HijackThis Log

  1. #11
VopThis, Senior Member (Canada)

    Re: HijackThis Log

    It is likely that 'trustedantivirus.com' (from a previous fix item) may still be a problem. We want to block access to that URL to see if the popups then become halted. If that proves to be correct, we can then attempt a more permanent and complete removal process.



    Get HostsXpert here:
    http://www.funkytoad.com/download/HostsXpert.zip
    • Unzip it to a convenient place and run the program.
    • On the left-hand column:
      Click Download>MVP’s Hosts>Replace.


    This will create a block entry(s) for:

    trustedantivirus.com (Tools>Search)


  2. #12
Mazinkaizer, Newbie
    I disabled my DNS client, but I keep getting this error message when I try to use HostsXpert:

    ERROR: Cannot open file C:\WINDOWS\system32\DRIVERS\ETC\hosts

If it makes a difference, my drivers and etc folders are lowercase.

  3. #13
Mazinkaizer, Newbie
    Oh, and I can't turn Auto-Protect on Norton anymore.
Every time I try, I get an error message.

  4. #14
VopThis, Senior Member (Canada)
    I disabled my DNS client
    Please don't do that. If you go off on tangents, it may be difficult to truly judge what is going on in your PC. This is the second procedure that has run into serious difficulty - that is never a good sign.




    Please download ATF Cleaner http://www.atribune.org/ccount/click.php?id=1 by Atribune.
    This program is for XP and Windows 2000 only

    It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
      Click the Empty Selected button.

    If you use Firefox browser
    • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
      Click the Empty Selected button.
      NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.



    Click Exit on the Main menu to close the program.




    http://research.sunbelt-software.com...hreatid=198346

%PROGRAM_FILES%\common files\trustedantivirus\bm.exe
    Download and scan with the 15 day trial version of Counterspy.

    http://www.sunbelt-software.com/CounterSpy-Download.cfm
    • Install Counterspy.
    • Click on 'Spyware Scan', then click 'Updates' at the top right.
    • Once any available updates have been installed, click the 'Scan Now' button.
    • Save the report when it's finished:
      1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
      2. Click on 'View Results'.
      3. Under (Recommended Action),using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
      4. Then click on 'Take Action'.
      5. Once everything has been removed, click on 'View Details'.
      6. Copy and Paste those details into a Word/Text document, then save it to your desktop.

    Post the above results and tell us how your PC is doing.

  5. #15
Mazinkaizer, Newbie
Quote Originally Posted by VopThis
    Please don't do that. If you go off on tangents, it may be difficult to truly judge what is going on in your PC. This is the second procedure that has run into serious difficulty - that is never a good sign.
    Ah, I only did that because the program asked me to.

    Here's the details from Counterspy:

    Scan History Details
    Start Date: 2/5/2008 7:44:03 AM
    End Date: 2/5/2008 8:00:13 AM
    Total Time: 16 Min 10 Sec
    Detected security risks

    Bifrost Backdoor more information...
    Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
    Status: Deleted

    Registry entries detected
    HKEY_USERS\.DEFAULT\SOFTWARE\WGET
    HKEY_USERS\S-1-5-18\SOFTWARE\WGET
    HKEY_USERS\S-1-5-21-450875506-3947421743-1634981352-1003\SOFTWARE\WGET


    Trojan-Downloader.Win32.VB.atp Trojan Downloader more information...
    Status: Deleted

    Registry entries detected
    HKEY_LOCAL_MACHINE\SOFTWARE\XPRE


    Trojan.in-t-e-r-n-e-t Trojan more information...
    Details: Trojan.in-t-e-r-n-e-t is an adware program that monitors web sites visited by users and sends collected data to the vendor's server.
    Status: Deleted

    Files detected
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\wts1\ovstadcom2.exe


    AdWare.Win32.Agent.acn Adware (General) more information...
    Status: Deleted

    Files detected
C:\QooBox\Quarantine\C\WINDOWS\system32\eeljubj.dll.vir

    After restarting, I still can't turn Norton back on. I also received an error message about a program called "DrWatsonDebugger"

    I'm still getting pop-ups from Internet Explorer, but they're coming up as blank pages now. And again, they're coming up when I'm using Firefox.

    Also, no advertisements are showing up on the websites that I usually visit. All trusted sites, with reputable advertisers (aicn.com, facebook.com, etc...). Not a problem, more of an oddity.
    Last edited by Mazinkaizer; 05-02-2008 at 02:39 PM.

  6. #16
VopThis, Senior Member (Canada)
    I'm still getting pop-ups from Internet Explorer, but they're coming up as blank pages now.
    Can you determine some of the URL source(s)? Try right-clicking the window or use any available info links on status bar.


    After restarting, I still can't turn Norton back on.
    Turning off and turning on Norton AntiVirus Auto-Protect:
    http://service1.symantec.com/SUPPORT.../1997121131456
    http://service4.symantec.com/SUPPORT...s/199733115529

    Add search terms for your specific version, if further research needed:
    http://www.google.ca/search?hl=en&q=...om&btnG=Search



    Did you try 'HostsXpert' again?



    The following tool might help find and resolve some of your more obscure remaining issues:

    http://www.threatfire.com/




    Lastly, you may want to load the following Firefox add-on tool (NoScript) - in case the pop-ups are script-based:

    https://addons.mozilla.org/en-US/firefox/addon/722

  7. #17
Mazinkaizer, Newbie
Quote Originally Posted by VopThis
    Can you determine some of the URL source(s)? Try right-clicking the window or use any available info links on status bar.
    http://url.adtrgt.com/cpv.jsp?p=1121...tingId=6559502

    http://url.adtrgt.com/cpv.jsp?p=1120...tingId=7124472

Quote Originally Posted by VopThis
    Did you try 'HostsXpert' again?
    I did, and it still isn't working.

    Threatfire didn't find anything.

    I'm still getting the blank pop-ups, even with no-script running. Still not getting any advertisements on the websites I visit.

  8. #18
VopThis, Senior Member (Canada)
    How did you make out with Norton?



    This and other variations of the following URL are also blockable by the HOSTS file we are trying to setup:

    url.adtrgt.com


    It would appear that some security application may have been used to lock down or protect the HOSTS file from being changed - perhaps by being made 'read only'. Try using HostsXpert as follows:

    (left column) 'File Handling'>'Make Writeable'
    -- or --
    'Restore MS Hosts File' (normally should be possible on an unrestricted HOSTS file)

    Proceed as previously directed.

  9. #19
Mazinkaizer, Newbie
    Ok, that seems to have worked this time. But I'm still getting popups. When I search the host file, I see url.adtrgt.com and trustedantivirus in there, but sure enough the popups still say url.adtrgt.com.

    I haven't tried re-enabling Norton yet. ThreatFire seems to be picking up a lot, though.

  10. #20
VopThis, Senior Member (Canada)
    I haven't tried re-enabling Norton yet. ThreatFire seems to be picking up a lot, though.
    That should tell you that your antivirus needs to be reinstated ASAP and without delay. A lot of ThreatFire activity would not be a good sign as to your PC's relative health status.


    popups still say url.adtrgt.com
    If you go to the command prompt (Start>Run>CMD - hit Enter KEY) and copy/type (Note: space after PING):

    PING url.adtrgt.com

    You should get the following block reply from 127.0.0.1:
    Pinging url.adtrgt.com [127.0.0.1] with 32 bytes of data:

    Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<10ms TTL=128

    Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Otherwise, you may still have the DNS client disabled. Type "services.msc" in the Run box and locate the service you wish to re-enable:

    http://www.blackviper.com/WinXP/service411.htm
    Last edited by VopThis; 06-02-2008 at 03:43 PM.
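The HOSTS-file check that posts #18 and #20 describe (is the host in the file, and does it now map to 127.0.0.1?) can be done offline against the file's text, which also makes one caveat visible: a HOSTS file has no wildcard syntax, so blocking `trustedantivirus.com` does nothing for `www.trustedantivirus.com`, and `url.adtrgt.com` covers only that exact name, not other `adtrgt.com` subdomains. The following is an added example written for this page, not code from the thread or from HostsXpert; the sample HOSTS text and the pop-up URLs it is checked against are constructed for the example, and `0.0.0.0` is included as a block target because blocklists such as the MVPS file commonly use it alongside `127.0.0.1`.

```python
"""Parse a Windows HOSTS file and report which pop-up hostnames it does not black-hole."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample in the layout a HostsXpert/MVPS-style file uses (not the poster's real file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
127.0.0.1  trustedantivirus.com      # added by the earlier fix item
127.0.0.1  url.adtrgt.com
0.0.0.0    www.trustedantivirus.com  # 0.0.0.0 is another common black-hole target
"""

# Addresses that mean "send this name nowhere useful".
BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname: ip} from HOSTS-file text.

    Each line is '<ip> <name> [<name> ...]' with optional '#' comments.
    Names are case-insensitive and matched exactly (no wildcards), and the
    first mapping for a name is kept, mirroring first-match resolver behaviour.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                               # no hostname on this line
        try:
            ip = str(ip_address(fields[0]))
        except ValueError:
            continue                               # malformed address field; skip it
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table


def resolve(table, hostname):
    """Address the HOSTS file gives for hostname, or None if it is not listed."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(table, hostname):
    """True when the HOSTS entry points the name at a black-hole address."""
    return resolve(table, hostname) in BLOCK_TARGETS


def hostname_of(url):
    """Hostname component of a pop-up URL (what the HOSTS file is matched on)."""
    return (urlsplit(url).hostname or "").lower()


def unblocked_hosts(table, urls):
    """Hostnames seen in pop-up URLs that the HOSTS file does not black-hole."""
    names = {hostname_of(u) for u in urls}
    return sorted(n for n in names if n and not is_blocked(table, n))


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    # Constructed pop-up URLs: two names are covered, a sibling subdomain is not.
    popups = [
        "http://url.adtrgt.com/cpv.jsp?p=1121",
        "http://ads.adtrgt.com/cpv.jsp?p=1122",
        "http://www.trustedantivirus.com/",
    ]
    for name in sorted({hostname_of(u) for u in popups}):
        print(f"{name:30} -> {resolve(table, name)}  blocked={is_blocked(table, name)}")
    print("still unblocked:", unblocked_hosts(table, popups))
```

Any name the function reports as unblocked needs its own `127.0.0.1` line; once added, the `PING` test in the post above should show `[127.0.0.1]` for that name too. If it does not, the file's contents are fine and the problem is elsewhere (cached lookups or the file not being the one the resolver reads).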
