  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1884

Trojan Virus sent, along with software offers to fix???

This morning when I tried to access the internet, the only address that would come up was www.404dns.com.  My home page was changed to about:blank, and things just would not work.  My McAfee seems to have found it.  Whenever I access the internet, McAfee brings up a message "Trojan Found and Cleaned".  However, it must keep coming back because every time I access the internet, I get the same message.  I have scanned my system and McAfee doesn't find anything.  In the meanwhile, a yellow triangle alert comes up in my system tray with warnings about a virus = worm_attack.  If I click on it, I go to a site offering adware software for sale to eliminate this virus.  Also, my home page continues to be reset to about:blank.  What a mess!  Can anyone help???
eastert
 
eastert (Author) Commented:
More info:  Whenever I open IE, I automatically go to www.securityuptodate.net, even though my home page keeps being reset to about:blank.

war1 Commented:
Greetings, eastert !

1. Looks like you have several programs.  To take care of About:Blank problem, use AboutBuster:
http://www.malwarebytes.org/AboutBuster.zip

2. To take care of icon to sell adware software, use SmitFraudFix http://www.geekstogo.com/forum/index.php?showtopic=109268
OR
http://siri.geekstogo.com/SmitfraudFix.zip 

3. To check what remaining problems you may have, run HijackThis
http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, Save.  Post a link to the saved list here.

Best wishes!

rpggamergirl Commented:
Hi,
AboutBuster pretty much removes common AboutBlank variants.

1. Please download About:Buster 6.0.
http://www.malwarebytes.org/AboutBuster.zip

Then unzip all files from the zip folder to a folder or your desktop. Start it by double-clicking on the "aboutbuster.exe" icon and then click on the "Update" button to check for new updates. If any updates exist, please install them.

Exit AboutBuster and reboot into safe mode.
Once in safe mode double-click on the "aboutbuster.exe" icon again and click on the "Begin Removal" button. When it has finished scanning you will see a message stating that the Scan Completed and you should press OK. When the next information window opens press the Exit button. Then finally press the OK button again when it tells you a log has been saved.

2. Or can we look at your HijackThis log first? The HijackThis log could tell us what variants of AboutBlank are present in your system. There might be another infection also present.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis and click "Do a system scan and save a logfile". Don't fix anything yet.
Notepad will also open; copy its contents and paste them to either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
 
rpggamergirl Commented:
I didn't see your post, war1, sorry.

war1 Commented:
No problem here, rpggamergirl. We posted about the same time. I have done the same to you before. :-)

rpggamergirl Commented:
eastert,
It's better if we could see your hijackthis log to check if you have smitfraud before you use smitfraudfix.
Using SmitfraudFix if you're not infected with smitfraud will remove your desktop background.


The HijackThis log is an excellent diagnostic tool that can tell us what malware is present in your system and give you the right tool to fix it.

rpggamergirl Commented:
I seem to do this frequently, war1. While typing, if I refreshed before posting, all my text disappears :)

eastert (Author) Commented:
Hi, Everyone

Boy, do I appreciate your help!  Here is the logfile from HijackThis.

It should still be here http://www.hijackthis.de/logfiles/6f966404e598c44127db09cb92f21520.html

  Entry   Kind
(Safe, Nasty, Unknown)     Description     Tip
  Logfile of HijackThis v1.99.1    
Safe.   Shows the version of HijackThis an. The newest version is: v1.99.1!
   This should be the newest version. (v1.99.1)
  Platform: Windows XP SP2 (WinNT 5.01.2600)      
   
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)    
Safe.   Shows the version of your Internet Explorer. Newest Version is: 6.00.2900.2180!
   This should be the newest version. (6.00.2900.2180)
  C:\WINDOWS\System32\smss.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\system32\winlogon.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\system32\services.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\system32\lsass.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\system32\svchost.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\System32\svchost.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\Explorer.EXE    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\System32\brsvc01a.exe    
Safe.   running process. (brsvc01a.exe)
Brother Drucker
   
 
  C:\WINDOWS\system32\spoolsv.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\System32\brss01a.exe    
Safe.   running process. (brss01a.exe)
Brother Druckertreiber
   
 
  C:\WINDOWS\system32\atmclk.exe    
Nasty   This entry was classified from our visitors as bad.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\system32\dcomcfg.exe    
Nasty   This entry was classified from our visitors as bad.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\windows\system\hpsysdrv.exe    
Safe.   running process. (hpsysdrv.exe)

   
 
  C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe    
Safe.   running process. (hpqcmon.exe)
Hewlett-Packard Digital Imaging
   
Possibly nasty! According to our database this process runs normally in c:\programme\hewlett-packard\digital imaging\unload\! Check if you know this process and arrange a viruscheck where required.
  C:\WINDOWS\System32\hphmon05.exe    
Safe.   running process. (hphmon05.exe)
Part of Hewlett-Packard
   
 
  C:\HP\KBD\KBD.EXE    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\system32\VTTimer.exe    
Safe.   running process. (VTTimer.exe)
A device driver for VIA/S3G UniChrome IGP graphics controller and VIA/S3G KM400/KN400 graphics card. It is located in WINDOWSSYSTEM on Windows 95/98/ME and WINDOWSSYSTEM32 on Windows XP and WINNTSYSTEM32 on Windows NT/2000 Viaarena
   
 
  C:\WINDOWS\LTMSG.exe    
Safe.   running process. (LTMSG.exe)
One of the "popular" WinModem series. WinModems use software rather than hardware - hence putting a load on the CPU. Needed if you have it for loading the drivers. See here for more WinModem information
   
 
  C:\Program Files\Visual Networks\Visual IP InSight\Voyager ATX Agent\IPClient.exe    
Nasty   running process. (IPClient.exe)
Installed with Verizon DSL accounts. IP Insight is a Quality of Service monitor and diagnostic tool that isnt required - see here for more information. This one constantly "phones home" and wastes resource - hence the "X" status
   This is a nasty process! You should fix it and try to delete it manually!
 
  C:\Program Files\Visual Networks\Visual IP InSight\Voyager ATX Agent\IPMon32.exe    
Safe.   running process. (IPMon32.exe)
Installed with Verizon DSL accounts. IP Insight is a Quality of Service monitor and diagnostic tool that isnt required - see here for more information
   Not dangerous, but unnecessary.
 
  C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe    
Safe.   running process. (ViewMgr.exe)
Viewmgr.exe is a filename used by Viewpoint which looks for updates to Viewpoint products. The confusion over viewmgr.exe comes from Trojans or viruses that use the same executable name (.exe) as that of viewmgr.
   
 
  C:\WINDOWS\ALCXMNTR.EXE    
Nasty   running process. (ALCXMNTR.EXE)
Realtek AC97 Audio - Event Monitor. "Sypware" file used surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers
   This is a nasty process! You should fix it and try to delete it manually!
 
  C:\WINDOWS\system32\dla\tfswctrl.exe    
Safe.   running process. (tfswctrl.exe)
Hewlett-Packard DLA Packet Writing Software
   
Possibly nasty! According to our database this process runs normally in c:\winxp-e\system32\dla\! Check if you know this process and arrange a viruscheck where required.
  C:\Program Files\HP\HP Software Update\HPWuSchd2.exe    
Safe.   running process. (HPWuSchd2.exe)
Part of Hewlett-Packard
   
Possibly nasty! According to our database this process runs normally in c:\programme\hewlett-packard\hp software update\! Check if you know this process and arrange a viruscheck where required.
  C:\Program Files\HP\hpcoretech\hpcmpmgr.exe    
Safe.   running process. (hpcmpmgr.exe)

   
 
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe    
Safe.   running process. (realsched.exe)
Checks for updates for RealPlayer
   
 
  C:\Program Files\dvd43\dvd43_tray.exe    
Safe.   running process. (dvd43_tray.exe)
DVD43 is "a small tool that integrates into Windows and overrides CSS copy-protection found on DVD movies."
   Not dangerous, but unnecessary.
 
  C:\Program Files\support.com\bin\tgcmd.exe    
Unknown   running process. (tgcmd.exe)
See above. This part ensures the software is installed correctly (similar to an installation wizard) as reported by Cox. Regarded as spyware by some as it has the ability to retrieve user information. Whether it does so depends upon the provider. "tgcmdprovidersbc" is for SBC Yahoo DSL. One Toshiba user reports problems with hibernate on his laptop if disabled - hence the "U" recommendation
   This is a unknown process.
 
  C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe    
Safe.   running process. (MpfTray.exe)

   
 
  C:\PROGRA~1\mcafee.com\agent\mcagent.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\Program Files\McAfee.com\VSO\mcvsshld.exe    
Safe.   running process. (mcvsshld.exe)

   
 
  C:\Program Files\McAfee.com\VSO\oasclnt.exe    
Safe.   running process. (oasclnt.exe)
McAfee.com VSO
   
 
  c:\progra~1\mcafee.com\vso\mcvsescn.exe    
Safe.   running process. (mcvsescn.exe)

   
 
  C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe    
Safe.   running process. (PSFree.exe)
PopUp Stopper
   
 
  C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe    
Safe.   running process. (RoboTaskBarIcon.exe)

   
 
  C:\Program Files\Messenger\msmsgs.exe    
Safe.   running process. (msmsgs.exe)
MSN Messenger
   
 
  C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe    
Unknown   running process. (PlaxoHelper.exe)

   This is a unknown process.
 
  C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe    
Unknown   running process. (BackWeb-1940576.exe)

   This is a unknown process.
 
  C:\Program Files\Accord\SmartWorks 2.0 - Personal Edition Project Planner\server\Swserver.exe    
Unknown   running process. (Swserver.exe)

   This is a unknown process.
 
  C:\Palm\HOTSYNC.EXE    
Safe.   running process. (HOTSYNC.EXE)

   
Possibly nasty! According to our database this process runs normally in c:\programme\palm\! Check if you know this process and arrange a viruscheck where required.
  C:\WINDOWS\system32\drivers\KodakCCS.exe    
Safe.   running process. (KodakCCS.exe)

   
 
  c:\program files\mcafee.com\agent\mcdetect.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  c:\progra~1\mcafee.com\vso\mcvsftsn.exe    
Safe.   running process. (mcvsftsn.exe)

   
 
  C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe    
Safe.   running process. (hptskmgr.exe)
Bestandteil von Hewlett Packard Software
   
Possibly nasty! According to our database this process runs normally in c:\program files\hp\hpcoretech\comp\! Check if you know this process and arrange a viruscheck where required.
  c:\PROGRA~1\mcafee.com\vso\mcshield.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  c:\PROGRA~1\mcafee.com\agent\mctskshd.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe    
Safe.   running process. (MpfService.exe)
McAfee Software
   
 
  C:\WINDOWS\System32\svchost.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe    
Safe.   running process. (MpfAgent.exe)
McAfee Software
   
 
  C:\Program Files\Internet Explorer\iexplore.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\Program Files\HijackThis 1.99.1\HijackThis.exe    
Safe.   running process. (HijackThis.exe)
Tool, mit dem sie dieses Logfile erzeugt haben. Das Programm sollte so angelegt sein ! C:\Programme\HijackThis\HijackThis.exe
   Remember that Hijackthis must be run in an own folder. Only if Hijackthis run in an own folder it will create backups!
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/   
Safe.   This page has been identified as safe.
   
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =    
Safe.  
   
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank    
Safe.   This page has been identified as safe.
   
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast    
Safe.   This page has been identified as safe.
   
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost    
Safe.   This page has been identified as safe.
   
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll    
Safe.   Entries found in this registry zone are potentially nasty. This application ([06849E9F-C8D7-4D59-B87D-784B7D6BE0B3] - Result: 06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) has been checked. Hit rate: 100,00%
   
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll    
Safe.   Entries found in this registry zone are potentially nasty. This application ([53707962-6F74-2D53-2644-206D7942484F] - Result: 53707962-6F74-2D53-2644-206D7942484F) has been checked. Hit rate: 100,00%
   
  O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll    
Safe.   Entries found in this registry zone are potentially nasty. This application ([5CA3D70E-1895-11CF-8E15-001234567890] - Result: 5CA3D70E-1895-11CF-8E15-001234567890) has been checked. Hit rate: 100,00%
   
  O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll    
Safe.   Entries found in this registry zone are potentially nasty. This application ([724d43a9-0d85-11d4-9908-00400523e39a] - Result: 724d43a9-0d85-11d4-9908-00400523e39a) has been checked. Hit rate: 100,00%
   
  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll    
Safe.   Entries found in this registry zone are potentially nasty. This application ([AA58ED58-01DD-4d91-8333-CF10577473F7] - Result: AA58ED58-01DD-4d91-8333-CF10577473F7) has been checked. Hit rate: 100,00%
   
  O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp100.tmp    
Nasty   Entries found in this registry zone are potentially nasty. This application ([f79fd28e-36ee-4989-aa61-9dd8e30a82fa] - Result: F79FD28E-36EE-4989-AA61-9DD8E30A82FA) has been checked. Hit rate: 61,11%
   Must be fixed!
  O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll    
Unknown   Entries found in this registry zone are potentially nasty. This application ([40D41A8B-D79B-43d7-99A7-9EE0F344C385] - Result: 40D41A8B-D79B-43d7-99A7-9EE0F344C385) has been checked. Hit rate: 100,00%
   Unknown application.
  O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll    
Safe.   Entries found in this registry zone are potentially nasty. This application ([724d43a0-0d85-11d4-9908-00400523e39a] - Result: 724D43A0-0D85-11D4-9908-00400523E39A) has been checked. Hit rate: 83,33%
   
  O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll    
Safe.   Entries found in this registry zone are potentially nasty. This application ([BA52B914-B692-46c4-B683-905236F6F655] - Result: BA52B914-B692-46c4-B683-905236F6F655) has been checked. Hit rate: 100,00%
   
  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll    
Safe.   Entries found in this registry zone are potentially nasty. This application ([2318C2B1-4965-11d4-9B18-009027A5CD4F] - Result: 2318C2B1-4965-11D4-9B18-009027A5CD4F) has been checked. Hit rate: 97,22%
   
  O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll    
Nasty   Entries found in this registry zone are potentially nasty. This application ([736b5468-bdad-41be-92d0-22ae2ddf7bcb] - Result: 736B5468-BDAD-41BE-92D0-22AE2DDF7BCB) has been checked. Hit rate: 55,56%
   Must be fixed!
  O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe    
Safe.   Hewlett-Packard
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe    
Safe.   Application that implements the Intel Hotkey command.
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe    
Safe.   Part of Hewlett-Packard
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe    
Safe.   Hewlett-Packard related
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe    
Safe.   Part of Hewlett-Packard
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE    
Safe.   Hewlett Packard Software
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [VTTimer] VTTimer.exe    
Safe.   A device driver for VIA/S3G UniChrome IGP graphics controller and VIA/S3G KM400/KN400 graphics card. It is located in WINDOWSSYSTEM on Windows 95/98/ME and WINDOWSSYSTEM32 on Windows XP and WINNTSYSTEM32 on Windows NT/2000 Viaarena
Hit rate: 32,47 % (result)
   
  O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7    
Safe.   One of the "popular" WinModem series. WinModems use software rather than hardware - hence putting a load on the CPU. Needed if you have it for loading the drivers. See here for more WinModem information
Hit rate: 72,22 % (result)
   
  O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe    
Safe.   Multimedia Keyboard companion on HP computers. If this is prevented from starting, then some keyboard functionality will be lost.
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Voyager ATX Agent\IPClient.exe" -l    
Nasty   Installed with Verizon DSL accounts. IP Insight is a Quality of Service monitor and diagnostic tool that isnt required - see here for more information. This one constantly "phones home" and wastes resource - hence the "X" status
Hit rate: 87,50 % (result)
   Must be fixed!
  O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Voyager ATX Agent\IPMon32.exe"    
Safe.   Installed with Verizon DSL accounts. IP Insight is a Quality of Service monitor and diagnostic tool that isnt required - see here for more information
Hit rate: 86,36 % (result)
   Not dangerous, but unnecessary.
  O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe    
Safe.   Viewmgr.exe is a filename used by Viewpoint which looks for updates to Viewpoint products. The confusion over viewmgr.exe comes from Trojans or viruses that use the same executable name (.exe) as that of viewmgr.
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE    
Nasty   This entry was classified from our visitors as bad.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O4 - HKLM\..\Run: [Windows Generic Proc] procmsg.exe    
Unknown  
Hit rate: 0,00 % (result)
   Unknown application.
  O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe    
Safe.   Part of Sonic Solutions DVD/CD Suite / HP's packet writing software
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r    
Safe.   StorageGuard from Veritas (this version by Sonic). Free utility that integrates with Backup MyPC (formerly Backup Exec Desktop), Simple Backup and MS Backup. Provides system tray access and background monitoring - warning you of files that havent recently been backed up. Required unless you backup manually on a regular basis or have scheduled backups
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [stratas] lockx.exe    
Unknown  
Hit rate: 0,00 % (result)
   Unknown application.
  O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"    
Safe.   HP software updates. If a shortcut doesn\'t exist create your own and run it manually
Hit rate: 94,44 % (result)
   Not dangerous, but unnecessary.
  O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"    
Safe.   Checks the internet for updated drivers/utilities for your HP product - update manually. Disabling will remove the error "Windows can\'t shutdown the computer because hpcmpmgr.exe can\'t be ended"
Hit rate: 100,00 % (result)
   Not dangerous, but unnecessary.
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot    
Safe.   Part of RealPlayer
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe    
Safe.   DVD43 is "a small tool that integrates into Windows and overrides CSS copy-protection found on DVD movies."
Hit rate: 85,71 % (result)
   Not dangerous, but unnecessary.
  O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server    
Safe.   See above. This part ensures the software is installed correctly (similar to an installation wizard) as reported by Cox. Regarded as spyware by some as it has the ability to retrieve user information. Whether it does so depends upon the provider. "tgcmdprovidersbc" is for SBC Yahoo DSL. One Toshiba user reports problems with hibernate on his laptop if disabled - hence the "U" recommendation
Hit rate: 66,67 % (result)
   
  O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe    
Safe.   McAfee Personal Firewall
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe    
Safe.   From McAfee VirusScan On-line. The Agent is a red M icon that appears in the Windows system tray or Notification Area (if youre running Windows XP). If you dont see the agent icon, VirusScan Online may not be installed
Hit rate: 95,00 % (result)
   
  O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe    
Safe.   From McAfee VirusScan On-line. Automatically updates your virus definitions. Leave enabled unless you regularly update these definitions
Hit rate: 87,12 % (result)
   
  O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask    
Safe.   McAfee
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe    
Safe.   McAfee VirusScan On-line. See also McAgentExe
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe    
Safe.   McAfee.com VSO
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\RunServices: [Windows Generic Proc] procmsg.exe    
Unknown  
Hit rate: 0,00 % (result)
   Unknown application.
  O4 - HKLM\..\RunServices: [stratas] lockx.exe    
Unknown  
Hit rate: 0,00 % (result)
   Unknown application.
  O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook    
Safe.   NVidia Nview
Hit rate: 100,00 % (result)
   
  O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"    
Safe.   Microsoft Money
Hit rate: 100,00 % (result)
   Not dangerous, but unnecessary.
  O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\Xtras\mssysmgr.exe    
Safe.   Simple Star PhotoShow_Deluxe photo editing and organizing software; makes it easy to send and share digital photos.. Bundled with software from Nero, ComCast, SnapFish, MacroMedia and others.
Hit rate: 100,00 % (result)
   Not dangerous, but unnecessary.
  O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"    
Safe.   PopUp Blocker
Hit rate: 100,00 % (result)
   
  O4 - HKCU\..\Run: [Windows Generic Proc] procmsg.exe    
Unknown  
Hit rate: 0,00 % (result)
   Unknown application.
  O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"    
Safe.   Roboform - password manager and web form filler. Will work without this startup entry, as the "active" component is an integrated Internet Explorer browser plugin
Hit rate: 100,00 % (result)
   Not dangerous, but unnecessary.
  O4 - HKCU\..\Run: [stratas] lockx.exe    
Unknown  
Hit rate: 0,00 % (result)
   Unknown application.
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background    
Safe.   Windows Messenger utility. If you don\'t use Windows Messenger, this can be annoying. Available via Start -> Programs. Go to Windows Messenger > Tools > Options > Preferences and uncheck "Run this program when Windows starts"
Hit rate: 100,00 % (result)
   
  O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe -a    
Unknown  
Hit rate: 0,00 % (result)
   Unknown application.
  O4 - HKCU\..\RunServices: [Windows Generic Proc] procmsg.exe    
Unknown  
Hit rate: 0,00 % (result)
   Unknown application.
  O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe    
Unknown  
Hit rate: 0,00 % (result)
   Unknown application.
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe    
Safe.   HP digital imaging monitor; can apparently be launched manually.
Hit rate: 96,43 % (result)
   Not dangerous, but unnecessary.
  O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe    
Unknown  
Hit rate: 0,00 % (result)
   Unknown application.
  O4 - Global Startup: SmartWorks Server.lnk = C:\Program Files\Accord\SmartWorks 2.0 - Personal Edition Project Planner\server\Swserver.exe    
Unknown  
Hit rate: 0,00 % (result)
   Unknown application.
  O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html    
Safe.   The entry &Google Search has been identified as safe.
   If the entry '&Google Search ' is not needed anymore, it should be fixed.
  O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html    
Safe.   The entry &Translate English Word has been identified as safe.
   If the entry '&Translate English Word ' is not needed anymore, it should be fixed.
  O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html    
Safe.   The entry Backward Links has been identified as safe.
   If the entry 'Backward Links ' is not needed anymore, it should be fixed.
  O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html    
Safe.   The entry Cached Snapshot of Page has been identified as safe.
   If the entry 'Cached Snapshot of Page ' is not needed anymore, it should be fixed.
  O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html    
Safe.   The entry Customize Menu has been identified as safe.
   If the entry 'Customize Menu ' is not needed anymore, it should be fixed.
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000    
Safe.   The entry E&xport to Microsoft Excel has been identified as safe.
   If the entry 'E&xport to Microsoft Excel ' is not needed anymore, it should be fixed.
  O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html    
Safe.   The entry Fill Forms has been identified as safe.
   If the entry 'Fill Forms ' is not needed anymore, it should be fixed.
  O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html    
Safe.   The entry RoboForm Toolbar has been identified as safe.
   If the entry 'RoboForm Toolbar ' is not needed anymore, it should be fixed.
  O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html    
Safe.   The entry Save Forms has been identified as safe.
   If the entry 'Save Forms ' is not needed anymore, it should be fixed.
  O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html    
Safe.   The entry Similar Pages has been identified as safe.
   If the entry 'Similar Pages ' is not needed anymore, it should be fixed.
  O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html    
Safe.   The entry Translate Page into English has been identified as safe.
   If the entry 'Translate Page into English ' is not needed anymore, it should be fixed.
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)    
Unnecessarily   The entry has been identified as safe.
   If the entry '' is not needed anymore, it should be fixed.
Unnecessary (deactivated) entry that can be fixed.
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)    
Unnecessarily   The entry Sun Java Console has been identified as safe.
   If the entry 'Sun Java Console ' is not needed anymore, it should be fixed.
Unnecessary (deactivated) entry that can be fixed.
  O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)    
Unnecessarily   Unknown buttons or entries in the 'Extras'-menu should be fixed.
   To be fixed if the entry '' is unknown.
Unnecessary (deactivated) entry that can be fixed.
  O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)    
Unnecessarily   Unknown buttons or entries in the 'Extras'-menu should be fixed.
   To be fixed if the entry 'MaxSpeed ' is unknown.
Unnecessary (deactivated) entry that can be fixed.
  O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html    
Safe.   The entry Fill Forms has been identified as safe.
   If the entry 'Fill Forms ' is not needed anymore, it should be fixed.
  O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html    
Safe.   The entry Fill Forms has been identified as safe.
   If the entry 'Fill Forms ' is not needed anymore, it should be fixed.
  O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html    
Safe.   The entry Save has been identified as safe.
   If the entry 'Save ' is not needed anymore, it should be fixed.
  O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html    
Safe.   The entry Save Forms has been identified as safe.
   If the entry 'Save Forms ' is not needed anymore, it should be fixed.
  O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)    
Unnecessarily   Unknown buttons or entries in the 'Extras'-menu should be fixed.
   To be fixed if the entry 'ComcastHSI ' is unknown.
Unnecessary (deactivated) entry that can be fixed.
  O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html    
Safe.   The entry RoboForm has been identified as safe.
   If the entry 'RoboForm ' is not needed anymore, it should be fixed.
  O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html    
Safe.   The entry RoboForm Toolbar has been identified as safe.
   If the entry 'RoboForm Toolbar ' is not needed anymore, it should be fixed.
  O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)    
Unnecessarily   Unknown buttons or entries in the 'Extras'-menu should be fixed.
   To be fixed if the entry 'Support ' is unknown.
Unnecessary (deactivated) entry that can be fixed.
  O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)    
Unnecessarily   Unknown buttons or entries in the 'Extras'-menu should be fixed.
   To be fixed if the entry 'Help ' is unknown.
Unnecessary (deactivated) entry that can be fixed.
  O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe    
Safe.   The entry AIM has been identified as safe.
   If the entry 'AIM ' is not needed anymore, it should be fixed.
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe    
Safe.   The entry Messenger has been identified as safe.
   If the entry 'Messenger ' is not needed anymore, it should be fixed.
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe    
Safe.   The entry Windows Messenger has been identified as safe.
   If the entry 'Windows Messenger ' is not needed anymore, it should be fixed.
  O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab   
Safe.   This entry has been identified as safe.
   
  O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!
   Check if you know this site and fix it if you do not.
  O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.bestmark.com/support/ScriptX.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!
   Check if you know this site and fix it if you do not.
  O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab   
Safe.   This entry has been identified as safe.
   
  O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab   
Safe.   This entry has been identified as safe.
   
  O16 - DPF: {610FB8B8-2427-4375-BCF9-2F7AE17173A6} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!
   Check if you know this site and fix it if you do not.
  O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!
   Check if you know this site and fix it if you do not.
  O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - https://www.msishopper.net/Site/ICResources/ImageUploader3.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!
   Check if you know this site and fix it if you do not.
  O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab   
Safe.   This entry has been identified as safe.
   
  O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab   
Safe.   This entry has been identified as safe.
   
  O18 - Filter: text/html - {32836A8C-6E2F-40F6-86BB-31973566A705} - C:\WINDOWS\System32\msdoh.dll    
Nasty   Only a few Hijackers are listed here. The most popular are 'cn' (CommonName) , 'ayb' (Lop.com) and 'relatedlinks' (Huntbar) . They should be fixed.
   Should be fixed.
  O18 - Filter: text/plain - {32836A8C-6E2F-40F6-86BB-31973566A705} - C:\WINDOWS\System32\msdoh.dll    
Nasty   Only a few Hijackers are listed here. The most popular are 'cn' (CommonName) , 'ayb' (Lop.com) and 'relatedlinks' (Huntbar) . They should be fixed.
   Should be fixed.
  O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe    
Safe.   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (brsvc01a.exe) was identified as a good one.
  O23 - Service: dcfssvc (Dcfssvc) - Unknown owner - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe (file missing)    
Safe.   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (dcfssvc.exe) was identified as a good one.
  O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe    
Safe.   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (KodakCCS.exe) was identified as a good one.
  O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe    
Safe.   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (mcshield.exe) was identified as a good one.
  O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe    
Safe.   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (mcupdmgr.exe) was identified as a good one.
  O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe    
Safe.   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (MpfService.exe) was identified as a good one.
  O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe    
Safe.   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (nvsvc32.exe) was identified as a good one.


This log has been checked automatically.
Check your log file automatically at www.hijackthis.de.
0
 
war1Commented:
eastert,

Atmclk.exe is a process by SpyFalcon and SpywareQuake, both of which can be fixed by SmitFraudFix. Follow the instructions that I posted above to run SmitFraudFix.

Then post the HijackThis log again. You should not have posted the HijackThis log here.  Instead, run an analysis at http://hijackthis.de  then save the result and post a link to the result here.  

Also run AboutBuster to remove About:Blank malware.
0
 
rpggamergirlCommented:
You do have Smitfraud infection, so you do need SmitfraudFix as well. (SpyFalcon can sometimes persist, let us know if it does)

Fix these entries with hijackthis by putting a check next to them and clicking "Fix Checked":
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [Windows Generic Proc] procmsg.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\RunServices: [Windows Generic Proc] procmsg.exe    
O4 - HKLM\..\RunServices: [stratas] lockx.exe  
O4 - HKCU\..\Run: [Windows Generic Proc] procmsg.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - HKCU\..\RunServices: [Windows Generic Proc] procmsg.exe
O18 - Filter: text/html - {32836A8C-6E2F-40F6-86BB-31973566A705} - C:\WINDOWS\System32\msdoh.dll
O18 - Filter: text/plain - {32836A8C-6E2F-40F6-86BB-31973566A705} - C:\WINDOWS\System32\msdoh.dll


Delete these files, you may need to show hidden files and folders first:
C:\WINDOWS\System32\procmsg.exe
C:\WINDOWS\System32\lockx.exe  
C:\WINDOWS\System32\msdoh.dll
0
 
rpggamergirlCommented:
Forgot:
Uninstall "Security Toolbar" if listed in Add/Remove Programs

and delete its folder if it's still present, smitfraudfix might remove it too.
C:\Program Files\Security Toolbar

This one below hijackthis can't remove but SmitfraudFix will.
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp100.tmp    
0
 
rpggamergirlCommented:
Afterwards try running Blacklight to make sure no other rootkit-like nasties or hidden files are present there:

1. Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

2. You could also try running MS removal tool and see if it finds more SDBot variants:
MS malicious software removal tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
0
 
eastertAuthor Commented:
OK.  I ran the smitfraud tool and about buster.  I have rerun hijack this and here is the link: http://www.hijackthis.de/logfiles/f1991712dd0ddc1e532cb56520bd5e5c.html

Things are already working better.  What do I need to do next?

Many, many thanks!
0
 
rpggamergirlCommented:
The entries that I posted to be removed are still there, please remove them.
0
 
war1Commented:
Glad your computer is running faster. Put a check mark by the following items in HijackThis log and click "Fix Checked".  These are similar to what rpggamergirl posted above.

O4 - HKLM\..\Run: [Windows Generic Proc] procmsg.exe
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\RunServices: [Windows Generic Proc] procmsg.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O18 - Filter: text/html - {32836A8C-6E2F-40F6-86BB-31973566A705} - C:\WINDOWS\System32\msdoh.dll
O18 - Filter: text/plain - {32836A8C-6E2F-40F6-86BB-31973566A705} - C:\WINDOWS\System32\msdoh.dll

IPClient.exe is installed with your Verizon DSL and monitors the connection. It is not harmful. Some consider it spyware.

C:\Program Files\Visual Networks\Visual IP InSight\Voyager ATX Agent\IPClient.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Voyager ATX Agent\IPClient.exe" -l
0
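The check done by eye in the last few replies (are the entries on the fix list still in the follow-up log?), as an added Python example that is not part of the original thread. The fix list is the one posted above; the follow-up log is a constructed sample built from entries quoted on this page, and the function names are hypothetical.

```python
import re

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] file.exe".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Return (section, body) for every entry line; other lines are skipped."""
    return [m.groups() for m in map(ENTRY_RE.match, log_text.splitlines()) if m]

def normalize(entry):
    """Comparison key: collapse whitespace, ignore case (Windows paths are case-insensitive)."""
    section, body = entry
    return section, " ".join(body.split()).lower()

def still_present(fix_list_text, new_log_text):
    """Fix-list entries that still appear in the follow-up log, in fix-list order."""
    current = {normalize(e) for e in parse_entries(new_log_text)}
    return [e for e in parse_entries(fix_list_text) if normalize(e) in current]

def by_section(entries):
    """Group entry bodies by HijackThis section code (O4, O18, ...)."""
    grouped = {}
    for section, body in entries:
        grouped.setdefault(section, []).append(body)
    return grouped

# Fix list as posted in the thread.
FIX_LIST = r'''
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [Windows Generic Proc] procmsg.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\RunServices: [Windows Generic Proc] procmsg.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [Windows Generic Proc] procmsg.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - HKCU\..\RunServices: [Windows Generic Proc] procmsg.exe
O18 - Filter: text/html - {32836A8C-6E2F-40F6-86BB-31973566A705} - C:\WINDOWS\System32\msdoh.dll
O18 - Filter: text/plain - {32836A8C-6E2F-40F6-86BB-31973566A705} - C:\WINDOWS\System32\msdoh.dll
'''

# Constructed follow-up log (not the asker's real second log); note the
# trailing spaces and the lower-cased path, which normalize() must tolerate.
FOLLOW_UP_LOG = r'''
O4 - HKLM\..\Run: [Windows Generic Proc] procmsg.exe
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\RunServices: [Windows Generic Proc] procmsg.exe    
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Voyager ATX Agent\IPClient.exe" -l
O18 - Filter: text/html - {32836A8C-6E2F-40F6-86BB-31973566A705} - c:\windows\system32\msdoh.dll
O18 - Filter: text/plain - {32836A8C-6E2F-40F6-86BB-31973566A705} - C:\WINDOWS\System32\msdoh.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
'''

if __name__ == "__main__":
    for section, bodies in by_section(still_present(FIX_LIST, FOLLOW_UP_LOG)).items():
        for body in bodies:
            print(f"STILL PRESENT  {section} - {body}")
```

An empty result means every flagged entry is gone from the new log; entries that are in the log but not on the fix list (IPClient.exe, the NVIDIA service) are ignored.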
