Can't delete a trojan horse.

Discussion in 'Trojan Defence Suite' started by jat35us, May 29, 2004.

Thread Status:
Not open for further replies.
  1. jat35us

    jat35us Registered Member

    Joined:
    May 29, 2004
    Posts:
    6
    I have used several different antiviruses and still can't delete this trojan. I have run SpyBot S&D, then ran the HijackThis program. The trojan file is in my Windows dir; it's sachost.exe. I also found an antivirus software that detected it and it said it was trojanspy.win32.tofger.al. Thanks

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
    C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\FRU\Remind32.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Documents and Settings\Jerry\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
    O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
    O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s
    O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRA~1\SPYWAR~3\Spyware-Cop.exe" /s
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\FRU\Remind32.exe
    O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196a.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2828b0067f2fcf2f3c01/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38066.943900463
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
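As an added example (not from this thread, and not part of HijackThis, TDS or any DiamondCS tool), the script below runs a small triage pass over HijackThis-style log lines like the ones posted above. It flags two things the thread turns on: an O4 Run entry that launches an executable directly from the Windows root directory under a name one keystroke away from a real system binary (sachost.exe versus svchost.exe), and an R1 proxy setting that routes the browser through localhost, which means some local process sits between the browser and the network. The list of system binaries and the allowlist of files that legitimately live in the Windows root are constructed, deliberately short, and meant to be extended; the sample lines are copied from the log above.

```python
"""Triage heuristics for HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed, deliberately short list of Windows system executables whose
# names malware likes to imitate. Extend for real use.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "smss.exe", "winlogon.exe",
                   "services.exe", "csrss.exe", "explorer.exe", "spoolsv.exe"}

# Constructed allowlist: files that legitimately sit directly in the Windows
# root on XP-era systems, so their presence there is not by itself a finding.
WINROOT_LEGIT = {"explorer.exe"}

# O4 Run entries: "O4 - HKLM\..\Run: [Display Name] C:\path\prog.exe /args"
_O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# R1 proxy entries: "R1 - HKCU\...\Internet Settings,ProxyServer = host:port"
_R1_RE = re.compile(r'^R1 - .*ProxyServer = (?P<proxy>.*)$')
# A command whose executable lives directly under X:\WINDOWS\ (no subdirectory).
_WINROOT_RE = re.compile(r'^"?([A-Za-z]:\\windows\\)([^\\"]+\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to spot look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def close_to_system_binary(basename: str):
    """Return the system binary a file name is one edit away from, else None."""
    b = basename.lower()
    for sysbin in SYSTEM_BINARIES:
        if b != sysbin and levenshtein(b, sysbin) == 1:
            return sysbin
    return None


def triage(lines):
    """Scan log lines and return a list of Finding objects worth a closer look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = _O4_RE.match(line)
        if m:
            w = _WINROOT_RE.match(m.group("cmd"))
            if not w or w.group(2).lower() in WINROOT_LEGIT:
                continue
            reasons = ["Run entry launches an executable from the Windows root directory"]
            sysbin = close_to_system_binary(w.group(2))
            if sysbin:
                reasons.append(f"file name {w.group(2)} is one edit away from system binary {sysbin}")
            findings.append(Finding(line, "; ".join(reasons)))
            continue
        m = _R1_RE.match(line)
        if m and re.search(r"(localhost|127\.0\.0\.1)", m.group("proxy"), re.IGNORECASE):
            findings.append(Finding(line, "browser proxy points at the local machine: "
                                          "a local process is relaying web traffic"))
    return findings


# Sample input: four lines copied from the HijackThis log in the thread above.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080",
    r"O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP",
    r"O4 - HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe",
    r'O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"FLAG: {f.line}\n      {f.reason}")
```

Running it over the sample prints two findings: the localhost proxy line and the sachost.exe Run entry, with the latter annotated as a look-alike of svchost.exe. The AVG and Kaspersky entries pass because they point into Program Files. The heuristics are a starting point for reading a log, not a verdict: an entry that passes still deserves the file-submission and full-scan steps recommended later in the thread.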
  2. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, jat35us

    Welcome to Wilders Security Forums.

    Best post over in Hijack Cleaning:-
    Adware, Spyware & Hijack Cleaning

    Take Care,
    TheQuest :cool:
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello there and welcome to the forum!
    I see your new thread is there where the HijackThis experts will take care of it.
    https://www.wilderssecurity.com/showthread.php?p=186462#post186462
    We could have moved your thread to that location, to spare you reposting :)
    Which scanner found your trojan?
    Could you please be so kind as to locate the trojan on your system, zip it and submit it to submit@diamondcs.com.au, as we always advise to do with all suspicious files?
    You might have to close your scanner temporarily to be able to get that file for zipping.

    Do you also use TDS for a full system scan?
    If not, get it at www.diamondcs.com.au, install, reboot, go back to that download page for the latest Radius update, start TDS, and do a full system scan with all other scanners completely closed and unnecessary programs closed; you might like to get a coffee as it can take a while.
    If you get any alerts in the bottom console in the end, please right-click on one of them and choose "save to text" and the scandump.txt will show up for you; be so kind as to paste those finds in your next posting before you close that window, so we can tell you what to do with the files.
     
  4. _0__0_

    _0__0_ Guest

    Why can't you disable/delete this registry entry ...

    HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe

    and delete the following file (after! having it sent to DCS)

    C:\WINDOWS\sachost.exe

    ?
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Let's see what the forum experts in the HijackThis forum make of it; before that I never comment on the HJT log, as I'm no expert in that field.
     
  6. jat35us

    jat35us Registered Member

    Joined:
    May 29, 2004
    Posts:
    6
    Hi All,

    There are two antiviruses that found it. AVG found it, but the other one identified it better: "Kaspersky Anti-Virus Personal". I will try to zip the file if I can.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yes please do if you can! Thanks in advance!
    Did you also install TDS to try with that too?
    KAV and TDS work very fine together, and add to the layered protection on your system!

    A description of tofger:
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.tofger.html
    But as there are many versions by now this URL doesn't give all the current info for your file, but it gives some ideas what you're dealing with.
    As it's a keylogger as well, among other things, I guess you will like to make sure there is no connection with it; so besides TDS (if you like) also get Port Explorer, so you can see if there is unwelcome traffic, with which application, where on your system and to which outside location, while you can kill it instantly (the traffic of that application).
    Depending on the finds and advice in the HJT forum and the cleansing, you might have to change all your passwords etc., but awaiting the HJT results first.
     
  8. jat35us

    jat35us Registered Member

    Joined:
    May 29, 2004
    Posts:
    6
    Well, I downloaded the TDS file, but now my computer keeps restarting, and I can't do anything. I guess I will have to just wipe the system out and reload everything. I do thank you for all the help. I will wait to do this if you have any suggestions on what I can do to avoid having to do that.

    Thanks again.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That doesn't sound good at all!
    Are you able to get into safe mode (press F8 during startup a few times) and uninstall TDS?
    Something must have gone really wrong here!
    How far did you get with the HijackThis cleansing?
    I see only the thread where they're waiting for your complete HijackThis log (check all options to scan that make the log, so your version and system info are also included in the log).


    If you installed TDS, did you make sure all other antivirus was completely closed? And after installing TDS did you reboot?

    Did you get any error messages somewhere?

    This sachost.exe has to do with it, but you can't just delete it just like that; it needs to be stopped and removed in a special order, then the regkey must be deleted, and then after a reboot in safe mode you can delete the file, if I am well informed. But please don't do these things unless the HijackThis experts tell you exactly how and what, and please post your complete HijackThis log; they've been waiting for it the whole day already!
    That file is a keylogger and backdoor, so you might be hacked, with people playing on your system and rebooting you etc., just until you get so frustrated that you wipe the system unnecessarily; so please post your complete HijackThis log so we can get any further!
    thanks a lot!
     
  10. jat35us

    jat35us Registered Member

    Joined:
    May 29, 2004
    Posts:
    6
    I never got a chance to install TDS; it started to restart before I had a chance to install it. I can get into safe mode, but what do I do then?
     
  11. jat35us

    jat35us Registered Member

    Joined:
    May 29, 2004
    Posts:
    6
    I ran TDS in safe mode, and it deleted the virus sachost.exe. System seems to be running great.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Were you also able to delete the registry keys from that?
    Can you please again post a complete HijackThis log in the other thread so the experts can look with you if you're really clean, as there were a few things to be fixed if i remember well.
    This was your thread https://www.wilderssecurity.com/showthread.php?p=186462#post186462

    What more did TDS find than the sachost.exe?
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Sounds good. When posting a HijackThis log, we will help you remove any leftover registry entries, and as a bonus any adware/spyware or browser hijackers too :)
     