
Trojan.flush.M Problems, Assistance DIRELY Needed



#1 Siddha

Siddha

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:01 PM

Posted 26 April 2009 - 04:44 PM

Please, I'm at such a loss. I have so much schoolwork to get done, and it's getting troublesome; any help in advance is VERY appreciated. I will be providing updates with as MUCH as I learn. I'm basically working on this till I sleep tonight, so they will be frequent.

------------------------------------------------------------------------------------

Good day, so I've accidentally downloaded a virus, big mistake. I'm probably never gonna use a torrent site again because of this. However, I am having IMMENSE trouble getting it off my system, and it's on my Mother's system too now.

------------------------------------------------------------------------------------

Okay, so this is what I know; a log will be posted below. When the PC is scanned using MBAM software, it comes up with a Trojan.flush.M.

From the countless hours of research I've done, Trojan.flush.M seems to be a DNS altering trojan, and it constantly redirects my web browser, or makes certain internet things impossible (i.e. updating MBAM, updating Norton, going to the Windows Update site).

------------------------------------------------------------------------------------

When I had this first, I tried to remove it using these instructions: http://www.symantec.com/security_response/...-99&tabid=3
I did have trouble, as the ONLY registry key that I could find was LEGACY_NDIS, not LEGACY_NDISPROT; however, it contained all the information that NDISPROT was assumed to have, so I assumed them to be the same thing, and followed the instructions as listed there.
Just as a side note, I was NEVER able to do #3, "Locate and select the service that was detected." I was unable to find the service.

------------------------------------------------------------------------------------

THIS IS MY MBAM LOG:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

4/26/2009 5:13:45 PM
mbam-log-2009-04-26 (17-13-39).txt

Scan type: Quick Scan
Objects scanned: 74520
Time elapsed: 7 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6f67441-5697-43fb-b4f4-aba306638602}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c6f67441-5697-43fb-b4f4-aba306638602}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------------------------------------------

NO ACTION was taken because often it instantly comes back, or at least after a restart it is immediately back, and I wanted to show you what it looked like before I did anything with it. (This is taken from my mother's computer, but is basically identical to the one on my computer.)

------------------------------------------------------------------------------------

Below is basically a small summary of the hell I've gone through, and hopefully it will be helpful to anyone that reads this:

When I first got this, I attempted to remove it, failed, and reformatted, with my USB drive with all the drivers I needed ready to go right by me.
I reformatted using NTFS and got back to my clean desktop, scanned with MBAM, nothing. I first installed Windows Service Pack 3, and rebooted. I scanned with MBAM again, nothing! I was getting excited. I installed my Ethernet drivers, connected to the web, and attempted to access the Microsoft updates page, but it oddly kept me on Google.com? It was weird. Scanned with MBAM, BOOM, got exactly what I had before the reformat.
So I only got the virus AFTER I connected to the internet, not before, but ONLY after I had my internet drivers in and was connected to the web. I don't entirely understand this, but it's true.
So I ended up reformatting several times, all ending with the same thing: doing fine till I got online.

------------------------------------------------------------------------------------

A couple of theories that I know of are the following (obtained from myself, a fairly tech savvy friend, and my father, who is a professional computer programmer; however, he is very reluctant to help with computer problems at home.)

-USB drive: the USB drive is containing the virus, and the autoplay function may be executing a malicious something-or-other .exe
-The internet #1: the whatever-this-is redirecting me to (because it always redirects using this IP (.....................)) knows MY IP and is finding me as soon as I connect to the internet, then doing things to me (unlikely, I know)
-The internet #2: maybe the virus travels through the router that me, my dad and my mom are connected to, so that it went from me, to my mom, and then back to me after I reconnect to the internet after the format (I'm leaning towards this one)
-My hard drive: there is a backdoor written in the "ghost files" of my hard drive that aren't touched by a reformat (I feel that this is farfetched)


------------------------------------------------------------------------------------

CURRENTLY:
My father and I are finishing a fresh reformat on my computer, and we will attempt to eliminate one of the theories on how it keeps getting on my computer; we are planning on starting with the USB drive one.

------------------------------------------------------------------------------------


Please, I'm at such a loss. I have so much schoolwork to get done, and it's getting troublesome; any help in advance is VERY appreciated. I will be providing updates with as MUCH as I learn. I'm basically working on this till I sleep tonight, so they will be frequent.

I KNOW that I've left a few things out, but the hours of research I've done on this are well in the 13+ range, so I can't remember everything. I'll be letting you know EVERYTHING that I can as fast as possible. Considering my mother's computer is with drivers and internet right now, and not completely dying, I will be fixing the virus here first, and doing tests on my computer to figure out the infection reasons. I would THEN proceed with fixing mine, after I have a good understanding of what is going on.


ONE LAST FYI: reformats on my computer are nothing, there is NOTHING on my computer right now; in fact, it's BEING reformatted. However, my mother has A LOT of important information on her computer, and reformatting is NOT an option unless it is the ONLY WAY to get it off.


-Siddha
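The value MBAM flags above, DhcpNameServer, is where Windows stores the DNS servers it received from DHCP, so a freshly reformatted machine will pick the same addresses up again the moment it gets a lease from a router whose DNS settings have been changed. The script below is an added example (not part of this thread and not Malwarebytes code) that parses "Registry Data Items Infected" lines in the format shown in the log, pulls out every DhcpNameServer address, and flags the ones a home router should never be handing out. The denylist here is just the /20 that contains both rogue resolvers from the log, used as a constructed stand-in for a published rogue-DNS list; the "public resolver" check is a heuristic, since a home router normally advertises its own private LAN address as the resolver.

```python
"""Triage helper for Malwarebytes log lines like the ones posted above.

Added example, not from the thread or from Malwarebytes. It extracts the
DhcpNameServer data from "Registry Data Items Infected" lines and flags
resolvers that should not have come from a home router's DHCP server.
"""
import ipaddress
import re

# Sample input: the four registry-data lines copied from the MBAM log in the post.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6f67441-5697-43fb-b4f4-aba306638602}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c6f67441-5697-43fb-b4f4-aba306638602}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
"""

# Denylist assumption: the /20 that contains both rogue resolvers seen in the
# log. A real deployment would load a published rogue-DNS list instead.
ROGUE_DNS_NETWORKS = [ipaddress.ip_network("85.255.112.0/20")]

# One MBAM registry-data line: key path, detection name, data, action taken.
LINE_RE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<detection>[^)]+)\) -> Data: (?P<data>.*?) -> (?P<action>.*)$"
)


def parse_mbam_registry_data(text):
    """Yield a dict per registry-data line; 'value' is the last path component."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["value"] = entry["key"].rsplit("\\", 1)[-1]
            yield entry


def classify_dns_server(addr):
    """Return why a DHCP-supplied resolver is suspicious, or None if it looks normal.

    Raises ValueError if addr is not an IP address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in ROGUE_DNS_NETWORKS):
        return "known rogue resolver"
    if not ip.is_private:
        # Heuristic: home routers hand out their own LAN address as resolver.
        return "public resolver handed out by DHCP"
    return None


def triage(text):
    """Return {resolver: reason} for every DhcpNameServer address worth acting on."""
    findings = {}
    for entry in parse_mbam_registry_data(text):
        if entry["value"] != "DhcpNameServer":
            continue
        for addr in entry["data"].split():
            try:
                reason = classify_dns_server(addr)
            except ValueError:
                reason = "not an IP address"
            if reason:
                findings[addr] = reason
    return findings


if __name__ == "__main__":
    for addr, reason in sorted(triage(SAMPLE_LOG).items()):
        print(f"{addr}: {reason}")
```

Run against the posted log it reports the two 85.255.x.x resolvers as known-rogue and 1.2.3.4 as a public resolver that DHCP should not be advertising. The useful follow-up is to compare that list with the DNS servers configured on the router itself, because "Fix" in MBAM only rewrites the registry on the client and the next lease will put the addresses straight back.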


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:11:01 PM

Posted 26 April 2009 - 10:12 PM

To disinfect your flash drive

Be sure to hold down the shift key when inserting the flash drive

Please download
Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.



Also disconnect from the net and do a hard reset on your router. Then give it a strong password.

Edited by garmanma, 26 April 2009 - 10:14 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
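The reply above relies on two facts about autorun.inf: Windows only acts on it when it is a file in the drive root, and a directory with that name (the one Flash_Disinfector leaves behind) occupies the name so a file cannot be dropped there without first removing the directory. The following is an added example, not Flash_Disinfector's code, showing how a responder can inspect a removable drive root and tell the three states apart: nothing there, the protective placeholder directory, or a real autorun file, in which case the directives that would launch something (open, shellexecute, shell\...\command) are returned for review. The temporary directories and the sample autorun.inf contents it creates are constructed fixtures standing in for a real USB drive.

```python
"""Classify a removable drive's root by what is at autorun.inf.

Added example; not part of the thread and not Flash_Disinfector. Statuses:
  "absent"        no autorun.inf at all
  "blocked"       autorun.inf is a directory (the protective placeholder), so
                  Windows cannot read it as an autorun file
  "autorun file"  a real autorun.inf exists; its launch directives are returned
"""
import configparser
import os
import tempfile

# Directives in [autorun] that cause something to run on insert/open.
LAUNCH_KEYS = ("open", "shellexecute")


def launch_directives(path):
    """Return {directive: target} for every launching directive in an autorun.inf."""
    # Disable interpolation: autorun files may contain '%' and are not templates.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        parser.read_file(fh)
    # Section name is case-insensitive in practice ([autorun] vs [AutoRun]).
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    found = {}
    for key, value in parser.items(section):  # keys are lowercased by configparser
        is_shell_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_shell_cmd:
            found[key] = value.strip()
    return found


def inspect_drive_root(root):
    """Return (status, directives) for root/autorun.inf."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent", {}
    if os.path.isdir(path):
        return "blocked", {}
    return "autorun file", launch_directives(path)


def build_sample_drive(kind):
    """Constructed fixture: a temp dir standing in for a USB drive root.

    kind: "file" (a real autorun.inf), "dir" (placeholder directory), or "none"."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    path = os.path.join(root, "autorun.inf")
    if kind == "file":
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("[AutoRun]\n"
                     "open=some_program.exe\n"
                     "icon=some_program.exe,0\n"
                     "shell\\open\\command=some_program.exe\n")
    elif kind == "dir":
        os.mkdir(path)
    return root


if __name__ == "__main__":
    for kind in ("none", "dir", "file"):
        status, directives = inspect_drive_root(build_sample_drive(kind))
        print(f"{kind:>4}: {status} {directives}")
```

Point inspect_drive_root at a real drive letter (for example "E:\\") to use it on an actual stick. A "blocked" result is the state the reply above wants you to preserve; an "autorun file" result with any launch directive is the thing to quarantine before the drive is inserted anywhere without holding Shift.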



