Sysguard / Antivirus System Pro still lingering after scan

[Robbie]

This is my first post here, so bear with me.

I was last night infected with Antivirus System Pro, telling me to buy its phony antivirus program. The malware blocked task manager and McAfee from opening. I worked around it in Firefox to find a solution and it led me to try Malwarebytes.

I downloaded this program, updated it, and ran it. It detected a few items and prompted for a reboot after I removed them. Much to my dismay, the malware was still operating at full strength, still blocking everything. I rebooted again and quickly opened my task manager as things were still loading and saw a strange process called ycslsysguard.exe which I terminated, and the malware did not start. I took the opportunity to perform full scans with both Malwarebytes and McAfee, but they both came up with nothing.

After a few hours of searching around, I decided to check my msconfig settings to see if there was a program booting that was suspicious-looking (I try to game on my laptop, so I keep very close track of the processes running and the programs that boot so I can run at maximum efficiency. The System Config > Startup tab showed that I apparently had "Microsoft

[miekiemoes]

Hi,

Anyway, that's as far as I've gone right now, I have disabled its start-on-reboot permission and the virus won't start up on its own, but I don't know how to get rid of the virus for good.

First of all, navigate to and delete C:\Users\Robert\AppData\Local\hpsrbw <== this folder, which contains the yclsysguard.exe

Since you have disabled it in msconfig, I have to get an export of that key to see how the key is named so we can delete it afterwards.

To do this...

Open notepad and copy and paste next bold in it:

regedit /e look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"

start notepad look.txt

Save this as look.bat , choose to save as *all files and place it on your desktop.

This is how the batch should look after you created it: It will look a bit different in Vista.

Rightclick on look.bat and choose to run as administrator (since I see you are using Vista) and post the contents of the log it opens in your next reply.

[Robbie]

Easy as pie. It looks like the last one is the pertinent one. I took a look-see at the registry but I lack the confidence to go deleting things all willy-nilly

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="MsnMsgr"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

"inimapping"="0"

"YEAR"=dword:000007d8

"MONTH"=dword:00000009

"DAY"=dword:00000013

"HOUR"=dword:00000013

"MINUTE"=dword:0000000d

"SECOND"=dword:00000038

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="QuickTime Task"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

"YEAR"=dword:000007d7

"MONTH"=dword:00000005

"DAY"=dword:0000000d

"HOUR"=dword:0000000a

"MINUTE"=dword:0000002c

"SECOND"=dword:00000030

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl8]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="RemoteControl8"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\CyberLink\\PowerDVD8\\PDVD8Serv.exe\""

"inimapping"="0"

"YEAR"=dword:000007d8

"MONTH"=dword:00000009

"DAY"=dword:00000013

"HOUR"=dword:00000013

"MINUTE"=dword:0000000d

"SECOND"=dword:00000038

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SynTPEnh]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="SynTPEnh"

"hkey"="HKLM"

"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

"inimapping"="0"

"YEAR"=dword:000007d8

"MONTH"=dword:00000009

"DAY"=dword:00000013

"HOUR"=dword:00000013

"MINUTE"=dword:0000000d

"SECOND"=dword:00000038

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vimfcnox]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="vimfcnox"

"hkey"="HKCU"

"command"="C:\\Users\\Robert\\AppData\\Local\\hpsrbw\\ycslsysguard.exe"

"inimapping"="0"

"YEAR"=dword:000007d9

"MONTH"=dword:0000000b

"DAY"=dword:00000004

"HOUR"=dword:00000014

"MINUTE"=dword:00000032

"SECOND"=dword:0000001a

[miekiemoes]

Hi,

Open notepad and copy and paste next present in the quotebox below in it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vimfcnox]

Save this as fix.reg Choose to save as *all files and place it on your desktop.

It should look like this:

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

I assume you already deleted the C:\Users\Robert\AppData\Local\hpsrbw folder?

How are things now?

[Robbie]

Hey,

I haven't had any problems since I disabled the startup to be honest, but I just wanted it completely gone, you know? Well that's how my computer's doing. I'm doing well also, but very busy with homework and school. And I did delete that folder.

[miekiemoes]

Good to hear.

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

[miekiemoes]

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.