Hey guys, I ran Ad-Aware and removed everything, but all these ads still come up! I also have wsup.exe and wtools.exe in processes but I can't kill them! They keep coming back! HELP!!!!! Here's my log!

Logfile of HijackThis v1.98.2
Scan saved at 2:03:50 PM, on 12/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\System32\nkjchid.exe
C:\WINDOWS\system32\qarbpvmc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINDOWS\system32\wdpjdydm\gcrrwl.exe
C:\WINDOWS\system32\cymo\hgcwic.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\jspdx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vqvw\ftsdx.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\WINDOWS\system32\d?dplay.exe
C:\PROGRA~1\COMMON~1\tsa\ts2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\nkjchid.exe
O4 - HKLM\..\Run: [pebmfr] C:\WINDOWS\dpdfswlcp.exe
O4 - HKLM\..\Run: [towfezv] C:\WINDOWS\Lbczxs.exe
O4 - HKLM\..\Run: [lpqmqgvt] C:\WINDOWS\system32\qarbpvmc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cddjoay] C:\WINDOWS\system32\bawmfx\cddjoay.exe
O4 - HKLM\..\Run: [dgsdtrp] C:\WINDOWS\system32\axtc\dgsdtrp.exe
O4 - HKLM\..\Run: [fubpqp] C:\WINDOWS\system32\oprryht\fubpqp.exe
O4 - HKLM\..\Run: [kvuogoji] C:\WINDOWS\system32\jasyvs\kvuogoji.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [gcrrwl] C:\WINDOWS\system32\wdpjdydm\gcrrwl.exe
O4 - HKLM\..\Run: [ftsdx] C:\WINDOWS\system32\vqvw\ftsdx.exe
O4 - HKLM\..\Run: [hgcwic] C:\WINDOWS\system32\cymo\hgcwic.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [s7nV32g] jspdx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Flxv] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O18 - Filter: text/html - {E64E4E60-EF13-4C79-A159-119762E18181} - C:\WINDOWS\system32\lmf32.dll

bumpidy bump dump bump

bumpidy bump dump bump

After less than 3 hours from your first post?? :rolleyes:
Please try to be a bit more patient in the future...

First- you're running an older version of HijackThis. Please download the latest version (1.99.0) using the "HijackThis" link in my sig below, run that version, and post the new log it generates.

Also- since your current log shows no indication of any running anti-virus software, go to the following two sites and run their free online virus scans. They'll probably be able to clean up some of the nasties:

http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

You can also download the free anti-virus program from this site if you don't currently own an AV program:

http://free.grisoft.com/freeweb.php/doc/2/

Every time I run the new version, it crashes.... Can't you just use the old one please? I don't wanna go through the trouble of fixing it..

Are there any error messages generated from the crash? If so, tell us exactly what they are.

We could probably at least start to work from the old version of HJT, but the newest version has an enhanced range of detection, and as such can find/fix a wider range of problems.

1. Did you do the online anti-virus scans I suggested? If not, please do those and let us know that you have done so before we proceed.

2. A few other things you should do to help clean things up before posting a new HJT log:

A) Run a full anti-virus scan, as I mentioned earlier.

B) Download and run Ad Aware and SpyBot Search & Destroy. The download links are in my sig below.

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan.

2. Close ALL windows except Ad-Aware SE

3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of days


2) Click on the ‘Scanning’ button on the left and select in green:

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & Registry: all green
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file


3) Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
*Move deleted files to recycle bin

Under Logfile Detail Level: (all green)
*include additional object information
*DESELECT - include negligible objects information
*include environment information

Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT


4) Click the ‘Tweak’ button and select in green:

Under the ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only


Under the ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot


Under the Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check or make green: Include Module list in logfile


5. Click on ‘Proceed’ to save the settings.

6. Click ‘Start’

*Choose:'Perform Full System Scan'
*DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window. Right-click on any of the entries and choose the "Select all items" option.

9. Save the log file when it asks and then click ‘finish’

10. REBOOT to complete the removal of what Ad-Aware SE found


* Run SpyBot.

When you first run SpyBot, it will walk you through a Wizard which will perform a few critical functions (making a registry backup, getting the latest updates, etc.).

1. Perform all of the Wizard's tasks.
2. Run the program. Once it completes, have it fix everything it finds.
3. Reboot.


C) Boot into Safe Mode (do this by hitting the F8 key as the computer is booting) and:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete everything inside the following folders (don't delete the folders themselves though):

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

(If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed.)

- Empty your Recycle Bin.

- Reboot normally.

D) Run HijackThis again and post a fresh log.

All of the above might sound complex and/or time-consuming, but doing it will help.

OK, I did that. But I couldn't get into my user in Documents and Settings, it said access denied. Also, I did not get an error message when trying to run HJT, I just got the Windows error reporting and it crashed. Since I don't have my old version anymore, I can't post a new log! Can you tell me where to find the old one?

OK, I did that. But I couldn't get into my user in Documents and Settings, it said access denied.

What user account were you logged in under?

Since I don't have my old version anymore, I can't post a new log! Can you tell me where to find the old one?

I've got a copy of v1.98.2 on my FTP site; you can get it from there:

http://www.stevewolfonline.com/Downloads/DMR/DMRCA/Malware%20Utilities/

My account was AKRAM.... and here's my log:
Logfile of HijackThis v1.98.2
Scan saved at 2:32:39 PM, on 12/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\System32\nkjchid.exe
C:\WINDOWS\system32\wdpjdydm\gcrrwl.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINDOWS\system32\jspdx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\d?dplay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ragheb\Desktop\My Crap\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\nkjchid.exe
O4 - HKLM\..\Run: [pebmfr] C:\WINDOWS\dpdfswlcp.exe
O4 - HKLM\..\Run: [towfezv] C:\WINDOWS\Lbczxs.exe
O4 - HKLM\..\Run: [lpqmqgvt] C:\WINDOWS\system32\qarbpvmc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cddjoay] C:\WINDOWS\system32\bawmfx\cddjoay.exe
O4 - HKLM\..\Run: [fubpqp] C:\WINDOWS\system32\oprryht\fubpqp.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [gcrrwl] C:\WINDOWS\system32\wdpjdydm\gcrrwl.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [s7nV32g] jspdx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Flxv] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Filter: text/html - {E64E4E60-EF13-4C79-A159-119762E18181} - C:\WINDOWS\system32\lmf32.dll

bumpidy bump bumpidy bump bump bump bump

bump yet again.

bump yet again.

I'm not sure if you got the idea of what I meant by "Please try to be a bit more patient in the future..." in my first post, but if not, here it is:

1. Those of us who troubleshoot problems here do so on our own spare time, and on a volunteer basis.

2. We all have "real-life" jobs and family lives which might prevent us from participating here for any given amount of time.

3. Your problem is no more pressing than those of our other 20,000+ members'. We haven't forgotten you, but we might not be able to get to your particular question as soon as you would like.

4. It's the week between Christmas and New Years; many of us have other commitments right now.


Given the above; enough with the "bumpidy bump bumpidy bump bump bump bump"s please.

Please post a new hijackthis log if you still require help.

That one is new! Also, the newest version doesn't work on my computer so please just use the old one!

It's 3 days old now :).

I lost the file again, please just USE IT. It's no big deal

It's no big deal

It can be, actually- the newer version probes more possibly problematic areas of your system than version 1.98.2 did, so it can identify more possible "nasties".

But... since you can't seem to get version 1.99.0 running, let's work with what you have:

1. If you ran Ad Aware and SpyBot (after getting their most current updates), and also ran the online virus scans I linked to earlier, they should have gotten rid of more than they did. Please let us know specifically if you have followed each and every suggestion we've posted. If there are any of the steps that you have not performed yet, please do them now and post a new log from your current version of HijackThis.

2. In terms of this: "my account was AKRAM"; try logging in as Administrator instead when booted into Safe Mode. That should then give you access to the folders in question.

3. The log entries:

C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

Those entries indicate that you had 2 instances of Internet Explorer running (which could possibly be the doings of the spyware). HijackThis cannot fully perform all of its fixes while any instances of IE are running, so before having HJT fix anything:

a) Press the Ctrl, Alt, and Delete keys simultaneously to open Windows Task Manager.
b) In Task Manager, click on the "Processes" tab.
c) In the resulting list of running processes, click on each entry for "iexplore.exe" and click the "End Task" button.
d) Once you've done that, look through the list again and double-check that you see no further entries for iexplore.exe.

4. Once you've verified that IE is no longer running:

- Have HJT fix the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\nkjchid.exe
O4 - HKLM\..\Run: [pebmfr] C:\WINDOWS\dpdfswlcp.exe
O4 - HKLM\..\Run: [towfezv] C:\WINDOWS\Lbczxs.exe
O4 - HKLM\..\Run: [lpqmqgvt] C:\WINDOWS\system32\qarbpvmc.exe
O4 - HKLM\..\Run: [cddjoay] C:\WINDOWS\system32\bawmfx\cddjoay.exe
O4 - HKLM\..\Run: [fubpqp] C:\WINDOWS\system32\oprryht\fubpqp.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [gcrrwl] C:\WINDOWS\system32\wdpjdydm\gcrrwl.exe
O4 - HKLM\..\Run: [s7nV32g] jspdx.exe
O4 - HKCU\..\Run: [Flxv] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O18 - Filter: text/html - {E64E4E60-EF13-4C79-A159-119762E18181} - C:\WINDOWS\system32\lmf32.dll

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Find and delete the following folders entirely:

C:\Program Files\Common Files\WinTools
C:\Program Files\Common Files\tsa

- Find and delete the following files:

C:\WINDOWS\System32\nkjchid.exe
C:\WINDOWS\dpdfswlcp.exe
C:\WINDOWS\Lbczxs.exe
C:\WINDOWS\system32\qarbpvmc.exe
C:\WINDOWS\system32\bawmfx\cddjoay.exe
C:\WINDOWS\system32\oprryht\fubpqp.exe
C:\WINDOWS\system32\wdpjdydm\gcrrwl.exe
jspdx.exe
C:\WINDOWS\system32\d?dplay.exe

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.
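An added example, not part of the original thread and not anyone's posted code: it parses two HijackThis logs, reports which entries disappeared between scans, and lists the structurally odd entries that survived the cleanup (the same comparison the helper makes by eye between the 12/27 and 12/28 logs). The flag names and function names are assumptions made for this sketch, and the flags are triage hints only.

```python
import re

# Item lines look like "O4 - HKLM\..\Run: [name] target"; header and
# process-list lines do not match and are skipped.
ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[([^\]]+)\] (.+)$")

def parse_log(text):
    """Map a stable key to (code, body) for each item line of a log."""
    items = {}
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            code, body = m.groups()
            # An entry gains " (file missing)" once its file is deleted,
            # so leave that suffix out of the key used for matching.
            key = (code, body.replace(" (file missing)", "").lower())
            items[key] = (code, body)
    return items

def flags(code, body):
    """Structural oddities worth a closer look: triage hints, not verdicts."""
    found = []
    if body.endswith(("(no file)", "(file missing)")):
        found.append("orphaned-reference")   # registry entry, nothing on disk
    if code in ("O2", "O3") and "(no name)" in body:
        found.append("unnamed-component")
    run = RUN_RE.match(body) if code == "O4" else None
    if run:
        target = run.group(2)
        if "?" in target:
            # '?' is not legal in a Windows file name, so it stands in for
            # a character the log could not render.
            found.append("unrenderable-char")
        if "\\" not in target:
            found.append("bare-filename")    # resolved via the search path
    return found

def survivors(before, after):
    """Flagged entries present in both logs: the cleanup did not touch them."""
    old, new = parse_log(before), parse_log(after)
    both = old.keys() & new.keys()
    return sorted((new[k][1], flags(*new[k])) for k in both if flags(*new[k]))

def removed(before, after):
    """Entries in the first log that are gone from the second."""
    old, new = parse_log(before), parse_log(after)
    return sorted(old[k][1] for k in old.keys() - new.keys())

# Constructed samples: a few lines copied from the two logs in this thread.
BEFORE = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\system32\jspdx.exe
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ftsdx] C:\WINDOWS\system32\vqvw\ftsdx.exe
O4 - HKLM\..\Run: [s7nV32g] jspdx.exe
O4 - HKCU\..\Run: [Flxv] C:\WINDOWS\system32\d?dplay.exe
"""
AFTER = r"""Logfile of HijackThis v1.98.2
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [s7nV32g] jspdx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Flxv] C:\WINDOWS\system32\d?dplay.exe
"""

if __name__ == "__main__":
    for body, why in survivors(BEFORE, AFTER):
        print(", ".join(why), "|", body)
```

The bare-filename flag also fires on ordinary driver helpers registered without a path, so a flagged line still needs a person to judge it.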
