Syssecuritysite Malware Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by runningmom, Jun 25, 2006.

  1. runningmom

    runningmom Private E-2

    Hope someone can help me with this annoying problem. Every time I open IE, my home page goes to "www.syssecuritysite.com".

    I have gone through the procedure at http://forums.majorgeeks.com/showthread.php?t=35407

    I'm attaching my HijackThis log and the ones from the Panda ActiveScan and BitDefender. Everything else that could be cleaned was cleaned per the instructions (I think I got them all - I'm so frustrated with these kinds of problems, it's hard to think straight sometimes).

    Thanks in advance.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Let's start with the below procedure:

    SpywareQuake & SpyFalcon Removal Procedure

    After running this, attach the smitfiles.txt log and continue on to the below.

    Then attach a new HJT log too and also tell me how things are working.

    You forgot to attach the log from CounterSpy as requested in the READ ME.
     
  3. runningmom

    runningmom Private E-2

    Thanks for the reply.

    Here are the logs from CounterSpy, Smitfiles and HijackThis. I followed your procedures for the SpywareQuake and SpyFalcon removal. Neither of these showed in the "Add/Remove Programs" options and none of the .dll files listed in the procedure showed up in my windows\system32\ folder.

    It appears that the problem is solved - my home page on IE and for the other users is back to where it should be. I'm not sure what actually solved it, so I'm a little leery about saying it's positively fixed.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Running the procedure I gave you fixed it. There is more to it than the step where you delete files. The registry patch fixes over 200 items, and running SmitRem also fixes a bunch of problems; it already removed some of the files I listed at the end.

    Now let's fix the rest of your problems!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O18 - Protocol: bw+0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
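    As an added triage example (not code from this thread, from HijackThis or from MajorGeeks), the Python below parses lines in the HijackThis format quoted in the post above, groups O18 protocol handlers by the DLL that serves them (the pattern behind the Logitech clutter), and flags the R0/R1/R3/O6 entries the post tells the user to fix. The sample log is constructed from a few of the lines above, and the flag reasons are labels I chose, not HijackThis output.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis line format quoted in the thread (a few of
# the O18 lines, not the whole list); not the original poster's actual log.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Protocol: bw+0 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {7D8416F9-E966-4A70-A0FC-9BB11E341896} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
O18_RE = re.compile(r"^Protocol: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

def parse_hjt(text):
    """Split a HijackThis log into (code, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def group_o18_by_dll(entries):
    """Map each O18 handler DLL to the protocol names registered against it.
    Many names pointing at one DLL is the clutter pattern seen in the thread."""
    by_dll = defaultdict(list)
    for code, body in entries:
        if code != "O18":
            continue
        m = O18_RE.match(body)
        if m:
            by_dll[m.group("path")].append(m.group("name"))
    return dict(by_dll)

def flag_entries(entries):
    """Return (code, reason) pairs for lines a reviewer would want to look at."""
    flags = []
    for code, body in entries:
        if code == "R0" and body.rstrip().endswith("="):
            flags.append((code, "search setting present but empty"))
        elif code == "R1" and "ProxyOverride" in body:
            flags.append((code, "proxy override set: " + body.split("=", 1)[1].strip()))
        elif code == "R3" and "missing" in body:
            flags.append((code, "default URLSearchHook missing"))
        elif code == "O6" and "Policies" in body:
            flags.append((code, "IE settings locked via policy key"))
    for path, names in group_o18_by_dll(entries).items():
        flags.append(("O18", f"{len(names)} protocol handler(s) served by {path}"))
    return flags
```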
     
  5. runningmom

    runningmom Private E-2

    Things seem to be running okay although I keep getting a message from my Norton antivirus (I have Norton Internet security running) that it has blocked an attempt to change my IE home page. When I view the detail it says the process name is "sunprotectionserver.exe", location is C:\program files\sunprotectionserver.exe. I don't know why I keep getting this.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you run the Now we need to Reset Web Settings: directions I gave, you need to allow the changes thru Norton or they will not work. It should be obvious at that time that we are the ones trying to make the changes to your start page and that it should be okay to allow it.

    sunprotectionserver.exe is for CounterSpy, which I'm not sure why you have located in C:\Program Files. You already have a copy installed at C:\Program Files\Sunbelt Software\CounterSpy\Consumer\. Did you install it more than once and to different locations each time?

    Since CounterSpy is only a demo that expires in 15 days, uninstall it now. Basically what was happening is that CounterSpy and Norton were fighting against each other.

    You should also uninstall LogitechDesktopMessenger which was the cause of all that clutter in your HijackThis log that we just removed.
     
  7. runningmom

    runningmom Private E-2

    Thanks for all your help. Things are still running okay and I've gotten rid of the things that you said to.

    How does that "syssecuritysite" get on the PC to start with? I'm running Norton Internet Security 2006 and am always current with its updates.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Typically many of these types of problems arrive due to sites that you have been surfing at and due to things you have clicked on (possibly without reading what the messages say). Sometimes when a yes or no question is posed, it is worded in a negative fashion, like "Click No if you do not want this to be installed."

    The below will provide you with many useful tips.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
