Troj/Winflux-B

Discussion in 'malware problems & news' started by dostival, Aug 24, 2004.

Thread Status:
Not open for further replies.
  1. dostival

    dostival Registered Member

    Joined:
    Aug 24, 2004
    Posts:
    3
    Hello all,
    I am having trouble removing this trojan.
    I'm following Sophos' instructions to remove it, but it does not work!!
    The startup entries in the registry keep coming back!
    If I delete the file it also comes back! Why?
    What am I doing wrong?
    I open regedit and find the keys Sophos says, then I delete them.
    They disappear, but if I press F5 (refresh) they are back again.
    Same with the file.
    I go to Explorer and delete the file c:\windows\backvol.exe.
    But after I refresh, the file is back!
    How can I remove it?
    Can TDS help me?
    Why can I not remove it?

    This happens if I boot the computer in Safe Mode too!

    info:
    http://www.sophos.com/virusinfo/analyses/trojwinfluxb.html
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Do you have System Restore turned off?

    Have you edited the registry as they advise?

    You will also need to edit the following registry entries, if present. Please read the warning about editing the registry.

    At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

    Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

    Locate the HKEY_LOCAL_MACHINE entries:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    and remove any reference to any file you deleted.

    Locate the HKEY_LOCAL_MACHINE entries:
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(CLASS ID)\
    delete only the entry with the path of the Trojan, nothing else.

    Each user has a registry area named HKEY_USERS\[code number indicating user]\.

    For each user locate the entry:
    HKCU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
    HKCU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    and remove any reference to any file you deleted.

    Close the registry editor.

    Hope this helps...

    Cheers :D
     
  3. dostival

    dostival Registered Member

    Joined:
    Aug 24, 2004
    Posts:
    3
    Yes, I have.

    I have (tried to) remove all of them.

    This is also what Sophos says:
    "The Trojan has the ability to monitor these autostart entries and may restore them if they are deleted."

    I think that is why my registry entries cannot be deleted.
    Sure, I can delete them, but they keep coming back.
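    Added example (not from the original thread, and not Sophos' or DiamondCS' code): a PowerShell script that walks the autostart locations listed in the previous reply (Run and RunOnce under HKLM and under every loaded user hive in HKEY_USERS, plus the StubPath value of each Active Setup Installed Components subkey) and reports every value whose data references a given file name. With -Remove it deletes only those values and re-checks after a delay, so an entry that is being restored by a running process, as the quoted Sophos text describes, shows up in the output instead of silently reappearing. The default file name backvol.exe is the one reported above; the parameter names and the recheck interval are assumptions of this example.

    ```powershell
    # Added example, not part of the original thread. Run from an elevated
    # PowerShell prompt. Lists autostart values that reference $Target and,
    # with -Remove, deletes only those values and checks whether they return.
    param(
        [string]$Target = 'backvol.exe',   # file name from the original post; assumption that it is unchanged
        [switch]$Remove,
        [int]$RecheckSeconds = 10          # arbitrary wait before re-checking
    )

    # Run/RunOnce for the machine hive, then for every loaded user hive in
    # HKEY_USERS (covers users other than the one currently logged on).
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($hive in (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
        $base = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion"
        $runKeys += "$base\Run"
        $runKeys += "$base\RunOnce"
    }
    $activeSetupKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'

    function Test-References {
        param([object]$Data, [string]$Needle)
        # Case-insensitive substring match on the value data (paths, command lines)
        return ("$Data".IndexOf($Needle, [System.StringComparison]::OrdinalIgnoreCase) -ge 0)
    }

    function Find-AutostartReferences {
        param([string]$Needle)
        $hits = @()
        foreach ($key in $runKeys) {
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the provider's own metadata properties (PSPath, PSParentPath, ...)
                if ($p.Name -like 'PS*') { continue }
                if (Test-References -Data $p.Value -Needle $Needle) {
                    $hits += [pscustomobject]@{ Key = $key; Name = $p.Name; Data = $p.Value }
                }
            }
        }
        # Active Setup: one subkey per component (CLSID); the launch command is StubPath.
        foreach ($sub in (Get-ChildItem $activeSetupKey -ErrorAction SilentlyContinue)) {
            $stub = (Get-ItemProperty -Path $sub.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
            if ($stub -and (Test-References -Data $stub -Needle $Needle)) {
                $hits += [pscustomobject]@{ Key = $sub.PSPath; Name = 'StubPath'; Data = $stub }
            }
        }
        return $hits
    }

    $before = @(Find-AutostartReferences -Needle $Target)
    if ($before.Count -eq 0) {
        Write-Host "No autostart value references '$Target'."
        return
    }
    Write-Host "Autostart values referencing '$Target':"
    $before | Format-Table -AutoSize

    if ($Remove) {
        foreach ($h in $before) {
            # Delete only the value that points at the file, never the whole key
            Remove-ItemProperty -Path $h.Key -Name $h.Name -ErrorAction Stop
        }
        Start-Sleep -Seconds $RecheckSeconds
        $after = @(Find-AutostartReferences -Needle $Target)
        if ($after.Count -gt 0) {
            Write-Warning "Entries returned within $RecheckSeconds s. A process that is still running is restoring them; find and stop that process before editing the registry again."
            $after | Format-Table -AutoSize
        } else {
            Write-Host "Values removed and not restored within $RecheckSeconds s."
        }
    }
    ```

    Usage: `.\Find-Autostart.ps1` lists matches only; `.\Find-Autostart.ps1 -Remove` deletes the matching values and reports whether they came back. A positive re-check result is the signal the original poster was missing: the registry edit is not failing, something resident is undoing it, and that process has to be stopped first.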
     
  4. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O

    Yes, TDS can help you. Download and install it and do a full system scan (update before scanning).

    download here
    http://tds.diamondcs.com.au/
    update here
    http://tds.diamondcs.com.au/index.php?page=update
    basic configuration and info here
    https://www.wilderssecurity.com/showthread.php?t=24666

    This one drops several files; AV sites' write-ups are not that helpful, because the filenames are customisable.

    Flux also has a hidden startup, making it difficult to remove completely.
    So a dedicated anti-trojan really is your best bet!

    Edit: you might want to post TDS's scan report here.
     
  5. dostival

    dostival Registered Member

    Joined:
    Aug 24, 2004
    Posts:
    3
    OK, I tried it.
    TDS finds it as RAT.Flux 1.0b.
    I can right-click and select "delete file", but it still comes back right after I delete it!
    Same with the registry.

    So how else do I get rid of it??
     
  6. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Can you boot into Safe Mode (tap the F8 key while booting)

    and scan with TDS again?
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia