
Trojan.Flush.M 04232009


10 replies to this topic

#1 ScarlettLux


Posted 23 April 2009 - 06:47 AM

Budapest Posted Today, 12:15 AM
ScarlettLux, if you cannot get into Safe Mode try it in Normal Mode. Don't post your log into this topic, please start your own.

V. Sorry, I read the Prep Guide in the wrong forum, and didn't scroll down far enough. In my error I was hoping to save already stated help from being redone.



To expedite the removal I have already performed several clean-ups as outlined by Budapest in the topic Trojan.Flush.M from yesterday, 04222009. History Please let me know if I need to quote any or all of the verbiage instead of the topic link.

The only difference is that I cannot get into safe mode, nor can I create a Restore Point.

Again, many thanks.


#2 boopme


Posted 23 April 2009 - 09:10 PM

So you had success running MBAM; would you post that log here?
SUPER you did not run, as you cannot access safe mode, correct? Then please run ATF and SAS (SUPER) from normal mode and post its log. Whatever it removes will still help.
I believe the same happened with SDFix, but we'll wait on that till we see what the other logs say.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 ScarlettLux


Posted 23 April 2009 - 09:29 PM

I appreciate the help. I ran both MBAM and SAS. Will post them in 2 replies, one for each tool.

SUPER Anti-Spyware logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/22/2009 at 09:46 PM

Application Version : 4.26.1000

Core Rules Database Version : 3858
Trace Rules Database Version: 1810

Scan type : Complete Scan
Total Scan Time : 02:32:41

Memory items scanned : 582
Memory threats detected : 0
Registry items scanned : 7205
Registry threats detected : 18
File items scanned : 108045
File threats detected : 2

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1da7dbe8-c51b-4ae4-bc6e-21863349b0b4}
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1DA7DBE8-C51B-4AE4-BC6E-21863349B0B4}
HKU\S-1-5-21-1777238972-1077115274-927710691-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1DA7DBE8-C51B-4AE4-BC6E-21863349B0B4}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1DA7DBE8-C51B-4AE4-BC6E-21863349B0B4}

Trojan.Media-Codec
HKU\S-1-5-21-1777238972-1077115274-927710691-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A2595F37-48D0-46A1-9B51-478591A97764}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{a2595f37-48d0-46a1-9b51-478591a97764}
HKU\S-1-5-21-1777238972-1077115274-927710691-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{A2595F37-48D0-46A1-9B51-478591A97764}
HKU\S-1-5-21-1777238972-1077115274-927710691-1003\Software\Internet Security
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On#DisplayName

Adware.180solutions/ZangoSearch
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SAIX.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SAIX.dll#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SAIX.dll#{DECEAAA2-370A-49BB-9362-68C3A58DDC62}

Adware.IST/YourSiteBar
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ysbactivex.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ysbactivex.dll#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ysbactivex.dll#{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}

Trojan.Unclassified/Loader-Suspicious
C:\PROGRAM FILES\AVI CONVERTER\AVI-MPEG-RM-WMV JOINER V4.11&SPLITTER +SERIAL\AVI-MPEG-RM-WMV JOINER V4.11&SPLITTER +SERIAL\AVI_TO_VCD_CONVERTER DIGC148A(KRAK)\LOADER.EXE
C:\PROGRAM FILES\AVI CONVERTER\LOADER.EXE


Restarted computer and ran again:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/23/2009 at 00:21 AM

Application Version : 4.26.1000

Core Rules Database Version : 3858
Trace Rules Database Version: 1810

Scan type : Complete Scan
Total Scan Time : 01:46:04

Memory items scanned : 534
Memory threats detected : 0
Registry items scanned : 7158
Registry threats detected : 0
File items scanned : 77208
File threats detected : 0

#4 ScarlettLux


Posted 23 April 2009 - 09:31 PM

Malwarebytes' Anti-Malware logs:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/22/2009 5:33:09 PM
mbam-log-2009-04-22 (17-33-09).txt

Scan type: Quick Scan
Objects scanned: 77379
Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 2
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\virtualdns.virtualdnsobj (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\virtualdns.virtualdnsobj.1 (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0985c112-2562-46f2-8da6-92648ba4630f} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f63b171-e2f3-4362-a484-8563144d62e6} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{dd469a88-316c-441d-b712-783d9b9a6707} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{86c510e9-97ef-4749-914f-0280247be3a6} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{67907b3c-a6ef-4a01-99ad-3fcd5f526429} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{143414d1-c324-4d6f-9756-5075d9a4a485} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{d28cd14c-50be-4cfa-951e-b37f25da3472} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IST (Trojan.ISTBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.122,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.122,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.122,85.255.112.154 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-2-5-11-100002404-100002099-100018098-9783.com (Trojan.Agent) -> Quarantined and deleted successfully.


Restarted and ran again:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/22/2009 5:55:25 PM
mbam-log-2009-04-22 (17-55-25).txt

Scan type: Quick Scan
Objects scanned: 77137
Time elapsed: 6 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 boopme


Posted 23 April 2009 - 09:45 PM

Good job. OK, the SAS was run in normal mode, correct?

The MBAM database is old; please rerun MBAM like this now:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select FULL scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

#6 ScarlettLux


Posted 23 April 2009 - 10:56 PM

Updated MBAM, performed a full scan, rebooted computer. Log:

Malwarebytes' Anti-Malware 1.36
Database version: 2034
Windows 5.1.2600 Service Pack 3

4/23/2009 11:34:09 PM
mbam-log-2009-04-23 (23-34-09).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 161866
Time elapsed: 45 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\WinRar\WinRAR.v3.62.Incl.Crack-F4CG_BlaZe\crack\Patch.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Ldrdsb\Ldrdsb.exe (Adware.Effbar) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.

#7 ScarlettLux


Posted 23 April 2009 - 11:43 PM

Updated again, ran the scan again. It came up with the DNS Changer for a 2nd time. I'll reboot and restart and run again. If it's clean I won't post anything until I get a reply. Log:

Malwarebytes' Anti-Malware 1.36
Database version: 2035
Windows 5.1.2600 Service Pack 3

4/24/2009 12:41:19 AM
mbam-log-2009-04-24 (00-41-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 165559
Time elapsed: 42 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.

#8 ScarlettLux


Posted 24 April 2009 - 09:56 AM

All right, reran MBAM, all clear with no threats detected. Rebooted, updated and ran MBAM once more. Got the Trojan DNS Changer yet again. I've not restarted the computer, since when I do that it seems to just come up again. Also, my Norton's just not working. Obviously something's keeping it from running correctly. They had sent me instructions on how to get rid of the Trojan.Flush.M virus, but I don't know that much about puters to do the required brain surgery. Here is the latest and greatest log:

Malwarebytes' Anti-Malware 1.36
Database version: 2036
Windows 5.1.2600 Service Pack 3

4/24/2009 10:49:10 AM
mbam-log-2009-04-24 (10-49-10).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 165685
Time elapsed: 44 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.

#9 boopme


Posted 24 April 2009 - 10:03 AM

Hello, The issue is with this file gxvxccounter.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files. Botnets and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
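Added example (not code from this thread, Malwarebytes or BleepingComputer): a small triage script for the MBAM logs posted above. The point boopme makes is that the same file, C:\WINDOWS\system32\gxvxccounter, keeps reappearing after it has been "Quarantined and deleted successfully", and that recurrence after a reboot is the signal that something the scanner cannot reach is putting it back. The script parses the detection lines of several successive logs, reports any location that shows up in more than one scan, and pulls the rogue name-server addresses out of the Trojan.DNSChanger entries so they can be checked against the machine's current TCP/IP settings. The sample logs are constructed here, modelled on the scans in the thread; the line format is an assumption based on those posted logs.

```python
import re
from collections import Counter

# One MBAM detection line has the shape (assumed from the logs in the thread):
#   <location> (<family>) [-> Data: <values> | -> Bad: (x) Good: (y)] -> <action>.
# The Data / Bad-Good middle part only appears on "Registry Data Items" entries.
DETECTION_RE = re.compile(
    r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>\S+) -> |Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)

# Constructed sample logs, modelled on the scans posted in this thread
# (three successive scans of the same machine; only the relevant lines kept).
SAMPLE_LOGS = {
    "scan-1 (quick, old database)": r"""
Malwarebytes' Anti-Malware 1.36
Database version: 1945

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.122,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
""",
    "scan-2 (full, updated)": r"""
Files Infected:
C:\WINDOWS\system32\Ldrdsb\Ldrdsb.exe (Adware.Effbar) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.
""",
    "scan-3 (full, after reboot)": r"""
Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.
""",
}


def parse_mbam_log(text):
    """Return one dict per detection line in an MBAM log; every other line is ignored."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append({
                "location": m.group("location"),
                "family": m.group("family"),
                "data": m.group("data"),      # DNS servers etc., None for plain entries
                "action": m.group("action"),
            })
    return found


def recurring_detections(logs):
    """Map location -> number of distinct scans it was removed in, keeping only repeats.

    A location that is 'deleted successfully' in one scan and present again in the
    next (especially after a reboot) points at a persistence mechanism the scanner
    does not see, which is exactly the gxvxccounter situation in this thread.
    """
    seen = Counter()
    for text in logs.values():
        for loc in {d["location"].lower() for d in parse_mbam_log(text)}:
            seen[loc] += 1
    return {loc: n for loc, n in seen.items() if n >= 2}


def rogue_dns_servers(logs):
    """Collect the name-server IPs MBAM reported in Trojan.DNSChanger registry entries."""
    servers = set()
    for text in logs.values():
        for d in parse_mbam_log(text):
            if d["family"].lower() == "trojan.dnschanger" and d["data"]:
                servers.update(ip for ip in d["data"].split(",") if ip)
    return sorted(servers)


if __name__ == "__main__":
    for loc, n in recurring_detections(SAMPLE_LOGS).items():
        print(f"REINFECTION: {loc} removed in {n} separate scans")
    print("rogue DNS servers seen:", ", ".join(rogue_dns_servers(SAMPLE_LOGS)))
```

The rogue addresses the script extracts are the ones to compare against the NameServer values under every ControlSet (the log shows them in CurrentControlSet, ControlSet002 and ControlSet004) and against the DNS settings of any router the machine uses; a scanner clearing the registry value does not help if the next reboot rewrites it.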

#10 ScarlettLux


Posted 24 April 2009 - 02:43 PM

I suppose the best course of action would be to reformat and reinstall the OS. I never used this computer to get into financial institutions, so I'm ok there, but I will be unplugging it from the net shortly. My one problem is that as the computer is second-hand I don't have the disks for reformatting. I can always purchase XP I suppose. Or try Linux. Any suggestions? I'll be looking at this from a different computer from now on. Thank you for your help.

#11 boopme


Posted 25 April 2009 - 09:47 PM

Do you have your registration key? Then you can use anyone's XP CD and reinstall. When it asks for a key you enter yours (not theirs) and all goes well.
Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action, but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.
==============================
2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe's, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Edited by boopme, 25 April 2009 - 09:48 PM.

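Added example (not code from this thread or from BleepingComputer): a script that applies boopme's two backup rules to a list of file names before anything is copied off the compromised machine. It copies plain data files, skips executables, web pages and autorun files, and, for the "hidden extension" trick the post warns about, flags a file whose final extension is executable but which carries a data-looking extension in front of it (holiday.jpg.exe). The extension sets are an assumption: they start from the types the post names and add a few common Windows executable types; the sample file list is constructed.

```python
from pathlib import PureWindowsPath  # pure path: works on any OS without the files existing

# Types from boopme's rules plus a few common Windows executable types (assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll", ".vbs", ".js", ".msi"}
WEBPAGE_EXTS = {".html", ".htm"}
# Plain data types that are normally safe to copy, then scanned before restoring.
DATA_EXTS = {".doc", ".docx", ".xls", ".txt", ".pdf", ".mp3", ".jpg", ".jpeg", ".png", ".gif", ".avi"}
# Files the post says never to carry over, matched by full name regardless of folder.
SYSTEM_NAMES = {"autorun.inf", "autorun.ini", "desktop.ini"}

# Constructed sample listing, as a user might export it from the old drive.
SAMPLE_FILES = [
    r"C:\Documents and Settings\user\My Documents\thesis.doc",
    r"C:\Documents and Settings\user\My Pictures\holiday.jpg",
    r"D:\music\song.mp3",
    r"C:\Documents and Settings\user\My Pictures\holiday.jpg.exe",   # disguised executable
    r"D:\downloads\invoice.pdf.scr",                                   # disguised screensaver
    r"D:\downloads\setup.exe",
    r"C:\Documents and Settings\user\Favorites\index.html",
    r"C:\autorun.inf",
    r"D:\notes",
    r"D:\archive.tar.gz",
]


def classify_for_backup(path):
    """Return (verdict, reason) where verdict is 'copy', 'skip' or 'review'."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    suffixes = [s.lower() for s in p.suffixes]   # all dotted parts, e.g. ['.jpg', '.exe']

    if name in SYSTEM_NAMES:
        return "skip", "autorun/system file"
    if not suffixes:
        return "review", "no extension; inspect by hand"

    last = suffixes[-1]
    if last in EXECUTABLE_EXTS or last in WEBPAGE_EXTS:
        # The Windows 'hide extensions for known file types' setting shows
        # 'holiday.jpg.exe' as 'holiday.jpg', which is the disguise the post describes.
        if len(suffixes) > 1 and suffixes[-2] in DATA_EXTS:
            return "skip", f"double extension {''.join(suffixes[-2:])} disguises an executable"
        kind = "executable" if last in EXECUTABLE_EXTS else "web page"
        return "skip", f"{kind} ({last})"
    if last in DATA_EXTS:
        return "copy", f"data file ({last}); scan with anti-virus before restoring"
    return "review", f"unknown extension ({last})"


def plan_backup(paths):
    """Group a listing into {'copy': [...], 'skip': [...], 'review': [...]}."""
    plan = {"copy": [], "skip": [], "review": []}
    for path in paths:
        verdict, _ = classify_for_backup(path)
        plan[verdict].append(path)
    return plan


if __name__ == "__main__":
    for path in SAMPLE_FILES:
        verdict, reason = classify_for_backup(path)
        print(f"{verdict:6}  {path}  -- {reason}")
```

Anything in the review bucket, and everything in the copy bucket, still gets scanned on the clean machine before it is restored, as the post says; the script only keeps executables and disguised executables from being carried across in the first place.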



