my co-worker has infected your computer @ work...I have been able to get into the divice manager and find out that there is 5 viruses..when I turn on the comp, all I get is the wallpaper, no shortcuts, no tool bar @ the bottom...nothing. I tried to download another anti-virus program..it lets me download but not install it...Here is what HIJACK THIS is telling me what is running.....can anyone help...THX

hijackthis Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 9:59:26 PM, on 1/4/2080

Platform: windows XP sp3 (winNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal

Running processes:

C:\WINDOWs\system32\smss.exe C:\WINDOWs\system32\winlogon.exe C:\WINDOWs\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWs\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWs\system32\svchost.exe

c:\program Files\symantec\symantec Endpoint protection\smc.exe c:\program Files\common Files\symantec shared\ccSvcHst.exe C:\WINDOWs\system32\spoolsv.exe C:\WINDOWs\system32\taskmgr.exe C:\WINDOWS\system32\netmsg32.exe

c:\program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\imeshare32.exe C:\WINDOWS\system32\tcpsvcs.exe

C:\Program Files\Fighters\sfus.exe

c:\Program Files\Fighters\FighterSuiteService.exe C:\WINDOws\inetcommwow.exe

c:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

RO - HKCU\software\Microsoft\Internet Explorer\Main,start Page = http://www.google.caj

R1 - HKLM\software\Microsoft\Internet Explorer\Main,Default_page_uRL http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_search_URL http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\software\Microsoft\Internet Explorer\Main,search Page = http://go.microsoft.com/fwlink/?LinkId=54896

RO - HKLM\software\Microsoft\Internet Explorer\Main,start page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - uRLSearchHook: Elf 1.13 Toolbar - {b80f591e-fe9a-46cf-a13e-180377240586} Àc:\program Files\Elf_1.13\tbElf_.dll

F2 - REG:system.ini: userInit=C:\WINDOWS\system32\userinit.exe 02 - BHO: (no name) - {1331BOBA-6425-450F-B1E1-B469DFF197Bf} C:\WINDOWS\system32\atrace32.dll

02 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\common Files\Adobe\Acrobat\Activex\AcroIEHelpershim.dll

02 - BHO: Realplayer Download and Record plugin for Internet Explorer 8{3049c3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and settings\All users\Application Data\Real\Realplayer\BrowserRecordplugin\IE\rpbrowserrecordplugin.dll

02 - BHO: conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\program Files\ConduitEngine\conduitEngine.dll

02 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} ˆc:\program Files\Microsoft office\office12\GrooveshellExtensions.dll

02 - BHO: cc6af6c - {910253F6-A03D-85FO-684C-A76FBD54C1D2} HC:\WINDOWs\system32\kbdsw32.dll

02 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

02 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}  c:\program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.d11

02 - BHO: Elf 1.13 Toolbar - {b80f591e-fe9a-46cf-a13e-180377240586} - c:\program Files\Elf_1.13\tbElf_.dll

02 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program Files\Ask.com\GenericAskToolbar.dll

02 - BHO: Java(tm) plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} c:\Program Files\Java\jre6\bin\jp2ssv.dll

Page 1


02 - BHO: JQSIEStartDetectorlmpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} Hc:\program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

03 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) 03 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

03 - Toolbar: Elf 1.13 Toolbar - {b80f591e-fe9a-46cf-a13e-180377240586} - C:\Program Files\Elf_1.13\tbElf_.dll

03 - Toolbar: conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program Files\conduitEngine\conduitEngine.dll

03 - Toolbar: Frostwire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} Øc:\Program Files\Ask.com\GenericAskToolbar.dll

04 - HKLM\ .. \Run: [IMJ PMIG8 .1J "e: \WINDOWS\IME\ i mj p8_1 \IMJ PMIG. EXE" /spoi 1 /RemAdvDef /Migration32



04 - HKLM\ .. \Run: [GrooveMoni torJ "e: \program Fil es\Mi crosoft office\office12\GroOveMonitor.exe"

04 - HKLM\ .. \Run: [Googl e Qui ck Search BOxJ "e: \program Fi 1 eS\Googl e\Qui ck Search Box\GoogleQuicksearchBox.exe" /autorun

04 - HKLM\ .. \Run: [igfxtrayJ C:\WINDOWs\system32\igfxtray.exe 04 - HKLM\ .. \Run: [igfxhkcmdJ C:\WINDOWs\system32\hkcmd.exe 04 - HKLM\ .. \Run: [igfxpersJ C:\WINDOWs\system32\igfxpers.exe

04 - HKLM\ .. \Run: [Adobe Reader speed LauncherJ "c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

04 - HKLM\ .. \Run: [Adobe ARMJ "e:\program Files\common Fi 1 eS\Adobe\ARM\1. O\AdobeARM. exe"

04 - HKLM\ .. \Run: [TkBellExeJ "e:\program Files\common Files\Real\update_oB\realsched.exe" -osboot

04 - HKLM\ .. \Run: [QuickTime TaskJ "e:\program Files\QuickTime\qttask.exe" -atboottime

04 - HKLM\ .. \Run: [SunJavaupdateSchedJ "C:\Program Files\common Files\Java\Java update\jusched.exe"

04 - HKLM\ .. \Run: [CCAPpJ "e:\program Files\common Files\symantec shared\ccApp.exe" 04 - HKLM\ .. \Run: [sfagentJ c:\program Files\Fighters\sfagent.exe

04 - HKLM\ .. \Run: [ati2dvagwow.exeJ C:\WINDows\ati2dvagwow.exe

04 - HKLM\ .. \Run: [dsquerywow.exeJ C:\WINDOWs\dsquerywow.exe

04 - HKLM\ .. \Run: [igfxdowow.exeJ C:\WINDOWs\igfxdowow.exe

04 - HKLM\ .. \Run: [dgsetupwow.exeJ C:\WINDOws\dgsetupwow.exe

04 - HKLM\ .. \Run: [inetcommwow.exeJ C:\WINDows\inetcommwow.exe

04 - HKCU\ .. \Run: [ctfmon.exeJ C:\WINDOWS\system32\ctfmon.exe

04 - HKCU\ .. \Run: [swgJ "e: \prog ram Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

04 - HKLM\ .. \policies\Explorer\Run: [RTHDBPLJ C:\Documents and

Setti ngs\mark\Appli cation Data\syswin\lsass.exe

04 - startup: OneNote 2007 Screen clipper and Launcher.lnk = c:\Program Files\Microsoft office\office12\ONENOTEM.EXE

08 - Extra context menu item: E&xport to Microsoft Excel Àres://c:\PROGRA-1\MICROS-2\office12\ExCEL.EXE/3000

08 - Extra context menu item: Google sidewiki ... - res://c:\program Files\Google\Google

Tool bar\component\Googl eTool barDynami c_mui_en_60D60977 07281E79.dll/cmsidewiki .html 09 - Extra button: send to OneNote - {2670000A-7350-4f3c-8081-5663EEOC6C49} 8C:\PROGRA-1\MICROS-2\office12\ONBttnIE.dll

09 - Extra 'Tools' menuitem: S&end to OneNote `{2670000A-7350-4f3c-8081-5663EEOC6C49} - C:\PROGRA-1\MICROS-2\office12\oNBttnIE.dll 09 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file) 09 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file) 09 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} ˜C:\PROGRA-1\MICROS-2\office12\REFIEBAR.DLL

09 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} PC:\WINDowS\Network Diagnostic\xpnetdiag.exe

09 - Extra 'Tools' menuitem: @xpsp3res.dll ,-20001 èPage 2

hijackthis {e2e2dd38-d088-4l34-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe 09 - Extra button: Messenger - {FB5F19l0-FllO-lld2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe

09 - Extra 'Tools' menuitem: Windows Messenger 0{FB5F19l0-FllO-lld2-BB9E-00C04F795683} - c:\program Files\Messenger\msmsgs.exe 016 - DPF: {03F998B2-0EOO-llD3-A498-00l04B6EB52E} (MetaStreamctl class) Phttp://components.metastream.com/MTsInstallers/MetaStream3.cab

016 - DPF: {22945A69-ll9l-4DCF-9E6F-409BDE94DlOl} (EModelNonversionSpecificviewcontrol class) @http://www.3dpublisher.net/swservice/eDrawingsEnglish.cab

018 - Protocol: grooveLocalGws - {88FED34C-FOCA-4636-A375-3CB6248B04CD} - c:\program Files\Microsoft office\office12\Groovesystemservices.dll

020 - AppInit_DLLS: C:\WINDOWs\system32\kbdsw32.dll

022 - SharedTaskScheduler: Browseui preloader {438755C2-A8BA-llDl-B96B-00AOC903l2El} - C:\WINDOWs\system32\browseui .dll

022 - sharedTaskScheduler: component categories cache daemon {8C746lEF-2B13-lld2-BE35-3078302c2030} - C:\WINDOWs\system32\browseui .dll

023 - service: Atheros configuration service (ACS) - unknown owner ØC:\WINDOWs\system32\acs.exe (file missing)

023 - service: symantec Event Manager (CcEvtMgr) - symantec corporation - c:\Program Files\common Files\Symantec shared\ccsvcHst.exe

023 - service: symantec settings Manager (ccSetMgr) - symantec corporation Xc:\Program Files\common Files\symantec Shared\ccsvcHst.exe

023 - service: COM+ system Application (COMSysApp32) - CodeGear øC:\WINDOWs\system32\netmsg32.exe

023 - Service: Google software updater (gusvc) - unknown owner - c:\Program Files\Google\common\Google updater\Googleupdaterservice.exe (file missing)

023 - service: InstallDriver Table Manager (IDriverT) - Macrovision corporation àc:\program Files\common Files\Installshield\Driver\ll\Intel 32\IDriverT.exe

023 - Service: Java Quick Starter (JavaQuickstarterservice) - Sun Microsystems, Inc. - c:\program Files\Java\jre6\bin\jqs.exe

023 - Service: Jumpstart wifi protected setup (jswpsapi) - unknown owner àc:\program Files\NETGEAR\WNlllv2\jswpsapi.exe (file missing)

023 - service: Liveupdate - symantec corporation øC:\PROGRA~l\Symantec\LIvEUP~l\LUCOMS~l.EXE

023 - Service: Symantec Management Client (smcservice) - Symantec Corporation ¸c:\Program Files\symantec\symantec Endpoint protection\smc.exe

023 - service: sPAMfighter update Service - sPAMfighter ApS - c:\program Files\Fighters\sfus.exe

023 - service: Suite service - sPAMfighter ApS - c:\Program Files\Fighters\Fightersuiteservice.exe

023 - Service: Symantec Endpoint Protection (symantec Antivirus) - symantec corporation - c:\program Files\symantec\symantec Endpoint protection\Rtvscan.exe

6 Years
Discussion Span
Last Post by jholland1964

Rob, hi...
First, try this:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

Second: could you rerun Hijackthis please, but before posting, in Notepad uncheck Format > Wordwrap. Too many entries are on the one line otherwise, and it is thus difficult to scan.

Edited by gerbil: n/a


Hi gerbil..

The computer that is infected is the one @ work, using mine @ home right now. I tried to run Malaware, not letting me. I was only able to run Hijack this, print it @ work, scan and post here @ home. I am not able to run any program that will do a virus check @ work. I'm thinking that if anyone is able to see something in Hijackthis file that doesn't belong I might be able to run a scan.


There is plenty in Hijackthis... :( Some of it I cannot be sure about, so... two sections:
The first, to me, are unnecessary ..er... baggage. I would uninstall if possible, and ensure these folders are deleted:
c:\program Files\Ask.com\
c:\program Files\Elf_1.13\
C:\Program Files\Fighters\
and these are fixed:
02 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program Files\Ask.com\GenericAskToolbar.dll
03 - Toolbar: Frostwire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} Øc:\Program Files\Ask.com\GenericAskToolbar.dll
02 - BHO: Elf 1.13 Toolbar - {b80f591e-fe9a-46cf-a13e-180377240586} - c:\program Files\Elf_1.13\tbElf_.dll
03 - Toolbar: Elf 1.13 Toolbar - {b80f591e-fe9a-46cf-a13e-180377240586} - C:\Program Files\Elf_1.13\tbElf_.dll
R3 - uRLSearchHook: Elf 1.13 Toolbar - {b80f591e-fe9a-46cf-a13e-180377240586} c:\program Files\Elf_1.13\tbElf_.dll
04 - HKLM\ .. \Run: [Googl e Qui ck Search BOxJ "e: \program Fi 1 eS\Googl e\Qui ck Search Box\GoogleQuicksearchBox.exe" /autorun
04 - HKLM\ .. \Run: [sfagentJ c:\program Files\Fighters\sfagent.exe
Anyway, your choice on those.
These must be fixed, they are your problem:
F2 - REG:system.ini: userInit=C:\WINDOWS\system32\userinit.exe
02 - BHO: (no name) - {1331BOBA-6425-450F-B1E1-B469DFF197Bf} C:\WINDOWS\system32\atrace32.dll
02 - BHO: cc6af6c - {910253F6-A03D-85FO-684C-A76FBD54C1D2} C:\WINDOWs\system32\kbdsw32.dll
02 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
03 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
03 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
04 - HKLM\ .. \Run: [TkBellExeJ "e:\program Files\common Files\Real\update_oB\realsched.exe" -osboot
04 - HKLM\ .. \Run: [ati2dvagwow.exeJ C:\WINDows\ati2dvagwow.exe
04 - HKLM\ .. \Run: [ati2dvagwow.exeJ C:\WINDows\ati2dvagwow.exe
04 - HKLM\ .. \Run: [dsquerywow.exeJ C:\WINDOWs\dsquerywow.exe
04 - HKLM\ .. \Run: [igfxdowow.exeJ C:\WINDOWs\igfxdowow.exe
04 - HKLM\ .. \Run: [dgsetupwow.exeJ C:\WINDOws\dgsetupwow.exe
04 - HKLM\ .. \Run: [inetcommwow.exeJ C:\WINDows\inetcommwow.exe
04 - HKLM\ .. \policies\Explorer\Run: [RTHDBPLJ C:\Documents and Settings\mark\Application Data\syswin\lsass.exe
020 - AppInit_DLLS: C:\WINDOWs\system32\kbdsw32.dll
and these must be deleted:
C:\Documents and Settings\mark\Application Data\syswin\lsass.exe

Good luck. Rerun hijackthis, and ensure that notepad is set correctly this time. My brain hurts...

Edited by gerbil: n/a


Good heavens! This is a WORK computer? This person should be fired, but that is not my business I guess. Can you boot the computer using Safe Mode with networking? If so try using that to do these steps. If you cannot do that then these rkill files can be downloaded to a flash drive and put onto the infected computer from there. If you have to use a flash drive then download all copies onto it but try them one at a time. You only need to get one of them to work but once it works DON'T reboot the computer because the infection processes will begin again. So get them stopped using the directions below and then run MBA-M

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

* * Double-click on the Rkill desktop icon to run the tool.

* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know

Once rkill does stop the running process then attempt to update MBA-M and run a Full Scan with it. Have it Remove Everything found and then reboot the computer.

Post back here with the MBA-M log.
There WILL be multiple other steps so be prepared after posting that log to receive other instructions.

Edited by jholland1964: n/a


But..............he may have written it like this: My co-worker is an idiot :D

Edited by crunchie: n/a


I would like to thank everyone that has posted a reply, but I am not going to attempt to fix the computer anymore. On wednesday my co-worker confrimed that he is an idiot. Knowing what I was tring to do and that it would take a couple of days, he decided to take out the inturnal battery. The guy didn't even know how to reset the day & time. So now the system won't start up and is stuck in a loop. I have washed my hands and informed the G.M. Again...thank you all and I will make sure that this co-worker dosen't go near MY work computer..



Oh my word!!! Well you can at least be thankful that it wasn't YOUR computer! Since you HAVE informed your GM about this, you might also tell the GM this person was using the BUSINESS computer to do P2P file sharing and very likely the reason it is infected. This is evident from the listing for Frostwire in the logs. So it is also likely these were illegal, according to the copyright laws, downloads.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.