Flux, The Return of

Hi,
I've been trying to get rid of Flux for a while now, I've read a few of the tutorials on how to rid of this thing on this website along with others, but SpySweeper STILL seems to pick it up, whatever I do.

Any tips or help you can offer me would be much appreciated.

EDIT: this is what Spy Sweeper seems to come up with every scan (Even when I delete them);

Code:

System Monitor found: spyanytime pcspy
Trojan Horse found: flux
Trojan Horse found: trojan-backdoor-fastboxhosting

Thanks

-Dayjo

 

have you tried running ewido or trojan hunter while in safe mode ?

 

same suggestion above.. safe mode is a good choice.
BTW:Kaspersky is a good choice too.

 

Ok well I have resolved this problem.

I basically did spy sweeper again and deleted the entry, then I went into safe mode to make sure it wasn't running and went through the registry and deleted a few entries I found. I also then cleared all my temporary files and it seems to have disapeared.

Thanks guys.

 

you did delete the activeX stub too ?
flux can be very persistent sometimes

 

Meh, looks like it isn't gone, It just popped up on spysweeper again .
Same results as above.

What's the activeX stub?

 

it has an activeX stub to reload the infection after removal
check the registry

Hkey_Local_Machine\Software\Microsoft\Active Setup
\Installed Components

for a rogue entry

known CLSID's:
4DA6578A-5EE1-3CA3-3AA1-4E6B1A2C6C1D
73AA3483-8D3C-7B5E-6C6A-8E418B5B774B
etc

 

Couldn't see anything odd there.

EDIT:
Ok, what i've noticed is that the location that Spy Sweeper finds the threat is in;
HKLM\software\microsoft\windows\currentversion\run\ || svchost

Which was running "C:\Windows\svchost.exe", (which actually doesnt exist), so I have deleted the registry value and i'm hoping that that's all that was left of the darn thing.

The problem is spy sweeper also keeps giving me an alert that MSConfig and svchost keep being added to the \run\ registry, so I'm thinking then that it's still running or something to be able to set itself back into the registry.

Ugh, any tips?

 

it has usually 3 startups
Hkey_Current_User\Software\Microsoft\Windows
\CurrentVersion\Run
Hkey_Local_Machine\Software\Microsoft\Windows
\CurrentVersion\Run
and
Hkey_Local_Machine\Software\Microsoft\Active Setup
\Installed Components
\
all point to the same executable
in your case likely C:\Windows\svchost.exe

those must be deleted in safe mode

no other scanner is finding anything ?

 

Well, actually I ran Trojan Hunter in safe mode and it did find something, and supposedly cleaned it.
I've run Spy Sweeper several times since then and it hasn't popped up again.

All those registry areas seem clean at the moment, and I'm not getting the alert of the two things added to the start up.

Perhaps it has gone, then again I thought it was gone before, I'll go into safe mode again and scan with various things.

Thanks for your help by the way.

EDIT: ok, I ran Trojan Hunter again and it came up with 5 trojans or what it thought were trojans, so I cleaned them, and rebooted into normal mode, where spy sweeper came up with the "these entries have been written to the registery" alert again . So now I'm back in safe mode scanning TH, Spy Sweeper and Spybot, I'll also go through the registry again in a bit.

EDIT2: I thought that it might be some false positives but Spy Sweeper came up with the registry things again and they c:\windows\svchost.exe thing DID get put into the registry, even though the file doesnt exist. It also comes up with MSCONFIG, to some random file that I'm not sure what it is, it could be though that was just because I was looking in msconfig to see the start up entries.
Perhaps i'm going about this the wrong way, rather than trying to get rid of Flux, perhaps I need to do something to get rid of;
spyanytime pcspy
and
trojan-backdoor-fastboxhosting
as they come up on S'S' as well as Flux.

 

I appologise for bumping, but has anyone got ANY clue or advice that I can use? :/

 

hi

lets see a hijackthis log then

see this page for instructions http://forums.spybot.info/showthread.php?t=288



FOR OTHER PROSPECTIVE LOG POSTERS:
see this topic https://www.wilderssecurity.com/showthread.php?t=42148
wilders only does requested logs

 

I'm pretty sure it's clean, but Thanks anyway.
Logfile of HijackThis v1.99.1
Scan saved at 23:04:41, on 30/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Dayjo\Application Data\Microsoft\Internet Explorer\Quick Launch\msnmsgr.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\wisptis.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe
C:\Program Files\BPFTP\BPFTP.EXE
C:\Documents and Settings\Dayjo\Desktop\Apps\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.63.217.17:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe