Yet another Virtumonde.dll thread

S

Shadowcat

New member
Hi, I have this problem on my work pc and it keeps coming back every time I run Spybot-Search and Destroy. Causing login problems and Firefox to often be slow / not work at all for some pages... Any help is appreciated!

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:14:38, on 22/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
c:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec\SCS3\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec\SCS3\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Symantec\SCS3\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Symantec\SCS3\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec\SCS3\Symantec Client Firewall\SymSPort.exe
C:\WINNT\itlm\tlmagent.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Symantec\SCS3\SYMANT~2\VPTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\DSentry.exe
C:\WINNT\system32\DNHlp32.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.nokia.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.connecting.nokia.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.connecting.nokia.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.connecting.nokia.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NOKIA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxyconf/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SCS3\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [SwdisUsrPCN.4GBD01921] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env4GBD01921"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ee361ec4] rundll32.exe "C:\WINNT\system32\estufiyr.dll",b
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\system32\DSentry.exe
O4 - HKLM\..\Run: [DNHelper32] C:\WINNT\system32\DNHlp32.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [Profiler] C:\CONFIGS\PROFILER.CMD (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [Profiler] C:\CONFIGS\PROFILER.CMD (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Profiler] C:\CONFIGS\PROFILER.CMD (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Profiler] C:\CONFIGS\PROFILER.CMD (User 'Default user')
O4 - Global Startup: Update Nokia TermBanks.lnk = C:\Program Files\MOT\Update\TBUpdCli.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\system32\shdocvw.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://search.nokia.com
O14 - IERESET.INF: START_PAGE_URL=http://www.connecting.nokia.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.connecting.nokia.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NOE.Nokia.com
O17 - HKLM\Software\..\Telephony: DomainName = NOE.Nokia.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NOE.Nokia.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = noe.nokia.com,europe.nokia.com,ntc.nokia.com,nmp.nokia.com,americas.nokia.com,china.nokia.com,apac.nokia.com,research.nokia.com,nee.nokia.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = noe.nokia.com,europe.nokia.com,ntc.nokia.com,nmp.nokia.com,americas.nokia.com,china.nokia.com,apac.nokia.com,research.nokia.com,nee.nokia.com
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec\SCS3\Symantec AntiVirus\DefWatch.exe
O23 - Service: HTTP Poster Service (HTTP Poster) - Nokia - C:\WINNT\system32\HTTP_Poster.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec\SCS3\Symantec Client Firewall\ISSVC.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec\SCS3\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec\SCS3\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec\SCS3\Symantec Client Firewall\SymSPort.exe
O23 - Service: Tivoli License Mgr Agent - Unknown owner - C:\WINNT\itlm\tlmagent.exe

--
End of file - 9848 bytes
 
Last edited by a moderator:
Hi Shadowcat

Do you have permission from your IT service to ask help from here?
 
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.
 
You must log in or register to reply here.
Back
Top