Help remove virus

[simon k]

Thanks Blade I have removed the old java with windows install clean up and i have installed the latest.
I still have no options to remove things via the control panel.
I have ran spybot and it has found 3 bagel items here is part of the report.


--- Search result list ---
Win32.Bagle.hi: [SBI $CD1D5200] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-4215361660-3317487507-1880667130-1008\Software\FirtR

Win32.Bagle.hi: [SBI $C58F5889] System Service (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa

Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, fixed)
C:\WINDOWS\system32\drivers\down\


--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

 

[Blade81]

You're welcome

I think it's better to run Spybot again after next reboot to see have those findings gone for good.

I still have no options to remove things via the control panel.

Is this the case with all items on the list or only some of them (which one)?

 

[simon k]

It is missing for all items.

 

[Blade81]

Hi

Let's see if this finds anything. It looks like many users how have installed Zonealarm have had similar problems with remove/change buttons.

Creating & executing batch file
-------------------------------

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop. (If you are still unsure on how to do this there is a little tutorial with pictures here)
REGEDIT /E c:\regbatch1.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies"
REGEDIT /E c:\regbatch2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies"
REGEDIT /E c:\regbatch3.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

Double-click on fixes.bat file to execute it.


Please post those files (c:\regbatch1.txt & c:\regbatch2.txt & c:\regbatch3.txt) as an attachment here (you can archive those into a zip packet).

 

[simon k]

Thanks. How do i archive as a zip packet?

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ComDlg32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate]



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate]



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall]
"ProductType"="Avg75Free"
"DisplayName"="AVG 7.5"
"UninstallString"="C:\\Program Files\\Grisoft\\AVG7\\setup.exe /UNINSTALL"
"DisplayIcon"="C:\\Program Files\\Grisoft\\AVG7\\setup.exe"
"Language"=dword:00000409

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall\Directories]
"dir_AvgDir"="C:\\Program Files\\Grisoft\\AVG7"
"dir_AvgData"="C:\\Documents and Settings\\All Users\\Application Data\\Grisoft\\Avg7Data"
"dir_AllUsersAppData_Avg7"="C:\\Documents and Settings\\All Users\\Application Data\\avg7"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall\Features]
"fea_AVG_Remove"=dword:00000000
"fea_AVG_LeaveInstalled"=dword:00000001
"fea_AVGWin"=dword:00000001
"fea_AVG_Data_Dir"=dword:00000001
"fea_AVG_ResidentShield"=dword:00000001
"fea_AVG_Firewall"=dword:00000000
"fea_AVG_Antispy"=dword:00000000
"fea_AVG_CC_Startup"=dword:00000001
"fea_AVG_Cl"=dword:00000000
"fea_AVG_Bootup"=dword:00000001
"fea_AVG_Languages"=dword:00000000
"fea_AVG_Language_CS"=dword:00000000
"fea_AVG_Language_CZ"=dword:00000000
"fea_AVG_Language_FR"=dword:00000000
"fea_AVG_Language_GE"=dword:00000000
"fea_AVG_Language_HU"=dword:00000000
"fea_AVG_Language_IT"=dword:00000000
"fea_AVG_Language_JP"=dword:00000000
"fea_AVG_Language_NL"=dword:00000000
"fea_AVG_Language_PB"=dword:00000000
"fea_AVG_Language_PT"=dword:00000000
"fea_AVG_Language_PL"=dword:00000000
"fea_AVG_Language_SC"=dword:00000000
"fea_AVG_Language_SK"=dword:00000000
"fea_AVG_Language_SP"=dword:00000000
"fea_AVG_Language_DA"=dword:00000000
"fea_AVG_EmailPlugins"=dword:00000001
"fea_AVG_Bat_plugin"=dword:00000000
"fea_AVG_Exchange_plugin"=dword:00000001
"fea_AVG_Eudora_plugin"=dword:00000000
"fea_AVG_EMC"=dword:00000000
"fea_AVG_Antispam"=dword:00000000
"fea_AVG_Office_2000_plugin"=dword:00000001
"fea_AVGDOS"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall\TextCache]
"@AVG75DesktopLinkAVGW"="AVG 7.5.lnk"
"@AVG75StartupMenuFolderName"="AVG 7.5"
"@AvgDir"="AVG7"
"@GrisoftDir"="Grisoft"
"@LinkAVGCC"="AVG Control Center.lnk"
"@LinkAVGUninstall"="Uninstall AVG.lnk"
"@LinkAVGVV"="AVG Virus Vault.lnk"
"@LinkAVGW"="AVG Test Center.lnk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis]
"DisplayName"="HijackThis 2.0.2"
"UninstallString"="\"C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe\" /uninstall"
"DisplayIcon"="C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"
"DisplayVersion"="2.0.2"
"Publisher"="TrendMicro"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm]
"DisplayName"="ZoneAlarm"
"UninstallString"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zauninst.exe"
"DisplayVersion"="7.0.462.000"
"HelpLink"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\Help\\zaclients.chm"
"Publisher"="Check Point, Inc"
"URLInfoAbout"="http://www.zonelabs.com"
"DisplayIcon"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe,-0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}]
"AuthorizedCDFPrefix"=""
"Comments"=""
"Contact"=""
"DisplayVersion"="3.00.00.0000"
"HelpLink"=""
"HelpTelephone"=""
"InstallDate"="20080124"
"InstallLocation"=""
"InstallSource"="C:\\Program Files\\MSECACHE\\WICU3\\"
"ModifyPath"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,78,\
00,65,00,20,00,2f,00,58,00,7b,00,31,00,32,00,31,00,36,00,33,00,34,00,42,00,\
30,00,2d,00,32,00,46,00,34,00,42,00,2d,00,31,00,31,00,44,00,33,00,2d,00,41,\
00,44,00,41,00,33,00,2d,00,30,00,30,00,43,00,30,00,34,00,46,00,35,00,32,00,\
44,00,44,00,35,00,32,00,7d,00,00,00
"NoModify"=dword:00000001
"Publisher"="Microsoft Corporation"
"Readme"=""
"Size"=""
"EstimatedSize"=dword:00000131
"UninstallString"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,\
78,00,65,00,20,00,2f,00,58,00,7b,00,31,00,32,00,31,00,36,00,33,00,34,00,42,\
00,30,00,2d,00,32,00,46,00,34,00,42,00,2d,00,31,00,31,00,44,00,33,00,2d,00,\
41,00,44,00,41,00,33,00,2d,00,30,00,30,00,43,00,30,00,34,00,46,00,35,00,32,\
00,44,00,44,00,35,00,32,00,7d,00,00,00
"URLInfoAbout"=""
"URLUpdateInfo"=""
"VersionMajor"=dword:00000003
"VersionMinor"=dword:00000000
"WindowsInstaller"=dword:00000001
"Version"=dword:03000000
"Language"=dword:00000409
"DisplayName"="Windows Installer Clean Up"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160040}]
"DisplayIcon"="C:\\Program Files\\Java\\jre1.6.0_04\\\\bin\\javaws.exe"
"AuthorizedCDFPrefix"=""
"Comments"=""
"Contact"="http://java.com"
"DisplayVersion"="1.6.0.40"
"HelpLink"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,6a,00,61,00,76,00,\
61,00,2e,00,63,00,6f,00,6d,00,00,00
"HelpTelephone"=""
"InstallDate"="20080124"
"InstallLocation"=""
"InstallSource"="C:\\Documents and Settings\\Simon\\Application Data\\Sun\\Java\\jre1.6.0_04\\"
"ModifyPath"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,78,\
00,65,00,20,00,2f,00,49,00,7b,00,33,00,32,00,34,00,38,00,46,00,30,00,41,00,\
38,00,2d,00,36,00,38,00,31,00,33,00,2d,00,31,00,31,00,44,00,36,00,2d,00,41,\
00,37,00,37,00,42,00,2d,00,30,00,30,00,42,00,30,00,44,00,30,00,31,00,36,00,\
30,00,30,00,34,00,30,00,7d,00,00,00
"NoRepair"=dword:00000001
"Publisher"="Sun Microsystems, Inc."
"Readme"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,\
00,46,00,69,00,6c,00,65,00,73,00,5c,00,4a,00,61,00,76,00,61,00,5c,00,6a,00,\
72,00,65,00,31,00,2e,00,36,00,2e,00,30,00,5f,00,30,00,34,00,5c,00,52,00,45,\
00,41,00,44,00,4d,00,45,00,2e,00,74,00,78,00,74,00,00,00
"Size"=""
"EstimatedSize"=dword:00028e26
"UninstallString"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,\
78,00,65,00,20,00,2f,00,49,00,7b,00,33,00,32,00,34,00,38,00,46,00,30,00,41,\
00,38,00,2d,00,36,00,38,00,31,00,33,00,2d,00,31,00,31,00,44,00,36,00,2d,00,\
41,00,37,00,37,00,42,00,2d,00,30,00,30,00,42,00,30,00,44,00,30,00,31,00,36,\
00,30,00,30,00,34,00,30,00,7d,00,00,00
"URLInfoAbout"="http://java.com"
"URLUpdateInfo"="http://java.sun.com"
"VersionMajor"=dword:00000001
"VersionMinor"=dword:00000006
"WindowsInstaller"=dword:00000001
"Version"=dword:01060000
"Language"=dword:00000000
"DisplayName"="Java(TM) 6 Update 4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0020-0409-0000-0000000FF1CE}]
"AuthorizedCDFPrefix"=""
"Comments"=""
"Contact"=""
"DisplayVersion"="12.0.6215.1000"
"HelpLink"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,77,00,77,00,77,00,\
2e,00,6d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,2e,00,63,00,6f,\
00,6d,00,2f,00,73,00,75,00,70,00,70,00,6f,00,72,00,74,00,00,00
"HelpTelephone"=""
"InstallDate"="20080124"
"InstallLocation"=""
"InstallSource"="C:\\Program Files\\MSECache\\O2007Cnv\\1033\\"
"ModifyPath"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,78,\
00,65,00,20,00,2f,00,58,00,7b,00,39,00,30,00,31,00,32,00,30,00,30,00,30,00,\
30,00,2d,00,30,00,30,00,32,00,30,00,2d,00,30,00,34,00,30,00,39,00,2d,00,30,\
00,30,00,30,00,30,00,2d,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,46,00,\
46,00,31,00,43,00,45,00,7d,00,00,00
"NoModify"=dword:00000001
"Publisher"="Microsoft Corporation"
"Readme"=""
"Size"=""
"EstimatedSize"=dword:000065a8
"UninstallString"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,\
78,00,65,00,20,00,2f,00,58,00,7b,00,39,00,30,00,31,00,32,00,30,00,30,00,30,\
00,30,00,2d,00,30,00,30,00,32,00,30,00,2d,00,30,00,34,00,30,00,39,00,2d,00,\
30,00,30,00,30,00,30,00,2d,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,46,\
00,46,00,31,00,43,00,45,00,7d,00,00,00
"URLInfoAbout"="http://www.microsoft.com/support"
"URLUpdateInfo"=""
"VersionMajor"=dword:0000000c
"VersionMinor"=dword:00000000
"WindowsInstaller"=dword:00000001
"Version"=dword:0c001847
"Language"=dword:00000409
"DisplayName"="Compatibility Pack for the 2007 Office system"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1]
"Inno Setup: Setup Version"="5.1.12"
"Inno Setup: App Path"="C:\\Program Files\\Spybot - Search & Destroy"
"InstallLocation"="C:\\Program Files\\Spybot - Search & Destroy\\"
"Inno Setup: Icon Group"="Spybot - Search & Destroy"
"Inno Setup: User"="Simon"
"Inno Setup: Setup Type"="full"
"Inno Setup: Selected Components"="main,language,skins,updatedl"
"Inno Setup: Deselected Components"="blind"
"Inno Setup: Selected Tasks"="desktopicon,quicklaunchicon,launchsdhelper,launchteatimer"
"Inno Setup: Deselected Tasks"=""
"DisplayName"="Spybot - Search & Destroy"
"DisplayIcon"="C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"
"UninstallString"="\"C:\\Program Files\\Spybot - Search & Destroy\\unins000.exe\""
"QuietUninstallString"="\"C:\\Program Files\\Spybot - Search & Destroy\\unins000.exe\" /SILENT"
"DisplayVersion"="1.5.1.15"
"Publisher"="Safer Networking Limited"
"URLInfoAbout"="http://www.safer-networking.org/"
"HelpLink"="http://www.safer-networking.org/index.php?page=support"
"URLUpdateInfo"="http://www.safer-networking.org/index.php?page=download"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"InstallDate"="20080122"

 

[Blade81]

Hi

Instructions below.

How To Zip a file or folder

1. Select the files you want to compress (choose those c:\regbatch1.txt & c:\regbatch2.txt & c:\regbatch3.txt).
2. Right click and choose Send To
3. Slide Right and choose Compressed (zipped) folder
4. Allow the file or folder to compress.
5. You should now see an icon with the same name plus a Zip
* It may even have a zipper on the folder.
6. This is the compressed file that you may post with your reply (you can do this by clicking manage attachments button of additional options in same window you use to post reply).

 

[simon k]

here are the attatachments

 

[Blade81]

Hi

Zonealarm may be the guilty one to those button disappearings (similar issue here).

Did you clear system restore yet? If not you should try to restore system back to point before you installed zonealarm.


1. Log on to Windows as Administrator.
2. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. System Restore starts.
3. On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next.
4. On the Select a Restore Point page, click the most recent system checkpoint before zonealarm installation in the On this list, click a restore point list, and then click Next. A System Restore message may appear that lists configuration changes that System Restore will make. Click OK.
5. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration, and then restarts the computer.
6. Log on to the computer as Administrator. The System Restore Restoration Complete page appears.
7. Click OK.

 

[simon k]

Thanks blade

I have already cleared the system restore.

Simon

 

[simon k]

Some of the buttons are thee now but only on the newer programes ie spybot, AVG, zone alarm etc.

Should i remove zone alarm and try different one.

Thanks Simon.

 

[Blade81]

You could try removing zonealarm to see if it fixes the problem. Before you do that switch Windows own firewall on through windows security center.

 

[simon k]

Sory to keep bothering you Blade i am gratefull for all your help. I removed zone alarm which did not fix the missing buttons. Also i am trying to install a windows security update KB923723 which keeps on failing.

 

[Blade81]

Hi Simon

Unfortunately it looks like I'm out of ideas. Since we are concentrated on malware removing and don't have a tech forum here I suggest you to ask for advice at PC Pitstop. It's quite possible someone there knows solution.

 

[simon k]

Ok Blade thanks for all your help.

simon

 

[Blade81]

You're welcome, Simon. I'm sure people at PcPitstop do their best to help you overcome the problem

 

[Blade81]

Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.