Does anyone know what ahvusysguard.exe is?

I have been experiencing a nasty infection of some sort (computer and bodily but I doubt they are connected). It comes up as a fake antivirus program with lots of warnings about how everything is infected. It disables files manager, trend micro, control panel, malwarebytes etc…

My computer:
Windows xp
ie7
(have most recent updates for all below)
trendmicro av
malwarebytes
spyware terminator
cc cleaner
(none of which have found anything except for cc cleaner)
I have run trend micro and spyware terminator in safe mode with system restore turned off (couldn’t find malwarebytes or cc cleaner in safe mode - do they run there???) nuthin

I have an entry in cc cleaner’s startup manager for ahvusysguard.exe and I cannot find out any info on what it is - I suspect it is part of the nastiness.

Anyone have a clue?

I downloaded process explorer and ended any process I didn’t recognise and the nastiness seems to be temporarily stopped but I suspect it will come back next time I restart my computer.

Dunno about trend micro, but you can stop viruses from disabling malwarebytes by simply renaming the .exe file (and the directory it’s in, for good measure). I would assume the same would work with any antivirus.

As for ahvusysguard.exe, a google search turns up absolutely nothing (only this very thread, in fact) and it’s definitely not a system file. Nuke away.

Since it doesn’t show up in Google (the only hit is this thread), it’s a virus.

You might want to see if hijackthis shows it among the startup items. If so, you can find where the program is and can disable its registry entry (hijackthis – once the best antispyware tool out there – is of limited use these days, since spyware is aware of it. However, I recently was able to clean a badly infected computer because the software did show up, so it’s worth a shot).

I just got rid of that nasty little monster a couple of days ago. Go to www.geekradio.com (run by local public radio on-air computer help guru and newspaper columnist Jay Lee (KPFT 90.1 FM)) and look for the link “Spyware”; here is a direct link to his “jay-lees-patented-spyware-removal-system”: http://www.geekradio.com/2006/06/26/ . You can try ad-aware, spybot and malware bytes but they did not kill the pest; the one that worked is called combofix.exe, it’s the atom bomb of anti-spy/malware. Expect a phishing attempt: the software redirected my attempts at logging on to my online banking to a fake site that tried to get me to reveal my personal info.
Good Luck

A strong caveat re Combofix; it really is the nuclear option - never use it unless someone who has seen your HJT log and is qualified in its reading (like people on the official HJT forums, or BleepingComputer) has recommended it. You can seriously mess up your computer (so much so that it won’t start) if you use it blind.

I got a virus with a similar name shortly after visiting the “Guidos” link in this thread. BitDefender didn’t recognize the virus. I found a process named yxafsysguard.exe and killed it. I then searched my hard drive for “yxafsysguard.exe” and found and renamed the following files:

C:\WINDOWS\Prefetch\YXFASYSGUARD.EXE-399CFF6F.pf

C:\Documents and Settings\Owner\Local Settings\Application Data\bhvwxy\yxafsysguard.exe

I added “.bad” to the ends of both filenames, making them non-executable. I then rebooted.

The virus did something to IE to disable the http: protocol - IE wouldn’t work even after installing the latest version. I fixed this by resetting the internet options using the following menu tree:

Tools Menu
Internet Options
Advanced tab
Click Reset
In “Reset Internet Explorer” dialog box, click Reset to confirm

I should warn that this last step will clobber a bunch of settings, including toolbars.

I hope this helps.
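Added example, not part of any post in this thread: a small triage script that generalises the two names reported here (ahvusysguard.exe, yxafsysguard.exe) into a pattern and checks a file listing for matching executables and Prefetch entries. The four-letter-prefix pattern, the `triage` function and the sample listing are assumptions built from the paths quoted above, not a published signature.

```python
import ntpath
import re

# Assumption: pattern generalised from the two names seen in this thread,
# i.e. four letters followed by "sysguard.exe".
EXE_RE = re.compile(r"^[a-z]{4}sysguard\.exe$", re.IGNORECASE)
# Prefetch entries are named <EXE NAME>-<8 hex digits>.pf
PF_RE = re.compile(r"^([a-z]{4}sysguard\.exe)-[0-9a-f]{8}\.pf$", re.IGNORECASE)
# Windows XP per-user data directory, where the poster found the binary.
PROFILE_MARKER = "\\local settings\\application data\\"


def triage(paths):
    """Return (executables, prefetch_only) for a list of Windows paths.

    executables   -- [(path, located_under_user_profile)]
    prefetch_only -- names with Prefetch evidence but no matching file
    """
    executables, prefetch_names = [], set()
    for path in paths:
        name = ntpath.basename(path)
        pf = PF_RE.match(name)
        if pf:
            prefetch_names.add(pf.group(1).lower())
        elif EXE_RE.match(name):
            executables.append((path, PROFILE_MARKER in path.lower()))
    found = {ntpath.basename(p).lower() for p, _ in executables}
    # A Prefetch hit with no file of that name means the binary was deleted,
    # renamed, or ran under a different name: keep looking.
    return executables, sorted(prefetch_names - found)


# Constructed sample listing. The first two paths are the ones quoted in the
# post above (note the Prefetch name is spelled differently from the .exe as
# quoted, so it is reported separately); the rest are constructed.
SAMPLE = [
    r"C:\WINDOWS\Prefetch\YXFASYSGUARD.EXE-399CFF6F.pf",
    r"C:\Documents and Settings\Owner\Local Settings\Application Data\bhvwxy\yxafsysguard.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf",
]

if __name__ == "__main__":
    exes, pf_only = triage(SAMPLE)
    for path, in_profile in exes:
        print("executable:", path, "(user profile)" if in_profile else "")
    for name in pf_only:
        print("prefetch evidence only:", name)
```

A listing to feed it can be produced with `dir /s /b C:\ > listing.txt` and read in line by line.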

That’s weird. I just checked my processes and system for this and couldn’t find it, despite having visited that link (I posted it, after all). I’m running Windows 7 and AVG as my virus scanner, and went to the link in Firefox, so perhaps one of those factors had something to do with it? Though AVG didn’t pop up any warnings or anything.

I went there too and don’t have that process running. I’m on Vista and using Avast, and normally I get warnings upon starting to load a page or even mousing over a link if it’s a known iffy site. Using Firefox, as well. I’ll check my system but I haven’t seen any signs of problems.

I’m willing to bet this is an IE/ActiveX thing. A pretty poorly designed one if it doesn’t even attempt to stealth itself, but I’d wager Firefox users (and non-Windows users) won’t get infected.