
actulice.exe Pop Up


Original Message
Name: Erin
Date: May 13, 2004 at 08:30:31 Pacific
Subject: actulice.exe Pop Up
OS: Windows 98
CPU/Ram: Compaq/not sure
Comment:

I have windows 98. I have a pop up actulice.exe that I can't get rid of. I looked on this forum and found some ideas to delete a bunch of files...pup.exe, over.exe and a few more but it didn't work deleting them. Is there anyone that can suggest something for me to do???

Erin


Response Number 1
Name: murve
Date: May 13, 2004 at 09:09:41 Pacific
Reply:

hi erin,
you may have Trojan Horse Downloader VB.EC
i am not sure, so check to see if you have any of these files in windows and or system directory.
Intsesst.exe
Udcedite.exe
actulice.exe
pup.exe
bookmarks.exe
ompmgmtc.exe
sheartsm.exe
astlsr.exe
ddbse320.exe
if found delete them. now, i want you to check in your media player folder and see if pup.exe is also there, if it is delete it from there.
it would be a good idea to go to safe mode and do this from there, before you do, get your latest anti-virus defs, and also the latest defs if you have an anti-trojan, and scan your computer in safe mode, while there, clean your temp internet files, temp files, history files, and cookie folder.
you may also want to scan disk and defrag in safe mode also.
for more info on trojans go to www.thepublicworks.com, security section and link to security dogs,etc.
all the best,
murve


Response Number 2
Name: Erin
Date: May 13, 2004 at 09:21:40 Pacific
Reply:

Yes! We did update all my virus scan stuff and did the scan and did find that I had the trojan virus. So we quarantined it but I still have the dang pop up! All those files you suggested I delete I had tried to find ALL day yesterday and only found a few and did delete them and I've deleted all my temp files, cookies...yada yada yada. I will check my media player and see if I can find more files to delete. I tried to do a defrag last week but it wouldn't complete, I started it when I got off work and the next morning 0% had been completed. Personally, my computer is a P.O.S in a HUGE way and my boss is so cheap he won't buy an new one for me. Yeah, it just shuts down on me in the middle of things a few times a day....I guess that's what I expect since he bought the computer from an old company that went out of business...it has so much crap on it, you wouldn't even believe.......it sucks. Thanks for the info!!!


Response Number 3
Name: Michael J.
Date: May 13, 2004 at 11:19:42 Pacific
Reply:

Erin,
I have the same problem with the same results. I have also found this thing in Windows/System. See if you have "SERU" listed as an application. I'm going to start another post to see if anyone can help me get rid of it. Good Luck!

Mike


Response Number 4
Name: fishlady
Date: May 13, 2004 at 14:12:39 Pacific
Reply:

I just found this thing on my computer this morning. I too tried to defrag but nothing happened.

I have looked for the file names you mention but can't find any, perhaps I'm not looking in the right place?

I did a find file and found that I do have the pup.exe file but can't locate it to delete.

My computer is also old, running on Win98.

I ran SpyBot and it didn't come up. Where else should I look?


Response Number 5
Name: Michael J.
Date: May 13, 2004 at 14:29:50 Pacific
Reply:

K, right click on start and go to explore. Do a search for pup.exe. In the box where you see it right click and delete. Empty recycle bin. Then you might want to try the following.

Erin, this worked for me.

Here's what worked for me. It seems to be gone now.
I did have a pup.exe that I deleted. I tried all the others, over.exe, actulice.exe, bookmarks.exe but I didn't have any of those. I did, however, have an application called "SERU" that was in Windows\System. I couldn't delete it.

From a command prompt I ran REGEDIT. I removed the following:
HKEY_CLASSES_ROOT\pup.setup
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\pup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\asauthr

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\dhcpv

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\dwwizh

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\qlsrv32s

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\svidc32m

HKEY_LOCAL_MACHINE\software\pup

REBOOT. Deleting these stopped the pop-up at boot. I was then able to go to Windows\System and delete "SERU". Rebooted again and it appears to be long gone. (Keeping fingers crossed!!!) Hope this helps.


Response Number 6
Name: Erin
Date: May 13, 2004 at 16:17:29 Pacific
Reply:

Michael J,

the only file I found was
HKEY_CLASSES_ROOT\pup and
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\pup

I deleted them both. I did not find any of the others you recommended. After my reboot I still have the pop up. I am going to defrag my comp tonight but I'm not sure that will work. I don't know what else to do but take a hammer to the dang thing! Anyway, thanks for the info. I'll keep trying!!

Erin


Response Number 7
Name: fishlady
Date: May 13, 2004 at 16:55:26 Pacific
Reply:

Thanks, Michael...but like Erin, it didn't work. I only found the pup.exe file and nothing else. I emptied the recycling and rebooted but the popup came back as well as n-Case that I thought I got rid of.

Where else can this pain in the butt be hiding?

Erin, may I borrow your sledgehammer when you're done?

Thanks for all your help.

K


Response Number 8
Name: Yadirf
Date: May 13, 2004 at 19:03:30 Pacific
Reply:

To solve the "actulice" problem:
1) Go to "start"
2) Click "run"
3) Type in "msconfig"
4) Click "OK"
5) Click on "Startup" tab
6) Find "pg4ds32m" in the list
7) Uncheck its box
8) Restart your computer
9) Smile
______________________

It didn't change names in my particular case, like it apparently did for others.

I posted this earlier over at: http://www.computing.net/windows95/wwwboard/forum/158218.html

Hope it solves your problem.


Response Number 9
Name: Yadirf
Date: May 13, 2004 at 19:41:20 Pacific
Reply:

I forgot to mention that, after the above, you need to erase "pg4ds32m" completely off of your computer. To do so, follow these instructions:

1) Go to "start"
2) Go to "Find"
3) Select "Files or Folders"
4) Type in "pg4ds32m"
5) When it's found, highlight it and hit the delete key.
6) Also delete it from your trash bin.

You can really smile now.


Response Number 10
Name: fishlady
Date: May 14, 2004 at 03:33:22 Pacific
Reply:

Thanks Yadirf,

I looked in msconfig/startup but the file you mentioned wasn't there.

I have been seeing something called TV Media lately. I tried deleting it before but it keeps coming back. Could they be the same thing?

I also searched for the file "pg4ds32m" but again, nothing.

Thanks again.
K


Response Number 11
Name: Erin
Date: May 14, 2004 at 09:05:22 Pacific
Reply:

Yadirf,

I had the same problem as K. I couldn't find "pg4ds32m". A friend suggested I download spykiller, I don't think it's working though. I seriously don't know what else to do....it's so annoying!!


Response Number 12
Name: Yadirf
Date: May 14, 2004 at 10:15:40 Pacific
Reply:

Dears K and Erin,

I'm sorry that this thing is causing y'all so much trouble. There's a lot of people who would like to get their hands on the person who did this to OUR possession. The person may just as well have thrown a rock through a window of our houses, or thrown paint on our cars or something as equally disgusting.

I can suggest two other things you might try, one of which I had to do myself in order to cure this for me. It's been so confusing that I actually forgot having done it, and consequently forgot to tell you all what I did.

But, before I get to that I'll try to help you deal with the reason that you didn't find the "pg4ds32m" listed. It's apparently listed a different way for each computer. In that case, what you'll have to do is uncheck all of them ONE BOX AT A TIME until you've identified the culprit. Just start with the first one in your list, uncheck its box, then restart your computer. If the problem is still there, go to the next one on the list, and so on. You'll eventually find the guilty culprit. Once you do, then go back and recheck all the others' boxes.

Now, here's what I had forgotten to tell you to do, and I sincerely apologize for having done so (Yadirf hitting himself on the head):

1) Go to "start"
2) Go to "Programs"
3) Go to "Windows Explorer"
4) Scroll down to "Program Files" & click it.
5) In the listing on the right look for the items "over.exe" and/or "pup.exe". Delete these.

After having done the above, I hope that you are finally able to "smile".



Response Number 13
Name: Erin
Date: May 14, 2004 at 11:37:04 Pacific
Reply:

OH MY GOD!! IT WORKED!!!!!! This is what I did...thanks to YADIRF!!!

1) Go to "start"
2) Click "run"
3) Type in "msconfig"
4) Click "OK"
5) Click on "Startup" tab

Then I made sure all the boxes were checked and started to go down the list like Yadirf said. The first one I checked was Taskbar Display Controls and that did it!! Hopefully this will work for you K!! Good luck!!!

Erin


Response Number 14
Name: guitar dawg
Date: May 14, 2004 at 11:38:51 Pacific
Reply:

You can also download and run Security Task Manager. It will locate and delete Actulice files for you. For me, it told me the name of the file on my machine (ODEMM.exe), so after I deleted it with the task manager tool, I searched and found it in my Windows\system directory and deleted it through Explorer. I was then able to go into msconfig\startup and uncheck it (now that I knew the name it assigned itself). I also deleted two other recent files (streama.exe and staskm.exe) as well.

P.S. I did the above after finding and deleting pup.exe, but this didn't do the trick. So you should probably find and delete pup.exe as well.

Good luck,

Ted


Response Number 15
Name: RogKel
Date: May 14, 2004 at 12:50:44 Pacific
Reply:

- I have tried all of the above plus some
- Actulice pop-up attempts to open www.palsol.com (an ad to purchase pop-up eliminator software)
- Run Ad-aware 6 in safe mode
- Also have deleted HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\pup key... after reboot key comes back

Any suggestions would be appreciated

RogKel



Response Number 16
Name: Yadirf
Date: May 14, 2004 at 15:21:23 Pacific
Reply:

RogKel,

I'm sorry to hear that you still have the "actulice" problem. I wish I had something more to suggest, but I don't.

There's something that you said that makes me suspect that the one responsible for having created this in the first place is connected with www.palsol.com. You said that this is an ad that sells pop-up eliminator software. Now why do you suppose that the "actulice" thingy would cause you to see an ad like that? My guess is so that the author of "actulice" can make money off of you buying HIS product. Yes, the creator of "actulice" may very well be the owner of www.palsol.com. If this is the case, this person is deliberately causing an aggravating problem for others so that he can benefit financially from it.

Someone really ought to get the proper authorities after this guy, whoever he is, and www.palsol.com should perhaps be the first place they should look for him.



Response Number 17
Name: Top Speed
Date: May 14, 2004 at 16:20:35 Pacific
Reply:

My fix should do it for you. See http://www.computing.net/security/wwwboard/forum/11722.html


Response Number 18
Name: friesx100
Date: May 14, 2004 at 17:22:43 Pacific
Reply:

look for:

CUTQ - COMPANY: thunderdome, INTERNAL NAME: actulice, ORIGINAL FILE NAME: actulice.exe, PRODUCT NAME: actulice

I found mine in the SYSTEM folder
(I'm using Windows ME)


Response Number 19
Name: fishlady
Date: May 14, 2004 at 19:28:15 Pacific
Reply:

Thank you all for your help! I think I'm finally rid of it!

I printed off Top Speed's solution and it worked for me. Since I'm not exactly sure what I'm doing, I hope I didn't screw something else up. But all I know is that there isn't any little popup on my screen.

Does anyone know if actulice is associated with n-Case? That is something else that pops up on my screen every now and then.

Again, thanks for all the help everyone. I agree with you Yadirf...that guy should be sentenced to months of tedious work...say like digging a hole with a toothpick?

K
p.s. I'm smiling :)


Response Number 20
Name: gutter
Date: May 14, 2004 at 20:40:30 Pacific
Reply:

Been at it all day before I found this page.
Thanks for the help. and to those who are responsible :p


Response Number 21
Name: Dan86
Date: May 14, 2004 at 22:18:52 Pacific
Reply:

Yadirf,
I had the same problem with actulice, and I followed your advice and it worked. On my computer the problem was "mgutili". I noticed that every time I unchecked a box that wasn't the actulice one, a new file was there and a previous one wasn't. "mgutili" the restart before was "ilemgt". I believe this is true, if so when you restart your comp, the one in msconfig that changes is the problem. Thanks for the advice Yadirf.


Response Number 22
Name: musictwirler
Date: May 14, 2004 at 23:26:18 Pacific
Reply:

I don't know exactly how I did it, but I got rid of the actulice pop up. I booted up the computer. When the actulice pop up came up, I did not click ok. I left it opened. Then I went to the task manager. I clicked on the applications tab. I saw actulice in the list. I right clicked on it, and chose go to process. Then it went to ryptextc.exe, so I clicked it, and then I clicked on end process. Then I went to the start menu, and I went to find, files and folders, and I typed in ryptextc.exe, and when it showed up, I deleted it from the list, and then I deleted it out of the recycle bin. Then when I rebooted the computer, the actulice pop up was gone. I hope this works for someone else, because I was ready to throw my laptop through the window. Now I really can smile. I hope my problem is fixed for good.

Nko


Response Number 23
Name: Jasen
Date: May 14, 2004 at 23:27:09 Pacific
Reply:

where exactly can you download this "Security Task Manager" that everyone keeps mentioning?!


Response Number 24
Name: Tufenuf
Date: May 15, 2004 at 03:09:08 Pacific
Reply:

Jasen, you can download Security Task Manager at the link below. It is Shareware ($29.00) but does offer a Free Trial.

Security Task Manager

Tufenuf


Response Number 25
Name: ray717
Date: May 15, 2004 at 07:39:25 Pacific
Reply:

I had this piece of sh*T on my computer too.

What I did is what someone else suggested:
go to your start up and uncheck one box at a time and reboot. The actulice popup was called vpasm.exe on my computer.
I erased it and it's gone.
I hope this helps.


Response Number 26
Name: gagnon
Date: May 15, 2004 at 07:45:03 Pacific
Reply:

We fixed it

(It seems that it is renaming itself.)

We uncheck masfw with msconfig

and reboot on safe mode F5

and delete or rename masfw.exe

The procedure :
1) Go to "start"
2) Click "run"
3) Type in "msconfig"
4) Click "OK"
5) Click on "Startup" tab
6) Find "masfw" in the list
7) Uncheck its box
8) Restart your computer

F5 for safe mode

delete masfw.exe
and pup.exe

reboot

thanks Yadirf

M A Gagnon
Aylmer


Response Number 27
Name: Anton
Date: May 15, 2004 at 09:11:05 Pacific
Reply:

I found the method of checking the startup boxes one by one working fine. It took an hour, and the actulice pop up was terminated. My computer uses Win XP, and had 2 times pup.exe, one over.exe and svpr.exe located in win/system32. Thanks to you all for solving this problem. Anton


Response Number 28
Name: janet
Date: May 15, 2004 at 14:33:54 Pacific
Reply:

I've searched this site for all the info I can about this actulice pop-up and how to get rid of it. The only file I could find and remove was pup.exe. I also tried doing the msconfig and going to startup, and the only thing I could find there that someone suggested removing was SERU. But I tried to find the file in my c:\windows\system pathway but I couldn't find a seru.exe file there. I'm not that computer literate so if anyone out there could tell me what I can do to get rid of this (even though there appears to be a number of methods), I would greatly appreciate it! Janet


Response Number 29
Name: bowler2301
Date: May 15, 2004 at 16:06:39 Pacific
Reply:

Running Win98 SE: Deleted the pup files, but to no avail. Couldn't find any of the other ones mentioned. Then tried the Security Task Manager free trial. It showed actulice running, and details said it was called in from Windows/System as SOCKW.EXE. Had S.T.M. end it, then I deleted it and emptied recycle bin to be sure. Rebooted and it was gone.


Response Number 30
Name: iceman27C
Date: May 15, 2004 at 17:22:51 Pacific
Reply:

I got a dose of this too.
On my machine (W98/2), it showed as a 1" square window with "modF" & "ok" in.
Even tho I ignored it, when I came to shut the PC down it wouldn't - just popped another window up saying "Can't Close".
Had to End Everything thro Task Manager to kill the machine, plus it was still there on reboot even after deleting PUP.EXE.
Yes it does seem to change on different machines: on mine it was
C:\Windows\system\idimapm.exe
What solved it for me was security Task Manager, which put it at the top of the list of running processes, and simply gave me a "Remove" option. NOTE THIS JUST REMOVES IT FROM MEMORY - YOU STILL HAVE TO DELETE THE FILE ITSELF (easiest thro Explorer).
Two thoughts in retrospect:
1. The pondlife responsible for clogging up the Internet with C**P like this should be flogged to within an inch of their lives with rusty barbed wire.
2. The way you guys rallied round really does give me a warm feeling - there IS life after SCUMWARE!
Thank you all very much.


Response Number 31
Name: pjk
Date: May 15, 2004 at 22:20:02 Pacific
Reply:

I've had this one too. Deleted the following:
mdmpsw.exe (in dos mode)
bpmone.exe
hdoclcs.exe
pup*.*
over*.*


Response Number 32
Name: nowun
Date: May 16, 2004 at 20:09:28 Pacific
Reply:

I had this problem on a workstation running W98 at work and found there was a second run entry under HKLM\software\microsoft\windows in the registry. It was "Run." with an extra "." It had the entry ininetw.exe in it. Once I deleted it and restarted I had no more problems.


Response Number 33
Name: Cyrilis
Date: May 17, 2004 at 04:21:17 Pacific
Reply:

Hey guys, much thanks, I found out that, to fool proof find the file, just run msconfig, and check each box like Yadirf suggested, however you can check each file like I did by just running each file name under google, that oughta tell you whether or not the file is legit.


Response Number 34
Name: BlindPigg
Date: May 17, 2004 at 06:42:37 Pacific
Reply:

Thanx to everyone who posted info here about this nasty little piece of C**p, I too had it, checked out the info here and finally after several attempts at all the suggestions got rid of it. The solution that worked for me was the msconfig route & my file was called TR9DIAAA.EXE


Response Number 35
Name: Ray2
Date: May 17, 2004 at 10:32:04 Pacific
Reply:

Hi, I recently received the Actulice pop-up and tried everything on this forum and it still pops up. I am running Windows XP and was wondering, is there a solution to this annoying pop-up? I am also running Spybot. Ok, please let me know.

Thanks in advance! ;)


Response Number 36
Name: Top Speed
Date: May 17, 2004 at 12:09:15 Pacific
Reply:

One correction about the comprehensive fix for removing actulice popups and other malware program files manually for Windows 98 posted on

http://computing.net/security/wwwboard/forum/11720.html
http://computing.net/security/wwwboard/forum/11722.html
http://computing.net/windows95/wwwboard/forum/158218.html
http://computing.net/security/wwwboard/forum/11772.html

The free Sysclean engine and the matching virus definition software were downloaded from TrendMicro.com and not from microtrend.com as I stated. I can't believe there is also a microtrend website.

In case anyone needs a free antivirus program, I got the free virus scan from Trendmicro through www.housecall.antivirus.com to do the online scan first. I download and update the sysclean engine and the matching virus definition files as they become available.

Top Speed


Response Number 37
Name: beaverman
Date: May 17, 2004 at 23:53:08 Pacific
Reply:

Start, Run, type 'MSCONFIG' and click startup tab.

Uncheck "Gae".

Now open task manager and if "GAE.EXE" is running, 'End Process'.

Now search for "gae.exe" (include hidden files and folders). It should find it in Windows/system32 if you have the same problem as mine did.

Delete the 'gae.exe' file and reboot. This worked for me but it seems apparent that there are a fair few different 'strains' of this actulice problem.

cheers.


Response Number 38
Name: Mary22
Date: May 18, 2004 at 01:06:39 Pacific
Reply:

Thanks Yadirf, took your advice and went down the msconfig way, found the blighter under the name of SACMM.exe. I am now smiling.


Thanks again, Mary



Response Number 39
Name: JudithA
Date: May 18, 2004 at 03:24:10 Pacific
Reply:

I have just caught onto this, but this thing is driving me mad.

I have tried checking boxes on 'startup', but the actulice thing will not allow me to restart my computer again.

Any advice.

Many Thanx

Judith


Response Number 40
Name: tlogank
Date: May 18, 2004 at 08:17:25 Pacific
Reply:

what if I am on Win2K and do not have msconfig...then what do I do?


Response Number 41
Name: Ray2
Date: May 18, 2004 at 10:28:32 Pacific
Reply:

I resolved my "Actulice" popup. I followed the link Top Speed mentioned in the message. Go to trendmicro.com to scan for Trojan. I had 13 files infected. Then I went into Msconfig to uncheck "load.exe" and several other unfamiliar startup files. Then restart and the popup is gone.

This works for Windows XP!

Thanks all!



Response Number 42
Name: RogKel
Date: May 18, 2004 at 12:03:38 Pacific
Reply:

Thanks to Yadirf & TopSpeed for their assistance!

Below is my fix:

**Running Win 2000 Pro SP4**
- Identified and cross-referenced what processes were running from Task Manager and MSCONFIG
- Located any suspicious programs
- Found 2kn.exe (C:\WINNT\System32) "Thunderdome"
- Identified 2kn.exe in MSCONFIG & unchecked in Startup Tab
- Using Regedit deleted HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PUP
- Deleted all Internet Temp Files, Cookies & *.tmp files
- Emptied the Recycle Bin
- Restarted PC
- Updated & ran Ad-aware 6.0

RogKel


Response Number 43
Name: Nucleus
Date: May 19, 2004 at 11:33:04 Pacific
Reply:

Thanks Yadirf! (Response number 12)
That worked for me.
Best regards,
Nucleus from Denmark.


Response Number 44
Name: Nucleus
Date: May 19, 2004 at 11:35:59 Pacific
Reply:

Oh Yadirf, by the way, I'm SMILING now :)


Response Number 45
Name: Jimc
Date: May 19, 2004 at 15:12:47 Pacific
Reply:

Look for EXE files that have been created in the past week or so. It looks like this thing generates EXE files with a variety of names, but it can't change the dates that it was created.

I found three different names for it; they were "luginp.exe", "egsvr32r.exe", and "sndmon.exe"

Jimc


Response Number 46
Name: lightspeed
Date: May 19, 2004 at 19:04:16 Pacific
Reply:

Thanks for the help in getting rid of this thing. I actually had 2 of them running on my machine. I did a search and got rid of the offending files, but they are still showing up (unchecked) in the Startup menu of the System Config Utility. Is this normal? How can I get rid of them?


Response Number 47
Name: Top Speed
Date: May 19, 2004 at 20:19:08 Pacific
Reply:

No trace of the thunderdome files should remain on your computer.
Locate the previously identified .exe malware from thunderdome by doing either a Find or Search.

Delete the malware .exe files from Windows Explorer - usually found in the system folder.

Search pup.exe and over.exe and then delete them from your Program Files folder.

Remove the previously identified .exe files from thunderdome in Windows registry Run key and delete the entire Pup key as directed in links,

See Top Speed Responses at,
http://www.computing.net/security/wwwboard/forum/11722.html
http://computing.net/security/wwwboard/forum/11772.html



Response Number 48
Name: kyouta
Date: May 19, 2004 at 20:41:50 Pacific
Reply:

okok 1st of all i really have to thank you guys for all ur help, took me abt 1 and a half hours to fiddle here and there but i finally got it removed, herez how i done it

1)I followed Yadirf's method in response No. 12 and found out mine was a bugger named SSTDFMTM, so i deleted the file in my sys32

2)Then i made a search in windows explorer for the various over.exe, actulice.exe blah blah and found i had actulice.exe, so i deleted that too

3)Ok the pop ups have stopped *phew* but as with lightspeed in response 46, the thingy still exists in my Startup menu

4)I tried Michael J's method in response 5 and found pup and the SSTDFMTM somewhere along the lines, so i deleted them and woo!!!! okok my com iz now back to normal (I hope)


Response Number 49
Name: Top Speed
Date: May 19, 2004 at 22:35:16 Pacific
Reply:

Don't forget to delete the data value (of the malware file path) in the Run key in the registry.


Response Number 50
Name: GishFarm
Date: May 20, 2004 at 06:56:35 Pacific
Reply:

Thank-you Yadirf!

The process of elimination worked!! I unchecked half the processes in msconfig startup tab. Didn't get the pop-up on reboot so I knew it was one of those. I rechecked half of them trying to select ones I suspected to be valid... still no pop-up. Repeat until I got down to the last 4 then just guessed until it came up again. Upon reboot the task in that slot was renamed to AVAPERMJ.exe in windows/system. Sorry guys, I forgot what it was named before - but it was NOT that. Anyway, disabled it, deleted it, and I have been pop-up free for 20 minutes.. yeah!

Thank-you all for your ideas and help!



Response Number 51
Name: nicklancos
Date: May 20, 2004 at 10:03:34 Pacific
Reply:

Okay guys and gals, I think I just successfully deleted that actulice.exe pop-up b---tard. After reading many of the suggestions, to no avail, I found a solution that worked for me. I'm running Windows ME on an HP Pavilion if that helps any, and I did the following.

-Click "Start" -
-Click "Run" -
- Type "msconfig" -
- Click the "startup" tab

I wrote down all of the names I saw on the screen because several people have said that this thing changes name. It did just that for me. I found it under C:/Windows/System/csiDlls.exe

I also had the "actulice.exe" program which I found thru the normal file search. I looked for all the other names that I came across, such as:

xtrac32e.exe, pup.exe, xapid.exe, aveej.exe, bdalk.exe, malware.exe, sndmon.exe, egsur32r.exe, luganp.exe, 2kn.exe, gae.exe, tr9diaaa.exe, mdmpsw.exe, sockw.exe, masfw.exe, seru.exe, odemm.exe, Intsesst.exe, Udcedite.exe, actulice.exe, pup.exe, bookmarks.exe, ompmgnite.exe, sheartsm.exe, ddbse320.exe

- and all others. I also looked for the pg4ds32m registry, but it wasn't there. Once I found out that this thing had renamed itself to "csiDlls.exe" I used this method.

- Click "Start" -
- Click "Run" -
- Type REGEDIT -
- Find HKEY_LOCAL_MACHINE and double click -
- Find SOFTWARE and double click -
- Find "Microsoft" and double click -
- Find "Windows" and double click -
- Find "Current Version" and double click -
- You should see two folders, one called "Run" and one called "Run-". Delete the "Run-" folder because that is where it will be and that's where it was when I found it. I deleted it, and also wrote down its location when I used the "msconfig" method. I found it in C:/Windows/System/csidlls.exe

Once you have found and deleted it make sure you empty your recycle bin and look for any other names such as the ones I have suggested and suggested by others on this forum. When you are searching make sure you have all hidden files, hidden system files, and hidden operating files unhidden. I had two of the names, so you may have one, three, or six, who knows. I hope this helps.

Thank you to iceman27c, bowler2301, murve, Michael J, Yardif, Ted, Top Speed, friesx100, and gagnon for their help.
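
Responses 21, 32 and 51 report two traits of this infection: the startup entry is renamed between reboots, and it sits in a lookalike key ("Run." or "Run-") next to the real Run key. The following is an added example, not part of any post in this thread: a Python sketch that parses REGEDIT4-style registry export text, flags lookalike autostart keys, and diffs two boots to isolate the entry that changed. The sample exports, their file paths and the list of key names treated as standard are assumptions made for the example.

```python
import re

# Autostart key names assumed standard for this example (lower-cased).
STANDARD_RUN_KEYS = {"run", "runonce", "runonceex", "runservices", "runservicesonce"}
CURRENT_VERSION = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\"

# A string value line in a .reg export: "name"="data" with backslash escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg exports escape backslashes and quotes inside strings with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse export text into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def _autostart_child(path):
    """Return the subkey name if path is a direct child of CurrentVersion that
    is, or imitates, a standard autostart key; otherwise None."""
    if not path.lower().startswith(CURRENT_VERSION):
        return None
    child = path[len(CURRENT_VERSION):]
    if "\\" in child:
        return None
    # "Run." and "Run-" both reduce to "run" once punctuation is stripped.
    normalized = re.sub(r"[^a-z]", "", child.lower())
    return child if normalized in STANDARD_RUN_KEYS else None


def lookalike_run_keys(keys):
    """Keys whose name imitates an autostart key without being one."""
    flagged = []
    for path in keys:
        child = _autostart_child(path)
        if child is not None and child.lower() not in STANDARD_RUN_KEYS:
            flagged.append(path)
    return sorted(flagged)


def autostart_entries(keys):
    """All (value name, command) pairs from real and lookalike autostart keys."""
    entries = set()
    for path, values in keys.items():
        if _autostart_child(path) is not None:
            for name, data in values.items():
                entries.add((name.lower(), data.lower()))
    return entries


def rotating_entries(before_text, after_text):
    """Entries that vanished and entries that appeared between two boots."""
    before = autostart_entries(parse_reg_export(before_text))
    after = autostart_entries(parse_reg_export(after_text))
    return sorted(before - after), sorted(after - before)


# Constructed sample exports; the value names are borrowed from Response 21,
# the file paths are made up for illustration.
BOOT_1 = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.]
"ilemgt"="C:\\WINDOWS\\SYSTEM\\ilemgt.exe"
"""
BOOT_2 = BOOT_1.replace("ilemgt", "mgutili")

if __name__ == "__main__":
    print("Lookalike keys:", lookalike_run_keys(parse_reg_export(BOOT_1)))
    gone, new = rotating_entries(BOOT_1, BOOT_2)
    print("Disappeared since last boot:", gone)
    print("Appeared this boot:", new)
```

Entries that stay the same across both exports are left out of the result, so only the renamed entry needs to be looked at by hand.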


Response Number 52
Name: ashcrimson0083
Date: May 21, 2004 at 10:59:24 Pacific
Reply:

Dudes, I followed the instructions stated here, specifically Top Speed's to remove this malware. I got myself a good news-bad news situation.

Good news

- the files, registry keys and the task manager entries have been cleared of this file

Bad News

- I noticed that my media files (mp3, wma, various movie files) changed icons, specifically the icon where there is no associated program installed to open these file types, and what's more, the windows media player icon changed from its standard appearance to that of a setup/install - type file, and when I try to open media player, boom! the horrid things are back...

done the stated removal procedures twice and I'm getting the same results... It seems that this program binded with my media player... what should i do about it?


Response Number 53
Name: Top Speed
Date: May 21, 2004 at 13:18:44 Pacific
Reply:

Hi ashcrimson0083,

It's Top Speed. I have Windows 98. What operating system are you having this problem on?
Sounds like you may have another virus or trojan malware not related to actulice and here is why:

I also had a problem with my Windows Media Player; however, in my case, I don't believe actulice affected my media player because it wasn't working already. The Media Player failure was before the actulice problem, and I believe it was due to qhosts and Windows security updates.

After I fixed the actulice problem, I uninstalled my Windows Media Player, cleaned out both Windows Media and RealPlayer remaining files, reinstalled Windows Media Player from Microsoft website.

I have since updated Windows security patches and Office2000 also, and it has been over a week now since I removed all affected thunderdome .exe files relating to actulice on my first try, kept up with new antivirus and ad removal software (all free software), and I don't have a repeat actulice popup.

Since I don't have a repeat actulice problem even after I installed many software programs after the actulice resolution, you probably have another virus or trojan infection on top of the actulice problem assuming you followed all the steps in my fix.

Have you kept up with updating your antivirus and ad removal programs? You may have another virus or trojan infection in addition to the actulice problem. You need to run antivirus every day and update the virus pattern files frequently.

I just opened my Windows Media Player after reading your post just to see what will happen. My Windows Media Player is working and no actulice popup yet.

I try to be as thorough and methodical as I can with my fixes to save everyone time, did you follow all the steps including the prep work? Perhaps you didn't remove all the thunderdome exe files or missed a step while removing the changing .exe files from thunderdome?

I also noted that I removed many non-thunderdome related malware files in my system folder. Although probably not related to the actulice popup problem (these .exe files are from Totempole), did you try to clean up your system folder?

Make sure you clear out all your Internet temporary files, cookies, Internet history records if you don't need them, search and delete all temp files, and empty recycle bin when doing the prep work.

Also, for XP/ME systems, System Restore has to be disabled so antivirus can scan any infected system files. What's your OS?

I am afraid you have to uninstall your media player, repeat the actulice removal process, and then reinstall your media player.

I suggest you uninstall your media player via Add/Remove and then delete all related program files. Search and delete shared files, tmp files, empty recycle bin, and scan and defrag your hard drive so no trace of media player or related files remain on your OS. Don't reinstall your media player until you resolved the actulice problem by removing all changing exe files from thunderdome.

Update and run your ad removal and antivirus programs. Your antivirus will identify the malware file(s) you need to remove. Write them down. These are the files you have to identify and terminate from msconfig, Task Manager, Program Files and system folder, and registry keys described in my detailed fix.

All actulice changing .exe files can be removed by this method I described regardless of the exe filename, and the actulice popup problem resolved.

After you UNINSTALLED your media player and resolved your latest actulice popup problem by repeating the actulice fix, and if you still can't remove these previously detected malware files from the registry keys I mentioned in the fix, then the malware file is not an actulice-related malware, and you should post a new malware problem under a different subject heading if you need help.

At least you'll have removed the actulice popup.

Suggestion: Don't install your media player until after you removed this other NON-actulice-related malware though.

Top Speed


Response Number 54
Name: the_joker_111
Date: May 21, 2004 at 15:52:42 Pacific
Reply:

Just a little peace of mind to all those having been affected by the Actulice insurgence..........Federal Cybercrimes Investigators have added the actulice/pup invasive programs to their "urgent matters" list. I have reliable sources who are on the research and development team for Norton and Adaware antivirus moguls who also say that this bug is NOT related to the n-Case problems that many folks are experiencing. (Sidenote: Spybot has updated to include newer infiltration search and countermeasures to handle n-Case adware, spyware, and keylogger saboteurs.) The most reliable information and peace of mind I can offer is that federal agents are hard at work on this and many other internet crimes and criminals. Earliest leads are ties to the owner of www.palsol.com an Adware/Popware development corporation, but only in the earliest stages of fruition.

Secondly, I (yes even I) recently had a bout with ACTULICE. Yardif seems to have the best remedy. Best of luck and happy hunting.

the joker


Response Number 55
Name: Top Speed
Date: May 21, 2004 at 16:06:55 Pacific
Reply:

Also,

Just as you delete Internet temporary files, cookies, and search and delete all temporary files, and empty Recycle Bin before you update and run ad-removal and antivirus to identify malware, you should repeat them again after the malware files are removed.

After you resolved the actulice problem, repeat above steps to clean up your files, empty recycle bin, and then update and run antivirus again.

Then, scan and defrag hard drive to ensure files are removed.

Create a full backup of your PC once you confirm everything is working.

Install your media player.

Do security updates from Microsoft.



Response Number 56
Name: Top Speed
Date: May 21, 2004 at 23:30:31 Pacific
Reply:

ashcrimson0083,

Make sure you have identified ALL malware exe files from thunderdome in msconfig Startup and do not restart pc when prompted by msconfig until you have identified and removed all thunderdome program files from your system folder. Because these thunderdome exe files change filenames, you have to repeat the identification and disabling process several times in msconfig Startup to identify and terminate all malware exe files in msconfig Startup before you could delete them from system folder. If you restart your PC before you delete the detected thunderdome file (and the remaining unidentified thunderdome program files) from the system folder you risk them being either enabled or uploaded in startup again. If this is all too confusing to comprehend, just don't restart your pc until you are at the last step, the search-and-clean step.

Make sure you confirm that all malware have been identified and removed from the system folder by doing a search of all previous identified and detected thunderdome executable files and by "arrange-icons-by type" to check that no missed or remaining exe files are from Thunderdome.

Also, make sure pup.exe and over.exe are removed from Program Files folder.


Response Number 57
Name: Vax65
Date: May 22, 2004 at 10:43:57 Pacific
Reply:

All,

Thanks for your suggestions, I actually got the Actulice AND the msbb at the same time ... when just surfing! I have a router doing NAT, Symantec Anti Virus real time, a Personal Firewall and I STILL got infected!!
Thanks to the firewall I immediately was aware of the thing, but how can you avoid this? Specific security settings in IE? ....


Response Number 58
Name: Top Speed
Date: May 22, 2004 at 21:48:40 Pacific
Reply:

RE: FIVE POSSIBLE REASONS FOR ACTULICE POPUP REINFECTION

1. Used the System Restore feature on your pc and restored previously infected system files.

XP/ME systems, should disable System Restore so antivirus can scan and remove infected system files; however, in the case of actulice, if you didn't disable your System Restore when removing thunderdome exe files, this doesn't matter. Thunderdome exe files can be removed manually.

2. Antivirus programs cannot remove virus when it's running, so inactivate the virus by restarting the pc in Safe Mode when running antivirus program.

3. Some of the parts of virus were not removed. Sometimes, additional steps are required for complete removal. Consult the virus encyclopedia of your antivirus software vendor.

4. Not running the latest virus pattern file

5. Failed to install Windows security updates from Microsoft.

http://service1.symantec.com/SUPPORT/sharedtech.nsf/7e7f15291a25d938882567e50048a048/34e1dda598ab705b88256e660063b50f?OpenDocument&src=bar_sch_nam



Response Number 59
Name: joe_042293
Date: May 23, 2004 at 04:38:40 Pacific
Reply:

Can someone help? I have actulice and Windows 2000 Millenium Edition and I have found the files in C:\Windows\System. There were about six .exe files all with random names made on the same date, 22 May, and modified on 12 May. It was made by a company named "Thunderdome". I selected them all and deleted, permanently, but three of them were "being used by windows". I can't delete the last three!!! I've tried all that "msconfig" $h!t but it doesn't stop!!! I get three about seven pop-ups when I turn on the computer now!!!!

HELP!!!!!!!!!!!!!

Thanks,

Joe

---------------------

Viruses on my PC and % to removal:

"Actulice":

|||||__ -- 50%


Response Number 60
Name: bestpool
Date: May 23, 2004 at 12:28:33 Pacific
Reply:

@@@ REMOVE ACTULICE MODF @@@@

actulice changes its name at every startup.

Actulice (advertisers and web publishers) http://www.achtungachtung.com

Actulice version 5.0.0.1 Thurderdome original name actualice.exe (68 KB)

In C:\WINDOWS\SYSTEM32
--> omaddinc.exe (68 KB)
--> igverifs.exe (68 KB)
--> or ((other)).exe
In: Start / Run / msconfig / Startup

Delete: igverifs.exe or omaddinc.exe or other.exe

Delete the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igverifs (or other)

Good Luck ;o)))


Response Number 61
Name: Top Speed
Date: May 23, 2004 at 12:37:03 Pacific
Reply:

joe_042293,

Excellent, you are half way through. Keep an eye on these identified thunderdome exe files. For Windows 2000, you shouldn't have msconfig, a system configuration utility. If you do, then notate the filenames and disable the 3 thunderdome files one at a time in msconfig without restarting the pc; they will reappear one at a time with the next filename in msconfig after you disabled one. Don't restart your pc until you have gone all the way through finishing the last confirmation and cleaning step, and if you did restart the pc, then repeat from the beginning by terminating all detected thunderdome files from memory and startup.

1. For Windows 2000 system, you need to terminate your last three thunderdome exe files from Task Manager from memory one at a time by closing and reopening Task Manager until each detected file has been stopped; remember, each time you terminate one, another thunderdome executable with a different filename shows up. Repeat the end-process in Task Manager on all detected malware files in the running list of running processes.

And if you still can't terminate the malware process from memory, restart the pc and repeat the steps in Task Manager to end malware programs from running one at a time until no thunderdome files are in Task Manager. Close Task Manager and open it again to confirm all malware programs have been terminated.

2. Remove autostart entries from the registry as described in my fix

3. Remove other entry from the registry as described in my fix

4. Confirm, clean, and delete step (as described in my fix but briefly)

Delete the three thunderdome files from your system folder (For Windows 2000, it's \winnt\system32)

Delete pup.exe and over.exe from program files folder

Do a Find to locate any remaining previously identified thunderdome files and delete them (and any temp files).
Confirm all thunderdome files have been removed from system folder and from the computer.

Empty Internet temporary files, cookies, history, and Windows temp folder

Empty Recycle Bin


Response Number 62
Name: Top Speed
Date: May 23, 2004 at 13:20:41 Pacific
Reply:

Once everything is working, update and run antivirus again.

Scandisk and defrag your hard drive, and then create a full backup.


vax65 and ashcrimson0083,

To address your concerns related to media player and IE security, while this is not a specific resolution to the removal of actulice popup, Trojan exposure seems to have something to do with Active X components and plug-ins. I haven't read up on it yet. If you want to do some research about Active X issues, my old network book suggests www.download.com/browsers and www.cnet.com for information, and one guy from Lavasoftusa support forums posted this link to stop his trojan from acting up (haven't removed it),

http://www.computerbytesman.com/acctroj/

for disabling Java permissions and ActiveX scripting. I did a quick read but haven't read up on it to vouch for it if you are interested.

I kept up with the usual pc cleaning routine, antivirus updates, and with the security updates from Microsoft and doing that seems to help if not enough. From what I learned so far about antivirus, antiad, and trojan removal programs, I don't download any software, antivirus or not, until I read up on them, except in emergency cases. So far, after running my free antivirus and adaware scans, any malware not removed automatically, I remove them manually to stay out of trouble.


Response Number 63
Name: Top Speed
Date: May 23, 2004 at 16:21:25 Pacific
Reply:

joe_042293,

Sorry if I caused any confusion. I misread your operating system, but the steps are the same. In your case for Windows ME, you would have msconfig and could disable thunderdome malware files from msconfig startup as described. And then, you must terminate these previously identified thunderdome exe files from running in memory in Task Manager.

Because Windows 95/98/ME systems may not display all processes running in Task Manager, it's best for you to first identify all the thunderdome exe files in msconfig Startup, and then terminate them from running in Task Manager, so you could delete the malware exe files in your system folder manually.

As long as you terminate ALL thunderdome changing exe files from running in Task Manager and follow through with removing the upload program files, editing the registry, and the confirmation and cleaning step, you should be able to remove actulice popup on the first try.

Note: System is the Windows system folder, which is usually
C:\Windows\System on Windows 95, 98 and ME,
C:\WINNT\System32 on Windows NT and 2000, and
C:\Windows\System32 on Windows XP.

Detailed steps for Windows 98 are available for your reference at,

Top Speed's responses
http://www.computing.net/security/wwwboard/forum/11722.html
http://computing.net/security/wwwboard/forum/11772.html
http://computing.net/security/wwwboard/forum/11779.html

NOTE: IF you use the msconfig method to identify the thunderdome files, when you click on the OK button on actulice popup, you can see a new thunderdome filename enabled in your msconfig Startup window after you just disabled one. Therefore, you have to repeat the disabling process in msconfig startup until all thunderdome exe files have been identified and disabled.


Report Offensive Follow Up For Removal
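
An added example, not part of any poster's reply: the manual check this thread converges on (autostart entries under the Run key, matched to files whose properties show the company name "Thunderdome"), written as a read-only PowerShell report for a current Windows system. PowerShell did not exist on the Windows versions discussed here; the `Run-` key and the company-name match come from the posts, and the function, variable and verdict names are this example's own.

```powershell
# Added example: read-only triage of autostart entries, modelled on the manual
# steps in this thread. It reports only; it deletes and changes nothing.
$vendorPattern = 'Thunderdome'   # company name the posters saw in file properties

# Run keys named in the thread. "Run-" is where msconfig on Windows 98/ME parks
# entries unchecked in its Startup tab; it is skipped when it does not exist.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Resolve-AutostartPath {
    # Turn a Run-key command line into the path of the file it starts.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') {
        $path = $Matches[1]                       # quoted path, arguments follow
    } elseif ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr))(\s|$)') {
        $path = $Matches[1]                       # unquoted path, may contain spaces
    } else {
        $path = ($cmd -split '\s+')[0]
    }
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        return (Get-Item -LiteralPath $path).FullName
    }
    # A bare file name (no folder) is looked up in the system and Windows folders,
    # which is where the posters found the randomly named executables.
    if ($path -notmatch '[\\/:]') {
        foreach ($dir in @([Environment]::SystemDirectory, $env:SystemRoot)) {
            $candidate = Join-Path $dir $path
            if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
        }
    }
    return $null
}

$report = foreach ($keyPath in $runKeys) {
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }
    $key = Get-Item -LiteralPath $keyPath
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        $file    = Resolve-AutostartPath $command
        $info    = if ($file) { Get-Item -LiteralPath $file } else { $null }
        $company = if ($info) { $info.VersionInfo.CompanyName } else { $null }
        $verdict = if (-not $file) {
            'target missing'          # value left behind after the file was deleted
        } elseif ($company -match $vendorPattern) {
            'vendor match'            # same company name as the files in the posts
        } else {
            'review'
        }
        [pscustomobject]@{
            Verdict  = $verdict
            Key      = $keyPath
            Name     = $name
            File     = $file
            Company  = $company
            SizeKB   = if ($info) { [math]::Round($info.Length / 1KB) } else { $null }
            Modified = if ($info) { $info.LastWriteTime } else { $null }
            Command  = $command
        }
    }
}

$report | Sort-Object Verdict, Key | Format-Table -AutoSize -Wrap
```

Entries marked `vendor match` correspond to the files the posts disable in startup and then delete from the system folder; `target missing` marks a leftover value whose file is already gone.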

Response Number 64
Name: Zelanator
Date: May 24, 2004 at 13:32:25 Pacific
Reply:

I was able to FINALLY get rid of this annoying thing.

I looked at the post where the guy said find something like pgxsdm32m.exe when i checked i didn't have it but i did have something called dms32m.exe and i thought the 32m was interesting so i unchecked it and guess what.

NO MORE STUPID ACTULICE!!!

Turns out thunderdome was the company that produced dms32m.exe so someone needs to shut them down.



Response Number 65
Name: Guillermo Carlos
Date: May 24, 2004 at 15:43:40 Pacific
Reply:

done all that have been written here but don't know how to take it out of the start-up menu in msconfig.

can someone please tell me how to delete the unchecked programs

btw.... actulice free now for a few hours


Response Number 66
Name: millymolly
Date: May 25, 2004 at 07:27:06 Pacific
Reply:

Read all of this - very helpful but can one of you genii give me a full idiot's guide as to how to remove the actulice pop up from Windows XP. Got rid of my worm virus I think, but this pop up persists.

Thank you


Response Number 67
Name: chrisC
Date: May 30, 2004 at 10:57:39 Pacific
Reply:

YESSS ok, so...
I downloaded security task manager and searched for any serious problems. Since I had 2 actulice windows pop up every time it found 2 files under actulice named "tvdmdn" and "tlanui2n". So, I pressed "Ctrl+ALT+DLT" and stopped both tasks and went to startup and clicked both the file names and it worked!!! FINALLY!!!! YESS! Thank you everybody for your help on the forum this is like the most technical thing I have ever done :)


Response Number 68
Name: cecile
Date: May 30, 2004 at 20:29:22 Pacific
Reply:

I had trojan on my computer...I used my antivirus to delete some files but my antivirus always found actulice.exe even if I had deleted it before. Now it seems to be OK, my antivirus does not detect any virus...but windows media player does not want to work! I've got the message C:\windows\actulice.exe, windows can not access the file (it seems normal since i deleted it)...but what can i do to make Windows media player work.
Thanx a lot



Response Number 69
Name: carlsberg
Date: June 2, 2004 at 01:32:22 Pacific
Reply:

YES! thanks Musicwriter, your idea worked like a charm!
THANK YOU! THANK YOU! THANK YOU! You have no idea how grateful I am!!

Carli


Response Number 70
Name: mushroom2000
Date: June 2, 2004 at 04:11:58 Pacific
Reply:

i didn't download the task manager but managed to debug the virus. I did what was suggested here (the startup thingy) and found the virus under P_855C. when i restarted the comp it changed its name to ATACLEND. i just deleted all the application files under these names and actulice disappeared. hope this works for someone.


Response Number 71
Name: scootopia
Date: June 3, 2004 at 07:42:27 Pacific
Reply:

For XP user:-
- when the piece of s*** appeared on the screen
- press CTRL-ALT-DEL
- click to the Applications
- select actulice.exe(right mouse)
- select Go To Process

It will show the file to be deleted !!!
Try this !!! It works for me !!!!


Response Number 72
Name: lyingfromyou
Date: June 7, 2004 at 19:21:23 Pacific
Reply:

i used the online scanner( the one that top speed recommended) and i found a trojan called TROJ REVOP.C

the scanner said it was non- cleanable

how do I search for it and delete it now?? I managed to remove the pop-up upon boot, but I want to make sure my comp is REALLY clean of it.

Thanks in advance....

lazy


Response Number 73
Name: Top Speed
Date: June 7, 2004 at 19:47:34 Pacific
Reply:

Hi Lazy,

TrendMicro offers the manual removal instructions for Troj_revop. Look up the removal instructions for the trojan horse in its Virus Encyclopedia.

This trojan horse is not related to the Actulice popup problem, and as most viruses/worms can expire to run for a period of time, you still need to follow through with the written instructions to manually identify and remove the executable files and reference files for Actulice.

The last step is to do a Search or Find of all identified executable files from Thunderdome on your hard drive to confirm they have been removed from the computer.

