Puper-E Trojan Keeps coming back!

[owl182]

Hi,
I've been trying for days to get rid of the puper-e virus that Avast keeps detecting yet cannot remove. Its been detected in temp files but can't remove it because it's being used by another program. I've tried deleting my internet explorer temp files and running Avast in safe mode but I still have ads popping up. It also tells me my ip address,what browser I'm using, and whats in my documents folder. I'm ready to wipe out Windows XP and start over. I've been using Zone Alarm firewall along with Webroot spy sweeper also. I've downloaded some other spyware programs but I'm having zero luck at removing this pain in the XXX. It still got into my computer. Anyone have any ideas?
                     Thanks for any help,John

[DavidR]

1. Schedule a boot-time scan from within avast.
2. Programs in use are protected by windows (great when they are viruses).
3. Something that keeps coming back is likely to have become established with registry entries, etc. or is exploiting a vulnerability.

The best tool to see what is running on your system and removing registry entries is hijackthis.
Program & Tutorial - Download HijackThis.zip - HiJackThis Tutorial
For an on-line scan of your Hijackthis log file try here http://hijackthis.de/index.php
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.

Also see - Advice & Tools for virus/trojan/malware Removal & Prevention

[polonus]

Hi owl182,

DavidR gives you some sound advice. Also look at what starts up with this viewer:
http://www.diamondcs.com.au/index.php?page=asviewer. This could be additional to your HijackThisFile. If you get the latest HijackThisfile, sound thing to do is, download the zip, scan it with AVAST (always), check it with fileAlyzer (dates, checksums). Unzip it to your WINDOWS/TEMP folder, create an empty MAP by the name HijackThis in Program files, and copy the unzipped HijackThis files there, make a shortcut to the desktop and run, that is the procedure, according to SPYWARE WARRIORS,

greets,

POLONUS

[DukeNukem]

This may be of help.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPUPER%2EE&VSect=Sn

[owl182]

Thankyou For the replies given to me so far,I appreciate the help. I've waited reposting until I'd tried all the suggestions and some others. I work with my computer alot but am not proficient at programming or anything along those lines.

I've tried the scan and repair from Trendmicro(found 3 infections which were not cleanable but were supposedly deleted) but Avast detected the virus at startup again-"memory is infected!"

I have performed several boot time scans-and deleted the file but it returns again.

I tried going into the registry using regedit command to try to delete the entry "notepad.exe = popuper.exe". It is not there. As a matter of fact when windows tries to shutdown there is an error message posted for a few seconds"popuper.exe DLL Initialization Failed". This always appears when shutting down now.

My desktop now appears differently-I previously had an astronomy  photo for my screen but my desktop is just blue now with all the shortcut icons still present.

I've cleared temporary internet explorer files and offline files but it doesn't help. I currently use Mozilla Firefox as I had in the past. The popup ads still appear,some for a pornographic online dating service. These have the Internet Explorer icon present in the upper left corner when they popup.

I've downloaded the Startup Viewer but do not understand Polonus instructions for making a map,etc  I HAVE downloaded Hijack This and put it in a folder on my desktop. I performed a scan and then posted it to http://hijackthis.de/index.php. I now have a list of the entries I would like to fix  by Hijack This. BUT when I check these off in the list from my scan and click "fix" I'm told the entries will be deleted then  the screen goes empty. I scan again and all the checked items I wanted to delete  are all stll there.

I have also gone thru windows explorer and located the "hp temp file" containing the "Avast located infection" but the virus installs another temp file at reboot. Avast always detects the virus at the beginning of a computer session but is unable to move it to the chest.

I haven't fixed my problem but I now have some entries I'd like to delete so maybe there is still some hope in removing it without wiping everything out.

           Thanks, John

[polonus]

Hi Owl182,

When you start to clean up your files, you have to take care XP does not restore them back on. It does this automatically. Go to a hijackThis site and follow instructions, or go for advice to a specialised forum or ask our DavidR, he knows how to do this,

greetings,

polonus