winset32.exe

Discussion in 'malware problems & news' started by bartmdq, Oct 21, 2004.

Thread Status:
Not open for further replies.
  1. bartmdq

    bartmdq Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    2
    This file isn't detected by NOD32 :eek:

    This site: http://virusscan.jotti.dhs.org/ tells me that the file is:

    File: winset32.exe
    Status:
    INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    Packers detected:
    UPX

    AntiVir BDS/Picharad (1.22 seconds taken)
    Avast No viruses found (4.58 seconds taken)
    BitDefender Backdoor.Flux.E (2.59 seconds taken)
    ClamAV No viruses found (2.76 seconds taken)
    Dr.Web BackDoor.Flux.101 (4.52 seconds taken)
    F-Prot Antivirus W32/Flux.C@bd (0.37 seconds taken)
    Kaspersky Anti-Virus Backdoor.Win32.Flux.e (4.22 seconds taken)
    mks_vir Trojan.Downloader.Myway (1.34 seconds taken)
    NOD32 No viruses found (2.71 seconds taken)
    Norman Virus Control W32/Flux.E (1.05 seconds taken)

    Please, I need to remove ;) this file. And I need NOD32 to detect this malware. Please update the definitions list :)

    Thanks a lot :)
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you send a zipped copy of the file to samples@nod32.com?

    Can you also try the steps found here?

    Let us know how you go...

    Cheers :D
     
  3. bartmdq

    bartmdq Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    2
    Thanks, I sent the email ;) with the attachment in a zip.

    I did; I have Lavasoft SE 1.05 and a lot of spyware removers and cleaners, but the file isn't detected ...

    Thanks a lot.
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Did you try Step 4 in the link that I posted?

    Cheers :D
     
  5. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, here are manual removal instructions:

    1. Open Windows task manager [ right click on task bar>task manager ]
    Kill the process IEXPLORE.EXE

    2. Turn off system restore [ right click My Computer>Properties>System Restore>Turn off ]

    3. Go to Registry Editor [ Start>Run>Type Regedit>press ENTER ]

    4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run

    In the right panel, locate and delete the entry:
    sys32 = "%System%\SYS32.EXE"

    In the left panel, double-click the following: HKEY_CURRENT_USER>Software>Microsoft>Windows>
    CurrentVersion>Run

    In the right panel, locate and delete the entry:
    sys32 = "%System%\SYS32.EXE"

    In the left panel, double-click the following: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Active Setup>
    Installed Components>{73AA3483-8D3C-7B5E-6C6A-8E418B5B774B}

    In the right panel, locate and delete the entry:
    StubPath = "%System%\SYS32.EXE 2"

    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)

    Close Registry Editor.

    5. Reboot PC and turn on system restore.


    Take care while in the Windows Registry; only delete those specified.
     
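    An added example, not part of the thread or of any vendor's tooling: a PowerShell script that audits the three registry locations listed in the instructions above for the `sys32` / `StubPath` autostart entries and, only when run with `-Remove`, deletes the ones it finds. The key paths and value names are taken from the post; the check for a leftover `SYS32.EXE` under `$env:SystemRoot\System32` is an assumption about where `%System%` resolves on XP/2000 and is report-only, so the sample can still be sent to the vendor before it is deleted. Run it from an elevated PowerShell prompt; `-WhatIf` shows what would be removed without touching anything.

```powershell
<#
  Added example (not from the thread). Audits the autostart locations named
  in the manual removal instructions and removes the matching values only
  when -Remove is given. The file-on-disk check is an assumption about where
  %System% resolves; it never deletes the file.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without this switch the script only reports
)

# Locations and value names exactly as given in the removal instructions.
$targets = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';  Name = 'sys32' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';  Name = 'sys32' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{73AA3483-8D3C-7B5E-6C6A-8E418B5B774B}'; Name = 'StubPath' }
)

$findings = foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Path)) { continue }
    $item = Get-ItemProperty -LiteralPath $t.Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $value = $item.PSObject.Properties[$t.Name]
    if ($null -eq $value) { continue }
    # Match on the file name, not the full path: %System% expands differently
    # across Windows versions, as the note in the instructions explains.
    # The Active Setup value carries a trailing " 2" argument, so allow that.
    $suspicious = $value.Value -match '(?i)\\sys32\.exe(\s|"|$)'
    [pscustomobject]@{
        Path       = $t.Path
        Name       = $t.Name
        Value      = $value.Value
        Suspicious = $suspicious
    }
}

if (-not $findings) {
    Write-Host 'None of the listed autostart entries are present.'
    return
}

$findings | Format-Table -AutoSize

foreach ($f in ($findings | Where-Object Suspicious)) {
    # ShouldProcess honours -WhatIf / -Confirm; nothing is removed unless -Remove is set.
    if ($Remove -and $PSCmdlet.ShouldProcess("$($f.Path) -> $($f.Name)", 'Remove registry value')) {
        Remove-ItemProperty -LiteralPath $f.Path -Name $f.Name
        Write-Host "Removed $($f.Name) from $($f.Path)"
    }
}

# Assumed location of the payload on NT-family systems; reported only, so the
# user can zip it up for the vendor before deleting it.
$payload = Join-Path $env:SystemRoot 'System32\SYS32.EXE'
if (Test-Path -LiteralPath $payload) {
    Write-Host 'Payload still on disk (report only):'
    Get-Item -LiteralPath $payload | Select-Object FullName, Length, LastWriteTime
}
```

    Reporting before removing matters here because the value-name match is deliberately loose: a legitimate program could in principle register a value called `sys32`, so the `Suspicious` column keys on the `SYS32.EXE` file name from the instructions rather than on the value name alone, and the reboot and System Restore steps from the post still have to be done by hand.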
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi bartmdq,

    To give reference to Sweetie(*)(*)'s manual removal instructions:
    Trend Micro: BKDR_FLUX.E

    There is no mention on that page of a winset32.exe file, though, so this may be a new variant using winset32.exe. It's good then that you have sent the file off to Eset for analysis.

    I would also suggest that you do an on-line scan.

    Regards,

    snap
     
  7. BeanDyp

    BeanDyp Guest

    Look, I have that too.... it sucks.. I think it does an xmas_scan and connects to a remote host..... Symantec Antivirus Corporate 8.0 detected it.... well, all 5000 of them... if there is one on your computer, dude... you're screwed, it replicates... so remove it from the registry.
     