Removing W32.Hitapop Virus?


Mike950

While doing a reinstall of SoundBlaster Audigy program files, Norton alerted
(and blocked) something called W32.Hitapop. I did some research and I think
I will be able to remove it but am curious why I can't find it on my
computer. NAV indicates that the files associated with the W32.Hitapop are
"jgl_rt\jshap or.dll" and "jgl_rtl_rt1\jshap or.dll" and says they are
located at: c\documents and settings\Mike\local settings\temp\.

I looked in that temp directory and there is no jgl_rt folder,
jgl_rtl_rt1\jshap or.dll folder or jshap or.dll files. (I have Explorer set
to show hidden and system files.) Any ideas on how I can locate these
files to see if they are really there? Thank you. Mike (WinXP Hm SP3)

Here is the main part of the Norton Report.

Risk Name: W32.Hitapop
Risk Category: Virus
Overall Risk Impact: High
Privacy: High
Removal: High
Stealth: High

Action Taken: Blocked

Affected Areas:

c\documents and settings\Mike\local settings\temp\jgl_rt\jshap or.dll

c\documents and settings\Mike\local settings\temp\jgl_rtl_rt1\jshap or.dll
 
From: "Mike950" <[email protected]>

| While doing a reinstall of SoundBlaster Audigy program files, Norton alerted
| (and blocked) something called W32.Hitapop. I did some research and I think
| I will be able to remove it but am curious why I can't find it on my
| computer. NAV indicates that the files associated with the W32.Hitapop are
| "jgl_rt\jshap or.dll" and "jgl_rtl_rt1\jshap or.dll" and says they are
| located at: c\documents and settings\Mike\local settings\temp\.

| I looked in that temp directory and there is no jgl_rt folder,
| jgl_rtl_rt1\jshap or.dll folder or jshap or.dll files. (I have Explorer set
| to show hidden and system files.) Any ideas on how I can locate these
| files to see if they are really there? Thank you. Mike (WinXP Hm SP3)


| c\documents and settings\Mike\local settings\temp\jgl_rt\jshap or.dll

| c\documents and settings\Mike\local settings\temp\jgl_rtl_rt1\jshap or.dll


http://www.symantec.com/security_response/writeup.jsp?docid=2006-120115-5706-99&tabid=1

Looks like a worm. You probably have a new variant.

Look at the Registry entry ; "Userinit" under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

It should be; "userinit.exe,"

Anyway...

The %tmp%\jgl_rtl_rt1\jshap or.dll as you indicated are most likely there but are marked as
Hidden System files and thus NOT viewable without changing the attributes or changing the
way Explorer views files and folders.
 
Thanks for the reply David, but as I indicated in my post, (I have Explorer
set to show hidden and system files.) but I still can find those files.
Since I was unable to find those two folders and the file, I ran a NAV on
just the Temp folder where they were supposed to be and NAV indicates that
the folders are virus free. Now I'm not sure what is going on because first
NAV says it "Blocked" (NOT REMOVED) W32.Hitapop and says the virus files are
in that Temp folder but when I run NAV on that folder, it says it's clean.

I also checked the Registry entry, "HKEY\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon" The value is:
C:\WINDOWS\system32\userinit.exe Which I believe is the correct value (or
is it?).

Here's what Symantec said about the Registry value that should be changed:

In the right pane, restore the default value:

from:

"Userinit" = "C:\WINDOWS\System32\userinit.exe,rundll32.exe
%System%\winsys16_[RANDOM DIGITS].dll start"

to:

"Userinit" = "%System%\userinit.exe, "

The problem with that suggestion from Symantec is that there is no "Userinit"
value line at the location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

A lot of help they are... lol Anyway, if you have any more ideas or
suggestions, I sure would appreciate hearing back from you. Thanks, Mike
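
An added example, not code from the thread or from Symantec: a Python check of the "Userinit" value discussed above, run over the three values quoted in the posts. The value lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, not under ...\CurrentVersion\Run; the C:\WINDOWS\system32 default and all function names are assumptions of this example.

```python
"""Audit a Winlogon "Userinit" value for entries other than userinit.exe."""
import ntpath
import os
import re
import sys

# "Userinit" is a value under the Winlogon key, not under ...\CurrentVersion\Run.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SYSTEM_DIR = r"C:\WINDOWS\system32"  # assumption: default install path


def _expand(entry, system_dir):
    """Expand %System% (the write-up's notation) and %SystemRoot% / %windir%."""
    windir = ntpath.dirname(system_dir)
    entry = re.sub(r"%system%", lambda m: system_dir, entry, flags=re.I)
    return re.sub(r"%(systemroot|windir)%", lambda m: windir, entry, flags=re.I)


def split_userinit(value):
    """Userinit is a comma-separated command list; a trailing comma is normal."""
    return [part.strip() for part in value.split(",") if part.strip()]


def audit_userinit(value, system_dir=DEFAULT_SYSTEM_DIR):
    """Return {'userinit_present': bool, 'unexpected': [entries]} for one value."""
    expected = ntpath.normcase(ntpath.join(system_dir, "userinit.exe"))
    present, unexpected = False, []
    for entry in split_userinit(value):
        expanded = _expand(entry.strip('"'), system_dir)
        path = ntpath.normcase(ntpath.normpath(expanded))
        # Accept the full path, or the bare file name as given in the reply above.
        if path in (expected, "userinit.exe"):
            present = True
        else:
            unexpected.append(entry)  # anything else runs at every logon
    return {"userinit_present": present, "unexpected": unexpected}


def read_userinit():
    """Read the live value from the registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
    return value


# Values quoted in the thread, reused here as sample input.
SAMPLES = {
    "value Mike found": r"C:\WINDOWS\system32\userinit.exe",
    "Symantec 'from'": r"C:\WINDOWS\System32\userinit.exe,rundll32.exe "
                       r"%System%\winsys16_[RANDOM DIGITS].dll start",
    "Symantec 'to'": r"%System%\userinit.exe, ",
}

if __name__ == "__main__":
    samples, system_dir = SAMPLES, DEFAULT_SYSTEM_DIR
    if sys.platform == "win32":
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        system_dir = ntpath.join(root, "system32")
        samples = {"live registry value": read_userinit()}
    for label, value in samples.items():
        result = audit_userinit(value, system_dir)
        clean = result["userinit_present"] and not result["unexpected"]
        print(f"{'OK' if clean else 'REVIEW':6} {label}: {value!r}")
        for extra in result["unexpected"]:
            print(f"       unexpected entry: {extra}")
```

On Windows the script audits the live registry value; elsewhere it runs over the quoted samples.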
 
Mike950 said:
While doing a reinstall of SoundBlaster Audigy program files, Norton alerted
(and blocked) something called W32.Hitapop. I did some research and I think
I will be able to remove it but am curious why I can't find it on my
computer. NAV indicates that the files associated with the W32.Hitapop are
"jgl_rt\jshap or.dll" and "jgl_rtl_rt1\jshap or.dll" and says they are
located at: c\documents and settings\Mike\local settings\temp\.

I looked in that temp directory and there is no jgl_rt folder,
jgl_rtl_rt1\jshap or.dll folder or jshap or.dll files. (I have Explorer set
to show hidden and system files.) Any ideas on how I can locate these
files to see if they are really there? Thank you. Mike (WinXP Hm SP3)

Here is the main part of the Norton Report.

Risk Name: W32.Hitapop
Risk Category: Virus
Overall Risk Impact: High
Privacy: High
Removal: High
Stealth: High

Action Taken: Blocked

Affected Areas:

c\documents and settings\Mike\local settings\temp\jgl_rt\jshap or.dll

c\documents and settings\Mike\local settings\temp\jgl_rtl_rt1\jshap or.dll

I wonder if it ( The Worm) wrote a Zero space file!!

Did you uncheck this check box beside showing the hidden files/folders:
[ ] Hide extension for known file types

Hit F5 then reopen the Windows Explorer again to locate the file in question.

You can use one of the following tools to help you out.
PendMoves v1.1 and MoveFile v1.0
http://technet.microsoft.com/en-us/sysinternals/bb897556.aspx

SDelete
http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx

RootkitRevealer v1.71
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

Where did you get the software for the sound card?
HTH,
nass
 
From: "Mike950" <[email protected]>

| Thanks for the reply David, but as I indicated in my post, (I have Explorer
| set to show hidden and system files.) but I still can find those files.
| Since I was unable to find those two folders and the file, I ran a NAV on
| just the Temp folder where they were supposed to be and NAV indicates that
| the folders are virus free. Now I'm not sure what is going on because first
| NAV says it "Blocked" (NOT REMOVED) W32.Hitapop and says the virus files are
| in that Temp folder but when I run NAV on that folder, it says it's clean.

| I also checked the Registry entry, "HKEY\SOFTWARE\Microsoft\Windows
| NT\CurrentVersion\Winlogon" The value is:
| C:\WINDOWS\system32\userinit.exe Which I believe is the correct value (or
| is it?).

| Here's what Symantec said about the Registry value that should be changed:

| In the right pane, restore the default value:

| from:

| "Userinit" = "C:\WINDOWS\System32\userinit.exe,rundll32.exe
| %System%\winsys16_[RANDOM DIGITS].dll start"

| to:

| "Userinit" = "%System%\userinit.exe, "

| The problem with that suggestion from Symantec is that there is no "Userinit"
| value line at the location:
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

| A lot of help they are... lol Anyway, if you have any more ideas or
| suggestions, I sure would appreciate hearing back from you. Thanks, Mike


Like I said, it looks to be a new variant. That description is old.

Even if you have Explorer view Hidden and System attributes, the active trojan can still
mask its view in Explorer.

Have you booted into Safe Mode and performed a scan?

Have you tried another anti virus "On Demand" scanner?
If not...


Download MULTI_AV.EXE from the URL --
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/


To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.



* * * Please report back your results * * *
 
Hi, I already had the box for "Hide extension for known file types"
unchecked so that wasn't the problem. The CD for the SoundBlaster is the
factory CD that came with the SB card so I don't think it was infected. I'll
look at the tools you suggested to see if they can help. Thanks for your
assistance. Mike
 
Thanks David, I'll try NAV in safe mode then try an On Demand AV like you
suggested (both in Safe Mode and Normal) and will report back. Thank you so
much for the detailed instructions. They will be very helpful when I try
this out.

Mike


 
Mike950 said:
Hi, I already had the box for "Hide extension for known file types"
unchecked so that wasn't the problem. The CD for the SoundBlaster is the
factory CD that came with the SB card so I don't think it was infected. I'll
look at the tools you suggested to see if they can help. Thanks for your
assistance. Mike

I have EXACTLY the same problem Mike, when installing my soundblaster etc
etc, the symptoms I have are a mirror of yours, no values added to registry
nothing !!!!
very strange, I am running a Kaspersky online scan to see if that spots
anything at all, but I shall not hold my breath
I must add that I actually installed all the creative drivers from the cd
last night with no errors, but today when updating everything on the
Microsoft website, there were drivers for the soundcard so I did the update,
this knocked my sound card out of use, so that is when I tried to reinstall,
and was then told that the hitapop virus was present. Did you do this also
?.......download the drivers from Microsoft I mean
 
Trotski, The SB sound card and software (new card and factory CD software)
were installed on this comp a year ago. I lost my audio a couple of days ago
and reinstalled the SB software from the CD then went to the Creative site
and installed the newest software upgrade for the SB Audigy card. Since NAV
shows that it blocked W32.Hitapop on 04/11/09 and back on 01/03/09 (prior to
me reinstalling the SB software), I don't think the virus was in the
software. I'm not sure what, if anything, the SB software has to do with the
W32.Hitapop. Maybe it was just a coincidence. Does seem strange that the
same thing happened to both of us though.

So far I have run NAV (in Normal Mode and Safe Mode) plus run the Online-On
Demand version of McAfee and no virus was found on my computer. But, I have
no idea what that means because NAV says it blocked W32.Hitapop from running
twice (once on 04/11/09 and once on 01/03/09) but doesn't say it was REMOVED.
So I don't know if the virus was removed or not. Please let me know if you
find any more information/solutions. Thanks.


 
David, I ran NAV in Regular Mode and Safe Mode and also ran McAfee (On
Demand Version in Normal Mode) and no virus was found on my computer. I
haven't tried the MULTI_AV.EXE yet. I guess that will be my next step unless
you can think of anything else. Thank you again for helping me with this
problem. Mike PS: Please see my reply to Trotski about his similar
problem. Strange about the SB software coincidence.



 
Mike
If you go to the Quarantine option in Norton it will show what file has been
listed as a Virus.
It could be a programming feature which made NAV list the Audio SB as a
Virus in this criterion.


 
Thanks nass but there is nothing in Quarantine. It appears that NAV blocks
W32.Hitapop from running but apparently does not/can not remove it. I have
no idea what makes Hitapop try to run. NAV blocked it once on 01/03/09
and once on 04/11/09 but what made it run is a mystery to me. Mike

 
Well I am damned if I can find anything anywhere, and as this only seems to
happen when installing SB Audigy, and no other software, I am really tempted
to ignore it. I have adaware se, cc cleaner, and symantec corporate anti
virus on the PC I have scanned, and checked and searched, so I am bored with
the whole thing now, as I believe that the worm ain't there no more, and if it
is then one of my systems SHOULD pick it up. It is just faintly annoying
having the possibility of a virus, if indeed there is one in the first place,
but I don't really think it is too much of a problem, so I shall just monitor
it, and we shall see what transpires.
 
What I can't figure out is the fact that NAV alerts on this thing when it tries
to run and apparently stops it from running but can't locate it as malware
during a normal scan and neither can McAfee. I sure hope someone can give us
some answers. Do we have something bad on our computers or is this some kind
of false positive associated with some other program?
 
Well Mike, except for a few problems with my internet connection.......which
seems to have sorted itself out (touch wood) I have had no further problems,
however I AM going to pop the battery on my motherboard for a few hours and
then replace it later on tonight, and see if this has any
effects......failing that if the problem does persist, I shall rip my hard
drives out, and purchase a new sata drive (any excuse to justify that
hehehehe), I take it that you have had no further feedback on this problem ?
 
I've gotten a little more information and "I Think" the bug has been removed
but am not entirely sure. I've been told that the "Blocked" designation by
NAV meant that the bug was blocked before it installed on my computer. I'm
not sure if I can believe that since NAV indicated that the file in question
was in that Temp folder but since multiple scans by both NAV and McAfee say I
am bug free, I guess I'll just hope for the best. What I did do for a little
more peace of mind was reset Restore Point to clean it out and ran NAV in
Safe Mode and Normal Mode and ran On Demand McAfee. So far so good. Thank
you to everyone that helped me out on this problem.
 