Sysprotect Keeps Installing on my computer

Question

Every time I use the internet, Sysprotect keeps popping up on my computer and trying to download.  It keeps downloading, I keep uninstalling.   I went to HijackThis, scanned, and copied the file.   Logfile of HijackThis v1.99.1 Scan saved at 9:29:45 AM, on 5/7/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32
vsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe C:\WINDOWS\system32\wltray.exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe C:\Program Files\Yahoo!\Messenger\ypager.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Karyn Wilkinson\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\cbxxv.dll O2 - BHO: (no name) - {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} - C:\WINDOWS\system32\qommn.dll O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd1.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe O4 - HKLM\..\Run: [PRISMSVR.EXE] 'C:\WINDOWS\system32\PRISMSVR.EXE' /APPLY O4 - HKLM\..\Run: [SpybotSnD] 'C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe' /autoclose O4 - HKLM\..\Run: [SysProtect] C:\Program Files\SysProtect\syp.exe /scan O4 - HKLM\..\Run: [mmtask] 'C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe' O4 - HKLM\..\Run: [Ad-Aware] 'C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe' +c O4 - HKCU\..\Run: [AWMON] 'C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe' O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKCU\..\Run: [Yahoo! Pager] 'C:\Program Files\Yahoo!\Messenger\ypager.exe' -quiet O20 - Winlogon Notify: cbxxv - C:\WINDOWS\system32\cbxxv.dll O20 - Winlogon Notify: qommn - C:\WINDOWS\SYSTEM32\qommn.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32
vsvc32.exe O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

ky331 · Answer

you have multiple versio ns of SysProtect.     for starters, i see two vundo trojans in your log... let's go after these first, and see how much of a difference it makes.... afterwards, either I (or more likely, someone else) will continue to help you with the remaining forms of SysProtect:    download and run Atribune's VundoFix, per directions here:   http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=29584   then upgrade your java, from 1.4.2_05 to 1.5.0_06, per directions lower-down in the same link.   **************   next, you should move the HJT program from your Desktop: C:\Documents and Settings\Karyn Wilkinson\Desktop\HijackThis.exeinto a separate folder of its own... We recommend using folder C:\HJT , so that it will then appear in your log under running processes as C:\HJT\HijackThis.exe [if you prefer, it's okay to have an HJT folder on your desktop, move the HJT program into this folder, and run it from there] This is important because HJT generates log files, and backup files, in the folder from which it is run. So at present, all these logs/backups will just 'clutter-up' your Desktop. And if you simply delete them from there, you'll lose the important backup information, which may be needed in case you have to 'undo' [restore] some of the things you 'FIX' incorrectly.   **************   when you're done, generate a brand-new HiJackThis log.  REPLY to this thread, and post the HJT log.   please also post a copy of your VundoFix.txt log, which you should find in your ROOT directory, C:\   and be sure to let us know what impact (if any) it had on your sysprotect problem.... as well as any system changes you note after running vundofix.    again, be advised that we've only removed a part of the problem so far, so don't be surprised if it's still there.

Virus & Spyware

Was this post helpful?