Status
Not open for further replies.
1 - 10 of 10 Posts

·
Registered
Joined
·
5 Posts
Discussion Starter · #1 ·
I have Win Me - and Norton's installed, so don't know how I got this.

When I boot up, computer is unresponsive and I can't start any applications. At times, even CTRL-ALT-DEL doesn't work. When it does and calls up Task Manager, there are about a million copies of Popuper running. Lots of times I get a system resources error. Only way of switching off computer is by pulling the plug (ouch!).

Is there any other way of getting rid of Popuper when the machine is completely hung like this?
 

·
Registered
Joined
·
1,462 Posts
If you can run 1 tool on your computer, that should give us enough information to get started.

Please download HijackThis http://www.greyknight17.com/spy/HijackThis.exe - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post that log in our Malware Removal Forum! (link below)
http://www.techsupportforum.com/forumdisplay.php?f=50
 

·
Registered
Joined
·
5 Posts
Discussion Starter · #3 ·
Sorry but no, I can't run anything. In fact, nothing works - the machine is totally unresponsive. Sometimes it is a struggle to get it to respond even to CTRL-ALT-DEL. But I think I have already identified the problem - multiple instances of popuper stealing all the resources - and what I need now is a solution, but one for where the computer is totally hung.
 

·
Registered
Joined
·
1,462 Posts
If you have access to a different computer with a floppy drive, or something like that, we NEED this file to do anything with you.

Downloads
Download smitRem.exe and save the file to your desktop or removable media.
-----------------------------------

ON INFECTED COMPUTER

Boot Into Safe Mode
Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Run Downloaded Programs
Double click on the file you saved to floppy or to desktop - this will extract it to its own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

NOW please reboot into normal mode, and download the program from my prior post, and follow those Instructions.

In your next reply I need:
1. contents of C:\smitfiles.txt
2. HijackThis.log
 

·
Registered
Joined
·
5 Posts
Discussion Starter · #5 ·
Can't shut down still

Hi again

Sorry, was away for a few days - should have said.

Anyway, ran your tools before I went away and that allowed the computer to boot up seemingly normally, so I could use it. Searched for popuper.exe but your tools must have removed it!

However, when I select shut down from the start menu, it just goes to a black screen with a flashing underscore character and I eventually have to pull the plug on the machine (ouch again!) to switch it off.

Of your tools, only the hijacker one produced a log file, which I include here.

Many thanks for the help - it is greatly appreciated as I was at a loss on what to do!!!

Greg.
 

Attachments

·
Registered
Joined
·
11 Posts
Based on the fact that you are running ME I am assuming that your computer is a little older, but since I do not know the specifics of your machine, is there any reason why you're not running XP?
 

·
Registered
Joined
·
5 Posts
Discussion Starter · #7 ·
Yes, machine is about four years old. Bought it from Dell, and it's just under 1GHz so it's a reasonable machine. I suppose I've just been lazy about not upgrading the OS - but you're right, probably time to move to XP.
 

·
Registered
Joined
·
169 Posts
I guess since I'm not a qualified analyst, I shouldn't suggest what you should do from here. Looking at your logfile, it seems you still have some nasties on your machine. Hopefully someone from the security team will get back to you.
 

·
Registered
Joined
·
1,462 Posts
Please print out or save this page to your desktop in order to assist you when carrying out the following instructions.


Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Potential Uninstallations
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Video1


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O2 - BHO: Saristar - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50} - C:\WINDOWS\SYSTEM\SARISTAR.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Hot_Tarts] C:\Program Files\Video1\Dialers\Hot_Tarts\Hot_Tarts.exe /dontdial
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
**Check all the O18 entries except for the first one**

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\SYSTEM\SARISTAR.DLL
C:\Program Files\Video1\
c:\eied_s7.cab
c:\ex.cab

Reboot your system in Normal Mode.


Further Scanning
Please run a scan at the following site:
Panda ActiveScan

Make sure that you choose the "fix" or "clean" option when available.
At the end of this scan you will be given the option to save a log from the scan - SAVE THAT LOG - and post it here.

Please post a fresh HijackThis log & the Log from Panda so that we can check if your system is clean.
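
One way to cross-check the fix list in the post above, added here as an example (it is not part of the original thread and not part of HijackThis): the O2/O4/O16 lines are parsed into fields and the O16 entries are grouped by their local `file://` codebase, so the files left to verify after "Fix checked" are explicit. The function names, and treating a `file://` codebase as an item for review, are assumptions of this example.

```python
import re
from collections import defaultdict

# Entries copied from the fix list in the post above; no other log lines are on the page.
SAMPLE_LOG = r"""
O2 - BHO: Saristar - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50} - C:\WINDOWS\SYSTEM\SARISTAR.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Hot_Tarts] C:\Program Files\Video1\Dialers\Hot_Tarts\Hot_Tarts.exe /dontdial
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
"""

ENTRY_RE = re.compile(r"^(O\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body: "<registry key>: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_log(text):
    """Return one dict per recognised O-section line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        entry = {"section": section, "name": None,
                 "clsid": clsid.group(0) if clsid else None, "target": None}
        run = RUN_RE.match(body) if section == "O4" else None
        if run:
            entry["name"], entry["target"] = run["name"], run["cmd"]
        else:
            # O2 and O16 end with " - <file or codebase>"
            entry["target"] = body.rsplit(" - ", 1)[-1]
        entries.append(entry)
    return entries


def local_codebases(entries):
    """Group O16 (ActiveX DPF) CLSIDs by codebase when it is a local file:// path."""
    grouped = defaultdict(list)
    for e in entries:
        if e["section"] == "O16" and e["target"].lower().startswith("file://"):
            grouped[e["target"].lower()].append(e["clsid"])
    return dict(grouped)


if __name__ == "__main__":
    for cab, clsids in sorted(local_codebases(parse_log(SAMPLE_LOG)).items()):
        print(cab, "registered under", len(clsids), "CLSIDs")
```
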
 

·
Registered
Joined
·
5 Posts
Discussion Starter · #10 ·
OK, shall do that tonight. Unfortunately, I switched over to broadband just as this happened, but can't get the broadband installed cos of all these errors (I'm assuming broadband software from Wanadoo is virus etc. free), and they've now switched off my dial up - bugger.

Still had adaware and ran that and it found two malware objects which it killed and now the machine can close down normally again. However, doing a longer scan finds 88 objects and 2 folders, but adaware seems to get stuck so can't find out what they are before it aborts itself. So there's def. some crap still on my machine, but slowly getting better :)

Greg.
 