HJT log - please evaluate

By pars17crabs
Oct 26, 2006
  1. To whom it may concern:

    I have completed the various recommended procedures for eliminating trojans/spyware/websearch, and now I would like you to view my hijackthis log to determine if I should take any further steps. I understand you are doing this on your own time, and will be quite grateful whenever you have some time to do this.

    In general my computer seems much better now, however there is one thing that is still raising a flag. Ad-Watch SE Plus automatically loads when Windows 2000 starts up, and it immediately finds a "continuous stream" of Registry modification detected. The stream continues until I switch the program to "inactive."

    Finally, I also ran Ad-Aware Plus SE and it did not find any threats...not to mention that I forgot to save the log file...therefore, the log is not attached.

    Thank you kindly.
  2. howard_hopkinso

    Hello and welcome to Techspot.

    It appears you're running more than one antivirus programme. This is not recommended and can cause conflicts. Uninstall one of them ASAP.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore. (XP/ME only) See how here.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).


    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).


    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\tovlq.dll/sp.html#14044

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\tovlq.dll/sp.html#14044

    O4 - HKCU\..\Run: [Xudcdklu] C:\WINNT\system32\j?vaw.exe

    O4 - HKCU\..\Run: [Halt] "C:\Program Files\rlsh\eatc.exe" -vt wnew

    O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = irvingindustries.internal
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = irvingindustries.internal
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = irvingindustries.internal

    Only fix the above O17 entries if you don't recognise the domain, or they don't belong to your ISP.

    O21 - SSODL: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - (no file)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\SpySheriff <Delete the entire folder.
    C:\Program Files\rlsh\eatc.exe

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log as well as an AVG antispyware log and let me know how your system is running.

    Regards Howard :wave: :wave:

    This thread is for the use of pars17crabs only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

    Edit: Forgot to add a file/folder for deletion, done now.
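Howard's fix list above is a manual triage of four HijackThis entry types: R1 search-page redirects, O4 Run keys, O17 TCP/IP domain settings and an O21 SSODL entry. As an added example, not part of this thread and not HijackThis's own code, the Python script below applies the same mechanical checks to those log lines, plus one constructed benign HKLM Run entry (SoundMan) so the rules have something to leave alone. It flags an R1 target inside a res:// DLL, a Run executable whose name contains a '?' (which is not a legal character in a Windows file name, so HijackThis printed it in place of a character it could not display; the file on disk is not literally called j?vaw.exe, which is one reason a search by that name finds nothing), a program launched from the drive root, an SSODL CLSID with "(no file)" behind it, and an O17 domain that is not on a caller-supplied trusted list. The rogue-name set holds only SpySheriff, taken from the fix list above. It deliberately does not flag eatc.exe: nothing mechanical about that line is wrong, and it only stands out to a reviewer who does not recognise the rlsh directory, which is why the human review in the thread still matters.

```python
import re
from dataclasses import dataclass, field

# HijackThis entries copied from the thread's log, plus one constructed
# benign HKLM Run entry (SoundMan) so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\tovlq.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\tovlq.dll/sp.html#14044
O4 - HKCU\..\Run: [Xudcdklu] C:\WINNT\system32\j?vaw.exe
O4 - HKCU\..\Run: [Halt] "C:\Program Files\rlsh\eatc.exe" -vt wnew
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = irvingindustries.internal
O21 - SSODL: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - (no file)
"""

# Rogue "antispyware" names. Only the one named in this thread's fix list is
# known here; extend it from your own intelligence.
KNOWN_ROGUE = {"spysheriff"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DOMAIN_RE = re.compile(r"Domain = (?P<domain>\S+)")


@dataclass
class Finding:
    kind: str
    line: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def exe_from_command(cmd: str) -> str:
    """Return the executable path from a Run value, handling quoted paths
    and unquoted paths that contain spaces (paths under Program Files)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_run(body: str) -> list:
    """Mechanical checks on one O4 (Run key) entry."""
    reasons = []
    m = RUN_RE.search(body)
    if not m:
        return reasons
    exe = exe_from_command(m.group("cmd"))
    base = exe.rsplit("\\", 1)[-1]
    # '?' cannot appear in a Windows file name, so HJT printed it in place of
    # a character it could not render: the real name is disguised.
    if any(c == "?" or ord(c) > 127 for c in base):
        reasons.append("executable name contains an unrenderable or non-ASCII character")
    if re.fullmatch(r"[A-Za-z]:\\[^\\]+", exe):
        reasons.append("program launched from the drive root")
    if base.lower().rsplit(".", 1)[0] in KNOWN_ROGUE:
        reasons.append("known rogue antispyware name")
    return reasons


def triage(log_text: str, trusted_domains=frozenset()) -> list:
    """Classify each HJT entry and attach the reasons it should be fixed."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        f = Finding(kind, raw.strip())
        if kind.startswith("R") and "res://" in body:
            f.reasons.append("IE search/start page redirected into a local res:// DLL")
        elif kind == "O4":
            f.reasons.extend(check_run(body))
        elif kind == "O17":
            d = DOMAIN_RE.search(body)
            if d and d.group("domain").lower() not in trusted_domains:
                f.reasons.append("TCP/IP domain not on the trusted list; confirm with the ISP/admin")
        elif kind == "O21" and "(no file)" in body:
            f.reasons.append("SSODL CLSID with no backing file")
        findings.append(f)
    return findings


def fix_list(findings) -> list:
    """The entries to tick in HJT's 'fix checked' dialog."""
    return [f.line for f in findings if f.suspicious]


if __name__ == "__main__":
    # Pass the domain the ISP/admin has confirmed, as Howard asks the poster to do.
    for f in triage(SAMPLE_LOG, trusted_domains={"irvingindustries.internal"}):
        flag = "FIX " if f.suspicious else "ok  "
        print(flag, f.line, "; ".join(f.reasons))
```

Run with no trusted domains and the O17 line is listed for confirmation; pass the domain the ISP or admin vouches for and it drops out, leaving the two R1 lines, three of the four O4 lines and the O21 line, which is the same set Howard asks to have ticked apart from eatc.exe.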
  3. pars17crabs

    Much appreciated, Howard.

    Your instructions seem straightforward, but I am running into a problem. I cannot enter safe mode under the normal account, only administrator. The computer in question is actually a co-worker's computer. Our tech support team here explained to me why I can only enter safe mode as an administrator, but I cannot remember the specifics. I also read the suggested tutorial (from bleepingcomputer), but that does not offer a solution.

    Will this affect the rest of the procedure? Or do I need to find a way to boot into safe mode under the normal account?

    Thank you
  4. howard_hopkinso

    Try the instructions from normal mode and reboot the computer afterwards.

    Let me know if you have any problems.

    Regards Howard :)

    This thread is for the use of pars17crabs only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

    Ps: I have added a further file for deletion. See my edit in my post above.
  5. pars17crabs

    To save you a bit of typing time, I should let you know that I am running Windows 2000 here, so System Restore does not apply.

    I followed the above instructions in normal mode, but I had trouble finding the processes/files/directories. Here is the list of processes on the computer; there are no matches with the ones you listed:

    System Idle Process

    As for the files/directories I am supposed to delete, I was unable to find any of them, but I did find 5 files/directories named "Spysheriff," and I deleted those. Hidden and System files/folders were definitely turned on.

    Regarding the O17 entries in HJT, they belong to our ISP so I left them alone.

    I have attached the new HJT log, but I believe it is identical to the previous one. I also attached the Ad Aware log.

    The system appears to be running fine, with the exception of previously mentioned AdWatch problem (infinite Registry Modifications).

    Thank you.
  6. howard_hopkinso

    Ok, it's time to get tough with these infections.

    Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Don't worry too much if you can't get into safe mode. Follow as many of the instructions as you can.

    Regards Howard :wave: :wave:

    This thread is for the use of pars17crabs only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.