Mozilla Virus - winpup32

[cegerer]

THis sucks! I've got a virus on my laptop that wipes out all bookmarks and toolbars on Firefox. It's winpup32. My spybot doesn't get rid of it. I've done a Google search and come up with all sorts of answers. They either require buying a $40 piece of software or going thru some kind of convoluted manual delete process. Are the friggin' anti-virus software companies and the virus generators one in the same or what!!! Anyway, any easy way to get rid of this?

[Don 944 LA]

reminds me to back up bookmarks

[Saintly]

Is is spyware or a virus? if it's a virus then spybot will not be able to fix it.
Does it have another name?
try going to here
http://us.mcafee.com/root/mfs/default.asp?cid=9914
and run the free scan and then tell us what mcafee pick it up as.

[Saintly]

Did a search (should have done this first) and it's adware.
i would first make sure that you have the current version of spybot (v1.3), make sure it is updated, make sure that your immunised and then scan. then install adaware, update it and scan.
if neither can fix it automaticly then follow the manual instructions below:
good luck.

Winpup.winpup32 Manual Removal:
Follow these steps to remove Winpup.winpup32 from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.
1.
Kill processes:
systemroot+\pup.exe
systemroot+\system32\20444887.exe
systemroot+\system32\23777407.exe
systemroot+\system32\24065798.exe
systemroot+\system32\25199526.exe
systemroot+\system32\27032107.exe
systemroot+\system32\4026430.exe
systemroot+\system32\61692446.exe
systemroot+\system32\64075869.exe
systemroot+\system32\6904238.exe
systemroot+\system32\73934572.exe
systemroot+\system32\75082033.exe
systemroot+\system32\77946108.exe
systemroot+\system32\8439272.exe
systemroot+\system32\92135256.exe
systemroot+\system32\96062868.exe
systemroot+\system32\winpup.exe
systemroot+\system\msdmodw.exe
systemroot+\system\sratelcm.exe
systemroot+\system\storesp.exe23058718.exe
cmpi.exe
stimem.exe
syscm.exe
trojan.win32.startpage.ae.exe
winpup32.exe

2.
Remove AutoRun Reference: Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run. If you find the value dhcpv, delete it and reboot the machine immediately. If you find the value , delete it and reboot the machine immediately.

3.
Remove these DLLs with Regsvr32, then reboot:
msa32chk.dll

4.
Remove these registry items (if present) with RegEdit:
HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\pup
HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\asauthr
HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\dhcpv
HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\svidc32m

5.
Delete files:
systemroot+\pup.exe
systemroot+\system32\20444887.exe
systemroot+\system32\23777407.exe
systemroot+\system32\24065798.exe
systemroot+\system32\25199526.exe
systemroot+\system32\27032107.exe
systemroot+\system32\4026430.exe
systemroot+\system32\61692446.exe
systemroot+\system32\64075869.exe
systemroot+\system32\6904238.exe
systemroot+\system32\73934572.exe
systemroot+\system32\75082033.exe
systemroot+\system32\77946108.exe
systemroot+\system32\8439272.exe
systemroot+\system32\92135256.exe
systemroot+\system32\96062868.exe
systemroot+\system32\winpup.exe
systemroot+\system\msdmodw.exe
systemroot+\system\sratelcm.exe
systemroot+\system\storesp.exe23058718.exe
cmpi.exe
msa32chk.dll
stimem.exe
syscm.exe
trojan.win32.startpage.ae.exe
winpup32.exe

[Neilk]

I saw this in a Google Groups search. Try it out...



Hi SteveC,

Nav detects it as "Trojan Horse" correct?

It's not a virus, but it is a trojan. It displays certain advertising for some porn sites upon bootup.

Remove the startup keys that reference Winpup32.exe Winpup32[1].exe and Winpup32[2].exe from the registry

Ensure your Internet Explorer is patched with the latest Patch
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/se...)
because that is probably how it got onto your PC.


....

The file itself seems to spawn advertisements.....a drive-by d/l the
culprit.....

Look for --> C:\WINDOWS\SYSTEM32\winpup32.exe

And--> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ..... for it's startup key



.....

Just saw someone had ........C:\WINDOWS\System\winpup32.exe rather than the System32 folder.

SteveC
Thanks all; I have gotten rid of it.

[cegerer]

Thanks guys. I'll be doing some work on it this weekend and see what happens.

[RickM]

There are others that are either not detected or dealt with by the most popular virus and adware/spyware tools.

I have one critter on a laptop that has added an additional extension of .lnk to all shortcuts on the desktop, rendering them inoperable. It also deletes the Windows Explorer link so you have to go to Run and execute through there.

Best I could get was a virus called Adulent or Pirus.lnk...FProt is the only software that recognizes it but says it can't remedy at this time.... lol

[Neilk]

One last tip, download the Microsoft AntiSpyware beta program from here.

If you have XP or 2000 it will clean your PC of spyware. Don't worry about it being a beta, it's basically a repackaged program from a company that Microsoft recently bought.

[Mike(dat's me)]

I use CWSHREDDER and Adaware. They are both free downloads. (If you download the "free" version, not the full pay version).

Keeps my computer very clean.

[Zeke]

I got this last night. It was apparently a drive by. The name of one of a "suite" of programs was winupt.xxx. I got rid of most of it by searching for the time it was created and then downloading adaware. Thanks for the advice on that.

One that came in the "package" is called Gvlwvv.exe. I can't get rid of that because I can't find how to close it. Adaware won't touch it either.