Logfile of HijackThis v1.99.0
Scan saved at 21.43.47, on 24/01/2009
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Registration\ToshibaRegistration.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\V0400Mon.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Spybot – Search & Destroy\TeaTimer.exe
C:\Users\Vincenzo\AppData\Local\qswsgiu.exe
C:\Program Files\WIBUKEY\Server\WkSvMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\WgaTray.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 2\firefox.exe
C:\Users\Vincenzo\Desktop\HijackThis.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.msn.com
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 – URLSearchHook: P2P Max IT Toolbar – {d22b76bb-abbd-4eb6-9bbb-f387bf27f76b} – C:\Program Files\P2P_Max_IT\tbP2P_.dll
R3 – URLSearchHook: Softonic Italia Toolbar – {4edd5c14-2d22-4d7a-9748-c975a7fd933b} – C:\Program Files\Softonic_Italia\tbSoft.dll
O1 – Hosts: ::1 localhost
O2 – BHO: AcroIEHelperStub – {18DF081C-E8AD-4283-A596-FA578C2EBDC3} – C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 – BHO: Softonic Italia Toolbar – {4edd5c14-2d22-4d7a-9748-c975a7fd933b} – C:\Program Files\Softonic_Italia\tbSoft.dll
O2 – BHO: Spybot-S&D IE Protection – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 – BHO: Groove GFS Browser Helper – {72853161-30C5-4D22-B7F9-0BBC1D38A37E} – C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 – BHO: SSVHelper Class – {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} – C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 – BHO: (no name) – {7E853D72-626A-48EC-A868-BA8D5E23E045} – (no file)
O2 – BHO: Guida per l’accesso a Windows Live – {9030D464-4C02-4ABF-8ECC-5164760863C6} – C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 – BHO: P2P Max IT Toolbar – {d22b76bb-abbd-4eb6-9bbb-f387bf27f76b} – C:\Program Files\P2P_Max_IT\tbP2P_.dll
O3 – Toolbar: P2P Max IT Toolbar – {d22b76bb-abbd-4eb6-9bbb-f387bf27f76b} – C:\Program Files\P2P_Max_IT\tbP2P_.dll
O3 – Toolbar: Softonic Italia Toolbar – {4edd5c14-2d22-4d7a-9748-c975a7fd933b} – C:\Program Files\Softonic_Italia\tbSoft.dll
O4 – HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 – HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 – HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 – HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 – HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 – HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 – HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 – HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 – HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 – HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 – HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 – HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 – HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 – HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 – HKLM\..\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 – HKLM\..\Run: [V0400Mon.exe] C:\Windows\V0400Mon.exe
O4 – HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 – HKLM\..\Run: [C:\Windows\system32\V0400Cvw.dll] C:\Windows\system32\RegSvr32.exe /s C:\Windows\system32\V0400Cvw.dll
O4 – HKLM\..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 – HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 – HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 – HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 – HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 – HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 – HKCU\..\Run: [MsnMsgr] “C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe” /background
O4 – HKCU\..\Run: [Creative Live! Cam Manager] “C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe”
O4 – HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot – Search & Destroy\TeaTimer.exe
O4 – HKCU\..\Run: [qswsgiu] “c:\users\vincenzo\appdata\local\qswsgiu.exe” qswsgiu
O4 – Global Startup: Server di rete.lnk = C:\Program Files\WIBUKEY\Server\WkSvMgr.exe
O8 – Extra context menu item: E&sporta in Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 – Extra button: (no name) – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 – Extra ‘Tools’ menuitem: Sun Java Console – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 – Extra button: Inserisci blog – {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} – C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 – Extra ‘Tools’ menuitem: Inserisci &blog in Windows Live Writer – {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} – C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 – Extra button: Invia a OneNote – {2670000A-7350-4f3c-8081-5663EE0C6C49} – C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 – Extra ‘Tools’ menuitem: I&nvia a OneNote – {2670000A-7350-4f3c-8081-5663EE0C6C49} – C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 – Extra button: eBay – {C08CAF1D-C0A3-40D5-9970-06D067EAC017} – http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?IT (file missing)
O9 – Extra button: (no name) – {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 – Extra ‘Tools’ menuitem: Spybot – Search & Destroy Configuration – {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 – Options group: [INTERNATIONAL] International*
O13 – Gopher Prefix:
O16 – DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) – http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 – DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) – http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 – Protocol: grooveLocalGWS – {88FED34C-F0CA-4636-A375-3CB6248B04CD} – C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 – Protocol: livecall – {828030A1-22C1-4009-854F-8E305202313F} – C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 – Protocol: ms-help – {314111C7-A502-11D2-BBCA-00C04F8EC294} – C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 – Protocol: msnim – {828030A1-22C1-4009-854F-8E305202313F} – C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 – Protocol: wlmailhtml – {03C514A3-1EFB-4856-9F99-10D7BE1653C0} – C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 – Filter hijack: text/xml – {807563E5-5146-11D5-A672-00B0D022E945} – C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 – Service: Agere Modem Call Progress Audio – Agere Systems – C:\Windows\system32\agrsmsvc.exe
O23 – Service: avast! iAVS4 Control Service – ALWIL Software – C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 – Service: avast! Antivirus – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 – Service: avast! Mail Scanner – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 – Service: avast! Web Scanner – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 – Service: ConfigFree Service – TOSHIBA CORPORATION – C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 – Service: Symantec Lic NetConnect service – Unknown – C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 – Service: @%SystemRoot%\ehome\ehstart.dll,-101 – Unknown – %windir%\system32\svchost.exe (file missing)
O23 – Service: InstallDriver Table Manager – Macrovision Corporation – C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 – Service: NBService – Nero AG – C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 – Service: @%SystemRoot%\system32\qwave.dll,-1 – Unknown – %windir%\system32\svchost.exe (file missing)
O23 – Service: @%SystemRoot%\system32\seclogon.dll,-7001 – Unknown – %windir%\system32\svchost.exe (file missing)
O23 – Service: TOSHIBA Optical Disc Drive Service – TOSHIBA Corporation – C:\Windows\system32\TODDSrv.exe
O23 – Service: TOSHIBA Power Saver – TOSHIBA Corporation – C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 – Service: TOSHIBA Bluetooth Service – TOSHIBA CORPORATION – c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 – Service: Ulead Burning Helper – Ulead Systems, Inc. – C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 – Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 – Unknown – %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

when running spybot it spends hours going through “virtumonde” but does not list the files as problems to be solved at the end of the analysis.

does this mean that the virtumonde is benign or should I remove it anyway … ?

Thanks

Colin