Full Version: Sysguard / Antivirus System Pro still lingering after scan
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
Robbie
This is my first post here, so bear with me.

I was last night infected with Antivirus System Pro, telling me to buy its phony antivirus program. The malware blocked task manager and McAfee from opening. I worked around it in Firefox to find a solution and it led me to try Malwarebytes.

I downloaded this program, updated it, and ran it. It detected a few items and prompted for a reboot after I removed them. Much to my dismay, the malware was still operating at full strength, still blocking everything. I rebooted again and quickly opened my task manager as things were still loading and saw a strange process called ycslsysguard.exe which I terminated, and the malware did not start. I took the opportunity to perform full scans with both Malwarebytes and McAfee, but they both came up with nothing.

After a few hours of searching around, I decided to check my msconfig settings to see if there was a program booting that was suspicious-looking (I try to game on my laptop, so I keep very close track of the processes running and the programs that boot so I can run at maximum efficiency). The System Config > Startup tab showed that I apparently had "Microsoft® Frontpage® 2000" booting up, which I don't own, and I never remembered allowing that to start up. Anyway, in that entry it lists the "command" as "C:\Users\Robert\AppData\Local\hpsrbw\yclsysguard.exe" which has the exact same ending as the malicious process that tries to run at startup.

Anyway, that's as far as I've gone right now, I have disabled its start-on-reboot permission and the virus won't start up on its own, but I don't know how to get rid of the virus for good.

I'm going to attach a couple of my scan logs as well as a snapshot I took of the process in the task manager.

I am also wondering how I can avoid something like this happening in the future; I was using Internet Explorer when it happened (I normally use Firefox, and it appears to use Internet Explorer when it opens a window for www.porno.com), and I don't think I was surfing anywhere TOO bad (Encyclopedia Dramatica).

So I hope this information helps people in the future, and I hope that you can help me!

LOG 1 - INFECTED

Malwarebytes' Anti-Malware 1.41
Database version: 3098
Windows 6.0.6002 Service Pack 2

11/4/2009 1:35:44 PM
mbam-log-2009-11-04 (13-35-44).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 277908
Time elapsed: 1 hour(s), 45 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{006c2f9b-122d-438f-bac0-de3c620d2ec6} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{010653e4-75ec-4d9b-ae49-f64fc810770d} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1d2cc793-b043-4dd2-a52c-3d9ade61bbbd} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7be6b643-6201-4cf7-b8b1-d79ffae57cba} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a93a1ba9-9ee8-469f-a9fe-fd1c26700bda} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{58696980-c6b3-4ad2-ab53-718f1c3c57ca} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{97641909-2311-4513-8581-f5c84b3f05f2} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{01417316-4620-43c7-b635-f4f381596978} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000005-0000-0000-0000-100009000004} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a75e294e-c047-4d29-b07e-37b792881bef} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7aa32fc7-133b-4ae7-998e-ced0d9829b12} (Trojan.Dialer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\AleWinSecure.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Robert\AppData\Local\VirtualStore\Program Files\PKL\inst.bin (Keylogger.PerfectKeylogger) -> Quarantined and deleted successfully.


LOG 2 - CLEAN

Malwarebytes' Anti-Malware 1.41
Database version: 3100
Windows 6.0.6002 Service Pack 2

11/4/2009 7:54:50 PM
mbam-log-2009-11-04 (19-54-50).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 276765
Time elapsed: 1 hour(s), 49 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
miekiemoes
Hi,

QUOTE
Anyway, that's as far as I've gone right now, I have disabled its start-on-reboot permission and the virus won't start up on its own, but I don't know how to get rid of the virus for good.


First of all, navigate to and delete C:\Users\Robert\AppData\Local\hpsrbw <== this folder, which contains the yclsysguard.exe

Since you have disabled it in msconfig, I have to get an export of that key to see how the key is named so we can delete it afterwards.

To do this...

Open notepad and copy and paste the next bold text in it:

regedit /e look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
start notepad look.txt


Save this as look.bat, choose to save as "all files" and place it on your desktop.
This is how the batch should look after you created it: It will look a bit different in Vista.
Right-click on look.bat and choose to run as administrator (since I see you are using Vista) and post the contents of the log it opens in your next reply.
Robbie
Easy as pie. It looks like the last one is the pertinent one. I took a look-see at the registry but I lack the confidence to go deleting things all willy-nilly.



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"
"YEAR"=dword:000007d8
"MONTH"=dword:00000009
"DAY"=dword:00000013
"HOUR"=dword:00000013
"MINUTE"=dword:0000000d
"SECOND"=dword:00000038

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QuickTime Task"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:00000005
"DAY"=dword:0000000d
"HOUR"=dword:0000000a
"MINUTE"=dword:0000002c
"SECOND"=dword:00000030

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl8]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RemoteControl8"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD8\\PDVD8Serv.exe\""
"inimapping"="0"
"YEAR"=dword:000007d8
"MONTH"=dword:00000009
"DAY"=dword:00000013
"HOUR"=dword:00000013
"MINUTE"=dword:0000000d
"SECOND"=dword:00000038

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"
"YEAR"=dword:000007d8
"MONTH"=dword:00000009
"DAY"=dword:00000013
"HOUR"=dword:00000013
"MINUTE"=dword:0000000d
"SECOND"=dword:00000038

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vimfcnox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vimfcnox"
"hkey"="HKCU"
"command"="C:\\Users\\Robert\\AppData\\Local\\hpsrbw\\ycslsysguard.exe"
"inimapping"="0"
"YEAR"=dword:000007d9
"MONTH"=dword:0000000b
"DAY"=dword:00000004
"HOUR"=dword:00000014
"MINUTE"=dword:00000032
"SECOND"=dword:0000001a
miekiemoes
Hi,

Open notepad and copy and paste the text present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

QUOTE
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vimfcnox]

Save this as fix.reg, choose to save as "all files" and place it on your desktop.
It should look like this:
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

I assume you already deleted the C:\Users\Robert\AppData\Local\hpsrbw folder?

How are things now?
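The two steps above (export the msconfig "disabled startup" store with look.bat, then delete the one entry with fix.reg) can be done in a single script, with the check that msconfig's Startup tab does not give you: which entries launch from a per-user profile directory, and whether the file they point at still exists. The following PowerShell is an added example and not part of this thread or of any Malwarebytes tool; the function names and parameters are mine, while the key path and the value names (key, item, hkey, command, YEAR/MONTH/DAY) are the ones visible in Robbie's export. It goes beyond the thread by scanning every entry rather than only vimfcnox. Run it from an elevated prompt, since the key lives under HKLM.

```powershell
# Added example: inspect and clean the msconfig "startupreg" store.
# Usage:  .\Inspect-DisabledStartup.ps1                      (list and flag)
#         .\Inspect-DisabledStartup.ps1 -RemoveItem vimfcnox -WhatIf
#         .\Inspect-DisabledStartup.ps1 -RemoveItem vimfcnox
param(
    [string]$RemoveItem,   # entry name exactly as it appears in the export (hypothetical parameter)
    [switch]$WhatIf
)

# Where msconfig (XP/Vista/7) parks entries that were unticked on the Startup tab.
$startupReg = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

# Launch locations that a vendor's startup entry rarely uses. Patterns are
# constructed for this example; matched case-insensitively against the exe path.
$suspectPatterns = @(
    '\\Users\\[^\\]+\\AppData\\',        # per-user Local/Roaming AppData (the hpsrbw case)
    '\\Documents and Settings\\',        # XP-era profile directories
    '\\Temp\\'
)

# Pull the executable out of a "command" value, handling both
# "C:\Program Files\X\y.exe" /arg   and   C:\Program Files\X\y.exe (unquoted, spaces).
function Get-ExecutablePath([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"')      { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)\b')   { return $Matches[1] }
    return $Command.Trim()
}

function Test-SuspectPath([string]$Path) {
    foreach ($pattern in $suspectPatterns) {
        if ($Path -match $pattern) { return $true }
    }
    return $false
}

# One object per disabled entry, including the date msconfig recorded when it was disabled.
function Get-DisabledStartupEntries {
    if (-not (Test-Path $startupReg)) { return @() }
    Get-ChildItem $startupReg | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Name     = $_.PSChildName
            Hive     = $p.hkey
            Key      = $p.key
            Item     = $p.item
            Command  = $p.command
            Disabled = '{0}-{1:d2}-{2:d2}' -f $p.YEAR, $p.MONTH, $p.DAY
        }
    }
}

# Equivalent of merging "[-HKEY_LOCAL_MACHINE\...\startupreg\<Name>]" from a REGEDIT4 file.
function Remove-DisabledStartupEntry([string]$Name, [switch]$WhatIf) {
    $path = Join-Path $startupReg $Name
    if (-not (Test-Path $path)) { Write-Warning "No disabled startup entry named '$Name'."; return }
    $cmd = (Get-ItemProperty $path).command
    if ($WhatIf) { Write-Host "Would remove $path  ($cmd)"; return }
    Remove-Item -Path $path -Recurse
    Write-Host "Removed $path"
}

foreach ($e in Get-DisabledStartupEntries) {
    $exe     = Get-ExecutablePath $e.Command
    $flag    = if (Test-SuspectPath $exe) { 'SUSPECT' } else { 'ok' }
    $present = if ($exe -and (Test-Path -LiteralPath $exe)) { 'file present' } else { 'file missing' }
    '{0,-7} {1,-16} {2,-4} {3}  [{4}, disabled {5}]' -f $flag, $e.Name, $e.Hive, $e.Command, $present, $e.Disabled
}

if ($RemoveItem) { Remove-DisabledStartupEntry -Name $RemoveItem -WhatIf:$WhatIf }
```

On the export in this thread the script would print four "ok" lines for MsnMsgr, QuickTime Task, RemoteControl8 and SynTPEnh and one "SUSPECT ... file missing" line for vimfcnox once the hpsrbw folder has been deleted; seeing "file missing" before removing the key is the confirmation that only the orphaned reference is left. Deleting the startupreg key is all that is needed because msconfig already removed the original Run value when the entry was unticked.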
Robbie
Hey,

I haven't had any problems since I disabled the startup to be honest, but I just wanted it completely gone, you know? Well that's how my computer's doing. I'm doing well also, but very busy with homework and school. And I did delete that folder.
miekiemoes
Good to hear.


Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
miekiemoes
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.