Re: = HELP! pup.exe and over.exe =

From: nlightend (nlightend.12h97h_at_mail.mcse.ms)
Date: 03/02/04


Date: Tue, 2 Mar 2004 00:03:42 -0600


I don't know if you have found a solution, but here is something I hope
will help you. I was also afflicted by those little buggers.

Here is what you need to do: Ad-Aware does not detect them, but use it
anyway and get rid of anything called spyware, data miners, adware on
your computer. We'll eventually get to the registry, but let's first
disable the sucker at the root. Buckle up, it's quite a ride!

1. Turn off "system restore" because the virus will lodge itself in
there when you try to delete it. Go to your Windows\system32 directory
and list all the files by type. To do this click on the type heading at
the top of the window. Once you've done that examine every .exe file's
property, especially the ones that look like they were named at random.
Click on the version tab to see if it was created by a company called
either "totempole", "werule" or "totally". Also check the original
file name. It should say: pup.exe. If that's the case delete the
file. Write down the name so that you can find it in the registry
later. Continue deleting them until there are no more occurrences.
2. (By any means avoid opening notepad.exe files) This little critter
rewrites the path of the notepad files and writes a new copy in the
system32 folder, so every time you click on a .txt file it activates
itself and connects to the net and downloads a new update to itself.
Delete the copy of notepad.exe in the system32 folder. (Don't worry,
there is a fresh copy in the Windows directory.)
3. Go to the C:\Program Files directory and delete a file
called "pup.exe" (250kb, roughly) and empty the recycle bin.
4. Go to c:\documents and settings\yourprofilename and select from
the main menu Tools\Folder Options. In the view tab check "show hidden
files and folders." Once you do that you will be able to access your
History, Temp and Temporary Internet Files folders. Delete all the
files in the Temp folder. Delete all the files and cookies.
Specifically, look for 2 files in the list, one is called
"over.exe" (64kb) and another .exe file of the same size, I believe it
might have the same name as mine which was "B1O1420.exe" (64kb), that's "b
one o one four two zero.exe"; the description for these files reads
either "www.belgiandip.com" or "www.achtungachtung.com", it might be
different in your system, I don't know. You can go by the size (64kb).
Delete them.
5. Once you have taken the previous measures, you can go to the
registry and delete the entries (Make sure you backup your registry;
you wrote down the .exe filenames you deleted before) in
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run."
Go into the Windows directory and copy the notepad.exe program onto the
Windows\system32 directory. Your .txt files will work again, no risk
of reactivating the virus.
6. Restart your computer and run Ad-Aware 6 again. You should be all
set. Repeat the steps and hunt the sucker down if necessary (shouldn't
be).

I told you it would take long! Take care and good luck. Hope this
helps.

nlightend

--
nlightend
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message348344.html
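A read-only triage script, added here as an illustration and not part of nlightend's post, that automates the manual checks in steps 1, 2, 4 and 5 above: it lists the .exe files in the folders the post walks through (hidden ones included) whose Version-tab fields, name or size match the indicators the post gives, compares the two notepad.exe copies by hash, and dumps the Run keys so the file names you wrote down can be matched against them. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) in an elevated session; the indicator strings are the ones the post mentions and serve only as examples, and the script reports rather than deletes.

```powershell
# Added example, not the poster's procedure. Read-only: nothing here deletes or modifies anything.
# Assumes: elevated Windows PowerShell 4.0+. Indicator strings below are the ones the post lists.

$Indicators = @{
    CompanyNames      = @('totempole', 'werule', 'totally')               # "Company" on the Version tab
    OriginalFileNames = @('pup.exe')                                        # "Original file name" on the Version tab
    Descriptions      = @('www.belgiandip.com', 'www.achtungachtung.com')   # "Description" shown for the dropped files
    FileNames         = @('pup.exe', 'over.exe', 'B1O1420.exe')
    SizeBytes         = 64KB                                                # the post goes by "64kb" as a last resort
}

# Returns the indicators one .exe matches (empty array when nothing matches).
# PowerShell's -contains compares strings case-insensitively, so no lowercasing is needed.
function Get-ExeIndicatorHits {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    $vi   = $File.VersionInfo
    $hits = @()
    if ($vi.CompanyName      -and ($Indicators.CompanyNames      -contains $vi.CompanyName.Trim()))      { $hits += "CompanyName=$($vi.CompanyName)" }
    if ($vi.OriginalFilename -and ($Indicators.OriginalFileNames -contains $vi.OriginalFilename.Trim())) { $hits += "OriginalFilename=$($vi.OriginalFilename)" }
    if ($vi.FileDescription  -and ($Indicators.Descriptions      -contains $vi.FileDescription.Trim()))  { $hits += "FileDescription=$($vi.FileDescription)" }
    if ($Indicators.FileNames -contains $File.Name)                                                      { $hits += "Name=$($File.Name)" }
    # Size alone is a weak signal (many legitimate files are ~64 KB); flag it as low confidence.
    if ([math]::Abs($File.Length - $Indicators.SizeBytes) -le 1KB)                                       { $hits += 'Size~64KB (low confidence)' }
    return ,$hits
}

# The folders the post walks through. The "Local Settings" paths are the Windows XP layout the post uses;
# Test-Path silently drops the ones that do not exist on this machine.
$ScanDirs = @(
    "$env:SystemRoot\System32",
    "$env:ProgramFiles",
    "$env:TEMP",
    "$env:USERPROFILE\Local Settings\Temp",
    "$env:USERPROFILE\Local Settings\Temporary Internet Files"
) | Where-Object { Test-Path $_ }

# Step 1/3/4: non-recursive listing like the post, -Force so hidden files show up.
function Find-SuspiciousExes {
    foreach ($dir in $ScanDirs) {
        Get-ChildItem -Path $dir -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hits = Get-ExeIndicatorHits -File $_
                if ($hits.Count -gt 0) {
                    [pscustomobject]@{
                        Path   = $_.FullName
                        SizeKB = [math]::Round($_.Length / 1KB)
                        Hits   = ($hits -join '; ')
                    }
                }
            }
    }
}

# Step 2: the post's claim is that the copy of notepad.exe in System32 was replaced.
# A hash mismatch against %SystemRoot%\notepad.exe is a lead to investigate (check the file's
# signature and version info), not proof on its own: on some Windows builds the two copies differ.
function Compare-NotepadCopies {
    $sys32 = Join-Path $env:SystemRoot 'System32\notepad.exe'
    $root  = Join-Path $env:SystemRoot 'notepad.exe'
    if (-not (Test-Path $sys32) -or -not (Test-Path $root)) { return 'One of the two notepad.exe copies is missing' }
    $h1 = (Get-FileHash -Algorithm SHA256 -Path $sys32).Hash
    $h2 = (Get-FileHash -Algorithm SHA256 -Path $root).Hash
    [pscustomobject]@{
        System32Hash = $h1
        WindowsHash  = $h2
        Match        = ($h1 -eq $h2)
    }
}

# Step 5: list the autostart entries under both Run keys so they can be compared with the
# file names written down earlier. The provider's own PS* properties are skipped.
function Get-RunKeyEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

'=== Executables matching the indicators from the post ==='
Find-SuspiciousExes | Format-Table -AutoSize
'=== notepad.exe copies (System32 vs Windows) ==='
Compare-NotepadCopies | Format-List
'=== Run key entries (compare against the names you wrote down) ==='
Get-RunKeyEntries | Format-Table -AutoSize
```

Run it before and after the manual cleanup: the first run gives you the list of candidates and their Run-key entries to write down, the second confirms nothing matching is left and that the restored notepad.exe copies agree. Because everything is reported rather than removed, a false positive on the size-only rule costs nothing.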
 

