HJT log - please evaluate

To whom it may concern:

I have completed the various recommended procedures for eliminating trojans/spyware/websearch, and now I would like you to view my hijackthis log to determine if I should take any further steps. I understand you are doing this on your own time, and will be quite grateful whenever you have some time to do this.

In general my computer seems much better now, however there is one thing that is still raising a flag. Ad-Watch SE Plus automatically loads when Windows 2000 starts up, and it immediately finds a "continuous stream" of Registry modification detected. The stream continues until I switch the program to "inactive."

Finally, I also ran Ad-Aware Plus SE and it did not find any threats...not to mention that I forgot to save the log file...therefore, the log is not attached.

Thank you kindly.
 
Hello and welcome to Techspot.

It appears you're running more than one antivirus programme. This is not recommended and can cause conflicts. Uninstall one of them ASAP.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with (if there):

rlsh
SpySheriff

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

j?vaw.exe
eatc.exe
SpySheriff.exe
winstall.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\tovlq.dll/sp.html#14044

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\tovlq.dll/sp.html#14044

O4 - HKCU\..\Run: [Xudcdklu] C:\WINNT\system32\j?vaw.exe

O4 - HKCU\..\Run: [Halt] "C:\Program Files\rlsh\eatc.exe" -vt wnew

O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = irvingindustries.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = irvingindustries.internal
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = irvingindustries.internal

Only fix the above O17 entries if you don't recognise the domain, or they don't belong to your ISP.

O21 - SSODL: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - (no file)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there):

C:\WINNT\tovlq.dll/sp.html#14044
C:\WINNT\system32\j?vaw.exe
C:\Program Files\SpySheriff (delete the entire folder)
C:\winstall.exe
C:\Program Files\rlsh\eatc.exe

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log as well as an AVG antispyware log and let me know how your system is running.

Regards Howard :wave: :wave:


This thread is for the use of pars17crabs only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

Edit: Forgot to add a file/folder for deletion, done now.
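As an added example (not part of this thread and not HijackThis's own logic), a small Python triage helper that parses HJT-style lines such as the ones listed in the post above and attaches review notes to each entry; the sample lines are copied from this post, and the flag heuristics (res:// search pages, an unprintable character in an autorun image name, an autorun image sitting in the drive root, an O17 domain to confirm, and "(no file)" orphans) are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Sample HJT lines copied from the post above (constructed input for this example).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\tovlq.dll/sp.html#14044
O4 - HKCU\..\Run: [Xudcdklu] C:\WINNT\system32\j?vaw.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = irvingindustries.internal
O21 - SSODL: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - (no file)
"""

@dataclass
class Entry:
    section: str              # HJT section code, e.g. "R1", "O4", "O17", "O21"
    body: str                 # everything after "<section> - "
    flags: list = field(default_factory=list)

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")   # "R1 - ...", "O17 - ..."

def triage(section: str, body: str) -> list:
    """Heuristic review notes for one entry (assumptions, not HJT's own rules)."""
    flags = []
    if section.startswith("R") and "res://" in body:
        flags.append("search/start page points at a local DLL resource")
    if section == "O4":
        image = re.sub(r"^.*?\] ", "", body)         # drop 'HKCU\..\Run: [name] '
        if "?" in image:                             # HJT prints unprintable chars as '?'
            flags.append("unprintable character in autorun image name")
        if re.match(r'"?[A-Za-z]:\\[^\\]+\.exe', image):
            flags.append("autorun image sits in the drive root")
    if section == "O17":
        domain = body.split("Domain = ")[-1]
        flags.append(f"DNS domain '{domain}': confirm it belongs to your ISP/employer")
    if "(no file)" in body:
        flags.append("orphaned entry, referenced file is missing")
    return flags

def parse_hjt(text: str) -> list:
    """Parse HJT-style log text into Entry objects with triage flags attached."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            section, body = m.groups()
            entries.append(Entry(section, body, triage(section, body)))
    return entries

if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        print(f"{e.section:4} {e.body}\n     -> {'; '.join(e.flags) or 'no notes'}")
```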
 
Much appreciated, Howard.

Your instructions seem straightforward, but I am running into a problem. I cannot enter safe mode under the normal account, only administrator. The computer in question is actually a co-worker's computer. Our tech support team here explained to me why I can only enter safe mode as an administrator, but I cannot remember the specifics. I also read the suggested tutorial (from bleepingcomputer), but that does not offer a solution.

Will this affect the rest of the procedure? Or do I need to find a way to boot into safe mode under the normal account?

Thank you
 
Try the instructions from normal mode and reboot the computer afterwards.

Let me know if you have any problems.

Regards Howard :)


Ps: I have added a further file for deletion. See my edit in my post above.
 
To save you a bit of typing time, I should let you know that I am running Windows 2000 here, so System Restore does not apply.

I followed the above instructions in normal mode, but I had trouble finding the processes/files/directories. Here is the list of processes on the computer; there are no matches with the ones you listed:

Ad-watch.exe
avgas.exe
ccApp.exe
ccEvtMgr.exe
ccSetMgr.exe
CSRSS.exe
Defwatch.exe
explorer.exe
firefox.exe
guard.exe
LSASS.exe
mstask.exe
qttask.exe
regsvc.exe
Rtvscan.exe
Savroam.exe
SERVICES.exe
SMSS.exe
spoolsv.exe
svchost.exe
svchost.exe
svchost.exe
System
System Idle Process
TASKMGR.exe
VPtray.exe
VTTimer.exe
w3dbsmgr.exe
winlogon.exe
WinMgmt.exe

As for the files/directories I am supposed to delete, I was unable to find any of them, but I did find 5 files/directories named "Spysheriff," and I deleted those. Hidden and System files/folders were definitely turned on.

Regarding the O17 entries in HJT, they belong to our ISP so I left them alone.

I have attached the new HJT log, but I believe it is identical to the previous one. I also attached the Ad Aware log.

The system appears to be running fine, with the exception of the previously mentioned AdWatch problem (infinite Registry Modifications).

Thank you.
 
Ok, it's time to get tough with these infections.

Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

Don't worry too much if you can't get into safe mode. Follow as many of the instructions as you can.

Regards Howard :wave: :wave:


 