Hello :) I also got "infected" with this nasty little thing. As I was looking through my registry and win32 directory I found more keys/files which originates from this "pup.exe" . The files I found on my computer were: actulice.exe (system32 dir.) pup.exe (windows dir.) bookmarks.exe (windows dir.) ompmgmtc.exe (system32 dir.) sheartsm.exe (system32 dir.) astlsr.exe (system32 dir.) ddbse320.exe (system32 dir.) all files besides bookmarks.exe were 64kb in size. I think bookmarks.exe were around 24kb. Hopefully anyone else that gets "infected" will be helped by this little info. Johan

0

Also found the following files: File Location: C:\Windows\System32\... ------- Intsesst.exe (Company: Thunderdome) Udcedite.exe (Company: Thunderdome) good luck... Rahul

0

Hello, I have deleted everything that has been recommended to delete on this forum. I still have the actulice.exe pop up. Can someone please help!???? Erin

0

Erin I would start a fresh post in your own name on the Security & Virus forum. I doubt many people will look at this post now and the S&V folk are the experts at this sort of thing. Tell them everything you've done. There might be a downloadable fix somewhere. Derek.W

0

Dear Erin, I have the same problem as you. I deleted all suspicious files but the pop up for actulice shows up in the middle of my screen. When I right click using my mouse there is not any option to close it let alone delete it. Please let me know if you found any solution. Thanks, Coal Cracker

0

Tough pop-up you say??? actulice Damed right! It stays in your windows system files and changes name when you run after it!I've never had so much trouble. It also goes in the start up and will not delete because window is using it... Anyways after beeing patient and deleting it by removing it on my msconfig start up list (with different names) it finally left... With its actulice message poping up every two minutes. It even prevented me from restarting my computer when I took it off that list... GOOD LUCK!!!!!!!!

0

scriptj- COMPANY: thunderdome, INTERNAL NAME: actulice, ORIGINAL FILE NAME: actulice.exe, PRODUCT NAME: actulice ispexd- COMPANY: totempole, INTERNAL NAME: pup, ORIGINAL FILE NAME: pup.exe, PRODUCT NAME: werule paw- COMPANY: totempole, INTERNAL NAME: pup, ORIGINAL FILE NAME: pup.exe, PRODUCT NAME: werule i found these in system32 but i can't seem to get rid of them. i also have the actulice pop up where the only thing it says in the box is "modF" and my only options are to click "OK" or click on the X at top right hand corner please help! belle

0

Thank you to Dominique for mentioning to go to the startup list in msconfig!!! After many name changes during my chase of actulice, I finally saw it there with a name of X7VBD.exe, and removed it from Win/Sys dir. No more actulice!!! Thank you again! Meshaela

0

Nice to see I was proved wrong in #10, this bit: "I doubt many people will look at this post now" Derek.W

0

To solve the "actulice" problem: 1) Go to "start" 2) Click "run" 3) Type in "msconfig" 4) Click "OK" 5) Click on "Startup" tab 6) Find "pg4ds32m" in the list 7) Uncheck its box 8) Restart your computer 9) Smile ______________________ It didn't change names in my particular case, like it apparently did for others.

0

Oh, I forgot to mention something else of utmost importance. After the above, you need to erase "pg4ds32m" completely off of your computer. To do so, follow these instructions: 1) Go to "start" 2) Go to "Find" 3) Select "Files or Folders" 4) Type in "pg4ds32m" 5) When it's found, highlight it and hit the delete key. 6) Also delete it from your trash bin. Now you can smile.

0

Also what XP and ME users might want to try is to do a system restore to a previous date. This may seem excessive but it will clear out any obscure registry keys leaving you free to delele the offending file without fear of loosing system stability. -Just my two cents.

0

I need help!!! I have the same problem but when I go into msconfig I dont have the pg4ds32m and I dont understand what the other programs are!! I am ignorant when it comes to computers. This is a list of the programs I have in msconfig. can anyone tell me which ones I should delete? wkfud WksSb WkUFind sysupd alchem indexm raphicsg msmsgs ctfmon Microsoft Office Microsoft Works

0

Angela, In that case, what you'll have to do is uncheck them a box at a time until you've identified the culprit. Just start with "wkfud". Uncheck it's box, then restart your computer. If the problem is still there, go to the next one on the list. You'll eventually find the guilty culprit. Once you do, then go back and recheck all the other's boxes.

0

i found a file named "pnetd" (thunderdome) in system32, but it says that it can't be deleted because "access is denied". how can this be? how can i get rid of it then?! this is truly driving me nuts..

0

That is some problem!! I guess you have to know what your doing, First I have know idea how (maybe my kids) but a over.exe appeared on my C: I clicked!!That is when nothing happened... I did not delete it just in case... Then "aculice" "modF" messeages started appearing. That is when the hunt started. Once you get it out of your msconfig start-up list AFTER IDENTIFING ITS NAME WITH EITHER SEARCH FILES OR IDENTIFIING IT IN YOUR WINDOWS SYSTEM LIST(IT DOESN'T HAVE THE SAME ICON AS ALL THE OTHER ONES) you can delete it!!!! but you also have to delete the source, me it was over.exe but for others it could be anything. Here are a few names it took: IN32S15W, SDMOM , ID32S , ect. everytime you click on it it changes name. You also might have problems restarting your computer once you take it off the start up list because actulice will staop the restart process and give you a message like "impossible to restart cannot stop actulice" This makes me so mad! I would rip the dudes fingers and eyeballs for creating such a stupid and anoying virus. Anyone now what the hell actulice means anyways? I think it is Spanish. And who are the idiots behind Thunderdome? Dominique

0

Very glad to have read this post, for I too had the actulice problem. The problem fixing it though definatly is the name changing. I opened windows/system32 and sorted the files by date. Since this problem just started I thought this might help. Last file on the list was named XTRAC32e.exe. Company - Thunderdome. Original file name - Actulice. Well, well. I also could not delete it as you all said until I unchecked it in msconfig and did a restart. Now its deleted and out of my life. Thanks to all and hopefully I've helped a little.

0

Dear Angela & all concerned, Please see my comments under "Response Number 12" at the following URL: http://www.computing.net/security/wwwboard/forum/11720.html Please let us all know if this (or whatever) fixes your problem.

0

What I did: Found and deleted pup.exe. This didn't work. Downloaded Security Task Manager, free trial version (took less than a minute to find and download). I ran it it, and it found another Actulice file called ODEMM.exe. I deleted it using the Security Task Manager Tool. It was located in Windows\System, so I went there and found two more recent 64meg files (streama.exe and staskm.exe) and deleted them. Also went to run\msconfig\startup tab and unchecked ODEMM. Rebooted, problem gone. I'm not a programmer. This may have been overkill, but I see no signs of it after I did it earlier this morning. Good Luck Ted

0

I get the same problem. I deleted all the files above and it still comes up. I looked through the windows and system32 and didnt find anything can someone please help

0

Today I discovered that I too had the pop-up that won't die. I found this thread by googling "actulice," and followed Yadirf's advice in posts 16 & 17, with the additional knowledge of others who said that the file name was different and can change. Mine was named either nathunkr.exe in the windows/system file or alchem.exe in windows. I used msconfig to isolate them, rebooted, and then deleted the files. So far so good. Thanks!

0

ACTULICE POPUP ON WINDOWS 98 The free antivirus scan and automatic System Cleaner from MicroTrend and the Adaware removal programs didn't eliminate the Thunderdome Actulice malware in Windows 98 for me. Because the malware .exe file is programmed to start in my Windows Starup, and the actulice malware program name also changes when I click the "OK" button on the popup, I had to remove the thunderdome malware manually using the msconfig Startup tab and editing my registry. Basically, I identified and terminated the malware from Memory and the Registries and here are the steps-by-step guide of how I manually removed all the thunderdome malware .exe files (I had two) successfully. PREP WORK: 1. Identify and terminate malware process from memory: See what programs are running your Task Manager (open your Task Manager in Windows 98 by pressing CTRL-ALT-DEL). In the list of running program, locate the malware file or any suspecious programs you either didn't install yourself or have not heard of and write the file path down. Note: Task Manager running on Windows 95/98/ME may not show certain processes. If you are not sure about your task programs, you could use a third party process viewer to identify suspecious or unknown files. I use Process Explorer, a freeware from Sysinternals.com, http://www.sysinternals.com/ntw2k/freeware/procexp.shtml to help me identify program company names on unknown files or processes. With or without the help of Process Explorer, write down any suspecious and unknown programs that shouldn't be on your pc for reference later. 2. Empty all your Internet temporary files and cookies in IE under Tool-> Internet Options. 4. Search and delete all *.tmp and *.gid files using Find by right-click on the Start button. 5. Empty Recycle Bin 6. Run all your virus- and ad- removal programs. 7. Backup your registry if you want (we will need to modify registry later). 8. Shut-down and restart Windows 98 in Safe Mode (I did it in Normal Mode, however). If the Actulice Popup appears first thing on the Desktop after booting up, DO NOT do anything to or click on it - just leave it running as it is. IDENTIFY AND TERMINATE THE MALWARE FROM MEMORY 1) Open Task Manager and repeat PREP WORK Step #1 to identify your malware program. Notate any unknown or suspecious programs for future reference. Click on the suspecious program(s) and click on "End Task" button to end the suspecious program(s) from running. Exit out the Task Manager (and Process Explorer if opened). 2) Open msconfig from Start -> Run -> in the Open: box, type, msconfig -> click "OK" -> click on the Startup tab Identify and cross reference any suspecious program files from those you noted also in Task Manager (or Process Explorer if used). A Thunderdome .exe file (and most malware) is usually listed under c:\Windows\System\. Write down the thunderdome program file name and path (the first malware) found in msconfig Startup Tab. Now, with the msconfig Startup window visible on the Desktop, click on the "OK" buttons of the Actulice Popups and each time you click "OK", write down any name changes and new Thunderdome program files showing in the msconfig Startup window. Note: after you click on "OK" on Actulice Popup, the thunderdome malware program file name changes in the msconfig startup window. Write down all Thunderdome malware program files (and changed file names) you found from the msconfig Startup windows until Actulice Popups stop. Disable and uncheck the last Thunderdome malware program in msconfig Startup Window. Exit msconfig. REMOVE AUTOSTART ENTRIES FROM THE REGISTRY To prevent the malware from executing during startup: 1. Open Registry Editor. Click Start>Run, type Regedit then hit Enter. 2. In the left panel, double click the following: HKEY_LOCAL_MACHINE>Software>Microsoft> Windows>CurrentVersion>Run 3. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file/s detected earlier. 4. I have two Run keys in the registry. I found and deleted my two thunderdome malware programs, mgcvddn.exe and mgshli.exe, in the following registry key, HKEY_LOCAL_MACHINE>Software>Microsoft> Windows>CurrentVersion>Run- REMOVE OTHER ENTRY FROM THE REGISTRY To remove added registry key which it uses for configuring its programs. 1. Still in the Registry Editor, in the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft> Windows>CurrentVersion>Explorer>pup 2. Still in the left panel, locate and delete the subkey: pup 3. Close Registry Editor. CLEAN & DELETE FILES 1. Locate and delete any malware programs from Thunderdome detected in Windows Explorer. You could locate the Thunderdome program file either doing a Search or just look in c:\windows\system\. [On a totally diffent issue, I also deleted about 60+ .exe files from Totempole in c:\windows\system\ These totempole and thunderdome.exe have a different icon from the usual .exe files. Double check the company name by right-clicking on the suspecious .exe file and click on the Version tab. All the Totempole .exe files seem to have been downloaded on the same date, so you can also do a Search of .exe file for that date in Find and then check these .exe files are from Totemple to delete them from your computer]. 2. Empty Recycle Bin 3. Shut Down and Restart PC in Normal Mode should complete the removal of the Actulice popups. Topspeed

0

CUTQ - COMPANY: thunderdome, INTERNAL NAME: actulice, ORIGINAL FILE NAME: actulice.exe, PRODUCT NAME: actulice I found mine is the SYSTEM folder (Im using Windows ME)

0

i have tried all the suggestions listed here and am still unable to rid this bug. any other helps? can anyone contact microsoft and inform them of this problem? janet

0

After hunting and hunting for the location , I downloaded the trial version of Security Task Manager (per Ted's instructions) and this found and named my aculice file. It was WINDOWS\SYSTEM\HE 60'S USAT.exe. I followed Ted's instructions and it seems to be gone. I have no computer experience so all of this was a somewhat scary, but with a little luck, this annoying problem is over. Thanks, Ted!

0

You guys are terrific! I was able to fix my problem from all of your posts. Easiest method I found was to go to msconfig, start-up menu, and write down ALL of the files listed. Then I rebooted, knowing the pop-up would return..that's ok. I went to the start-up menu again, and voila! The file changed it's name as expected, and the file stood out like a sore thumb when I went thru the list I wrote down. Mine was _10000c.exe located in the Windows System directory. I unchecked the file from the start-up menu, and restarted the computer. Mission success! the pop up went away. I followed your advice to remove from the directory and from the recycling bin. I am no computer genius, and I found this very easy to do, thanks to you guys. Hope my info helps others as you have helped me. Thanks, everyone! Sandi

0

One correction about the comprehensive fix for remvoing actulice popups and other malware program files manually posted on http://computing.net/security/wwwboard/forum/11720.html http://computing.net/security/wwwboard/forum/11722.html http://computing.net/windows95/wwwboard/forum/158218.html http://computing.net/security/wwwboard/forum/11772.html The free Sysclean engine and the matching virus definition sofware were downloaded from TrendMicro.com and not from microtrend.com as I stated. I can't believe there is also a microtrend website. In case anyone needs a free antivirus program, I got the free virus scan from Trendmicro through www.housecall.antivirus.com to do the online scan first. I download and update the sysclean engine and the matching virus definition files as they become available. Top Speed

0

Hi there, I have the same aculice virus. I could not shut down my computer properly. And now when I turn on my computer, the screen is blank and nothing happens. I am not sure what to do now. Will I lose all my files and have start from scratch now?? Thanks. oliveoil

0

I tried to do several of the "fixes"...but what finally worked for me was Yadirf's suggestion....the file on my computer was called "sxml3rm" and I found it but doing a search with the text "actulice". I followed Yadirf's instructions, was able to delete the file (NO MORE POPUP!) and yes....I was smiling! :-) Thanks Yadirf!

0

One other question though...does anyone know how we "caught" this bug?...was it from email or from a website? Just curious. Thanks! Jill

0

opsgirl I don't know where it comes from either. Looking around Google though, I came away with the impression that it was a website based nasty and probably some clever bit of script. It didn't look like an email virus. It could be the "drive by" type (you only have to visit the website). My approach is to visit unknown websites on High Security, only lowering it to default when I feel sure the website is of sufficient interest. I've put an icon in my Links bar which takes me straight to the security tab. I can understand folks who reckon this would hamper their browsing too much. Maybe someone else will know for certain where this comes from. Derek.W

0

hi this is my first time posting anything on here but i had the same problem and after a while i got my briother up here (im no good w/ computers) and he took this linux disk he made that just loads linux but dosent install anythig and found it on linux and since the virus was not made for linux he just found the files and deleated them without a problem i dont know how many people that will actually help but since i used this site to help me get rid of it i figured i should give just one more way on how to aproch this pop up

0

I think the easiest way is this. -Start-Search Files -Options-Atmost 100KB -Type C:\Windows or.. WinNT i guess where your \\System or \\System32 folder lies -About 250 odd files should be listed -Most have cute icons -Some you will find shaped like a tilted white rectangle with a blue band in top.. one among them is pretty much your Actulice. Good thing is that you may find other malware stuff also -Right click and see properties of each of these files (for me this Actulice had renamed itself to OWEROLDP.exe i havent found this name in any of the comments above. So the program must be giving itself random names. Thats why this slow approach) -OK, now after right click, see company name, and see ORIGINAL FILE NAME -most of them will be 'Microsoft Corporation'. Thats safe right? :) -Just delete them if its of some company you havent purchased a product of. this Thunderdome and Totempole were in mine.. and i just deleted it. -Dont say yippee if you find 'actulice.exe' written somewhere, cos that file wont get deleted. will say, windows is using it. -Thats when u go to MSCONFIG (there is no Start-Run in my Windows Me.. for getting there press the flyingWindows button {near CTRL} in keyboard together with R) -now go to general tab, choose selective startup -go to Startup tab and scroll down and hey.. u will find the name of the EXE which doesnt delete itself. - Uncheck it -Go back to the search screen and delete it! -Empty recycle bin -Click apply in MSCONFIG -Reboot! -Go to MSCONFIG again.. click Cleanup button in Startup tab Should work ;)

0

This worm changes its name frequently. Therefore, there seems little point in trying to track down a specific filename. I knocked the bug out pretty well straight away as follows: ...by finding any application files created since 1st May 2004. There were quite a lot, but there were a group of files with a blue rectangular icon against them. They were also dotted about several different Windows folders. The file property details revealed that they were all created by Thunderdome. All but one would submit to deletion which was the file program still running in Windows. I got rid of that bugger in DOS mode manually. I am more interested in where it came from. Thunderdome has sometyhing to do with "no-beba-el-agua" or "don't drink the water". I'll let you know when I've tracked them down. :-)

0

I used Gregs' method post 23. I went into system32 and sorted by date. I knew the general date it started and found 5 or 6 files from that date. I was able to delete all but one which told me I could not delete it due to being in use. I was finally able to delete it after renaming it and rebooting. I also had to disable the correct items in the startup menu. WOW!

0

I did it. Actulice is a clever file but not as clever as u can be. 1) I ran Windows Task Manager after downloading it here- <<http://download.com.com/3000-2086-10246546.html?tag=lst-0-1>> 2)Then I searched for actulice files. 3)I found a file called "actulice". It fit the description that everyone's been talking about. 4) I quarantined it (by clicking on it in Task Manager & pressing the quarantine button). 5) After quarantining it, I went to the quarantine folder of Task Manager & totally deleted it from my computer by pressing delete. Voila! No more popups... no-beba-el-agua? Pshh... I think I WILL drink the water, THANK YOU VERY MUCH.

0

Thanks everyone. What worked for us was following the advice in Postings 16, 17, 23 and 35. Details below. My brother has a Win98 machine and called me last night because he ended up with Aculice as well. Using a combination of many of the postings on this site we finally managed to get rid of it. I think the key to this whole thing is that the files seem to be named something different on every machine. Like many of the other posters, his machine did have "pup.exe", which we deleted, but that was it - none of the others applied. Viewing the System and System 32 directories by date modified as suggested by Greg in Posting 23, quickly identified some suspect files. Viewing the properties of the suspect files revealed the one created by "Thunderdome". Viola! Once we identified the file (I forget what the name was now and it's actually irrelevant as I will likely be named something else on your computer) we followed Yadirf's advice in Post 16 and 17(with the exception of the specific file name he suggested) and Poof! Problem Solved. We also had a hard time getting the computer to restart. We had to use a combination of Control-Alt-Delete and I think at one point my brother simply turned the power off... that seemed to work! I hope that's a help to anyone still afflicted with this pest. Cheers!

0

RE: no-beba-el-agua SOLUTION!!!! The annoying pop-ups that draw the ads from this site http://www.no-beba-el-agua.com/go.php can be eliminated by deliting following files if they are anywhere on your PC: - Alchemi.exe - open.exe - pup.exe - pupup.exe - polall1t.exe - twaintec.cab*polall1t.exe* - abinetc.exe - shizzyp.exe - bdhu1k.exe - entire folder THI2667.tmp located at C:\Documents and Settings\USER NAME\Local Settings\Temp - notepad.exe located at C:\WINDOWS\LastGood (don't worry, your clean notepad.exe belongs in c:\windows and the one in Last Good has a slightly different icon and its the stealth file) Also: (1) bdhu1k.exe runs at strat up, so to delete it you got to end its process in the Task MAnager. To do that: ctrl-alt-delete---> Processes tab --->select bdhu1k.exe--->Click end process. After this action, go delite the file then remove it out of registry. To do the registry removal go to start--->run--->type: regedit ---navigate to HKEY_LOCAL_MACHINE--->SOFTWARE-->microsoft-->Windows-->Current Version-->Run. Right click on bdhu1k.exe appearing in the right pane then delete. (2) If you find any alchemi on the registry also delite it. Alchemi is another annoying pest that self replicates itself like twaintec. (3) You need to remove any trace of twaintec out of PC, any notepad files, DLLs, and folders they are located in because it self replicates itself. Also, in the INF folder, there will be 2 invisible twaintec files which you must also delete. To locate all just do a search on your computer then go there and delete. This are instructions for Win XP and I don't know whether they'll work on others alsthough these executables are the cullprits. These are trojans which gave me a headache for a long time and could not get rid of it. These trojans are called AGENT.G, REVOP.A and REVOP.B and apperently Symantec Anti-Virus which I use does not see them.

0