hi i’m new to these forums and i signed up because i need some help with this trojan that keeps coming back. i’m using avast anti-virus and each time i get on the internet avast detects it and i have to move it to chest or delete it. it’s always Win 32 trojan. but i’ll get on the internet later on again and the trojan will be back. i’m using windows XP home edition. i’m not that much of a computer wiz so you’ll have to bear with me. thanks in advance.
Hi, welcome to the forums.
Please Help us to Help you. In order to help fully we need more information…
- What avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)?
- What was the virus name, what was the filename, where was it found, for example (C:\windows\system32\infected-filename.xxx)?
- What actions have you taken to try and resolve the problem?
Also see this thread for further information and advice User’s FAQ.
If you haven’t already got this software (freeware), download, install, update and run it.
ok the virus name is Win 32: Trojano-1239. the location was C:\WINDOWS\system32. the file name was 789tz.dll and the VPS file was 0526-2. i’m using avast v.4.6 home edition. i tried scanning the computer with avast and deleting all the trojans. i also used spybot S.D. and Ad Aware and they found some things so quarantined and deleted them. but the problem came back. i even tried looking for it in the windows folder. like i said before i’m not that good at computers so you’ll have to bear with me.
The reason things come back is either a vulnerability (ensure your OS and browser, etc. are fully up to date), or there are other elements associated with the virus that restore it, and there are likely to be run commands in the registry.
The best tool for analysis is hijackthis, so download it and print the tutorial so you can work through step by step.
Program & Tutorial - Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.
You should also read this thread Advice & Tools for virus/trojan/malware Removal & Prevention
I would also suggest you switch to a more secure browser such as Firefox which is less prone to this kind of malware.
ok i downloaded the hijackthis but i couldn’t open the tutorial, it said it could not be opened and to check the name again. should i perform a system scan?
p.s. i switched to firefox when i got the spyware because i heard it was much safer using Firefox.
It would be better if you were able to read the HJT tutorial first before using HJT to scan your system, but not absolutely essential.
However, the HiJackThis Tutorial link above (blue text) is working fine, it is just a web page, so you shouldn’t have a problem.
ok when i tried clicking on the tutorial it said tomcoyota.org could not be found, check the name again. i also tried doing the thing on that thread you gave me but it didn’t work.
This is the naked link http://www.tomcoyote.org/hjt/ and I have just visited it and it is working. I note you have made a typo in the domain name in your post but I assume you didn’t type the link in to access the site.
"i also tried doing the thing on that thread you gave me but it didn't work."
I'm not quite sure what you are trying to indicate here, but if it is the "Advice & Tools for virus/trojan/malware Removal & Prevention" link, that too is working fine.
What browser are you using? How are you trying to access the link (single click, double click, right click context menu, or something else)?
If you can’t get it to work, right click on the link and copy the link location (or similar text depending on your browser), open a new tab or window and paste the link into the URL address window.
ok, the naked link worked for me. i’m gonna go from there thanks. by the way i’m using mozilla firefox now, i was using IE at the time i got the virus.
do you guys want to see the logfile?
Use the on-line HJT analysis link I gave you, if there is anything in the analysis you don’t understand get back to us. Try to work through it so you can learn too, use google for items deemed unknown, etc.
But if you get lost post the contents (cut and paste) of the logfile here (don’t attach it).
ok i used the on-line HJT analysis and it was real helpful. there were only a few errors i couldn’t catch because it asked me to restart the computer. so when i restarted, the message where avast tells me i have a virus didn’t come up. so do you guys think i got rid of it? what about that error?
Sorry, I’m confused now. The on-line analysis of the log file gives you the information so you can decide which items to fix (tick) in the HJT scan and there should be no requirement to restart.
What were the “there were a few errors”? Any information, no matter how little, is better than none, so there is no way I can say anything about an error.
What were you doing that required you to restart?
However, at this point I would be happy that things appear to be OK.
after i fixed the selected items it prompted me to restart my computer. so i ran another online analysis and there were 5 things that the scan didn’t get rid of. i guess i had to restart in order to get rid of them because when i restarted i was able to get rid of them. thanks for the help guys. i was about to go to circuit city or best buy so they could fix it but you guys helped me fix it myself. thanks.
That’s fine, happy to help.
That is the best bit, you fixed it and learned into the bargain; now you know how and saved some cash to boot.
so i wake up this morning to find the same message appear. i don’t get it, the log file says i’m all safe except for one unknown which i know is my printer:
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
the log file says some things are safe but unnecessary, do i get rid of those things too? plus the logfile said that i still have internet explorer, i removed IE a while back, does it stay there?
and the logfile said this could possibly be nasty C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe but i know that’s my easy CD creator program. should i get rid of it? there are other similar ones to this one like C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
and could you help me out with these two:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
i remember when i had IE and the spyware had gotten to me my homepage kept getting changed to about:blank. and it had some nasty links in it. the logfile says these are safe. do you think these could be the problem? sorry for coming back like this but it’s just that i thought i had fixed the problem.
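The O4 and R1 lines quoted in the post above can be read mechanically, which makes it easy to compare a log taken after cleaning with one taken after the next reboot and see which autostart or browser settings have come back. This is an added example, not part of the original thread or of HijackThis itself; the function names are hypothetical, and the extra entry in `LATER` is constructed with placeholder names.

```python
import re
from typing import List, NamedTuple, Optional

# HijackThis abbreviates this key path as ".." in O4 lines.
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"

class Entry(NamedTuple):
    code: str   # HijackThis section code, e.g. "O4" or "R1"
    key: str    # full registry key
    name: str   # registry value name
    data: str   # command line or URL stored in the value

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
R_RE = re.compile(r"^(R[01]) - (HKLM|HKCU)\\(.+),([^,=]+?) = (.*)$")

def parse_line(line: str) -> Optional[Entry]:
    """Parse a registry-backed O4 or R0/R1 line; return None for anything else."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        hive, sub, name, data = m.groups()
        return Entry("O4", "\\".join((hive, CURRENT_VERSION, sub)), name, data)
    m = R_RE.match(line)
    if m:
        code, hive, key, name, data = m.groups()
        return Entry(code, hive + "\\" + key, name, data)
    return None

def parse_log(text: str) -> List[Entry]:
    """Return every recognised entry in a pasted log, in order."""
    return [e for e in map(parse_line, text.splitlines()) if e]

def added_since(baseline: str, later: str) -> List[Entry]:
    """Entries present in the later log but absent from the baseline."""
    seen = set(parse_log(baseline))
    return [e for e in parse_log(later) if e not in seen]

# The three entries quoted in the post above, used as the clean baseline.
BASELINE = r'''
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
'''
# Constructed: the same log plus one made-up autostart entry (placeholder names).
LATER = BASELINE + r'O4 - HKCU\..\Run: [example-entry] C:\example\placeholder.exe' + "\n"

if __name__ == "__main__":
    for e in added_since(BASELINE, LATER):
        print(e)
```

Anything `added_since` returns after a reboot is a value that something on the machine wrote back, which is the registry behaviour described earlier in the thread.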