Puper.dll

[Gary Tayman]

I'm curious to know if anyone has heard of a trojan called puper.dll, or
something related to it.

A few days ago my system got hijacked pretty badly -- Internet
Explorerunusable, pop-up windows everywhere, and an endless string of McAfee
alerts stating that puper.dll has been found and will be removed upon
restarting the computer. If I restart, it comes back again. Spybot and
Ad-Aware found nothing; McAfee kept finding the puper.dll trojan but did
little else. Here's the really annoying part -- there were several new
icons on my desktop with shields on them, saying things like click to
update, click to delete spyware, and whatever. I was also getting pop-ups
saying I had a virus, and to click to install software that will remove it.
There was even a toolbar in Internet Explorer with these shields on them,
inviting me to click to "fix" everything.

I ended up taking the computer to the dealer. They cleaned it. When I got
it back it was much, much better, but still not clean. There were still
shields on the desktop, and after awhile I began to get those pop-ups again.
However it was far better than before, and I was indeed able to use Internet
Explorer.

So I downloaded and installed Spy Sweeper. It found a BUNCH of trojans, and
deleted them. Since then things have been far better -- no pop-ups, no
hijacks, and those funny toolbars and shields -- after deleting them they
didn't come back. That is, except for one. In the bottom right corner of
my screen, there's a yellow shield that gives the message "Updates are ready
for your computer. Click here to install these updates."

Running Spy Sweeper again, I've found several PUP's, called dialer 257. I
also occasionally get a McAfee message stating a trojan has been found and
deleted -- you guessed it -- puper.dll.

Is anyone familiar with this? Do you have a recommendation for getting rid
of it?

 

[Art]

I'm curious to know if anyone has heard of a trojan called puper.dll, or
something related to it.

A quick Google search returns tons of hits.

Art
http://home.epix.net/~artnpeg

 

[David H. Lipman]

From: "Gary Tayman" <[email protected]>

| I'm curious to know if anyone has heard of a trojan called puper.dll, or
| something related to it.
|
| A few days ago my system got hijacked pretty badly -- Internet
| Explorerunusable, pop-up windows everywhere, and an endless string of McAfee
| alerts stating that puper.dll has been found and will be removed upon
| restarting the computer. If I restart, it comes back again. Spybot and
| Ad-Aware found nothing; McAfee kept finding the puper.dll trojan but did
| little else. Here's the really annoying part -- there were several new
| icons on my desktop with shields on them, saying things like click to
| update, click to delete spyware, and whatever. I was also getting pop-ups
| saying I had a virus, and to click to install software that will remove it.
| There was even a toolbar in Internet Explorer with these shields on them,
| inviting me to click to "fix" everything.
|
| I ended up taking the computer to the dealer. They cleaned it. When I got
| it back it was much, much better, but still not clean. There were still
| shields on the desktop, and after awhile I began to get those pop-ups again.
| However it was far better than before, and I was indeed able to use Internet
| Explorer.
|
| So I downloaded and installed Spy Sweeper. It found a BUNCH of trojans, and
| deleted them. Since then things have been far better -- no pop-ups, no
| hijacks, and those funny toolbars and shields -- after deleting them they
| didn't come back. That is, except for one. In the bottom right corner of
| my screen, there's a yellow shield that gives the message "Updates are ready
| for your computer. Click here to install these updates."
|
| Running Spy Sweeper again, I've found several PUP's, called dialer 257. I
| also occasionally get a McAfee message stating a trojan has been found and
| deleted -- you guessed it -- puper.dll.
|
| Is anyone familiar with this? Do you have a recommendation for getting rid
| of it?
|


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

 

[Gary Tayman]

David,

I did exactly per instructions. When I ran the Sophos, it ran for about ten
minutes and then locked up. It just froze, with no changes for at least
another ten minutes. I did the three finget salute and it said the program
was still running, so I left it longer and nothing happened. I ended this
program and ran the others. The Trend found numerous errors but no viruses.
The Kaspersky found 1 known virus, 4 suspicious programs, and deleted them
all. This took practically the entire day. When finally through, I brought
things back up normally, and was greeted with the same trojan as before.

A lot of good that did! Don't the software companies find these new nasties
and put them into the updates? I've had this for a couple weeks now.


--
Gary E. Tayman/Tayman Electrical
Sound Solutions For Classic Cars
http://www.taymanelectrical.com

From: "Gary Tayman" <[email protected]>

| I'm curious to know if anyone has heard of a trojan called puper.dll, or
| something related to it.
|
| A few days ago my system got hijacked pretty badly -- Internet
| Explorerunusable, pop-up windows everywhere, and an endless string of
McAfee
| alerts stating that puper.dll has been found and will be removed upon
| restarting the computer. If I restart, it comes back again. Spybot and
| Ad-Aware found nothing; McAfee kept finding the puper.dll trojan but did
| little else. Here's the really annoying part -- there were several new
| icons on my desktop with shields on them, saying things like click to
| update, click to delete spyware, and whatever. I was also getting
pop-ups
| saying I had a virus, and to click to install software that will remove
it.
| There was even a toolbar in Internet Explorer with these shields on
them,
| inviting me to click to "fix" everything.
|
| I ended up taking the computer to the dealer. They cleaned it. When I
got
| it back it was much, much better, but still not clean. There were still
| shields on the desktop, and after awhile I began to get those pop-ups
again.
| However it was far better than before, and I was indeed able to use
Internet
| Explorer.
|
| So I downloaded and installed Spy Sweeper. It found a BUNCH of trojans,
and
| deleted them. Since then things have been far better -- no pop-ups, no
| hijacks, and those funny toolbars and shields -- after deleting them
they
| didn't come back. That is, except for one. In the bottom right corner
of
| my screen, there's a yellow shield that gives the message "Updates are
ready
| for your computer. Click here to install these updates."
|
| Running Spy Sweeper again, I've found several PUP's, called dialer 257.
I
| also occasionally get a McAfee message stating a trojan has been found
and
| deleted -- you guessed it -- puper.dll.
|
| Is anyone familiar with this? Do you have a recommendation for getting
rid
| of it?
|


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to
go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in
Normal Mode.
This way all the components can be downloaded from each AV vendor's web
site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.

You can choose to go to each menu item and just download the needed files
or you can
download the files and perform a scan in Normal Mode. Once you have
downloaded the files
needed for each scanner you want to use, you should reboot the PC into
Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want
to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal
Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

 

[David H. Lipman]

From: "Gary Tayman" <[email protected]>

| David,
|
| I did exactly per instructions. When I ran the Sophos, it ran for about ten
| minutes and then locked up. It just froze, with no changes for at least
| another ten minutes. I did the three finget salute and it said the program
| was still running, so I left it longer and nothing happened. I ended this
| program and ran the others. The Trend found numerous errors but no viruses.
| The Kaspersky found 1 known virus, 4 suspicious programs, and deleted them
| all. This took practically the entire day. When finally through, I brought
| things back up normally, and was greeted with the same trojan as before.
|
| A lot of good that did! Don't the software companies find these new nasties
| and put them into the updates? I've had this for a couple weeks now.
|

So why didn't you use the McAfee module ?

Did you try to create a DOS Boot Disk with NTFS4DOS and trying scanning the system after
booting from the DOS Boot Disk ?

Please submit a sample of "puper.dll" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

BTW: Your problem and XLurker's problem are not the same and should not be equated as such.

 

[Gary Tayman]

The McAfee was not in the instructions that I printed out. I was curious as
to why it's in there, but not to use it. Actually I have McAfee installed
on my computer.

No, I haven't made a dos disk. That's something else I'll try.

As for Puper, I'd be happy to do something with it if I could find it. I
tried search and it comes up empty.

What I've done so far -- the dealer I bought my computer from, takes all of
the old files, programs and all, and puts them in a folder called old_c.
I've has this computer for over a year now (does that qualify as antique?)
and I've noticed the old_c folder takes up plenty of time when running
spyware stuff over and over and over, so I just deleted it.

I'm also wondering if Spysweeper may do more in safe mode. I'll try again
when I have several hours to kill.

 

[pcbutts1]

If you have SpyAxe, SpywareStrike, PSGuard, Smitfraud,Spy Sheriff,Sinnaka
Advertisments or detections for Puper or Alemod that can not seem to be
removed automatically, please try this automated removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

What does this tool do?
This tool will attempt to delete several known Trojan files. These files are
modified by the malware authors and encrypted to avoid detection. The tool
will now remove parts of SpywareStrike and ask if you want to reset your
desktop background. If you choose yes, customized desktop options are reset
to Windows' defaults.
Fortunately, many of these tend to use the exact same file names. If the
files are in use, locked, protected, etc, this program will schedule Windows
to remove the files upon restarting.

This program will also remove some common security policies that are changed
by viruses and worms. Policies that lock out your desktop changes, windows
update, Windows Firewall, Explorer Run policies, Registry editing, and more
are all reset.

Finally, if you have an infected Alemod WININET.DLL file, this program will
try to copy a clean version from your Windows File Protection folder and
replace the bad copy on restart. If a backup copy can not be found, the tool
will quickly look for McAfee Antivirus files and attempt to clean a copy of
the file to replace the bad one on reboot. If all of this fails, you will
need to manually replace/clean your WININET.DLL file.

Also just a reminder there are new variants of this type of malware that
this tool may not detect. The tool has not been upgraded to detect the new
variants because of lack of donations and the constant bad information
posting from trolls in this group that don't like me. My new tool will
remove all variants and clean your system but you will have to find my
website to get it. Blame the trolls.


--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com

 

[David H. Lipman]

From: "Gary Tayman" <[email protected]>

| The McAfee was not in the instructions that I printed out. I was curious as
| to why it's in there, but not to use it. Actually I have McAfee installed
| on my computer.
|
| No, I haven't made a dos disk. That's something else I'll try.
|
| As for Puper, I'd be happy to do something with it if I could find it. I
| tried search and it comes up empty.
|
| What I've done so far -- the dealer I bought my computer from, takes all of
| the old files, programs and all, and puts them in a folder called old_c.
| I've has this computer for over a year now (does that qualify as antique?)
| and I've noticed the old_c folder takes up plenty of time when running
| spyware stuff over and over and over, so I just deleted it.
|
| I'm also wondering if Spysweeper may do more in safe mode. I'll try again
| when I have several hours to kill.
|

Gary:

Re-read those insttructions...
"The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC."

Chances are you have the retail version of McAfee VirusScan which does NOT include the
McAfee Command Line Scanner (CLS). That is what the Multi AV Scanning Tool provides. The
CLS can be more effective then the GUI and it has a Win32 and DOS version. Thus the DOS
version can be used from a DOS Boot Disk. Please read the included included PDF Help File.

As for finding the file it is most likely marked as a Hidden & System file and you have to
make sure to search for Hidden & System files and have Explorer show Hidden & System files.

 

[Gary Tayman]

I tried it.

It's still there. At least the shield is. The "Puper" deletion window only
shows up every so often, so time will tell if we've made progress on that.
The shield appears to be a leftover from the internet hijacker, where it put
these shields all over the desktop, and even had a toolbar on Internet
Explorer, trying to get me to install some "Security defender" or something
like that. When it hijacked IE, the browser was rendered useless. It's
back, and all those shields are gone (most removed manually) except for this
one.


--
Gary E. Tayman/Tayman Electrical
Sound Solutions For Classic Cars
http://www.taymanelectrical.com

 

[Gary Tayman]

The instructions I had were printed from the website. Step 9 says to press
2 to start Trend, step 10 says to observe the window, step 11 says to click
exit, step 12 says to press 4 for Kaspersky.

Do all of these have to be done in order? Also, would it be beneficial,
when in safe mode with restore turned off, to run Spysweeper?

The first sweep, with Sophos, locked up on a file that I know is useless.
I'll find and delete it, and try this out again.

I've got the impression that the file(s) I'm looking for have no telltale
signs of being vicious. There's some instruction somewhere in the registry
that tells windows to put this link on the bottom corner, and who knows --
the program itself may have been caught and deleted. But the only way to
find out might be to click to install, and if still there it could make a
mess of things.

 

[David H. Lipman]

From: "Gary Tayman" <[email protected]>

| The instructions I had were printed from the website. Step 9 says to press
| 2 to start Trend, step 10 says to observe the window, step 11 says to click
| exit, step 12 says to press 4 for Kaspersky.

| Do all of these have to be done in order? Also, would it be beneficial,
| when in safe mode with restore turned off, to run Spysweeper?

| The first sweep, with Sophos, locked up on a file that I know is useless.
| I'll find and delete it, and try this out again.

| I've got the impression that the file(s) I'm looking for have no telltale
| signs of being vicious. There's some instruction somewhere in the registry
| that tells windows to put this link on the bottom corner, and who knows --
| the program itself may have been caught and deleted. But the only way to
| find out might be to click to install, and if still there it could make a
| mess of things.


| --
| Gary E. Tayman/Tayman Electrical
| Sound Solutions For Classic Cars
| http://www.taymanelectrical.com


System Restore should NOT be disabled. You need it just in case you remove malware and
the system is completely unstable. Then you could restore the system, albeit to an
infected system, that was know to work and remove the malware using a different process.

You would dump the contents of the System Restore cache (disable the cache) after you know
the PC is clean then re-enable the System Restore cache then create a new Restore Point.

It is always best to scan in Safe Mode.

You said "The instructions I had were printed from the website. " -- Which one ?

I gave you a specific set of instructions in mty reply email. That is what i suggested
you do. You can download an AV module in Normal Mode and then scan in Normal Mode or in
Safe Mode. If a given infector is detected in Normal or Safe Mode but is not removed in
either mode you can then create a DOD Boot Disk with NTFS4DOS and then scan the PC in DOS.

 

[Gary Tayman]

You said "The instructions I had were printed from the website. " -- Which
one ?

I gave you a specific set of instructions in mty reply email. That is
what i suggested

The one that you recommended in your former message:

 

[David H. Lipman]

From: "Gary Tayman" <[email protected]>


| The one that you recommended in your former message:



OK -- I got you now. BigBruva's instructions set !

Those are a more envolved set of instructions to the use the Multi AV Scanning Tool.
I am sorry if they complicated its use or confused you.

 

[Gary Tayman]

I do have a question: Is there a way to follow a link without activating
it? It appears the only problem I presently have is that little shield on
the bottom corner of the desktop, inviting me to install some updates. I'm
very curious at to what program it's trying to activate if I select it, so I
can find out if the program has been removed or is still there. Also I want
to obviously remove that shield from the desktop.

Aside from that there doesn't appear to be any signs of suspicious activity.
That other anti-puper patch may have removed that trojan; at least I haven't
had one of those messages since I ran it.

 

[David H. Lipman]

From: "Gary Tayman" <[email protected]>

| I do have a question: Is there a way to follow a link without activating
| it? It appears the only problem I presently have is that little shield on
| the bottom corner of the desktop, inviting me to install some updates. I'm
| very curious at to what program it's trying to activate if I select it, so I
| can find out if the program has been removed or is still there. Also I want
| to obviously remove that shield from the desktop.
|
| Aside from that there doesn't appear to be any signs of suspicious activity.
| That other anti-puper patch may have removed that trojan; at least I haven't
| had one of those messages since I ran it.
|

The shield in the running TaskBar ?

There are Trojans that specifically load there to look like the legitimate MS versions to
get you to use their malicious tools.

You say "...inviting me to install some updates" Are they MS Critical U[pdates or "other"
non-MS software ?

If it is NOT legitimate, you can read the following...
“How to perform a clean boot in Windows XP”
http://support.microsoft.com/kb/310353

Then you can selectively enable/disable items being loaded and possibly disable the item
loaded in the taskbar.