[Cleokatrah]

Hello all you sexy brainiacs. I've done something stupid and contracted a virus I can't get rid of. I have run the following programs:
CC Cleaner
Registry Mechanic
Spybot
Adaware
ZoneAlarm scan

I did this over the course of 2 days, and virtumondo was found and repaired, supposedly. Also found were these two DLLs which were showing as harmful in my spyprotector scan. One was removed successfully, the other returns. I remove it with hijack and it automatically comes back. I try removing it with spy protector and I get an error message. It is interfering with both IE and Firefox, in that searching through google, yahoo, or dogpile is near impossible, and I cannot load your forums (hence my kind friend here is posting in my place).

I run Windows XP, with service pack 2
Here is my Hijack log and my last Registry Mechanic log (I don't have the first one, sorry; I've run it twice.), with the troublesome dll bolded.

Thank you so very much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:34 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess .exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\program files\Zone Labs\ZoneAlarm\zlclient.exe
C:\program files\Security Task Manager\SpyProtector.exe
C:\WINDOWS\system32\Rundll32.exe
C:\program files\Logitech\SetPoint\SetPoint.exe
C:\program files\common files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess .exe
C:\WINDOWS\system32\ZoneLabs\avsys\Monitor.exe
C:\WINDOWS\system32\winlogon.exe
C:\program files\Trillian\trillian.exe
C:\program files\Mozilla Firefox\firefox.exe
C:\program files\internet explorer\iexplore.exe
C:\program files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\opnNDvsr.dllO4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\program files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Spy Protector] C:\program files\Security Task Manager\SpyProtector.exe /autostart
O4 - HKLM\..\Run: [BM7b5485d2] Rundll32.exe "C:\WINDOWS\system32\cdonthrw.dll",s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\program files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: ActiveGS.cab - http://www.virtualap...rg/activegs.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/....I.cab55579.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co....side_web18.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/....y.cab55579.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10....s/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/....t.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi....?1189555271953
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi....?1189555264703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft....ree/asinst.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/....l.cab55579.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akama....l/SymDlBrg.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn....o.cab56649.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/....y.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: opnNDvsr - C:\WINDOWS\SYSTEM32\opnNDvsr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8035 bytes


----------------------------------------------------------------------------------------------------
Registry Mechanic 6.0.0.780
----------------------------------------------------------------------------------------------------
Engine: 2.0.0.560
----------------------------------------------------------------------------------------------------
Start of Scan
5/17/2008 5:20:39 PM

Your System Information :
CPU: Intel Pentium
IE: Internet Explorer 6.0.2900
MEMORY FREE: 576456
MEMORY TOTAL: 1048048
VIRTUAL FREE: 2014628
VIRTUAL TOTAL: 2097024
WINDOWS VER: Windows XP 5.1 (Build 2600)

----------------------------------------------------------------------------------------------------
Running processes: Process ID
----------------------------------------------------------------------------------------------------
[System Process] 0
System 4
smss.exe 444
csrss.exe 768
winlogon.exe 792
services.exe 836
lsass.exe 848
svchost.exe 1000
svchost.exe 1080
svchost.exe 1172
StyleXPService.exe 1200
svchost.exe 1228
vsmon.exe 1248
ScanningProcess.exe 1760
explorer.exe 1796
aawservice.exe 1824
mDNSResponder.exe 180
nvsvc32.exe 332
rundll32.exe 1356
zlclient.exe 1396
SpyProtector.exe 964
rundll32.exe 1416
SetPoint.exe 1652
KHALMNPR.EXE 1776
ScanningProcess.exe 264
Monitor.exe 280
TaskMan.exe 852
RegMech.exe 724
----------------------------------------------------------------------------------------------------
Sections Scanned:
----------------------------------------------------------------------------------------------------
PS - 1
Location: C:\System Volume Information\_restore{0D420F82-4F00-4A64-8304-299D22EEC3FA}\RP16\A0009133.lnk
Value : C:\Documents and Settings\Mysti\My Documents\EA Games\The Sims 2\Downloads\Simpe PNGs\##0x5f0b0164!body~stdMatBaseTextureName_txtr_ 1024x1024.png
Parsed : C:\Documents and Settings\Mysti\My Documents\EA Games\The Sims 2\Downloads\Simpe PNGs\##0x5f0b0164!body~stdMatBaseTextureName_txtr_ 1024x1024.png

PS - 2
Location: C:\System Volume Information\_restore{0D420F82-4F00-4A64-8304-299D22EEC3FA}\RP16\A0009134.lnk
Value : C:\Documents and Settings\Mysti\My Documents\EA Games\The Sims 2\Downloads\Simpe PNGs\##0x5f0b0164!body~stdMatBaseTextureName_txtr_ alpha_1024x1024.png
Parsed : C:\Documents and Settings\Mysti\My Documents\EA Games\The Sims 2\Downloads\Simpe PNGs\##0x5f0b0164!body~stdMatBaseTextureName_txtr_ alpha_1024x1024.png

PS - 3
Location: C:\System Volume Information\_restore{0D420F82-4F00-4A64-8304-299D22EEC3FA}\RP16\A0009135.lnk
Value : C:\Documents and Settings\Mysti\My Documents\EA Games\The Sims 2\Downloads\Simpe PNGs\##0x5f0b0164!body~stdMatNormalMapTextureName_ txtr_1024x1024.png
Parsed : C:\Documents and Settings\Mysti\My Documents\EA Games\The Sims 2\Downloads\Simpe PNGs\##0x5f0b0164!body~stdMatNormalMapTextureName_ txtr_1024x1024.png

PS - 4
Location: C:\System Volume Information\_restore{0D420F82-4F00-4A64-8304-299D22EEC3FA}\RP16\A0009136.lnk
Value : C:\Documents and Settings\Mysti\My Documents\EA Games\The Sims 2\Downloads\Simpe PNGs\##0x5f3f9db6!body~stdMatBaseTextureName_txtr_ 1024x1024.png
Parsed : C:\Documents and Settings\Mysti\My Documents\EA Games\The Sims 2\Downloads\Simpe PNGs\##0x5f3f9db6!body~stdMatBaseTextureName_txtr_ 1024x1024.png

PS - 5
Location: C:\System Volume Information\_restore{0D420F82-4F00-4A64-8304-299D22EEC3FA}\RP16\A0009140.lnk
Value : C:\Documents and Settings\Mysti\My Documents\EA Games\The Sims 2\Downloads\Simpe PNGs\##0x5fc356ed!body~stdMatBaseTextureName_txtr_ alpha_1024x1024.png
Parsed : C:\Documents and Settings\Mysti\My Documents\EA Games\The Sims 2\Downloads\Simpe PNGs\##0x5fc356ed!body~stdMatBaseTextureName_txtr_ alpha_1024x1024.png

PS - 6
Location: C:\System Volume Information\_restore{0D420F82-4F00-4A64-8304-299D22EEC3FA}\RP16\A0009157.lnk
Value : C:\Documents and Settings\Mysti\My Documents\EA Games\Tutorials\MTS2_JWoods_241365_TS2_Object_Crea tion_Tutorial_V2.1_(Milkshape)_-_UPD_22feb06_-_PART_1of2.rar
Parsed : C:\Documents and Settings\Mysti\My Documents\EA Games\Tutorials\MTS2_JWoods_241365_TS2_Object_Crea tion_Tutorial_V2.1_(Milkshape)_-_UPD_22feb06_-_PART_1of2.rar

PS - 7
Location: C:\System Volume Information\_restore{0D420F82-4F00-4A64-8304-299D22EEC3FA}\RP16\A0009158.lnk
Value : C:\Documents and Settings\Mysti\My Documents\EA Games\Tutorials\MTS2_JWoods_241367_TS2_Object_Crea tion_Tutorial_V2.1_(Milkshape)_-_UPD_22feb06_-_PART_2of2.rar
Parsed : C:\Documents and Settings\Mysti\My Documents\EA Games\Tutorials\MTS2_JWoods_241367_TS2_Object_Crea tion_Tutorial_V2.1_(Milkshape)_-_UPD_22feb06_-_PART_2of2.rar

CC - 8
Location: HKEY_CLASSES_ROOT\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}\1.0\0\win32
Value : (default) = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
Parsed : c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll

DEEP - 9
Location: HKEY_USERS\S-1-5-21-507921405-789336058-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517
Value : CachePath = %USERPROFILE%\Local Settings\History\History.IE5\MSHist012008051620080 517\
Parsed : c:\documents and settings\mysti\local settings\history\history.ie5\mshist012008051620080 517

DEEP - 10
Location: HKEY_CURRENT_USER\Software\Adobe\MediaBrowser\MRU\ Photoshop
Value : ApplicationPath = C:\program files\Adobe\Adobe
Parsed : c:\program files\adobe\adobe

----------------------------------------------------------------------------------------------------
Registry Mechanic 6.0.0.780
----------------------------------------------------------------------------------------------------

End of Scan
5/17/2008 5:21:52 PM

Your System Information :
CPU: Intel Pentium
IE: Internet Explorer 6.0.2900
MEMORY FREE: 564396
MEMORY TOTAL: 1048048
VIRTUAL FREE: 2006972
VIRTUAL TOTAL: 2097024
WINDOWS VER: Windows XP 5.1 (Build 2600)

[Advertisements]

Hello

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

[Rorschach112]

Hello

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

[Cleokatrah]

I love this forum, and that includes all you guys. Thank you so very much for your help and for offering this great service and vast amount of information to the public for free. I refer this place to everyone that I know!

However, because I couldn't load your site, and had to rely on whining to friends to check this thread for me, I also asked (whined) several people to find me some more tech forums, until I found one that I could see and load myself. So I reposted my problem there (with new/more details, sorry!) and am in the process of receiving their help. They are also having me run combofix (though without the recovery installed; should I be alarmed?) and if you want to see the thread's progression it is Here.

After the combofix, I was able to run searches and load your forum again (yay!).

Just so this is clarified, you guys are always my number one choice, and I reposted my problem in another forum because of access issues, not because I mind waiting. And remember that brainiacs are sexy ^_~

I do have a question before you close the thread, if you would be obliging:
Is ATF Cleaner recommended over CC Cleaner, or in tandem to it? Or is CC Cleaner no longer recommended?

Again, Thank You.

[Rorschach112]

Ah you are being helped over there by one of our helpers here. You are in good hands, don't worry. If you have posted at any other sites, please let them know you are being helped as it will save us time.

Is ATF Cleaner recommended over CC Cleaner,

Yes ATF is recommend over CCleaner. Personally you won't find many people here recommending CCleaner. ATF is really great.


JSntgRvr will take care of you over there. Best to ask him any more questions