Jump to content

Sysguard / Antivirus System Pro still lingering after scan


Robbie

Recommended Posts

This is my first post here, so bear with me.

I was last night infected with Antivirus System Pro, telling me to buy its phony antivirus program. The malware blocked task manager and McAfee from opening. I worked around it in Firefox to find a solution and it led me to try Malwarebytes.

I downloaded this program, updated it, and ran it. It detected a few items and prompted for a reboot after I removed them. Much to my dismay, the malware was still operating at full strength, still blocking everything. I rebooted again and quickly opened my task manager as things were still loading and saw a strange process called ycslsysguard.exe which I terminated, and the malware did not start. I took the opportunity to perform full scans with both Malwarebytes and McAfee, but they both came up with nothing.

After a few hours of searching around, I decided to check my msconfig settings to see if there was a program booting that was suspicious-looking (I try to game on my laptop, so I keep very close track of the processes running and the programs that boot so I can run at maximum efficiency. The System Config > Startup tab showed that I apparently had "Microsoft

post-24122-1257386957_thumb.jpg

Link to post
Share on other sites

  • Staff

Hi,

Anyway, that's as far as I've gone right now, I have disabled its start-on-reboot permission and the virus won't start up on its own, but I don't know how to get rid of the virus for good.

First of all, navigate to and delete C:\Users\Robert\AppData\Local\hpsrbw <== this folder, which contains the yclsysguard.exe

Since you have disabled it in msconfig, I have to get an export of that key to see how the key is named so we can delete it afterwards.

To do this...

Open notepad and copy and paste next bold in it:

regedit /e look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"

start notepad look.txt

Save this as look.bat , choose to save as *all files and place it on your desktop.

This is how the batch should look after you created it: bat.gif It will look a bit different in Vista.

Rightclick on look.bat and choose to run as administrator (since I see you are using Vista) and post the contents of the log it opens in your next reply.

Link to post
Share on other sites

Easy as pie. It looks like the last one is the pertinent one. I took a look-see at the registry but I lack the confidence to go deleting things all willy-nilly :)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="MsnMsgr"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

"inimapping"="0"

"YEAR"=dword:000007d8

"MONTH"=dword:00000009

"DAY"=dword:00000013

"HOUR"=dword:00000013

"MINUTE"=dword:0000000d

"SECOND"=dword:00000038

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="QuickTime Task"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

"YEAR"=dword:000007d7

"MONTH"=dword:00000005

"DAY"=dword:0000000d

"HOUR"=dword:0000000a

"MINUTE"=dword:0000002c

"SECOND"=dword:00000030

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl8]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="RemoteControl8"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\CyberLink\\PowerDVD8\\PDVD8Serv.exe\""

"inimapping"="0"

"YEAR"=dword:000007d8

"MONTH"=dword:00000009

"DAY"=dword:00000013

"HOUR"=dword:00000013

"MINUTE"=dword:0000000d

"SECOND"=dword:00000038

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SynTPEnh]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="SynTPEnh"

"hkey"="HKLM"

"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

"inimapping"="0"

"YEAR"=dword:000007d8

"MONTH"=dword:00000009

"DAY"=dword:00000013

"HOUR"=dword:00000013

"MINUTE"=dword:0000000d

"SECOND"=dword:00000038

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vimfcnox]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="vimfcnox"

"hkey"="HKCU"

"command"="C:\\Users\\Robert\\AppData\\Local\\hpsrbw\\ycslsysguard.exe"

"inimapping"="0"

"YEAR"=dword:000007d9

"MONTH"=dword:0000000b

"DAY"=dword:00000004

"HOUR"=dword:00000014

"MINUTE"=dword:00000032

"SECOND"=dword:0000001a

Link to post
Share on other sites

  • Staff

Hi,

Open notepad and copy and paste next present in the quotebox below in it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vimfcnox]

Save this as fix.reg Choose to save as *all files and place it on your desktop.

It should look like this: reg.gif

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

I assume you already deleted the C:\Users\Robert\AppData\Local\hpsrbw folder?

How are things now?

Link to post
Share on other sites

  • Staff

Good to hear.

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.