Can't delete a trojan horse.

I have used several different antivirus's and still cant delet this trojan, I have ran SpyBot S&D, then ran the Highjack program. I trojan file is in my Windows Dir. its sachost.exe. I also found a antivirus software that detected it and it sed it was trojanspy.win32.tofger.al, Thanks

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\FRU\Remind32.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Documents and Settings\Jerry\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s
O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRA~1\SPYWAR~3\Spyware-Cop.exe" /s
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\FRU\Remind32.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196a.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2828b0067f2fcf2f3c01/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38066.943900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Hi, jat35us

Welcomed to Wilders Security Forums.

Best post over in Hijack Cleaning:-
Adware, Spyware & Hijack Cleaning

Take Care,
TheQuest

 

Hello there and welcome to the forum!
I see your new thread is there where the HijackThis experts will take care of it.
https://www.wilderssecurity.com/showthread.php?p=186462#post186462
We could have moved your thread to that location, to spare you reposting
Which scanner found your trojan?
Could you please be so kind as to locate the trojan onj your system, zip it and submit it to submit@diamondcs.com.au please, as we always advise to do with all suspicious files?
You might have to close your scanner temporary to be able to get that file for zipping.

Do you also use TDS for a full system scan?
If not, get it at www.diamondcs.com.au , install, reboot, back to that download page for the last radius update , start TDS, and do a full system scan with all other scanners completely closed and unnecessary programs closed while you might like to get a coffee as it can take a while.
If you get any alerts in the bottom console in the end please rightclick on one of them and choose "save to text" and the scandump.txt will show up for you; be so kind as to paste those finds in your next posting! before you close that window so we can tell you what to do with the files.

 

Why can't you disable/delete this registry entry ...

HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe

and delete the following file (after! having it sent to DCS)

C:\WINDOWS\sachost.exe

?

 

Let's see what the forum experts in the HiJackThis forum make of it; before that i never comment on the HJT log as i'm no expert in that field.

 

Hi All,

There are two antivirus's that found it, AVG found it but the other one identified it better "Kaspersky Anti-virus Personal". I will try to zip the file if I can.

 

Yes please do if you can! Thanks in advance!
Did you also install TDS to try with that too?
KAV and TDS work very fine together, and add to the layered protection on your system!

A description of tofger:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.tofger.html
But as there are many versions by now this URL doesn't give all the current info for your file, but it gives some ideas what you're dealing with.
As it's a keylogger as well among others i guess you will like to make sure there is no connection with it; so besides TDS (if you like) also get Port Explorer, so you see if there is unwelcome traffic and with which application where on your system and to which outside location while you can kill it instantly (traffic of application)
Depending on the finds and advices in the HJT forum and cl;ensing you might have to change all your passwords etc, but awaiting the HJT results first.

 

Well I downloaded the TDS file, but now my computer keeps restarting, and i can't do anything. I guess I will have to just wipe the system out and reload everything. I do thank you for all the help. I will wait to do this if you have any sugestions on what I can do to avoid having to do that.

Thanks again.

 

That doesn't sound good at all!
Are you able to get into safe mode (press F8 during startup a few times) and uninstall TDS?
Something must have gone really wrong here!
How far did you get with the Hijackthis cleansing?
I see only the thread where they're waiting for your complete HijackThis log (check all options to scan, that make the log so also your version and system info are included in the log)


If you installed TDS, did you make sure all other antivirus was completely closed? And after installing TDS did you reboot?

Did you get any error messages somewhere?

This sachost.exe has to do with it but you can't just delete it just like that; it needs to be stopped and removed in a special order, then the regkey must be deleted and then after a reboot in safe mode you can delete the file, if i am well informed but please don't do these things unless the HijackThis experts tell you exactly how and what, and please post your complete HijackThis log, they're waiting for it the whole day already!
That file is a keylogger and backdoor, so you might be hacked and people playing on your system and rebooting you etc, just till you get so frustrated till you do wipe the system all unnecessary, so please post your complete HijackThis log so we can get any further!
thanks a lot!

 

I never got a chance to install TDS, It started to restarart before I had a chance to install it. I can get into safe mode, but what do I do then.

 

I ran TDS in safe mode, and it deleted the virus sachost.exe. System seems to running great.

 

Were you also able to delete the registry keys from that?
Can you please again post a complete HijackThis log in the other thread so the experts can look with you if you're really clean, as there were a few things to be fixed if i remember well.
This was your thread https://www.wilderssecurity.com/showthread.php?p=186462#post186462

What more did TDS find then the sachost.exe?

 

Sounds good, when posting a Hijack This log, we will help you remove any leftover registry entries.. and as a bonus any adware/spyware or browser hijackers too