Completely Remove Puper Malware From Your Computer

Puper is one of the latest malware infections plaguing users on the Internet. It is a particularly difficult piece of malware to remove from your computer. This tutorial will show you how to remove the Puper malware infection from your system.

NOTE: It is important that you follow the directions on the following pages exactly in order to ensure proper removal of the Puper malware infection. Skipping steps or performing actions out of sequence may result in Puper not being completely removed, allowing it to automatically re-install the parts you do remove. Several of the steps are performed while in safe mode, so you will be unable to access the internet to view this tutorial during those steps.

Puper infects your computer by masquerading as any number of legitimate programs. Once installed on your computer, it constantly runs in the background, making it very difficult to remove. Its main purpose is to serve as a doorway to other malware, which it downloads to, and installs on, your computer. Some versions of Puper also hijack your searches, redirecting them to a new search page with ads based on that search.

The typical AntiMalware utilities (Adaware, Spybot Search and Destroy, Microsoft AntiSpyware, and Windows Defender) cannot remove it on their own because Puper is constantly running – even in Safe Mode.

With the introductions out of the way, you will now need to download the repair tools required to remove the Puper spyware infection. There are two tools needed that will repair the infection in your registry. Use the link below to download the first tool and save it to your Windows Desktop. Right click HERE and select “Save As” and save it to your desktop.

Now you need to prepare the smitRem tool for use. To do this, first locate the smitrem.exe file on your desktop. Double click on the file and you will see an extraction window similar to the one on the right. Click on Start and the extractor will create a folder on your desktop called smitrem.

Next you need a spyware removal program. While most spyware removal programs aren’t capable of removing this infection on their own, using one is an integral part of the removal process.

You should also install a secure browser, like Mozilla Firefox. While IE was not directly responsible for your computer being infected by Puper, there are many sites out there that will infect your computer directly through IE, some of which will also be uninstalled by the process we are about to take you through. Some of our tutorials are designed to remove threats that IE is responsible for letting onto your computer.

These two essential tools have been integrated together into a convenient package called the Google Pack. Downloading and installing the Google Pack over a high speed connection will take about 3 minutes, but it is well worth the wait.

Once you have installed Firefox and the spyware removal program, be sure to update each of them. This can normally be done simply by running each program, and then selecting to update that program when it pops up a box asking if you wish to update it. The Google Pack also has an automatic updating feature.

One of the next steps involves editing the registry. The registry is very important to your computer, and if a mistake is made in this step, it can cause serious problems. For this reason we recommend that before you complete it, you back up your registry, and that you be very careful with the changes.

Now that you have the tools for the repair prepared, you will need to reboot your computer into Safe Mode. You will need to restart your PC to do this, and will be unable to access the internet while in safe mode, so be sure to print out the remainder of this tutorial, or copy it to notepad, as well as the help article on how to reboot your computer into safe mode, so that you can reverse the process.

Now you will use the tool you downloaded to your desktop. Locate the smitrem folder on your desktop and double click on it to open it. Locate a file in the folder named “runthis.bat” and double click on it to launch it. Click “Yes” on any security warnings that pop up. Follow the on-screen directions to move through the smitrem tool.

Once it has completed, the tool will exit and an automatic disk cleanup will be launched. This cleanup can take anywhere from minutes to hours to run, so be patient and do not interrupt it.

Next, run Adaware. As a part of the installation process, an icon should have been placed on your desktop or in your start menu. Use one of these to open the program, and run its scan. This scan may also take some time. It is important that you do not run these programs at the same time, as they may interfere with each other.

If you find any matches, highlight the task by right clicking on it, and then selecting “End Process Tree.” End any and all matches you find, because there could be more than one. As you end the processes, be sure to click “Yes” to any warning boxes that pop up.

The next step involves editing the registry. The registry is very important to your computer, and if a mistake is made in this step, it can cause serious problems. For this reason we recommend that before you complete it, you back up your registry, and be very careful with the changes.

Next you need to make sure that all traces of Puper have been removed. The following instructions assume that for some reason smitRem and Adaware were not able to remove the infection from your computer. If they instruct you to terminate a process or delete a registry key that does not exist, don’t worry. This is a good thing. If you don’t need to edit the registry, that means that Puper has been removed. Do not make any alterations to the registry other than the ones you are instructed to make here.

To do this you must end the Puper tasks. By design, the tasks are difficult to identify. First, press the “ctrl” + “alt” + “del” keys at the same time. The Task Manager window should now appear. Click on the “Processes” tab. Under Process Name, look for any of the tasks listed below.

  • popuper.exe
  • intmonp.exe
  • shnlog.exe
  • nvctrl.exe

Next, click Start -> Run. Then type REGEDIT, and click OK. Navigate to and delete the following subkeys:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\(Default) = “”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\(Default) = “”
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\InprocServer32\(default) = %system%\hp.tmp
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\InprocServer32\ThreadingModel = “Apartment”
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\ProgID\(Default) = “VMHomepage.1”
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\Programmable\(Default) = ” “
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\VersionIndependentProgID\(Default) = “VMHomepage”
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\VMHomepage\CurVer = “VMHomepage.1”
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\VMHomepage\CLSID = “{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}”
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\VMHomepage.1\CLSID = “{cf673b59-8e6f-4a0b-b1b9-3224d24f6800}”

Next, delete the following files and folders in Explorer if found:

  • C:\WINDOWS\system32\wgwwwtuc.dll
  • C:\Windows\System32\dxmpp.dll
  • C:\WINDOWS\SYSTEM32\winrvc32.dll
  • C:\Documents and Settings\tbaxter\My Documents\?ecurity\
  • C:\Program Files\orrs\
  • puper.dll
  • hhk.dll
  • msvol.tlb
  • popuper.exe
  • intmonp.exe
  • shnlog.exe
  • nvctrl.exe
  • hp[xxxx].tmp

Now, just reboot your computer in normal mode, and you’re done!
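
A read-only check for the processes, registry entries and files listed in the steps above, as an added example that is not part of the original tutorial or of the smitRem tool. It assumes PowerShell is available, searches only System32 for the bare file names, and treats hp[xxxx].tmp as the wildcard hp*.tmp.

```powershell
# Added example: read-only check for the leftovers this tutorial lists.
# It deletes nothing and changes nothing; it only reports what is present.

# Process names from the Task Manager list (Get-Process takes them without .exe).
$procNames = 'popuper', 'intmonp', 'shnlog', 'nvctrl'

# Internet Explorer values the tutorial lists with the data about:blank.
$ieKeys   = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
            'HKLM:\Software\Microsoft\Internet Explorer\Main'
$ieValues = 'Search Page', 'SearchURL', 'Local Page', 'Start Page_bak'

# Registry keys and the folder the tutorial lists; Test-Path handles both.
$clsid = '{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}'
$paths = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
         "HKLM:\Software\Classes\CLSID\$clsid",
         'HKLM:\Software\Classes\CLSID\VMHomepage',
         'HKLM:\Software\Classes\CLSID\VMHomepage.1',
         'C:\Program Files\orrs'

# File names from the tutorial. Assumptions: searched in System32 only, and
# "hp[xxxx].tmp" is treated as the wildcard hp*.tmp, which can also match
# unrelated temp files, so review each hit before deleting it.
$fileNames = 'wgwwwtuc.dll', 'dxmpp.dll', 'winrvc32.dll', 'puper.dll', 'hhk.dll',
             'msvol.tlb', 'popuper.exe', 'intmonp.exe', 'shnlog.exe', 'nvctrl.exe', 'hp*.tmp'

$findings = @()

foreach ($p in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    $findings += "PROCESS  $($p.ProcessName) (PID $($p.Id))"
}
foreach ($key in $ieKeys) {
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    foreach ($name in $ieValues) {
        if ($props -and $props.$name -eq 'about:blank') {
            $findings += "REGVALUE $key -> $name = about:blank"
        }
    }
}
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) { $findings += "PATH     $path" }
}
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in $fileNames) {
    foreach ($f in Get-ChildItem -Path $sys32 -Filter $name -Force -ErrorAction SilentlyContinue) {
        $findings += "FILE     $($f.FullName)"
    }
}

if ($findings) { $findings } else { 'No listed artifacts found.' }
```

Run it after the cleanup tools have finished: an empty result means the manual process, registry and file steps have nothing left to remove.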