
Having issues with Trojan.Flush.G

Actually, just found something:

Check out C:\WINDOWS\Tasks

you'll find a bunch of mysterious tasks, set to go off every few hours, and pointing to the trojan file at windows/system32

At least that's what I've found. It's something, right?
 
Originally posted by: zds107
Actually, just found something:

Check out C:\WINDOWS\Tasks

you'll find a bunch of mysterious tasks, set to go off every few hours, and pointing to the trojan file at windows/system32

At least that's what I've found. It's something, right?

Sounds promising. Can you post a screenshot of the tasks or at least copy and paste them here?
 
If you go to the control panel, do they show up under the scheduled tasks? Right-click them and under properties uncheck enabled, or if you are confident just delete them and the process they point to. I would do this in safe mode; you might want to save a copy to a CD or such first in case you need it back for any reason. Have you tried uploading the file that the tasks point to to VirusTotal?
 
Yes, they do, and I'm confident that they're the virus' work. Somehow I removed the file they were pointing to (the last .exe the anti virus detected), and now they all fail to launch. I've deleted them all.

I haven't figured out how they got there in the first place though....that's my next goal
 
Wait to see what may be found, but maybe your HJT adviser would find this info helpful if your log does not show much???

"I am beginning to wonder if some other computer on the router is infected and trying to infect my laptop continuously. I left my laptop on the whole day today without connection to the internet and autoprotect didn't pop up.

Within 30 minutes of hooking my laptop into the router wirelessly, I got norton auto-protect to pop-up telling me it deleted the trojan."

& zds107 "Still no more virus detected popups after enabling zone alarm"
 
Originally posted by: zds107
Yes, they do, and I'm confident that they're the virus' work. Somehow I removed the file they were pointing to (the last .exe the anti virus detected), and now they all fail to launch. I've deleted them all.

I haven't figured out how they got there in the first place though....that's my next goal

Most likely the malware installed them to keep it running no matter how many times it was disabled.
 
HJT adviser Broni found nothing in Tiamat's log.

Do you still have an AV if Autoprotect is disabled to see if your PC returns to normal?

I know Norton messed up my mother's PC.
 
Originally posted by: zds107
At1.job -----> At24.job (one for every hour)

I have the same. They point to the same file, which is something that all the Properties options are grayed out for: I55865av.exe in the system32 directory. Both it and the At1->24 files were created on the 27th of this month.
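
The pattern reported above (At1.job through At24.job all launching one .exe in system32) can be checked for mechanically. This is an added example, not part of the original posts: it reads text shaped like `schtasks /query /fo CSV /v` output and groups At-named tasks by the file they launch. The sample rows are constructed, and the column names `TaskName` and `Task To Run` and the `min_shared` threshold are assumptions.

```python
import csv
import io
import re
from collections import defaultdict
from pathlib import PureWindowsPath

AT_NAME = re.compile(r"^\\?At\d+$", re.IGNORECASE)    # At1, At2, ... task names
EXE_PATH = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)  # command up to the .exe


def build_sample():
    """Constructed rows; only the two columns read below (names assumed)."""
    rows = ['"TaskName","Task To Run"']
    rows += [f'"At{n}","C:\\WINDOWS\\system32\\I55865av.exe"' for n in range(1, 25)]
    rows.append('"At30","C:\\WINDOWS\\system32\\defrag.exe c:"')
    rows.append('"Backup","C:\\Program Files\\Tool\\backup.exe /quiet"')
    return "\n".join(rows)


def triage(csv_text, min_shared=3):
    """Map each system32 .exe to the At<N> tasks that launch it, keeping only
    targets shared by at least `min_shared` tasks (threshold is an assumption)."""
    by_target = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["TaskName"].strip()
        match = EXE_PATH.match(row["Task To Run"].strip())
        if not match or not AT_NAME.match(name):
            continue
        exe = PureWindowsPath(match.group(1))
        if exe.parent.name.lower() == "system32":
            by_target[str(exe).lower()].append(name)
    return {t: names for t, names in by_target.items() if len(names) >= min_shared}


if __name__ == "__main__":
    for target, names in triage(build_sample()).items():
        print(f"{len(names)} At-tasks -> {target}: review and scan this file")
```

A flagged target is a lead for review, not a verdict; the file it names is what to scan or upload before deleting anything.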
 
That sure sounds like what you are finding. The removal information looks almost too simple but definitely worth a try.
 
Originally posted by: MadAmos
That sure sounds like what you are finding. The removal information looks almost too simple but definitely worth a try.

So far so good, no auto-protect popping up yet. I'll update tomorrow. If I didn't eliminate the problem, it will pop up by tomorrow morning.

Edit: I must mention that these forums have been very helpful. The ability to brainstorm ideas led me to find at least one hidden threat that could have been the source of all of this. I probably would never have checked my scheduled tasks (which I don't use) without zds107's post, for example!
 
Yeah, I guess I got lucky and deleted the file it was scheduled to run, the scheduled tasks started to fail, and my page file / pop-ups all stopped. Good find with the firu.g thing. I deleted those tasks in safe mode, and reran everything out of paranoia, but still no more popups or anything. I may even feel safe enough to check my email again soon 😛

My main question is how I got the original virus. I'm normally pretty crazy about not clicking on bad things...and haven't had a virus in ...5 years? ish

Thanks for everyone's help!
 
Originally posted by: zds107
Yeah, I guess I got lucky and deleted the file it was scheduled to run, the scheduled tasks started to fail, and my page file / pop-ups all stopped. Good find with the firu.g thing. I deleted those tasks in safe mode, and reran everything out of paranoia, but still no more popups or anything. I may even feel safe enough to check my email again soon 😛

My main question is how I got the original virus. I'm normally pretty crazy about not clicking on bad things...and haven't had a virus in ...5 years? ish

Thanks for everyone's help!

So far, no popups! I would love to find out how I got this trojan as well. I don't randomly click stuff either...
 
My laptop did not get any auto-protect warnings overnight. I am reasonably confident that we finally killed the bug. I'm glad I stuck through and didn't cop out and format my laptop. I learned quite a bit about trojans and how they work, some new excellent tools, and some common hiding places.
 
Excellent results :beer: it never hurts to learn something new, you never know when it will come in handy. I sure would like to know where this came from as it sounds like it may be hard to spot based on how knowledgeable you both seem.
 