Tonight's HJT Log


tamalika
04-25-2004, 03:15 AM
Logfile of HijackThis v1.97.7
Scan saved at 1:12:34 AM, on 4/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\drivers\svchost.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\System32\msbb.exe
C:\WINDOWS\System32\SahAgent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\sysupd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Amy Clark\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\start.html
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Amy Clark\Application Data\Mozilla\Profiles\default\q8hqa5xf.slt\prefs.js)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\calsdr.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [FMWDKR] C:\WINDOWS\FMWDKR.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Advisor (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F7B83EA-F64A-4753-BE15-724F311CBA32}: NameServer = >MY IP/DNS GOES HERE<

Budfred
04-25-2004, 03:35 AM
Okay, it was not necessary to start a new thread to post the log.... You have HJT on your Desktop and this means that you will have backups all over your Desktop. If you want to avoid that, follow the instructions I put in the other thread about putting it in its own folder. Also, it wasn't necessary to do this, the info it would have given would have only given the location of the provider of your internet connection, assuming it is legit.... ">MY IP/DNS GOES HERE<"

Please close all open windows and your browser, run HJT and mark/fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\start.html
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\calsdr.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe

This looks like a randomly named file and that means it is probably bad. You can find it and check Properties if you would like to be sure. Unless it is clearly legit, I suggest fixing it:

O4 - HKLM\..\Run: [FMWDKR] C:\WINDOWS\FMWDKR.exe

MyWebSearch is not technically malware, but it installs malware and it is just not worth the risk of keeping it around as far as I'm concerned. I suggest fixing and uninstalling it:

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

Once you complete these fixes, please reboot to Safe Mode and find/remove these. Check in Add/Remove Programs first and remove them there if possible. If not, find and delete them. If you can't find them, set WinXP to show all hidden files and search again...

C:\WINDOWS\System32\msbb.exe
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\sysupd.exe

Also look for MyWebSearch (or something similar like MyBar or MyWay) in Add/Remove Programs if you choose to dump it....

When done, reboot again and post a fresh log in this thread....
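Budfred's triage above boils down to a few checks a reader can apply to any HJT log: a start page pointing at a local file, an autorun or BHO sitting directly in C:\WINDOWS or System32 rather than under Program Files, a consonant-only "randomly named" executable, an unnamed BHO outside Program Files, and an O17 NameServer entry that should belong to the ISP. The script below is an added example (not HijackThis code and not Budfred's method, just those checks written down) that parses the R0/O2/O4/O17 line formats shown in this thread and reports which entries trip a check. The sample lines are copied from the log above; the DNS address on the O17 line is a constructed placeholder standing in for the value the poster redacted, and the heuristics themselves are assumptions drawn from the advice, not a malware database.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied from the HJT log posted in this thread.
# The NameServer address is a placeholder (TEST-NET), not the poster's real DNS.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\start.html
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\calsdr.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [FMWDKR] C:\WINDOWS\FMWDKR.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F7B83EA-F64A-4753-BE15-724F311CBA32}: NameServer = 192.0.2.53
"""

# First Windows path ending in an executable/library extension; lazy so that
# trailing arguments such as "-osboot" are not swallowed.
WIN_PATH_RE = re.compile(r'(?i)([a-z]:\\[^"]*?\.(?:exe|dll|ocx))')
VOWELS = set("aeiou")


@dataclass
class Finding:
    kind: str                 # HJT section, e.g. R0, O2, O4, O17
    label: str                # Run key name, BHO name, or setting name
    path: str                 # file path or setting value
    reasons: List[str] = field(default_factory=list)


def looks_random(filename: str) -> bool:
    # Heuristic (assumption): a consonant-only stem of 4+ letters, like FMWDKR,
    # is the "randomly named file" pattern Budfred flags. Real names almost
    # always carry a vowel, so this stays quiet on SynTPEnh or realsched.
    stem = ntpath.splitext(filename)[0]
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 4 and not any(c in VOWELS for c in letters)


def in_bare_windows_dir(path: str) -> bool:
    # True when the file sits directly in C:\WINDOWS or C:\WINDOWS\System32;
    # third-party autoruns normally live under Program Files instead.
    parent = ntpath.dirname(path).lower().rstrip("\\")
    return parent in {r"c:\windows", r"c:\windows\system32"}


def triage(log_text: str) -> List[Finding]:
    """Apply the thread's rules of thumb to each HJT entry; return the ones that trip a check."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = re.match(r'^([A-Z]\d+) - (.*)$', line)
        if not m:
            continue  # header, process list, or blank line
        kind, rest = m.group(1), m.group(2)
        f = None
        if kind == "R0" and "Start Page" in rest:
            value = rest.split("=", 1)[1].strip()
            f = Finding(kind, "Start Page", value)
            if re.match(r'(?i)^[a-z]:\\', value):
                f.reasons.append("start page points at a local file (hijack pattern)")
        elif kind in ("O2", "O4"):
            pm = WIN_PATH_RE.search(rest)
            if not pm:
                continue  # bare name like 'carpserv.exe' with no directory
            path = pm.group(1)
            if kind == "O4":
                lm = re.search(r'\[([^\]]*)\]', rest)
            else:
                lm = re.match(r'BHO: (.*?) - \{', rest)
            label = lm.group(1) if lm else "?"
            f = Finding(kind, label, path)
            if in_bare_windows_dir(path):
                f.reasons.append("runs from bare Windows/System32; check Properties for a publisher")
            if looks_random(ntpath.basename(path)):
                f.reasons.append("consonant-only name looks randomly generated")
            if kind == "O2" and label == "(no name)" and "program files" not in path.lower():
                f.reasons.append("unnamed BHO outside Program Files")
        elif kind == "O17":
            value = rest.split("=", 1)[1].strip()
            f = Finding(kind, "NameServer", value)
            f.reasons.append("confirm this DNS server belongs to your ISP")
        if f and f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG):
        print(f"{fnd.kind:4} {fnd.label:12} {fnd.path}")
        for r in fnd.reasons:
            print(f"      - {r}")
```

Run against the sample, the script reports the start page, calsdr.dll, FMWDKR.exe, sysupd.exe and the NameServer line, and stays silent on the Synaptics, RealPlayer, Acrobat and NoAds entries; anything it prints is a prompt to look at the file's Properties, as Budfred says, not a verdict.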

tamalika
04-26-2004, 02:39 AM
I have everything deleted for MWS/CWS/SMILEYCENTRAL

except it won't let me delete these two things

F3HTMLMU.DLL & MWSBAR.DLL

-------------
also it keeps putting dpusys.... which when opened (it's a notepad file)

puts the following crap on my desktop (automatically. I have deleted it at least 5 times and it instantly reappears)

[unprintable binary header of the dpusys file omitted; the readable part follows]

{
CAMPAIGN "Search" {
URLS {
"www.yandex.ru"
"www.rambler.ru"
}

RULES {
(AND
(OR
(ANTI "*www.google.com*")
(KEYWORDS
"search"
"find" )
)
(AND
(ANTI "*www.??????.com*")
(KEYWORDS "google")
)
)
}
}
CAMPAIGN "Search" {
URLS {
"www.yandex.ru"
}
RULES {
(OR
(ANTI "*www.google.com")
)
}
}

}
---------------------------

So how can I get it to die the slow miserable death it deserves?

tamalika
04-26-2004, 02:44 AM
O4 - HKLM\..\Run: [FMWDKR] C:\WINDOWS\FMWDKR.exe



ITS OFF MY SYSTEM!!!!!!!!!!! FINALLY!!!!!!!!!!!!


OH HAPPY DAY!!!!!! (OR NIGHT!)


COOLWEBSEARCH IS GONE!!!!!!!!!!! (FOR NOW!!!)

Budfred
04-26-2004, 02:46 AM
I'm sorry, but I don't understand what you are talking about... Please explain it again and please post a fresh HJT log with it.

tamalika
04-26-2004, 02:49 AM
Originally posted by Budfred
I'm sorry, but I don't understand what you are talking about... Please explain it again and please post a fresh HJT log with it.

Don't worry about it!

It's Gone!

Pain in the a** CoolWebSearch/Smiley Central toolbar is gone!!!!

jabarnutcase
04-26-2004, 03:20 PM
Don't worry about it!
It's Gone!

Some of these replies just amaze me....I said it before Budfred and I'll say it again:
You have a lot more patience than I do. :rolleyes: