"System Alert: Spyware Detected"

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mr_Magoo565, Feb 13, 2007.

  1. Mr_Magoo565

    Mr_Magoo565 Private E-2

    I have done the steps for removal in the removal guide.
    I could not do them in safe mode due to this computer using a bluetooth keyboard and mouse.
    I am attaching the log files.
    Thanks in advance.
    MT
     


  2. Mr_Magoo565

    Mr_Magoo565 Private E-2

    Here are the rest of my log files.
     


  3. Mr_Magoo565

    Mr_Magoo565 Private E-2

    Found fix in another forum.
    I ran smitfraudfix.exe and it cleaned it up for me.
    http://siri.geekstogo.com/SmitfraudFix.php

    Here is the post from the other forum that i used:
    Title: How do I get rid of the System Alert! System detected virus activities balloon?
    Question: I apparently contracted a virus via an ActiveX download, which also put Antivermins rogue spyware on my computer. I've been into a number of forums, and via their advice have edited the registry, run a number of antispyware programs (including AVG and Spybot S&D), as well as run BitDefender antivirus (which didn't find anything). However, the balloon which reads "System Alert! System detected virus activities...Click this balloon to get all available software" (which of course I'm not clicking) STILL APPEARS ALL THE TIME.

    Can anyone tell me how to get rid of the balloon and be confident that I don't have a virus, spyware, or any hacking tools (which I'm MOST concerned about) on my system any longer?

    Thanks.
    Authored by: Newman2


    12/27/2006 - 12:47PM PST

    kane77573:
    Sounds like you got some bad spyware
    Use this
    Smitrem

    http://noahdfear.geekstogo.com/click counter/click.php?id=1

    Download this
    extract
    reboot into safe mode
    and run "runthis.bat"


    12/27/2006 - 12:47PM PST

    zodiac101:
    Try this solution

    http://www.bleepingcomputer.com/forums/topic47826.html

    12/27/2006 - 01:14PM PST


    Rank: Sage
    younghv:
    Newman2,

    The best 'look' at your computer we can get is through a program called "Hijack This" (HJT).

    I suggest you have one of the folks here take a look at your HJT logs.
    Below is information from the Page Editor at the Virus TA:

    Author: rpggamergirl
    http://www.experts-exchange.com/M_3598771.html

    Get the newest version of HJT:

    (an already renamed hijackthis)
    http://danborg.org/spy/hjt/alternativ.exe

    Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

    Then go to the below link and login using your Experts-Exchange username and password.
    http://www.ee-stuff.com
    Click on "Expert Area" tab
    type or paste the link to your Question
    "Browse" your pc to the location of your Hijackthis log and click "Upload"
    Copy the resulting "url" and post it back here.

    OR: paste the log to either of these sites:
    1. http://www.rafb.net/paste/
    then at the bottom left corner click "paste"
    Copy the address/url and post it here.

    2. or at --> http://www.hijackthis.de/
    and click "Analyse", click "Save". Then post the link to the saved list here.


    Post back when you can.
    Vic

    12/27/2006 - 01:33PM PST


    Rank: Sage
    rpggamergirl:
    That is a smitfraud infection.
    You can ALSO just run smitfraudfix and voila it's gone, :)

    Please download SmitfraudFix:
    http://siri.geekstogo.com/SmitfraudFix.php
    Extract the content (a folder named SmitfraudFix) to your Desktop.
    Next, please reboot your computer in Safe Mode by rebooting the computer,
    and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
    the options listed.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click
    smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected
    files.

    You will be prompted : "Registry cleaning - Do you want to clean the
    registry?" answer "Yes" by typing Y and press "Enter" in order to remove
    the Desktop background and clean registry keys associated with the
    infection.

    The tool will now check if wininet.dll is infected. You may be prompted to
    replace the infected file (if found); answer "Yes" by typing Y and press
    "Enter".

    The tool may need to restart your computer to finish the cleaning process;
    if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt



    12/28/2006 - 12:39AM PST

    Newman2:
    GREAT...IT WORKED. At least the balloon doesn't show anymore (not so far, at least).
    Can I be sure that there are no remnants of this miserable Antivermins problem in my system?
    Also, I had three processes running (isamonitor.exe, isamini.exe, and pmsngr.exe), but they haven't been around since I ran some of the other proposed solutions on the web. Also, there was a notice that the W332Myzor.fk@yf bug was also involved, but BitDefender didn't find it.
    This is all so confusing...do you have a recommendation for the BEST virus protection and Spyware Detection and Cleaning programs. I use BitDefender and AdAware/Spybot, but in this case, none of them did the job!
    Thanks! NORM

    12/28/2006 - 12:42AM PST

    Newman2:
    I forgot...here's the report from SmitfraudFix:

    SmitFraudFix v2.131

    Scan done at 8:48:06.70, Thu 12/28/2006
    Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}"="buprestidae"

    [HKEY_CLASSES_ROOT\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
    @="C:\WINDOWS\system32\cthkpcv.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
    @="C:\WINDOWS\system32\cthkpcv.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\cthkpcv.dll -> Hoax.Win32.Renos.gen.i
    C:\WINDOWS\system32\cthkpcv.dll -> Deleted


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End


    12/28/2006 - 01:55AM PST


    Rank: Sage
    rpggamergirl:
    1. For antivirus, I'm only using the free Avast, shifted from McAfee and Norton. If you want to buy an antivirus I'd recommend Kaspersky, I think it's the best.

    2. Also run SuperAntispyware to clean up any leftovers, this is slightly better than AVG Antispyware(formerly Ewido) and also better than SpySweeper. Just use it for their free trial and uninstall afterwards when you're done unless you want to buy it after the free trial is over.
    Download and install Superantispyware
    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
    Load Superantispyware and click the "check for updates" button.
    Once the update is finished, close SuperAntispyware again, we'll perform the scan later in safe mode

    * Start Superantispyware.
    Click the "scan your computer" button.
    Check "Perform Complete Scan" and then next.
    Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
    Make sure that they all have a check next to them and press next.
    Click finish and you will be taken back to the main interface.
    Click "Preferences" and then click the "statistics/logs" tab. Click the dated log and press view log and a text file will appear.


    3. If you use IE to surf online, then I'd also suggest installing SpywareBlaster from Javacool, it is a very good program that protects you from activex based malware and it doesn't even run in the background. Just download updates and enable all protection and that's it.
    http://www.javacoolsoftware.com/sbdownload.html

    For general cleaning, I'm not so keen on CCleaner (I use TuneUp Utilities) so I use ATF Cleaner for general cleaning, it is good and cleans All Users.
    Download and run ATF Cleaner by Atribune.
    http://www.atribune.org/ccount/click.php?id=1

    Reboot your computer into Safe Mode.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

    (If you use FireFox or the Opera browser,
    To keep saved passwords, click No at the prompt.)
    It's normal after running ATF cleaner that the PC will be slower to boot the first time.


    4. Also, while you still have smitfraudfix, please run smitfraudfix option 3, to clear your trusted zone (some variants of smitfraud insert entries in your trusted zone to respawn the infection).

    5. Also, we must not forget a good firewall. Free Zone Alarm works very well.
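    Added example (not part of the thread and not SmitfraudFix's own code): a small Python parser for the report format quoted above. It splits the report into its »-headed sections, pairs each SharedTaskScheduler CLSID with the InProcServer32 DLL it loads, and checks whether the Generic Renos Fix deleted that DLL and whether the CLSID is gone from the After section. The embedded report is a trimmed copy of the one posted above; the function names are my own.

```python
import re

# Constructed sample input: a trimmed copy of the SmitFraudFix report quoted in the
# thread, kept in the tool's own layout (section headers, registry blocks, "->" verdicts).
SAMPLE_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}"="buprestidae"

[HKEY_CLASSES_ROOT\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
@="C:\WINDOWS\system32\cthkpcv.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
C:\WINDOWS\system32\cthkpcv.dll -> Hoax.Win32.Renos.gen.i
C:\WINDOWS\system32\cthkpcv.dll -> Deleted

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION_RE = re.compile(r"^\u00bb+\s*(.+?)\s*$")   # »»»» Section name
KEY_RE = re.compile(r"^\[(.+)\]$")                  # [HKEY_...\Path]
VALUE_RE = re.compile(r'^(@|"[^"]*")="(.*)"$')      # "name"="data" or @="data"
VERDICT_RE = re.compile(r"^(.+?)\s+->\s+(.+)$")     # path -> verdict
CLSID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")

def split_sections(report):
    """Group lines under the »-headed section that precedes them."""
    sections, current = {"header": []}, "header"
    for line in (l.strip() for l in report.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections

def parse_registry_blocks(lines):
    """Turn [key] / "name"="data" lines into (key, {name: data}) blocks."""
    blocks = []
    for line in lines:
        km, vm = KEY_RE.match(line), VALUE_RE.match(line)
        if km:
            blocks.append((km.group(1), {}))
        elif vm and blocks:
            blocks[-1][1][vm.group(1).strip('"')] = vm.group(2)
    return blocks

def shared_task_scheduler_entries(lines):
    """Map each SharedTaskScheduler CLSID to its value name and InProcServer32 DLL."""
    blocks = parse_registry_blocks(lines)
    entries = {}
    for key, values in blocks:
        if key.lower().endswith(r"\sharedtaskscheduler"):
            for clsid, name in values.items():
                entries[clsid.lower()] = {"name": name, "dll": None}
    for key, values in blocks:
        m = CLSID_RE.search(key)
        if m and key.lower().endswith(r"\inprocserver32") and m.group(0).lower() in entries:
            entries[m.group(0).lower()]["dll"] = values.get("@")
    return entries

def deleted_files(lines):
    """Collect paths the fix reported as 'path -> Deleted'."""
    return {m.group(1) for m in map(VERDICT_RE.match, lines) if m and m.group(2) == "Deleted"}

def summarize(report):
    """One finding per CLSID: its DLL, whether the fix deleted it, whether it is still registered."""
    sections = split_sections(report)
    before = shared_task_scheduler_entries(sections.get("Before SmitFraudFix", []))
    after = shared_task_scheduler_entries(sections.get("After SmitFraudFix", []))
    deleted = deleted_files(sections.get("Generic Renos Fix", []))
    return [{"clsid": clsid, "name": info["name"], "dll": info["dll"],
             "dll_deleted": info["dll"] in deleted,
             "still_registered": clsid in after}
            for clsid, info in before.items()]
```

A finding with `dll_deleted` false or `still_registered` true is the case to look at by hand before calling the machine clean.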
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    And if you had read the Special Removal Procedure link given in multiple spots in the READ ME or searched thru the threads here in this forum you would have seen many fixes already exist here too! ;)

    You should attach new logs from GetRunKey, ShowNew and HJT now. You may not be finished.
     
  5. Mr_Magoo565

    Mr_Magoo565 Private E-2

    I got ahold of a ps2 keyboard and was able to run the tests in safe mode.
    Here are the new log files.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    System Alert Popup <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Okay now uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Do you know what the below cab file on your Desktop is for? If not, I would delete it.
    Code:
    "C:\Documents and Settings\Shawn Noppert\Desktop\"
    06088888.cab  Dec 16 2006       11370  "06088888.cab"
    Do you know what the below file is for? It just showed up on Feb 14th!
    Code:
    "C:\WINDOWS\system32\"
    windrv.sys    Feb 14 2007        1152  "windrv.sys"


    Run HijackThis and select the following lines (some may not be found) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: PowerReg Scheduler.exe
    O18 - Protocol: bw+0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {65575320-AF7A-4A25-8DF7-AF508F44651D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    After clicking Fix, exit HJT.

    Now reboot in normal mode

    Now locate the below folder and delete it if found:
    C:\Program Files\Video ActiveX Object


    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  7. Mr_Magoo565

    Mr_Magoo565 Private E-2

    Things seem to be running much faster although I haven't really checked it out completely....

    the cab file on the desktop looks like some sort of plugin for a program on this machine. It is my bosses pc so I will have to ask him about it.

    I also am not sure if he loaded something up that installed the windrv.sys.
    I will ask him.

    Here are the latest log files you asked for.

    I really appreciate the help you are giving me.

    MT
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would like to get some more info on the C:\WINDOWS\system32\windrv.sys file. Locate it again using Windows Explorer and then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.

    Your logs are clean otherwise. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  9. Mr_Magoo565

    Mr_Magoo565 Private E-2

    There is no version tab for the windrv.sys
    The property box has no real info for it.
     
  10. Mr_Magoo565

    Mr_Magoo565 Private E-2

    Just to let you know.....
    I loaded up Filseclab Personal Firewall Professional Edition from your suggestions of firewall, but had to unload it..... with it loaded I couldn't even start up quickbooks.
    It took over 5 minutes to get past the first splash screen.
    After I unloaded it quickbooks started fine.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Anytime you install any firewall, you need to specify to the firewall what applications require access to the internet. Were you blocking Quickbooks? Why does it need access when you startup anyway?

    Did you install a different firewall?
     
  12. Mr_Magoo565

    Mr_Magoo565 Private E-2

    I told it to give quickbooks access, but the problem was that it was interfering with the program even opening, not with it getting out to the internet.

    I just have microsoft firewall for now. I will have to do some testing before my boss will let me load up another one on his computer again....
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay but you need to tell your boss that the Windows Firewall does not provide adequate protection so your security is somewhat at risk. This is all covered in this link already given: How to Protect yourself from malware!
     
