Help remove virus

**simon k** · 2008-01-24, 20:29

Thanks Blade I have removed the old java with windows install clean up and i have installed the latest.
I still have no options to remove things via the control panel.
I have ran spybot and it has found 3 bagel items here is part of the report.

--- Search result list ---
Win32.Bagle.hi: [SBI $CD1D5200] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-4215361660-3317487507-1880667130-1008\Software\FirtR

Win32.Bagle.hi: [SBI $C58F5889] System Service (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa

Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, fixed)
C:\WINDOWS\system32\drivers\down\

--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

**Blade81** · 2008-01-24, 20:39

You're welcome

I think it's better to run Spybot again after next reboot to see have those findings gone for good.

I still have no options to remove things via the control panel.

Is this the case with all items on the list or only some of them (which one)?

**simon k** · 2008-01-24, 20:41

It is missing for all items.

**Blade81** · 2008-01-24, 22:42

Hi

Let's see if this finds anything. It looks like many users how have installed Zonealarm have had similar problems with remove/change buttons.

Creating & executing batch file
-------------------------------

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop. (If you are still unsure on how to do this there is a little tutorial with pictures here)
REGEDIT /E c:\regbatch1.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies"
REGEDIT /E c:\regbatch2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies"
REGEDIT /E c:\regbatch3.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

Double-click on fixes.bat file to execute it.

Please post those files (c:\regbatch1.txt & c:\regbatch2.txt & c:\regbatch3.txt) as an attachment here (you can archive those into a zip packet).

**simon k** · 2008-01-24, 23:43

Thanks. How do i archive as a zip packet?

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ComDlg32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall]
"ProductType"="Avg75Free"
"DisplayName"="AVG 7.5"
"UninstallString"="C:\\Program Files\\Grisoft\\AVG7\\setup.exe /UNINSTALL"
"DisplayIcon"="C:\\Program Files\\Grisoft\\AVG7\\setup.exe"
"Language"=dword:00000409

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall\Directories]
"dir_AvgDir"="C:\\Program Files\\Grisoft\\AVG7"
"dir_AvgData"="C:\\Documents and Settings\\All Users\\Application Data\\Grisoft\\Avg7Data"
"dir_AllUsersAppData_Avg7"="C:\\Documents and Settings\\All Users\\Application Data\\avg7"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall\Features]
"fea_AVG_Remove"=dword:00000000
"fea_AVG_LeaveInstalled"=dword:00000001
"fea_AVGWin"=dword:00000001
"fea_AVG_Data_Dir"=dword:00000001
"fea_AVG_ResidentShield"=dword:00000001
"fea_AVG_Firewall"=dword:00000000
"fea_AVG_Antispy"=dword:00000000
"fea_AVG_CC_Startup"=dword:00000001
"fea_AVG_Cl"=dword:00000000
"fea_AVG_Bootup"=dword:00000001
"fea_AVG_Languages"=dword:00000000
"fea_AVG_Language_CS"=dword:00000000
"fea_AVG_Language_CZ"=dword:00000000
"fea_AVG_Language_FR"=dword:00000000
"fea_AVG_Language_GE"=dword:00000000
"fea_AVG_Language_HU"=dword:00000000
"fea_AVG_Language_IT"=dword:00000000
"fea_AVG_Language_JP"=dword:00000000
"fea_AVG_Language_NL"=dword:00000000
"fea_AVG_Language_PB"=dword:00000000
"fea_AVG_Language_PT"=dword:00000000
"fea_AVG_Language_PL"=dword:00000000
"fea_AVG_Language_SC"=dword:00000000
"fea_AVG_Language_SK"=dword:00000000
"fea_AVG_Language_SP"=dword:00000000
"fea_AVG_Language_DA"=dword:00000000
"fea_AVG_EmailPlugins"=dword:00000001
"fea_AVG_Bat_plugin"=dword:00000000
"fea_AVG_Exchange_plugin"=dword:00000001
"fea_AVG_Eudora_plugin"=dword:00000000
"fea_AVG_EMC"=dword:00000000
"fea_AVG_Antispam"=dword:00000000
"fea_AVG_Office_2000_plugin"=dword:00000001
"fea_AVGDOS"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall\TextCache]
"@AVG75DesktopLinkAVGW"="AVG 7.5.lnk"
"@AVG75StartupMenuFolderName"="AVG 7.5"
"@AvgDir"="AVG7"
"@GrisoftDir"="Grisoft"
"@LinkAVGCC"="AVG Control Center.lnk"
"@LinkAVGUninstall"="Uninstall AVG.lnk"
"@LinkAVGVV"="AVG Virus Vault.lnk"
"@LinkAVGW"="AVG Test Center.lnk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis]
"DisplayName"="HijackThis 2.0.2"
"UninstallString"="\"C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe\" /uninstall"
"DisplayIcon"="C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"
"DisplayVersion"="2.0.2"
"Publisher"="TrendMicro"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm]
"DisplayName"="ZoneAlarm"
"UninstallString"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zauninst.exe"
"DisplayVersion"="7.0.462.000"
"HelpLink"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\Help\\zaclients.chm"
"Publisher"="Check Point, Inc"
"URLInfoAbout"="http://www.zonelabs.com"
"DisplayIcon"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe,-0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}]
"AuthorizedCDFPrefix"=""
"Comments"=""
"Contact"=""
"DisplayVersion"="3.00.00.0000"
"HelpLink"=""
"HelpTelephone"=""
"InstallDate"="20080124"
"InstallLocation"=""
"InstallSource"="C:\\Program Files\\MSECACHE\\WICU3\\"
"ModifyPath"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,78,\
00,65,00,20,00,2f,00,58,00,7b,00,31,00,32,00,31,00,36,00,33,00,34,00,42,00,\
30,00,2d,00,32,00,46,00,34,00,42,00,2d,00,31,00,31,00,44,00,33,00,2d,00,41,\
00,44,00,41,00,33,00,2d,00,30,00,30,00,43,00,30,00,34,00,46,00,35,00,32,00,\
44,00,44,00,35,00,32,00,7d,00,00,00
"NoModify"=dword:00000001
"Publisher"="Microsoft Corporation"
"Readme"=""
"Size"=""
"EstimatedSize"=dword:00000131
"UninstallString"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,\
78,00,65,00,20,00,2f,00,58,00,7b,00,31,00,32,00,31,00,36,00,33,00,34,00,42,\
00,30,00,2d,00,32,00,46,00,34,00,42,00,2d,00,31,00,31,00,44,00,33,00,2d,00,\
41,00,44,00,41,00,33,00,2d,00,30,00,30,00,43,00,30,00,34,00,46,00,35,00,32,\
00,44,00,44,00,35,00,32,00,7d,00,00,00
"URLInfoAbout"=""
"URLUpdateInfo"=""
"VersionMajor"=dword:00000003
"VersionMinor"=dword:00000000
"WindowsInstaller"=dword:00000001
"Version"=dword:03000000
"Language"=dword:00000409
"DisplayName"="Windows Installer Clean Up"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160040}]
"DisplayIcon"="C:\\Program Files\\Java\\jre1.6.0_04\\\\bin\\javaws.exe"
"AuthorizedCDFPrefix"=""
"Comments"=""
"Contact"="http://java.com"
"DisplayVersion"="1.6.0.40"
"HelpLink"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,6a,00,61,00,76,00,\
61,00,2e,00,63,00,6f,00,6d,00,00,00
"HelpTelephone"=""
"InstallDate"="20080124"
"InstallLocation"=""
"InstallSource"="C:\\Documents and Settings\\Simon\\Application Data\\Sun\\Java\\jre1.6.0_04\\"
"ModifyPath"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,78,\
00,65,00,20,00,2f,00,49,00,7b,00,33,00,32,00,34,00,38,00,46,00,30,00,41,00,\
38,00,2d,00,36,00,38,00,31,00,33,00,2d,00,31,00,31,00,44,00,36,00,2d,00,41,\
00,37,00,37,00,42,00,2d,00,30,00,30,00,42,00,30,00,44,00,30,00,31,00,36,00,\
30,00,30,00,34,00,30,00,7d,00,00,00
"NoRepair"=dword:00000001
"Publisher"="Sun Microsystems, Inc."
"Readme"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,\
00,46,00,69,00,6c,00,65,00,73,00,5c,00,4a,00,61,00,76,00,61,00,5c,00,6a,00,\
72,00,65,00,31,00,2e,00,36,00,2e,00,30,00,5f,00,30,00,34,00,5c,00,52,00,45,\
00,41,00,44,00,4d,00,45,00,2e,00,74,00,78,00,74,00,00,00
"Size"=""
"EstimatedSize"=dword:00028e26
"UninstallString"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,\
78,00,65,00,20,00,2f,00,49,00,7b,00,33,00,32,00,34,00,38,00,46,00,30,00,41,\
00,38,00,2d,00,36,00,38,00,31,00,33,00,2d,00,31,00,31,00,44,00,36,00,2d,00,\
41,00,37,00,37,00,42,00,2d,00,30,00,30,00,42,00,30,00,44,00,30,00,31,00,36,\
00,30,00,30,00,34,00,30,00,7d,00,00,00
"URLInfoAbout"="http://java.com"
"URLUpdateInfo"="http://java.sun.com"
"VersionMajor"=dword:00000001
"VersionMinor"=dword:00000006
"WindowsInstaller"=dword:00000001
"Version"=dword:01060000
"Language"=dword:00000000
"DisplayName"="Java(TM) 6 Update 4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0020-0409-0000-0000000FF1CE}]
"AuthorizedCDFPrefix"=""
"Comments"=""
"Contact"=""
"DisplayVersion"="12.0.6215.1000"
"HelpLink"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,77,00,77,00,77,00,\
2e,00,6d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,2e,00,63,00,6f,\
00,6d,00,2f,00,73,00,75,00,70,00,70,00,6f,00,72,00,74,00,00,00
"HelpTelephone"=""
"InstallDate"="20080124"
"InstallLocation"=""
"InstallSource"="C:\\Program Files\\MSECache\\O2007Cnv\\1033\\"
"ModifyPath"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,78,\
00,65,00,20,00,2f,00,58,00,7b,00,39,00,30,00,31,00,32,00,30,00,30,00,30,00,\
30,00,2d,00,30,00,30,00,32,00,30,00,2d,00,30,00,34,00,30,00,39,00,2d,00,30,\
00,30,00,30,00,30,00,2d,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,46,00,\
46,00,31,00,43,00,45,00,7d,00,00,00
"NoModify"=dword:00000001
"Publisher"="Microsoft Corporation"
"Readme"=""
"Size"=""
"EstimatedSize"=dword:000065a8
"UninstallString"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,\
78,00,65,00,20,00,2f,00,58,00,7b,00,39,00,30,00,31,00,32,00,30,00,30,00,30,\
00,30,00,2d,00,30,00,30,00,32,00,30,00,2d,00,30,00,34,00,30,00,39,00,2d,00,\
30,00,30,00,30,00,30,00,2d,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,46,\
00,46,00,31,00,43,00,45,00,7d,00,00,00
"URLInfoAbout"="http://www.microsoft.com/support"
"URLUpdateInfo"=""
"VersionMajor"=dword:0000000c
"VersionMinor"=dword:00000000
"WindowsInstaller"=dword:00000001
"Version"=dword:0c001847
"Language"=dword:00000409
"DisplayName"="Compatibility Pack for the 2007 Office system"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1]
"Inno Setup: Setup Version"="5.1.12"
"Inno Setup: App Path"="C:\\Program Files\\Spybot - Search & Destroy"
"InstallLocation"="C:\\Program Files\\Spybot - Search & Destroy\\"
"Inno Setup: Icon Group"="Spybot - Search & Destroy"
"Inno Setup: User"="Simon"
"Inno Setup: Setup Type"="full"
"Inno Setup: Selected Components"="main,language,skins,updatedl"
"Inno Setup: Deselected Components"="blind"
"Inno Setup: Selected Tasks"="desktopicon,quicklaunchicon,launchsdhelper,launchteatimer"
"Inno Setup: Deselected Tasks"=""
"DisplayName"="Spybot - Search & Destroy"
"DisplayIcon"="C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"
"UninstallString"="\"C:\\Program Files\\Spybot - Search & Destroy\\unins000.exe\""
"QuietUninstallString"="\"C:\\Program Files\\Spybot - Search & Destroy\\unins000.exe\" /SILENT"
"DisplayVersion"="1.5.1.15"
"Publisher"="Safer Networking Limited"
"URLInfoAbout"="http://www.safer-networking.org/"
"HelpLink"="http://www.safer-networking.org/index.php?page=support"
"URLUpdateInfo"="http://www.safer-networking.org/index.php?page=download"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"InstallDate"="20080122"

**Blade81** · 2008-01-25, 17:02

Hi

Instructions below.

How To Zip a file or folder

1. Select the files you want to compress (choose those c:\regbatch1.txt & c:\regbatch2.txt & c:\regbatch3.txt).
2. Right click and choose Send To
3. Slide Right and choose Compressed (zipped) folder
4. Allow the file or folder to compress.
5. You should now see an icon with the same name plus a Zip
* It may even have a zipper on the folder.
6. This is the compressed file that you may post with your reply (you can do this by clicking manage attachments button of additional options in same window you use to post reply).

**simon k** · 2008-01-25, 17:58

here are the attatachments

**Blade81** · 2008-01-25, 19:31

Hi

Zonealarm may be the guilty one to those button disappearings (similar issue here).

Did you clear system restore yet? If not you should try to restore system back to point before you installed zonealarm.

1. Log on to Windows as Administrator.
2. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. System Restore starts.
3. On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next.
4. On the Select a Restore Point page, click the most recent system checkpoint before zonealarm installation in the On this list, click a restore point list, and then click Next. A System Restore message may appear that lists configuration changes that System Restore will make. Click OK.
5. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration, and then restarts the computer.
6. Log on to the computer as Administrator. The System Restore Restoration Complete page appears.
7. Click OK.

**simon k** · 2008-01-25, 20:08

Thanks blade

I have already cleared the system restore.

Simon

**simon k** · 2008-01-25, 20:30

Some of the buttons are thee now but only on the newer programes ie spybot, AVG, zone alarm etc.

Should i remove zone alarm and try different one.

Thanks Simon.

Thread: Help remove virus

Thread Tools

Display

Posting Permissions