I've tried deleting this in safemode and it still says there is a process running it. My hijack log is attached.

Attached Files

hijackthis.txt (7.6 KB, 4 views)

You have an extremely nasty worm on your PC: WORM_RBOT.KX
See for details: http://www.trendmicro.com/vinfo/viru...BOT.KX&VSect=T

I'd advise you to get your PC scanned by Trend-Micro:
http://be.trendmicro-europe.com/cons...all_launch.php

This is not what I have or it's under a different name because I can't find this process or registry keys anywhere

Give Trend a chance to find it for you.

Can't get trend to work for me

Let's try it the 'hard' way:

Boot in Safe Mode.
Switch System restore OFF, see how here.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
LTMSG.exe
msnmsgr.exe
run.exe
updmgr.exe
wupdater.exe
sysupd.exe
tpjhcc.exe

Next, try to UNinstall anything to do with (not delete yet!):
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\Common files\updater\wupdater.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
run.exe (could be there twice!)
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
........................................................................... ........................
C:\WINDOWS\LTMSG.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - blank (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [LSA] run.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot <<== only FIX
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [aosdmnki] C:\WINDOWS\System32\tpjhcc.exe
O4 - HKLM\..\RunServices: [LSA] run.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LSA] run.exe
O4 - HKCU\..\Run: [PRIVANAL] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunServices: [LSA] run.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?

Fix ALL those O16 - DPF: entries
Unless thes IPs are from your ISP, fix this O17:
O17 - HKLM\System\CCS\Services\Tcpip\..\{D664147A-525D-4605-B6D4-2A4EC3575F0B}: NameServer = 216.166.216.20,64.40.72.21
........................................................................... ........................
Now click on the Fix Checked button in HJT.

When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.

ONLY after you have done the above, to delete that fish-program,
try DrDelete from http://www.dslreports.com/forum/rem...sware~mode=flat

or KillBox from http://www.bleepingcomputer.com/files/killbox.php