
System in bad shape - eaten up with junk

Discussion in 'Malware and Virus Removal Archive' started by Newt, 2004/03/10.

Thread Status:
Not open for further replies.
  1. 2004/03/10
    Newt

    Newt Inactive Thread Starter

    A friend is trying to get some business PCs (small workgroup) running properly. They have been fairly unprotected for quite a while and in some cases are barely limping along.

    He found and removed several viri from this PC and let spybot remove all the things it flagged as bad stuff but from the Hijackthis log he emailed me, the system is still in bad shape and I'm over my head trying to spot all the problems and give him specifics on where to go from here.

    I have the startup log if it would help but this thing is so eaten up I'm worse than lost and could certainly use some expert advice.

    The hijack log pushed the post over the max character limit so it is split into two parts.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Logfile of HijackThis v1.97.7
    Scan saved at 5:48:18 PM, on 3/10/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\COMPAQ\ACLIENT\ACLIENT.exe
    C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
    C:\Program Files\Compaq\LCRMS\LCRMS.EXE
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\System32\NMSSvc.exe
    C:\Windows\System32\nvsvc32.exe
    C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
    C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\Promon.exe
    C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
    C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
    C:\Windows\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Windows\System32\hphmon03.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Windows\winh.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Media\Media\UpdateStats.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\Common Files\slmss\slmss.exe
    C:\Windows\mwsvm.exe
    C:\Windows\System32\keyword.exe
    C:\Windows\System32\ctfmon.exe
    C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
    C:\Windows\System32\HPHipm09.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Windows\System32\olehelp.exe
    C:\program files\GlobalDialer\wordi00038\15227656.exe
    C:\Windows\System\taskman.exe
    C:\PVSW\Bin\W3dbsmgr.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\DOCUME~1\Mitch\LOCALS~1\Temp\Rem9.exe
    C:\Documents and Settings\Mitch\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freshvideogals.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://freshvideogals.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freshvideogals.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://freshvideogals.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freshvideogals.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.windowws.cc/hp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://list2004.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
    R3 - URLSearchHook: (no name) - _{30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
     
    Newt,
    #1
  2. 2004/03/10
    Newt

    Newt Inactive Thread Starter

    Rest of the log is here.

    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
    O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\Downloaded Program Files\ToolBand.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: Soft curb - {4A41D60B-4145-89F6-B2C0-6A9E5C439A24} - C:\PROGRA~1\DRVOKA~1\Shim download.dll
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
    O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\Windows\System32\hphmon03.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Online Service] C:\Windows\svchost.exe
    O4 - HKLM\..\Run: [AdobeFonts] C:\WINDOWS\Fonts\fonts.hta
    O4 - HKLM\..\Run: [Winhost] C:\Windows\winh.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [BHBIOVCIP] C:\WINDOWS\BHBIOVCIP.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\Windows\System32\Rydo84km.exe
    O4 - HKLM\..\Run: [host] C:\Windows\system32\hosts.vbs
    O4 - HKLM\..\Run: [MsCheckout] C:\Windows\System32\fastfind.exe
    O4 - HKLM\..\Run: [Image] rundll32 C:\Windows\image.dll,Install
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\Windows\mwsvm.exe
    O4 - HKLM\..\Run: [version] C:\Windows\System32\manage.exe
    O4 - HKLM\..\Run: [WinEssential] C:\Windows\System32\keyword.exe
    O4 - HKLM\..\Run: [Belt] C:\Windows\Belt.exe
    O4 - HKLM\..\Run: [frsk] C:\Windows\frsk.exe
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [phonecast] C:\PROGRA~1\4scrbone\2 BIN NEW.exe
    O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
    O4 - HKCU\..\Run: [olehelp] C:\Windows\System32\olehelp.exe
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\wordi00038\15227656.exe -remove
    O4 - HKCU\..\Run: [System Update] C:\Windows\System\taskman.exe
    O4 - HKCU\..\Run: [7an4i5o7jw] C:\Windows\zdr4ul9m3i.exe
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\Windows\image.dll,Install
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3dbsmgr.exe
    O4 - Global Startup: winlogon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
    O16 - DPF: {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} (Search Bar) - http://www.cameup.com/download/ToolBandXP.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {38545C2A-03CD-42C3-BC62-C537A6D5A8F6} (38545C2A-03CD-42C3-BC62-C537A6D5A8F6) - http://download.globaldialer.net/GlobalDialer.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivex.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O19 - User stylesheet: C:\Windows\hh.htt (HKLM)
     
    Newt,
    #2


  4. 2004/03/10
    JohnB Lifetime Subscription

    JohnB Well-Known Member

    HijackThis Tutorial

    Newt, here's a link to a HijackThis tutorial if you have the time to go through it: HijackThis Tutorial
     
  5. 2004/03/11
    markp62

    markp62 Geek Member Alumni

    This HijackThis log is a very big mess, to say the least. I was wondering if it would be easier to point out what I think is safe to leave.

    All the R0 and R1 entries need to go.
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    This can be nasty to remove.
    http://www.kephyr.com/spywarescanner/library/targetsoft.inetadpt/index.phtml
    or
    http://www.pestpatrol.com/pestinfo\n\newtonknows.asp

    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    The IP resolves to a Russian server, while the url resolves to 12.129.72.224.

    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\Downloaded Program Files\ToolBand.dll
    Pest Patrol seems to recommend CWShredder on the above.

    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: Soft curb - {4A41D60B-4145-89F6-B2C0-6A9E5C439A24} - C:\PROGRA~1\DRVOKA~1\Shim download.dll
    I would remove these 03's.

    O4 - HKLM\..\Run: [Online Service] C:\Windows\svchost.exe
    Big alarm bells ringing here. I do not believe this file should be starting while called an Online Service; this could be one of several worms and viruses. The legitimate file would be called from the %SystemRoot%\System32 folder in XP. I would say the McAfee AV is very corrupt.

    O4 - HKLM\..\Run: [Winhost] C:\Windows\winh.exe
    ?

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    ISTBar foistware

    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "
    I would verify Internet Optimizer is actually installed in light of the rest here, else it could be a **** dialer.

    O4 - HKLM\..\Run: [BHBIOVCIP] C:\WINDOWS\BHBIOVCIP.exe
    ?

    O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\Windows\System32\Rydo84km.exe
    ?

    O4 - HKLM\..\Run: [host] C:\Windows\system32\hosts.vbs
    This one I would definitely remove, and delete, although I would be curious as to what is scripted in it. Maybe the O1, but may be more.

    O4 - HKLM\..\Run: [WinEssential] C:\Windows\System32\keyword.exe
    Jraun.com hijacker

    O4 - HKLM\..\Run: [Belt] C:\Windows\Belt.exe
    Abetterinternet adware related.

    O4 - HKLM\..\Run: [frsk] C:\Windows\frsk.exe
    Unidentified adware downloader trojan

    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
    My Web Search plugin.

    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\wordi00038\15227656.exe -remove

    O4 - HKCU\..\Run: [System Update] C:\Windows\System\taskman.exe
    I sort of hold this one suspect. It should be the Windows Task Switcher, and I don't believe it is normal for it to be a startup; it should be called when needed.

    O4 - HKCU\..\Run: [7an4i5o7jw] C:\Windows\zdr4ul9m3i.exe
    ?

    O16 - DPF: {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} (Search Bar) - http://www.cameup.com/download/ToolBandXP.cab
    O16 - DPF: {38545C2A-03CD-42C3-BC62-C537A6D5A8F6} (38545C2A-03CD-42C3-BC62-C537A6D5A8F6) - http://download.globaldialer.net/GlobalDialer.cab
    O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivex.ocx
    I would delete KeyActivex.Ocx

    O19 - User stylesheet: C:\Windows\hh.htt (HKLM)
    Not so sure about this one.

    I hope I got most of them, maybe someone can point out what I missed.
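    The checks markp62 applies by eye above (R0/R1 entries pointing anywhere but a trusted search page, an O1 hosts redirect, and a core system binary name such as svchost.exe starting from outside %SystemRoot%\System32) can be turned into a small triage script over HijackThis log lines. This is an added example, not code from the thread or from HijackThis; the SYSTEM_BINARIES and TRUSTED_SEARCH_HOSTS lists are assumptions, and the sample lines are quoted from the log posted earlier in this thread plus one clean ctfmon.exe entry.

```python
import re
from urllib.parse import urlparse

# Folder from which XP's own core service binaries legitimately start (lower-case), and the
# core binary names that malware reuses from other folders (the name list is an assumption).
SYSTEM32 = r"c:\windows\system32"
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "smss.exe", "lsass.exe", "services.exe"}
# Hosts an IE start/search page may point at on a stock machine (assumed allowlist).
TRUSTED_SEARCH_HOSTS = {"www.msn.com", "search.msn.com", "www.microsoft.com"}

def check_o4(line):
    """Flag an O4 Run entry whose image has a core system binary's name but another folder."""
    m = re.match(r'O4 - .*?: \[[^\]]*\] "?([A-Za-z]:\\[^"]*?\.exe)"?', line)
    if m:
        folder, _, name = m.group(1).lower().rpartition("\\")
        if name in SYSTEM_BINARIES and folder != SYSTEM32:
            return f"system binary name outside System32: {m.group(1)}"
    return None

def check_o1(line):
    """Flag a hosts-file entry that points a hostname anywhere but loopback."""
    m = re.match(r"O1 - Hosts: (\S+) (\S+)", line)
    if m and not m.group(1).startswith("127."):
        return f"hosts redirect: {m.group(2)} -> {m.group(1)}"
    return None

def check_r(line):
    """Flag an R0/R1 IE start/search setting on an untrusted host or inside a res:// DLL."""
    m = re.match(r"R[01] - .*?= (\S+)", line)
    if not m:
        return None
    target = m.group(1)
    if target.startswith("res://"):
        return f"IE setting served from a local DLL resource: {target}"
    host = urlparse(target if "://" in target else "http://" + target).hostname or target
    return None if host in TRUSTED_SEARCH_HOSTS else f"IE setting points at untrusted host: {host}"

def triage(log_text):
    """Run every check over each log line; return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        for check in (check_o4, check_o1, check_r):
            hit = check(line.strip())
            if hit:
                findings.append(hit)
                break
    return findings

# Sample input: four lines quoted from the log in this thread plus one clean O4 line.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O4 - HKLM\..\Run: [Online Service] C:\Windows\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
"""
```

    triage(SAMPLE) returns four findings (the two R lines, the hosts redirect and the svchost.exe copy in C:\Windows); the ctfmon.exe line from System32 passes.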
     
  6. 2004/03/11
    Lonny Jones

    Lonny Jones Inactive Alumni

    Gesh
    Un-Coolwebsearch for one first >
    Download and unzip and run CWShredder.
    Click Fix, don't just scan. You have several CoolWebSearch components which it should remove.
    If you already have it, just download another copy and overwrite the old one, to ensure it's the latest version.
    http://www.zerosrealm.com/downloads/CWShredder.zip

    Then post a fresh log, there's tons more.

    Edit sorry Mark we posted at the same time :)

    PS: if you save the chronicles as a text file and Merijn's domains text,
    it's an easy search, no need to read the whole thing.
    http://www.spywareinfo.com/~merijn/junk/cws_domains.txt
    http://www.spywareinfo.com/~merijn/cwschronicles.html

    O19 - User stylesheet: C:\Windows\hh.htt (HKLM)
    Of course indicates a CoolWebSearch infection.
    If SpyBot had been run, the item would show as
    O19 - User stylesheet: C:\Windows\file not found or missing
     
  7. 2004/03/11
    noahdfear

    noahdfear Inactive

    YUK!
    I would also kill
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    Disable auto update
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

    And Windows Messenger
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    Might want to get a copy of Winsock fix just in case too.
     
  8. 2004/03/11
    TonyT

    TonyT SuperGeek Staff

    Time to cleanup & repair = several hrs.

    Time to format & reinstall = probably faster than cleanup.
     
  9. 2004/03/11
    Newt

    Newt Inactive Thread Starter

    Thanks guys. Since this is one of about 8 9X/NT/XP systems (the worst maybe but only by a little) I think if it were me I'd go with Tony's idea. Back up any data, scrub, and start from the beginning.

    Note to Johanna and any others wondering if PC Techs are still needed - the friend who asked me about this mess is a networking guy who does a little free-lance work. He was hired by the business to 'fix' their network problems and ran into this disaster.

    Note to Terry - if you plan to continue this sort of free-lance work, you really ought to sign up here. We got folks who can answer most any question and troubleshoot most any strange problem.
     
    Newt,
    #8