Hi everyone,

I'm trying to help a friend solve a low bandwidth problem with her computer. She tells me that browsing is very slow and that when she is downloading a file, it begins at a fast rate, but then drops so dramatically that she is forced to cancel the download. She is on a PC with an 802.11b wireless connection. There may be multiple reasons for this (such as with the wireless itself), but I was hoping get feedback on her HJT log file so I can begin eliminating potential causes.

Thanks,
Fernando


Here is her log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:45:45 AM, on 12/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LxrJD31s.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\winnt\system32\catroot\lsass.exe
C:\WINNT\system32\MSTask.exe
C:\winnt\system32\catroot\system.exe
C:\WINNT\system32\catroot\FireDaemon.exe
C:\winnt\system32\catroot\winlogon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\catroot\FireDaemon.exe
C:\winnt\system32\catroot\csrss.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINNT\system32\aspnet32\lsass.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~2\Ad-Watch.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINNT\system32\UMonit2k.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\plugins\GetFlash.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\David Bradford\Local Settings\Temp\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink

TotalAccess\PnEL.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink

TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [graphics64a] C:\WINNT\system32\aspnet32\lsass.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\UMonit2k.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: enableIPC.bat
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk =

C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) -

https://secure.stamps.com/download/us/registration/3_0_0_816/sdcregie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) -

https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. -

C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program

Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation -

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Security 78 (saveme32) - Sublime Solutions Pty Ltd - C:\winnt\system32\catroot\lsass.exe
O23 - Service: FireDaemon Service: sharonapple (sharonapple) - Sublime Solutions Pty Ltd -

C:\WINNT\system32\catroot\FireDaemon.exe
O23 - Service: FireDaemon Service: winmon6c1 (winmon6c1) - Sublime Solutions Pty Ltd -

C:\WINNT\system32\catroot\FireDaemon.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI

Adapter\WLService.exe" "WMP54Gv4.exe (file missing)

Before we dig in to the fix, please tell us if you knowingly installed (or know anything about) the "FireDaemon" program.

I don't know anything about the FireDaemon program, and after looking up some details about it, doubt the user would have installed it either.

I thought as much. FireDaemon is a Windows "service manager" application and in itself isn't malicious. However, it can be installed and (ab)used by malicious programs, which looks like the case here.

First:

C:\Documents and Settings\David Bradford\Local Settings\Temp\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often delete in the course of troubleshooting, by running disk clean-up utilities, etc.
Once you've moved HJT to a proper folder, please do the following:


You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Also disable Ad Aware's "Ad Watch" feature, as it may interfere with some of our fixes (you can re-enable it once the system is clean). Close the program after that.

- Open your anti-Virus program and use its update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.


3. Download and install the CCleaner utility, but don't run it yet.

4. Open the Services utility in your Administrative Tools control panel.
- In the list of services, locate the service named "Security 78" or "saveme32" and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK.
- Repeat the above for the FireDaemon services named "sharonapple" and "winmon6c1"
- Close the Services utility after that.

5. Run HijackTHis again, put a check mark next to the following entries, and then click the "Fix checked" button. Close HJT once it has finished performing its fixes:

O4 - HKLM\..\Run: [graphics64a] C:\WINNT\system32\aspnet32\lsass.exe
O23 - Service: Security 78 (saveme32) - Sublime Solutions Pty Ltd - C:\winnt\system32\catroot\lsass.exe
O23 - Service: FireDaemon Service: sharonapple (sharonapple) - Sublime Solutions Pty Ltd - C:\WINNT\system32\catroot\FireDaemon.exe
O23 - Service: FireDaemon Service: winmon6c1 (winmon6c1) - Sublime Solutions Pty Ltd - C:\WINNT\system32\catroot\FireDaemon.exe

6. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).


7. Run CCleaner. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.


8. Run SpyBot, ewido, AdAware, MS Antispyware beta, and your anti-virus program consecutively; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.


9. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Locate and delete the following files if found:

C:\WINNT\system32\aspnet32\lsass.exe
C:\winnt\system32\catroot\lsass.exe
C:\WINNT\system32\catroot\FireDaemon.exe
C:\winnt\system32\catroot\system.exe
C:\winnt\system32\catroot\winlogon.exe

C:\winnt\system32\catroot\csrss.exe


10. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the log that ewido generated.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.