Trying to remove win32:trojano-1079[Trj]

I just did a virus [url=Win@:Trojano-1079{TRj]Win32:Trojano-1079{TRj[/url]}I tried to delete with various spyware programs and trojan removal programs but nothing seems to work. Can someone please help me with this problem-----Please

Hi, I want to let you know that I got the trojano also. I doubt that it is fully gone, but, I haven't seen any alerts for 6 hours. I downloaded all of the programs I am about to mention and then disconnected the internet. TrojanHunter, TrojanRemover, a-Squared, AVG, Spyblaster, Spybot, Ad-Aware, and Avast, I think I am missing one or two. But, I first ran Avast doing a boot time scan, then I ran a-Squared, AVG, Ad-Aware and Spybot all at once. Then the others. THe virus popped back up after my screaming fit, I chose delete on the Avast alert, then rebooted immediately and did another boot time scan using avast. I currently have a-Squared, AVG, Avast and Torjan HUnter running in the system processes, and I also use Sygate firewall. Maybe I am overdoing it, but it's not bugging me now...

Anyway, I'm not done yet, I also used a registry repair program I found on download.com. Then finally, I inserted the Windows XP disc and typed sfc /purgecache. It was a quick little blip, then I typed sfc /scannow. That repairs the necessary Windows files that the trojano made me delete. I hope this helps you. Please let me know if it did. [url=Emilyb49@yahoo.com]Emilyb49@yahoo.com[/url] or if you can still use AOL IM emileeb49 BTW, I can't install a current version on AIM, I had to install an old one. *pout*





Good luck!!

Well, it is now 8 hours from the time I thought it was surely clean, and it came back. I guess my method just keeps it from multiplying in the system until you run one of the programs it screwed with. It got roboform, aim and java for me, I don't know how I'm gonna fix these, but I need to block java from connecting to the net. and it seems to use aim somehow. a-squared got me to realize that, it asked my permission and dummy me let lava connect. So put your firewall on a stronger setting that you have to allow everything access. Then I suggest waiting it out until the computer geniouses figure out a cure for this one.

I to was infected by trojano 1079, missed by Norton but uncovered by Avast - running these together meant that Norton was monitoring on line, and Avast was discovering the virus off line. Removed Norton and then logged on and Avast running as the main on-line monitor caught the trojan as it tried to download itself when accessing the web using Internet Explorer, and switched me off-line to protect, the virus not being downloaded. Using Firefox browser I could surf web normally with no virus alert.

Investigated further and noted that my Internet homepage setting had been changed to About:Blank - here I think lies the problem. Check if you have About:Blank here, if so the way I cleared (so far!) the problem of trojano 1079 appearing was by using CWShredder, a quick to download and free program. I found this info by searching web for "About:Blank" rather than "trojano 1079".

After running this small program 1 file was discovered - I think CWSAboutBlank and deleted using program, I also cleared temp internet files and cookies, before going back on line first using Firefox, then Internet Explorer - horray no trojano 1079 alert this time around! Would recommend that you run CWShredder before going on line using IE to ensure this nasty time-wasting trojan still remains 'shredded' (its wasted hours of my time to get this far!)

Good luck and happy surfing again, Tom
:cool:

Here I am again, and my computer has been clean for about 2 days now. AVG Free has the complete fix for the Trojano1079. I just had it somewhat contained before when I posted.

I, too, had the Trojano 1079 virus. I may have also had some other problems because I was unable to access any Windows programs such as Control Panel and Windows Explorer. I could surf the Net, use email and even use my other programs like Quicken and even MS Word. My homepage was hijacked to "about:blank".

I first tried Symantec's on-line scanning tool. It pointed me to several adware files on my PC but did not mention Trojano 1079 (avast! told me I had the Trojano 1079). When I actually tried using Symantec's "kill" programs for the specific adware files, Symantec told me those files were not on my PC.



I disconnected the internet connection. Tried CWShredder - found nothing. Tried SpySubtract - found nothing. Using Hijack This!, noticed and removed a line that contained "about:blank". Then ran AdAware and found one file. I deleted cookies, temp files and history. Ran avast! and it did not find any infected files.



On reboot, Win32:Trojano 1179 (not a typo) came up in avast!. IE still tried auto opening as it did w/ "about:blank".



Rebooted again. No virus or trojan horse notices came up.



Reconnected to the Net and downloaded AVG and ran a scan. It found viruses. I healed them, and ran AVG again. AVG came back clean. So far, no further problems.



In my "Favorites", I did find several "odd" bookmarks. The addresses were very strange and ended in things like ".cc" Even found a folder that was not mine. I had tried deleting those over the past week but was unsuccessful (they would come back after I closed "Favorites"). After AVG gave me a clean bill of health, I was successful in permanently removing these bookmarks and folder.



Thanks to all for posting your experiences. AVG is my new best friend!

I also found that at system turn-on, windows messanger loaded its self and then my virus alarms would stsrt going off. I had manually gone in and removed messenger from my system months ago. I have now blocked messenger from being hijack and loaded by other programs or viruses.

Go TO: https://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Network/




Good Luck; Crockett

I have run hijack this and this is what i have come up with please HELP!!!!




Logfile of HijackThis v1.99.1
Scan saved at 10:51:02 AM, on 8/2/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\lexbces.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\basfipm.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Plaxo\2.13.1.6\PlaxoHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.atlantatriumphducati.com/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [1c0a076d] rundll32.exe "C:\WINNT\system32\tbqquovq.dll",b
O4 - HKLM\..\Run: [BM1f3934f1] Rundll32.exe "C:\WINNT\system32\xiqnvaqx.dll",s
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.6\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - https://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = atlantatriumphducati.prv
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = atlantatriumphducati.prv
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = atlantatriumphducati.prv
O20 - AppInit_DLLs: yrwwqi.dll ijnnpf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\lexbces.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe





Plus whenever im running the hijack this i am getting an Application Error



The instruction at "0x1233293" referenced memory at "0x00000000". The memory could not be "read".

Hello atducati






Click here - ->> [color=#0000ff>https://www.bullguard.com/forum/14/Before-posting-a-log_43561.html[/b]





After You have run the scan tools -



Reboot normally



Post Hijackthis log along with SuperAntiSpyware log, C: combofix TXT in this topic



Please copy and paste your log. DO NOT add it as an attachment

Kindly do not annotate or format the log with color or font changes.



NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer.. We do not clean logs that have P2P applications installed as this can cause reinfection during your cleaning.

[/color]