allow checkmark in Spybot (Checkmark would not stay in box - clicked; the box blinks and then goes blank again)
    :confused: ODDITY #2: Under IE tweaks, "Lock the HOSTS file" was grayed out (Could not complete this step. Might this be because I am using the mvps.org HOSTS file?)
    Ran WindowsUpdate = 42 updates needed including IE6 SP1, W2K SP4, OE6 SP1, among others
    Rebooted again
    RAV online will not allow full HDD scan, so ran 4 other online scanners instead:
    a) TrendMicro = Found 3 viruses (troj_agent.pa in n_aeryo.dat; troj_agent.ar in n_habuuh.dat and troj_strtpage.rn in n_zbcudi.dat) :confused: ODDITY #3: Could not find the infected files anywhere on the HDD. Checked the reg entries, as directed by TrendMicro, but they were not as described.
    b) Symantec Online Security Scan = Found 0, but did say PC was secure - with the exception of outdated AV software. The ironic part is that she uses NAV with updated def files. Anyway...
    c) Panda ActiveScan = Found problem with C:\WINNT\SYSTEM32\0 :confused: ODDITY #4: I couldn't find the "0" file/folder that Panda warned about.
    d) TrojanScan.com = Found 0 problems

    Now, my "added measures":
    Ran Ad-aware (0 found) and Spybot (DSO Exploit found) again.
    Then, installed Sygate Personal Firewall (Set to Normal) Q: Should this be set to Block All? She uses VPN to connect to our corp network. Otherwise, regular web surfing is the main use.

    Lastly, rebooted PC. At boot, the PC reported that C:\temp\TDECntrl\TDEC.dll & TDE.dll were not present. I forgot to go back and remove these entries from the registry, but that won't break the system. I was working on 4-5 hours sleep, so please forgive me for missing this.

    Ran another HJT log. PLEASE help me run through this one more time.

    Logfile of HijackThis v1.98.0
    Scan saved at 7:29:58 PM, on 7/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\GEARSEC.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\winhl32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\system32\PROMon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\system32\SK9910DM.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINNT\system32\javaix.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jhvbq.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jhvbq.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jhvbq.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\jhvbq.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jhvbq.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jhvbq.dll/index.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {30DA2D6C-E837-7622-2F99-E5F295F3B511} - C:\WINNT\system32\addmb.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue: "Keyboard Preload Check "
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [javaix.exe] C:\WINNT\system32\javaix.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINNT\System32\E_SAEE.tmp "
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_4_0.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = lorishealthcaresystem.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = lorishealthcaresystem.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = lorishealthcaresystem.com

    :D THANKS again for ALL your help. I appreciate that threads like this one are archived for the next victim. I have never wished physical harm on anyone, but IF I could get my hands on the punks who write malware... @%#&^$!!

    Sorry. I gotta get more sleep... :)
     
    Last edited: 2004/07/23
  14. 2004/07/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download About:Buster from either of the following locations.

    http://www.atribune.org/downloads/AboutBuster.zip
    or
    http://tools.zerosrealm.com/AboutBuster.zip

    Unzip to its own folder.

    Scan again with HijackThis and place a check next to the following entries. Close ALL Internet Explorer windows and leave closed until completed with About:Buster. This is a very important step!! Click fix.

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {30DA2D6C-E837-7622-2F99-E5F295F3B511} - C:\WINNT\system32\addmb.dll
    O4 - HKLM\..\Run: [javaix.exe] C:\WINNT\system32\javaix.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm


    Open and double click aboutBuster.exe. Click ok, then start, then OK. Wait for it to finish, then copy the report to notepad and save.

    Reboot and run another HijackThis scan. Post the log along with the report from About:Buster.

    Try the settings for Spybot again. If still no go, uninstall and reinstall, allowing it to load SD helper during installation.
     
  15. 2004/07/23
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  16. 2004/07/23
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I'd also suggest downloading Agent Ransack to use for your searches. Faster and smarter than the native windows search tools.
     