Need help with HJT log
Join Date: Dec 2005
Posts: 2
Hi everyone,
I'm trying to help a friend solve a low bandwidth problem with her computer. She tells me that browsing is very slow and that when she is downloading a file, it begins at a fast rate, but then drops so dramatically that she is forced to cancel the download. She is on a PC with an 802.11b wireless connection. There may be multiple reasons for this (such as with the wireless itself), but I was hoping to get feedback on her HJT log file so I can begin eliminating potential causes.
Thanks,
Fernando
Here is her log file:
Logfile of HijackThis v1.99.1
Scan saved at 11:45:45 AM, on 12/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LxrJD31s.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\winnt\system32\catroot\lsass.exe
C:\WINNT\system32\MSTask.exe
C:\winnt\system32\catroot\system.exe
C:\WINNT\system32\catroot\FireDaemon.exe
C:\winnt\system32\catroot\winlogon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\catroot\FireDaemon.exe
C:\winnt\system32\catroot\csrss.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINNT\system32\aspnet32\lsass.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~2\Ad-Watch.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINNT\system32\UMonit2k.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\plugins\GetFlash.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\David Bradford\Local Settings\Temp\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [graphics64a] C:\WINNT\system32\aspnet32\lsass.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\UMonit2k.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: enableIPC.bat
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...6/sdcregie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin...ndows-i586.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Security 78 (saveme32) - Sublime Solutions Pty Ltd - C:\winnt\system32\catroot\lsass.exe
O23 - Service: FireDaemon Service: sharonapple (sharonapple) - Sublime Solutions Pty Ltd - C:\WINNT\system32\catroot\FireDaemon.exe
O23 - Service: FireDaemon Service: winmon6c1 (winmon6c1) - Sublime Solutions Pty Ltd - C:\WINNT\system32\catroot\FireDaemon.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe" "WMP54Gv4.exe (file missing)
Before we dig in to the fix, please tell us if you knowingly installed (or know anything about) the "FireDaemon" program.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
I thought as much. FireDaemon is a Windows "service manager" application and in itself isn't malicious. However, it can be installed and (ab)used by malicious programs, which looks like the case here.
First:
C:\Documents and Settings\David Bradford\Local Settings\Temp\HijackThis.exe
The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:
Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that: temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.
Once you've moved HJT to a proper folder, please do the following:
You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.
1. Download and install these utilities (but do not run scans with them yet):
ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
SpyBot Search & Destroy - http://www.safer-networking.org/
- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.
- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.
- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.
- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Also disable Ad Aware's "Ad Watch" feature, as it may interfere with some of our fixes (you can re-enable it once the system is clean). Close the program after that.
- Open your anti-Virus program and use its update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.
3. Download and install the CCleaner utility, but don't run it yet.
4. Open the Services utility in your Administrative Tools control panel.
- In the list of services, locate the service named "Security 78" or "saveme32" and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK.
- Repeat the above for the FireDaemon services named "sharonapple" and "winmon6c1".
- Close the Services utility after that.
5. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button. Close HJT once it has finished performing its fixes:
O4 - HKLM\..\Run: [graphics64a] C:\WINNT\system32\aspnet32\lsass.exe
O23 - Service: Security 78 (saveme32) - Sublime Solutions Pty Ltd - C:\winnt\system32\catroot\lsass.exe
O23 - Service: FireDaemon Service: sharonapple (sharonapple) - Sublime Solutions Pty Ltd - C:\WINNT\system32\catroot\FireDaemon.exe
O23 - Service: FireDaemon Service: winmon6c1 (winmon6c1) - Sublime Solutions Pty Ltd - C:\WINNT\system32\catroot\FireDaemon.exe
6. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).
7. Run CCleaner. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.
8. Run SpyBot, ewido, AdAware, MS Antispyware beta, and your anti-virus program consecutively; have the programs fix all malicious items they find.
When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.
9. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Locate and delete the following files if found:
C:\WINNT\system32\aspnet32\lsass.exe
C:\winnt\system32\catroot\lsass.exe
C:\WINNT\system32\catroot\FireDaemon.exe
C:\winnt\system32\catroot\system.exe
C:\winnt\system32\catroot\winlogon.exe
C:\winnt\system32\catroot\csrss.exe
10. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the log that ewido generated.
Last edited by DMR; Dec 12th, 2005 at 3:59 pm.
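As an added example (not code from this thread, from HijackThis, or from DMR), the following Python script automates the checks applied to the log above: core Windows process names running from somewhere other than the system directory itself (the catroot\ and aspnet32\ copies of lsass.exe, winlogon.exe and csrss.exe), a system.exe binary (the real System process has no executable), and O23 services wrapped by FireDaemon. The sample input is a shortened excerpt of the log posted in this thread; the legitimate-directory list is an assumption for Windows 2000/XP paths.

```python
import re

# Core Windows process names that must only run from the system directory itself,
# never from a sub-folder like catroot\ or aspnet32\; system.exe has no real binary.
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "system.exe"}
# Assumed legitimate homes for those binaries on Windows 2000 / XP (compared lower-case).
LEGIT_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run): \[(.+?)\] (.+)$")
SECTION_RE = re.compile(r"^[RFNO]\d+ - ")  # any HJT entry line ends the process list

def check_process(path):
    """Return a reason if a running-process path looks suspicious, else None."""
    directory, _, name = path.strip().lower().rpartition("\\")
    if name == "system.exe":
        return "system.exe is never a legitimate Windows binary"
    if name in CORE_NAMES and directory not in LEGIT_DIRS:
        return f"core process name {name} running from outside the system directory"
    return None

def binary_path(cmd):
    """Best-effort executable path from an autorun or service command line."""
    m = re.match(r'"?(.+?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.strip().strip('"').split()[0]

def check_entry(line):
    """Apply the path test to O4 autoruns and O23 services; flag FireDaemon wrappers."""
    m = O23_RE.match(line)
    if m:
        svc, _owner, binary = m.groups()
        if "firedaemon" in binary.lower():
            return (f"service '{svc}' is wrapped by FireDaemon, a service manager "
                    "that malware installs to keep itself resident")
        reason = check_process(binary_path(binary))
        return f"service '{svc}': {reason}" if reason else None
    m = O4_RE.match(line)
    if m:
        key, name, cmd = m.groups()
        reason = check_process(binary_path(cmd))
        return f"autorun [{name}] under {key}: {reason}" if reason else None
    return None

def scan_log(text):
    """Walk an HJT log and return (line, reason) pairs for suspicious lines."""
    findings, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if SECTION_RE.match(line):
            in_procs = False
            reason = check_entry(line)
        else:
            reason = check_process(line) if in_procs else None
        if reason:
            findings.append((line, reason))
    return findings

# Excerpt of the log posted in this thread (shortened; not a complete HJT log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\system32\lsass.exe
C:\winnt\system32\catroot\lsass.exe
C:\winnt\system32\catroot\system.exe
C:\winnt\system32\catroot\winlogon.exe
C:\WINNT\system32\aspnet32\lsass.exe
O4 - HKLM\..\Run: [graphics64a] C:\WINNT\system32\aspnet32\lsass.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Security 78 (saveme32) - Sublime Solutions Pty Ltd - C:\winnt\system32\catroot\lsass.exe
O23 - Service: FireDaemon Service: sharonapple (sharonapple) - Sublime Solutions Pty Ltd - C:\WINNT\system32\catroot\FireDaemon.exe
"""
```

Calling scan_log(SAMPLE_LOG) returns the seven entries DMR singled out for removal and leaves the genuine system32\lsass.exe and the Symantec service untouched.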