Hello y'all
I wonder if someone can please help me? I keep getting a box pop up telling me I have a critical registry error and corrupted files. It is trying to redirect me to www.registrycleanerxp.com. I think it's probably malware? So I've done my Ad Aware and AVG and crap cleaner in normal mode and in safe mode and still it keeps popping up. How can I solve this/ get rid of this?
I'm running Win 2000 on a P4 with IE6
Thanks for your advise

Fi

Try this page...I hope it helps:
http://www.exterminate-it.com/malpedia/remove-registrycleanerxp

When you get done with Dwight's excellent (as usual) suggestion, you might also download and run RegScrubXP
which will get rid of all the junk in the registry. I use it extensively, and it cleans the registry very well for me, not to mention everyone's computer that I've suggested it to. All you need to do is install, then click 3 buttons, the "RegScrubXP finds problems" button, then the "Select all problems" button, then the "Fix selected problems" button. I usually run it 3 times right after the other to be sure it gets it all. Good luck!

chris

Hello again
I've tried exterminate-it and regscrubxp now. Exterminate-it, I did manually first of all and then subscribed to it and did an automatic clean up. Shut down and rebooted and was greeted by my critical error pop up from registrycleanerxp. I've just run regscrubxp and I'm still getting the pop ups. Seems there's another one from key32.com as well as registrycleanerxp.com. It's really annoying as I'm getting the 'page cannot be found' all the time on the internet and these random pop ups. I've run both of these clean ups in Safe mode too.
I just got my WinME changed to Win 2000 and these problems all seem to have happened since then (2 days ago). When I brought the computer home I put AVG back on it and it immediately picked up 4 Trojan horses and this stuff above. Do you think this has come from the disc the shop used to change my OS with? I'm normally quite vigilant with my clean ups and virus checks.
Thanks to you Dwight and Vansrme for your suggestions so far

Fi

Firecow
Its an annoying Popup that has Latched onto your computer and Has attacted some more "Pals"
You can Trap the Address from displaying with SpywareBlaster which Has Been updated the Other day to Version 4

Go to www.Javacoolsoftware.com to download a copy (choose Majorgeeks(Florida) from the choices of download sites)
The other"Way in" To Protect is the Anti virus route and the Avast! A/V Program does a brilliant Job, Updates daily
www.avast.com/eng/avast_4_home.html (Download Link here)

PS Both are Free

NOTE..Cannot recommend Ad-Aware as Recent versions Have been a bit unstable


Also Download ccleaner from www.ccleaner.com and run that on the Registry (cleaner)link, that should sweep out some of the clutter . The main cleaner can also be used and is Very Powerful but You must Untick on the Check boxes Before you start(especially Cookies ,History and Menu Ordering OK ) Otherwise it will take you a while to rebuild the Data

Question? ...Have you Windows Messenger on? This is a way they Land on the computer

Have not got the Disable switch location details for Win 2000
On XP Its located in Windows Services in the Administrative Tools folder in the Control Panel
Look for the "Gears" Icon(labeled Services)

firecow
Please get rid of registrycleanerxp, check this link out, its another form of junk itself, and is trying to scare you into buying their software. After you get rid of it, run regscrubxp again, and you should be ok.

http://www.411-spyware.com/registrycleanerxp

chris

Hi Chris
I haven't used registrycleaner.com at all. In fact I haven't been to the website, but my Win 2000 was installed by a computer shop in our town, I guess they have used it at some point? I just can't get rid of the pop ups and can't seem to find it in files or registry or anything. None of the cleaners are detecting it now, but it must here somewhere............

Try this program, the free version:

http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0

It works well for me to get rid of junk like registrycleanerxp.

chris

Hello again Chris
Just tried AVG again, still got my pop ups
I wonder is there any one here that could interpret my Hijack This report? And guide me through it?
Please please. I'm running out of time, I'm emigrating tomorrow!

Fi

Post your highjack log here and we'll take a look at it and see if we can offer any advice.

Dwight

Here's my latest Hijack This report.
I'd be really grateful if someone could guide me through this
Thank you for all the help so far

Fiona

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:48:15, on 10/03/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\System32\internat.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB6745BB-91BB-4CB9-90B1-732995461014}: NameServer = 212.139.132.36 212.139.132.37
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 3162 bytes

Before removing anything, check the Configuration to ensure that backups are being made. The "default" value is to make backups, so if you didn't change the default when you installed the program, then it should be set to automatically make backups.

Try "checking" and then fixing these two entries:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm


When that is done, restart the computer and see if that helps.

Post again if the problem remains exactly the same of if there is any difference noted.

Does this computer have any Symantec products currently running? Check the Control Panel/Add-Remove Programs list to see if any of the Norton or Symantec products are currently installed. If so, please list the exact name of the program.

Dwight

Also, there is another method that you can try which may be quicker...downloading and installing the hosts file. You can read a short blurb about this file here on my site, then if you wish, you can read the instructions and download the file by clicking on the Hosts File link.

You can use the mvps.bat file included in download to automatically install the file, except in Windows Vista installations. For that one, you will need to read the special instructions.

Do you mean to check if Hijacker makes backups? Yes it does make backups.
No there's no Symantec or Norton products on here, although I did go to Symantec to see if they had a fix for registrycleanerxp.
I didn't recognise those 09 extra buttons and the info about them seem to imply they were defunct, so I have deleted them. Rebooted the computer and was greeted once again by the same pop ups The computer is still randomly not opening/ not finding web pages ie it takes 4,5,6,10 refreshes to get Answerpool up.
I have read your Hosts file info. Is it worth installing it before I have got rid of this problem? Will it be damaged by it?
Thank you Dwight (and Chris) for your help and patience with me

In my opinion, the hosts file is the best method to prevent this type of problem. I suggest you give it a try.

Dwight

Hope you don't mind me butting in, firecow, but after you get this sorted out, I recommend from personal experience that you don't continue to rely on free programs for your computer's security.

A good program like McAfee is only about 40 USD a year and likely would have stopped this from happening.

On the other hand, I and my clients have had very good results using a variety of free antispyware/antivirus/firewall applications.

http://dwightblackburn.com#spyware

And I generally recommend against using a fix like McAfee or Norton Internet for home users.

This is ultimately a matter of opinion, I think. I prefer a number of good small applications that do only one thing. Each one either detects and removes problems or even better, prevents them in the first place.

I have spent a great deal of time looking for and trying different applications and have found what I think provides a great deal of protection while requiring only a minimal amount of user input; mainly updating, running and then removing any problems any of these point out.

I do not do any registry cleaner programs and only repair the registry when a specific problem is discovered.

For what it is worth...

quote:

Originally posted by Dwight:
I generally recommend against using a fix like McAfee or Norton Internet for home users.

Hi Dwight, can you explain this a little?

I'm not married to McAfee but since subscribing to it and dumping Zone Alarm and Avast! some time ago, I've had nothing on my computer except tracking cookies. And I visit some dicey sites (music) now that I wasn't able to before because of the malware they tried to load, and sometimes did. Nowadays not a peep.

OK...
Products like McAfee or Norton Internet Security (Symantec) are trying to do everything in the way of system protection.

They are trying to be your AntiVirus.
They are trying to be your Firewall.
They are trying to be your AntiSpyware
They are trying to be your popup blocker.
They are trying to be your content advisor.
They are trying to be your email scanner.
They are trying to be your system settings manager.

Imagine if something goes wrong with one of these functions...your system is badly compromised and the repair process is both lengthy and difficult.

Now imagine that you have a small program that is designed to do just one function. If something goes wrong with that, your entire system is not badly compromised and the repair usually just involves an uninstall/reinstall.

So I use both Lavasoft Ad-Aware (be careful of the spelling, there are some clones trying to trick with programs that are not real but have a similar sounding name), and Spybots. These two detect and remove any problem files they find.

I do not use the immunize function of spybots (Tea Timer), nor the Quick Launch option in order to just keep these as simple as possible.

I use the Ad-Adware, but not the adwatch 2007 option. I use only the manual update.

The second most important one (in my opinion) is the SpywareBlaster. This program prevents problems in the first place. Systems that are updated and protection enabled weekly just don't seem to have problems.

The most important one in this list (in my opinion) is the hosts file. Once again, it just prevents problems from happening by not allowing pages or parts of pages with problems to open. It is a simple text file with a list of sites and problem ads that will not open when the host file is installed.

http://dwightblackburn.com#spyware for free downloads. See http://dwightblackburn.com#hosts for information about this and a link to the download.

For a system with a broadband Internet connection and no router, I believe a good firewall is essential. I like the ZoneAlarm firewall from Zonelabs. Again, I do not use any of the spyblocker add ons, just the basic firewall protection. http://zonelabs.com

AVG is my preferred AntiVirus. Again, just the basic without any of the AntiSpyware/firewall add ons. http://free.grisoft.com

There are other programs out there that are just as good, but I've had good success with this group. I've seen discussions where one person will insist that one product is better than another and so I've looked into many different options, but I keep coming back to these because of long experience and good results.

Note: Spybots, SpywareBlaster and Ad-Aware have all recently been updated and have slightly different installation proceedures. You can install the new version over the top of the old.

I hope this helps!

Dwight