Trojan.Flush.M Problems...


  • This topic is locked
2 replies to this topic

#1 Siddha

  • Members
  • 2 posts

Posted 26 April 2009 - 06:11 PM

Please, I'm at such a loss. I have so much schoolwork to get done, and it's getting troublesome. Any help in advance is VERY appreciated. I will be providing updates with as MUCH as I learn; I'm basically working on this till I sleep tonight, so they will be frequent.

------------------------------------------------------------------------------------

Good day, so I've accidentally downloaded a virus, big mistake, I'm probably never gonna use a torrent site again because of this. However, I am having IMMENSE trouble getting it off my system, and it's on my Mother's system too now.

------------------------------------------------------------------------------------

Okay, so this is what I know. A log will be posted below; when the PC is scanned using MBAM software, it comes up with a Trojan.flush.M.

From the countless hours of research I've done, Trojan.flush.M seems to be a DNS-altering trojan, and it constantly redirects my web browser or makes certain internet things impossible (i.e. updating MBAM, updating Norton, going to the Windows Update site).

------------------------------------------------------------------------------------

When I had this first, I tried to remove it using these instructions: http://www.symantec.com/security_response/...-99&tabid=3
I did have trouble, as the ONLY registry key that I could find was LEGACY_NDIS, not LEGACY_NDISPROT; however, it contained all the information that NDISPROT was assumed to have, so I assumed them to be the same thing and followed the instructions as listed there.
Just as a side note, I was NEVER able to do #3, "Locate and select the service that was detected". I was unable to find the service.

------------------------------------------------------------------------------------

THIS IS MY MBAM LOG:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

4/26/2009 5:13:45 PM
mbam-log-2009-04-26 (17-13-39).txt

Scan type: Quick Scan
Objects scanned: 74520
Time elapsed: 7 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6f67441-5697-43fb-b4f4-aba306638602}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c6f67441-5697-43fb-b4f4-aba306638602}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------------------------------------------

NO ACTION was taken because often it instantly comes back, or at least after a restart it is immediately back, and I wanted to show you what it looked like before I did anything with it. (This is taken from my mother's computer, but is basically identical to the one on my computer.)

------------------------------------------------------------------------------------

Below is basically a small summary of the hell I've gone through, and hopefully it will be helpful to anyone that reads this:

When I first got this, I attempted to remove it, failed, and reformatted, with my USB drive with all the drivers I needed ready to go right by me.
I reformatted using NTFS and got back to my clean desktop, scanned with MBAM, nothing. I first installed Windows Service Pack 3 and rebooted. I scanned with MBAM again, nothing! I was getting excited. I installed my Ethernet drivers, connected to the web, and attempted to access the Microsoft updates page, but it oddly kept me on Google.com? It was weird. Scanned with MBAM, BOOM, got exactly what I had before the reformat.
So I only got the virus AFTER I connected to the internet, not before, but ONLY after I had my internet drivers in and was connected to the web. I don't entirely understand this, but it's true.
So I ended up reformatting several times, all ending with the same thing: doing fine till I got online.

------------------------------------------------------------------------------------

A couple of theories that I know of are the following (obtained from myself, a fairly tech-savvy friend, and my father, who is a professional computer programmer; however, he is very reluctant to help with computer problems at home).

-USB drive: the USB drive is containing the virus, and the autoplay function may be executing a malicious something-or-other .exe.
-The internet #1: the whatever-this-is redirecting me to (because it always redirects using this IP (.....................)) knows MY IP and is finding me as soon as I connect to the internet, then doing things to me (unlikely, I know).
-The internet #2: maybe the virus travels through the router that me, my dad and my mom are connected to, so that it went from me to my mom, and then back to me after I reconnect to the internet after the format (I'm leaning towards this one).
-My hard drive: there is a backdoor written in the "ghost files" of my hard drive that aren't touched by a reformat (I feel that this is far-fetched).


------------------------------------------------------------------------------------

CURRENTLY:
My father and I are finishing a fresh reformat on my computer, and we will attempt to eliminate one of the theories on how it keeps getting on my computer; we are planning on starting with the USB drive one.

------------------------------------------------------------------------------------


I KNOW that I've left a few things out, but the hours of research I've done on this are well in the 13+ range, so I can't remember everything. I'll be letting you know EVERYTHING that I can as fast as possible. Considering my mother's computer is with drivers and internet right now, and not completely dying, I will be fixing the virus here first, and doing tests on my computer to figure out the infection reasons. I would THEN proceed with fixing mine, after I have a good understanding of what is going on.


ONE LAST FYI: reformats on my computer are nothing, there is NOTHING on my computer right now; in fact, it's BEING reformatted. However, my mother has A LOT of important information on her computer, and reformatting is NOT an option unless it is the ONLY WAY to get it off.


-Siddha
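Added example, not from the thread or from any of its participants: a small Python parser for the MBAM "Registry Data Items Infected" lines quoted in the post above. It pulls the DhcpNameServer data out of each line and flags every resolver that is not on an allow list of expected DNS servers; the allow list (192.168.1.1 as the home router) is an assumption, the log lines are the ones from the post. Because DhcpNameServer holds the addresses the interface received from DHCP, running the same comparison on a freshly installed machine right after it joins the network tells you whether the DNS settings were changed by something on the network segment rather than by a file on the disk.

```python
import re
from ipaddress import ip_address

# Lines copied from the MBAM log in the post above (constructed sample input).
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6f67441-5697-43fb-b4f4-aba306638602}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c6f67441-5697-43fb-b4f4-aba306638602}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.68 85.255.112.141 1.2.3.4 -> No action taken.
"""

# Assumed allow list: the LAN router is the only resolver DHCP should hand out here.
EXPECTED_DNS = ["192.168.1.1"]

# Shape of an MBAM registry-data finding: <key> (<detection>) -> Data: <data> -> <action>
LINE_RE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<detection>[^)]+)\) -> Data: (?P<data>.*?) -> (?P<action>.*)$"
)


def parse_mbam_registry_data(log_text):
    """Return one dict per 'Registry Data Items Infected' line in an MBAM log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines and '(No malicious items detected)'
        key = m.group("key")
        findings.append({
            "key": key,
            "value_name": key.rsplit("\\", 1)[-1],   # e.g. DhcpNameServer
            "detection": m.group("detection"),
            "servers": m.group("data").split(),       # space-separated resolver list
            "action": m.group("action"),
        })
    return findings


def rogue_name_servers(findings, allowed=EXPECTED_DNS):
    """Resolvers found in DhcpNameServer data that are not on the allow list."""
    allowed_ips = {ip_address(a) for a in allowed}
    rogue = set()
    for f in findings:
        if f["value_name"] != "DhcpNameServer":
            continue
        for server in f["servers"]:
            try:
                if ip_address(server) not in allowed_ips:
                    rogue.add(server)
            except ValueError:
                rogue.add(server)  # not even a valid address: treat as suspect
    return rogue
```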

#2 Baabiouz


    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 10 May 2009 - 03:52 AM

Hello

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized).

Edited by Baabiouz, 10 May 2009 - 03:53 AM.


#3 Baabiouz


    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 14 May 2009 - 11:09 AM

This thread will now be closed.
If you need this topic reopened, please contact me.

This applies only to the original topic starter.
Everyone else please begin a New Topic.