Registry won't delete entries


Guest

--
Sherman R. Buck
Abstraxts Studio & Gallery
301 W. Holly Street U-1
Bellingham, WA 98225
http://shermanbuck.com

I've got some problems with regedit not deleting
entries. I have one entry from a trojan (removed) but it still loads; I have
one from PC Tools Reg Mechanic, which I uninstalled and reinstalled, but it
still runs on startup, even though it's not set to do so, PC tech told me to
delete it and every time I do, it goes right back in; The last one I get a
message on startup after logging in: Windows cannot find
c\windows\is-LOLEC.exe
low priority:startup item is invalid - set.to delete
INNO SetupRegFile.0000000001="C\windows\is-LOLEC.exe"Reg
Location:HKEY_local.machine\Software\Microsoft\Windows\CurrentVersion\RunOnce

I've been to Microsoft's site to read up on the exact procedures to delete
entries and followed them to a T, yet they all reinstall again. How is that
possible? The instructions state go to the entry, right click on it and
delete. That's all they say. Is there something else they have forgotten to
add here that would be the problem? I have XP pro SP2 with all updates. I am
getting frazzled with this issue unresolved. The INNO has to do with INNO
Setup and I've installed the latest version of it, yet it still pops up at
start up after logging in.

Sherman
 

DanS

George's assumptions are probably correct that you've got spyware/adware on
your PC that you don't know is running and is recreating those keys as soon
as you remove them.

HiJack this will tell you what you have on your system, but not the best
for removing everything.

Use AdAware, Spybot, and M$ AS, all in safemode, and that SHOULD get rid of
the problems....
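
Added example (not part of any post in this thread): one way to confirm that something is re-creating the startup entries, as suggested above, is to save `reg query` output for the Run and RunOnce keys before deleting, right after deleting, and again after the next logon, then compare the three. The value names and paths in the sample snapshots are constructed, and the function names are this example's own.

```python
import re

# One value line of `reg query` output: indented name, REG_* type, data.
# Fields may be separated by tabs or by runs of spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

def parse_reg_query(text):
    """Parse saved `reg query <key>` output into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            # Registry paths are case-insensitive, so normalise for comparison.
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m["name"]] = m["data"].strip()
    return keys

def recreated_values(baseline, after_delete, later):
    """Values in the baseline, absent right after deletion, present again later.

    Returns (key, value_name, current_data, data_changed) tuples.
    """
    before, gone, back = map(parse_reg_query, (baseline, after_delete, later))
    hits = []
    for key, values in before.items():
        now = back.get(key, {})
        for name, data in values.items():
            if name not in gone.get(key, {}) and name in now:
                hits.append((key, name, now[name], now[name] != data))
    return hits

# Constructed sample snapshots (hypothetical value names and paths).
BASELINE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Example Setup Leftover    REG_SZ    C:\Example\is-EXAMPLE.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleScanner    REG_SZ    "C:\Program Files\Example\scan.exe" /startup
    ExampleTray    REG_SZ    C:\Example\tray.exe
"""
AFTER_DELETE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Example\tray.exe
"""
LATER = BASELINE.replace("/startup", "/startup /quiet")  # scanner entry came back altered

if __name__ == "__main__":
    for hit in recreated_values(BASELINE, AFTER_DELETE, LATER):
        print(hit)
```

A value that comes back shows only that something is still writing it; it does not identify the process responsible.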
 

Malke

DanS said:
George's assumptions are probably correct that you've got
spyware/adware on your PC that you don't know is running and is
recreating those keys as soon as you remove them.

HiJack this will tell you what you have on your system, but not the
best for removing everything.

Use AdAware, Spybot, and M$ AS, all in safemode, and that SHOULD get
rid of the problems....

Actually, HijackThis (by Merijn - not "Merlin") does not remove
anything. It shows you what is there. Hence the instructions to post
the HJT log to a specialty forum where you'll get the expert attention
(and time - it takes a lot of time to analyze HJT logs) needed. Here
are some forums for HJT logs:

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

The OP may want to run through these malware removal steps
systematically first:
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Malke
 

DanS

Actually, HijackThis (by Merijn - not "Merlin") does not remove
anything.

Not true. It allows removing registry entries, and IE BHO's, and such.

But it does not remove the underlying packages that may be responsible
for them.
 

Malke

DanS wrote:

Not true. It allows removing registry entries, and IE BHO's, and such.

But it does not remove the underlying packages that may be responsible
for them.

I think this is an issue of semantics - of course HijackThis can be used
to remove things. It does not work the same way as Ad-aware and Spybot
(and other malware removal tools such as Ewido) which use malware
definitions to target suspicious items. HJT shows you what is there and
you have to know what to remove and what to leave alone. That is why it
is only recommended to be used under expert guidance - unless you *are*
an expert, of course, but I don't think the OP is.

Malke
 

Wesley Vogel

Ya gonna have pcbutts look at the log?

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
 

Bob I

Hijack logs are not appropriate or welcome in this group. Either post
them to a group designated for them or handle it in your e-mail.
 

George Hester

Well we aim to please you Bob I. As far as I know anything the op can
provide us to help him is appropriate for this newsgroup. But pleasing Bob I
is so much more important. Thx for the heads-up.
 

Guest

Actually I have intermediate experience or better in some areas. I've run
every free malware, spyware mentioned, and purchased Spy Doctor, along with
running MS spyware beta, which I think is garbage personally, and ran them in
safe mode and to cover my butt, I contacted Spy Doctor and followed their
instructions, the same ones I'd done to a T and still nothing. They asked for
a HijackThis log and found nothing, the same thing I found after scouring
through it. I've run the newest version of Rootkit Revealer and saved
the log, with one discrepancy, but have no idea where to go to get some
feedback on it. I'm going to redo all the steps to recheck for the umpteenth
time before sending in the Hijack This log and the Rootkit log. My original
problem with the Reg Mechanic entry not deleting was because it kept running
a scan on startup, when it wasn't set to do so, and now the newest version of
Spy Doctor is doing the same silly assed thing, running on startup when it's
not checked off to do so.

Thanks for the help.

Sherman
 

Bob I

You can lose the sarcasm, it's not me to worry about. You definitely
will suffer verbal abuse from many folks who have already killfiled you,
if Hijack logs start appearing here.
 

George Hester

It may have been sarcasm but I cannot please all and I really have no
intention to. Verbal abuse doesn't bother me and the more that killfile me
the less verbal abuse I have to deal with. It really does not bother me. I
asked for the log because that is the best way I can help them. If that is
upsetting to the killfile junkies really Bob that's good. The killfile
junkies just don't like to have their lack of civility and manners pointed
out to them and that is how they keep their feathers in pristine shape.
 

George Hester

I am no good with the Rootkit Revealer logs I will be the first to admit.
But I do know if it does not come back saying no rootkit evidence was found
then you have a problem. I have seen these Rootkits come in and install and
it is not a pretty sight. Because I know when that happens it is time for a
new install. I try to find the stuff but it is too hard. They put themselves
in Registry locations that HijackThis was not made to look in besides the
fact they hide themselves using the Windows API. You have to look for them
from a remote machine.

Now as for the HijackThis logs yes I could have been able to analyze that
well enough. But if you had an expert ask for it and they looked at it then
probably all that can be done with it has been done.

As for the other applications you are using a Rootkit will make them all
null and void. You probably don't need my personal opinion on them so I
will just leave it at that. I'd reinstall and never surf the Net (meaning
going to unknown places that specialize in this crap like free web-hosting
sites or any domain registered by Go-Daddy) unless you use an account that
is a locked down account no permissions to do anything.
 
