Malware runs iexplore & tries to install cookies



Pijuvwy
2007-01-01, 10:43
Hello.

I seem to have got a malware from an exe I downloaded from emule while looking for a certain application.

When I ran the exe it didn't look like what it was supposed to be, though it was disguised to look like a real app. I deleted the folder and the .zip, but by then it had done its dirty work.

Now, from time to time, I get a dialog popping up warning me that a website is trying to send a cookie. BUT I have no browser open! I'm connected on ADSL and using emule at the time.

The Task Manager shows IEXPLORE.exe running. It seems to be located in Prefetch.

This is by no means the first malware I've picked up from emule, but the others have been handled by McAfee. I think.

Here's my hijackthis.log

Logfile of HijackThis v1.99.1
Scan saved at 2:26:11 PM, on 1/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\OV530EM.exe
C:\Program Files\QuickTime713\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\IP Operator\IPOperator.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\user\Desktop\emule and Mods\emuleMorphXT\xpmule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Start Menu\MAINTENANCE\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - (no file)
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [batterymiser] C:\Program Files\Battery miser\batterymiser.exe
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Ovt Wia] C:\WINDOWS\OV530EM.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime713\qttask.exe" -atboottime
O4 - HKLM\..\Run: [.nvsvc] C:\DOCUME~1\user\LOCALS~1\Temp\t7654.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [IPOperator] "C:\Program Files\IP Operator\IPOperator.exe" -aUtOsTaRtFrOmReG
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: *Copy to Image Visual Photo++ Favorite* - C:\Program Files\Visual Photo++\image.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe



Thanks for your support.

pskelley
2007-01-02, 15:40
G'day and welcome to the forum, I hate to be an I told you so, but downloading junk from places like eMule is about the fastest way there is to get infected. If you have not resolved the issue elsewhere, let's start like this:

C:\Documents and Settings\user\Desktop\emule and Mods\emuleMorphXT\xpmule.exe <<< are you sure this program is safe?

1) Read the instructions: "BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288
Choose one of the free online scans and run it, be sure to save the scan results.

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - (no file)
O4 - HKLM\..\Run: [.nvsvc] C:\DOCUME~1\user\LOCALS~1\Temp\t7654.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

ATF-Cleaner will probably get this, but I wish to be sure, navigate to that TEMP folder and delete all of the contents (not the folder)

C:\DOCUMENT & SETTINGS~1\user\LOCALS~1\Temp\t7654.exe <<< delete the contents of the folder in red.

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

See this information: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_06\ <<< out of date, download the newest version and uninstall all old versions of Java in Add Remove programs.

Restart the computer and post the online antivirus scan results and a new HJT log. Tell me how the computer is running.

Cheers

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
This program is obsolete and useless and should be uninstalled. I will post suggestions from experts a bit later, but if you wish to continue with a free Microsoft product, this is the program they replaced that one with:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
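
Added example, not part of the thread and not code from HijackThis: the three lines pskelley picks out above are the ones a mechanical pass over an HJT log would flag too, so here is a small Python triage script that does exactly that. It parses O4 (Run key) and O2/O3 (BHO and toolbar) lines and reports an autorun whose target lives in a temp directory, an autorun with a blank or dot-leading value name, and an add-in registration whose DLL no longer exists ("(no file)"). The sample lines are copied from the log above (plus two benign ones) and are embedded so the script runs offline; the regexes assume the HijackThis v1.99.1 line format shown on this page.

```python
"""Mechanical triage of HijackThis O2/O3/O4 lines (added example)."""
import re
from typing import Dict, List

# Constructed sample: lines copied from the log posted above, plus two
# benign ones, so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime713\qttask.exe" -atboottime
O4 - HKLM\..\Run: [.nvsvc] C:\DOCUME~1\user\LOCALS~1\Temp\t7654.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe"
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - (no file)
"""

# HijackThis v1.99.1 line shapes (assumed from the log on this page).
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ADDIN_RE = re.compile(
    r"^O(?P<kind>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# Temp locations as they appear in XP-era logs: ...\Temp\ or ...\LOCALS~1\Temp\
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def executable_path(cmd: str) -> str:
    """Return the program part of an O4 command, handling quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line: {'line': ..., 'reasons': [...]}."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        reasons = []
        m = RUN_RE.match(line)
        if m:
            path = executable_path(m["cmd"])
            if TEMP_RE.search(path):
                reasons.append("autorun target lives in a temp directory")
            if m["name"].startswith(".") or m["name"].strip() == "":
                reasons.append("autorun value name is blank or starts with '.'")
        m = ADDIN_RE.match(line)
        if m and m["path"].strip().lower() == "(no file)":
            reasons.append("registered COM add-in whose DLL is missing")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

A "(no file)" entry is only a dangling registration and is removed for tidiness; the temp-directory autorun with the odd value name is the one that matters, and it is the entry the Run key was pointing at when the stray IEXPLORE.exe appeared.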

Pijuvwy
2007-01-03, 14:08
Thanks very much for your suggestions.

Over the past couple of days I read the advice given to others on the forum, and ran some of the scans etc suggested for them. Things seem much better, after removing 6 serious threats, about 75 medium, and 1 low. !

I've also installed 2007 McAfee suite.

Even so, over the coming days I'll follow your advice and give you some new results, to see how things are going now.

BTW, yes, I do trust xpmule. I have followed that modder's work, and had some discussions with him. But I DON'T trust the applications downloaded from emule. There's a very high rate of "things which are not what they seem", probably over 10%.

Two of my symptoms (now cleared up) may be worth mentioning, as they are very similar to PaulWeller's: The malware removed spybotSD from my system, and also I was unable to boot into Safe Mode.

Thanks again. I trust you had an enjoyable New Year celebration.


Pij

pskelley
2007-01-03, 15:54
Thanks for the feedback, be careful following advice for other folks infections, their fix is often tailored to their infection. I can comment little since I did not receive:

Restart the computer and post the online antivirus scan results and a new HJT log. Tell me how the computer is running.
I will suggest this: System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=safe+p2p+downloading

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Pijuvwy
2007-01-04, 00:18
Here's the on-screen report from the online scan. I forgot to enter email details - I'll have to run it again if this is not sufficient data.


Scan Results: 119085 files scanned. 5 viruses were detected.
File Infection Status Path
126087364.exe Win32/Higlieder.H infected C:\WINDOWS\exefld\
40161839.exe Win32/Higlieder.H infected C:\WINDOWS\exefld\
55344731.exe Win32/Higlieder.H infected C:\WINDOWS\exefld\
70504630.exe Win32/Higlieder.H infected C:\WINDOWS\exefld\
85581830.exe Win32/Higlieder.H infected C:\WINDOWS\exefld\

Pijuvwy
2007-01-04, 00:24
I forgot to mention - while cleaning & scanning etc, it seemed that the IEXPLORE issue was caused by

hldrrr.exe

hiding in system32 folder.

pskelley
2007-01-04, 00:50
Thanks for that information, only I can't get Google to supply information about any of that no matter how I search. This is the only item Google shows:
http://www.computerpech.nl/forum/index.php?page=view&cat_id=6&sub_cat=4&threadid=1221 I can make out bagle virus:

What online scan found this stuff? I would like to see more of the scan results and know the name of the program. It's unusual for Google not to return information unless this is a very new virus/trojan?

Please also follow the directions in this link:
http://forums.security-central.us/showthread.php?t=3165

I would like a look at a BlackLight scan result in case this is a rootkit infection:
Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder in the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.
__________________________________________________________
That's all the information you can provide about the program finding the item and the scan results if possible. I don't need to see cookies, recycle bins or System Restore Files. The scan results from AVG Anti-Spyware, the Blacklight scan results and a new HJT log. Please add any information you think will help.

Thanks

Pijuvwy
2007-01-04, 01:00
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - (no file)
O4 - HKLM\..\Run: [.nvsvc] C:\DOCUME~1\user\LOCALS~1\Temp\t7654.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

OK, have done.

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

ATF-Cleaner will probably get this, but I wish to be sure, navigate to that TEMP folder and delete all of the contents (not the folder)

C:\DOCUMENT & SETTINGS~1\user\LOCALS~1\Temp\t7654.exe <<< delete the contents of the folder in red.

t7654 no longer appeared in Temp folder.

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
This program is obsolete and useless and should be uninstalled,

OK, will do.

pskelley
2007-01-04, 01:10
That sounds like Bagle, see these: C:\Windows\System32\hldrrr.exe
http://www.bleepingcomputer.com/startups/hldrrr.exe-14993.html
http://fileinfo.prevx.com/spyware/qqe21e23592428-HLDR16820740/HLDRRR.EXE.html
http://www.sarc.com/avcenter/venc/data/trojan.tooso.r.html
http://www.castlecops.com/s12994-hldrrr.html

Prevx is the only tool that I have found so far to remove it. Have you tried to delete it manually?

You can try this tool if you wish:
How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\hldrrr.exe and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

If that does not do it, then Prevx offers a free trial. Keep me posted.

Thanks
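
Added example, not part of the thread and not HijackThis's own code: the "Delete a file on reboot" step above relies on the standard Windows mechanism for removing a locked file, MoveFileExW(source, NULL, MOVEFILE_DELAY_UNTIL_REBOOT), which records the request in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations as a pair of strings: the source in NT form ("\??\C:\...") followed by an empty destination, meaning delete. The Python below builds and parses that value so a queued deletion can be verified before rebooting; that HijackThis uses this exact call is an assumption, the value format itself is documented. Reading the value on a live system is left out: Python's winreg decodes REG_MULTI_SZ itself and stops at the first empty string, which is precisely what a delete entry contains, so you want the raw bytes (from a hive export or a forensic registry parser) rather than winreg's list.

```python
"""Build and parse PendingFileRenameOperations entries (added example)."""
from typing import List, Optional, Tuple

# Where the session manager reads the queue at boot (documented value).
VALUE_PATH = (r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
              r"\PendingFileRenameOperations")


def nt_path(win_path: str) -> str:
    r"""C:\foo -> \??\C:\foo, the form the session manager expects."""
    if win_path.startswith("\\??\\"):
        return win_path
    return "\\??\\" + win_path


def queue_delete(existing: List[str], win_path: str) -> List[str]:
    """Return a new string list with win_path queued for deletion at reboot.

    A delete is a (source, "") pair; MOVEFILE_DELAY_UNTIL_REBOOT appends
    the same pair when the destination is NULL.
    """
    return list(existing) + [nt_path(win_path), ""]


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ: each string NUL-terminated, then one extra NUL; UTF-16LE."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(data: bytes) -> List[str]:
    """Inverse of encode_multi_sz.

    Parses by length rather than stopping at the first empty string, so
    the empty destination of a delete entry is preserved.
    """
    text = data.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]          # block terminator
    if text == "":
        return []
    if text.endswith("\0"):
        text = text[:-1]          # last string's own terminator
    return text.split("\0")


def pending_operations(strings: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Pair the flat list into (source, destination); destination None = delete."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold string pairs")
    ops = []
    for src, dst in zip(strings[::2], strings[1::2]):
        ops.append((src, dst if dst else None))
    return ops


if __name__ == "__main__":
    # Constructed sample: the file named in this thread.
    queue = queue_delete([], r"C:\WINDOWS\SYSTEM32\hldrrr.exe")
    blob = encode_multi_sz(queue)
    for src, dst in pending_operations(decode_multi_sz(blob)):
        print("DELETE" if dst is None else "RENAME", src, dst or "")
```

Two caveats a practitioner wants here. First, the queue only works if the path is right: in this thread the file did not even show in the file picker, which is consistent with the rootkit-style hiding the helper suspected, and a queued deletion of a path the kernel cannot open at boot simply fails silently. Second, malware uses the same value to swap its own files in at reboot, so an unexplained entry in PendingFileRenameOperations during an investigation is itself worth a look.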

Pijuvwy
2007-01-04, 01:33
Thanks for that information, only I can't get Google to supply information about any of that no matter how I search. This is the only item Google shows:
http://www.computerpech.nl/forum/index.php?page=view&cat_id=6&sub_cat=4&threadid=1221 I can make out bagle virus:

What online scan found this stuff? I would like to see more of the scan results and know the name of the program. It's unusual for Google not to return information unless this is a very new virus/trojan?

Thanks

I think it was Gmer that tipped me off to the invisible process (it certainly wasn't showing in Task Manager). I searched for the filename, made system files visible, erased it manually. The problems began, I seem to recall, after opening an archive identical to "C:\Program Files\eMule\Incoming\sorting\software pc 2007Jan\Asf-Avi-Rm-Wmv Repair v1.82 Crack Registration Code.zip/Crack/RepairVideo.exe -> Trojan.Small : Cleaned with backup (quarantined)." [Part of AVG log] Perhaps the offending .exe was installed by the Trojan.Small?

Sorry, I didn't save the Gmer log. I figured most of you (wonderful) helpers had gone on holidays, so I gathered what info I could and did what I could without waiting for advice.

pskelley
2007-01-04, 01:38
Looks like an attempt at something illegal to me?
Crack Registration Code.zip/Crack/

Pijuvwy
2007-01-04, 02:03
Thanks for those links - very interesting reading.

The hldrrr.exe still showed up in a fresh HJ log, but HJ could not delete it. I tried the tip about deleting on reboot, but the exe did not appear on the navigation window. I'm now installing Prevx.

Pijuvwy
2007-01-09, 03:03
I'm back - sort of. While cleaning up, something messed up my internet access. I thought it might have been because I erased Windows Messenger, but now I've re-installed Windows XP and I still can't access the internet. My ISP tech help ran thru stuff with me, but he couldn't get it working either - except in safe mode, which I am on now.

I'll have to get the Internet access working again, I suppose, before I can continue with cleaning up my spyware etc. Thanks again for your assistance.

At least now I CAN boot in safe mode, which I couldn't before the re-install. I know I've wiped a lot of malware with the cleaners you recommended, but I can't be sure at this stage whether they are all cleaned up until I post new logs for you.

The ISP tech suspects my connectivity problem may be due to anti-malware activity of some kind. Do you have any suggestions what I should un-install to try to get things working properly?

Pij

Pijuvwy
2007-01-09, 04:08
I un-installed Prevx and disabled all options within McAfee, though Mcshield and Mcproxy still show in the Task Manager. Upon re-start, I have proper internet connection again. One by one, I'll re-enable things incl Windows firewall.

Should I post a new hijackthis log now?

pskelley
2007-01-09, 04:10
I could not suggest anything without seeing a current HJT log. Last I heard from you, you were trying to run Prevx. Were you successful?

http://www.onecomputerguy.com/networking/troubleshoot_internet.htm
http://support.microsoft.com/kb/314095
http://pcpitstop.com/internet/

Here is a possible solution, but it is a use at your own risk tool:
http://www.snapfiles.com/get/winsockxpfix.html

Thanks

Pijuvwy
2007-01-09, 04:22
Hey, that's a fast reply! Timezones can have advantages, I suppose.

Yes, I ran prevx, as I recall, and yes I think it did find the hldrrr etc - but my internet problems started around that time too, so with trying to fix that and then re-installing Windows I can't keep events straight in my mind.

It looks very much as though prevx caused my internet connection problem. When I ran the uninstaller, Spybot Resident noted a "Browser Helper" change. I thought that might be related to why my browsers were not working, though pings worked, and auto-update type downloads were working. I don't think I'd like to try prevx again unless I really HAD to!

So, a new HJT log is called for? Okay, will do.

Pijuvwy
2007-01-09, 04:24
Logfile of HijackThis v1.99.1
Scan saved at 1:23:28 PM, on 9/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Battery miser\batterymiser.exe
C:\Program Files\On Screen Display\Hotkey.exe
C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\OV530EM.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
C:\Program Files\IP Operator\IPOperator.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\SiteAdvisor\4979\SAService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Anti Malware\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O2 - BHO: (no name) - {CE57DA55-F491-45C6-B3DB-6C98E4B17CDC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {7435856C-6CA1-45CF-A00D-82178387F223} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [batterymiser] C:\Program Files\Battery miser\batterymiser.exe
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ovt Wia] C:\WINDOWS\OV530EM.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IPOperator] "C:\Program Files\IP Operator\IPOperator.exe" -aUtOsTaRtFrOmReG
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: *Copy to Image Visual Photo++ Favorite* - C:\Program Files\Visual Photo++\image.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\4979\SAService.exe

pskelley
2007-01-11, 12:14
First let me apologize; for some reason I did not get the notification that you posted on 1/8. Looking at the HJT log now. As far as Prevx goes, I use it when I run into an especially tough item to remove. I have never heard of it causing an internet problem and even tested it on my computer for a while. I suppose anything is possible?

Logfile of HijackThis v1.99.1 Scan saved at 1:23:28 PM, on 9/01/2007

You can use HJT to remove these old Secretmaker lines
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - (no file)
O2 - BHO: (no name) - {CE57DA55-F491-45C6-B3DB-6C98E4B17CDC} - (no file)
O2 - BHO: (no name) - {CE57DA55-F491-45C6-B3DB-6C98E4B17CDC} - (no file)

You need an update on your Java program, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_06\<<< out of date, download the newest version and uninstall all old versions in Add Remove Programs.

That is all I see, let me know how you are running now.

Thanks

Pijuvwy
2007-01-11, 20:45
Thanks for the good news. I'll do the fixes suggested, of course, but it's nice to know the nasty stuff is all gone. As far as performance is concerned, my browser is no longer hijacked, thanks, etc.

I've got just 2 current issues, however. Firstly, my media players don't seem right - WMP especially - tries to download (unsuccessfully) codecs when I open media files which SHOULD play OK.

Second issue is a general sluggishness of performance. Even when there's just 1 application running, it behaves like several are running. Perhaps all those McAfee processes are slowing things down?

Thanks very much for your help.

pskelley
2007-01-11, 22:39
As far as McAfee goes, I use it myself and refused to allow the update, having seen how all of that stuff has been slowing others' computers. I will run VSO until the subscription is over and drop them myself. They are getting worse than Norton. In order to compensate you are going to need to maintain a spotless computer. Keep your maintenance current, and allow nothing to start that does not need to.
http://netsquirrel.com/msconfig/

Here are ideas that may help you to enhance performance:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html
http://www.techbuilder.org/recipes/59201471

"Firstly, my media players don't seem right - WMP especially - tries to download (unsuccessfully) codecs when I open media files which SHOULD play OK." Out of my area, I can suggest you uninstall the media player and install it again to see if that fixes the problem. You might also try System File Checker:
http://www.updatexp.com/scannow-sfc.html

You can also try a media player help forum:
http://www.google.com/search?hl=en&lr=&q=media+player+help+forum&btnG=Search

Safe surfing...Phil

Pijuvwy
2007-01-12, 11:12
I erased those 3 leftover bits of secretmaker (how did you know that's what they were?) - I assumed you meant
O3 - Toolbar: (no name) - {7435856C-6CA1-45CF-A00D-82178387F223} - (no file)
for the third one.

Also updated JRE as advised.

pskelley
2007-01-12, 12:45
Thanks for catching that error and yes, that's what I meant. The clipboard must not have cleared. CastleCops (http://www.castlecops.com/), which is a standard for so many of our lists, posts the CLSID lookup to the left in Security Central:
http://www.castlecops.com/CLSID.html

Thanks
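
The two pieces of advice above (remove the orphaned O2/O3 lines that end in "(no file)", and look up the CLSID of anything you are unsure about) can be turned into a small triage script for a HijackThis log. This is an added example written for this page, not code from the thread, from HijackThis or from CastleCops. The sample input is constructed: it is the O2/O3 lines quoted in the thread plus one healthy entry with a placeholder CLSID and path so that the filter has something to keep.

```python
"""Triage helpers for HijackThis O2 (BHO) and O3 (Toolbar) entries.

Added example for this page; not part of HijackThis. Flags entries whose DLL
is gone ("(no file)"), collapses duplicated lines, and collects the CLSIDs a
reader would paste into a CLSID lookup before deciding what to remove.
"""
import re
from collections import OrderedDict

# Constructed sample input: the O2/O3 lines quoted in the thread plus one
# healthy entry with a PLACEHOLDER CLSID and path (not a real component).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - (no file)
O2 - BHO: (no name) - {CE57DA55-F491-45C6-B3DB-6C98E4B17CDC} - (no file)
O2 - BHO: (no name) - {CE57DA55-F491-45C6-B3DB-6C98E4B17CDC} - (no file)
O2 - BHO: Placeholder Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Placeholder\helper.dll
O3 - Toolbar: (no name) - {7435856C-6CA1-45CF-A00D-82178387F223} - (no file)
"""

# HJT prints BHO (O2) and toolbar (O3) entries as:
#   O2 - BHO: <name> - {<CLSID>} - <dll path or "(no file)">
HJT_CLSID_LINE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>\w+): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - (?P<path>.*)$"
)


def parse_entry(line):
    """Return a dict for an O2/O3 line, or None for any other log line."""
    m = HJT_CLSID_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["clsid"] = entry["clsid"].upper()
    # "(no file)" means the registry still points at a DLL that no longer exists.
    entry["orphaned"] = entry["path"].strip().lower() == "(no file)"
    return entry


def orphaned_entries(log_text):
    """Unique O2/O3 entries whose DLL is gone, in first-seen order.

    Identical lines listed twice (as happened in this thread) collapse to one,
    so the count matches what HJT actually has to fix.
    """
    seen = OrderedDict()
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and e["orphaned"]:
            seen.setdefault(line.strip(), e)
    return list(seen.values())


def clsids_for_lookup(log_text):
    """Sorted unique CLSIDs of the orphaned entries, ready for a CLSID lookup."""
    return sorted({e["clsid"] for e in orphaned_entries(log_text)})


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(f'{e["section"]} {e["kind"]:<8} {{{e["clsid"]}}}  -> no file on disk, safe to fix with HJT')
    print("CLSIDs to look up:", clsids_for_lookup(SAMPLE_LOG))
```

Run against the constructed sample it reports three unique orphaned entries (the duplicated CE57DA55 line is counted once) and leaves the placeholder entry alone, since its DLL path is present. The orphaned check is deliberately narrow: an entry with a real path still needs the CLSID lookup and a look at the file before anyone decides it is unwanted.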

pskelley
2007-01-17, 15:24
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.