Win32/fynloski.aa trojan problem
Hello,
I got the Win32/fynloski.aa trojan today & I am not sure if I have completely removed it, as I have heard it reappears after some time if not successfully removed from the computer.
Well, firstly I scanned my computer with Eset NOD 32 Antivirus & it found the trojan attached to my calc.exe (C:/Windows/SysWOW64/calc.exe), but it had failed to remove it. I tried to put it into quarantine which also ended up failing.
Afterwards, I ran CCleaner, Spybot S&D + removed the calc.exe manually from my computer & re-checked all of the registries connected to that trojan (listed below).
(The problem about this trojan is that it always changes places where it is, which makes it hard to remove manually, and even harder for an antivirus to remove it.
It also stealthily installs the backdoor, encased in a Cabinet self-extractor, on the affected system. Also, it is a type of RAT (Remote Administration Tool) trojan and so far, no RAT actions have been taken on my PC, which is why I don't know if it's gone or not.
So far, as I had searched through the internet, I found absolutely no antivirus programs that are capable of removing it themselves, without having to do it manually.)
This is all I had found about this trojan so far & that's why I'm asking is there something else left to do to remove it permanently off my computer?
(I had re-scanned my PC with Eset and it found no viruses; however, many people complain that the trojan stays hidden & undetectable after a so-called "temporary remove".)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
Last edited by jackthewar; 16 Jun 2012 at 18:31.
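Added example, not part of the original post: one way to re-check the registry values listed above without clicking through regedit is to export the hive to a .reg file and compare it against that list. The function names, the sample export and its "Updater" entry are constructed for illustration; a match only means the value equals what the post lists and still needs manual review.

```python
import re

CV = r"software\microsoft\windows\currentversion"
IE = r"software\microsoft\internet explorer"
# (key path below the hive, value name) -> data listed in the post; None = any data. Hive is ignored.
LISTED = {
    (CV + r"\internet settings", "certificaterevocation"): "0",
    (CV + r"\internet settings", "warnonbadcertrecving"): "0",
    (CV + r"\policies\activedesktop", "nochangingwallpaper"): "1",
    (CV + r"\policies\associations", "lowriskfiletypes"): None,
    (CV + r"\policies\attachments", "savezoneinformation"): "1",
    (CV + r"\policies\system", "disabletaskmgr"): "1",
    (IE + r"\download", "checkexesignatures"): "no",
    (IE + r"\main", "use formsuggest"): "yes",
    (CV + r"\explorer\advanced", "hidden"): "0",
    (CV + r"\explorer\advanced", "showsuperhidden"): "0",
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, name, data) from .reg export text; dword data becomes a decimal string."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name, raw = m.groups()
            is_dword = raw.lower().startswith("dword:")
            data = str(int(raw[6:], 16)) if is_dword else raw.strip('"').replace("\\\\", "\\")
            yield key, name, data

def audit(text):
    """Return (values equal to the post's list, all Run entries) for manual review."""
    matches, run_entries = [], []
    for key, name, data in parse_reg(text):
        path = key.lower().partition("\\")[2]
        if path == CV + r"\run":
            run_entries.append((key, name, data))
        ident = (path, name.lower())
        if ident in LISTED and LISTED[ident] in (None, data.lower()):
            matches.append((key, name, data))
    return matches, run_entries
# Constructed sample export (real exports are UTF-16; decode before passing the text in).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\demo\\upd.exe"
'''
```

Calling audit(SAMPLE) reports the DisableTaskMgr value as a match and returns the Run entry separately, since the post's Run value names are not given and every autostart entry has to be judged by hand.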