
Troj/bubnix-A - in windows\system32\drivers\cpdqn.sys

Please, can anyone help? I have a network of Windows XP computers running Sophos Endpoint Security. One of these computers has a trojan, namely Troj/Bubnix-A, found in the file cpdqn.sys, and it reports that a manual clean is required. I have tried booting to Safe Mode and running sav32cli from a CD created on a separate machine, but it reports that it cannot open this file and therefore considers it clean. How can I clean this file / remove it?



  • I suggest you call Support. I can think of several methods to get rid of this single file but I don't know whether it will have side effects.

    Christian

  • I am trying that. I have tried to delete the file using normal methods, but to no avail; I get, for example, from Explorer: "cannot delete cpdqn: cannot read from the source file or disk."

  • I have tried to delete the file using normal methods

    This definitely won't work; if it would, sav32cli would have done it. Again, as I haven't dealt with it and therefore can't tell what else is involved besides this executable, I recommend calling Support.

    Among "other methods" is booting (a different OS) with a CD and deleting the file from there. The analysis of Troj/Bubnix-A is quite sparse but it hints at a possible rootkit component. Just deleting the file might or might not be sufficient. Or it could damage your system.

    As you don't seem familiar with these things I advise against "self-help" (and - Support is free).

    Christian

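The "boot a different OS from CD and remove the file from there" route Christian describes, written out as an added example; this is not code from the thread or from Sophos. It assumes the Windows partition has already been mounted read-write from a live Linux CD (the `ntfs-3g` mount line in the comments, the device name and the `/mnt/win` mount point are assumptions). Rather than deleting the suspect driver outright, it moves it to a quarantine directory and records its SHA-256, size and original path, so the file can be put back if removal damages the system, or handed to the vendor for analysis.

```shell
#!/bin/sh
# Added example, not from the original thread or from Sophos.
# Quarantine a driver file from an offline-mounted Windows volume.
#
# Assumptions (check them on your own system):
#   - the Windows partition is mounted read-write from a live Linux CD,
#     e.g.:  mount -t ntfs-3g /dev/sda1 /mnt/win
#   - /dev/sda1 and /mnt/win are placeholders, not real values from the thread
#
# Usage: quarantine_driver <mount-root> <driver-file-name> <quarantine-dir>
# Prints the quarantined file's new path on success; returns 1 if the
# driver file is not present under <mount-root>.

sha256_of() {
    # GNU coreutils first, then the BSD/macOS shasum fallback.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

find_driver() {
    # NTFS is case-insensitive but ntfs-3g shows names with the case stored
    # on disk (WINDOWS vs Windows), so match the path case-insensitively.
    # Depth 4 = <root>/WINDOWS/system32/drivers/<file>.
    root=$1
    name=$2
    find "$root" -maxdepth 4 -type f -ipath "*/system32/drivers/$name" 2>/dev/null | head -n 1
}

quarantine_driver() {
    root=$1
    name=$2
    qdir=$3
    path=$(find_driver "$root" "$name")
    if [ -z "$path" ]; then
        echo "not found: $name under $root" >&2
        return 1
    fi
    mkdir -p "$qdir"
    # Record hash, size and original location before moving anything, so the
    # file can be restored or submitted to the vendor later.
    size=$(wc -c <"$path" | tr -d ' ')
    printf '%s  %s  %s\n' "$(sha256_of "$path")" "$size" "$path" >>"$qdir/manifest.txt"
    # Move rather than delete: reversible if the system fails to boot afterwards.
    mv "$path" "$qdir/$name.quarantined"
    echo "$qdir/$name.quarantined"
}
```

On a live CD you would run it against the real mount point, e.g. `quarantine_driver /mnt/win cpdqn.sys /mnt/usb/quarantine` (paths are placeholders). The driver's loading entry in the registry is not touched here, because the thread does not say where Troj/Bubnix-A registers itself; a missing driver file is normally logged at boot and skipped, but as Christian notes, removing the file alone may or may not be the whole cleanup.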
  • Hi,

    Thanks Christian,

    I have spoken with Bill from Technical Support about this problem, and he pointed me towards the Linux bootable CD with Sophos on it, so as not to involve Windows at all. This I duly ran, and although I had initially run it in disinfect mode, I ended up having to run it in delete mode, which cured the problem, so all is now good.

    Ian
