  1. #1
    5 Star Lounger ibe98765's Avatar
    Join Date
    Aug 2001
    Location
    Bay Area, California, USA
    Posts
    966
    Thanks
    19
    Thanked 4 Times in 4 Posts

    Removing old ZoneAlarm footprints

    I used to run ZA Pro but got rid of it for Comodo probably a year ago. I removed ZA Pro using add/remove but as usual, it didn't all go away. There is a VSMON service left that won't uninstall, no matter what I try (even though the file it tries to call is long gone). And there is what is called the "Zone Labs Client" in the HKLM key (again the underlying file is long gone).

    The service won't allow itself to be uninstalled and the client entry keeps recreating itself whenever I delete it.

    Any ideas on how to clean out this garbage for good? Is there a way to log into the local machine account (which is what I think I might have to do)?

  2. #2
    Silver Lounger
    Join Date
    Oct 2002
    Posts
    1,993
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Removing old ZoneAlarm footprints

    I don't think you will get a short and simple answer on this one in the Lounge, but of course there could be a registry cleaning approach to this one.

    There are bunches of threads over at ZoneAlarm User Forum in the Installation, Uninstall and Upgrade board.

    I have not, myself, moved from ZA to another FW, or the other way around. And during all the years I have either installed the upgrade over the previous install, or done a first install at OS install time.

    The general tip for those who need to uninstall ZA in an upgrade process not working, or for that matter removing, has been to add /clean to the uninstall path. And adding /rmlicense to remove the license. See How to Perform a Clean Install.

    But since you didn't uninstall ZA with the /clean switch, I think you could look at tips over at their forum.

    Here is one "sticky" tip in the Installation, Uninstall and Upgrade board: Re: unable to uninstall zone alarm completely

    Look at Plan-B; search for some files in Safe Mode (if files left), then maybe have to use some registry cleaner.

    A similar tip, but mentioning the whole process, from removing "Load ZoneAlarm at startup" in Control Center via Windows CP Add or Remove Programs, and on to removing left over files (if any) and left over registry keys (if any).
    New, easier uninstall instructions 2006-08-29 [ Edited ]

  3. #3
    5 Star Lounger ibe98765's Avatar
    Join Date
    Aug 2001
    Location
    Bay Area, California, USA
    Posts
    966
    Thanks
    19
    Thanked 4 Times in 4 Posts

    Re: Removing old ZoneAlarm footprints

    This is the key I can't get rid of:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsmon

    I've tried a lot of things but so far no success. I no longer have the ZA software on my client so can't try to run any type of deinstall. I guess I could download the free version, install it and then remove it and see if this works. But I don't really feel like jumping through all those hoops, don't know if it would work either.

    When I cleaned ZAP out of the system, I had to do it manually, which is one of the reasons I decided to get rid of it (that had happened a number of times before and was always an hours long process to manually get rid of everything). And frankly, ZAP support sucked. I was lucky to get an answer at all and if I did get a reply and it actually made sense, well then wow, that was a bonus!

    Registry cleaning programs haven't been able to stop this VSMON service or clean it. I can't manually stop it or deinstall it either.

    I can usually get rid of anything by going into regedit and taking ownership of the key(s) and then setting the permissions to allow me to delete it. However, VSMON service is protecting itself somehow and every time I change the permissions, they get changed back and I am not allowed to delete the keys. I am sure they do this to protect against hackers turning off the firewall.

    There must be some way to get rid of this thing. It doesn't create any problems but I find it annoying.

  4. #4
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Quedgeley, Gloucester, England
    Posts
    5,333
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Removing old ZoneAlarm footprints

    To the best of my knowledge ControlSet001 is only used if you boot the Last Known Good configuration. Usually the relevant information comes from the CurrentControlSet key and sub-keys. So I would ignore ControlSet001, since I suspect it will be overwritten 'at some point' by a 'backup' of CurrentControlSet.

    Doesn't explain why you can't remove the Services\vsmon key though... Obviously ZoneAlarm is being rather sneaky. Have you tried booting in Safe Mode and attempting to delete/registry clean/etc?
    John

    Ita, esto, quidcumque...

  5. #5
    Silver Lounger
    Join Date
    Oct 2002
    Posts
    1,993
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Removing old ZoneAlarm footprints

    I am no expert in this area, but no, ControlSet001 is not necessarily used if you boot Last Known Good Configuration (I would even think the number 002 is more common for LKGC.). And I would put it the opposite way; the CurrentControlSet sub key is just that, a pointer, to the current control set. OK, it shows what was loaded at boot, but it doesn't define what is loaded, that is done in the numbered control sets.

    The number of control sets can vary depending on how many times one changes major system settings (and numbers can be sequential or not).

    Which control set that is used for what is defined in the sub key: HKLM\SYSTEM\Select

    One of the numbered (001, 002 etc.) is the default at boot, the other one is the Last Known Good Configuration.

    Cause, as the Select sub key shows (following values):
    -Current, points to the currently used, i.e. defines CurrentControlSet, (last set used to start) and this one is changed when using Windows tools, CP etc. during session, or actually CurrentControlSet is updated and thus the set that Current points to (001 etc.).
    -Default, points to the default control set, used next time you boot (same as current), if you don't select Last Known Good Configuration.
    -Failed, well, a failed control set. Updates when someone selects Last Known Good Config.
    -LastKnownGood, pointer to the last working control set.

    Say the entry "Current" shows 0x00000001, that means ControlSet001 is current, and was used at boot time. Thus CurrentControlSet points to ControlSet001.

    Say "Default" shows 0x00000001, indicates that ControlSet001 is used by default at boot time (if the user doesn't select Last Known ...).

    Failed, on my PC shows "0", no failed control set.

    LastKnownGood, on my PC, shows 0x00000002, pointing to ControlSet002, which would be used if I select Last Known Good config. during boot.

    So, CurrentControlSet you refer to, is a pointer to the control set that was used to boot the PC, no matter what way that was done. If you change something with tools, CP etc. you edit CurrentControlSet but the changes are made to the control set used (for example ControlSet001).

  6. #6
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Quedgeley, Gloucester, England
    Posts
    5,333
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Removing old ZoneAlarm footprints

    What a lot I have forgotten over the years...
    John

    Ita, esto, quidcumque...

  7. #7
    Silver Lounger
    Join Date
    Oct 2002
    Posts
    1,993
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Removing old ZoneAlarm footprints

    As mentioned, have you tried Safe Mode? Do you have MS Sysinternals "Autoruns"? If not download a copy here, it is useful. Under Options it can be good to select "Hide Microsoft Entries", to get a cleaner view.

    The vsmon is on the Services tab, OK. But, on the Drivers tab, next right, on a ZA system you will find vsdatant (vsdatant.sys, TrueVector Device Driver). The Drivers tab lists the same key as Services: HKLM\SYSTEM\CurrentControlSet\Services

    That's the Zone Labs entries I have running auto, beside the Zone Lab Client in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, i.e. the Control Center in the tray (Notification area, whatever).

    Over to the registry, do you have this key?
    HKLM\SYSTEM\ControlSet001\Services\vsdatant
    or these
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_VSMON
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_VSDATANT

    HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_VSMON
    HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_VSDATANT

    And I assume you (or uninstall process) have removed ZA entries in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls, on the other hand I don't know if it is any problem if left, probably not in this case.

    When you say you have tried a lot of things, I assume you have looked at the different kinds of lists of files and registry entries that should be removed (if left), over at ZA Forum.

    In general, if something can't be deleted (and you've tried to take ownership, and it inherits to the sub keys you want), something must be running at boot time preventing you, I understand you know this. And of course, one must not have tweaked one's account, permissions etc. whatever that may be, so that the PC doesn't work as normal. So even if I tell you how you can run as System, and delete what can't normally be removed (perhaps), that will not change anything if it is put back by something else, still left.

    Drivers and services are often loaded in groups, and of course they may depend on each other. In the vsmon key (HKLM\SYSTEM\ControlSet001\Services) you can find a value name DependOnGroup with value data IF it depends on another service in another group to be loaded. My entry is empty, so for vsmon there is no depend on group.

    Then you have the value DependOnService; shows which services must be loaded before this service (vsmon). Of course MS services can be in this entry (such as Remote Procedure Call), but it also shows vsdatant, a service that belongs to ZA, mentioned above.

    HKLM\SYSTEM\ControlSet001\Services\vsdatant
    Shows that vsdatant belongs to group PNP_TDI (group of drivers, OS et al), and DependOnService shows vsdatant depends on TCPIP loading.

    This info. can sometimes be used to troubleshoot, since if one doesn't start, those depending will not either, but in your case the other way round. You probably don't only have vsmon left.
    ________________
    TDI: transport driver interface, for drivers, used to communicate with different network transport protocols.
    PNP_TDI is a group of drivers related to TDI
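
A read-only way to check the points made in posts #5 and #7, added here as an example and not part of any poster's message: it maps the Select values to numbered control sets, then reports what is left of the vsmon and vsdatant keys in each set. The helper name `Resolve-ImagePath` is hypothetical, and it assumes an elevated prompt and handles only the common ImagePath forms.

```powershell
# Added example: read-only audit, run from an elevated PowerShell prompt.
# 1) Map the HKLM\SYSTEM\Select values to numbered control sets.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
foreach ($role in 'Current', 'Default', 'Failed', 'LastKnownGood') {
    $n = [int]$select.$role
    $set = 'none'
    if ($n -ne 0) { $set = 'ControlSet{0:D3}' -f $n }
    '{0,-14} -> {1}' -f $role, $set
}

# Hypothetical helper: turn a service ImagePath into a plain file path.
function Resolve-ImagePath([string]$Raw) {
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw)
    $p = $p -replace '^\\\?\?\\', ''                       # NT prefix \??\
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\" # \SystemRoot\...
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }       # quoted path + args
    elseif ($p -match '^(.+?\.(exe|sys))(\s|$)') { $p = $Matches[1] }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 2) For every numbered control set, report what is left of the two
#    ZoneAlarm entries named in the thread (vsmon service, vsdatant driver).
$sets = Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }
$report = foreach ($cs in $sets) {
    foreach ($svc in 'vsmon', 'vsdatant') {
        $key = "$($cs.PSPath)\Services\$svc"
        if (-not (Test-Path $key)) { continue }
        $v = Get-ItemProperty -Path $key
        $file = Resolve-ImagePath $v.ImagePath
        [pscustomobject]@{
            ControlSet = $cs.PSChildName
            Service    = $svc
            Start      = $v.Start   # 0-2 load at boot/startup, 3 manual, 4 disabled
            Group      = $v.Group
            DependsOn  = @($v.DependOnService) -join ', '
            File       = $file
            FileExists = [bool]($file -and (Test-Path -LiteralPath $file))
            LegacyEnum = Test-Path "$($cs.PSPath)\Enum\Root\LEGACY_$svc"
        }
    }
}
$report | Format-Table -AutoSize
# A row with FileExists = False is an orphaned key: the registry entry
# survived the uninstall but the binary it points at did not.
```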

  8. #8
    Uranium Lounger viking33's Avatar
    Join Date
    Jun 2002
    Location
    Cape Cod, Massachusetts, USA
    Posts
    6,308
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Removing old ZoneAlarm footprints

    Good call on this, Argus.
    Following your tips should get rid of this.
    BOB


    Long ago, there was a time when men cursed and beat on the ground with sticks. It was called witchcraft.
    Today it is called golf!

  9. #9
    5 Star Lounger ibe98765's Avatar
    Join Date
    Aug 2001
    Location
    Bay Area, California, USA
    Posts
    966
    Thanks
    19
    Thanked 4 Times in 4 Posts

    Re: Removing old ZoneAlarm footprints

    OK, I was finally able to get rid of the remaining old ZAP footprints by going into Safemode. Thanks for reminding me of this option.
