Author Topic: help i got infected  (Read 13957 times)


chargers

  • Guest
Re: help i got infected
« Reply #15 on: September 26, 2008, 01:31:28 AM »
Well DavidR, I have it quarantined in DrWeb CureIt's quarantine; does that mean that I have removed it from my computer? And no, when I go back to my startup programs it's still unchecked. But yes, it has been identified as malicious, 'cause I googled it and this is what it said it is: "XLG Security Center, also known as XLG SecurityCenter or XL Guarder, is a rogue anti-spyware program. XLG Security Center may have entered your system through manual means or through a trojan-infected video codec, usually bundled with the Trojan Zlob, found on adult websites."

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: help i got infected
« Reply #16 on: September 26, 2008, 01:48:36 AM »
In quarantine is a good short-term solution, but as it has been pretty much confirmed as a part of the XLG it could be deleted from the quarantine. I'm surprised that DrWeb CureIt didn't remove the msconfig entry when it moved the file.

Use HijackThis to fix/remove the redundant entry line.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

chargers

  • Guest
Re: help i got infected
« Reply #17 on: September 26, 2008, 01:56:09 AM »
So just go into DrWeb and remove it? And see DavidR, here's a screenshot of my startup programs, it's still there... Is HijackThis free? And is it easy to uninstall after I'm done, 'cause I read on CNET that it leaves bits and pieces everywhere.
« Last Edit: September 26, 2008, 01:57:44 AM by charger »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: help i got infected
« Reply #18 on: September 26, 2008, 02:17:28 AM »
As I said before, the entry is inert as it isn't checked, the same as the others that have been unchecked. The registry entry is there but not active, and even if it were active, if there is no file in the location it would still be inert as it couldn't run.

We aren't in the habit of recommending paid options for clean-up, etc.
Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.

chargers

  • Guest
Re: help i got infected
« Reply #19 on: September 26, 2008, 02:31:18 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:28 PM, on 9/25/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: (no name) - {1f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdcserv.exe
O23 - Service: lxdc_device -   - C:\Windows\system32\lxdccoms.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6123 bytes

CharleyO

  • Guest
Re: help i got infected
« Reply #20 on: September 26, 2008, 07:50:37 AM »
***

This one ...

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

... belongs to the Yahoo Companion Software application. (Yahoo! Companion for Internet Explorer Browser Extension) http://www.fileresearchcenter.com/Y/YT.DLL-2172.html
Are you still using this?

This one ...

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

... belongs to SiteAdvisor. http://www.castlecops.com/tk28217-SiteAdv_dll_saIE_dll.html
Do you still use this?

This one ...

O3 - Toolbar: (no name) - {1f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - (no file)

... no results were found, so I would be suspicious of this one.

Otherwise, I see nothing worth mentioning. But, I am not an expert on HJT logs.

Please wait for someone else to give a second opinion before making any changes.


***
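The checks CharleyO does by hand above (add-ons registered against "(no file)", unnamed toolbars) and DavidR's point earlier in the thread (a Run entry whose file is gone is inert but still worth cleaning up) can be scripted. The block below is an added example written for this thread; it is not code from the thread, from HijackThis or from any of the posters. It parses a few constructed log lines modelled on the posted HJT v2 log and flags the patterns discussed: O2/O3 entries with no file on disk, O4 startup entries whose target is missing, and O23 services with no owner string. The `tipguard` O4 line and its path are constructed (the thread only says such an msconfig entry existed), and the "disk" is a constructed set of paths passed in as a callback so the example runs offline.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    name: str      # entry name or CLSID as HJT prints it
    reason: str    # why the line was flagged


# Line shapes of the HJT v2 sections used below (only the fields we need are captured).
_BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
_TOOLBAR_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
_RUN_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def executable_from_command(cmd: str) -> str:
    """Return the program path from a Run-key command line.

    Handles a quoted path followed by switches ("C:\\a b\\x.exe" /startup) and a
    bare path followed by arguments (C:\\x.exe -flag, rundll32.exe foo.dll,Entry).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(?P<exe>.*?\.(?:exe|com|scr|bat|cmd|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd.split(" ")[0]


def triage_hjt_log(lines: Iterable[str], file_exists: Callable[[str], bool]) -> List[Finding]:
    """Walk HJT log lines and return the entries a reviewer would look at first."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = _BHO_RE.match(line) or _TOOLBAR_RE.match(line)
        if m:
            section = line[:2]
            if m.group("path") == "(no file)":
                findings.append(Finding(section, m.group("clsid"),
                    "orphaned COM registration: no DLL on disk, so it cannot load; safe to remove"))
            elif m.group("name") == "(no name)":
                findings.append(Finding(section, m.group("clsid"),
                    "unnamed add-on backed by a file: identify the vendor before trusting it"))
            continue
        m = _RUN_RE.match(line)
        if m:
            exe = executable_from_command(m.group("cmd"))
            # Bare names (RtHDVCpl.exe, rundll32.exe) resolve through the search
            # path at run time, so an offline existence check would be misleading.
            if ("\\" in exe or "/" in exe) and not file_exists(exe):
                findings.append(Finding("O4", m.group("name"),
                    f"startup entry points at a missing file ({exe}): inert, but remove the stale entry"))
            continue
        m = _SERVICE_RE.match(line)
        if m:
            owner = m.group("owner").strip()
            if not owner or owner.lower() == "unknown owner":
                findings.append(Finding("O23", m.group("name"),
                    "service with no vendor/owner string: confirm the binary belongs to installed software"))
    return findings


# Constructed sample lines in HJT v2 format, modelled on the log in the thread.
# The [tipguard] line and its path are constructed for illustration.
SAMPLE_LOG_LINES = [
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll",
    r"O3 - Toolbar: (no name) - {1f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - (no file)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r'O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup',
    r"O4 - HKLM\..\Run: [tipguard] C:\Windows\system32\tipguard.exe",
    r"O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe",
    r"O23 - Service: lxdc_device -   - C:\Windows\system32\lxdccoms.exe",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
]

# Constructed stand-in for the disk: the only paths that "exist" in this example.
PRESENT_FILES = {
    r"C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"C:\Program Files\Acer Registration\ACE1.exe",
}


def triage_sample() -> List[Finding]:
    """Run the triage over the constructed sample with the constructed disk."""
    return triage_hjt_log(SAMPLE_LOG_LINES, lambda p: p in PRESENT_FILES)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.section:<4}{f.name}: {f.reason}")
```

On a real log you would pass `os.path.exists` as the second argument and feed the file's lines in; the output is a shortlist to look up, not a verdict, which matches how the posters above treat it.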

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: help i got infected
« Reply #21 on: September 26, 2008, 03:37:32 PM »
Other than what CharleyO has posted I don't see anything obvious.

I don't see an entry for tipguard.exe either, which is strange; I would have thought the msconfig entries would appear in the log.

However, I don't see an active third party firewall either.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

- There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: help i got infected
« Reply #22 on: September 26, 2008, 03:57:41 PM »
Hi charger,

Your system seems clean of harmful software. But we could not detect an active firewall.

Overview of running tasks:

taskeng.exe (System task): Task Scheduler Engine
Dwm.exe (Background task): Desktop Window Manager
Explorer.EXE (System task): Microsoft Windows Explorer
RtHDVCpl.exe (System task): High definition audio codec driver from Realtek Semiconductor
sm56hlpr.exe (Background task): SM56 modem drivers
eDSLoader.exe (Background task): Launcher
ashDisp.exe (Virus scan): Avast AntiVirus
WinPatrol.exe (Security software): WinPatrol
MOM.EXE (Driver): Catalyst Control Center: Monitoring program
ehtray.exe (Background task): Microsoft Media Center Tray Icon
wmpnscfg.exe (Background task): Windows Media Player Network Sharing Service Confi
ehmsas.exe (Background task): Microsoft Media Center State Aggregator Service
ERAGENT.EXE (Background task): eRecovery agent
mobsync.exe (System task): Microsoft Synchronization Manager
CCC.exe (Background task): Catalyst Control Centre: Host application
SpywareTerminatorShield.exe (Anti ad/spyware software): Spyware Terminator Realtime Shield
SearchFilterHost.exe (System task): Microsoft® Windows® Operating System
HijackThis.exe (Application): Merijn HijackThis

 
polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Spiritsongs

  • Guest
Re: help i got infected
« Reply #23 on: September 26, 2008, 07:27:25 PM »
:) Hi all:

"Charger" posted a similar request for help on another forum where I recommended going to the Support Forums at Aumha for assistance from "Microsoft Most Valuable Professionals" who will probably employ the use of deeper analytical "tools" such as Deckard's System Scanner, Combofix, etc., best used under the supervision of such Experts.

chargers

  • Guest
Re: help i got infected
« Reply #24 on: September 26, 2008, 09:06:49 PM »
Thank you guys so very much. I've got one other question: the Windows firewall isn't good enough? I should get a third party firewall? And when I do, does the Windows firewall turn off or do I have to shut it off? Once again, thanks guys.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: help i got infected
« Reply #25 on: September 26, 2008, 09:35:00 PM »
Thank you guys so very much. I've got one other question: the Windows firewall isn't good enough? I should get a third party firewall? And when I do, does the Windows firewall turn off or do I have to shut it off? Once again, thanks guys.
If you want outbound protection and use a 3rd party firewall (like Comodo, PCTools, OnlineArmor, etc.), disable Windows firewall.
The best things in life are free.

bunk

  • Guest
Re: help i got infected
« Reply #26 on: September 26, 2008, 09:38:12 PM »
I like / use Zone Alarm, but use older versions than the current ones available... I keep hearing the newer ones are not as good for various reasons...

You can see here: http://www.oldapps.com/old_version_download_ZoneAlarm.php for older versions that work well  ;D
« Last Edit: September 26, 2008, 09:40:26 PM by bunk »