More actulice trouble

Original Message
Name: Jim Schrader
Date: May 16, 2004 at 16:15:26 Pacific
Subject: More actulice trouble
OS: Win 98 se
CPU/Ram: 2.0 512K
Comment:

I just inherited the Actulice worm. I checked out the following threads: http://www.computing.net/security/wwwboard/forum/11722.html, 11720.html, 11733.html, and 158218.html. So far the only thing I found was pup.exe and I deleted that. I've gone through the laundry list of other exe's, I've looked for 64K files from the known offenders and gone through my startup list going after everything with the least suspect name. This damn thing is still there. Any other suggestions? I hate to format and reload; I'm getting tired of that.




Response Number 1
Name: Jim Schrader
Date: May 16, 2004 at 16:22:47 Pacific
Reply:

One additional thing: I also checked for the SERU under Program Files and came up empty. According to Windows Explorer, this thing doesn't exist.



Response Number 2
Name: Top Speed
Date: May 16, 2004 at 17:02:59 Pacific
Reply:

Jim,

Because actulice can swap .exe files, instead of chasing after .exe files, use my newly revised comprehensive fix in Response #3 for "Subject: Popup plague =Hijack? help please"; it should do it for you. It will remove actulice and other popups as well, and you can use the instructions for future problems.

Here is the link,
http://computing.net/security/wwwboard/forum/11772.html

Top Speed



Response Number 3
Name: Top Speed
Date: May 17, 2004 at 01:22:27 Pacific
Reply:

Jim,

Briefly, you do not need to reformat your hard drive to fix this problem. Removing popups and malware program files manually is easy to do, but it's better to be thorough to save time. The tricky part is identifying the changing .exe files from Thunderdome to delete. About fixing the actulice popups specifically, make sure you:

1) Identify and disable any malware .exe files (I show you how in post link 11772) from Thunderdome from the msconfig Startup tab. Do not exit msconfig and restart your pc until you have deleted all suspected .exe files from Thunderdome from the Windows system folder in Explorer and edited the Windows registry. Most of us have at least two changing .exe files to spot in msconfig Startup while clicking on the actulice popup before we could delete them from the system folder, and you may have more than two .exe swap files from Thunderdome, so you have to repeat the process of identifying the changing .exe files from Thunderdome from msconfig Startup (the actulice popup) and the system folder.

2) Delete pup.exe and over.exe from the Program Files folder.

In addition to deleting and emptying all .tmp and .gid files, you could also delete the Internet temporary files and cookies before you run your antivirus and ad removal programs in the Prep Work stage.

I would delete all other malware programs from the system folder while you are at it. Removing them will improve the performance of your pc.

One correction about the free antivirus software I mentioned in http://computing.net/security/wwwboard/forum/11772.html. The free Housecall scan and the free Sysclean engine and virus definition software are from TrendMicro.com and not from microtrend as I stated. I can't believe there is actually a microtrend website, too!

Top Speed



Response Number 4
Name: Jim Schrader
Date: May 18, 2004 at 10:07:32 Pacific
Reply:

Thanks Top Speed. It seems to be gone. For others who may get this; The .exe was changing each time making it difficult to find. Downloaded the programs suggested except for sysclean. Thunderdome was the culprit.



Response Number 5
Name: Top Speed
Date: May 18, 2004 at 23:27:36 Pacific
Reply:

Jim,

Appreciate your feedback and glad things worked out for you.


re: Downloading Sysclean

Running Trend Micro Antivirus as per Trendmicro.com:

"Scan your system with Trend Micro antivirus and delete all files detected as [malware aliases]... Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner."

This means -

For first-time Trend Micro antivirus program users:
Find the free online virus scan at http://housecall.trendmicro.com/

For subsequent Trend Micro users, either purchase or download free antivirus software updates:

1. For free automatic removal of malware after initial free online scan, use Trend Micro System Cleaner (working well for me and recommended if you want automatic removal of the latest malware free).

2. Free update of this automatic removal software is available for both the matching scan engine and virus pattern file; both should be updated at the same time.

Free Sysclean Package: http://www.trendmicro.com/download/dcs.asp
Free Matching update of latest virus pattern file: http://www.trendmicro.com/download/pattern.asp

Top Speed




Response Number 6
Name: DerrickA
Date: May 19, 2004 at 12:01:23 Pacific
Reply:

I would really like a reply or some help, so if someone gets this I would greatly appreciate it. I am also not the comprehensible as to the technology terms that you guys may use, so if someone does get this please try to speak in a way that I can understand. I don't know if this is a virus or not but suddenly I am getting this prompt or small window that says (actulice):modf or something like that. Afterwards (when you press OK) another one comes up that says funk. Weird, I know. My question is "Is it a virus and if so how can I get rid of it?" Thank you.



Response Number 7
Name: Top Speed
Date: May 19, 2004 at 13:22:55 Pacific
Reply:

DerrickA,

Actulice popup is a malware program that can be removed from your computer (or operating system) manually if your antivirus program couldn't remove it for you. And depending on the type of OS you have, the resolution would be slightly different.

There is a wealth of Actulice popup fixes for various Windows operating systems provided on the board (three + threads), and two very in-depth step-by-step fixes have been provided by me for Windows 98 at links,

Top Speed's responses
http://www.computing.net/security/wwwboard/forum/11722.html
http://computing.net/security/wwwboard/forum/11772.html

My step-by-step guide is pretty comprehensive and thorough (to a point or the written instruction could become too tedious and confusing).

If you use an operating system other than Windows 98, may I suggest you reference all three+ previous discussion threads on the board and find a resolution that is relevant and understandable to you. You will find background information that will enhance your understanding of this Actulice popup.

Here are some things to do to start:

1. Have you installed, updated, or run the latest antivirus program?

If not, information is available on how to install and run the Trend Micro antivirus program -- see Response #5 above and Top Speed's responses in the links provided above.

2. What operating system is having the Actulice popup problem?

3. What specific problems or difficulties are you having with the instructions to remove the malware?

4. Do you know how to download and install software?

If you don't know how to download program files and install software downloaded from the Internet either from the discussion board or from experience and are afraid to do it, I suggest you find someone to show you how to do it in person the first time around and direct them to the fixes that are relevant to your computer on the board to help you remove the malware.

You could also search the Internet or the computing.net site for specific basic information you need to get started.

Top Speed



Response Number 8
Name: DerrickA
Date: May 19, 2004 at 14:33:57 Pacific
Reply:

Thank you TOP SPEED

I really appreciate your help, and computing.net for existing.



Response Number 9
Name: Pandelos
Date: May 20, 2004 at 07:21:23 Pacific
Reply:

Hi guys!! I also got this actulice pop-up thing and I also have Windows Millennium!! Is there anything more I should do to destroy it?? Anyway I want you to know that when I got to the website called www.cheats-and-codes.com and searched for cheats for the VICE CITY game I was hit by 5 pop-ups and one of them must have stuck me the actulice!! So do never go on this website. THANK YOU!!!!!

Pandelis Andreadis



Response Number 10
Name: Pandelos
Date: May 20, 2004 at 07:25:02 Pacific
Reply:

I do not have yet installed in to my computer the office for ME windows so I don't have any .exe. WHAT can I do???
Can you help me?

Pandelis Andreadis



Response Number 11
Name: Top Speed
Date: May 20, 2004 at 10:56:49 Pacific
Reply:

Pandelos,

Reference Top Speed's methodical and in-depth actulice fix for Windows 98 and other relevant issues at,
http://www.computing.net/security/wwwboard/forum/11722.html
or
http://computing.net/security/wwwboard/forum/11772.html

It's a step-by-step fix for Windows 98, but all operating systems could adopt the fix mentioned above for Windows 98 except Windows 2000. Windows 2000 is the only Windows operating system without a system configuration utility (at least one not supported by Microsoft), but I provided its fix in another actulice thread already.

Here is a brief checklist or an overview of how to remove the actulice popup for all OS, but please reference my or other responses at the links mentioned for detailed steps:

1. For Windows ME/XP systems, disable System Restore before running antivirus.

2. Update and run antivirus to remove actulice automatically. For free Trend Micro antivirus, instructions for running Trend Micro antivirus are mentioned in Responses 3-5 above. Run the free Housecall scan and then the Sysclean Package.

3. If malware remains after automatic removal, remove the actulice changing EXE files manually.

4. Once the malware program file(s) are identified (various .exe file names) from your antivirus software, Task Manager, and msconfig, terminate them from memory in Task Manager.

W95/98/ME: press CTRL+ALT+DELETE
NT/2000/XP: press CTRL+SHIFT+ESC

5. Edit the Windows registry to remove autostart and other entries from the Registry.


Have fun. Will be happy to resolve any specific problems after.



Response Number 12
Name: Top Speed
Date: May 20, 2004 at 11:44:08 Pacific
Reply:

ME/XP operating systems need to disable System Restore so the antivirus can clean and remove infected EXE and COM files.

Here is the link to the whys and hows of System Restore for ME/XP,
http://www.trendmicro.com/en/security/advisories/win_me_clean.htm



Response Number 13
Name: anssi
Date: May 20, 2004 at 14:54:48 Pacific
Reply:

I may have just saved you if you have XP. If you remember when you downloaded it, just roughly will do. (You can always look at when you downloaded the file.) Just go to All Programs > Accessories > System Tools > System Restore. Now just restore the computer to a date before you had this actulice thing, and it should be gone. Was for me.

Now.........Smile.



Response Number 14
Name: Top Speed
Date: May 20, 2004 at 17:14:42 Pacific
Reply:

System Restore would be a possible quick fix if you haven't altered your system files or updated/installed/removed software on your computer in this same time period and know for certain the system files are clean. However, this assurance is difficult since no antivirus program can provide 100% detection and removal of malware, as in the case of actulice malware. Actulice malware EXE files weren't identified or removed by antivirus software.

Restoring your system files also may not address the uploaded thunderdome program files; however, you could just delete the two known pup.exe and over.exe from Windows Program Files and System folders and see if that will work with the System Restore mentioned by Anssi.

I believe an XP user mentioned that the actulice popup came back a few days after she did a system restore, but she didn't say if she deleted the pup.exe and over.exe files.




Response Number 15
Name: drummer12
Date: May 21, 2004 at 11:20:00 Pacific
Reply:

Every time I run msconfig, the system config panel jumps on the screen then off the screen too fast to make any changes. Is there a solution? Thanks, John



Response Number 16
Name: Top Speed
Date: May 21, 2004 at 13:28:04 Pacific
Reply:

This msconfig problem is not actulice-related.

Search the Internet or check the computing.net support forum under your specific operating system for any system configuration utility related problems.



Response Number 17
Name: Top Speed
Date: May 21, 2004 at 13:58:01 Pacific
Reply:

drummer12,

Do you have the Actulice popup? If so, were you able to identify and terminate the malware from Task Manager? What is malware?

What operating system has this system configuration utility problem?



Response Number 18
Name: Incanus
Date: May 22, 2004 at 12:58:27 Pacific
Reply:

I have found the best way to get the virus is:
1. Press ctrl+alt+delete and find actulice under the Applications tab.
2. Right click the application and choose "Go to process". It will then highlight the application under the Processes tab.
3. Do a search for that file name and make sure that you are searching all hidden files and folders. Once the search finds the file, delete it and empty it from the recycle bin. Most of the executables are in C:/windows/system32/
4. Repeat until the virus no longer appears.



Response Number 19
Name: ttime17
Date: May 23, 2004 at 11:27:56 Pacific
Reply:

Just fixed actulice with the latest Adware update. Tried deleting pup.exe from \Windows as well as cleaning up the registry before I ran Adware. The manual deletions had no effect. Obviously I was missing something.



Response Number 20
Name: Top Speed
Date: May 23, 2004 at 11:55:32 Pacific
Reply:

How do you know Adaware removed the trojan? Adaware is not an antivirus and anti-trojan software. The latest antivirus or trojan removing software may do the job, but I doubt Adaware is designed to do that when most of the antivirus programs miss this memory-resident trojan.



Response Number 21
Name: Top Speed
Date: May 24, 2004 at 11:17:31 Pacific
Reply:

Once a malware file is identified by an antivirus, it can be removed manually if it couldn't be removed automatically.

And if the malware files are not identified by a current antivirus or anti-trackware as in the case of actulice popup, some detective work is required to identify the malware files first before they could be removed.

Removing the malware files from the registry is a required step of removing the actulice popup.



Response Number 22
Name: donna
Date: May 30, 2004 at 06:04:19 Pacific
Reply:


I discovered actulice on my computer last week. I did a system restore which got rid of the actulice windows box. I also took pieces of advice from all the responses from this list. I found even though I had got rid of the actulice box I managed to find 36 files in my system 32 file, all with different names, all created by totepole with a file size of 64kb, all with a pale blue angled windows box, which I deleted all, but I can't seem to delete some of the files from my start list. I can untick the boxes but I can't delete the writing from there. So I am not certain I am totally rid of this pain in the butt. Also does anyone know what this is?????????



Response Number 23
Name: Top Speed
Date: May 30, 2004 at 13:28:12 Pacific
Reply:

It's good that you cleaned out the Totempole .exe files from your system folder, but they are not associated with the Actulice popup problem. The Actulice popup has .exe files made from Thunderdome.

To totally remove a malware file, you must at least have done the following steps:

1. Disable the identified malware from msconfig Startup without restarting your pc. Once one identified malware file is disabled, repeat to disable other Thunderdome exe files from startup. Once you follow through with the steps described in the step-by-step fix (or described briefly below), they will be removed from msconfig Startup.

2. "End Task or End Process" the Thunderdome exe files one at a time from running in memory from Task Manager. Close and reopen the Task Manager to confirm all Thunderdome files have stopped running if necessary.

3. Delete them directly from your system folder, and then do a Find/Search and delete ALL previously identified malware files (several random .exe filenames for Thunderdome) from your hard drive to confirm you have removed all associated or uploading files, such as pop.exe and over.exe in the Program Files folder.

4. Edit the registry as described in my step-by-step fix.

5. Empty IE cookies files, temporary files, Windows Temporary files; I prefer to do this via Explorer instead of IE Internet Options. Find all *.tmp files and delete them.

6. Empty Recycle Bin.

7. If the Actulice popup is removed and everything is working, then update and run antivirus and anti-trackware again to confirm the pc is clean. Run Scandisk and defrag your hard drive to permanently remove malware files from the pc and do a full backup of your pc.

8. Run Windows Security Updates via Microsoft.com. Keep your pc OS updated regularly.



Response Number 24
Name: Top Speed
Date: May 30, 2004 at 13:31:53 Pacific
Reply:

Also, run antivirus in Safe mode, and if you have System Restore, you need to run antivirus with System Restore disabled so your system files could be scanned.



Response Number 25
Name: edzbit
Date: June 1, 2004 at 00:02:10 Pacific
Reply:

I've done the way of using trendmicro housecall and deleted pup.exe and over.exe, however this actulice pop-ups come back after a while again? What can I do now?



Response Number 26
Name: saberswrath
Date: June 4, 2004 at 12:42:49 Pacific
Reply:

Hi,
I have found two files containing Actulice within my Windows System.

My problem is every time I try to delete them it says they cannot be deleted because they are being used by Windows!

I'm running Windows ME, I do not have an antivirus program installed in my computer and honestly, I'm very new to computers and although some responses have been given on how to get rid of it, I do not understand them.

Can someone please post here and direct me exactly on how (in a step by step format) to get rid of this thing?

Thanks for your time!



Response Number 27
Name: Top Speed
Date: June 4, 2004 at 16:12:03 Pacific
Reply:

Before you can delete these two Actulice executable files, you have to disable them from running at Windows startup using a system configuration tool (msconfig Startup tab) and in memory in the Task Manager.

Windows ME and 98 are comparable systems with similar folder directories, so you can follow the step-by-step instruction written for Windows 98 available at any of the URL addresses already provided.

To print out the comprehensive step-by-step Actulice popup fix for Windows 98 for example:

1. Copy and paste the URL address provided below to your browser's address box. Hit Enter.

http://computing.net/security/wwwboard/forum/11722.html

2. Once at the desired Internet page, scroll down to look for Response #9 from Top Speed

3. Print Response #9


We all learn by doing and fortunately information is at your fingertips. To look up any computer functions, commands, system directory, or terminology you don't understand, you can use your Windows Help index database or tutorial features (Click Start. Click Help) on your computer, look up tutorials from microsoft.com or netcomupting.net for Windows ME, read various support forum responses, or use the Internet.

Post any Actulice-specific difficulties or questions. Someone may be happy to help.

OTHER NON-ACTULICE SECURITY RELATED ISSUES:

1. Install and run the most up-to-date antivirus and Ad-aware scans TODAY. Be selective with your software and build your knowledgebase from reliable sources in the Internet age. Information for essential computer security protection for your computer is posted at www.support.microsoft.com

2. Learn the basics of computer maintenance and data backup routine asap. Once you have a backup of your data and system files, install critical and security software using Windows Update regularly to prevent loss of data and privacy and other security threats.

http://v4.windowsupdate.microsoft.com/en/default.asp

www.support.microsoft.com provides both basic and technical information specific to your operating system.



Response Number 28
Name: Cryndalae
Date: June 7, 2004 at 07:53:52 Pacific
Reply:

Been Reading posts for a few weeks now looking for a simple solution to this...

I'm in Tech Services and have a remote user (about 800 miles from here) with Actualice. So far nothing damaging... just a bit annoying so I've left him with the bug until I find a simple answer for him.

(This guy can handle email... not much else. I don't think it's possible to walk him through by phone the posted solutions.)

Anybody know:

Where the heck is this coming from?
Why don't any of the major AntiVirus or Spyware programs locate and disable this?

Pretty much rhetorical questions there... just frustrated!

I've run him through Symantec, Spybots S&D, AdAware, TrendMicro, Panda, Xcleaner, etc. (along with all updates... of course!) None of them find or clean this.

So... if anyone has an easier solution I'd love to hear it... my user WILL NOT be able to be walked through the steps/hacks/searches to do the manual removal. Otherwise... he's got to ship this into me for removal.

OH... reminds me... he doesn't seem to have problems other than the NO MODF and Funk popups about every 15 minutes. System performance hasn't been affected. What else might be going on in the background? Anyone know?

Thanks!

JC:)

Sanity is Overrated



Response Number 29
Name: Top Speed
Date: June 7, 2004 at 15:03:20 Pacific
Reply:

I don't know why none of the antivirus and anti-trackware you mentioned could identify the actulice malware files, as they appear to work like viruses, trojan horses, and worms. Perhaps it has to do with its ability to switch into the vast random number of exe filenames at Windows startup (i.e., as you get rid of one malware exe file, another one is enabled to run at Startup) and that the program functions like a legitimate antivirus or software program. Maybe this question could be directed to one of the antivirus and anti-trackware vendors.

Is "simple" always the best? Perhaps your frustration did get the best of you. I don't know how simple is simple as far as removing malware files manually goes. The removal steps required depend largely on how the malware worked. Given that none of the updated antivirus and anti-trackware could remove Actulice files so far, if you could remove them manually and completely on the first try and not experience reinfection and not have to spend time troubleshooting afterwards, shouldn't that be the goal? Could repeating what has proven to work and being thorough be the more efficient process?

These removal steps for Windows 98 have proven to work and can be adopted for other operating systems for those who have experience using the different Windows OS and the inquiring types. Sure, you could simplify the steps (for example, disable startup programs and skip the "end processes from running" step in Task Manager) and go straight to removing the actulice reference file if you could identify it in the registry, but it'll take time to test out the outcome of these steps, and it's no guarantee that you could identify and catch all the random changing exe files through the shortcut method. If you don't identify the malware file to remove, you can't know what malware files to remove and if you have removed them all and reduce the chance they will reappear.

Since Windows 2000 doesn't have a system configuration utility, users of this OS had to bypass the msconfig step and follow a different resolution. Did you try any of them? What OS are you working on to remove the actulice popup?

The steps of identifying actulice exe files and removing them manually from the identified Windows directory and the registry are pretty fundamental and parallel many procedures for removing a worm, trojan horse, and virus. If you are just dealing with the removal procedures for one OS, then the manual removal steps should be even simpler and more direct. If a written instruction won't work for your client, you may need to walk him through the procedures by phone and have him be your eyes or provide him with both written and verbal guidance because the identification and catching the changing swapping exe files in msconfig Startup are the crucial beginning steps. And like you proposed, you have the option of him shipping the pc to you; however, do the shipping and phone support cost comparison first though and lay out all the options with your client.

In my case, once I ran TrendMicro and Ad-aware, I had to remove one other trojan horse in addition to the Actulice popup, "NO MODF and Funk," manually, but unlike Actulice, the trojan horse was detected by the antivirus. Once I removed all the actulice reference files from the Windows directory and the registry (and other pest .exe files) in the system folder, my computer runs more efficiently. My computer does not have a repeat reinfection since my first removal attempt about a month ago, but I do empty my Cookies, Windows Temp and IE temporary folders often, update and run antivirus and Ad-aware regularly, and my OS and browser are up-to-date with Microsoft's security critical updates and other Microsoft products.

BTW, Actulice files seem to have affected Windows Media Player for a few people in the other Actulice discussion threads, so you may want to either double-check the Windows Media Player program folder for suspicious files in addition to the required removal steps, or just uninstall, update, and reinstall Windows Media Player.



Response Number 30
Name: Top Speed
Date: June 7, 2004 at 15:43:48 Pacific
Reply:

The other method (easier to instruct but not the most direct) would be to locate and remove the Actulice malware files in reverse order as described for the Totempole files, since the Actulice .exe files have already been identified to be from company Thunderdome. See the written procedures from Response #9 in the other link for details but for an overview briefly:

Sort the files by type in the system folder and identify any .exe files from Thunderdome and disable them from the msconfig Startup tab one at a time without rebooting the pc and then delete all identified Thunderdome files from the system folder. Delete reference entry from the registry and associated files from Program Files folder. Search and Find to confirm all Actulice reference files have been removed.
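
Added example (not part of the original thread and not any poster's code): a read-only triage pass over a folder that lists `.exe` files matching the two signals discussed above, the company name shown in the file's version information and the 64 KB file size. It assumes the vendor string sits in the version resource's `CompanyName` field and finds it with a simple byte scan rather than a full PE resource parser; the file names and sample contents are constructed, and nothing is deleted.

```python
import os
import tempfile

# "CompanyName" as stored in a PE version resource (UTF-16LE key).
KEY = "CompanyName".encode("utf-16-le")
SIZE_64K = 64 * 1024


def company_name(data):
    """Heuristic: return the string following the CompanyName key, or None.

    Assumption: key, NUL terminator, optional alignment padding, then a
    NUL-terminated UTF-16LE value. This is a byte scan, not a PE parser.
    """
    pos = data.find(KEY)
    if pos < 0:
        return None
    i = pos + len(KEY)
    # Skip the key terminator and any zero padding, one WCHAR at a time.
    while i + 1 < len(data) and data[i:i + 2] == b"\x00\x00":
        i += 2
    end = i
    # Read up to the value's NUL terminator (capped at 128 characters).
    while end + 1 < len(data) and end - i < 256 and data[end:end + 2] != b"\x00\x00":
        end += 2
    value = data[i:end].decode("utf-16-le", errors="replace").strip()
    return value or None


def triage(folder, vendors=("thunderdome",)):
    """List (.exe name, reasons) pairs worth a manual look. Read-only."""
    findings = []
    for root, _dirs, files in os.walk(folder):
        for name in sorted(files):
            if not name.lower().endswith(".exe"):
                continue
            try:
                with open(os.path.join(root, name), "rb") as fh:
                    data = fh.read()
            except OSError:
                # A file that cannot be opened is itself worth recording.
                findings.append((name, ["unreadable"]))
                continue
            reasons = []
            vendor = company_name(data)
            if vendor and any(v in vendor.lower() for v in vendors):
                reasons.append("vendor=" + vendor)
            if len(data) == SIZE_64K:
                reasons.append("size=64K")  # weak signal on its own
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample(folder):
    """Write constructed stand-in files; none of these are real programs."""
    def fake_exe(company, size):
        blob = b"MZ" + b"\x00" * 62
        if company:
            blob += KEY + b"\x00\x00\x00\x00"
            blob += company.encode("utf-16-le") + b"\x00\x00"
        return blob.ljust(size, b"\xff")

    samples = {
        "qwzx.exe": fake_exe("Thunderdome", SIZE_64K),
        "rnd2.exe": fake_exe(None, SIZE_64K),
        "notepad.exe": fake_exe("Example Corp", 2048),
        "readme.txt": b"not an executable",
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, reasons in triage(tmp):
            print(name, ", ".join(reasons))
```

Matching on the vendor string rather than the file name is what makes the list stable when the names keep changing; a size-only hit still needs checking against startup entries before anything is removed.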

