Rogue Anti Virus 2009



Rook
May 10th, 2009, 02:52 PM
I got that trojan AV stuff and did the following steps:

1) moved it to the vault with AVG

2) googled the rogue AV, ended the process it has in Task Manager to stop the pop-ups that were happening at the moment.

3) did a system restore to 2 days ago, the pop-ups have stopped and it appears to be ok so far

4) running an AVG scan on slow right now. Cookies from the same site that told me the program's .exe are in the Firefox cookies folder. AVG detects them as a slight warning.


what else would any of you recommend to make sure I'm ok? I really don't wanna reformat my XP installation.

jcap
May 10th, 2009, 02:54 PM
Download the Kaspersky trial and install it, then buy it. It removes that stuff.

Also, download and run Combofix. http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Rook
May 10th, 2009, 02:58 PM
I don't think Kaspersky is necessary, I like AVG. Will download ComboFix and run it after this scan

e/ Also googled the registry data it puts in your system, looked through my registry in regedit and couldn't find any of 'em.

Jelly
May 10th, 2009, 04:52 PM
Combofix really shouldn't be run unless one of the BleepingComputer guys tells you to.

If you're not sure that it's gone, run Hijackthis (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) and post the logfile here. It should tell us if you have any signatures of the malware remaining.

Another good standalone scanner you can also run is MalwareBytes Antimalware (http://www.malwarebytes.org/).

Maniac
May 10th, 2009, 05:00 PM
^ this.
get MalwareBytes

if the installer does not run (a lot of malware will stop the install of mbam.exe) then rename it to rook.scr and run it.
If Malwarebytes will not update, then ask and I'll upload the new definitions for you.

http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009

Rook
May 10th, 2009, 11:51 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:20 PM, on 5/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\microsoft games\Halo\halo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivguardian.com
O1 - Hosts: 94.232.248.66 www.antivguardian.com (http://www.antivguardian.com)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7536 bytes


here yah go.

Maniac
May 10th, 2009, 11:53 PM
did you run malwarebytes?
did it remove anything?

Jelly
May 11th, 2009, 05:57 AM
Ok, the following three lines:

O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivguardian.com
O1 - Hosts: 94.232.248.66 www,antivguardian,com

Mean that your HOSTS file has been modified to redirect you from those sites to those IP addresses. Tick them in Hijackthis, then choose Fix Selected.

DO NOT TICK the entry above those: "O1 - Hosts: ::1 localhost," this entry is a required part of your HOSTS file.

Those are the only entries I can see in that log, but if you have any more problems, I'll take another look.
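The check Jelly describes above, written out as a small audit script. This is an added example, not code from the thread or from HijackThis: it parses a Windows HOSTS file, keeps the normal `::1 localhost` and `127.0.0.1 localhost` entries, flags any hostname pointed at a non-loopback address as a redirect, and additionally flags security-vendor names pinned to loopback (a common way to stop an AV from updating). The sample file contents, the `WATCHED_SUFFIXES` list and the file path in the comments are all constructed assumptions, chosen to mirror the O1 lines in Rook's log.

```python
"""Audit a Windows HOSTS file for hijack-style redirects.

Added example (not from the thread). On XP the file lives at
C:\\WINDOWS\\system32\\drivers\\etc\\hosts; here a constructed copy is
embedded so the script runs offline.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample mirroring the O1 entries in the HijackThis log above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
94.232.248.66   browser-security.microsoft.com
94.232.248.66   antivguardian.com
94.232.248.66   www.antivguardian.com   # appended by the rogue AV
"""

# Assumption: an illustrative list of vendor domains. Pinning one of these
# to loopback blackholes the vendor's updates, which is itself suspicious.
WATCHED_SUFFIXES = ("microsoft.com", "avg.com", "malwarebytes.org", "kaspersky.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments and blank lines are skipped.
    One line may list several hostnames after a single address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything else or garbage."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Classify every entry as (verdict, ip, hostname), where verdict is
    'ok', 'redirect' (non-loopback target) or 'blackholed-vendor'."""
    findings = []
    for ip, name in parse_hosts(text):
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if not is_loopback(ip):
            findings.append(("redirect", ip, name))      # e.g. the 94.232.248.66 lines
        elif watched:
            findings.append(("blackholed-vendor", ip, name))
        else:
            findings.append(("ok", ip, name))             # the localhost lines stay
    return findings


def fix_lines(text: str) -> str:
    """Return the file with flagged entries removed: the equivalent of
    ticking those O1 lines and choosing Fix Selected. A line that mixes a
    flagged name with others is dropped whole; comments are kept."""
    bad = {(ip, name) for verdict, ip, name in audit_hosts(text) if verdict != "ok"}
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if body:
            fields = re.split(r"\s+", body)
            if any((fields[0], n.lower()) in bad for n in fields[1:]):
                continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for verdict, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:18} {ip:16} {name}")
    print("--- cleaned file ---")
    print(fix_lines(SAMPLE_HOSTS), end="")
```

Run it as-is to see the three redirect lines flagged and the two localhost lines kept; point `audit_hosts` at the real file's contents to check a live machine. Note the redirect target here is a public IP, so a browser that asks for browser-security.microsoft.com lands on a server the attacker controls, which is why those lines matter more than a plain blackhole.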

RecycleBin
May 11th, 2009, 07:49 AM
http://forums.majorgeeks.com

We'll help you.

Rook
May 11th, 2009, 03:35 PM
Ok, the following three lines:

O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivguardian.com
O1 - Hosts: 94.232.248.66 www,antivguardian,com

Mean that your HOSTS file has been modified to redirect you from those sites to those IP addresses. Tick them in Hijackthis, then choose Fix Selected.

DO NOT TICK the entry above those: "O1 - Hosts: ::1 localhost," this entry is a required part of your HOSTS file.

Those are the only entries I can see in that log, but if you have any more problems, I'll take another look.

Thanksss, if you see anything else let me know

RecycleBin
May 11th, 2009, 05:36 PM
Have HJT delete these:
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe


And would you mind Downloading Ccleaner and posting what is on startup?

Also if you would like more help then download Malwarebytes Anti-Malware. Make sure to update! Do a quick scan.
Then post the log of whatever it finds. Make sure you fix all the viruses it finds.

Download SuperAntiSpyware
Update.
Do a full scan.
Post log.

Rook
May 11th, 2009, 06:22 PM
What is viewpoint?

Also, already have ccleaner, and I'm very meticulous about having less as possible on startup.

http://img134.imageshack.us/img134/450/ccleaner.jpg

RecycleBin
May 11th, 2009, 06:25 PM
Viewpoint is an unwanted program that displays more pop-ups while online.

Also are you still having trouble?

Rook
May 11th, 2009, 06:28 PM
No everything looks good. Just making sure there is nothing on my computer remaining from it that could come back to haunt me.

The whole AVG scan of all drives said everything was ok, and AVG detected the problem the first go round.

RecycleBin
May 11th, 2009, 06:33 PM
Viruses (especially this type) can often hide in your system restore and restore themselves later on. Just to be sure, toggle system restore on and off. That will clear all restore points to ensure that the virus will not restore itself.

AVG is known for not fully removing things. Both of the requested logs would be nice but it is up to you whether you want to or not.

Rook
May 11th, 2009, 06:37 PM
I'll get the malware bytes thing, but how would one go about toggling system restore?

RecycleBin
May 11th, 2009, 06:41 PM
Right click on "My Computer"> Properties> System Restore

Check it and hit OK.
Then Uncheck it and hit OK.

Maniac
May 11th, 2009, 06:51 PM
I'll get the malware bytes thing, but how would one go about toggling system restore?
This should have been your 1st move.
MalwareBytes will find malware that most AV's miss and will automatically remove all traces of most of those malwares.
As recycle bin said, make sure to update, and run a full scan.

Rook
May 11th, 2009, 06:54 PM
http://img27.imageshack.us/img27/3568/malwareg.jpg
These came up.

-Is this to do with my problem?
-Assuming I should click 'remove selected'?

Jelly
May 11th, 2009, 06:56 PM
What is viewpoint?
http://www.bleepingcomputer.com/forums/topic120989.html


These came up.

-Is this to do with my problem?
-Assuming I should click 'remove selected'?

Fixing those entries will mean that windows will tell you when your Antivirus/Firewall is out of date or turned off. It can be manually disabled, and you may have done this yourself.

Maniac
May 11th, 2009, 06:58 PM
These came up.

-Is this to do with my problem?
-Assuming I should click 'remove selected'?

yes, always remove everything that is found in Malwarebytes.
Also make sure after a reboot that your windows security settings are ok.
And doublecheck the security levels in internet options \security and \privacy to make sure the levels were not lowered.

RecycleBin
May 11th, 2009, 06:59 PM
That is not a good thing.

http://rapidshare.com/files/231901485/MGtools.exe.html

Download and run that, it should only take about 5 minutes.

Download it to your C:\ Drive. That's very important.

Either post each individual log it makes or upload the MGlogs.zip file to rapidshare or something and I'll take a look at it.

Maniac
May 11th, 2009, 07:01 PM
what is mgtools?

Jelly
May 11th, 2009, 07:02 PM
ugh guys why are you saying this stuff. If Malwarebytes only detected those entries and nothing which may cause them, they're benign.

RecycleBin
May 11th, 2009, 07:03 PM
It's like a HJT on steroids.

Also, Rook, when did you start noticing you were infected?

RecycleBin
May 11th, 2009, 07:04 PM
ugh guys why are you saying this stuff. If Malwarebytes only detected those entries and nothing which may cause them, they're benign.

Not true.

Maniac
May 11th, 2009, 07:04 PM
I simply told him to remove what malwarebytes found and told him to doublecheck a couple simple things.
Good advice, imo.

Rook
May 11th, 2009, 07:06 PM
It's like a HJT on steroids.

Also, Rook, when did you start noticing you were infected?

Yesterday when the huge fucking popup came up and it attempted to hijack my machine. Naturally I unplugged the network cable and let AVG move it to the virus vault, then system restored like 30 seconds after that

RecycleBin
May 11th, 2009, 07:08 PM
Okay.


Did you run MGtools yet or are you still waiting?

Maniac
May 11th, 2009, 07:08 PM
If you want to know exactly what's running on startup then download and run UnHackMe
http://greatis.com/unhackme/

Cagerrin
May 11th, 2009, 07:08 PM
http://img134.imageshack.us/img134/450/ccleaner.jpg
Holy fuck that's a lot of stuff. I run maybe three things on startup.

You can probably remove Google Update, AppleSyncNotifier, GrooveMonitor, iTunesHelper(unless you actually use iTunes, and even then it's not really necessary), NeroCheck(assuming your copy of Nero works, all this does is check for driver conflicts), QTTask, Remind_XP, PDVDServ(unless you have a remote control hooked up to your computer for some reason), jusched, and Logitech Product Registration. Probably a few others as well.

Rook
May 11th, 2009, 07:10 PM
Why do I need MGTools, is malware bytes+hijackthis not enough?

@Cagerrin: only 2 things on that list are enabled...

RecycleBin
May 11th, 2009, 07:11 PM
He already disabled most things -_-


Maniac, anybody can see what is running and what is on startup but it takes someone who knows what they are doing to find the threat.

@ Rook. Malwarebytes and HJT are not enough.

Cagerrin
May 11th, 2009, 07:13 PM
Why do I need MGTools, is malware bytes+hijackthis not enough?

@Cagerrin: only 2 things on that list are enabled...
Argh I'm stupid.

Usually I just delete entries I don't need, so I'm not used to seeing them greyed out like that.

Maniac
May 11th, 2009, 07:15 PM
He already disabled most things -_-


Maniac, anybody can see what is running and what is on startup but it takes someone who knows what they are doing to find the threat.

@ Rook. Malwarebytes and HJT are not enough.
or if you think you have hidden files running you can do what I said and install UnHackMe and remove them.

Jelly
May 11th, 2009, 07:19 PM
Why do I need MGTools, is malware bytes+hijackthis not enough?
Honestly, HJT will provide us with enough info.

Re-reading your first post, I assume you've already cleared cookies from both Firefox and IE?

Also, MGTools is MajorGeeksTools, its official thread is here (http://forums.majorgeeks.com/showthread.php?t=137630), though RecycleBin managed to make it look pretty suspicious by putting the executable on rapidshare. It's basically HijackThis plus a couple of other logfiles.

Rook
May 11th, 2009, 07:21 PM
Honestly, HJT will provide us with enough info.
Alright


Re-reading your first post, I assume you've already cleared cookies from both Firefox and IE?
Yup, with CCleaner & in the browser to make sure

RecycleBin
May 11th, 2009, 07:22 PM
Honestly, HJT will provide us with enough info.

Re-reading your first post, I assume you've already cleared cookies from both Firefox and IE?

Also, MGTools is MajorGeeksTools, its official thread is here (http://forums.majorgeeks.com/showthread.php?t=137630), though RecycleBin managed to make it look pretty suspicious by putting the executable on rapidshare. It's basically HijackThis plus a couple of other logfiles.

Go check out the official file, you don't need to install it. It's an exe file.

RecycleBin
May 11th, 2009, 07:24 PM
Alright


Yup, with CCleaner & in the browser to make sure

HJT is far from "all you need" besides, it won't hurt to post the logs.

jcap
May 11th, 2009, 07:37 PM
So wait, did you remove the virus?

Are you just trying to make startup faster now?

I'm lost. While posting startup options can help a little, in most cases this virus nests itself under services, lsass, winlogon, and explorer.

RecycleBin
May 11th, 2009, 07:39 PM
Which is why I want those damn log files.

Jelly
May 11th, 2009, 07:45 PM
So wait, did you remove the virus?

Are you just trying to make startup faster now?

I'm lost. While posting startup options can help a little, in most cases this virus nests itself under services, lsass, winlogon, and explorer.
He's not sure if he has fully removed it, and wants some confirmation.

Rook
May 11th, 2009, 08:28 PM
So MGtools y/n?

RecycleBin
May 11th, 2009, 08:30 PM
Depends, would you care to know if it's gone? Yes or no?

Rook
May 11th, 2009, 08:50 PM
It'd probably be faster to backup my stuff and reformat than to jump thru these hoops.

RecycleBin
May 11th, 2009, 08:59 PM
Alrighty.

jcap
May 11th, 2009, 09:01 PM
If you ran ComboFix, that probably removed it. If not, get Kaspersky. AVG is one of the biggest shit antivirus apps.

Boba
May 11th, 2009, 09:28 PM
After I had Anti-virus 2009, I went out and got Kaspersky. Worked like a charm.

RecycleBin
May 12th, 2009, 04:40 AM
Hey, if it worked then great! There are many FakeAlert and Antivirus 2009 variants out there. Some get removed easily while others can be as hard as a boner.

Jelly
May 12th, 2009, 05:30 PM
If you ran Combofix, that probably removed it. If not, get Kaspersky. AVG is one of the biggest shit antivirus apps.

Combofix isn't a fix-all for everything. I've not read anything that suggests it's able to remove this specific piece of malware. I'm not even sure what malware it is, other than it's a Rogue AV with 2009 in its name.

RecycleBin
May 12th, 2009, 07:28 PM
Malware is short for malicious software. There are many different kinds of malware like keyloggers, Trojans, Rootkits, spyware, adware, dialers, wabbits, backdoors, exploits, browser hijackers, worms and viruses.

ComboFix is not a cure-all program and in some cases can ruin your PC if it is not run properly.

jcap
May 13th, 2009, 06:48 PM
In all of my cases, it has managed to completely fix the problem, or at least get it into a manageable state. You're pulling a dumb move by not getting Kaspersky, as it's the only AV software I have ever used that has been able to completely remove any case of AntiVirus 2009 from a computer - even the worst ones. At the very least, you should get the trial (full version, only missing a license key) from their website and install it before formatting.

Rook
May 13th, 2009, 08:23 PM
I appreciate the help but finally decided to back up most of my data on a 2nd drive and reinstall XP as much as I didn't want to. Wayyyy long overdue anyway.