NOD32 and the "TrojanSpy.Win32.Flux.a"

NOD32 detects (only advanced heuristics mode) the "TrojanSpy.Win32.Flux.a" , but it's not be able to delete, or quarantine or simply to rename it ! For sophos antivirus it's child's play to delete it.

NOD32, the best antivirus solution? What a disappiontment !

 

I don't understand - if NOD32 detects something without needing to be updated is dissapointing? Please send me a PM with the full name and path to the file in question as well as what module (AMON or IMON) it was detected by.

If NOD32 detects something via Advanced heuristics, please do not delete that files without sending it to sample@nod32.com for analysis.

 

He's obviously disappointed because NOD32 can't remove the file. Detection without removal is pretty useless.

 

If the on-demand scanner finds a virus in an archive it's necessary to remove it manually. However, since IMON scans all files including archives, there's no way a trojan (even detected as NewHeur_PE) could slip through the HTTP scanner.

 

Marcos, it could be that I'm not the only NOD user not using IMON. AMON should be able to delete without my having to do it manually. If Eset wants those of us who do not use IMON to stay with NOD32 they have to do a lot of fixing of the resident scanner AMON. Yes, it is better but still lacking for those of us using no email or HTTP scanners.

 

Do you've NOD updated?
I've 2 variants of that trojan, and NOD detect both using SIGNATURES as Win32/Spy.Flux.A trojan

 

I think you haven't understood ! I said: Nod32 detects that trojan but it's not able to delete it!
During a scan nod32 finds the "TrojanSpy.Win32.Flux.a" and asks me what I want to do: rename, delete or quarantine, as usually in case of virus. I've tried all 3 possibilities and first of all a quarantine results impossible (gives a error message). If I delete, it logs the operation as "file deleted" but in the next scans I continue to find that trojan on my pc. The same happens for "rename".
As user "Sard" said : "Detection without removal is pretty useless"

Have you a trick to suggest ?

thanks

 

But.. you submitted the file like Marcos asked, right

 

This trojan is hard to destroy. I've deleted it manually and after a few seconds is auto-regenerated. Hundreds times deleted, hundreds times recreate itself.
It's hidden under the name "svchost.exe" and you can imagine how windows recognize this file.
I've no idea what I have to do now. I've tried with a specific program for trojans (the cleaner) and the problem persists.

Any advice ?

thx

 

Hi David,
I suggest you send a log created by HijackThis (can be found easily on the web) to support@nod32.com with a description of the problem.

 

A poll was taken a little while back here in Wilders and it was asked if it was desirable to have an all-in-one security programme to handle viruses, Trojans, worms, adware, malware, key loggers etc. and the consensus was that a single programme was more likely to be compromised so it was mentioned that it is better to have a dedicated anti-virus program, an anti-Trojan programme, an anti-worm programme etc. Overlap is good. Layered protection is the best way to go.

Yes we know it is not so convenient to have so many programmes just for security but is true security the priority or convenience? Yes Eset says protection is available from nasties other than viruses but can we rely upon any single programme to be a be-all and end-all? No.

Suggestion for anti-Trojan protection:
1) Safe/smart INTERNET usage
2) Layered defense
3) TDS3 anti-Trojan Suite
4) Individual settings in the O/S and Browser

 

Re: NOD32 and the "TrojanSpy.Win32.Flux.a" [by IFightYouForever]

ORIGINALLY POSTED BY IFightYouForever

Hi everyone. My first post so dont scream at me if i do anything wrong,
I just happend to swing by and see this post, maybe this is completly useless but here goes.

First off, <removed> is the guy who made "flux" some dude from sweden. This link is to a website in sweden so you can figure out wich language you have to deal with. More info on flux can be found on <removed>


And <removed> is a link to a guide he wrote. The guide is in english btw. This probably wont help any one at all but, why not, maybe the intelligent ones can figure somthing out with the help of the guide?!

Please excuse my bad language,
Regards, // Retard from Sweden.

Edit: Oh by the way, Flux also creates some file called "A0033695.exe" my Nod32 likes to remind me about it.

=============MOD NOTE============

Hi IFightYouForever, I realise this was you first post and it had been removed for review as the links provided were to a virus writer's website, where you could actually download them. This goes against our TOS and as such had to be removed.

Please feel free to continue posting, but also be aware of the TOS so that no one can be comprised by malware links. Thanks for your co-operation. ~ TAS

 

Re: NOD32 and the "TrojanSpy.Win32.Flux.a" [by IFightYouForever]

Flux injects into running processes and restores itself if deleted. This is a very nasty trojan, but even manual removal is quite easy when you know how. Try the trick I worked out, posted below. Substitute "mixerw.exe" for the trojan filename

Feel free to duplicate this anywhere, but please credit me

http://www.diamondcs.com.au/forum/showpost.php?p=23562&postcount=6

 

That's a "TDS private" member login Gavin.

 

Instructions by Gavin Coe of DCS, home of TDS-3, Process Guard and more

"Its self protection is very nasty, different to what was expected."

Follow these steps EXACTLY before declaring your system clean:

1. Create a folder called mixerw.exe on your desktop.

2. Open an explorer window with Windows folder visible, highlight the trojan file.

3. Hold Shift and press Delete, don't say yes to delete the file YET.

4. Press Y and quickly drag drop the folder from the desktop into the Windows directory.

You might have to try a few times, but once you do drop it in there, the file can't be replaced because a folder of that name already exists.

5. Reboot immediately. Now delete all startup methods that will delete.

6. Search with regedit for mixerw, delete all entries that exist.

You should be clean here. If referring to these instructions, substitute mixerw with the name of the infected file

7. Reboot, and run regedit again - check for any entries again, delete them if any still exist. Reboot, AGAIN check to see if any entries are still found."

Feel free to duplicate this anywhere, but please credit Gavin Coe DCS.

Thanks Gavin.

Cheers