To: Anyone with the new and annoying popup
problem when Internet Explorer closes.
I too was hit by an annoying Internet Explorer pop-up
virus at home this AM (10-Apr-2004). I did NOT have the
virus yesterday. The virus causes annoying pop-ups to occur
almost every time that you EXIT Internet Explorer. It even does
this after opening the null IE default web page and immediately
closing IE -- all without IE having displayed or processed any HTML
or JavaScript content! This obviously is a Trojan somehow
attached to IE and the OS itself.
After looking for recently inserted registry keys and new .DLLs
and EXEs in my system folder I discovered a file called pup.exe
in my root \WINDOWS folder. I then searched for pup.exe in my
registry and found one key that referenced it. Deleting both
the key and the file solved the problem, but only for about
half an hour! Now the file name "pup.exe" no longer exists
but the popups still occurred when closing.
I then did a Google search for "pup.exe" and "popup" and this
is ONE of the things I found...
http://www.theswap.com/BBS/DCForumID8/1169.html
Note that even Norton/Symantec AntiVirus corporate edition does
not yet detect it. So watch out for this baby. It is very
annoying. After further system hacking I finally got rid
of this.
Here's what I had to do. !!Warning!! Be very careful, and do
NOT even attempt this fix (which involves deleting files and
registry keys, and killing processes) if you do not understand
this stuff!!
Use explorer to view the DETAILED files list for all files
in BOTH the windows and the windows\system32 folders.
In Explorer's "View" pull-down menu, select "Choose Details..."
Then check/enable the "Company" option. Allow windows to work for
a bit (may take a few minutes) so as to search all your EXE
and DLL files and extract the company information. Once it is done,
sort the list by company name.
Look for all files by a company named "totempol". Make a note
of the name for each file. (I found just one file named
"XsclnRf.exe" -- THIS was the culprit)
For EVERY file by totempol, try deleting it. If you can't delete
it, look for the same file name running as a process and kill
the process. To kill a process (again, be careful), right-click
on the taskbar and select Task Manager. Click the Processes
tab. Search for a process that has a name like one of the filenames
from totempol. Click the "End process" button. You can then
delete that and the other files from totempol.
Then look for all occurrences of any of the totempol file names
as a key, a key value and/or as a data value in the registry. You
need to use regedit to do this. This requires searching through
and editing the registry. AGAIN -- do NOT mess around with the
registry if you don't know what you are doing -- you can cause damage!
If you don't know what regedit is or how to start it, you probably
should not risk using it.
You will probably find the offending exe referenced in the following
registry tree...
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete the key. Reboot and all should be well.
See the email below for additional history on this. Good luck!
Again -- DO NOT ATTEMPT all this if such detailed system
surgery is new to you!!
Kevin Jessup
kjessup AT charter DOT net
http://webpages.charter.net/kjessup/
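
The manual check described in the post above (list files by Company, look for matching processes, then search the Run key), as a read-only PowerShell script. This is an added example, not part of the original post. It assumes PowerShell 3.0 or later; the vendor string is the one the post names, and the HKCU Run key is an addition beyond the key the post mentions.

```powershell
# Read-only triage: nothing is deleted, killed or modified by this script.
$Vendor  = 'totempol'   # Company string named in the post
$Folders = @($env:windir, (Join-Path $env:windir 'System32'))

# 1. EXE/DLL files whose version-info Company field matches the vendor string.
$suspects = @(foreach ($folder in $Folders) {
    Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        Where-Object { $_.VersionInfo.CompanyName -like "*$Vendor*" } |
        Select-Object FullName, Name, LastWriteTime,
            @{ Name = 'Company'; Expression = { $_.VersionInfo.CompanyName } }
})

# 2. Running processes that carry the same base name as a suspect file.
$baseNames = @($suspects | ForEach-Object {
    [IO.Path]::GetFileNameWithoutExtension($_.Name)
})
$procs = @()
if ($baseNames.Count -gt 0) {
    $procs = @(Get-Process -Name $baseNames -ErrorAction SilentlyContinue)
}

# 3. Run-key values whose name or data mentions a suspect file name.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # HKCU: added here
$ignoreCase = [StringComparison]::OrdinalIgnoreCase
$hits = @(foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        foreach ($s in $suspects) {
            if ($data.IndexOf($s.Name, $ignoreCase) -ge 0 -or
                $valueName.IndexOf($s.Name, $ignoreCase) -ge 0) {
                [pscustomobject]@{
                    Key = $key; Value = $valueName; Data = $data; File = $s.FullName
                }
            }
        }
    }
})

# Report what was found so it can be reviewed before any manual cleanup.
'Files:';          $suspects | Format-Table -AutoSize
'Processes:';      $procs    | Format-Table Id, ProcessName, Path -AutoSize
'Run-key values:'; $hits     | Format-List
```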