|
|
#1
August 24th, 2004, 09:36 PM
|
|||
|
|||
Troj/Winflux-B
Helo all
I am having trouble removing this trojan. I'm following sophos instruction to remove it, but it not work!! The startup in registry keep coming back! If i delete file it also comes back! why? am i doing wrong? I open regedit and find the keys sophos say, then i delete them. They disapear but if I press F5 (update) they are back again. Same with file. I go to explorer and delete file c:\windows\backvol.exe. But after i update the file is back! How can i remove it? Can tds help me? Why can I not remove it? This happens if i boot computer in safe mode too! info: http://www.sophos.com/virusinfo/anal...jwinfluxb.html |
|
#2
August 24th, 2004, 09:39 PM
|
||||
|
||||
|
Re: Troj/Winflux-B
Do you have System Restore turn off ?
Have you edited the registry as they advise? You will also need to edit the following registry entries, if present. Please read the warning about editing the registry. At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens. Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup. Locate the HKEY_LOCAL_MACHINE entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ and remove any reference to any file you deleted. Locate the HKEY_LOCAL_MACHINE entries: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(CLASS ID)\ delete only the entry with the path of the Trojan, nothing else. Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry: HKCU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\ HKCU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunOnce\ and remove any reference to any file you deleted. Close the registry editor. Hope this helps... Cheers 
__________________
"Illegitimis non carborundum"
translation: "Don't let the bastards grind you down" U.S. General Joseph W. "Vinegar Joe" Stilwell (1883-1946) Two Photographers |
|
#3
August 24th, 2004, 10:00 PM
|
|||
|
|||
|
Re: Troj/Winflux-B
Yes I have.
I have (tried) removed all of them. This is also what sophos say: "The Trojan has the ability to monitor these autostart entries and may restore them if they are deleted." I think that is why my registry can not be deleted. Sure I can delete them, but they keep coming back. |
|
#4
August 25th, 2004, 02:14 AM
|
||||
|
||||
|
Re: Troj/Winflux-B
Quote:
yes tds can help you. download and install it and do a full system scan(update before scanning).. download here http://tds.diamondcs.com.au/ update here http://tds.diamondcs.com.au/index.php?page=update basic configuration and info here http://www.wilderssecurity.com/showthread.php?t=24666 this one drops several files, av sites write ups are not that helpful, because filenames are customisable. flux also has a hidden startup .. making it difficult to remove completely. so a dedicated anti trojan really is your best bet! edit: you might want to post tds's scan report here
__________________
a proud supporter of THE GLORIOUS REDS To Ride, Shoot Straight And Speak TheTruth |
|
#6
August 27th, 2004, 07:08 AM
|
||||
|
||||
|
Re: Troj/Winflux-B
can you boot into safe mode( tap f8 button while booting)
and scan with tds again?
__________________
a proud supporter of THE GLORIOUS REDS To Ride, Shoot Straight And Speak TheTruth |
|
#7
August 27th, 2004, 12:02 PM
|
||||
|
||||
|
Re: Troj/Winflux-B
Fixed over at our forum, refer to this manual removal instructions for Flux any time
http://www.diamondcs.com.au/forum/sh...3562#post23562 Actually quite easy to remove like this, should only need the first 5 steps |
| « Previous Thread | Next Thread » |
| Thread Tools | Search this Thread |
|
|
