3 replies to this topic

[Robbie]

This is my first post here, so bear with me.

I was last night infected with Antivirus System Pro, telling me to buy its phony antivirus program. The malware blocked task manager and McAfee from opening. I worked around it in Firefox to find a solution and it led me to try Malwarebytes.

I downloaded this program, updated it, and ran it. It detected a few items and prompted for a reboot after I removed them. Much to my dismay, the malware was still operating at full strength, still blocking everything. I rebooted again and quickly opened my task manager as things were still loading and saw a strange process called ycslsysguard.exe which I terminated, and the malware did not start. I took the opportunity to perform full scans with both Malwarebytes and McAfee, but they both came up with nothing.

After a few hours of searching around, I decided to check my msconfig settings to see if there was a program booting that was suspicious-looking (I try to game on my laptop, so I keep very close track of the processes running and the programs that boot so I can run at maximum efficiency. The System Config > Startup tab showed that I apparently had "Microsoft® Frontpage® 2000" booting up, which I don't own, and I never remembered allowing that to start up. Anyways, in that entry it lists the "command" as "C:\Users\Robert\AppData\Local\hpsrbw\yclsysguard.exe" which has the exact same ending as the malicious process that tries to run at startup.

Anyway, that's as far as I've gone right now, I have disabled its start-on-reboot permission but I have yet to see if that actually works, and I have no clue how to get the virus off of my computer for good.

I'm going to attach a couple of my scan logs as well as a snapshot I took of the process in the task manager.

I am also wondering how I can avoid something happening like this in the future; I was using internet explorer when it happened (normally use Firefox, and it appears to use internet explorer when it opens a window for www.porno.com), and I don't think I was surfing anywhere TOO bad (Encyclopedia Dramatica).

So I hope this information helps people in the future, and I hope that you can help me!

 virusphoto.jpg   49.66K   20 downloads

LOG 1 - INFECTED
 mbam_log_2009_11_04__13_35_44_.txt   2.65K   39 downloads

LOG 2 - CLEAN
 mbam_log_2009_11_04__19_54_50_.txt   855bytes   39 downloads

[mountaintree16]

Hi Robbie, and welcome to the forums here at Malwarebytes.org

Please re-post the information in your post (and paste in the logs instead of attaching them if you are able to) here:
http://www.malwarebytes.org/forums/index.p...ew_post&f=7

as we do not work on malware removal in the general forums or in the False positive forum.

Also, you should check out this topic as well: http://www.malwareby...?showtopic=9573

As soon as one of our expert helpers are available, he or she will be happy to provide you with one-on-one assistance. Please be aware that the forum is quite busy at times, and it may take up to 48 hours or a bit longer before someone will be able to get back to you. If you haven't received a response within 48 hours though, feel free to reply to your post to "bump" it up for a request for review.

Thank you

[nosirrah]

There was an update a few hours ago that may have this handled , this sounds just like what I just worked .

[mountaintree16]

@ Nosirrah

Oops, sounds like it might be a FP, I thought that by the description it might not be. Hopefully Robbie comes back to this thread and sees this

Edit: Maybe I mis-interpreted what you said, sounds like this is actually an infection after all.