Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help please

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Help please

Unread postby km2357 » April 29th, 2008, 2:39 pm

Let's do this to get rid of the 018 line and clear up the Java error messages. Thanks to silver, ndmmxiaomayi and chryssi2001 for their help/suggestions.


Step # 1: Download and run ERUNT
  • You will be downloading ERUNT, a registry backup tool.
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note:to restore your registry, go to the folder and start ERDNT.exe

Open Notepad!
Copy and Paste everything from the Quote box into Notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop.

Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.


Step # 2 Download and run the Windows Installer Cleanup utility

Download the Windows Installer Cleanup Utility and save it to your Desktop

Double-click msicuu2.exe to install the utility.

Next, Click 'Start', click 'All Programs' (or 'Programs' on some operating systems), and then click the shortcut for the
Windows Installer Clean Up Utility to open the utility

Once the program is open select Java 2 Runtime Environment, SE v1.4.2 and Java(TM) SE Runtime Environment 6 Update 1 (if found )from the list. Once you have those selected, click Remove, then click OK

Reboot your computer.

In your next post/reply, I need to see the following:

1. A fresh HiJackThis Log
2. Are the two old Java entries still in Add/Remove Programs?
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
Advertisement
Register to Remove

Re: Help please

Unread postby harnage1 » April 29th, 2008, 8:37 pm

The old java programs have been removed from the Add/Remove list.

And the answer to your question, "Did you knowningly download Winsock Packet Editor Pro?"
Yes i did knowingly download the program. Is there a problem with downloading it?

To save you a little bit of reading time, the 018 file has been removed,fixed, or whatever you wish to call it. It is not there anymore.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:12 PM, on 4/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9224956506
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9224885754
O17 - HKLM\System\CCS\Services\Tcpip\..\{74CE9BCD-9360-49B3-8D3D-1E64F9A556A4}: NameServer = 207.69.188.185 207.69.188.186
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 4927 bytes
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Help please

Unread postby km2357 » April 29th, 2008, 9:42 pm

Good to see that the 018 line is gone. :)

And the answer to your question, "Did you knowningly download Winsock Packet Editor Pro?"
Yes i did knowingly download the program. Is there a problem with downloading it?


I asked because Kaspersky flagged the program as Sniffer.Win32.WpePro.a. The program has the potential to be a dangerous tool/program, I just wanted to be sure that you knew what it was and had downloaded it yourself.

Has your download speed gone back up to normal or is it still low? If it is still low, the best thing to do would be to contact your ISP about it.

You can now upgrade to Service Pack 2 for Windows XP. Since SP2 is a large file and you are on dial-up, the best thing to do would be to order an SP2 CD-ROM from Microsoft and have them ship it to you.

http://www.microsoft.com/windowsxp/down ... fault.mspx

If you do not want to order through Microsoft, be aware that it will take many hours to download SP2 over dialup.


You can now remove SDFix from your computer. Do the following to do that:

Delete SDFix.exe from your Desktop
Delete the following folder C:\SDFix from your computer.

You can also delete fix.reg from your Desktop as well.

Please open OTMoveIt2.

  • Click on the CleanUp! button. If your Firewall gives a warning about OTMoveIt wanting to download a file, allow it.
  • Answer Yes to the prompt.
  • The program will ask for a reboot. Answer Yes.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:
  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    • This will remove all restore points except the new one you just created.
    .

    Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.

  • Make your Internet Explorer more secure This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub frames across different domains to Prompt
    5. When all these settings have been made, click on the OK button.
    6. If it asks you if you want to save the settings, press the Yes button.
    7. Next press the Apply button and then the OK to exit the Internet Properties page.
    Set correct settings for files that should be hidden in Windows XP
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please checkHide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK
  • Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Windows Update Site Frequently It is important that you visit Microsoft Windows Update regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button on the task bar at the bottom of your screen
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then doubleclick it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok..
  • Use an alternative instant messenger program.Trillian and Miranda IM These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
    Opera.
    If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
  • Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miek ... ntion.html

Good luck!


Please reply one last time so that I know you have read my post and this thread can be closed.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Help please

Unread postby harnage1 » April 29th, 2008, 11:44 pm

I have run the programs you have listed and edited my internet explorer.
Thank you for helping me remove these mother****** programs and such from my computer.
Hopefully i will never have to go this ever again.
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Help please

Unread postby km2357 » April 30th, 2008, 2:10 am

You're welcome. Glad I was able to help out. :)
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Help please

Unread postby silver » April 30th, 2008, 3:31 am

This topic is now closed
We are pleased to have been of assistance in getting you clean.

If you have been helped and wish to donate with the costs of this volunteer site, you can do so using this link
Donations For Malware Removal
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
Advertisement
Register to Remove

Previous

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 55 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware