Possibly the worst computer mess ever

#1 Aurongroove (Newbie Poster), Jan 7th, 2007
It's almost funny how completely and utterly broken my computer is.

I can normally handle everyday "house-keeping" and ad removing by myself.

But since my ZoneLabs firewall broke down a few weeks ago, my PC has been shot to pieces with viruses, hijackers and trojans, and I simply cannot repair it by myself.

First of all I tried to remove and re-install my firewall, but it didn't work because of an error blaming "TrueVector",
so I decided to go into my Programs folder and literally erase Zone Labs in order to reinstall it; this didn't work either.

Now I can't install Zone Labs at all, because when I try to disable or delete TrueVector (aka "vsmon") it says it's being used by another programme or person, even though I tried to delete it in Safe Mode with no programmes running at all. It's almost as if there is an invisible user keeping vsmon going just to prevent me from installing Zone Labs.

What's worse, now nothing will work on my desktop, nor will any applications run.
I tried to download the AVG anti-virus programme someone posted at the top of this thread, but when I click Run, an error screen appears and says "application not found".

Can anyone help?
#2 Seten (Light Poster), Jan 7th, 2007
Reinstall Windows.
It looks like a repair would take a long time:
Insert the HD in another PC and scan it for viruses and spyware/adware to clean it of nasties.
Then use some kind of regcleaner software.
Look in the registry (regedit) for anything that ZoneAlarm left (HKCU\software) and in startup (HKCU\software\run\microsoft\windows\run).
Don't forget (HKLM\software and HKLM\software\run\microsoft\windows\run).
#3 gerbil (Nearly a Senior Poster), Jan 7th, 2007
For a start, enable Windows Firewall at least, then go get Ad-Aware and its latest updates file from here [just in case anything you have interferes with contacting the Lavasoft site]:
http://www.download.com/Security-Spy...0.html?tag=dir
http://www.download.com/Ad-Aware-SE-...-10237235.html
Unzip this second file and drop it into the Lavasoft\Ad-Aware SE Personal folder to overwrite the existing definitions file...
and run it from SAFE mode, as an administrator.
Actually, if you're really ept with a puter, run Safe mode with command only and drop in this line
"E:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" including the "", but replacing E with your drive letter. That may not quite be the path to where you put Ad-Aware, but you check that and alter the line to suit.
Run Ad-Aware with its defaults as downloaded, do a complete system scan and remove all problems.

Then from that first link get HijackThis, place it in a new folder next to your Program Files, open it by double-clicking the .exe and run a scan in normal mode. Post the logfile here. [Close ALL apps and any Explorer windows before you commence the HT scan].
Last edited by gerbil; Jan 7th, 2007 at 11:56 pm.
#4 Aurongroove (Newbie Poster), Jan 8th, 2007
Thanks folks, even though it was only my first post you were fast to help.
I managed to install AVG later that same night: I right-clicked the installer for it and chose "Open with...". I don't know why, but doing it that way still worked. I'm not a pro, but I guessed that the System32 file that performed that task was still working.

I tried to install Norton Anti-Virus the same way, but after the initial clicking on the installer you need to do more clicking to finish the installation, and so it failed.

Anyway, when I "open with'ed" the AVG anti-virus, it loaded up and I immediately scanned and removed the offending 8 medium and 3 high risk files.

Then I searched for the .dll file that one of the worms had broken, and I replaced it.

Now that my PC was actually operational again I ran a registry repair scan, an Ad-Aware scan, and various other scans like junk removal, and then I defragged.

The reason I'm back here (besides seeing if anyone replied to my problem, and to thank them if they did)
is because TrueVector (aka vsmon) is still not budging. I need a programme that will force delete the file, because it says a programme is using it but no programme is, and unless I can get rid of it I won't be able to install ZoneAlarm again.

Thanks again for the advice the first time round. That "HijackThis" seems like a good programme; I'll download it and see what it's about.
#5 Aurongroove (Newbie Poster), Jan 8th, 2007
My HijackThis log looks like this, btw:

Logfile of HijackThis v1.99.1
Scan saved at 18:22:24, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\LEXBCES.EXE
C:\windows\Explorer.EXE
C:\windows\system32\LEXPPS.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\windows\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\windows\System32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NI.UERS_0001_N68M1801] "G:\PSP\COMMON\ErrorSafeFreeInstall.exe" -nag
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/...ol/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CF33791-036E-4CB3-8D61-14995D6C0D43}: NameServer = 194.46.192.141 194.46.192.142
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: st3d - C:\windows\
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - winhoo32.dll (file missing)
O20 - Winlogon Notify: wvusrpo - wvusrpo.dll (file missing)
O20 - Winlogon Notify: xcttgs - xcttgs.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
#6 Seten (Light Poster), Jan 8th, 2007
I think that the problem is in services, because that file vsmon could be a service which is there just for configuration. The HijackThis software doesn't identify it as an anomaly.

I suggest asking on some kind of ZoneAlarm forum for help.
#7 gerbil (Nearly a Senior Poster), Jan 9th, 2007
First go Control Panel > Add/Remove Programs and remove ZoneAlarm if it is there.
....to remove an executable or other file before it starts, you have the tool right there: HijackThis. Double-click the .exe to open it, select the Open Misc Tools Section button, then Delete a file on Reboot. Navigate to the windows\system32\Zonelabs folder. Select vsmon.exe and press Open, and then Yes to reboot now. Don't fool around with this tool.
Then just go into system32 yourself and delete the whole Zonelabs folder. That should clear out the TrueVector problem and allow you to reinstall ZoneAlarm.
But that HijackThis log. Hmmm. There is some cleaning to do. I'll get back to you on it, or someone will.
[There are other specialised exe killers out there, such as Killbox, but HT should do the trick here..]
Last edited by gerbil; Jan 9th, 2007 at 12:06 am.
#8 gerbil (Nearly a Senior Poster), Jan 9th, 2007
Start HijackThis and press Scan Only. Place checks against the following entries if they still exist, and then Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)
O4 - HKLM\..\Run: [NI.UERS_0001_N68M1801] "G:\PSP\COMMON\ErrorSafeFreeInstall.exe" -nag
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: st3d - C:\windows\
O20 - Winlogon Notify: winhoo32 - winhoo32.dll (file missing)
O20 - Winlogon Notify: wvusrpo - wvusrpo.dll (file missing)
O20 - Winlogon Notify: xcttgs - xcttgs.dll (file missing)

Navigate to the Program Files folder and delete the C:\Program Files\Uniblue folder.

Java update!!! This is for security reasons. Go Control Panel > Java > Update, and press Update Now. Restart after installing the update, and then go into Control Panel again, Add/Remove Programs, and remove all old versions of Java. Vsn 1.5.0.10 is current....

Now, in normal mode, start HijackThis again and Scan and Save a log file. Post it.

Some info for me..... may I ask how you removed these three files?
winhoo32.dll, wvusrpo.dll, xcttgs.dll - they are all O20 entries, shown as file missing. Did AVG do it?
Last edited by gerbil; Jan 9th, 2007 at 1:33 am.
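As an added example (not code from any poster in this thread), a small Python triage pass over the kind of HijackThis entries posted in #5, applying the same criteria gerbil used in #8 to pick the entries to fix: R0/R1 start and search pages pointing at a host the user never set, O2 BHOs and O20 Winlogon Notify entries with no file behind them, and O4 autoruns on a watchlist; O23 services with a missing binary are marked for review only. The sample log, the expected-host set and the watchlist are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis v1.99.1 entries posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NI.UERS_0001_N68M1801] "G:\PSP\COMMON\ErrorSafeFreeInstall.exe" -nag
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - winhoo32.dll (file missing)
O20 - Winlogon Notify: st3d - C:\windows\
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Assumption: the hosts this user actually chose as home and search page.
EXPECTED_HOSTS = {"www.yahoo.com", "us.rd.yahoo.com"}
# Constructed watchlist built from the O4 entries gerbil told the poster to fix.
SUSPECT_RUN_NAMES = ("errorsafe", "registrybooster")


def host_of(value: str) -> str:
    """Host part of an R0/R1 value, whether it is a bare domain or a full URL."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def classify(line: str):
    """Return (verdict, reason) for a suspicious entry, or None if it looks benign."""
    m = ENTRY_RE.match(line.rstrip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section in ("R0", "R1"):
        # Start/search page hijack: the value points somewhere the user never set.
        host = host_of(body.partition(" = ")[2])
        if host not in EXPECTED_HOSTS:
            return ("fix", f"IE start/search page redirected to {host}")
    elif section == "O2" and body.endswith("(no file)"):
        return ("fix", "BHO registered with no backing file")
    elif section == "O4" and any(n in body.lower() for n in SUSPECT_RUN_NAMES):
        return ("fix", "autorun entry on the watchlist")
    elif section == "O20" and (body.endswith("(file missing)") or body.endswith("\\")):
        # Winlogon Notify packages load at logon; a missing or unnamed DLL is a leftover.
        return ("fix", "Winlogon Notify package without a DLL")
    elif section == "O23" and "(file missing)" in body:
        return ("review", "service points at a missing binary")
    return None


def triage(log_text: str):
    """Scan a whole HijackThis log; returns [(verdict, reason, line), ...]."""
    findings = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            findings.append((verdict[0], verdict[1], line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags seven of the ten constructed lines, six as "fix" and the orphaned VNC service as "review", which is the same split gerbil made by hand.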
#9 Theadmiral (Newbie Poster), Jan 9th, 2007
First of all, it is a good idea to run only one resident virus scanner. Two of them will conflict and cause more problems for you. Remove either Norton or AVG (if it were me, I'd stick with AVG).

There is a program out there called "brute force uninstaller". I have used this on occasion to remove stubborn nasties from customer computers.

Be sure to turn off System Restore to clear any malware from the System Volume Information folder.

When you finally get this machine clean, turn on System Restore again and keep your computer clean by downloading and keeping updates current on the following programs:

AVG free anti-virus
AdAware SE
Spybot Search and Destroy
Spywareblaster
Ccleaner

I have also been recently testing a product called Prevx1 (an all-in-one malware scanner that recognizes suspected malware by the type of process it is). This is a very impressive program and appears to be a great one-shot solution. I still have not abandoned all of my other free scanners yet, but they get almost no use now that Prevx1 is installed. I highly advise everyone to try it out.

Good luck,

-Kev
#10 Aurongroove (Newbie Poster), Jan 11th, 2007
Hmm, a few questions to answer.

I did try everything to delete Zone Labs, from going to the actual folder in both Safe Mode and normal mode and deleting it; I also tried to "shred" the offending files, but no good.

I don't exactly know how it happened, but once I had run AVG, ran a scan that solved some registry problems, and defragged, I then managed to install ZoneAlarm without a problem. I'm guessing that AVG destroyed the programme that was keeping vsmon running, and because I rebooted, the programme wasn't started and TrueVector was not activated.

And as for those other files, yes, I assume AVG removed them.

Thanks for the HijackThis info; I will do that in a few minutes once I finish downloading some files for college.
©2003 - 2009 DaniWeb® LLC