Actulice worm or virus

John M. Coyle

Hey,
I'm currently researching some kind of popup that is
occurring on my winxp laptop computer.

A small system error message pops up when I turn the
machine on. In the header it says "Actulice" and the
message varies.
The original message said "modf" with an okay button.
I ran NAV and Ad-Aware to no avail.
Now the message says "funk" and then "done".

Strange thing..
Can't find anything about it on the net. Everything I
have found involves a file called actulice.exe, which I
can't find on the machine.
Thank you very much for your help.

John M. Coyle
Credit Manager/IT Director
Western Petroleum, INC.
(435) 789-1832
Cell: (435) 790-4373
Fax: (435) 789-1837
 
Sadie

Hello, John,

Download HijackThis! here:

http://www.spywareinfo.com/~merijn/downloads.html

I strongly suggest you submit a HijackThis! log to one of
the specialist forums below, for expert assistance in
removing this and any other malware you may have onboard:

http://www.spywareinfo.com/forums/index.php?showforum=30
http://computercops.biz/forum67.html
http://forum.aumha.org/viewforum.php?f=30
http://forums.net-integration.net/index.php?showforum=32
http://cexx.org

You are right, there is not much information
available, yet. The experts'll help you make a clean sweep
of your O.S., though. If you really got into researching
this kind of infestation, there's a HijackThis! Boot Camp
recruiting volunteers for training here:

http://www.spywareinfo.com/forums/index.php?showtopic=32637

The world needs more HijackThis! maestros.

Sadie
 
Lisa_at_wotk

John,

When you search for this file "actulice.exe", are you
setting your options for Explorer to show all / hidden /
system files?

Go to Explorer --> Tools --> Folder Options --> View and
make sure that you have selected to show hidden, system,
and operating system files. After you have done this,
search for "actulice.exe". It may simply have the "hidden"
attribute.

Good luck.

Lisa
 
C B

search for "actulice.exe". It may simply have the "hidden"

I couldn't find it either, but I found xtrac32e.exe which I think is
that program. I deleted that file and it seems to help. Also search
for pup.exe and delete them too.
 
Steve Kirsch

I had the same problem.

Take a look in your registry at this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

You'll see an entry for BDALK.exe

Remove that.

Then remove the file that the entry is pointing to, e.g., Windows\system32\bdalk.exe

That should solve the problem.
 
Steve Kirsch

This is an addendum to my previous posting. It looks like actulice
occurs in many places, not just the BDLK.exe

For example, there is another registry entry for emotespr which runs
emotespr.exe which also runs the actulice popup.

In general, go through the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and look for anything you didn't put there.

Make sure you understand each entry.

Delete the reg key and the file for anything you can't verify that
looks suspicious. Remember what you did in case you need to reverse
it.
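
A read-only way to carry out the Run-key review described in the posts above, added here as an example and not part of the original thread. It assumes Windows PowerShell 5.1 or later; the per-user HKCU key and the backup file name are assumptions of this example, not something the thread mentions.

```powershell
# Added example: read-only audit of the Run keys. It deletes nothing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',  # key named in the thread
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # assumption: per-user key too
)

# Export the machine-wide key first so a later deletion can be reversed.
$backup = Join-Path $env:TEMP ('run-key-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' $backup /y | Out-Null

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)   # REG_EXPAND_SZ is expanded here
        if (-not $command.Trim()) { continue }       # skip empty values

        # Pull the executable out of the command line: quoted path, else up to ".exe".
        if     ($command -match '^\s*"([^"]+)"')    { $file = $Matches[1] }
        elseif ($command -match '^\s*(.+?\.exe)\b') { $file = $Matches[1] }
        else                                        { $file = ($command.Trim() -split '\s+')[0] }

        # A bare file name with no directory is resolved through PATH.
        if (-not [IO.Path]::IsPathRooted($file)) {
            $found = Get-Command $file -CommandType Application -ErrorAction SilentlyContinue |
                     Select-Object -First 1
            if ($found) { $file = $found.Path }
        }

        $exists = Test-Path -LiteralPath $file -PathType Leaf
        # -Force lets Get-Item return files carrying the hidden or system attribute.
        $info = if ($exists) { Get-Item -LiteralPath $file -Force } else { $null }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Command   = $command
            File      = $file
            Exists    = $exists
            Created   = if ($info) { $info.CreationTime } else { $null }
            Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $file).Status } else { 'n/a' }
        }
    }
}

# Entries that are unsigned or whose file is missing are listed first for review.
$report | Sort-Object { $_.Signature -eq 'Valid' }, Name | Format-List
"Backup of the HKLM Run key written to $backup"
```

An entry that is unsigned, recently created, or points at a missing file is a candidate for closer inspection, not proof of infection; importing the exported .reg file restores the key if a removal turns out to be wrong.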
 
John Coyle

Thanks for the help.
I'm still not able to find the file.
I have turned on to search for hidden files and folders,
as well as show file extensions of known file types.
Didn't find anything. :(
 
Mark Bush

For what it's worth, this trojan/worm or whatever it is seems to
morph. There's a thread at
http://www.computing.net/security/wwwboard/forum/11733.html. The fix
is somewhat intensive. Here's what I had to do to get rid of it:

I'm running Windows 2000 with Office XP.

I found "actulice.exe" in the C:\WINNT directory. I searched for a
light blue file icon that appears with the popup in the
C:\WINNT\System32 directory and found the file "insevntw.exe". File
was 68KB, created on May 19, 2004 10:52:00 AM and modified on May 12,
2004 10:52:00 AM. This file is unique to my system. The file gets
renamed so you have to find the one with that particular icon. Leave
the search window open.

I opened Task Manager, selected "insevntw.exe", then clicked "End
Process". I went back and deleted both "insevntw.exe" and
"actulice.exe". I also searched the registry for "actulice" and deleted
the entry there. Finally, I ran Adaware 6 (do the update since it was
last updated May 13, 2004). I deleted all the files it found.

After this, Media Player would not start. I got a popup saying
installation could not be completed. I uninstalled Windows Media
Player, then deleted all files. Five files in the "Windows Media
Player" directory would not stay deleted. They would reappear
every time I backed out of the directory and went back in. I rebooted,
then downloaded the latest version of Media Player and installed it.

I haven't seen the popup again yet. I've got my fingers crossed.

The only destruction I've noticed is that it renders Windows Media
Player useless. Other than that, it's just very annoying.

Good luck and I hope this is useful.
 
