Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Deleting entries from registry

Started by virusesaredrivingmecrazy , Nov 25 2004 04:58 PM

  • Please log in to reply

#1
virusesaredrivingmecrazy
Posted 25 November 2004 - 04:58 PM

virusesaredrivingmecrazy

    Member

  • Member
  • PipPip
  • 12 posts
I had been having problems with viruses for awhile, but I downloaded zonealarm firewall about two weeks ago and I haven't had a problem since. My problem however is that I still have entries from viruses in my registry that won't delete no matter what I do. They aren't really a problem it's just annoying that I can't get rid of them. The programs they correspond to don't even exist on my hard drive.
Here's a log:

Logfile of HijackThis v1.98.2
Scan saved at 3:57:56 PM, on 11/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\RunServices: [ActiveX Streamer] msgfix.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svchos.exe
O4 - HKLM\..\RunServices: [Windows NT Update Manager] WINL0G0N.exe
O4 - HKLM\..\RunServices: [Bmsvc32] bmsvc32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab27513.cab
  • 0

Advertisements

#2
-=jonnyrotten=-
Posted 25 November 2004 - 05:05 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svchos.exe
O4 - HKLM\..\RunServices: [Windows NT Update Manager] WINL0G0N.exe

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

svhost.exe
svchos.exe
WINL0G0N.exe

Reboot normally and post new log.

-=jonnyrotten=- <_<
  • 0

#3
virusesaredrivingmecrazy
Posted 25 November 2004 - 05:51 PM

virusesaredrivingmecrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
The files didn't exist and the entries did not delete when I selected fix checked

Logfile of HijackThis v1.98.2
Scan saved at 4:49:20 PM, on 11/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINNT\System32\svchost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\RunServices: [ActiveX Streamer] msgfix.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svchos.exe
O4 - HKLM\..\RunServices: [Windows NT Update Manager] WINL0G0N.exe
O4 - HKLM\..\RunServices: [Bmsvc32] bmsvc32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab27513.cab
  • 0

#4
-=jonnyrotten=-
Posted 25 November 2004 - 06:58 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Try booting in safe mode and try the same procedure for removing the entries. Also run a search for the files. Winl0g0n looks like the "O"'s are zeros too. If that doesn't work you will need to turn off system restore and boot into safe mode to remove them.

-=jonnyrotten=- <_<
  • 0

#5
virusesaredrivingmecrazy
Posted 26 November 2004 - 11:13 AM

virusesaredrivingmecrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I tryed it in safe mode but it still didn't work
I also searched for the files and they don't exist
How do I turn off system restore??
  • 0

#6
-=jonnyrotten=-
Posted 26 November 2004 - 11:37 AM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Wait, I just noticed something you should try before turning off system restore... The log says they are services. Click "Start", "Run", type "services.msc" without the quotes. Scroll down the list and look for:

Windows Synchronization Manager
Microsoft Windows Update
Windows NT Update Manager

THEY MUST BE EXACTLY AS SHOWN

Right click each one when you find it and click properties. Click "stop" and then in the drop down list choose "disabled". Apply it and click "ok" after doing all that reboot and remove the entries in safe mode and run scan again and make sure they are still disabled by going into services.msc.

Post new log with any info.

-=jonnyrotten=- <_<
  • 0

#7
-=jonnyrotten=-
Posted 26 November 2004 - 12:24 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
WINL0G0N.exe >>> W32.Shoho@mm <<mass mailing worm
svhost.exse >>> Backdoor.Socksbot <<Trojan Horse
svchos.exe >>> Backdoor.Sdbot.AC <<Trojan Horse

I just found this information. There's removal instructions too, but since you cannot edit your registry the instructions are no good.......yet. I advise you to go into Outlook Express or whatever your local mail program is and in your address book make a new entry and name it "0000" all zeros with no address or anything else, and save it. This way when this mass mailing worm starts at the top of your address list it cannot mail to the first entry and therefore has to start over. Again and again, but not mailing anything. Next you need to do this:

Please run a free online virus scan here (tick the "Auto Clean" checkbox): Needs to be run with Internet Explorer.
http://housecall.antivirus.com/

And a free trojan scan here: (you will have to download the 30 day trial of "The Cleaner" here)
http://www.moosoft.com/

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and we'll remove what's left.

-=jonnyrotten=- <_<
  • 0

#8
virusesaredrivingmecrazy
Posted 28 November 2004 - 10:11 AM

virusesaredrivingmecrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Ok, I checked in services but none of those entries exist either.
I scanned online and everything was clean.
Ive already used up my 30 day trial of the cleaner about a week ago, but the last time I ran it everything was clean.
  • 0

#9
Yarnouth
Posted 28 November 2004 - 10:32 AM

Yarnouth

    Visiting Staff

  • Member
  • PipPipPip
  • 508 posts
Lets see a new Hijack This log.
  • 0

#10
virusesaredrivingmecrazy
Posted 28 November 2004 - 10:56 AM

virusesaredrivingmecrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Logfile of HijackThis v1.98.2
Scan saved at 9:55:37 AM, on 11/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\RunServices: [ActiveX Streamer] msgfix.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svchos.exe
O4 - HKLM\..\RunServices: [Windows NT Update Manager] WINL0G0N.exe
O4 - HKLM\..\RunServices: [Bmsvc32] bmsvc32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab27513.cab
  • 0

#11
Yarnouth
Posted 28 November 2004 - 11:08 AM

Yarnouth

    Visiting Staff

  • Member
  • PipPipPip
  • 508 posts
Please locate the files:
svhost.exe
svchos.exe
WINL0G0N.exe

Look in:
C:\Windows\WINL0G0N.exe for example
Let me know if you find them there.
  • 0

#12
virusesaredrivingmecrazy
Posted 28 November 2004 - 11:33 AM

virusesaredrivingmecrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Ive looked everywhere for those files...
Ive tried searching, looking through all the folders, but they just don't exist...
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP