Having issues with Trojan.Flush.G

Tiamat

Lifer
Nov 25, 2003
14,068
5
71
My Autoprotect keeps finding/deleting/quarantining Trojan.Flush.G accompanied with Trojan Horse. It quarantines the Trojan Horse file and deletes the Flush.G. (So far this has happened about 3x per day yesterday and today.)

I've gone ahead and manually deleted the quarantined files.

I've done a full scan with symantec and it didn't find anything.

My antivirus definitions are fully up to date.

I've never had any problems with virus/trojans/worms/spyware before.

Should I be concerned? What is the course of action? My stuff is backed up so I can format the drive if needed, but I'd rather not.

Thanks in advance.

 

MadAmos

Senior member
Sep 13, 2006
818
0
76
Start by downloading superantispyware free, install and update it (very important), then restart in safe mode and scan/repair and see what it finds.
 

Tiamat

I guess I'll try using symantec antivirus in safe mode first. Then I'll try dl other things. I wouldn't know which restore point to choose. I'd rather just wipe my drive than fiddle around with messing with restore points then finding out the problem is still there.
 

Tiamat

In safe mode, Symantec antivirus did not find anything.

I will try to undo the system restore and follow the directions at the precisesecurity.com link provided.

Thanks, I'll update...


Edit: I went through regedit and did not find:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Values:
"hgqhp.exe" = "%System%\hgqhp.exe"
"hgqhp.exe" = "%System%\yaemu.exe"

OR

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[CLSID]
Value:
"NameServer" = "85.255.116.51,85.255.112.96"

(I checked all 8 of the { } entries and didn't find any values after NameServer)


Also, I do not have a file called rasphone.pbk, only two executables, one in windows/system32 and one in windows/servicepackfiles/i386. Both are only 56 KB in size.

Thanks for help so far. I'll update whether or not my auto-protect continues to find these trojans. So far, no luck manually finding them.
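The manual regedit check described in the post above, as an added PowerShell example that is not part of the original thread: it reads every interface GUID under the Tcpip key and the machine-wide Run key and changes nothing. It also reads `DhcpNameServer`, which goes beyond the value named in the post, and `$expectedDns` is a placeholder assumption to replace with your own router or ISP resolvers.

```powershell
# Added example: read-only audit of the two registry locations from the post.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Assumption: placeholder list of resolvers you expect (router or ISP DNS).
$expectedDns = @('192.168.1.1')

# Every interface GUID, static (NameServer) and DHCP-assigned (DhcpNameServer).
$dnsReport = foreach ($key in Get-ChildItem -Path $ifRoot) {
    foreach ($valueName in 'NameServer', 'DhcpNameServer') {
        $raw = $key.GetValue($valueName)   # $null when the value is absent
        if (-not $raw) { continue }        # skips empty strings as well
        # NameServer is comma-separated, DhcpNameServer is space-separated.
        foreach ($ip in ($raw -split '[,\s]+' | Where-Object { $_ })) {
            [pscustomobject]@{
                Interface = $key.PSChildName
                Value     = $valueName
                Server    = $ip
                Expected  = $expectedDns -contains $ip
            }
        }
    }
}

# Every autostart entry under the machine-wide Run key.
$run = Get-Item -Path $runKey
$runReport = foreach ($name in $run.GetValueNames()) {
    [pscustomobject]@{ Name = $name; Command = $run.GetValue($name) }
}

# Unexpected resolvers sort to the top of the DNS table.
$dnsReport | Sort-Object Expected, Interface | Format-Table -AutoSize
$runReport | Format-Table -AutoSize -Wrap
```

Any row with `Expected` set to False is a resolver to compare against the router's own DNS settings before trusting it.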
 

law9933

Senior member
Sep 11, 2006
394
0
0
My last idea is posting a HJT log at amazingtechs.com, they seem to be the least busy but very good. As you stated maybe you just want to reinstall.
 

Tiamat

Originally posted by: law9933
My last idea is posting a HJT log at amazingtechs.com, they seem to be the least busy but very good. As you stated maybe you just want to reinstall.

Three weeks ago, my apartment-mate's computer had this same trojan I believe and we had to nuke his system. My system hasn't had any symptoms of the trojan (no redirecting of my websites luckily) but his system constantly redirected.

If my auto-protect finds the trojan within the next few days, I will nuke my system. Otherwise, if it doesn't find the trojan, then I will re-enable the system restore.

Thanks so far for your help.

Edit: Well, auto-protect just popped up again. Sigh, looks like I'll have to nuke my system. :(

I don't know anything about HijackThis and I just don't have the time to learn how to use it. :/
 

law9933

To learn HJT can take months; that is why you post a log (registry) & a trained expert gives you instructions on how to clean your PC. They also use many other special programs; Malwarebytes & Superantispyware are two of the most user friendly ones.
Sometimes a baddy will take several different programs.
 

Tiamat

Originally posted by: law9933
To learn HJT can take months; that is why you post a log (registry) & a trained expert gives you instructions on how to clean your PC. They also use many other special programs; Malwarebytes & Superantispyware are two of the most user friendly ones.
Sometimes a baddy will take several different programs.

Ah, I thought I was just being incompetent :p

This trojan doesn't seem to rank very high though...

I used superantispyware in safe mode and it only found cookies to sites that I frequent (partsexpress, etc.)

For some reason the antivirus scans are really slow in safe mode, so I'll be trying the malwarebytes probably overnight. I'll report back my findings.
 

Tiamat

Malwarebytes found a trojan. Will update tomorrow to see if auto-protect pops up anymore...
 

law9933

If you use your PC for any money transactions a HJT adviser will state with certain malwares you may never be really safe, even after all of their help. That is rare-but worrisome. Even if you think all is fixed, having a HJT checkup might be a good idea/education.

HJT advisers also have you update unsafe programs, & remove crap from the registry.
Some sites are flooded at the moment for help.
 

MadAmos

You may get a quicker response at a less known forum like virtualdr; there are a couple of very good hijackthis users that are frequently there.
 

Tiamat

Thanks guys. Right now, my laptop is still sick. I use it for everything.

Overnight, my auto-protect found and deleted/quarantined several of the same trojan. My computer also ran out of ram and virtual memory for the first time (idling). Something is wrong with my laptop and traditional schemes are not cutting it :(

Symantec, Superantispyware, and Malwarebytes have all failed to find anything in safe mode and within windows. I didn't see anything unusual in the hijackthis log, but then again, it's the first time I have ever seen one.

I don't want to format my laptop since I found some programs that I cannot find the install disks to.

I'll have to check out some of those other security forums I guess...
 

Tiamat

Originally posted by: MadAmos
have you tried this just as it is written Symantec
Also Trendmicro says they can remove it using housecall link on the solutions page.

Yes, I have used that method. Antivirus doesn't find any trojan and when I look at the regedit, there are no unusual entries as mentioned by the link.

I am beginning to wonder if some other computer on the router is infected and trying to infect my laptop continuously. I left my laptop on the whole day today without connection to the internet and autoprotect didn't pop up.

I haven't had any redirects in my web browsing so far...

Within 30 minutes of hooking my laptop into the router wirelessly, I got Norton auto-protect to pop up telling me it deleted the trojan.

I guess the only way for me to know what to do is to post my hijackthis log on one of those forums.

My memory usage has skyrocketed past 1GB used which is unusual..
 

zds107

Junior Member
Sep 28, 2008
6
0
0
Hi,

I am having almost the same problem as you. I also use Symantec with AutoProtect. It started yesterday, and I get a warning about once every 2 hours (when my internet was connected). After that, my page file would slowly increase until the computer was unusable.

I ran the usual virus scan / Malwarebytes / Adaware, and it removed one trojan. The autodetects continued though.

Since it seemed internet dependent, I turned on ZoneAlarm. My HJT report didn't seem to have anything out of the ordinary, and since turning on ZoneAlarm I have received zero trojan warnings. I have not received any suspicious warnings from ZoneAlarm, so I'm not sure what is going on. The only activity I'm really limiting is googleupdate.exe, but that's mostly because it wouldn't stop asking to connect to things.

Anyway, that's my story. I'll keep updates if I find out the cause.

 

Tiamat

My laptop still has problems.

I have posted on Virtualdr forums. Will update later.

zds107, it is interesting that you have a similar problem. Unfortunately, I don't use googleupdate program...
 

MadAmos

Senior member
Sep 13, 2006
818
0
76
I had a quick look at your hijackthis log and did not see anything obvious. I also checked it here and everything came up good. I would wait a bit and see if Broni on Virtualdr sees anything.
 

Tiamat

Originally posted by: MadAmos
I had a quick look at your hijackthis log and did not see anything obvious. I also checked it here and everything came up good. I would wait a bit and see if Broni on Virtualdr sees anything.

Thanks, I really appreciate your help! My autodetect just found and deleted the same trojan. I just ran malwarebytes again, and it didn't find anything, however my ram usage has taken an unexplained 10% increase in usage.
 

Proxemo

Junior Member
Sep 29, 2008
1
0
0
Tiamat, I am having all the same symptoms as you.
I've tried all the same solutions with identical results.

Keep us posted if you make any progress.
 

Tiamat

Originally posted by: Proxemo
Tiamat, I am having all the same symptoms as you.
I've tried all the same solutions with identical results.

Keep us posted if you make any progress.

Unfortunately, so far no progress. My system ram is being eaten up by something that is not showing up on these tools. Autoprotect frequently (about every 60-90 minutes) pops up with finding and deleting the trojan.

I am beginning to lose hope and will probably just purge my windows install. Luckily it is on a separate partition than my data.

I really wanted to do this without reinstallation of windows because reinstall doesn't help anybody solve this problem.
 

lxskllr

No Lifer
Nov 30, 2004
59,424
9,942
126
Here is a copy/paste of an email I sent a couple of years ago. It quotes a web page that I don't remember the source of. The trojan was different, but it may help you with your problem. Try Process explorer from sysinternals suite.


I think I finally kicked that trojan's ass :^). I remember when Antivir copied it to quarantine. It said it couldn't remove it, but it could make a copy to store. I assume that was because the process was active. When I searched for svdhost.exe I couldn't find anything though. I looked on the web for revealing hidden files, and came across this:

Revealing the super hidden files
Microsoft has added many features to Windows XP to protect the critical files of the operating system. The system file checker, for instance, continually monitors the system files to ensure that no application will replace your system files with a version that Windows XP was not designed to work with. The new super hidden files feature allows Windows to protect itself even further by hiding some of its most critical files from the user. If they can't get to it, they can't hurt it, right?

Revealing the super hidden system files is not very difficult at all. You can uncheck the box on the list on the View tab of Folder Options, but where is the fun in that? Use the Registry Editor to turn this feature off:

1. Click on the Start button and select Run.
2. Type in regedit in the box and click OK to start up the Editor.
3. Once regedit appears, navigate through HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
4. Right-click on ShowSuperHidden and select Modify.
5. Change the value to 1 and click OK to save your changes.

Now you will be able to see all of the files on your computer, including the super hidden system files.

This worked perfectly. svdhost.exe became visible, and I was able to rename it. I'll probably delete it tonight, but I would sure like to know exactly what's inside. It would be cool to decompile it, but I don't think I'd know what I was looking at even if I could.

Anyway, I thought this could be useful information to you all. I hadn't seen reference to this registry setting before, and it could be very helpful under certain circumstances. You'll probably want to hide the files again once you've done what you needed to do because it creates a lot of visual clutter, and makes navigating folders more difficult.

As an added note... Unchecking the hide system files box in folder views didn't reveal the trojan. I had to go into the registry to make the change. I mention this because they imply that using the folder view setting will reveal all files, but it doesn't.
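An added PowerShell example, not part of the original post or the page it quotes: it reports the `ShowSuperHidden` value discussed above and lists executables carrying the Hidden attribute without changing any Explorer setting. Scanning `System32` is an assumption made for illustration; the post does not say where svdhost.exe was found.

```powershell
# Added example: find attribute-hidden executables without touching Explorer.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv    = Get-Item -Path $advKey
'ShowSuperHidden = {0}' -f $adv.GetValue('ShowSuperHidden')

# Assumption: System32 is the directory of interest; change $dir as needed.
$dir = Join-Path $env:SystemRoot 'System32'

# -Force makes Get-ChildItem return hidden and system files regardless of
# what Explorer is configured to display.
$hidden = Get-ChildItem -Path $dir -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }

$report = foreach ($file in $hidden) {
    # Signature status helps separate vendor binaries from unknown ones.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        File       = $file.Name
        Attributes = $file.Attributes
        Modified   = $file.LastWriteTime
        Signature  = $sig.Status
    }
}

$report | Sort-Object Modified -Descending | Format-Table -AutoSize
```

This only finds files hidden by their attributes, which is the case the post describes; a file concealed by a rootkit that filters directory listings will not appear here either.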
 

zds107

Hey guys,

So I am still not sure what the problem is, just wanted to check in and say I haven't given up quite yet.

Still no more virus detected popups after enabling ZoneAlarm, but that just makes me paranoid that it's not detecting them anymore. My page file doesn't seem to grow uncontrollably anymore though, so maybe that's something.