Pop-ups and Trojans (oh my!)

ellenron,

Next time please wait for someone to ask you to post your log. The below fix may not complete resolve your problems. I think you may have some hidden VX2 infections. We will get them later after the first go around.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

First look in Add/Remove programs for Alset or HelpExpress and uninstall if found.

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\Program Files\atce\trdb.exe
C:\WINNT\system32\??mbols\svchost.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll
O4 - HKLM\..\Run: [*msvchard] C:\WINNT\security\LOGS\msvchard.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINNT\system32\n20050308.EXE
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitepbr32.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Ellen\HXIUL.EXE
O4 - HKCU\..\Run: [Brct] C:\Program Files\atce\trdb.exe
O4 - HKCU\..\Run: [Xwxh] C:\WINNT\system32\??mbols\svchost.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: IPConfTSP - C:\WINNT\system32\MVGINA.DLL

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
c:\Program Files\Ftk <--- the whole folder
C:\Program Files\atce <--- the whole folder
C:\Program Files\Alset <--- the whole folder
C:\WINNT\system32\vidctrl <--- the whole folder
C:\WINNT\system32\??mbols\svchost.exe <--- be careful looking for this one. The file name will more than like not show up with the question marks in it. Do not delete the svchost.exe file that is in c:\windows\system32
C:\WINNT\security\LOGS\msvchard.exe
C:\WINNT\system32\n20050308.EXE
C:\Program Files\Common Files\Java\ftkcpy.exe
C:\winnt\system32\elitepbr32.exe <--- also look for other file names starting with elite and ending with .exe and delete them too.

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

You are still getting popups because you still have some additonal problems we have not gotten to yet. You have a VX2 infection.

Please download the following tool and save it where you will be able to find it. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in their own subfolder. It makes it easy to find. Make sure you download them from the link below:

L2MeFix Tool

Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

Exit Browsers now before continuing

Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

NOTE: Please do not run any other options or files in the l2mfix Folder!

Now reconnect and come back here and post as an attachment the l2mfix log. Based on the log, we will determine the next steps. Please DO NOT REBOOT after scanning for these logs!! Otherwise potential problems may mutate and spread. Wait for me to get back to you with the next steps.

 

Do not worry about anything that Norton finds for now. Just follow keep following my directions until we get to a point where I say you are clean. If Norton still finds problems then we will worry about it. Right now we know you have problems and we are trying to fix them.

Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

Again, don't run any other files in the L2MFix folder.

Now get a new HJT log.

Now reconnect to the internet and come back here and post and attach the L2MeFix Log along with the new HJT log.

Okay after doing the above DO NOT REBOOT.

 

Okay! Now your log is looking better and we removed a bunch of hidden baddies. How are things working now?

As another safe guard also do the below:


Also download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

 

This may be a bug in MS Antispyware. See know bug jj in the following link: http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt


Does it happen with any other programs?
Does it happen in safe mode?

Make sure you have all of your Windows updates. Following all the steps in the below thread will help you get your updates and will also help keep you clean:

How to Protect yourself from malware!

 

It could be related to Windows Installer or it could be a Dell problem.

I asked in my last message: Does it happen in safe mode?

 

Okay! Let me know the result.

 

Windows Installer? Or are you getting a message about Backup Dell-Installed Programs?

Is MS Antispyware already installed and you are trying to run the program? I believe this is the correct statement based on previous messages.

Or are you trying to run the installation (the file you downloaded)?

Do you have all of your Windows Updates? Goto the below and check:

Windows Update

 

I'm not sure what is going on here. It is not a malware related problem from what I can tell (but maybe it is the result of what malware has done). You could check with Dell on this. But I did read a message somewhere that said the below, which may be worth a try:

That's how it was written. So I'm not exactly sure why they were saying "select repair and then reinstall". They sound like two different things.

You may also want to read the below MS KB article and give the Windows Installer Cleanup utility a run.

http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

Run it and scroll down to Backup Dell-Installed Programs and delete it.

Let me know the results.