MSFN Forum: *Solved* New Virus Impossible to Remove HELP - MSFN Forum


*Solved* New Virus Impossible to Remove HELP Temp:winupd.exe

#1 1212magicman

  • Group: Members
  • Posts: 5
  • Joined: 30-December 11
  • OS: XP Pro x86

Posted 30 December 2011 - 03:05 PM

The virus is called Temp:winupd.exe some know it as the popupper. It started Dec. 15, 2011. It is located in User\Local Settings\Temp:winupd.exe

This file is hidden in the users local settings. It's invisible, regardless if you have hidden files and folders turned on, you can't find it. CMD can't find it or delete it. Malwarebytes and Avast found it, but can't delete it. It starts on boot, and it uses a massive amount of ram, the ram it uses goes up exponentially always growing. What it does is hijack the browser and sends you tons of popups in the corner of the screen so that you can't X out of them. I have found no way of deleting this file. However once you end the process via task manager it stays dead until you reboot.

Please help me. I'm attaching a log from malwarebytes, notice all the IP's it blocks and how it fails to quarantine the virus.

This post has been edited by 1212magicman: 31 December 2011 - 05:04 PM



#2 allen2

  • Not really Newbie
  • Group: Members
  • Posts: 1,736
  • Joined: 13-January 06

Posted 30 December 2011 - 04:04 PM

Did you try to boot to safe mode and then remove the folder temp in the infected profile(s)?

#3 submix8c

  • Inconceivable!
  • Group: Patrons
  • Posts: 3,244
  • Joined: 14-September 05
  • OS: none specified

Posted 30 December 2011 - 04:07 PM

Have you run MalwareBytes in Safe Mode (F8)? AFAIK, it should run under Safe. It must have a "RUN" set in the Registry as well. Try that and also download/update SpyBot, set Advanced Mode, and look under "Tools/System Startup" for it and "disable" it if "Safe" doesn't work.

http://www.bleepingc....exe-23850.html

Quote

Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
Hoping it's not "hiding" elsewhere under an assumed name and "cloning" itself.

If that doesn't work, come back and some other folks may be able to help further.

edit - URP! allen2 beat me to it. P.S. DO NOT delete your TEMP folder indiscriminately. First, DELETE it, then "Empty Recycle Bin" (make it GO AWAY) , then go BACK and make a "new folder" called "TEMP" where the old one was deleted.

This post has been edited by submix8c: 30 December 2011 - 04:10 PM


#4 1212magicman

  • Group: Members
  • Posts: 5
  • Joined: 30-December 11
  • OS: XP Pro x86

Posted 30 December 2011 - 04:33 PM

submix8c, on 30 December 2011 - 04:07 PM, said:

Have you run MalwareBytes in Safe Mode (F8)? AFAIK, it should run under Safe. It must have a "RUN" set in the Registry as well. Try that and also download/update SpyBot, set Advanced Mode, and look under "Tools/System Startup" for it and "disable" it if "Safe" doesn't work.

http://www.bleepingc....exe-23850.html

Quote

Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
Hoping it's not "hiding" elsewhere under an assumed name and "cloning" itself.

If that doesn't work, come back and some other folks may be able to help further.

edit - URP! allen2 beat me to it. P.S. DO NOT delete your TEMP folder indiscriminately. First, DELETE it, then "Empty Recycle Bin" (make it GO AWAY) , then go BACK and make a "new folder" called "TEMP" where the old one was deleted.


No both of you don't understand. There is no folder called Temp. THE FILE IS CALLED TEMP:WINUPD.EXE. It is located under D:\Documents and Settings\User\Local Settings. That is where the file "Temp:Winupd.exe" should be. It is not there. The only thing in that folder is a folder called Application Data. :( I'M SCREWED.

#5 Yzöwl

  • Wise Owl
  • Group: Super Moderator
  • Posts: 4,364
  • Joined: 13-October 04
  • OS: Windows 7 x64

Posted 30 December 2011 - 05:00 PM

Your problem then is that you have a file name containing a character, :, which is not allowed in an NTFS file name. There are some utilities available for dealing with such files but you may be lucky using the following in a command prompt window:
del /a /f "\\?\D:\Documents and Settings\User\Local Settings\*.exe"


BTW there should be a directory named Temp in that location unless you have purposely redirected it to a non standard location yourself.
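An added illustration of the mechanism behind the previous post (this is example code written for this page, not a command from the thread or from any poster): the colon means `Temp:winupd.exe` is a named NTFS alternate data stream attached to the `Temp` directory, which is why Explorer and a plain `dir` never list it while the antivirus still sees the stream. The script below assumes PowerShell 3.0 or later (the `-Stream` parameters on `Get-Item` and `Remove-Item` do not exist in the PowerShell 2.0 that XP can run), walks a profile directory, lists every named stream on files and on directories, and deletes a stream only when a name is supplied together with `-Remove`. The default `$Root` and the stream name `winupd.exe` are taken from the thread; the parameter names and the reporting format are assumptions.

```powershell
# Added example, not from the thread: inventory NTFS alternate data streams
# under a directory and optionally remove one named stream.
# Assumptions: PowerShell 3.0+, NTFS volume, enough rights to read the profile.
param(
    [string]$Root = "D:\Documents and Settings\User\Local Settings",  # path quoted in the thread
    [string]$StreamName = "",      # e.g. "winupd.exe"; empty means report only
    [switch]$Remove                # actually delete $StreamName when set
)

# Directories carry streams too, so start with the root item itself.
# -Force includes hidden and system items, which is where this one lived.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    # ':$DATA' is the ordinary unnamed stream of every file; anything else is named.
    $named = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
             Where-Object { $_.Stream -ne ':$DATA' }

    foreach ($s in $named) {
        # Emit one record per named stream so the output can be piped or exported.
        [pscustomobject]@{
            Path   = $item.FullName
            Stream = $s.Stream
            Bytes  = $s.Length
        }

        if ($Remove -and $StreamName -ne "" -and $s.Stream -eq $StreamName) {
            # Removes only the named stream; the host file or directory stays intact.
            Remove-Item -LiteralPath $item.FullName -Stream $s.Stream -Force
            Write-Verbose "Removed stream '$($s.Stream)' from $($item.FullName)"
        }
    }
}
```

Run it once without `-Remove` to see what is attached where: a `Zone.Identifier` stream on downloaded files is normal, an executable-sized stream hanging off a `Temp` directory is not. Only then re-run with `-StreamName winupd.exe -Remove`, after the process has been stopped. On XP itself, where this script cannot run, Sysinternals Streams does the same listing (`streams.exe -s "<directory>"` recurses, `-d` deletes).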

#6 submix8c

  • Inconceivable!
  • Group: Patrons
  • Posts: 3,244
  • Joined: 14-September 05
  • OS: none specified

Posted 30 December 2011 - 05:01 PM

@$^#!!!!!

Not necessarily. I understand now, but don't remember the terminology or the particular thread that describes it (jaclaz posted in the same topic). It's a "file" or "reference" within a special file. That's the one that needs removed. (Something about a Meta-thingy.)

Sorry, can't help further (I'm old, ya know) but hang in there, there is probably a solution coming now that it's understood.

FOUND IT!!!!
http://www.msfn.org/...-how-do-i-dele/
There must be some kind of confusion going on... Have you tried the Safe Mode (never did say if you did or not...)?

edit!
http://www.threatexp...a0e417f9afff924
Try the Safe Mode, DELETE the TEMP folder, EMPTY Recycle Bin, RECREATE TEMP folder and RUN A MALWAREBYTES SCAN.
All while in Safe Mode...
There IS a RUN/RUNONCE, etc in your registry as well... HAS to be!
Regedit - in HKLM -and- HKCU in either/both Software/Microsoft/Windows/Currentversion/RUN (etc) that should NOT be there! Also get CCleaner and RUN it.
P.S. in Malwarebytes run a FULL scan... (don't forget to Update your definitions)

This post has been edited by submix8c: 30 December 2011 - 05:13 PM
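To make the registry check in the post above repeatable (example code written for this page, not from the thread or from any poster): the script lists every value under the Run, RunOnce, RunServices and RunServicesOnce keys the post names, in both HKLM and HKCU, and flags any command that refers to an alternate data stream or into the profile's `Temp` directory. It assumes PowerShell 3.0 or later and an administrative session so that HKLM is fully readable; the colon heuristic and the output columns are assumptions of this example, not anything the thread states.

```powershell
# Added example, not from the thread: enumerate startup entries in the four
# Run-type keys, in both hives, and flag stream-style or Temp-based commands.
# Assumptions: PowerShell 3.0+, run elevated so HKLM reads completely.
$hives   = 'HKLM', 'HKCU'
$subkeys = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce'
# Get-ItemProperty adds these bookkeeping members; they are not startup values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-StreamCommand {
    param([string]$Command)
    # Heuristic: drop the leading drive specifier (C:\ or "C:\), then any colon that
    # is not followed by a path separator marks a stream reference such as Temp:winupd.exe.
    # URLs (http://) are excluded because their colon is followed by a slash.
    $body = $Command -replace '^\s*"?[A-Za-z]:\\', ''
    return [bool]($body -match '[^\s]:[^\\/]')
}

foreach ($hive in $hives) {
    foreach ($sub in $subkeys) {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }   # RunServices* rarely exist on XP

        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $cmd = [string]$p.Value

            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                # Either a stream-style path or anything launched from Local Settings\Temp
                # deserves a look; neither is how legitimate software normally starts.
                Suspicious = (Test-StreamCommand $cmd) -or ($cmd -match '\\Local Settings\\Temp')
            }
        }
    }
}
```

Pipe the output through `Where-Object Suspicious` to see only the flagged rows, and note that an empty result does not prove absence: the same post points at per-user keys, and an entry under another user's hive only shows up when that user's hive is loaded.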


#7 1212magicman

  • Group: Members
  • Posts: 5
  • Joined: 30-December 11
  • OS: XP Pro x86

Posted 30 December 2011 - 10:39 PM

submix8c, on 30 December 2011 - 05:01 PM, said:

@$^#!!!!!

Not necessarily. I understand now, but don't remember the terminology or the particular thread that describes it (jaclaz posted in the same topic). It's a "file" or "reference" within a special file. That's the one that needs removed. (Something about a Meta-thingy.)

Sorry, can't help further (I'm old, ya know) but hang in there, there is probably a solution coming now that it's understood.

FOUND IT!!!!
http://www.msfn.org/...-how-do-i-dele/
There must be some kind of confusion going on... Have you tried the Safe Mode (never did say if you did or not...)?

edit!
http://www.threatexp...a0e417f9afff924
Try the Safe Mode, DELETE the TEMP folder, EMPTY Recycle Bin, RECREATE TEMP folder and RUN A MALWAREBYTES SCAN.
All while in Safe Mode...
There IS a RUN/RUNONCE, etc in your registry as well... HAS to be!
Regedit - in HKLM -and- HKCU in either/both Software/Microsoft/Windows/Currentversion/RUN (etc) that should NOT be there! Also get CCleaner and RUN it.
P.S. in Malwarebytes run a FULL scan... (don't forget to Update your definitions)


Wow thanks for trying so much :) It was not in the registry. I do not have a folder named temp in local settings. And to finally say the truth. This is a school laptop which I get all year. Who knows what in the f*** they did to it, some things I can't even comprehend, they destroyed the location of "My Documents" and made it so it was only accessible while on their server. Who knows what else they did. But I have administrative access on it because I used Rainbow Tables to acquire the password. Still no luck in deleting the virus. Ran Malwarebytes full scan, it found nothing. However I ran a full scan with Exterminate It and found 13 registry viruses. 12 were linked to something called "Tarma Installer", the other was an anomaly my school put in to stop system restore. Also, Symantec found over 50 attempts to take a file out of its quarantine. All the file extensions start with unp(numbers).tmp. Weird thing is that they hide in my Avast Antivirus folder. Even Avast itself thinks itself is a virus with messages "Avastsvc.exe threat detected". Anyways 2 of these files are in quarantine and cannot be deleted. I haven't tried Safe mode because I don't see a point to doing that. I can't find the folder "Temp"...

#8 1212magicman

  • Group: Members
  • Posts: 5
  • Joined: 30-December 11
  • OS: XP Pro x86

Posted 30 December 2011 - 10:43 PM

OH CRAP!!! OH MY GOD I JUST FOUND SOMETHING!!! I tried creating a folder called "Temp" guess what.... it said that a folder called Temp already existed there..... but I can't see it....... What do I do?

#9 1212magicman

  • Group: Members
  • Posts: 5
  • Joined: 30-December 11
  • OS: XP Pro x86

Posted 30 December 2011 - 11:42 PM

I DID IT!!! I CAME UP WITH AN AWESOME PLAN!!
Here's what I did to remove the virus.

Step 1: Safe Mode
Step 2: Went to local settings
Step 3: Copied "Application Data"
Step 4: Pasted it on desktop.
Step 5: Delete "Local Settings" Folder.
Step 6: Make a new Local Settings Folder
Step 7: Inside make a new Temp folder
Step 8: Paste back your Application Data Folder.
Step 9: enjoy :P

Hope I helped anyone with the same problem :)

#10 submix8c

  • Inconceivable!
  • Group: Patrons
  • Posts: 3,244
  • Joined: 14-September 05
  • OS: none specified

Posted 31 December 2011 - 11:33 AM

Well, FWIW, I suppose that works, however there may have been an additional folder that may need to be kept. This is what I have (Dell Downloader is installed) -
Local Settings\Application Data\ <-- (hidden folder)
Local Settings\Apps\ <-- this folder (see Wiki link below)
Local Settings\History\
Local Settings\Temp\
Local Settings\Temporary Internet Files\
Also, there are (were) many "Desktop.ini" (hidden/system) files that may have been needed.
Within "Local Settings\Application Data\ApplicationHistory" there are many "*.INI" files that may or may not be needed (I think maybe not but unsure - ComboFix may delete them).
More "Apps" info on Wiki (MS ClickOnce Technology).

If you have no other problems or issues, you might change the title to "Solved - yada yada", unless someone else indicates dire issues with this.

All trademarks mentioned on this page are the property of their respective owners
Copyright © 2001 - 2013 msfn.org