Cannot Remove Program

Hello All!

Please forgive me if I've posted in the wrong forum.

My boy downloaded Morpheus Ultra 5.1 on our home computer. I went into our Control Panel - Add or Remove Programs and selected Change/Remove.

There is a pause, then our ZoneAlarm brings a Security Alert.

A~NSISu_.exe is trying to access the trusted zone.
Identification: Not available in ZoneAlarm
Application: A~NSISu_.exe
Destination: 127.0.0.1ort 2556

I selected "Deny". After that the ZoneAlarm warning goes away and a small blank Internet Explorer window opens up. Then nothing.

I close the IE window and retry removing the program again and the same thing happens.

I've Googled A~NSISu_.exe and have not been able to get any good information on this and whether or not I should "Allow" it.

Can anyone help me with this? I dont want to create a bigger problem but I would like this program off our computer.

Cheers.

 

That file can be part of the uninstaller program but it can also be potentially dangerous. So I'm going to ask the moderators to move your thread to the Malware Forum, where you will receive expert technical assistance with this

 

Thank you Lev.

I've started the Malware removal process now.

I'm having a problem at starting the computer in Safe-mode. I get to the Boot.INI and select SafeBoot "Apply".

I then get a dialog box "System Configuration" An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specific changes.

It then says to Restart computer, but nothing happens.

To go back and give you a bit of history, we learned we had pirated Windows XP Pro and got the popups. We purchased the software from Microsoft inserted the disc and it updated our system. On the pirated version , when we would startup our computer it would go to the blue screen, with the administrators box to select. When we installed the new XP Pro whenever we start our computer the Blue screen appears with "Windows". No box to select. We just click the screen and it starts.

How do I set up or get to Administrators account?

Thanks for all the help.

 

"I HAVE RUN ALL THE STEPS IN THE STICKY"


Thanks for helping me out Chaslang.

I could not get into SafeMode using the start-run-msconfig-safeboot
however I was able to get to safemode by restarting the computer and selecting F8.
This did bring up the startup page with Administrator and Work. I entered my password and did most of the steps in Administrator.

I ran CCCleaner, Spybot S&D, AVG Anti-Spyware, BitDefender.
I could not get a connection when I tried to run PandaScan while in Safemode, so I ran it in normal boot mode.

I ran GetRunKey, ShowNew and HijackThis. I will post these results in my next post.

Thanks,
Global

 

Here are the results of GetRunKey, ShowNew and HijackThis.

One other questions Chaslang, and this could perhaps be answered once the other problems are delt with, but how can I stop certain programs starting when the computer reboots.

Specifically: QuickTime (Not sure if I even need this program)
DVD43
Windows Messenger
Skype
IObitDefrag (Just recently loaded after reading,
"Basic computer maintenance everyone should do", by
Major Attitude)

 

Hello Chaslang,

I uninstalled the below old versions of software:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6

I could not get my computer to reboot. Start-Turn Off Computer-Restart. I tried this several times with no luck so I held in the button on my tower to turn off the computer. I waited a few seconds and then turned it back on.

I uninstalled Morpheus Ultra 5.1, and allowed the A~NSISu_.exe program to run. This seems to have worked. It is no longer listed in my Add/Remove Programs list. However, when you click on Start-Programs...Morpheus Ultra is listed.

I installed the current version of Sun Java from the link you provided.

I ran Disable/Remove Windows Messenger and removed Windows Messenger.

I copied the bold text you provided to notepad and saved it as fixME.reg to my desktop. I was sure the "Save as" type was set to "all files" Once I saved it I double clicked on it and allow it to merge with the registry.

I tried to restart my computer but am continuing to have the same issue. Once I click on Restart, nothing appears to happen. Although one of the small icons (SoundMax Control Panel) in the lower right corner of my screen has a red circle with a line through it.

Now regarding the two files you were concerned with, they ring a bell. This is a link to a post on MajorGeeks I sent back on July 16, 2006. You helped me back at that time. I've added a bit of I wrote to you back then.

http://forums.majorgeeks.com/showthread.php?t=97218

4) Major concern last week. We leave our computer on and hooked up to the internet 24/7. We turned on the monitor one day and found five items open or changed.
i) Internet Explorer was open and the address was: http: //badars.phpnet.us/ SpooIs.exe
ii) Our control panel was open and Windows Firewall was hi-lighted.
iii) A black DOS window was open and one line of text caught my eye. C:\WINDOWS>SpooIs.exe -install Access is denied. (I have screen shots of this)
iv) Our AVG had been removed
v) Our Skype name had been changed to something rude.


I've attached the new logs for you to have a look at. If there is anything else you require, please let me know.

Cheers,
Global

 

One additional note Chaslang. After submitting my last post I restarted my computer by turning off the computer at the tower. When the computer rebooted I noticed my HP Director Icon (for my scanner) had changed to the same icon as SpywareBlaster.

I also took note of the icons in the bottom right had corner of my screen.
ATI, Skype, QuickTime, ZoneAlarm, IObit, AVG, Sound Max, Local Area Connection, Volume, Safely Remove Hardware, DVD43 and ATI.

I selected restart and some icons closed.
ATI, QuickTime, AVG, SoundMax, DVD43, ATI

I selected restart again-Nothing Happened.
So I closed Skype in the bottom left.

I selected restart and nothing happened.
I closed IObit in the bottom left and tried Restart.

This time the computer restarted.

Not sure if this info is of any help to you, but thought you should know.

 

Hello Chaslang,

It appears there are no Malware problems. Although my pages load very slowly while I'm surfing. Any thoughts or suggestions?

Could you explain to me what fixME.reg was suppose to do?

I have attached the Spools zip file with this post.

Global

 

Hello Chaslang,

I have run Sophos Anti-Rootkit and attached the requested log.

We have no Playstation Portable on our system.

I have renamed SpooIs.exe to SpooIs.xxx

I will let you know if I notice any problems running anything or getting any error message that may be related to this application being missing. At this point I'm not noticing anything.

I'm running IObit SmartDefrag Beta 2.01

I have run HJT and fixed the requested lines. I then exited HJT and rebooted the computer.

I have attached a new HJT log.

QuickTime and DVD43 still loaded after rebooting the computer.

Cheers,
Global

 

Hello Chaslang,

I have disabled the auto defrag feature of IObit SmartDefrag.

I have disabled Windows Defenders Real time protection.

I have repeated HJT, however no lines remained to be fixed.

I will attach a HJT log.

Web pages still load very slowly.

Cheers,
Global

 

Hello Chaslang,

I opened HJT and fixed the following:

O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab

I have also attached a new HJT log.

We are aware WinVNC is loaded on our computer and it is password protected. My wifes type of work may require her to use this in the near future so we would prefer not to uninstall at this time. Your thoughts?

We primarily use Firefox to browse the web. Although we do use Explorer the odd rare time.

After comparing both browsers they appear to load at the same rate. I will take your advice and call our ISP.

I found that the pages loaded at about the same rate in Safemode.

When do you suggest we re-enable IObit and Windows Defender?

***Here's something odd you might be able to explain to me. When I went into safemode, the logon page came up with Administrator and user named Work. I entered my Administrator password and the desk-top opened. Not all of my icons were on the desktop. Ie: Firefox shortcut was there and Explorer was not.

I logged off and changed to "Work" user. There all my icons from normal boot mode were. Strange.

I should also mention that when I'm in either Administrator or Work and go into msconfig and select safeboot, normal or selective boot, I get the dialog box that says:

An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specific changes.

I look forward to hearing from you Chaslang.

Cheers,
Global

 

Hello Chaslang,

My apologies regarding the HJT log. I've attached it now.

We have a router between our computer and our ISP connection. We have DSL.

After reboot, Windows Defender Real Time Protection was still disabled.

I disabled ZoneAlarm and ran msconfig. When I selected the BOOT.INI tab and checked SAFEBOOT then OK, I recieved the same message.

I have restarted ZoneAlarm.

Cheers,
Global

 

Hello Chaslang,

Windows Defender Real Time Protecting was re-enabled.

You'll forgive me Chaslang but what you said in this quote is a bit over my head.

I called my ISP and they had me goto http://speedtest.telushosting.com/ to run a speed test on my computer. It was called an 8Meg Test to check my Speed Transfer rate. According to them the acceptable rate for a 1.5 Mbits connection, transfer rate : 95 - 195 KB/sec. My system tranfer rate was at 110KB.

They tweeked things at their end and my transfer rate went up to 170 KB/sec. However my IE pages still loaded very slowly.

They then had me bypass my D-Link DI-704UP Router and go straight into my computer from the D-Link DSL-300G ADSL Modem. There was some connectivity problems for a few minutes but now the pages are loading much quicker. I'm happy with the speed.

Does this sound like the router was the problem? Is there anything you can help me with to test to see if the router is shot and if I should get a new one?

The PC Service that built our computer for us had us run our computer through the D-Link DI-704UP Router as a firewall. Our printer is still hooked into the router and it is working fine. We have no other computers currently in our home that would require to be on a network to access the printer.

Should I have any concerns not having the router hooked up as an additional firewall? You have seen several of my HJT logs and know that I have ZoneAlarm installed. Is this fine or are there better firewalls out there that I should look at?

Thanks Chaslang, you have been a world of help so far. My wife and I appreciate all the time and effort you've put in helping us with our issue.

Cheers,
Global