Avast WEBforum

Other => General Topics => Topic started by: chargers on September 23, 2008, 08:26:56 PM

Title: help i got infected
Post by: chargers on September 23, 2008, 08:26:56 PM
xlg is on my computer. Can anyone please help me remove it?
Title: Re: help i got infected
Post by: CharleyO on September 23, 2008, 08:54:07 PM
***

You have been here long enough to know we need more information.

Where was it found on your computer? (file name)


***
Title: Re: help i got infected
Post by: Lisandro on September 23, 2008, 10:53:19 PM
With the little information you've provided, I can only suggest the general cleaning procedure...

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use SUPERantispyware (http://www.superantispyware.com), MBAM (http://malwarebytes.org/mbam.php) or Spyware Terminator (http://www.spywareterminator.com/) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or on this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
6. Disable System Restore and then re-enable it.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
Title: Re: help i got infected
Post by: Marc57 on September 23, 2008, 11:06:16 PM
Is this what you're talking about?

http://www.bleepingcomputer.com/malware-removal/remove-xlg-security-center

If so, it also has instructions on removal.


If that doesn't work, here's a site with Manual Removal Instructions.

http://www.removal-instructions.com/removeXLGSecurityCenter.html
Title: Re: help i got infected
Post by: chargers on September 24, 2008, 05:55:52 AM
Yes, that's it, Marc57.
Title: Re: help i got infected
Post by: chargers on September 24, 2008, 10:26:44 PM
At first, when I restarted my computer, instead of getting my desktop I would get a black screen, and in the middle of the screen would be the XLG Security Center telling me that I was infected with like 10 different viruses. I took some advice from you guys and downloaded DrWeb CureIt; it found 2 and I quarantined them. I did the avast boot-time scan with archive scanning turned on and that found nothing. I also did a scan with MBAM and that found nothing. I did a SUPERantispyware scan as well and that found just what they call adware. What I'm trying to get at is that I think DrWeb CureIt found the XLG virus, because now when I restart my computer I no longer get that black screen with XLG telling me that I have a virus; my computer starts up normally now. Have I removed it? And if I did, why, when I go to msconfig on the startup tab, do I still see tipguard.exe? I unchecked it.
Title: Re: help i got infected
Post by: DavidR on September 24, 2008, 11:30:21 PM
I assume there is no tipguard.exe file to be found on your system?
http://www.google.co.uk/search?q=tipguard.exe (http://www.google.co.uk/search?q=tipguard.exe)

Or was there a Task Manager entry for tipguard.exe?

If it isn't there, it just looks like DrWeb CureIt didn't clean all the registry entries for the infection.
Title: Re: help i got infected
Post by: chargers on September 24, 2008, 11:37:18 PM
Yes, at first there was an entry in my Task Manager and I ended the process, and now it is no longer there, but when I go to msconfig to my startup programs, tipguard.exe is there.
Title: Re: help i got infected
Post by: DavidR on September 25, 2008, 01:14:55 AM
A startup entry without an associated file is inert, which is why I asked if the file was gone from the original location.

You can use msconfig to remove/delete the entry, not just uncheck it from starting.
Title: Re: help i got infected
Post by: chargers on September 25, 2008, 01:19:43 AM
DrWeb CureIt did find the XLG virus, as you can tell here. This is a screenshot of Windows Defender: I ran a scan and it found one threat, and it found what I have quarantined in DrWeb CureIt. So what should I do? Can someone please help? Should I remove what Windows Defender found or quarantine it as well? I was thinking, if I remove it from Windows Defender, will it remove it from the DrWeb quarantine as well? Or should I delete it from DrWeb and Windows Defender? I'm trying to post the image but it keeps telling me it's too big. I have the virus quarantined in DrWeb and Windows Defender; is that a good thing? Is it better off quarantined than removed?
Title: Re: help i got infected
Post by: DavidR on September 25, 2008, 01:40:31 AM
Since we don't know what Windows Defender found, we can't give any advice on what to do.

We thrive on information and without it we are pretty much guessing and that really is a waste of time for all concerned.

Windows and DrWeb quarantines are separate and independent of each other; the whole point of a quarantine is that other things can't work inside it, otherwise it is of no use.
Title: Re: help i got infected
Post by: chargers on September 25, 2008, 01:59:24 AM
Here it is... I have the virus quarantined in DrWeb and Windows Defender. Is that a good thing? Is it better off quarantined than removed?
Title: Re: help i got infected
Post by: chargers on September 25, 2008, 03:37:09 AM
DavidR, how can I delete it from my startup?
Title: Re: help i got infected
Post by: wyrmrider on September 25, 2008, 05:59:13 AM
See post 8 from DavidR.
Title: Re: help i got infected
Post by: DavidR on September 25, 2008, 03:52:51 PM
DavidR, how can I delete it from my startup?

Well, I thought there was an option by right-clicking the entry where you could select delete; however, on checking with XP Pro SP3, that doesn't seem to be available any longer. So I don't know if that is also the case with your OS.

If you uncheck the option it won't try to run it, so that empty/disabled run command would still be there but you wouldn't have to worry about it. Unless you are saying that when you go back to msconfig it is checked again?

If you ran HijackThis, you would see this registry entry and you could completely remove it from there.

There is no rush to delete anything from quarantine, assuming it is as good as the avast chest, but in this case, when we have positively identified the file as malicious, it could also be deleted.

Your image doesn't show anything about tipguard.exe (the whole point in question from your post, reply #5), so I still don't have an answer as to whether you have physically checked your system to ensure it has gone?
Title: Re: help i got infected
Post by: chargers on September 26, 2008, 01:31:28 AM
Well, DavidR, I have it quarantined in DrWeb CureIt's quarantine; does that mean that I have removed it from my computer? And no, when I go back to my startup programs it's still unchecked. But yes, it has been identified as malicious, because I googled it and this is what it said it is: "XLG Security Center, also known as XLG SecurityCenter or XL Guarder, is a rogue anti-spyware program. XLG Security Center may have entered your system through manual means or through a trojan-infected video codec, usually bundled with the Trojan Zlob, found on adult websites."
Title: Re: help i got infected
Post by: DavidR on September 26, 2008, 01:48:36 AM
In quarantine is a good short-term solution, but as it has been pretty much confirmed as a part of the XLG it could be deleted from the quarantine. I'm surprised that DrWeb CureIt didn't remove the msconfig entry when it moved the file.

Use HijackThis to fix/remove the redundant entry line.
Title: Re: help i got infected
Post by: chargers on September 26, 2008, 01:56:09 AM
So just go into DrWeb and remove it? And see, DavidR, here's a screenshot of my startup programs; it's still there... Is HijackThis free? And is it easy to uninstall after I'm done? Because I read on CNET that it leaves bits and pieces everywhere.
Title: Re: help i got infected
Post by: DavidR on September 26, 2008, 02:17:28 AM
As I said before, the entry is inert as it isn't checked, the same as the others that have been unchecked. The registry entry is there but not active, and even if it were active, if there is no file in the location it would still be inert as it couldn't run.

We aren't in the habit of recommending paid options for clean-up, etc.
Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis (http://filehippo.com/download_hijackthis/) and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial (http://www.bleepingcomputer.com/forums/tutorial42.html).
Title: Re: help i got infected
Post by: chargers on September 26, 2008, 02:31:18 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:28 PM, on 9/25/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: (no name) - {1f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdcserv.exe
O23 - Service: lxdc_device -   - C:\Windows\system32\lxdccoms.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6123 bytes
Title: Re: help i got infected
Post by: CharleyO on September 26, 2008, 07:50:37 AM
***

This one ...

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

... belongs to the Yahoo Companion Software application (Yahoo! Companion for Internet Explorer Browser Extension). http://www.fileresearchcenter.com/Y/YT.DLL-2172.html
Are you still using this?

This one ...

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

... belongs to SiteAdvisor. http://www.castlecops.com/tk28217-SiteAdv_dll_saIE_dll.html
Do you still use this?

This one ...

O3 - Toolbar: (no name) - {1f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - (no file)

... no results were found so I would be suspicious of this one.

Otherwise, I see nothing worth mentioning. But, I am not an expert on HJT logs.

Please wait for someone else to give a second opinion before making any changes.


***
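A small triage helper for HijackThis log lines, added here as an example and not code from this thread or from HijackThis itself: it parses O2/O3 (BHO/toolbar) and O4 (Run value) lines in the format posted above, flags CLSID entries that report "(no file)" and Run values whose target file is missing on disk, which is the inert-entry situation DavidR describes. The sample lines are copied from the log above plus one constructed tipguard line with a placeholder path (the thread never gives the real path); the file-existence check is a pluggable function so the example can run against a fake filesystem.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: lines copied from the HijackThis log in this thread, plus one
# made-up O4 line for tipguard.exe with a PLACEHOLDER path so the missing-file check fires.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {1f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKCU\..\Run: [tipguard] C:\PLACEHOLDER_DIR\tipguard.exe
"""

@dataclass
class Finding:
    kind: str            # "O2" (BHO), "O3" (toolbar) or "O4" (Run value)
    name: str            # display name or Run value name
    ident: str           # CLSID for O2/O3, registry hive for O4
    path: Optional[str]  # file the entry points at, if one could be extracted
    status: str          # "orphan", "missing", "present" or "unresolved"

# O2/O3 lines: "<kind> - BHO|Toolbar: <name> - {CLSID} - <path or (no file)>"
_CLSID_LINE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command line>"
_RUN_LINE = re.compile(r"^O4 - (.+?)\\\.\.\\Run: \[(.*?)\] (.*)$")
# First (optionally quoted) token ending in an executable extension; arguments are dropped.
_TARGET = re.compile(r'^"?(.+?\.(?:exe|dll|cpl|scr))"?(?:\s|$)', re.IGNORECASE)

def _status(path: Optional[str], exists: Callable[[str], bool]) -> str:
    if path is None or "\\" not in path:
        return "unresolved"   # bare names are resolved via PATH/System32 by Windows
    return "present" if exists(path) else "missing"

def triage(log_text: str, exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Parse O2/O3/O4 lines and classify each entry by whether its file still exists."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = _CLSID_LINE.match(line)
        if m:
            kind, name, clsid, target = m.groups()
            if target.strip() == "(no file)":
                findings.append(Finding(kind, name, clsid, None, "orphan"))
            else:
                findings.append(Finding(kind, name, clsid, target, _status(target, exists)))
            continue
        m = _RUN_LINE.match(line)
        if m:
            hive, name, command = m.groups()
            t = _TARGET.match(command)
            path = t.group(1) if t else None
            findings.append(Finding("O4", name, hive, path, _status(path, exists)))
    return findings

def suspicious(findings: List[Finding]) -> List[Finding]:
    """Orphaned CLSIDs and Run values whose target is gone: inert, but worth cleaning up."""
    return [f for f in findings if f.status in ("orphan", "missing")]
```

Run `suspicious(triage(SAMPLE_LOG))` to list the three entries a reviewer would look at; on a real log, `triage(open("hijackthis.log").read())` uses the live filesystem check.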
Title: Re: help i got infected
Post by: DavidR on September 26, 2008, 03:37:32 PM
Other than what CharleyO has posted I don't see anything obvious.

I don't see an entry for tipguard.exe either which is strange, I would have thought the msconfig entries would appear in the log.

However, I don't see an active third party firewall either.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

- There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trialware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0 (http://forum.avast.com/index.php?topic=30808.0)
See http://www.matousec.com/projects/firewall-challenge/results.php (http://www.matousec.com/projects/firewall-challenge/results.php).
Title: Re: help i got infected
Post by: polonus on September 26, 2008, 03:57:41 PM
Hi charger,

Your system seems clean of harmful software. But we could not detect an active firewall.

Overview of running tasks:

taskeng.exe - System task - Task Scheduler Engine
Dwm.exe - Background task - Desktop Window Manager
Explorer.EXE - System task - Microsoft Windows Explorer
RtHDVCpl.exe - System task - High definition audio codec driver from Realtek Semiconductor
sm56hlpr.exe - Background task - SM56 modem drivers
eDSLoader.exe - Background task - Launcher
ashDisp.exe - Virus scan - Avast AntiVirus
WinPatrol.exe - Security software - WinPatrol
MOM.EXE - Driver - Catalyst Control Center: Monitoring program
ehtray.exe - Background task - Microsoft Media Center Tray Icon
wmpnscfg.exe - Background task - Windows Media Player Network Sharing Service Configuration
ehmsas.exe - Background task - Microsoft Media Center State Aggregator Service
ERAGENT.EXE - Background task - eRecovery agent
mobsync.exe - System task - Microsoft Synchronization Manager
CCC.exe - Background task - Catalyst Control Centre: Host application
SpywareTerminatorShield.exe - Anti Ad/Spyware software - Spyware Terminator Realtime Shield
SearchFilterHost.exe - System task - Microsoft® Windows® Operating System
HijackThis.exe - Application - Merijn Hijackthis
 
polonus
Title: Re: help i got infected
Post by: Spiritsongs on September 26, 2008, 07:27:25 PM
Hi all :)

"Charger" posted a similar request for help on another forum, where I recommended going to the Support Forums at Aumha for assistance from "Microsoft Most Valuable Professionals", who will probably employ the use of deeper analytical "tools" such as Deckard's System Scanner, Combofix, etc., best used under the supervision of such Experts.
Title: Re: help i got infected
Post by: chargers on September 26, 2008, 09:06:49 PM
Thank you guys so very much. I've got one other question: the Windows firewall isn't good enough? I should get a third-party firewall? And when I do, does the Windows firewall turn off or do I have to shut it off? Once again, thanks guys.
Title: Re: help i got infected
Post by: Lisandro on September 26, 2008, 09:35:00 PM
Thank you guys so very much. I've got one other question: the Windows firewall isn't good enough? I should get a third-party firewall? And when I do, does the Windows firewall turn off or do I have to shut it off? Once again, thanks guys.
If you want outbound protection and use a 3rd party firewall (like Comodo, PCTools, OnlineArmor, etc.), disable Windows firewall.
Title: Re: help i got infected
Post by: bunk on September 26, 2008, 09:38:12 PM
I like/use Zone Alarm, but use older versions than the current ones available... I keep hearing the newer ones are not as good for various reasons...

You can see here: http://www.oldapps.com/old_version_download_ZoneAlarm.php for older versions that work well ;D