December 6, 2008

How to remove Trojan.Flush.M?

Trojan.Flush.M generates junk traffic on the LAN (Local Area Network) using the Address Resolution Protocol (ARP). The Trojan sends fake Dynamic Host Configuration Protocol (DHCP) offer packets to clients that are renewing their address, and then attempts to overwrite their DNS configuration.
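The DHCP behaviour described above is detectable on the wire: a legitimate offer comes from the LAN's real DHCP server and hands out the resolvers that server is configured with, so an OFFER whose source, server identifier or DNS option falls outside an allowlist is worth an alert. The following is an added example for this page (not code from the original post): it parses the BOOTP header and DHCP option TLVs, judges OFFERs against allowlists, and runs over two constructed packets. The allowlists, the addresses and the sample packets are assumptions for the demonstration, not captured traffic.

```python
"""Flag DHCP OFFERs whose server or DNS option falls outside an allowlist.

Added example, not code from the original post. The packet layout follows
the BOOTP/DHCP format; allowlists and sample packets below are assumed
test data, not captured traffic.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 53, 54
DHCP_OFFER = 2


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP option TLVs."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # END option
            break
        if code == 0:              # PAD option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "yiaddr": str(IPv4Address(payload[16:20])),
        "options": options,
    }


def ip_list(raw: bytes) -> list:
    """Decode a run of 4-byte IPv4 addresses (e.g. the DNS server option)."""
    return [str(IPv4Address(raw[j:j + 4]))
            for j in range(0, len(raw) - len(raw) % 4, 4)]


def check_offer(payload: bytes, src_ip: str,
                trusted_servers: set, trusted_dns: set) -> list:
    """Return (finding, detail) pairs for an OFFER; [] if it looks legitimate."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
        return []                                  # only OFFERs are judged here
    findings = []
    server_id = opts.get(OPT_SERVER_ID, b"")
    server_id = str(IPv4Address(server_id)) if len(server_id) == 4 else None
    if server_id not in trusted_servers:
        findings.append(("untrusted-server-id", str(server_id)))
    if src_ip not in trusted_servers:
        findings.append(("untrusted-source", src_ip))
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if dns not in trusted_dns:
            findings.append(("untrusted-dns", dns))
    return findings


def build_offer(xid: int, yiaddr: str, server_id: str, dns: list) -> bytes:
    """Construct a minimal DHCP OFFER (sample data for this example)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=2 (BOOTREPLY)
    hdr += IPv4Address("0.0.0.0").packed                    # ciaddr
    hdr += IPv4Address(yiaddr).packed                       # yiaddr
    hdr += IPv4Address(server_id).packed                    # siaddr
    hdr += IPv4Address("0.0.0.0").packed                    # giaddr
    hdr += bytes(16) + bytes(64) + bytes(128)               # chaddr, sname, file
    dns_raw = b"".join(IPv4Address(d).packed for d in dns)
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    opts += bytes([OPT_DNS, len(dns_raw)]) + dns_raw + b"\xff"
    return hdr + MAGIC_COOKIE + opts


TRUSTED_SERVERS = {"192.168.1.1"}    # assumed: the LAN's real DHCP server
TRUSTED_DNS = {"192.168.1.1"}        # assumed: the resolvers it should hand out

# Constructed samples: a normal offer, and one that carries the real server's
# ID but pushes outside resolvers and arrives from a workstation's address.
LEGIT_OFFER = (build_offer(0x1234, "192.168.1.50", "192.168.1.1",
                           ["192.168.1.1"]), "192.168.1.1")
ROGUE_OFFER = (build_offer(0x1234, "192.168.1.50", "192.168.1.1",
                           ["203.0.113.5", "203.0.113.6"]), "192.168.1.77")

if __name__ == "__main__":
    for label, (pkt, src) in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(label, check_offer(pkt, src, TRUSTED_SERVERS, TRUSTED_DNS))
```

The source-address check matters because the option fields are entirely under the sender's control: an offer can claim the real server's identifier in option 54, but it still has to leave the rogue host's own IP on the LAN, so comparing both against the allowlist catches what the server-id check alone would miss.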


How to remove Trojan.Flush.M?

1. Stop services added by this trojan.
Right click "My Computer"
Select "Manage"
Go to "Services and Applications" and click "Services"
Stop the service named "ArcNet NDIS Protocol Driver" (right-click it and select Properties) and change its startup type to "Manual".
Restart your PC.

2. Perform the standard procedure for virus removal.
** Standard procedure for virus removal.
3. Delete these registry values added by the Trojan.
** How to edit the registry?



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\"Service" = "Ndisprot"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\"DeviceDesc" = "ArcNet NDIS Protocol Driver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\Control\"*NewlyCreated*" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\Control\"ActiveService" = "Ndisprot"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\Enum\"0" = "Root\LEGACY_NDISPROT\0000"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\Enum\"Count" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\Enum\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\"TimestampMode" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\"Type" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\"Start" = "3"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\"ErrorControl" = "1"


** Remove these files
C:\Windows\inf\ndisprot.inf
C:\Windows\System32\drivers\ndisprot.sys
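Before editing the registry by hand, it helps to know which of the indicators above are actually present on the machine, and to re-check after the removal steps. The following is an added example for this page (not code from the original post): it parses the registry lines listed above into structured records, tolerating the one line written without an opening quote before the value name, and reports which values and files still exist. The registry check uses Python's standard-library winreg module and therefore runs only on Windows; elsewhere it returns None so the parser can still be used.

```python
"""Parse the registry indicators listed above and audit a host for them.

Added example, not code from the original post. The indicator lines and
file paths are those the post names; registry lookups use the standard
library's winreg module and only run on Windows.
"""
import os
import re
import sys
from typing import List, NamedTuple, Optional


class RegIndicator(NamedTuple):
    hive: str      # e.g. HKEY_LOCAL_MACHINE
    subkey: str    # key path below the hive
    name: str      # value name
    data: str      # expected data, as written on the page


# Matches  HIVE\Sub\Key\"Name" = "Data"  and tolerates a missing opening
# quote before the value name (one line on the page is written that way).
LINE_RE = re.compile(r'^(HKEY_[A-Z_]+)\\(.+?)\\"?([^"\\]+)"\s*=\s*"(.*)"\s*$')

# Indicator lines as given on the page.
INDICATOR_TEXT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\"Service" = "Ndisprot"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\"DeviceDesc" = "ArcNet NDIS Protocol Driver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\Control\"*NewlyCreated*" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISPROT\0000\Control\"ActiveService" = "Ndisprot"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\Enum\"0" = "Root\LEGACY_NDISPROT\0000"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\Enum\"Count" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\Enum\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\TimestampMode" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\"Type" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\"Start" = "3"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisprot\"ErrorControl" = "1"
"""

# Files the page lists for removal.
FILES = [r"C:\Windows\inf\ndisprot.inf",
         r"C:\Windows\System32\drivers\ndisprot.sys"]


def parse_indicators(text: str) -> List[RegIndicator]:
    """Turn the page's listing into RegIndicator records."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised indicator line: {line}")
        out.append(RegIndicator(*m.groups()))
    return out


def audit_registry(indicators: List[RegIndicator]) -> Optional[List[RegIndicator]]:
    """Return the indicators whose value exists; None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    present = []
    for ind in indicators:
        try:
            with winreg.OpenKey(hives[ind.hive], ind.subkey) as key:
                winreg.QueryValueEx(key, ind.name)   # raises if the value is absent
        except OSError:
            continue
        present.append(ind)
    return present


def audit_files(paths: List[str]) -> List[str]:
    """Return the listed files that exist on this host."""
    return [p for p in paths if os.path.exists(p)]


if __name__ == "__main__":
    indicators = parse_indicators(INDICATOR_TEXT)
    print(f"{len(indicators)} registry indicators parsed")
    hits = audit_registry(indicators)
    print("registry check skipped (not Windows)" if hits is None
          else f"{len(hits)} registry values present")
    print("files present:", audit_files(FILES))
```

Run it as an administrator on the affected machine before and after following the steps above; a clean result is an empty list of present values and no files found. The script only reads, so it can be used as a check without touching the registry itself.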
