Solved

Spyware Cyberlog -x trojan attacked my PC, how can I get rid of this?

Posted on 2007-11-18
Last Modified: 2013-11-08
I did not realize that my Trend Micro had expired since October.  I just found out when my kids told me that they are getting a lot of pop ups regarding the spyware.  One of the pop ups is the Spyware.Cyberlog-x trojan, a malware threat.  I installed the trial version of ZoneAlarm and the AVG trial version but it did not help.  Now, I cannot run my PC using the regular log on because I ran out of memory due to this problem.  I have a stop error msg. 0x0000007E (0xc000005,0x804E4337,0xF79B5BBC,0xF79B58B8).  Something to do with my physical memory being dumped.

I did a search and came across this software Softspy-SE v4.33.  I installed this under Safe Mode and ran it.  It detected a lot of errors and some high risk trojans.  My question now is that it's asking me to register and purchase the software for $40.00 to continue removing the spyware.  Is this legitimate software to begin with?  What can I do to fix this problem?  I can only run my computer now under Safe Mode.  Please advise, thanks.

My PC is running Windows XP Media Center SP2.
Question by:alopez1104
46 Comments
 
LVL 22

Expert Comment

by:orangutang
ID: 20310443
Try running SUPERAntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE). You might have to manually start the Windows Installer service in safe mode in order to install SUPERAntiSpyware.
0
 

Author Comment

by:alopez1104
ID: 20310465
Is this free software, or do I have to purchase it for $29.99 in order to use it?
0
 

Author Comment

by:alopez1104
ID: 20310486
I am trying to install the software but I got a message "the system administrator has set policies to prevent the installation" I am logged on as Administrator in Safe Mode?  Please help.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 20310489
I wouldn't pay for any scanner that won't remove nasties for free; there is a lot of free trial software out there.
There are a lot of free ones too, good ones. SUPERAntiSpyware is good, and also DrWebCureIt, and they are free to remove the nasties they find.

Download and install DrWebCureit:
http://download.drweb.com/drweb+cureit/

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
to your desktop.
Double-click "drweb-cureit.exe" and click "OK" in the prompt window that opens, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done":
Click on the green screwdriver.
Actions tab: Adware, Dialers, Riskware, Hacktools: use the dropdown menu and select "Delete".
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.

After the scan, in the Dr.Web CureIt menu on top, click File and choose "Save report list".
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.


There are also other free tools for specific infections, like smitfraudfix etc.
You can also try SDFix, this will also remove a lot of SDBot/IRCBot variants.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* Open the extracted folder and double-click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the fixtool will complete the removal and display "Finished"; then press any key to end the script and load your desktop icons.
* Finally, open the SDFix folder on your desktop and upload the contents of the results file "Report.txt".

Once you can start normally, scan with Hijackthis and show us the resulting log.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20310490
No, there's a freeware and a shareware version. The link I gave you is for the free version. The freeware version doesn't have realtime scanning but it can scan for and remove spyware.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20310506
Can you run Hijackthis?

Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.

You can either upload the log to any hosting sites,
or go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste to this site:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20310507
Also, in safe mode, you should be able to click your start menu, click "Run...", type in "services.msc", press Enter, right-click "Windows Installer", and click "Start". Or you should be able to run "net start msiserver". You should then be able to run the SUPERAntiSpyware installer.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20310512
rpggamergirl, I thought you said the new HijackThis has some glitches or something and I thought you said to use 1.99. Is the new version fixed?
0
 

Author Comment

by:alopez1104
ID: 20310556
Guru, running the Windows Installer in services did not work.  I got a message "could not start the windows installer on Local Computer. Error 1084 This service cannot be started in Safe Mode."  I am in Safe Mode with Networking right now.  I will now try the suggestion of Wizard, see if I can install and run it.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20310573
:) Well, "Wizard" is much better with computers and everything else than me. She will be able to help you. I'd like to try to figure out how to get SUPERAntiSpyware to work in safe mode. Have you tried the "Administrator" account in safe mode and your own account?
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20310579
Try running:
C:\Program Files\SUPERAntiSpyware\BootSafe.exe
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20310589
Never mind, that's for something else.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20310621
I think I figured it out.
I found:
http://support.microsoft.com/kb/895141
and
http://www.jsifaq.com/SF/Tips/rh9233.htm

They're for Windows 2003 but they should work for XP. Please try them, I just want to figure out how to get SUPERAntiSpyware working in safe mode! Thank you
0
 

Author Comment

by:alopez1104
ID: 20310638
Guru, I did run the program under the Administrator account in Safe Mode but I don't know why I don't have the privilege to install it? Only that program.  However, I was able to download and install DrWebCureIt.
I ran the program under Express Scan.  I deleted some malicious files, rebooted the PC but I am still getting that message "Critical System Warning, Your system is probably infected with latest version of spyware cyberlog-x".  Now I am rerunning DrWeb using the Complete Scan.  I am seeing some trojan files that I did not see before when I ran it under Express Scan.  I will keep you posted after the Complete Scan is finished.  Thanks.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20310671
Orangutang,
Trend HijackThis is now stable and is better than 1.99.1 because it shows one more line, the location where new hijackers hook into.


alopez1104,
Try running SDFix as well, it will remove variants of SDBot/IRCBot and much more, and also fix reg entries modified by nasties, like those restrictions.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20310709
Once you're able to run scanners in normal mode, we'll do Combofix to check if there's anything left to remove.

Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you, attach the log for us to look at.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20313056
Hey rpg, wasn't sure if you were aware of the issues with CF at this point. The current version expired on the 19th and will not run. I believe the beta will go to the 20th. As you probably know sUBs put in this expiration to keep users from running old versions. But he has not uploaded a new version and right now no one seems to know what's going on. This is very unfortunate. We'll have to go at these I think with Vundofix, SDFix, and Avenger when needed.
0
 

Author Comment

by:alopez1104
ID: 20313156
I restarted my PC after deleting all the trojans.  I will give you the updates tonight when I log on in Normal Mode.  I have to go to work.   So IndiGenus, are you suggesting to just wait until the 20th to run the CF that Wizard is suggesting? Thanks.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20313235
No, I don't think you will have the option to run CF at all, unless it's updated. You could try but I don't think the versions at either of those links will run at this point, until the developer updates them.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20316832
My info was last updated Nov 16th, and it was suggested that users of the Beta version should revert to the standard version.
This seems to happen when Vundo is present: CF throws an error that it cannot obtain system privileges, but CF runs regardless.


Today:
sUBs is away or offline still, so no one knows what's happening.
I just checked and saw the notice not to use ComboFix till further notice.
0
 

Author Comment

by:alopez1104
ID: 20317090
Wizard, I am currently running the SDfix.  The DrWeb cleaned some of the trojans but not the cyberlog-x.  After running the SDFix do you want me to post the Hijack Report here?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20317117
Upload to EE-Stuff.com please, or to any hosting sites and just post back the link here.
Also the SDFix.txt please.
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 370 total points
ID: 20317118
cyberlog-x is likely Vundo. Without combofix the next alternative is Vundofix.

Download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click Yes
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
 
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears at reboot.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20317166
Have you run smitfraudfix, or anyone suggested smitfraudfix yet?
This also sounds like a smitfraud infection, but without any log to look at, we can't be sure.

No harm in running smitfraudfix anyway (removing your desktop background would be the only likely downside if you're not infected with smitfraud), or wait till we see your HijackThis log.

Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process;
0
 

Author Comment

by:alopez1104
ID: 20317451
Okay, the Dr.Web, SDFix, SmitfraudFix, and VundoFix were all run under Safe Mode, but it did not work.  I am still getting the cyberlog-x and also some system alert malware threats.  Also, when I run it under Normal Mode, it's stopping Windows from downloading to prevent damage to the PC, and a msg. physical memory dump.... these msgs are all on the BSOD screen.  I can only run Windows under Safe Mode.

Regarding the report posting, I am having a problem posting the logs.  I don't know how ee-expert.com works.  Every time I upload the files, it disappears and it's telling me that the title is incorrect.  Please advise, thanks.
0
 

Author Comment

by:alopez1104
ID: 20317561
When I post, it keeps on telling me "invalid question".  All I did was cut and paste the title into the question text box.
0
 

Author Comment

by:alopez1104
ID: 20317584
Sorry guys, I have to post this here, thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:32 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {760dba1f-e4a8-432a-f2c4-13beecd276d4} - {4d672dce-eb31-4c2f-a234-8a4ef1abd067} - C:\WINDOWS\system32\ktmnnneh.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: (no name) - {8A05E010-60B1-41EB-AC87-5F84CF18EA73} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\tazrylge.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tazrylge.dll
O4 - HKLM\..\Run: [PCI TV Card Remote Control Applet] C:\WINDOWS\713xRMT.exe
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\878RMTMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [f04c826d] rundll32.exe "C:\WINDOWS\system32\odpbwyvr.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SDFix] C:\DOCUME~1\ADMINI~1\Desktop\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKLM\..\Run: [rtasks] C:\Program Files\BestsellerAntivirus\rtasks.exe
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Administrator\Desktop\vundofix.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\whufmtby.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.0.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147067613750
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: tazrylge - C:\WINDOWS\SYSTEM32\tazrylge.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: DomainService -   - C:\WINDOWS\system32\whufmtby.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10130 bytes
0
 

Author Comment

by:alopez1104
ID: 20317588
Here is the SmitFraud log:


SmitFraudFix v2.253

Scan done at 20:45:40.56, Mon 11/19/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{ADE98A92-9B4F-4E50-8655-31C3E11F2115}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{ADE98A92-9B4F-4E50-8655-31C3E11F2115}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{ADE98A92-9B4F-4E50-8655-31C3E11F2115}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{ADE98A92-9B4F-4E50-8655-31C3E11F2115}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

0
 

Author Comment

by:alopez1104
ID: 20317679
So far, I logged on in Normal Mode and no error msg regarding the trojan is popping up.  I am doing the Windows Update, just in case.  The only error I rec'd after the desktop setting is "Error Loading C:\Windows\system32\odpbwyvr.dll   Access Denied". I rebooted again and the error is gone.  When all these are fixed, should I keep my Zone Alarm?  Right now I have the 15 day free trial.
0
 

Author Comment

by:alopez1104
ID: 20317740
Right now my Zone Alarm is automatically doing the Virus/Spyware Scan.  No trojan msg. popping up yet. I think the last two pieces of software that I installed and ran have something to do with the fix, VundoFix.exe and SmitfraudFix.  I will keep an eye on this and let you know if everything is all okay.
0
 
LVL 22

Assisted Solution

by:orangutang
orangutang earned 30 total points
ID: 20317825
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20317975
Is the Hijackthis log you posted above the result of the scan done before you ran Vundofix and smitfraudfix???
I assume you ran Hijackthis before Vundofix and Smitfraudfix right? because the hijackthis log is still showing bad entries.....

The "error loading" is because of this entry below; when the reg entry is still present but the file is already removed, it throws out an "error loading":
O4 - HKLM\..\Run: [f04c826d] rundll32.exe "C:\WINDOWS\system32\odpbwyvr.dll",b
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20317991
>>should I keep my Zone Alarm?  Right now I have the 15 day free trial.<<
Zone alarm is good, keep it till the free trial is over (or buy it later)
I only have the ZA free firewall, and SUPERAntispyware for antispyware, and free Avast for antivirus. But we have Kaspersky on other pcs.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20319125
Good point on HJT rpg. Also, the last run of HJT is in Safe Mode. We should get one run in Normal Mode if possible, so we can see everything. I assume there are still Vundo entries left that need to be cleaned up with HJT.
0
 
LVL 20

Assisted Solution

by:IndiGenus
IndiGenus earned 370 total points
ID: 20319129
Oh sorry, also, was VundoFix run again in Normal Mode? You said you ran it in Safe Mode but it did not work. But did you run it in Normal Mode? You may want to scan again just to make sure.
0
 

Author Comment

by:alopez1104
ID: 20320880
1. The Hijackthis log posted was the result of the scan done after I ran Vundofix and smitfraudfix in Safe Mode.
2.  I am still getting the error loading "C:\WINDOWS\system32\odpbwyvr.dll"  after logging on in Normal Mode.  Should we put the file back since I am getting this error during the desktop? How?
3.  The Zone Alarm is running on its own and detecting some trojans and spyware.  I deleted all these files.  I restarted the computer and logged on in Normal Mode again.  The error loading is still there; after clicking okay to cancel it, I don't see any more errors like the cyber-x.   The Zone Alarm still runs on schedule.
Do you suggest that Kaspersky is much better?  I think I tried that on my computer before and it froze my computer and slowed down my internet connection, specially the gaming site.  The SUPERAntispyware and Avast, are these separate softwares on top of the Kaspersky or Zone Alarm? And, are they free? Should I have these installed in my PC?
4.  When all these are fixed, should I now remove all the anti-virus software that I used recently in Safe Mode? You know, the VundoFix, DrWeb, SDFix, etc.?
5. Do you want me to provide you another HJT rpg in Normal Mode and paste it here again?
6. Will I run the Vundo again in Normal Mode or wait for your reply until you see the HJT?

Thanks guys!



0
 
LVL 20

Assisted Solution

by:IndiGenus
IndiGenus earned 370 total points
ID: 20321573
"2.  I am still getting the error loading "C:\WINDOWS\system32\odpbwyvr.dll"  after logging on in Normal Mode.  Should we put the file back since I am getting this error during the desktop? How?"

That's because it is still being called out in the registry. No, you don't want that file back, it's no good.

Have HJT fix these if present, then reboot and post a new HJT log run in NORMAL MODE. There may be more because the last run of HJT was in Safe Mode, or some of the items I posted may be missing.

Remove this service first:
Click Start-> Run..
Enter the following commands one at a time into the window and click OK each time.

sc stop DomainService
sc delete DomainService

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O2 - BHO: {760dba1f-e4a8-432a-f2c4-13beecd276d4} - {4d672dce-eb31-4c2f-a234-8a4ef1abd067} - C:\WINDOWS\system32\ktmnnneh.dll
O2 - BHO: (no name) - {8A05E010-60B1-41EB-AC87-5F84CF18EA73} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\tazrylge.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tazrylge.dll
O4 - HKLM\..\Run: [f04c826d] rundll32.exe "C:\WINDOWS\system32\odpbwyvr.dll",b
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKLM\..\Run: [rtasks] C:\Program Files\BestsellerAntivirus\rtasks.exe
O20 - Winlogon Notify: tazrylge - C:\WINDOWS\SYSTEM32\tazrylge.dll
O23 - Service: DomainService -   - C:\WINDOWS\system32\whufmtby.exe

Then close all windows except this one and press Fix checked. Now reboot and post a fresh HJT log from Normal Mode.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20324915
Oh, yeah, sorry about posting the Vundo link.
0
 

Author Comment

by:alopez1104
ID: 20325712
The error loading is gone after following the instruction of Indigenus.  Below is the fresh log of HJT in Normal Mode:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:37 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\878RMTMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [PCI TV Card Remote Control Applet] C:\WINDOWS\713xRMT.exe
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\878RMTMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SDFix] C:\DOCUME~1\ADMINI~1\Desktop\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.0.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147067613750
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9386 bytes

Please let me know what else I need to get rid of so that my PC's performance is also faster.  Looks like we are almost close to the end of this problem.  Thanks.
0
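A quick way to check a fresh log against the fix list posted above, as an added example in Python that is not part of this thread and not a HijackThis feature: it parses the "O2 - BHO: name - {CLSID} - path" style lines of HijackThis v2.0.2 (the layout of the log above), reports which fix-list entries are still present in a newer log (matched by CLSID, Run value name or path), and lists the entries that point at a file HijackThis reports as missing. The sample input is constructed from lines posted in this thread; the matching rules are assumptions about the log format, not documented HijackThis behaviour.

```python
"""Parse HijackThis v2 log lines and compare a 'fix these' list against a fresh log.

Added example (not from the thread). Assumes the HJT v2.0.2 line layout seen
in the log above; the keying rules below are this example's own heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

HJT_LINE = re.compile(r"^(?P<section>[OR]\d+) - (?P<rest>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_VALUE = re.compile(r"\[([^\]]+)\]")


@dataclass(frozen=True)
class HjtEntry:
    section: str   # O2, O3, O4, O23, R0, ...
    key: str       # identifies the entry: its CLSID, Run value name, or its path
    location: str  # last ' - ' field: file, URL, or (for O4) the whole value
    orphan: bool   # True when HJT marks the target as '(file missing)' / '(no file)'
    raw: str


def parse_hjt(text: str) -> list[HjtEntry]:
    """Keep only 'Onn - ...' / 'Rn - ...' lines; headers and the process list are skipped."""
    entries: list[HjtEntry] = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, rest = m.group("section"), m.group("rest")
        orphan = "(file missing)" in rest or "(no file)" in rest
        fields = [f.strip() for f in rest.split(" - ")]
        location = fields[-1]
        clsids = CLSID.findall(rest)
        run_value = RUN_VALUE.search(rest) if section == "O4" else None
        if clsids:
            key = clsids[-1].upper()          # last CLSID is the entry's own id (O2 names may be a CLSID too)
        elif run_value:
            key = fields[0].split(":")[0] + ":[" + run_value.group(1) + "]"  # hive\..\Run:[value name]
        else:
            key = location.lower()
        entries.append(HjtEntry(section, key, location, orphan, line))
    return entries


def orphans(log: str) -> list[HjtEntry]:
    """Entries whose target file is gone: a registry reference left behind after the file was removed."""
    return [e for e in parse_hjt(log) if e.orphan]


def remaining_after_fix(fix_list: str, fresh_log: str) -> list[HjtEntry]:
    """Fix-list entries still present in the fresh log, returned as the fresh log shows them."""
    fresh = {(e.section, e.key): e for e in parse_hjt(fresh_log)}
    seen: list[HjtEntry] = []
    for e in parse_hjt(fix_list):
        hit = fresh.get((e.section, e.key))
        if hit is not None and hit not in seen:
            seen.append(hit)
    return seen


# Constructed sample: the fix list posted earlier in the thread.
FIX_LIST = r"""
O2 - BHO: {760dba1f-e4a8-432a-f2c4-13beecd276d4} - {4d672dce-eb31-4c2f-a234-8a4ef1abd067} - C:\WINDOWS\system32\ktmnnneh.dll
O2 - BHO: (no name) - {8A05E010-60B1-41EB-AC87-5F84CF18EA73} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\tazrylge.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tazrylge.dll
O4 - HKLM\..\Run: [f04c826d] rundll32.exe "C:\WINDOWS\system32\odpbwyvr.dll",b
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKLM\..\Run: [rtasks] C:\Program Files\BestsellerAntivirus\rtasks.exe
O20 - Winlogon Notify: tazrylge - C:\WINDOWS\SYSTEM32\tazrylge.dll
O23 - Service: DomainService -   - C:\WINDOWS\system32\whufmtby.exe
"""

# Constructed sample: a subset of the fresh Normal Mode log posted above.
FRESH_LOG_SAMPLE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SDFix] C:\DOCUME~1\ADMINI~1\Desktop\SDFix\RunThis.bat /second
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    print("Fix-list entries still present in the fresh log:")
    for e in remaining_after_fix(FIX_LIST, FRESH_LOG_SAMPLE):
        print("  ", e.raw)
    print("Entries whose target file is missing:")
    for e in orphans(FRESH_LOG_SAMPLE):
        print("  ", e.section, e.key, "->", e.location)
```

On the sample data the only fix-list entry still present is the O3 toolbar with CLSID {11A69AE4-FBED-4832-A2BF-45AF82825583}, now listed as "(no file)": the DLL itself is gone but the registry reference survived, the kind of leftover HijackThis can fix without touching any file. The "(file missing)" AOL and PartyPoker entries are the same kind of harmless residue from old uninstalls.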
 
LVL 22

Expert Comment

by:orangutang
ID: 20325734
C:\WINDOWS\878RMTMon.exe
seems suspicious
0
 
LVL 20

Assisted Solution

by:IndiGenus
IndiGenus earned 370 total points
ID: 20326836
>""C:\WINDOWS\878RMTMon.exe
seems suspicious""<

Good point. alopez1104:, do you have a TV tuner card that you run on this PC? I think it's related to that but want to make sure.

Not seeing anything else too malicious. Several notes though...

1. You have no Antivirus program. You need to get one ASAP. There are several free for personal use ones that are good. Certainly better than nothing. Here are 3:

http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-virus-free - AVG AntiVirus
http://www.avast.com/eng/avast_4_home.html - Avast Antivirus Home Version--Free
http://www.free-av.com/ - Antivir Personal - Free

After installing, update and run a complete system scan.

2. I would recommend you remove all the Viewpoint "stuff" unless you use it. To make a long story short, it's pretty much garbage and is only slowing you down. Use Add or Remove Programs and uninstall ANYTHING that notes Viewpoint, toolbar, media player, etc... There will probably be more than one entry.

3. If you still want to increase performance use msconfig and disable items from running at start up.

How much RAM do you have? Here are some other tips.

http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html  
http://www.microsoft.com/windowsxp/using/setup/expert/northrup_restoreperf.mspx
http://tweakhound.com/xp/xptweaks/supertweaks1.htm
0
 

Author Comment

by:alopez1104
ID: 20327478
Yes, but no longer using it.

1. I just uninstalled the free version of AVG.  Should I install it again? Which one of the three is good?  I thought Zone Alarm takes care of the antivirus as well, because this software runs or scans for viruses every day?

2. What is the use of View Point anyway?

3.  RAM is 1 GB.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20327640
If you have the Zone Alarm suite with AV then no need for another AV. In fact, don't use 2. I thought you just had the firewall, my mistake.

Viewpoint:
Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components.
Again, if you don't know what it is then you are likely not using it and should remove.

Well, that's plenty of RAM. But you do have quite a bit running. Take a look through those links I gave and see if anything in there helps.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20329425
Yeah, never mind. C:\WINDOWS\878RMTMon.exe seems valid.
0
 

Author Comment

by:alopez1104
ID: 20330183
Indigenus, the links that you provided are very informative.  I will definitely use these sources.  Thank you for all your help guys.   All of you contributed your expertise and I really appreciate it.   I would say that the original problem has been solved.  I will just do a little more cleanup to enhance my system.  Thank you again.
0
 

Author Closing Comment

by:alopez1104
ID: 31409888
Glad to have excellent troubleshooters.
0
