Unable to remove actulice bug entirely...

My apologies if I come across as a brainless newbie in this post but I've been having ongoing problems when attempting to open any attached video files, as any attempt to do so results in a series of pop up boxes with the terms "funk" or "No modF", etc. I have gone through several other forums and made mulitple efforts to remove the bug using the advice found there (it is refered to as the "actulice" virus) with no success. I have spent the better part of the last day going through your "Read & Run Me First" list of steps before this post and I have attached all of the log files requested for your review (half in this post and half in the post to follow). During step 7 Hijackthis located a file with the "actulice" name and I selected the option to fix it, however the problem is still occurring.

 

Here are the remaining log files generated during the "Read & Run Me First..." process. A sincere thank you for any words of wisdom that might be forthcoming!

 

Wow...your kung fu is strong...o.k. I've run through all of the items you have suggested and posted the new logs (having placed the programs into the suggested folder first - sorry about that...). The keystroke loggers were definitely not installed on purpose.

After reboot locate the below folder and delete if found:
c:\program files\MedCh found and deleted
c:\program files\primesoft found and deleted
C:\WINDOWS\System32\PIN not found


I just tried to open up a .WMV file to test how everything is working and I now have that incredibly irritating pop up window named "actulice" up on the screen again with it's o so cheerful "No modF" message in the box. Attempts to close the box or to "end task" in Windows Task Manager cause it to disappear for a second, then it just pops up again....so frustrating.....

 

In answer to your earlier questions:

I see McAfee in your installed program list and I also see a couple lines in your HJT log where McAfee is trying to load; however the program is not running and does not truly seem to be installed (at least not properly). Did you uninstall it? I had constant pop ups from McAfee asking to update or purchase a new version, which prompted me to try to uninstall it.
If you did uninstall McAfee, why are you running with no antivirus application? I perform regular checks with AdAware and use CCleaner daily, using antivirus checks on the web on occasion...(translation: I am an idiot.)
Why don't you have a firewall installed? I plead the fifth on this one.
Why haven't you updated your Windows OS? I updated XP to SP2 but ran into so many problems with performance and general strangeness afterwards that I had to go to a Windows forum and follow the steps to use a system restore and go back to SP1, which seemed to alleviate the vast majority of trouble.

 

All steps were followed in the order given, I printed out all of your posts and checked off the items one at a time in the order provided. Re: removing Windows Messenger I downloaded and ran the application using the link provided and was presented with the message that "Windows messenger is not installed on this computer" followed by "Windows messenger has been removed."

 

Here's what I have so far...

1. The file is attached to an email in my email inbox.
2. The file name for this particular file is EverBeenThisDrunk.wmv
3. It is on my PC.
4. Any and all video files that are attached to incoming emails have an icon to the left of the file name (in the place of the windows media file icon) which looks like a miniature windows screen. Regardless of the file name, the icon appears as such for video files and if I attempt to open them it results in the activation of the actulice virus, which continues to pop up on computer start up and at other random points until I go through the removal process for actulice detailed on other forums. These removal steps seem to prevent the actulice pop ups from appearing when I boot up, but they do not solve the problem, which is that if I ever open up another video file (any video file attached to an email), actulice once again rears his ugly head.

HijackThis run per your directions (log file attached)

System rebooted, C:\Program Files\McAfee.com located and deleted

AVG Free Edition informs me that I have an outdated version of Roxio Easy CD & DVD Creator which will likely cause problems for AVG 7.5 and recommends I update Roxio via a link provided. I have attempted to update the program, but the Roxio site is not sending an email to my hotmail account so I can verify account activation, I've tried it a few times. Should I install AVG anyway? I thought it best to check with you before I went any further on the "to do" list.

 

I have just received the email from Roxio (not certain why the huge delay) and am updating. Will perform the remaining steps and get back to you shortly.

 

1. The file is attached to an email in my Outlook inbox.
2. The name of this particular file is EverBeenThisDrunk.wmv
3. It is on my PC.
4. Any and all video files that are attached to incoming emails are being displayed in Outlook do not have the typical small icon to the left of the file name (e.g. windows media player, quicktime, etc.). In the place of the normal icon a miniature windows screen appears. Regardless of the file name, the icon appears as such for video files and if I attempt to open them it results in the activation of the actulice virus, which continues to pop up on computer start up and at other random points until I go through the removal process for actulice detailed on other forums. These removal steps seem to prevent the actulice pop ups from appearing when I boot up, but they do not solve the problem, which is that if I ever open up another video file (any video file attached to an email), actulice once again rears his ugly head. I am able to forward these files home or to any other computer and they appear normally with no ill effects.

HijackThis run per your directions (log file attached)

System rebooted, C:\Program Files\McAfee.com located and deleted.

AVG Free Edition installed and run, the following is the list of items found:
General properties
Report name Complete Test
Start time 1/18/2007 1:02:42 PM
End time 1/18/2007 2:03:00 PM (total: 1:00:18.7 hrs)
Launch method Scanning launched manually
Scanning result Threats found
Report status Scanning completed successfully

Object summary
Scanned 83975
Threats Found 5
Cleaned 0
Moved to vault 0
Deleted 5
Errors 0
C:\WINDOWS\System32\ROWSERB.exe Deleted
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1300\A0085076.exe Deleted
C:\WINDOWS\actulice.exe Deleted
C:\WINDOWS\SYSTEM32\ROWSERB.exe Deleted
C:\WINDOWS\SYSTEM32\SUIEXTD.exe Deleted


ZoneAlarmFree has been downloaded and installed. System has been rebooted and I have been presented with the ZAF tutorial and the firewall is now up and running.

GetRunKey run (log attached)
ShowNew run (log attached) the only version of ShowNew I can find is the one on MajorGeeks in the link provided on the “Read & Run” step-by-step.
HJT run (log attached)

After completing all of the above, in order, I have just attempted to open another media file attached to an incoming email in Outlook and Zone Alarm notified of two program alerts. The first was that windows media player was trying to connect to the internet, which I permitted per the recommendation of Zone alarm. The second was that a program called msbb.exe (identified by it as spyware) was attempting to connect to the internet, which I denied per the recommendation of Zone alarm.
The media file never opened and now I have a "Zone Alarm Security" window appearing as though it's minimized but it is not reactive to mouseclick and is not appearing on "Windows Task Manager" as a running program...

 

I have rebooted my system and the "Zone Alarm" minimized window is no longer appearing. I have been attempting to open a few different .wmv files that are attached to emails within Outlook and after Zone alerts me of windows media player attempting to access the web and I opt to permit it to do so, I am being prompted with a pop up box that reads as follows:

"Install
This system must be restarted to complete the installation. Click the O.K. button to restart this computer. Press Cancel to return to Windows."

As I am not sure why I'm getting this I have not been selecting either of those options and simply clicking on another open window, which causes the "Install" pop up to disappear.
I'm not sure if this means anything at all, but I thought I should send be as detailed as possible with my experience at this end.
Any thoughts on whether we're close to beating whatever this is?

 

But you need to redownload the new version and extract the files again. You did not do this. You still have the previous version. new version downloaded 0.28 per log file


Some of my previous steps do not seem to have worked properly. McAfee still shows and yes a new infection appeared. Please do the following:

run a new scan with CounterSpy and fix all that it finds and attach a new log from it. counterspy run (log attached)
then uninstall CounterSpy since it could be getting in our way. counterspy uninstalled
Then run HijackThis and fix the below lines:
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe not found
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime found and fixed
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe found and fixed

Exit HijackThis and boot into safe mode and delete the below file (if found! HJT may already have deleted it):
c:\windows\msbb.exe booted into safe mode - file not found

Also delete the below folder if found!
C:\Program Files\McAfee.com file not found

Now attach the below new logs and tell me how the above steps went.
GetRunKey
ShowNew - but download the new Version 0.28 first!!!!
HJT
Are you still getting messages about completing an installation? If so, are they from ZoneAlarm not completing? When this message appears, DO NOT close it. First get me a HijackThis log while that message is on your screen.
I tried to open a wmv from hotmail this time and was presented with the following chain of events: 1) Message Window C:\WINDOWS\actulice.exe "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item" 2) closed window 3) new message window "Error - Could not execute the external program C:\WINDOWS\actulice.exe 4) closed window 5) Installation message appeared again - Per your directions I did not close the window this time and ran HJT (log attached)
Not sure if this is noteworthy, but there is also a file appearing on my desktop now called "DESKTOP.INI" which contains a notepad file with the following text: "[LocalizedFileNames]
Windows Media Player.lnk=@C:\WINDOWS\inf\unregmp2.exe,-4"

 

Show New Log attached (no space in previous post)

 

Okay, I have re-set the computer to boot in Normal Startup mode (I've done this a few times for earlier steps, I'm not sure how it got changed back to Selective Startup). The names of all the items in the Startup Items column are as follows:

NvCpl
DirectCD
E_S4I2K1
FirstStart
iTunesHelper
UpdReg
nwiz
mm_tray
WkUFind
DSentry
CTSysVol
CTHELPER
CTDVDDet
juschead
avgcc
zlclient
ctfmon
Monitor
GoogleToolbarNotifier
AdobeUpdateManager
mnyexpr
Audigy
Adobe Reader Speed Launch
Adobe Reader Synchronizer
Microsoft Office
Photo Loader supervisory

Items listed in Services tab (after "Hide All Microsoft Services" box is checked):

AVG7 Alert Manager Server
AVG7 Update Service
Creative Service for CDROM Access
InstallDriver Table Manager
Intel(R) NMS
NVIDIA Display Driver Service
TrueVector Internet Monitor
iPod Service

File type for WMV described as "Windows Media Audio/Video File", "Opens with wmplayer". Application used to perform action: C:\Program Files/Windows Media Player/wmpl

First 6 file names listed in "Date Modified" column of C:\windows\system32:
WPA.DBL
vsconfig.xml
settingsbkup.sfm
settings.sfm
DVCStateBkp--{00000002-00000000-00000009-00001102-00000004-10031102}.dat
DVCState--{00000002-00000000-00000009-00001102-00000004-10031102}.dat


Desktop.ini file deleted from desktop, not found in Documents and Settings, but located in Startup File and deleted.

Per your directions, I attempted to open an attached WMV file again from hotmail and encountered the C:\Windows\actulice.exe message. I ran Process Explorer and went through the steps described. Log files are attached as requested.

 

Having some issues getting the attached files to upload (they don't seem to be showing up in my last post - although they were definitely attached)...second attempt.

 

When I perform those steps and try to run wmplayer I get a "Threat!" warning from AVG indicating "C:\WINDOWS\actulice.exe - Trojan Horse DownloaderVB.3.X" as well as the pop up box "C:\WINDOWS\actulice.exe - Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the file." I have not yet closed the same box from the last attempt to open a WMV file attachment so now I have two of the same pop up boxes appearing on screen. Should I close these boxes or avoid them altogether?

 

Okay, I've installed and run the Sophos Anti-Rootkit 1.1. Log file is attached.

 

After updating AVG, I rebooted into safe mode and ran a full system scan. The scan identified four threats, all of which were listed as "Trojan horse Downloader.VB.3.X". The log is attached. In safe mode, I went to C:\Windows\Prefetch and deleted all files in this folder, per your directions. I took a look and didn't see any with actulice in the file name. I have now rebooted into normal mode.

 

O.k., after performing the steps detailed in step 8 of the Read & Run Me post, I ran AVG and it found no threats. However, when I clicked onto the Windows Media Player a "Threat" warning is displayed with the "C:\WINDOWS\actulice.exe file showing. I opted to "move it to vault" this time. Nothing we've done so far seems to have had any impact on this puppy, should I just give up and never expect to use Windows Media Player or see any WMV files on this computer? At this point I'm honestly ready to throw in the towel...any way to remove Windows Media Player and reinstall it? Would that work?

 

I just updated the windows media player on my computer to windows player 10 and I have successfully opened an attached wmv file without activating the actulice issue! Not sure if the problem is going to crop up in future, but at least it's a step in the right direction.