Flux, The Return of

Discussion in 'malware problems & news' started by Dayjo, Jan 23, 2006.

Thread Status:
Not open for further replies.
  1. Dayjo

    Dayjo Registered Member

    Joined:
    Jan 23, 2006
    Posts:
    7
    Hi,
    I've been trying to get rid of Flux for a while now, I've read a few of the tutorials on how to get rid of this thing on this website along with others, but SpySweeper STILL seems to pick it up, whatever I do.

    Any tips or help you can offer me would be much appreciated.

    EDIT: this is what Spy Sweeper seems to come up with every scan (Even when I delete them);
    Code:
    System Monitor found: spyanytime pcspy
    Trojan Horse found: flux
    Trojan Horse found: trojan-backdoor-fastboxhosting
    Thanks

    -Dayjo
     
    Last edited: Jan 23, 2006
  2. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    have you tried running ewido or trojan hunter while in safe mode ?
     
  3. wormvirus

    wormvirus Registered Member

    Joined:
    May 24, 2005
    Posts:
    17
    Location:
    Beijing,China
    same suggestion above.. safe mode is a good choice.
    BTW:Kaspersky is a good choice too.
     
  4. Dayjo

    Dayjo Registered Member

    Joined:
    Jan 23, 2006
    Posts:
    7
    Ok well I have resolved this problem.

    I basically did spy sweeper again and deleted the entry, then I went into safe mode to make sure it wasn't running and went through the registry and deleted a few entries I found. I also then cleared all my temporary files and it seems to have disappeared.

    Thanks guys.
     
  5. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    you did delete the activeX stub too ?
    flux can be very persistent sometimes
     
  6. Dayjo

    Dayjo Registered Member

    Joined:
    Jan 23, 2006
    Posts:
    7
    Meh, looks like it isn't gone, it just popped up on spysweeper again :(.
    Same results as above.

    What's the activeX stub?
     
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    it has an activeX stub to reload the infection after removal
    check the registry

    Hkey_Local_Machine\Software\Microsoft\Active Setup\Installed Components


    for a rogue entry

    known CLSIDs:
    4DA6578A-5EE1-3CA3-3AA1-4E6B1A2C6C1D
    73AA3483-8D3C-7B5E-6C6A-8E418B5B774B
    etc
     
  8. Dayjo

    Dayjo Registered Member

    Joined:
    Jan 23, 2006
    Posts:
    7
    Couldn't see anything odd there.

    EDIT:
    Ok, what I've noticed is that the location that Spy Sweeper finds the threat is in;
    HKLM\software\microsoft\windows\currentversion\run\ || svchost

    Which was running "C:\Windows\svchost.exe", (which actually doesn't exist), so I have deleted the registry value and I'm hoping that that's all that was left of the darn thing.

    The problem is spy sweeper also keeps giving me an alert that MSConfig and svchost keep being added to the \run\ registry, so I'm thinking then that it's still running or something to be able to set itself back into the registry.

    Ugh, any tips?
     
    Last edited: Jan 27, 2006
  9. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    it usually has 3 startups
    Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
    Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
    and
    Hkey_Local_Machine\Software\Microsoft\Active Setup\Installed Components\
    all point to the same executable
    in your case likely C:\Windows\svchost.exe

    those must be deleted in safe mode

    no other scanner is finding anything ?
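    Added example (not the thread's own code, and not from any of the tools mentioned): a PowerShell script that walks the three autostart locations illukka lists in posts 7 and 9 and reports the pattern Dayjo describes, a Run value or an Active Setup StubPath that points at a file which does not exist, or at an svchost.exe outside %SystemRoot%\System32. The function names and the heuristics are my own assumptions, not anything the thread states.

    ```powershell
    # Added example (not the thread's own code): check the three autostart
    # locations named in this thread for a missing file or a fake svchost.exe.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $activeSetup = 'HKLM:\Software\Microsoft\Active Setup\Installed Components'
    $realSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $psMeta      = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

    # Pull the executable out of a command line such as "C:\x y\z.exe" /arg
    function Get-ExePath([string]$cmd) {
        if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
        if ($cmd -match '^\s*(\S+)')     { return $Matches[1] }
        return $null
    }

    function Test-Suspicious([string]$exe) {
        if (-not $exe) { return $false }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if ([IO.Path]::IsPathRooted($exe)) {
            $exists = Test-Path -LiteralPath $exe
        } else {  # bare name such as rundll32.exe: resolve through PATH
            $exists = [bool](Get-Command $exe -ErrorAction SilentlyContinue)
        }
        $fakeSvchost = ($exe -like '*\svchost.exe') -and ($exe -ne $realSvchost)
        return (-not $exists) -or $fakeSvchost
    }

    $findings = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $psMeta) { continue }
            if (Test-Suspicious (Get-ExePath $p.Value)) {
                $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }

    # Active Setup: each subkey's StubPath runs once per user at logon; this
    # is the stub that re-creates the Run entries after they are deleted.
    foreach ($sub in Get-ChildItem $activeSetup) {
        $stub = (Get-ItemProperty -Path $sub.PSPath).StubPath
        if ($stub -and (Test-Suspicious (Get-ExePath $stub))) {
            $findings += [pscustomobject]@{ Location = $sub.PSChildName; Name = 'StubPath'; Command = $stub }
        }
    }
    $findings | Format-Table -AutoSize
    ```

    Unquoted commands with spaces in the path are reported as "missing" and need a manual look; on 64-bit Windows the Wow6432Node counterparts of these keys should be checked as well.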
     
  10. Dayjo

    Dayjo Registered Member

    Joined:
    Jan 23, 2006
    Posts:
    7
    Well, actually I ran Trojan Hunter in safe mode and it did find something, and supposedly cleaned it.
    I've run Spy Sweeper several times since then and it hasn't popped up again.

    All those registry areas seem clean at the moment, and I'm not getting the alert of the two things added to the start up.

    Perhaps it has gone, then again I thought it was gone before, I'll go into safe mode again and scan with various things.

    Thanks for your help by the way.

    EDIT: ok, I ran Trojan Hunter again and it came up with 5 trojans or what it thought were trojans, so I cleaned them, and rebooted into normal mode, where spy sweeper came up with the "these entries have been written to the registry" alert again :(. So now I'm back in safe mode scanning TH, Spy Sweeper and Spybot, I'll also go through the registry again in a bit. :(

    EDIT2: I thought that it might be some false positives but Spy Sweeper came up with the registry things again and the c:\windows\svchost.exe thing DID get put into the registry, even though the file doesn't exist. It also comes up with MSCONFIG, to some random file that I'm not sure what it is, it could be though that was just because I was looking in msconfig to see the start up entries.
    Perhaps I'm going about this the wrong way, rather than trying to get rid of Flux, perhaps I need to do something to get rid of;
    spyanytime pcspy
    and
    trojan-backdoor-fastboxhosting
    as they come up on S'S' as well as Flux.
     
    Last edited: Jan 28, 2006
  11. Dayjo

    Dayjo Registered Member

    Joined:
    Jan 23, 2006
    Posts:
    7
    I apologise for bumping, but has anyone got ANY clue or advice that I can use? :/
     
  12. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
  13. Dayjo

    Dayjo Registered Member

    Joined:
    Jan 23, 2006
    Posts:
    7
    I'm pretty sure it's clean, but thanks anyway.
    Logfile of HijackThis v1.99.1
    Scan saved at 23:04:41, on 30/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Dayjo\Application Data\Microsoft\Internet Explorer\Quick Launch\msnmsgr.exe
    C:\Program Files\mIRC\mirc.exe
    C:\WINDOWS\system32\wisptis.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe
    C:\Program Files\BPFTP\BPFTP.EXE
    C:\Documents and Settings\Dayjo\Desktop\Apps\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.63.217.17:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;<local>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
    Last edited by a moderator: Jan 30, 2006