Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Deleting entries from registry


  • Please log in to reply

#1
virusesaredrivingmecrazy

virusesaredrivingmecrazy

    Member

  • Member
  • PipPip
  • 12 posts
I had been having problems with viruses for awhile, but I downloaded zonealarm firewall about two weeks ago and I haven't had a problem since. My problem however is that I still have entries from viruses in my registry that won't delete no matter what I do. They aren't really a problem it's just annoying that I can't get rid of them. The programs they correspond to don't even exist on my hard drive.
Here's a log:

Logfile of HijackThis v1.98.2
Scan saved at 3:57:56 PM, on 11/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\RunServices: [ActiveX Streamer] msgfix.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svchos.exe
O4 - HKLM\..\RunServices: [Windows NT Update Manager] WINL0G0N.exe
O4 - HKLM\..\RunServices: [Bmsvc32] bmsvc32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab27513.cab
  • 0

Advertisements


#2
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svchos.exe
O4 - HKLM\..\RunServices: [Windows NT Update Manager] WINL0G0N.exe

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

svhost.exe
svchos.exe
WINL0G0N.exe


Reboot normally and post new log.

-=jonnyrotten=- <_<
  • 0

#3
virusesaredrivingmecrazy

virusesaredrivingmecrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
The files didn't exist and the entries did not delete when I selected fix checked

Logfile of HijackThis v1.98.2
Scan saved at 4:49:20 PM, on 11/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINNT\System32\svchost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\RunServices: [ActiveX Streamer] msgfix.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svchos.exe
O4 - HKLM\..\RunServices: [Windows NT Update Manager] WINL0G0N.exe
O4 - HKLM\..\RunServices: [Bmsvc32] bmsvc32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab27513.cab
  • 0

#4
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Try booting in safe mode and try the same procedure for removing the entries. Also run a search for the files. Winl0g0n looks like the "O"'s are zeros too. If that doesn't work you will need to turn off system restore and boot into safe mode to remove them.

-=jonnyrotten=- <_<
  • 0

#5
virusesaredrivingmecrazy

virusesaredrivingmecrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I tryed it in safe mode but it still didn't work
I also searched for the files and they don't exist
How do I turn off system restore??
  • 0

#6
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Wait, I just noticed something you should try before turning off system restore... The log says they are services. Click "Start", "Run", type "services.msc" without the quotes. Scroll down the list and look for:

Windows Synchronization Manager
Microsoft Windows Update
Windows NT Update Manager

THEY MUST BE EXACTLY AS SHOWN

Right click each one when you find it and click properties. Click "stop" and then in the drop down list choose "disabled". Apply it and click "ok" after doing all that reboot and remove the entries in safe mode and run scan again and make sure they are still disabled by going into services.msc.

Post new log with any info.

-=jonnyrotten=- <_<
  • 0

#7
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
WINL0G0N.exe >>> W32.Shoho@mm <<mass mailing worm
svhost.exse >>> Backdoor.Socksbot <<Trojan Horse
svchos.exe >>> Backdoor.Sdbot.AC <<Trojan Horse

I just found this information. There's removal instructions too, but since you cannot edit your registry the instructions are no good.......yet. I advise you to go into Outlook Express or whatever your local mail program is and in your address book make a new entry and name it "0000" all zeros with no address or anything else, and save it. This way when this mass mailing worm starts at the top of your address list it cannot mail to the first entry and therefore has to start over. Again and again, but not mailing anything. Next you need to do this:

Please run a free online virus scan here (tick the "Auto Clean" checkbox): Needs to be run with Internet Explorer.
http://housecall.antivirus.com/

And a free trojan scan here: (you will have to download the 30 day trial of "The Cleaner" here)
http://www.moosoft.com/

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and we'll remove what's left.

-=jonnyrotten=- <_<
  • 0

#8
virusesaredrivingmecrazy

virusesaredrivingmecrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Ok, I checked in services but none of those entries exist either.
I scanned online and everything was clean.
Ive already used up my 30 day trial of the cleaner about a week ago, but the last time I ran it everything was clean.
  • 0

#9
Yarnouth

Yarnouth

    Visiting Staff

  • Member
  • PipPipPip
  • 508 posts
Lets see a new Hijack This log.
  • 0

#10
virusesaredrivingmecrazy

virusesaredrivingmecrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Logfile of HijackThis v1.98.2
Scan saved at 9:55:37 AM, on 11/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\RunServices: [ActiveX Streamer] msgfix.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svchos.exe
O4 - HKLM\..\RunServices: [Windows NT Update Manager] WINL0G0N.exe
O4 - HKLM\..\RunServices: [Bmsvc32] bmsvc32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab27513.cab
  • 0

#11
Yarnouth

Yarnouth

    Visiting Staff

  • Member
  • PipPipPip
  • 508 posts
Please locate the files:
svhost.exe
svchos.exe
WINL0G0N.exe


Look in:
C:\Windows\WINL0G0N.exe for example
Let me know if you find them there.
  • 0

#12
virusesaredrivingmecrazy

virusesaredrivingmecrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Ive looked everywhere for those files...
Ive tried searching, looking through all the folders, but they just don't exist...
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP