[RESOLVED] Fake Microsoft System Error Message

#1 Steve123 (Junior Member)

    Help!

    When starting up in XP, the startup interrupts and I get a popup that looks like it's a Microsoft system error message, but it's fake. It is the only application in Task Manager, which calls it "XLG Security Center." The popup message has the Microsoft security shield and reads:

    1st Line: Warning!

    2nd Line: System error! Status: critical

3rd Line: Attention! Suspicion of external intrucsion into the system. It is necessary to perform all recommendations of security center immediately. Your Windows requires an immediate elimination of system errors.

    There is a button labeled "OK"

    If I press the OK button, I get a large popup window that seems to be scanning my system, but many of the buttons on it are fake.

    The window also contains a copy of the MS security shield, but this time with the words "XL Guarder" on it.

    The box is captioned "XLG Security Center" and has 4 sections:

    1. Alerts - Fake
    2. Automatic Updating with an "Update License" button
    3. System Scanner, which flashes: "1159 dangerous files and privacy violations." There are two buttons - "Fix Now" and "Silent Mode."
    4. Other Security Settings - Fake

    There is a separate area in the left margin of the box which flashes:

    Virus Menace Level: High
    Privacy Menace Level: High
    System Crash Risk: High
    Internet Connection: Security

    If I stop it through Task Manager, the system just sits idle and does not continue to boot up.


#2 VopThis (Senior Member, Canada)
    Couldn't locate any solid research matching your descriptions. A HijackThis LOG might prove helpful (possibly showing badware/infected file candidates), if that is possible. Also, if possible:

    Let us see/review what is loaded on your PC:
    • Run HijackThis and Click Open the Misc Tools section button.
    • Then click the Open Uninstall Manager… button.
    • Click the Save list… button. Save uninstall_list to your desktop.

    • Open the Uninstall list file and post in your next reply, please.
    Meanwhile,

    * Please download Malwarebytes' Anti-Malware from HERE or HERE

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, initially select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart (see Extra Note).
    • A run log is automatically saved by MBAM and can be viewed by clicking the Logs TAB in MBAM.
    • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

    Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#3 Steve123 (Junior Member)
Thank you. Not too encouraging to hear that you couldn't find anything matching my descriptions, but I will definitely try your suggestions as soon as I get home. Unfortunately, the popup prevents Windows from booting up completely. I can, however, boot up in safe mode. So, I seem to have two choices:

    1. Run HijackThis and Malwarebytes in Safe Mode and print the logs. Just wanted to be sure that the logs will be reliable if the software is run in safe mode.

    2. Run HijackThis and Malwarebytes through Task Manager before Windows completes the boot-up. My only question is whether I can print the log through Task Master.

Also, I loaded several spyware and virus protection programs trying to identify this. Should I get rid of any of them before running HijackThis or Malwarebytes?

    I usually run Avanquest's System Suite 8 Professional, but trying to fix this problem, I also loaded McAfee. I have since tried to uninstall McAfee, but I seem to be having trouble getting rid of it.

    I also installed the following Freeware:
    HiJackThis
    CCleaner
    Ad-Aware
    AVG
    Avira
    Avast
    Spybot
    Spyware Blaster

    Thanks for your help

#4 VopThis (Senior Member, Canada)
    AVG
    Avira
    Avast
Running multiple antivirus tools at the same time will make a bad situation even worse. Uninstall all but one such tool and reboot before proceeding.

    Option 1 is probably your only viable option. Not much can be achieved while a PC is preoccupied with bootup logistics and ongoing interference difficulties.

#5 Steve123 (Junior Member)
    This is the HiJackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:00:48, on 7/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: McAfee Application Installer Cleanup (0307811216324453) (0307811216324453mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\030781~1.EXE (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
    O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 2868 bytes
    This is the HiJackThis Uninstall Manager List:

    1Click DVD Copy 4.2.1.5
    1Click DVD Copy Pro 2.3.1.6
    Across Lite 2.0
    Ad-Aware
    Adobe Flash Player ActiveX
    Adobe Reader 8.1.2
    Adobe Shockwave Player
    Adobe® Photoshop® Album Starter Edition 3.0
    ASUSDVD
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    ATK0100 ACPI UTILITY
    Bluetooth Stack for Windows by Toshiba
    CCleaner (remove only)
    Comcast Rhapsody
    CopyToDVD
    Dr Watson for Microsoft Windows OneCare Live v1.1.1067.14
    Drivers Install For Linksys Easylink Advisor
    DVD43 v3.9.0
    Google Earth
    Google Toolbar for Internet Explorer
    Google Toolbar for Internet Explorer
    HDAUDIO SoftV92 Data Fax Modem with SmartCP
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB935448)
    HP Customer Participation Program 7.0
    HP Driver Diagnostics
    HP Imaging Device Functions 7.0
    HP Photosmart Premier Software 6.5
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Solution Center 7.0
    HP Update
    Intel(R) PROSet/Wireless Software
    iPod for Windows 2006-01-10
    iTunes
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Linksys Dual Band Wireless-N Notebook Adapter
    Linksys EasyLink Advisor 1.6 (0040)
    Mavis Beacon Teaches Typing 9.0.0
    mCore
    mDriver
    mHelp
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Office Standard Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    mIWA
    mIWCA
    mMHouse
    MovieStar
    mPfMgr
    mPfWiz
    mProSafe
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 Parser and SDK
    mWlsSafe
    mXML
    mZConfig
    Nero OEM
    NETGEAR 108 Mbps Wireless PC Card WG511T
    OCR Software by I.R.I.S 7.0
    Power4 Gear

    I will try Malwarebytes and rerun the HiJackThis Log

    Steve

#6 Steve123 (Junior Member)
    I ran malwarebytes and this is the log:

    Malwarebytes' Anti-Malware 1.20
    Database version: 965
    Windows 5.1.2600 Service Pack 2

    7:11:28 PM 7/18/2008
    mbam-log-7-18-2008 (19-11-28).txt

    Scan type: Quick Scan
    Objects scanned: 44546
    Time elapsed: 4 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\iebho.tieadvbho (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Steven Friedman\Desktop\acl2setup.exe (Adware.Agent) -> Quarantined and deleted successfully.
    This is the new HiJackThis Log for the scan that I ran after the Malwarebytes scan

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:15:00, on 7/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: McAfee Application Installer Cleanup (0307811216324453) (0307811216324453mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\030781~1.EXE (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
    O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 2901 bytes
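
The two HijackThis logs in posts #5 and #6 are the raw material the helper is reading by eye: O4 run keys and O23 services, with "Unknown owner", "(file missing)" and Temp-folder paths being the usual things to look at first. The following is an added triage script, written for this page rather than taken from the thread, HijackThis or any vendor tool. It parses O4 and O23 lines in the format shown above and attaches heuristic flags; the sample log embedded in it is constructed from a few lines of the posted logs, and the flag rules are assumptions about what is worth a second look, not a verdict that an entry is malicious (the flagged McAfee entries, for example, are consistent with the half-removed McAfee install described later in the thread).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines in the shape of the HijackThis v2.0.2
# logs posted in this thread. Not the complete log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O23 - Service: McAfee Application Installer Cleanup (0307811216324453) (0307811216324453mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\030781~1.EXE (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
"""

# O23 body: "Service: <display name> (<service name>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 body: "HKCU\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$"
)
# Heuristic (assumed) list of directories a service or run key rarely needs to live in.
SUSPICIOUS_DIR_RE = re.compile(r"\\(temp|recycler|local settings)\\", re.I)


@dataclass
class Finding:
    section: str          # "O4" or "O23"
    name: str             # run-key label or service display name
    path: str             # executable path as written in the log
    flags: list = field(default_factory=list)


def _command_path(cmd: str) -> str:
    """Pull the executable out of a run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _flags(path: str, owner: str = "", missing: bool = False) -> list:
    flags = []
    if missing:
        flags.append("file missing")          # stale service or a deleted payload
    if owner == "Unknown owner":
        flags.append("unknown owner")         # binary carries no recognised company name
    if SUSPICIOUS_DIR_RE.search(path):
        flags.append("runs from temp/profile path")
    return flags


def triage(log_text: str) -> list:
    """Return one Finding per O4 run key and O23 service; other sections are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not re.match(r"^O\d+ - ", line):
            continue
        section, body = line.split(" - ", 1)
        if section == "O23":
            m = O23_RE.match(body)
            if m:
                findings.append(Finding(
                    "O23", m["name"], m["path"],
                    _flags(m["path"], m["owner"], bool(m["missing"])),
                ))
        elif section == "O4":
            m = O4_RE.match(body)
            if m:
                path = _command_path(m["cmd"])
                label = f"{m['hive']}\\..\\{m['key']}: [{m['label']}]"
                findings.append(Finding("O4", label, path, _flags(path)))
    return findings


def flagged(log_text: str) -> list:
    """Only the entries that tripped at least one heuristic."""
    return [f for f in triage(log_text) if f.flags]


if __name__ == "__main__":
    for f in flagged(SAMPLE_LOG):
        print(f"{f.section}  {f.name}\n      {f.path}\n      -> {', '.join(f.flags)}")
```

Run it against the full posted log by replacing SAMPLE_LOG with the file contents. On the constructed sample it reports the two McAfee services and nothing else: the Temp-folder cleanup service trips all three rules, McShield trips "file missing" and "unknown owner", and the Ad-Aware service and both run keys pass clean. A flag is only a prompt to check the path on disk and the vendor's uninstaller, which is exactly what the rest of the thread ends up doing by hand.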

#7 VopThis (Senior Member, Canada)
Did you try running in NORMAL MODE since the latest scans? Also, you should run a complete MBAM scan.

I see that McAfee seems to have just appeared after you had gone through many other similar tools. Your issues are likely not mostly antivirus related, and it is not likely to be particularly helpful to keep trying additional tools without knowing exactly what the remaining issues may be.

    Be careful to run Networking in SAFE MODE only for the minimum amount of time necessary because most security features are practically non-existent in that mode and present the possibility for serious additional infection.

#8 Steve123 (Junior Member)
    I tried to run in normal mode, but still get the same popup and can't get Windows to complete loading.

As I was waiting, I was trying to update Java to be able to run a Kaspersky online scan, but couldn't delete the old Java in Safe Mode. The Java website gave instructions on how to do that through regedit. While I was there, I happened to see a registry entry that contained the term "XL Guarder". That's the exact same term that appears on the bogus security center popup.

    I will run a full malwarebytes scan. I assume you want the same info again.

Also, I wanted to try to send you a copy of the popup. I can copy it with Print Screen and can paste it into WordPerfect, but don't know how to paste it into my reply.

I can't seem to get rid of McAfee. I am trying to run only one antivirus (Avanquest). By the way, I did start running the Kaspersky online scan. Should I stop it?

    Thanks again

#9 Steve123 (Junior Member)
    If it makes a difference, the threats found by Kaspersky at 84% are:
    Not-a-virus: RiskToolWin32.reboot.f in SmitfraudFix\Reboot.exe
    Trojan-Downloader.Java.OpenConnection.ap in VCOM\???
    Not-a-virus: RiskToolWin32.reboot.f in SmitfraudFix\Reboot.exe
    Not-a-virus: RiskToolWin32.reboot.f in SmitfraudFix.exe
    Not-a-virus: FraudToolWin32.spynomore.f in spynomore\snm.exe
    Not-a-virus: RiskToolWin32.reboot.f in c:\recylcler\s-1-5-21-2461602610-4104963797-2903605835-500\???
    Not-a-virus: RiskToolWin32.reboot.f in c:\recylcler\s-1-5-21-2461602610-4104963797-2903605835-500\???
    Not-a-virus: FraudToolWin32.spynomore.f in VCOM\MXCYCLE\00172084

#10 Steve123 (Junior Member)
    Update-

Kaspersky stopped before it completed.

    I'm Running Malwarebytes full scan - but not in safe mode. Still getting the popup and can't get Windows to load. I am running everything through Task Manager.

    I still can't do anything about getting rid of McAfee. I don't know how to get into Control Panel using Task Manager.

    Steve
