WIN X Sp2 IE8.0 killed by CPXRSYSGUARD.EXE and or ? Cant get IE8 to access the web

[Rudy]

Tonite, I Contracted 39 versions of what SuperAntiSpyware calls:

ROGUE.AGENT/GEN in my Registry

HKUS\S-1-5-21 (see below) etc (in 39 different file endings) and

TROJAN.AGENT/GEN-FakeSpy[Broad] 3 copies

1. in
HKUS\S-1-5-21-2952124706-32014773-2762605872-1007Software\Microsoft\Windows\CurrentVersion\Run(jdfecxfs-
C:\Documentsand
Settings\Alan\LocalSettings\ApplicationData\ubqllk\cpxrsysguard.exe and

The other two in C:\ DocSettings\Alan\LocalSettings\ApplicationData where
it again opened a Folder named UBQLLK and inserted 2 copies of
CPXRSYSGUARD.EXE

It began opening copy after copy of its version of an Anti Virus etc
demanding that I let it search and fix my problems.

At the same time, it was busy repeatedly opening WEBPAGES: VIAGRA.COM,
PORNO.COM and ADULTSEX (or something) .com

** I'm running AVG free Ver 8.5 and SuperAnti spyware** but neither saw
this thing coming.

My SecurityCenter settings said that my AV wasnt working ( it looked like
this thing shut down AVG) while this thing did its 70+ attempts to start and
run while I tried to stop it. I managed to get SuperAntiSpyware up and
running and it finally found all the above after fighting with the JUNK for
an hour..

Once finished, I got SAS to quarantine all those entries (42) and
restarted. I found a STARTUP line in MSCONFIG/startup for CPRXSYSGUARD so I
unchecked that and restarted in SAFE MODE. I then ran a full AVG scan which
found nothing.

I restarted again but was unable to get IE8 to go to my HOME website. I
tried several sites, no luck, just Windows "advice" page to try again or
retype etc.

I did a regular SEARCH (Left menu) for CPXRSYSGUARD and it revealed 3
copies in something called:

[Explorer Icon]
kaka://C:\DocumentsandSettings\Alan\LocalSettings\AppData\ubqllk\cpxrsysguard.exe/alert.htm
and in Explorer]kaka://C:\ SAME
..exe/mtmlMain.htm
and Explorer] kaka://C:\ SAME .exe/netalert.htm

I deleted these directly from SEARCH but all to no avail.
I can't get IE8 to bring up any webpage. I tried my OUTLOOK thru the same
connection and went to Newsgroups just fine..but no internet.

I found more similar copies/pieces of this thing in odd places in my
Registry so I ran a Registry Scan With REG Cleaner WINASO Ver 3.0
I ve run it before with no problems. All the pieces I could find, in
Registry, I removed. It did also find another piece of EVIL in
C:/Windows/Temp/ named 3812937264.exe which may have been the start of all
this. It was removed also but still no luck.

Everything LOOKS ok and seems to RUN OK, but cannot get IE8 to go online.

I figured WTH, and went to SYSTEM RESTORE.. I tried 4 "restores" going back
Dec 12, 10 8 and Nov 25..No luck, simply:

Computer CANNOT be restored to...the various dates..

I just recently U/G to IE8 from IE6. It seems that this significantly
SLOWED my USENET /newsgroups responses but I may be dreaming.

Any advice on how to try and get this problem fixed would be much
appreciated...I ve been at it for 4+ hours now

 

[David H. Lipman]

From: "Rudy" <[email protected]>

| Tonite, I Contracted 39 versions of what SuperAntiSpyware calls:

| ROGUE.AGENT/GEN in my Registry

http://www.malwarebytes.org/forums

 

[Elmo]

Tonite, I Contracted 39 versions of what SuperAntiSpyware calls:

ROGUE.AGENT/GEN in my Registry

HKUS\S-1-5-21 (see below) etc (in 39 different file endings) and

TROJAN.AGENT/GEN-FakeSpy[Broad] 3 copies

1. in
HKUS\S-1-5-21-2952124706-32014773-2762605872-1007Software\Microsoft\Windows\CurrentVersion\Run(jdfecxfs-
C:\Documents and
Settings\Alan\Local Settings\Application Data\ubqllk\cpxrsysguard.exe and

The other two in C:\ Doc Settings\Alan\Local Settings\Application Data where
it again opened a Folder named UBQLLK and inserted 2 copies of
CPXRSYSGUARD.EXE

It began opening copy after copy of its version of an Anti Virus etc
demanding that I let it search and fix my problems.

At the same time, it was busy repeatedly opening WEBPAGES: VIAGRA.COM,
PORNO.COM and ADULTSEX (or something) .com

** I'm running AVG free Ver 8.5 and SuperAntiSpyware** but neither saw
this thing coming.

My SecurityCenter settings said that my AV wasn't working (It looked like
this thing shut down AVG) while this thing did its 70+ attempts to start and
run while I tried to stop it. I managed to get SuperAntiSpyware up and
running and it finally found all the above after fighting with the JUNKfor
an hour..

Once finished, I got SAS to quarantine all those entries (42) and
restarted. I found a STARTUP line in MSCONFIG/startup for CPRXSYSGUARDso I
unchecked that and restarted in SAFE MODE. I then ran a full AVG scan which
found nothing.

I restarted again but was unable to get IE8 to go to my HOME website. I
tried several sites, no luck, just Windows "advice" page to try again or
retype, etc.

I did a regular SEARCH (Left menu) for CPXRSYSGUARD and it revealed 3
copies in something called:

[Explorer Icon]
kaka://C:\DocumentsandSettings\Alan\LocalSettings\AppData\ubqllk\cpxrsysguard.exe/alert.htm
and in Explorer]kaka://C:\ SAME
.exe/mtmlMain.htm
and Explorer] kaka://C:\ SAME .exe/netalert.htm

I deleted these directly from SEARCH but all to no avail.
I can't get IE8 to bring up any web page. I tried my OUTLOOK thru thesame
connection and went to Newsgroups just fine..but no internet.

I found more similar copies/pieces of this thing in odd places in my
Registry so I ran a Registry Scan With REG Cleaner WINASO Ver 3.0
I've run it before with no problems. All the pieces I could find, in
Registry, I removed. It did also find another piece of EVIL in
C:/Windows/Temp/ named 3812937264.exe which may have been the start ofall
this. It was removed also but still no luck.

Everything LOOKS ok and seems to RUN OK, but cannot get IE8 to go online.

I figured WTH, and went to SYSTEM RESTORE.. I tried 4 "restores" going back
Dec 12, 10 8 and Nov 25..No luck, simply:

Computer CANNOT be restored to.. the various dates..

I just recently U/G to IE8 from IE6. It seems that this significantly
SLOWED my USENET /newsgroups responses but I may be dreaming.

Any advice on how to try and get this problem fixed would be much
appreciated...I've been at it for 4+ hours now

Two suggestions:

- Open Internet Options, Connections tab, click "Lan Settings" button,
deselect all.

- To get control before any Rootkit or other malware, burn BitDefender,
or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is available,
(though no .exe is available for BitDefender).

After the scan is run, if you elect to quarantine files, they're
quarantined to RAM and lost after you reboot. You'll need to copy any
quarantined files to the hard drive, a thumb drive or elsewhere before
exiting.

Then run these:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html

 

[Leonard Grey]

Malware is not merely a bother or an inconvenience, as it was up to a
few years ago. Most malware today is written by highly competent
individuals. It will resist attempts at removal, and often a successful
removal will damage a computer or leave it in an unstable state.

In my opinion, unless you are comfortable with performing highly
technical operations on their computer, you should not attempt to fix a
seriously compromised computer on your own.

Otherwise, you should restore a known-good backup, if you have one, hand
the computer over to a professional, or erase your hard disk and start over.

---
Leonard Grey
Errare humanum est

Tonite, I Contracted 39 versions of what SuperAntiSpyware calls:

ROGUE.AGENT/GEN in my Registry

HKUS\S-1-5-21 (see below) etc (in 39 different file endings) and

TROJAN.AGENT/GEN-FakeSpy[Broad] 3 copies

1. in
HKUS\S-1-5-21-2952124706-32014773-2762605872-1007Software\Microsoft\Windows\CurrentVersion\Run(jdfecxfs-
C:\Documentsand
Settings\Alan\LocalSettings\ApplicationData\ubqllk\cpxrsysguard.exe and

The other two in C:\ DocSettings\Alan\LocalSettings\ApplicationData where
it again opened a Folder named UBQLLK and inserted 2 copies of
CPXRSYSGUARD.EXE

It began opening copy after copy of its version of an Anti Virus etc
demanding that I let it search and fix my problems.

At the same time, it was busy repeatedly opening WEBPAGES: VIAGRA.COM,
PORNO.COM and ADULTSEX (or something) .com

** I'm running AVG free Ver 8.5 and SuperAnti spyware** but neither saw
this thing coming.

My SecurityCenter settings said that my AV wasnt working ( it looked like
this thing shut down AVG) while this thing did its 70+ attempts to start and
run while I tried to stop it. I managed to get SuperAntiSpyware up and
running and it finally found all the above after fighting with the JUNK for
an hour..

Once finished, I got SAS to quarantine all those entries (42) and
restarted. I found a STARTUP line in MSCONFIG/startup for CPRXSYSGUARD so I
unchecked that and restarted in SAFE MODE. I then ran a full AVG scan which
found nothing.

I restarted again but was unable to get IE8 to go to my HOME website. I
tried several sites, no luck, just Windows "advice" page to try again or
retype etc.

I did a regular SEARCH (Left menu) for CPXRSYSGUARD and it revealed 3
copies in something called:

[Explorer Icon]
kaka://C:\DocumentsandSettings\Alan\LocalSettings\AppData\ubqllk\cpxrsysguard.exe/alert.htm
and in Explorer]kaka://C:\ SAME
.exe/mtmlMain.htm
and Explorer] kaka://C:\ SAME .exe/netalert.htm

I deleted these directly from SEARCH but all to no avail.
I can't get IE8 to bring up any webpage. I tried my OUTLOOK thru the same
connection and went to Newsgroups just fine..but no internet.

I found more similar copies/pieces of this thing in odd places in my
Registry so I ran a Registry Scan With REG Cleaner WINASO Ver 3.0
I ve run it before with no problems. All the pieces I could find, in
Registry, I removed. It did also find another piece of EVIL in
C:/Windows/Temp/ named 3812937264.exe which may have been the start of all
this. It was removed also but still no luck.

Everything LOOKS ok and seems to RUN OK, but cannot get IE8 to go online.

I figured WTH, and went to SYSTEM RESTORE.. I tried 4 "restores" going back
Dec 12, 10 8 and Nov 25..No luck, simply:

Computer CANNOT be restored to...the various dates..

I just recently U/G to IE8 from IE6. It seems that this significantly
SLOWED my USENET /newsgroups responses but I may be dreaming.

Any advice on how to try and get this problem fixed would be much
appreciated...I ve been at it for 4+ hours now

 

[Rudy]

Tonite, I Contracted 39 versions of what SuperAntiSpyware calls:
ROGUE.AGENT/GEN in my Registry
HKUS\S-1-5-21 (see below) etc (in 39 different file endings) and
TROJAN.AGENT/GEN-FakeSpy[Broad] 3 copies
1. in
HKUS\S-1-5-21-2952124706-32014773-2762605872-1007Software\Microsoft\Windows\CurrentVersion\Run(jdfecxfs-
C:\Documents and Settings\Alan\Local Settings\Application
Data\ubqllk\cpxrsysguard.exe and

The other two in C:\ Doc Settings\Alan\Local Settings\Application Data
where
it again opened a Folder named UBQLLK and inserted 2 copies of
CPXRSYSGUARD.EXE

It began opening copy after copy of its version of an Anti Virus etc
demanding that I let it search and fix my problems.
At the same time, it was busy repeatedly opening WEBPAGES: VIAGRA.COM,
PORNO.COM and ADULTSEX (or something) .com

** I'm running AVG free Ver 8.5 and SuperAntiSpyware** but neither saw
this thing coming.
My SecurityCenter settings said that my AV wasn't working (It looked like
this thing shut down AVG) while this thing did its 70+ attempts to start
and
run while I tried to stop it. I managed to get SuperAntiSpyware up and
running and it finally found all the above after fighting with the JUNK
for
an hour..

Once finished, I got SAS to quarantine all those entries (42) and
restarted. I found a STARTUP line in MSCONFIG/startup for CPRXSYSGUARD so
I
unchecked that and restarted in SAFE MODE. I then ran a full AVG scan
which
found nothing. I restarted again but was unable to get IE8 to go to my
HOME website. I
tried several sites, no luck, just Windows "advice" page to try again or
retype, etc.

I did a regular SEARCH (Left menu) for CPXRSYSGUARD and it revealed 3
copies in something called:

[Explorer Icon]
kaka://C:\DocumentsandSettings\Alan\LocalSettings\AppData\ubqllk\cpxrsysguard.exe/alert.htm
and in Explorer]kaka://C:\ SAME
.exe/mtmlMain.htm
and Explorer] kaka://C:\ SAME .exe/netalert.htm

I deleted these directly from SEARCH but all to no avail.
I can't get IE8 to bring up any web page. I tried my OUTLOOK thru the
same
connection and went to Newsgroups just fine..but no internet.

I found more similar copies/pieces of this thing in odd places in my
Registry so I ran a Registry Scan With REG Cleaner WINASO Ver 3.0
I've run it before with no problems. All the pieces I could find, in
Registry, I removed. It did also find another piece of EVIL in
C:/Windows/Temp/ named 3812937264.exe which may have been the start of
all
this. It was removed also but still no luck.

Everything LOOKS ok and seems to RUN OK, but cannot get IE8 to go online.
I figured WTH, and went to SYSTEM RESTORE.. I tried 4 "restores" going
back
Dec 12, 10 8 and Nov 25..No luck, simply:
"Computer CANNOT be restored to.." the various dates..
Any advice on how to try and get this problem fixed would be much
appreciated...I've been at it for 4+ hours now

Two suggestions:

- Open Internet Options, Connections tab, click "Lan Settings" button,
deselect all.<

THAT DID IT ELMO !
Under LAN Settings, somehow the USE PROXY SERVER box had become "Checked"
I "unchecked" that box and IE8 seems to be connecting fine now.

I Updated SuperAntiSpyware, MalWareBytes and AVG and ran them all for a
FULL SCAN. No traces of anything amiss turned up.
I did a couple of thorough searches for the EVIL "CPXRSYSGUARD.EXE" and no
trace found.

- To get control before any Rootkit or other malware, burn BitDefender,

or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.<

So, do you think I need to do this BIT DEFENDER portion of your "cure" ?

How about the fact that SYSTEM RESTORE wouldn't work (trying 4 different
"dates") last night ?

Is there a way to check and see if its back "working" without actually
'restoring' back to a prior date ?
Should I try to RESTORE again anyway ? If so, would I try One of the 4
dates that wouldnt work, or one prior to those ?

THANKS VERY MUCH for your help so far !
R

 

[Elmo]

Tonite, I Contracted 39 versions of what SuperAntiSpyware calls:
ROGUE.AGENT/GEN in my Registry
HKUS\S-1-5-21 (see below) etc (in 39 different file endings) and
TROJAN.AGENT/GEN-FakeSpy[Broad] 3 copies
1. in
HKUS\S-1-5-21-2952124706-32014773-2762605872-1007Software\Microsoft\Windows\CurrentVersion\Run(jdfecxfs-
C:\Documents and Settings\Alan\Local Settings\Application
Data\ubqllk\cpxrsysguard.exe and

The other two in C:\ Doc Settings\Alan\Local Settings\Application Data
where
it again opened a Folder named UBQLLK and inserted 2 copies of
CPXRSYSGUARD.EXE

It began opening copy after copy of its version of an Anti Virus etc
demanding that I let it search and fix my problems.
At the same time, it was busy repeatedly opening WEBPAGES: VIAGRA.COM,
PORNO.COM and ADULTSEX (or something) .com

** I'm running AVG free Ver 8.5 and SuperAntiSpyware** but neither saw
this thing coming.
My SecurityCenter settings said that my AV wasn't working (It looked like
this thing shut down AVG) while this thing did its 70+ attempts to start
and
run while I tried to stop it. I managed to get SuperAntiSpyware up and
running and it finally found all the above after fighting with the JUNK
for
an hour..

Once finished, I got SAS to quarantine all those entries (42) and
restarted. I found a STARTUP line in MSCONFIG/startup for CPRXSYSGUARD so
I
unchecked that and restarted in SAFE MODE. I then ran a full AVG scan
which
found nothing. I restarted again but was unable to get IE8 to go to my
HOME website. I
tried several sites, no luck, just Windows "advice" page to try again or
retype, etc.

I did a regular SEARCH (Left menu) for CPXRSYSGUARD and it revealed 3
copies in something called:

[Explorer Icon]
kaka://C:\DocumentsandSettings\Alan\LocalSettings\AppData\ubqllk\cpxrsysguard.exe/alert.htm
and in Explorer]kaka://C:\ SAME
.exe/mtmlMain.htm
and Explorer] kaka://C:\ SAME .exe/netalert.htm

I deleted these directly from SEARCH but all to no avail.
I can't get IE8 to bring up any web page. I tried my OUTLOOK thru the
same
connection and went to Newsgroups just fine..but no internet.

I found more similar copies/pieces of this thing in odd places in my
Registry so I ran a Registry Scan With REG Cleaner WINASO Ver 3.0
I've run it before with no problems. All the pieces I could find, in
Registry, I removed. It did also find another piece of EVIL in
C:/Windows/Temp/ named 3812937264.exe which may have been the start of
all
this. It was removed also but still no luck.

Everything LOOKS ok and seems to RUN OK, but cannot get IE8 to go online.
I figured WTH, and went to SYSTEM RESTORE.. I tried 4 "restores" going
back
Dec 12, 10 8 and Nov 25..No luck, simply:
"Computer CANNOT be restored to.." the various dates..
Any advice on how to try and get this problem fixed would be much
appreciated...I've been at it for 4+ hours now

Two suggestions:

- Open Internet Options, Connections tab, click "Lan Settings" button,
deselect all.<

THAT DID IT ELMO !
Under LAN Settings, somehow the USE PROXY SERVER box had become "Checked"
I "unchecked" that box and IE8 seems to be connecting fine now.

That's great news!

I Updated SuperAntiSpyware, MalWareBytes and AVG and ran them all for a
FULL SCAN. No traces of anything amiss turned up.
I did a couple of thorough searches for the EVIL "CPXRSYSGUARD.EXE" and no
trace found.

or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.<

So, do you think I need to do this BIT DEFENDER portion of your "cure" ?

If you think there's a problem, that's the way around it. If not, save
the CD to use on friends' computers.

How about the fact that SYSTEM RESTORE wouldn't work (trying 4 different
"dates") last night ?

SR won't get you around malware; you would think it would go back to a
good registry, but the malware is too smart for that easy cure. The
restore points are probably all bad now.

Is there a way to check and see if it's back "working" without actually
'restoring' back to a prior date ?
Should I try to RESTORE again anyway ? If so, would I try One of the 4
dates that wouldn't work, or one prior to those ?

THANKS VERY MUCH for your help so far !
R

You can do that as a test, if you want. If you've removed ALL the
corrupted files, there's no reference in an old registry entry to an
existing file.. right?

 

[Rudy]

That's great news!

I don't "think" there are any problems now.

good registry, but the malware is too smart for that easy cure. The
restore points are probably all bad now.

I assumed that as well. After 2 days of several SAFE MODE runs of SAS,
MalwareBytes, AVG and WINASO Reg Cleaner, my system seems to come up CLEAN,
Joe.

Following advice that said to shut down SYS RES, prior to the SAFEMODE runs,
I did that and when clicking APPLY, I was told that would dump ALL the OLD
SYSREST points. Since they didnt seem to work anyway, I let er rip and
dumped them all. After the 3 (X3)CLEAN scans in SAFEMODE, I set a NEW
System Restore point and all seems well so far for the last 2 days.

THX for all your help

R