
Actulice pop-up


Original Message
Name: Michael J.
Date: May 13, 2004 at 11:26:18 Pacific
Subject: Actulice pop-up
OS: 98 v2
CPU/Ram: celeron400/192mb
Comment:

I've reviewed and tried everything that others have offered. I have also tracked this thing to Windows\System where it is an application called "SERU" and sure enough it is from thunderdome. The system won't let me delete it as it says it is in use by Windows. Any help would be appreciated. Thanks.

Mike


Response Number 1
Name: Jennifer SUMN
Date: May 13, 2004 at 11:38:59 Pacific
Reply:

Check this post:

http://www.computing.net/windows95/wwwboard/forum/158218.html


Response Number 2
Name: Michael J.
Date: May 13, 2004 at 12:11:26 Pacific
Reply:

Thanks Jennifer...I've tried all those things, I had seen those posts prior to me posting. Any suggestions on how to delete this thing would be greatly appreciated. It won't let me delete in explorer.


Response Number 3
Name: Tufenuf
Date: May 13, 2004 at 12:38:05 Pacific
Reply:

Mike, See if zeko's Response Number 12 instructions are of any help. They seemed to have worked for others in the thread that followed those instructions.

http://www.computing.net/security/wwwboard/forum/10892.html

Tufenuf


Response Number 4
Name: Michael J.
Date: May 13, 2004 at 14:25:49 Pacific
Reply:

Here's what worked for me. It seems to be gone now.

I did have a pup.exe that I deleted. I tried all the others, over.exe, actulice.exe, bookmarks.exe but I didn't have any of those. I did, however, have an application called "SERU" that was in Windows\System. I couldn't delete it.

From a command prompt I ran REGEDIT. I removed the following:
HKEY_CLASSES_ROOT\pup.setup
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\pup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\asauthr

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\dhcpv

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\dwwizh

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\qlsrv32s

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\svidc32m

HKEY_LOCAL_MACHINE\software\pup

REBOOT. Deleting these stopped the pop-up at boot. I was then able to go to Windows\System and delete "SERU". Rebooted again and it appears to be long gone. (Keeping fingers crossed!!!) Hope this helps.


Response Number 5
Name: Tufenuf
Date: May 13, 2004 at 15:21:35 Pacific
Reply:

Mike, Glad to see that you hopefully got rid of that problem and Thanks for posting back to let us know what you did. It will help others who may get that problem in the future.

Tufenuf


Response Number 6
Name: Yadirf
Date: May 13, 2004 at 19:08:46 Pacific
Reply:

To solve the "actulice" problem:

1) Go to "start"
2) Click "run"
3) Type in "msconfig"
4) Click "OK"
5) Click on "Startup" tab
6) Find "pg4ds32m" in the list
7) Uncheck its box
8) Restart your computer
9) Smile
______________________

It didn't change names in my particular case, like it apparently did for others.

I posted this earlier over at: http://www.computing.net/windows95/wwwboard/forum/158218.html


Response Number 7
Name: Yadirf
Date: May 13, 2004 at 19:38:09 Pacific
Reply:

I failed to mention something else of utmost importance. After the above, you need to erase "pg4ds32m" completely off of your computer. To do so, follow these instructions:

1) Go to "start"
2) Go to "Find"
3) Select "Files or Folders"
4) Type in "pg4ds32m"
5) When it's found, highlight it and hit the delete key.
6) Also delete it from your trash bin.

Now smile.


Response Number 8
Name: Yadirf
Date: May 14, 2004 at 11:04:00 Pacific
Reply:

Dear all,

Please see my comments under "Response Number 12" at the following URL: http://www.computing.net/security/wwwboard/forum/11720.html

Please let us all know if this (or whatever) fixes your problem.



Response Number 9
Name: Top Speed
Date: May 14, 2004 at 15:07:48 Pacific
Reply:

ACTULICE POPUP ON WINDOWS 98

The free antivirus scan and automatic System Cleaner from MicroTrend and the Adaware removal programs didn't eliminate the Thunderdome Actulice malware in Windows 98 for me. Because the malware .exe file is programmed to start in my Windows Startup, and the actulice malware program name also changes when I click the "OK" button on the popup, I had to remove the thunderdome malware manually using the msconfig Startup tab and editing my registry. Basically, I identified and terminated the malware from Memory and the Registries, and here is the step-by-step guide of how I manually removed all the thunderdome malware .exe files (I had two) successfully.

PREP WORK:

1. Identify and terminate malware process from memory: See what programs are running in your Task Manager (open your Task Manager in Windows 98 by pressing CTRL-ALT-DEL).

In the list of running programs, locate the malware file or any suspicious programs you either didn't install yourself or have not heard of and write the file path down.

Note: Task Manager running on Windows 95/98/ME may not show certain processes. If you are not sure about your task programs, you could use a third party process viewer to identify suspicious or unknown files. I use Process Explorer, a freeware from Sysinternals.com, http://www.sysinternals.com/ntw2k/freeware/procexp.shtml to help me identify program company names on unknown files or processes.

With or without the help of Process Explorer, write down any suspicious and unknown programs that shouldn't be on your pc for reference later.

2. Empty all your Internet temporary files and cookies in IE under Tool-> Internet Options.

4. Search and delete all *.tmp and *.gid files using Find by right-clicking on the Start button.

5. Empty Recycle Bin

6. Run all your virus- and ad- removal programs.

7. Backup your registry if you want (we will need to modify registry later).

8. Shut-down and restart Windows 98 in Safe Mode (I did it in Normal Mode, however).


If the Actulice Popup appears first thing on the Desktop after booting up, DO NOT do anything to or click on it - just leave it running as it is.

IDENTIFY AND TERMINATE THE MALWARE FROM MEMORY

1) Open Task Manager and repeat PREP WORK Step #1 to identify your malware program. Notate any unknown or suspicious programs for future reference. Click on the suspicious program(s) and click on "End Task" button to end the suspicious program(s) from running. Exit out the Task Manager (and Process Explorer if opened).

2) Open msconfig from Start -> Run -> in the Open: box, type, msconfig -> click "OK" -> click on the Startup tab

Identify and cross reference any suspicious program files from those you noted also in Task Manager (or Process Explorer if used). A Thunderdome .exe file (and most malware) is usually listed under c:\Windows\System\. Write down the thunderdome program file name and path (the first malware) found in msconfig Startup Tab.

Now, with the msconfig Startup window visible on the Desktop, click on the "OK" buttons of the Actulice Popups and each time you click "OK", write down any name changes and new Thunderdome program files showing in the msconfig Startup window. Note: after you click on "OK" on Actulice Popup, the thunderdome malware program file name changes in the msconfig startup window.

Write down all Thunderdome malware program files (and changed file names) you found from the msconfig Startup windows until Actulice Popups stop.

Disable and uncheck the last Thunderdome malware program in msconfig Startup Window. Exit msconfig.


REMOVE AUTOSTART ENTRIES FROM THE REGISTRY

To prevent the malware from executing during startup:
1. Open Registry Editor. Click Start>Run, type Regedit then hit Enter.

2. In the left panel, double click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

3. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file/s detected earlier.

4. I have two Run keys in the registry. I found and deleted my two thunderdome malware programs, mgcvddn.exe and mgshli.exe, in the following registry key, HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run-


REMOVE OTHER ENTRY FROM THE REGISTRY

To remove added registry key which it uses for configuring its programs.

1. Still in the Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Explorer>pup

2. Still in the left panel, locate and delete the subkey: pup

3. Close Registry Editor.

CLEAN & DELETE FILES

1. Locate and delete any malware programs from Thunderdome detected in Windows Explorer. You could locate the Thunderdome program file either doing a Search or just look in c:\windows\system\.

[On a totally different issue, I also deleted about 60+ .exe files from Totempole in c:\windows\system\. These totempole and thunderdome.exe have a different icon from the usual .exe files. Double check the company name by right-clicking on the suspicious .exe file and click on the Version tab. All the Totempole .exe files seem to have been downloaded on the same date, so you can also do a Search of .exe file for that date in Find and then check these .exe files are from Totempole to delete them from your computer].

2. Empty Recycle Bin

3. Shut Down and Restart PC in Normal Mode should complete the removal of the Actulice popups.


Topspeed


Response Number 10
Name: Jackie Artle
Date: May 14, 2004 at 19:51:23 Pacific
Reply:

I have the same problem. I was wondering if System Restore would work (I have Windows XP). If not I need a simpler way to fix this because my father insists I download no antivirus things off the internet.


Response Number 11
Name: NORTHERN
Date: May 15, 2004 at 10:06:04 Pacific
Reply:

I forget what response I was reading, but I wish I could remember to thank that guy. I went into System32 and right click. Then Arrange Icons by Modified date. You will notice the last icons looking like application files are the company everyone's been talking about, totempole and thunderdome. When trying to delete them, 3 I could delete but one I couldn't. It was called (langm.exe), I went to start, pressed RUN, then type in msconfig, then press on the last tab startup. I unchecked (langm) and restarted my computer. Then I came back in went to system32 and deleted the langm file, everything seems to be working fine. I hope this helps you guys.

NORTHERN


Response Number 12
Name: Top Speed
Date: May 15, 2004 at 16:06:27 Pacific
Reply:

Jacki - I am not familiar with Windows XP, System Restore you are referring to, and the Windows XP registry, but I would imagine with some modification, the principle behind the fix in Response 9 should resolve the actulice popup because the fix is methodical and not file specific as we know this thunderdome actulice malware can have many changing .exe names.

One thing to consider is what systems files are restored, overwritten, and left untouched (may be the malware) when doing a System Restore. In addition, a System Restore is not a guaranteed resolution to your actulice problem because you don't know if these malware files will be deleted by the System Restore, are already present in your backups you want to restore, or will they be left remaining after the restore, unless by System Restore you meant is doing a clean reinstall of Windows XP from your Windows XP CD and want to take a chance on one of your backups assuming you know which backup is free of actulice and other malware. Neither the time involved to do a clean install of Windows XP or restoring a questionable backup seem to save time, nor will it address your original problem - actulice or any malware, but the judgment call is yours. Perhaps these are the reasons why antivirus and malware programs exist so users don't have to reinstall OS and restore data every time there is a computer problem. Besides, if you screw up on the fix, you could do the System Restore afterwards, but you would have tried something new that might have worked for you and learned something new.

The methodical fix I mentioned in Response #9 is very simple to do involving only five major steps if you understand the concept and the reasons behind the resolution. The detailed step-by-step instructions may seem complicated but are just there as a guide and a reference to help you succeed on the first try and to avoid complications.

With some modification, you could also adopt these steps to remove future malware using the steps I described so it would be time well-spent, not to mention the new found confidence and skills gained.

My computer has been actulice- and ad-free for at least four days. Everything is working fine, and I have since done an updated antivirus scan, ad-scan, system scan, defragmentation, and created a clean full backup of my computer and data.

If you aren't confident or sure about how to adopt my actulice and totempole fix for Windows 98 for Windows XP, I suggest you start a new thread for XP and perhaps someone could address a fix for XP specifically.

Northern - You are right about the choice of "Arranging icon by Date" under the View menu in Windows Explorer to remove Totempole .exe files. After I wrote Response 9, I thought to sort and remove totempole .exe files by selecting "Arrange icon by TYPE" from View may be more efficient than using the Find option I used and suggested.

Topspeed


Response Number 13
Name: jsc xander
Date: May 15, 2004 at 18:00:33 Pacific
Reply:

hi,

im using xp and i managed to fix this little pest, here is how i was able to fix it:

1. open my computer
2. go to c:\windows\system32\
3. then sort by modified
4. go to the last execute files on the list
5. all the files should look the same, also if you highlight the execute program it will tell you if it is made by thunderdome or totempole.
6. try to delete these files, if you get a message saying it is in use,
7. go to start, then to run, then type msconfig and press ok,
8. then go to startup tab, then search for the files that are unable to be deleted, then uncheck them
9. restart windows, and delete these files.

that worked for me, hope it works for you


Response Number 14
Name: Justgis
Date: May 15, 2004 at 23:25:31 Pacific
Reply:

Just wanted to say that Response Number 13 worked for me like a dream. Actulice and all of its changed names and affiliates are FINALLY gone! I had been feeling so violated and discouraged.

Anyway, the tricky little bugger, pest, pain in the you know what...is gone!

jsc xander, thanks so much!
gis.


Response Number 15
Name: amiablecadence
Date: May 16, 2004 at 07:47:25 Pacific
Reply:

Here's what worked for my HP with Win. XP.

1- Start
2- Run
3- msconfig
4- Startup
5- rogmanp (disable)
6- Search/Find rogmanp
7- Dispose of file (empty bin)
8- Restart comp.


Response Number 16
Name: bookscape
Date: May 16, 2004 at 14:00:39 Pacific
Reply:

Response #9 did it for me. I had no SERU, no pg4...., but the suggestion that one search by date and then check 'version' to find the company worked. I went into the Windows/System (I don't have the Windows Explorer, that threw me in some of the other solutions) checked one out that was dated 5/14/04 (about the time this stinkin' actulice began) and sure enough it was Thunderdome. I went into Search (not called Find on my machine) typed in exe and specified by the date 5/14 and the search turned up 3 things. I was able to delete two of them, but the original BGHELPPD wouldn't delete because the computer said it was in use by Windows.... The light bulb went off. I went into MSConfig and sure enough, there was BGHELPPD in the start up. I unchecked it and then went and deleted it. When I restarted the computer, bye bye actulice. I am keeping my fingers, toes and eyes crossed. This thing is a real pest.

thanks for all the advice. By using everything that was given, I was able to finally get this all figured out. May the creator of this actulice rot in the particularly warm place...........

BTW I did have the pup.exe. That was the first thing I deleted.

bookscape


Response Number 17
Name: se
Date: May 16, 2004 at 14:50:43 Pacific
Reply:

the best solution for fixing the actulice pop up
on windows XP is;
WHEN THE ACTULICE POP UP CAME UP THE COMPUTER, YOU DID NOT CLICK OK, LEFT IT OPENED, THEN GO TO THE TASK MANAGER, CLICK ON THE APPLICATIONS TAB, YOU SAW ACTULICE IN THE LIST, RIGHT CLICK ON IT, AND CHOOSE GO TO PROCESS, THEN GO TO RYPTEXT.EXE, CLICK IT, AND THEN CLICK ON END PROCESS, GO TO START MENU, SEARCH AND SELECT ALL FILES AND FOLDERS, TYPED RYPTEXTC.EXE, AND WHEN IT SHOWED UP, DELETE THE 2 RYPTEXTC FILES, AND THEN DELETE IT OUT OF THE RECYCLE BIN, THEN REBOOT THE COMPUTER....
NO MORE F... POP UP :)


Response Number 18
Name: Challenger7469
Date: May 16, 2004 at 17:07:54 Pacific
Reply:

When I first got this pop up I tried EVERYTHING, I downloaded virus scanners, parasite scanners, pop up blockers, and everything else known to the world of the internet smart people. What you do is when it pops up:
1)Hold Alt
2)Hit F4
3)Laugh at who ever created that thing!


Response Number 19
Name: jaxangelchica
Date: May 16, 2004 at 21:21:35 Pacific
Reply:

To get rid of the annoying actulice pop-up do this! Go to http://www.spychecker.com/program/securitytask.html and download the trial of Security Task Manager. Run it and look for actulice. Click on it and the name of the file should appear on the bottom of the screen and all the info. In my computer it was igbe.exe. Then go to the Start menu, go to Run and type in msconfig. Under the Start up tab look for the name of the file the Security Task Manager Found. Uncheck the file and click Apply and Save. Go back to Security Task Manager and click Remove and Move file to quarantine. Reboot and SMILE!


Response Number 20
Name: cobaltbluecap
Date: May 16, 2004 at 23:03:17 Pacific
Reply:

response 6 worked for me


Response Number 21
Name: Top Speed
Date: May 17, 2004 at 11:53:56 Pacific
Reply:

One correction about the comprehensive fix for removing actulice popups and other malware program files manually posted on

http://computing.net/security/wwwboard/forum/11720.html
http://computing.net/security/wwwboard/forum/11722.html
http://computing.net/windows95/wwwboard/forum/158218.html
http://computing.net/security/wwwboard/forum/11772.html

The free Sysclean engine and the matching virus definition software were downloaded from TrendMicro.com and not from microtrend.com as I stated. I can't believe there is also a microtrend website.

In case anyone needs a free antivirus program, I got the free virus scan from Trendmicro through www.housecall.antivirus.com to do the online scan first. I download and update the sysclean engine and the matching virus definition files as they become available.

Top Speed


Response Number 22
Name: chanman
Date: May 17, 2004 at 12:13:27 Pacific
Reply:

okay, one problem here, when I run msconfig in win2000, it gives me the message

'cannot find the file 'msconfig' (or one of its components). Make sure the path and filename are correct and that all required libraries are available'

I haven't had this problem with either win 98 or win xp.


Response Number 23
Name: ausnz
Date: May 17, 2004 at 13:00:41 Pacific
Reply:

Ran steps 13 / 15 and disabled from startup... the name of file poinw07h...
the little rascal is changing its name on us!
thanks for putting basic steps on web for the inexperienced drivers :))


Response Number 24
Name: Top Speed
Date: May 19, 2004 at 14:20:44 Pacific
Reply:

Nathan,

For Windows NT/2000/XP systems,

1. For Windows ME/XP users, disable System Restore before running antivirus so the program can scan and remove any infected EXE and COM system backup files.

Disable System Restore directions at,
http://www.trendmicro.com/en/security/advisories/win_me_clean.htm


2. Run your updated antivirus to remove the actulice malware automatically and identify the infected actulice files. Write down the infected undeleted actulice files.


3. Terminating the Malware Program from Memory

You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.

In the list of running programs, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.

The Actulice infected file is from company Thunderdome, and the infected .exe files can have multitudes of different program file names. If an executable program file is from Thunderdome, you should select the .exe file and click End Task to stop it from running. Repeat and End Task with other Thunderdome .exe files.

Do the same for all detected malware files in the list of running processes.

To check if the malware process has been terminated, close Task Manager, and then open it again.

Close Task Manager.


4. Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing during startup. This is also an effective way to terminate its process. In this procedure, you will need the name/s of the file/s detected earlier.

Open Registry Editor. Click Start>Run, type Regedit then hit Enter.

In the left panel, double click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file/s detected earlier.

5. Removing Other Entry from the Registry

This procedure removes the added registry key, which it uses for configuring its programs.

Still in the Registry Editor, in the left panel, double-click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Explorer>pup

Still in the left panel, locate and delete the subkey: pup

Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Top Speed


Response Number 25
Name: Mikech
Date: May 20, 2004 at 00:20:33 Pacific
Reply:

Northern - many thanks. Your fix worked a treat !!!


Response Number 26
Name: sparkee
Date: May 22, 2004 at 04:37:51 Pacific
Reply:

the actulice pop up worm cause certain chain reaction damage (should i say).. wen i went online evtym, a default page appears with the big word STOP.. and saying that my PC myt had been attacked by a spyware.. with it, a small pop up window appears with a picture of a lady with sumthin written lyk dont open this if ur not 18.. (i dont hav those pop ups before my PC had been "actuliced").. i did followed the actulice elimination steps however..and succeeded

God Bless!


Response Number 27
Name: tbjrgirl
Date: May 22, 2004 at 13:33:24 Pacific
Reply:

RESPONSE 13 DID THE TRICK!
This pain in the rear actulice thing constantly changes names within your computer. If you follow the steps that Response 13 says, you will get rid of this thing! I AM NOW 3 DAYS ACTULICE FREE. I'd like to thank all the people who supported me through the 8 step program! LOL GOOD LUCK ALL!


Response Number 28
Name: Susan Z
Date: May 25, 2004 at 11:15:37 Pacific
Reply:

Number 13, you are awesome! Mine was PTL, under the SYSTEM folder, but like you said, I clicked on properties, and Thunderdome was the author, so I ran MSCONFIG, removed the checkmark for startup, then was able to delete it on the reboot. THANKS SO MUCH!!

Susan Z


Response Number 29
Name: j_mEe
Date: May 29, 2004 at 14:37:38 Pacific
Reply:

I tried response 17 and it worked :) better yet it was simple. Although mine was not RYPTEXTC.EXE. I had LLHOSTD.EXE instead. Thanks! That pop-up was starting to kill me..


Response Number 30
Name: Top Speed
Date: May 30, 2004 at 13:42:49 Pacific
Reply:

It's good to have cleaned out Totempole files from your system folder, but they are not related to the Actulice popup files, which are from Thunderdome.

My experience in removing these random exe files from Thunderdome was that they have to be removed from the registry for a first-try and thorough removal.

Who knows, you might also find other suspicious files in your registry.


Response Number 31
Name: Jon O
Date: June 5, 2004 at 19:45:22 Pacific
Reply:

Thanks to all who posted in this thread, with a special thanks to response 9, 13, and 24. I'm using windows xp pro with windows media player 9 and I had to do one extra step to finally give the last rites to my dear departed “actulice”. It appears that some malware had replaced my wmplayer.exe file with its own special version that downloaded and ran actulice. This would happen whenever a web streaming server used media player or even if I ran it myself, without my browser open. If anyone also has this problem here is what I did after much gnashing of teeth. Follow any relevant advice from response 9, 13, and 24 and then Open your C: (boot drive)\Program Files\Windows Media Player folder. Look at your wmplayer.exe file in this folder. It should have a circular icon with a triangle in the center. Underneath the wmplayer.exe text to the right of the icon, it should say ‘Window Media Player’ and ‘Microsoft Corporation’. My infected version had a different icon, looked like a desktop pc and no text other than ‘wmplayer.exe’. Another difference is the size of the file. In my version of Media Player 9.00.00.35, the correct size is 72kb. If you place your mouse pointer over the icon it will display the size of the file. My infected file was 302kb. The way I got my original version back was simply to rename the infected file. Be careful not to execute the file when you do this-just right click on it once and choose rename from the menu. I renamed it wmplayerinfected, but that is just arbitrary. Once renamed my original wmplayer.exe file reappeared. I’m planning on sending the infected version to Microsoft and a few of the Trojan/ Virus/adware removal software companies so they can automate the fix and or prevent it from happening in the first place. If you want to know when you were infected, right click on the infected file and choose properties from the menu and look at when the file was modified.
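
The signals posters in this thread checked by hand (Run-key autostart entries, the company name on the Version tab, the modified date, and the size and publisher of wmplayer.exe from Response 31) can be collected in one read-only pass on a current Windows system. This is an added example, not code from any poster; it assumes Windows PowerShell 5.1 or later, and `$RecentDays`, `$ExtraFiles` and the function names are choices made for the example.

```powershell
# Added example, not from the thread. Read-only: it reports, it never deletes.
# Assumes Windows PowerShell 5.1 or later; names and thresholds are illustrative.
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
# Response 31's case: a program file swapped for a larger look-alike.
$ExtraFiles = @("$env:ProgramFiles\Windows Media Player\wmplayer.exe")
$SuspectCompanies = 'Thunderdome', 'Totempole'   # publisher names reported in the thread
$RecentDays = 30                                  # assumption: what counts as "recent"

function Get-ExePathFromCommand {
    # Extract the executable from a Run value such as
    #   "C:\Program Files\App\app.exe" /tray    or a bare name like    langm
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if     ($cmd -match '^"([^"]+)"')        { $exe = $Matches[1] }
    elseif ($cmd -match '^(.+?\.exe)(\s|$)') { $exe = $Matches[1] }
    else                                      { $exe = ($cmd -split '\s+')[0] }
    if (-not [IO.Path]::HasExtension($exe)) { $exe += '.exe' }
    # Bare names are looked up where the thread's samples lived:
    # the system directory first, then the Windows directory.
    if (-not [IO.Path]::IsPathRooted($exe)) {
        foreach ($dir in [Environment]::SystemDirectory, $env:windir) {
            $candidate = Join-Path $dir $exe
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        }
    }
    return $exe
}

function Get-FileIdentity {
    # Collect the properties that do not change when the file is renamed.
    param([string]$Path, [string]$Source)
    $info = [ordered]@{
        Source = $Source; Path = $Path; Exists = $false; Company = $null
        SizeKB = $null; Modified = $null; Signature = $null
        Review = 'target file missing'
    }
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $file = Get-Item -LiteralPath $Path -Force
        $info.Path      = $file.FullName
        $info.Exists    = $true
        $info.Company   = $file.VersionInfo.CompanyName
        $info.SizeKB    = [math]::Round($file.Length / 1KB)
        $info.Modified  = $file.LastWriteTime
        $info.Signature = (Get-AuthenticodeSignature -LiteralPath $Path).Status
        $reasons = @()
        if ($SuspectCompanies | Where-Object { $info.Company -like "*$_*" }) {
            $reasons += 'publisher named in the thread'
        }
        if (-not $info.Company)          { $reasons += 'no company name' }
        if ($info.Signature -ne 'Valid') { $reasons += "signature $($info.Signature)" }
        if ($info.Modified -gt (Get-Date).AddDays(-$RecentDays)) {
            $reasons += 'recently modified'
        }
        $info.Review = $reasons -join '; '
    }
    [pscustomobject]$info
}

$report = @(
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            if (-not $command.Trim()) { continue }
            Get-FileIdentity -Path (Get-ExePathFromCommand $command) -Source "$key\$name"
        }
    }
    foreach ($path in $ExtraFiles) { Get-FileIdentity -Path $path -Source 'extra file' }
)

# Newest first, mirroring the "sort by modified date" step several posters used.
$report | Sort-Object Modified -Descending |
    Format-List Source, Path, Company, SizeKB, Modified, Signature, Review
```

Because the file names in this thread differ on every machine, the report keys on properties that survive a rename; an empty Review field means none of those signals fired, not that the entry is known to be safe.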


Response Number 32
Name: Top Speed
Date: June 6, 2004 at 12:36:12 Pacific
Reply:

A great find. Thanks for the tips.








Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

