and they wonder why I stay away from emule and all those other virus ridden places... thanks for reinforcing my staying totally away from all of that!

I got this downloading a zip file named DEMO!!! So innocent people are getting this also!!!
There are a couple of other steps you need to do:

1. There will be TWO files under Program Files that you need to delete
A. A Visual Basic folder and all contents with a file named 'nctrup.exe' in it.
B. Do a searc for 'nctrup' on your 'C' or 'System' drive and delete ALL files found.
C. There will also be a file named 'restore' with some weird letters (it varies) in your Program Files folder. Delete all of it. If you have Spybot Search & Destroy go to its startup section, and it will show it to you. It should be the only folder that says 'restore'.
D. Do a registry search for 'nctrup' and delete ALL you find. There will be more than a few. When I found one I deleted the head folder in registry that that folder was contained in or a sub sub sub folder of.

E. I had three places in my registry that I had to fix NoControlPanel with a '0' (zero) instead of a '1' (1 is BAD).

F. The names of the backup folders that put this Trojan back on your system are somtimes different or vary some. Do a system drive search for any other filenames mentioned by others here that were kind enough to help. A BIG thank you to those who took the high road and helped out.

Hope this is of some help to others that downloaded a DEMO in good faith from a normally good shareware site. That is one of the problems when someone does something like this, it ends up with a name on a shareware site and hurts innocent people. There is never a reason or excuse for something like this. Coding and distributing a Trojan/Virus/Worm is still illegal and punishable by a hefty fine and jail time. Whoever did this is just as bad as the 'pirates'??? he/she was trying to get revenge on.

IMHO
isepiq

P.S. Almost forgot. Lavasoft Adaware v1.05 (newest one) with todays updates will find and remove a lot of this Trojan. I had to go into the Lavasoft install folder and click on the exe file to get it to run, instead of getting that Trojan window.

Innocent people get a lot of crap on the internet. That's a fact of life. "Chance favors the prepared mind." What I mean by that quote is that *BEFORE* you download anything, make sure your AV, firewall, and spyware software are up to date. Scan the hell out of whatever it is you want to install BEFORE installing it. Scan your system with the spyware software after, as well. When all else fails, it is my experience that it's good to have a fairly up to date copy of a WinPE boot cd handy. Yes, ok, this is beyond the capability of the average user. However, if people took the time to learn a few precautions, we'd probably not have as many zombie machines running around. In any case, it behooves you to know what it is you're downloading and installing and to take the proper precautions before actually installing it.

All that being said, I agree with you that the j@ck@$$ that wrote that trojan ought to be punished by a fate worse than death. These idiots think they have some great programming skills because they can exploit people's ignorance and get them to install it, but, the truth is they are the lowest form of sludge in the computing world. Nonetheless, they will always be out there writing this crap. Hence it's up to everyone to be vigilante about keeping as many machines as safe as they can. It's the price we pay for being a digital citizen I'm afraid.

Just a note: I build and program computers, and ALWAYS do virusscans even on 'safe' downloads from shareware/demoware sites. I also have Spybot and Spyblaster, and TeaTimer and other programs running all the time, not to mention a multi-layered firewall.

One other thing this Trojan did: It messed up the 16 bit msdos run command. You can go to Microsoft and do the fixes. You fix 3 files: autoexec.nt, config.nt, & command.com. You have to expand them from your XP disk into your system32 folder to fix this minor last problem.

Also, running the newest v1.05 Adaware from Lavasoft with newest dat files was what let me into the registry and other things. It IS IS IS worth buying this program.

ALSO!!! It messed up my RETAIL legit copy of AnyDVD even thought he demo said CloneCD DEMO. Had to uninstall it as it cut access to my cd/dvd drives, and before it did that it had me burning coasters of my sons newest Retail PS2 disk that I was trying to make a backup copy of. UGH!!!

So, a SAFE site, a SAFE Demo, Scanned with 3 different programs did NO GOOD. Who needs a mule??? program to get a trojan/virus, hah!

Hope this is of some help.
IMHO
isepiq

With these MP3 files having been deleted - no-one has said they have recovered the MP3s as well as control of their system. If not, have you tried a file recovery program - eg RecoverMyFiles or Handy Recovery - as I think this coupled with the actions detailed above would fully restore things to "normal". Hope this suggestion helps any innocent users.

Yes I fell prey to this so called virus as well. Norton never found it. This just forced me into replacing my 120 gig HD with a 250. I was able to recover all my MP-3s with Handy Recovery although I had to create a macro to rename them back to their original names. The offending file is a 208KB keygen.exe. Everytime a program was started on te PC a window would come up asking yu to report piracy to som site in the uk so there seems to be many version of the same thing. The one I got was bundled with AnyDVD on Edonkey and was supposed to be a crack. Shame on me for running it. I was taken off guard. I knew better..guess it must have been late at night.

GREAT NEWS!!!!!

Symantec AntiVirus discovered this virus on June 4, 2005 and is releasing a fix in their virus definitions on June 5, 2005.

AKA: W32.Nopir.C, W32/Nopir-B [Sophos], Nopir.A [Panda], WORM_NOPIR.B [Trend], W32/VB.CZ (Nopir.B). Flock archives mp3 and COM, VB.CZ, P2P-Worm.Win32.VB.cz, W32/Nopir.B, W32/Nopir-B, W32/Spybot.SC.worm, Win32/VB.CZ, Worm.P2P.Fupi, WORM_NOPIR.B

http://securityresponse.symantec.com...2.nopir.c.html

Riiiiight....and that's not illegal . No let's not start a discussion about this 'cause this is a 'grey' area.
And since when is it legal to take the law in own hands?

Anyway, I'm infected too with this #@$%& virus. Tried all of the above but seems like "new" version of virus. Can't turn anything back in Safe Mode, cannot execute any .exe .bat or .com files. So I hope the symantec fix works, that is if they have an online scan option. Let's hope for the best.
btw I got this from dloading a demo of AnyDVD. Seems like people wanting to backup their DVD's are the victims

This is exactly why I'm an advocate of having a WinPE disc on a CDRW. Update it once a month to get the latest virus defs and McAfee stinger program. Then if you find you can't boot because of a *(&Y^&*^ing virus, boot up the WinPE disc, run the stinger and whatever antivirus program you have and it'll take care of it. It's better to do it this way than "live" in the OS anyway because the virus doesn't get a chance to lock itself in memory so that it can't be deleted. Bart PE makes creating the PE disc rather painless. The trick is to keep it up to date.

The best way for anybody to download the DEMO is to got to the programs site and you will get a clean copy of it.

What's a WinPE disc again Samur? Or better what does PE stand for? I'm not sure but think I once used something like that. Also used the Stinger prog but forgot why I removed it (and indeed I have to keep the disc up to date)
The prob is most virus progs have to catch up with the different virii. I scanned with several online progs but none recognized the virus. Not even symantec. Guess I have to buy norton then (maybe the trial also will get it?)
Anyway I'm a step further now dloaded an info file from symantec which partially restored my reg. (Can start progs now ) Only thing I have to do now is get Admin rights back and ofcourse try to rescue my legal mp3's.

And BJ you're absolutely right (or get demo's from TRUSTED sites. ) I will not let my guard down again

If anyone still has probs with this virus, plz read the article DJGroove is referring to.

http://www.nu2.nu/pebuilder/

That should get you started on the PE disc. It stands for Preinstalled Environment. It allows you to boot a small windows xp environment. At that point, depending on what you installed in the PE environment, you can do things like scan for and remove viruses on the host system. Because you're booting from a CD environment, none of the files are in use and the virus wouldn't get a chance to load...it makes removing them much easier.

Oh, and while you're at it, screw the Norton stuff....go check out Avast. It is definitely one of the best free antivirus programs out there. They also have a PE install for Avast.

http://www.avast.com/eng/avast_bart_cd.html

Enjoy!

funny how linux/unix/and mac are almost never affected by things like these

praise microsoft for making the best os

It took me the whole weekend to clean my system of Nopir.C, I refuse to reinstall the OS and programs, such a pain in the ass, but I did learn my lesson about backing up and downloading new cracks. This time I am going to back-up the registry and do a Norton Ghost of the HD, and keep a minimum of 2 virus programs installed.

I installed 4 anti-virus programs (F-prot, Sophos, Trend, Norton) and ran them all, the best programs seem to be Trend Micro PC-cillin and Norton. I also installed a demo of Trojan Defense Suite TDS-3 (tds.diamondcs.com.au/) to look for trojan back doors. Ad-aware SE and Spybot worked well to find repeating spyware.

I noticed that after Trend PC-cillin finished scanning my system all of a sudden Norton was picking up tons of Hacktool temp files in the temp folder under Windows, I looked in the folder to see if I can do a grouped deletion but I don't see them, so I have to keep clicking OK one-by-one on the Norton deletion window.

Question: If I reinstall WinXP from the CD, it says that all programs will be deleted, but does it keep the data behind such as Outlook e-mail PST file or does it do a reformat?

Do you think I am taking a chance by not re-installing XP? I figure I can trust the virus programs to clean my system, what do you think?

IMAO, running more than one anti virus is a bad idea, as they will fight over each other, i had a trojan and mcafee didn't get rid of it and i went to castle cops and was given a site to upload the file to and Bit Defender found it, so i downloaded it and it gave me 6 hours of problems trying to boot up properly untill i managed to get into start up programs to disable one of the a/v then uninstall it.

@ DJGroove,

Personally if my system had been infected with a virus I would low level reformat my hard drive and would re-install my operating system. This is the only way to positively ensure that all remnants of the virus have been completely removed from your hard drive and that your operating system is operating at its peak efficiency. After completely installing my system I would make a disk image of my system using a disk-imaging program similar to Symantec Norton Ghost.

Also it is advisable not to use multiple anti-virus software due to compatibility conflicts.

Best Regards,
bjkg

DJ G,

I agree about the multiple AV progs. That's not advisable. Some AV's even demand that you use only 1 (they won't install when another one is found)

Did you clean your reg btw? I did a search on mmsete and outlookrem in regedit and deleted the keys. (I unticked them first in msconfig but don't know if it's necesarry).
I'm sure now that I'm not infected anymore and didn't reinstall Window$. When you do make sure you rename your My Documents folder, 'cause it's overwritten. I lost several files thx to this including some pics and other important files.

And concerning Norton I had the same prob. In my temp folder Norton found 23805!!! infected files and I had to click the virus warnings away. (Discoverd it only after I had clicked about 800 times OK ) And this was another virus than the w32.nopir.c.
Only thing I have to do now is try to recover my lost files. Handy recovery couldn't seem to do the trick. Maybe this had something to do with the tmp files? Anyway in H.rec. the deleted folders are also empty.
Am trying other demos (from trusted sites ) atm.

I screwed up something badly, I will uninstall Trend and only use Norton. My latest problem is that my temp directory is filling up with temp files and Norton pops up a window saying each tmp file is a hacktool and asks to delete or quarantine each one separately. There are thousands, I tried to erase them all in the Quanrantine folder but they keep coming back. I did an entire scan of my system and it says that nothing was found except for these tmp files which is in a separate Norton window. I was reading the Norton site and it looks like they added some more instruction lines to getting rid of this Nopir.c plus a updated virus definition. I have almost reach my boiling point which means reformat. This Cyberbob prick needs a good beating and to be ass raped by MJ.

Yes it does sound as a reformat, and only one antivirus.

Finally Success!

Looks like I zapped the Nopir.C virus. After removing the extra virus scanner Trend and following the reg cleanup instructions from Norton, everything is working fine. No more repeat temp files (I think this was a problem caused by having 2 virus scanners competing against each other or it could be the extra quotes that I added in the registry values read next). The final task was to search the regedit for all files of mmsete and outlookrem and delete. Prior to starting this cleanup I noticed that my Outlook was not receiving e-mails from the default account, it was showing a connection error, now everything is resolved.

Another mistake that I did was adding an extra pair of quotes in the registry values, I was typing exactly what it said on the instructions from Norton, but I found this out after noticing no programs were opening, so I figured they used the first set of quotes just to highlight the new values.