NOD32 and the "TrojanSpy.Win32.Flux.a"

Discussion in 'NOD32 version 2 Forum' started by David Gilmour, Sep 9, 2004.

Thread Status:
Not open for further replies.
  1. NOD32 detects (only in advanced heuristics mode) the "TrojanSpy.Win32.Flux.a", but it's not able to delete, quarantine or simply rename it! For Sophos antivirus it's child's play to delete it.

    NOD32, the best antivirus solution? What a disappointment!
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I don't understand - if NOD32 detects something without needing to be updated, is that disappointing? Please send me a PM with the full name and path to the file in question as well as what module (AMON or IMON) it was detected by.

    If NOD32 detects something via Advanced heuristics, please do not delete those files without sending them to sample@nod32.com for analysis.
     
  3. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    He's obviously disappointed because NOD32 can't remove the file. Detection without removal is pretty useless.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If the on-demand scanner finds a virus in an archive it's necessary to remove it manually. However, since IMON scans all files including archives, there's no way a trojan (even detected as NewHeur_PE) could slip through the HTTP scanner.
     
  5. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Marcos, it could be that I'm not the only NOD user not using IMON. :) AMON should be able to delete without my having to do it manually. If Eset wants those of us who do not use IMON to stay with NOD32 they have to do a lot of fixing of the resident scanner AMON. Yes, it is better but still lacking for those of us using no email or HTTP scanners.
     
  6. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Do you have NOD updated?
    I've 2 variants of that trojan, and NOD detects both using SIGNATURES as Win32/Spy.Flux.A trojan.


     
  7. I think you haven't understood! I said: NOD32 detects that trojan but it's not able to delete it!
    During a scan NOD32 finds the "TrojanSpy.Win32.Flux.a" and asks me what I want to do: rename, delete or quarantine, as usual in case of a virus. I've tried all 3 possibilities and first of all quarantine turns out to be impossible (gives an error message). If I delete, it logs the operation as "file deleted" but in the next scans I continue to find that trojan on my PC. The same happens for "rename".
    As user "Sard" said: "Detection without removal is pretty useless"

    Have you a trick to suggest?

    thanks
     
  8. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    But.. you submitted the file like Marcos asked, right o_O
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
    If using XP, turn off System Restore and restart your computer and scan.

    If the trojan still appears, enter the safe mode and delete it manually.
     
  10. This trojan is hard to destroy. I've deleted it manually and after a few seconds it is auto-regenerated. Hundreds of times deleted, hundreds of times it recreates itself.
    It's hidden under the name "svchost.exe" and you can imagine how Windows recognizes this file.
    I've no idea what I have to do now. I've tried with a specific program for trojans (The Cleaner) and the problem persists.

    Any advice?

    thx
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi David,
    I suggest you send a log created by HijackThis (can be found easily on the web) to support@nod32.com with a description of the problem.
     
  12. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    A poll was taken a little while back here in Wilders and it was asked if it was desirable to have an all-in-one security programme to handle viruses, Trojans, worms, adware, malware, key loggers etc. and the consensus was that a single programme was more likely to be compromised so it was mentioned that it is better to have a dedicated anti-virus program, an anti-Trojan programme, an anti-worm programme etc. Overlap is good. Layered protection is the best way to go.

    Yes we know it is not so convenient to have so many programmes just for security but is true security the priority or convenience? Yes Eset says protection is available from nasties other than viruses but can we rely upon any single programme to be a be-all and end-all? No.

    Suggestion for anti-Trojan protection:
    1) Safe/smart INTERNET usage
    2) Layered defense
    3) TDS3 anti-Trojan Suite
    4) Individual settings in the O/S and Browser
     
  13. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Re: NOD32 and the "TrojanSpy.Win32.Flux.a" [by IFightYouForever]

    ORIGINALLY POSTED BY IFightYouForever

    Hi everyone. My first post so don't scream at me if I do anything wrong,
    I just happened to swing by and see this post, maybe this is completely useless but here goes.

    First off, <removed> is the guy who made "flux", some dude from Sweden. This link is to a website in Sweden so you can figure out which language you have to deal with. More info on flux can be found on <removed>


    And <removed> is a link to a guide he wrote. The guide is in English btw. This probably won't help anyone at all but, why not, maybe the intelligent ones can figure something out with the help of the guide?!

    Please excuse my bad language,
    Regards, // Retard from Sweden.

    Edit: Oh by the way, Flux also creates some file called "A0033695.exe" my Nod32 likes to remind me about it.

    =============MOD NOTE============

    Hi IFightYouForever, I realise this was your first post and it had been removed for review as the links provided were to a virus writer's website, where you could actually download them. This goes against our TOS and as such had to be removed.

    Please feel free to continue posting, but also be aware of the TOS so that no one can be compromised by malware links. Thanks for your co-operation. ~ TAS
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Re: NOD32 and the "TrojanSpy.Win32.Flux.a" [by IFightYouForever]

    Flux injects into running processes and restores itself if deleted. This is a very nasty trojan, but even manual removal is quite easy when you know how. Try the trick I worked out, posted below. Substitute "mixerw.exe" for the trojan filename

    Feel free to duplicate this anywhere, but please credit me :)

    http://www.diamondcs.com.au/forum/showpost.php?p=23562&postcount=6
     
  15. linney

    linney Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    174
    That's a "TDS private" member login Gavin.
     
  16. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    No actually, it is not from DCS's "private" TDS forum section. It's from their public forums, however, the DCS forums require member registration for access. There is no Guest level access there.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Instructions by Gavin Coe of DCS, home of TDS-3, Process Guard and more

    "Its self-protection is very nasty, different to what was expected."

    Follow these steps EXACTLY before declaring your system clean:

    1. Create a folder called mixerw.exe on your desktop.

    2. Open an explorer window with Windows folder visible, highlight the trojan file.

    3. Hold Shift and press Delete, don't say yes to delete the file YET.

    4. Press Y and quickly drag drop the folder from the desktop into the Windows directory.

    You might have to try a few times, but once you do drop it in there, the file can't be replaced because a folder of that name already exists.

    5. Reboot immediately. Now delete all startup methods that will delete.

    6. Search with regedit for mixerw, delete all entries that exist.

    You should be clean here. If referring to these instructions, substitute mixerw with the name of the infected file.

    7. Reboot, and run regedit again - check for any entries again, delete them if any still exist. Reboot, AGAIN check to see if any entries are still found.

    Feel free to duplicate this anywhere, but please credit Gavin Coe DCS.

    Thanks Gavin.

    Cheers :D
     
    Last edited: Sep 17, 2004
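An added example, not from the thread or from DCS, that scripts Gavin Coe's folder-placeholder trick from the post above in PowerShell: it deletes the detected file, immediately occupies its path with a directory of the same name so the injected watchdog cannot re-create it, then lists Run/RunOnce autostart entries that reference the name for manual review (the regedit step). Assumptions: the file name and its directory are known (the defaults use the thread's "mixerw.exe" in the Windows directory as a constructed placeholder), the script runs elevated, and a reboot still follows as in step 5.

```powershell
# Added example (not the thread's or DCS's own code): automate the folder-placeholder trick.
# Substitute the real detected file name for the constructed default below.
param(
    [string]$FileName  = 'mixerw.exe',       # name of the detected trojan file (thread's example)
    [string]$Directory = $env:SystemRoot     # Windows directory, where the thread says it lives
)

$target = Join-Path $Directory $FileName

# Steps 3 and 4: delete the file and at once occupy its path with a directory of the same
# name. A directory at that path blocks any process from re-creating the file there.
if (Test-Path -LiteralPath $target -PathType Leaf) {
    Remove-Item -LiteralPath $target -Force -ErrorAction Stop
}
if (-not (Test-Path -LiteralPath $target -PathType Container)) {
    New-Item -ItemType Directory -Path $target | Out-Null
    "Placeholder directory created at $target"
}

# Step 6: report autostart values that reference the name, for manual review before deletion.
# The restoring code is injected into running processes, so reboot (step 5) before trusting this.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$hits = foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata properties PowerShell adds
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like "*$FileName*") {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}
if ($hits) { $hits | Format-Table -AutoSize } else { "No Run/RunOnce entries reference $FileName" }
```

Run it again after the reboot in step 7; the placeholder directory can be removed once no autostart entry references the name.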