Can't delete this trojan.

Discussion in 'adware, spyware & hijack cleaning' started by jat35us, May 30, 2004.

Thread Status:
Not open for further replies.
  1. jat35us

    jat35us Registered Member

    Joined:
    May 29, 2004
    Posts:
    6
    have used several different antivirus's and still cant delet this trojan, I have ran SpyBot S&D, then ran the Highjack program. A trojan file is in my Windows Dir. its sachost.exe. I also found a antivirus software that detected it and it sed it was trojanspy.win32.tofger.al, Thanks

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
    C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\FRU\Remind32.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Documents and Settings\Jerry\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
    O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
    O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s
    O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRA~1\SPYWAR~3\Spyware-Cop.exe" /s
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\FRU\Remind32.exe
    O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...swdir8d196a.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2828b00...ip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...38066.943900463
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pu...ash/swflash.cab
     
  2. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Jat,

    Welcome to Wilders !

    On the top, You need to move HijackThis.Exe to a separate folder of its own. The program will make backups to the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Jat, it will help immensely if you post a COMPLETE log. All portions of the log contain VITAL information about your Operating System and browser, and about the version of HijackThis you are using. This information is needed to determine what may be a legitimate file or not, since every version of Windows has a different load of "must-have" files.

    You missed the top portion of the log which is something like this ..
    Please post that complete log as a reply in this thread (don't start another one).

    With Thanks !
    Newkid !
     
Thread Status:
Not open for further replies.