Getting popups .. Can someone help with this hijackthis log

Discussion in 'Computer Support' started by maks71, Dec 11, 2005.

  1. maks71

    maks71 Guest

    I'm getting lots of popups lately. I've tried lots of things but still
    getting nowhere. Here is the HijackThis log; can someone help?

    Logfile of HijackThis v1.99.1
    Scan saved at 12:08:44 AM, on 12/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ
    Antivirus\ISafe.exe
    C:\WINDOWS\RGR1Y2s\command.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ
    Antivirus\VetMsg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ
    Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ
    Antivirus\CAVRID.exe
    C:\Program Files\System Files\System.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for
    hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} -
    C:\WINDOWS\System32\bho.dll
    O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} -
    C:\WINDOWS\System32\nsv36.dll
    O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} -
    C:\WINDOWS\System32\irashavz.dll
    O2 - BHO: (no name) - {CDD819A0-1D4C-9901-CE31-1C2DE23583C5} -
    C:\WINDOWS\Ljwpqeyf.dll
    O3 - Toolbar: Search - {5270B34E-7718-FB6B-CCE4-1B624183E337} -
    C:\WINDOWS\Ljwpqeyf.dll
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program
    Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program
    Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet
    Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet
    Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\RunOnce: [SpySweeper_BT01] "C:\Webroot\Spy
    Sweeper\Bt01.exe" /SpySweeper_BT01
    O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
    Files\Microsoft Works\WkDetect.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: remote.schwab.com
    O15 - Trusted Zone: remote2.schwab.com
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
    Advantage Validation Tool) -
    http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
    -
    http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134233542687
    O23 - Service: CAISafe - Computer Associates International, Inc. -
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ
    Antivirus\ISafe.exe
    O23 - Service: Command Service (cmdService) - Unknown owner -
    C:\WINDOWS\RGR1Y2s\command.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
    C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates
    International, Inc. - C:\Program Files\CA\eTrust Internet Security
    Suite\eTrust EZ Antivirus\VetMsg.exe
     
    maks71, Dec 11, 2005
    #1

  2. maks71

    Trax Guest

    wrote:

    |>I'm getting lots of popups lately. I've tried lots of things but still
    |>getting nowhere. Here is the HijackThis log; can someone help?

    Well, if you ran a firewall you would be warned each time the
    Troj/Bdoor-S worm called out. http://hijackthis.de/en
     
    Trax, Dec 11, 2005
    #2

  3. maks71

    Plato Guest

    Plato, Dec 11, 2005
    #3
  4. maks71

    Stickems. Guest

    C:\WINDOWS\RGR1Y2s\command.exe
    Nasty running process. (command.exe)
    Added as a result of the BUDDY VIRUS!
    This is a nasty process! You should fix it and try to delete it
    manually!

    C:\Program Files\System Files\System.exe
    Nasty running process. (System.exe)
    Added as result of a Troj/Bdoor-S worm infection
    This is a nasty process! You should fix it and try to delete it
    manually!

    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    Nasty. If you did not add these pages to your trusted pages, they
    should be fixed.

     
    Stickems., Dec 11, 2005
    #4
  5. maks71

    pcbutts1 Guest

    Have hjt fix the following lines by placing a check in the box next to each
    line then clicking on the fix checked button on the bottom.


    O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} -
    C:\WINDOWS\System32\bho.dll
    O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} -
    C:\WINDOWS\System32\nsv36.dll
    O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} -
    C:\WINDOWS\System32\irashavz.dll
    O2 - BHO: (no name) - {CDD819A0-1D4C-9901-CE31-1C2DE23583C5} -
    C:\WINDOWS\Ljwpqeyf.dll
    O3 - Toolbar: Search - {5270B34E-7718-FB6B-CCE4-1B624183E337} -
    C:\WINDOWS\Ljwpqeyf.dll
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O23 - Service: Command Service (cmdService) - Unknown owner -
    C:\WINDOWS\RGR1Y2s\command.exe


    Once that is done, you have to disable a Windows service and then delete it.
    Click Start > Run; in the Run box type services.msc /s, then click OK. Look for
    this entry, Command Service (cmdService); when you find it, double click on
    it and in the Startup type menu choose disable. Then open HJT again and
    choose the Config button listed under Other Stuff in the lower right hand
    corner, then Misc Tools, then Delete an NT service.... Type in the box
    exactly as shown, cmdService, then click OK. Reboot into Safe Mode, then
    delete this folder: C:\WINDOWS\RGR1Y2s
     
    pcbutts1, Dec 11, 2005
    #5
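    As an added example (not from this thread, and not part of HijackThis itself), a small Python triage script that applies the checks the replies above used to pick out the bad entries: it parses lines in the HijackThis v1.99.1 format and flags services with an unknown owner, nameless BHOs, modules under C:\WINDOWS outside System32, system-binary names (System.exe, command.exe, ...) loaded from elsewhere, and Trusted Zone hosts outside an allowlist. The sample log is constructed from entries in this thread; the Trusted Zone allowlist is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v1.99.1 log format, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CDD819A0-1D4C-9901-CE31-1C2DE23583C5} - C:\WINDOWS\Ljwpqeyf.dll
O3 - Toolbar: Search - {5270B34E-7718-FB6B-CCE4-1B624183E337} - C:\WINDOWS\Ljwpqeyf.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O15 - Trusted Zone: remote.schwab.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGR1Y2s\command.exe
"""
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)', re.IGNORECASE)
# Core Windows binary names plus the two masquerading names from this thread; genuine copies live in System32.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "svchost.exe", "system.exe", "command.exe"}
TRUSTED_HOSTS = {"remote.schwab.com", "remote2.schwab.com"}  # assumption: the user added these on purpose

def suspicious_reasons(line):
    """Return the reasons a single HijackThis line deserves review (empty list if none)."""
    m = re.match(r"^(O\d+|R\d+) - (.*)$", line.strip())
    if not m:
        return []
    section, body, reasons = m.group(1), m.group(2), []
    if section == "O15":
        zone = body.split(":", 1)[1].strip()
        if "(HKLM)" in zone:
            reasons.append("machine-wide trusted zone entry")
        if re.sub(r"^https?://", "", zone.split()[0]) not in TRUSTED_HOSTS:
            reasons.append("trusted zone host not in allowlist")
        return reasons
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO with no name")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with unknown owner")
    pm = PATH_RE.search(body)
    if pm:
        path = PureWindowsPath(pm.group(0))
        parts = [p.lower() for p in path.parts]
        # C:\WINDOWS\<file> or C:\WINDOWS\<odd folder>\<file>: only System32 and System belong there
        if len(parts) >= 3 and parts[1] == "windows" and parts[2] not in ("system32", "system"):
            reasons.append("file under the Windows folder outside System32")
        if path.name.lower() in SYSTEM_NAMES and path.parent.name.lower() != "system32":
            reasons.append("system-binary name loaded from outside System32")
    return reasons

def triage(log_text):
    """Map every flagged log line to its reasons, in log order."""
    hits = ((ln.strip(), suspicious_reasons(ln)) for ln in log_text.splitlines())
    return {ln: why for ln, why in hits if why}
```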
  6. maks71

    maks71 Guest

    Thanks to all of you... I did the suggested clean up and the pop-ups stopped.
     
    maks71, Dec 13, 2005
    #6