Hi there.......you should disable SpyBot's TeaTimer now, as it may block fixes we try to make.

===========

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

You have an outdated version of HijackThis. Click here to get the latest version of HijackThis and run it.

Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download WinsockFix and unzip it. Then double-click on it to run it.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\Recycler\WINLOGON.EXE
C:\WINNT\system32\scagent.exe
C:\winnt\vcsystem.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKCU\..\Run: [cmsound] c:\winnt\vcsystem.exe
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINNT\system32\vbsys2.dll

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Recycler\WINLOGON.EXE
C:\winnt\vcsystem.exe
C:\WINNT\httpfilter.dll
C:\WINNT\system32\vbsys2.dll
C:\WINNT\system32\scagent.exe

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

 

Thanks for the quick reply, I don't know how you guys do it, you get so many posts.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/23/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 9:04:12 PM, on 2/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\CA\eTrust Antivirus\InoNmSrv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Recycler\WINLOGON.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.kooee.com.au:8080
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O23 - Service: InCD Helper - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: eTrust Antivirus Admin Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoNmSrv.exe


End of KRC HijackThis Analyzer Log.
====================================================================

 

Your log is clean. If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.

 

It still seems to either have something, or what was there has corrupted something, say the TCP/IP settings.

Tried browsing, tried email and I also tried updating programs.
None are able to use the connection.

 

Try removing the Internet Protocol (TCP/IP) in the Properties for your Network Connection. Then reinstall it again.

If that fails, I suggest posting this in the Internet/Online category. There should be more help there since this category should be only dealing with Security related issues.