[Dshield] Spyware Problem

Sue Young sforslev at gmail.com
Tue Jan 2 17:56:12 GMT 2007


I'm the one that posted asking about it.

Before you try to delete it, try using a system restore to go back before
the system was infected.  If that doesn't work, disable the system restore
before deleting the trojan files.  You don't want them restored again!

It's Winfixer, one of my users had it  2 weeks ago.  Boot in safe mode and
delete that Winbudget directory.  Also use HijackThis to delete the bho for
matrix.dll in the registry.  The trojan that installed winfix was detected
by Trend so I was able to delete it in safe mode too.  If you find other
trojans on the system, they probably installed winfix and you will keep
getting winfix back until they're removed.  I was about 1/2 hour from wiping
the computer.

I keep a usb key with HijackThis, Autoruns, and various Sysinternals
utilities on it so that I have all the tools I need when I go to a user's
machine.  Sometimes I have to pull the machine off the network so I can't
count on downloading utilities.

Sue Young, CISSP



On 12/31/06, Marie Campbell <sparrowhwk007 at gmail.com> wrote:
>
> Thanks for all the advice. I'm sorry I didn't make myself clear in my
> first
> post exactly what I was talking about. This is the problem   C:\Program
> Files\Winbudget\matrix.dll?. I googled it and found the original posting
> in
> this topic. I ran AVG and it found a trojan. Maybe that is where it came
> from,
> I'm not sure.  Thanks again.
>                       Marie
>
> _________________________________________
>
> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
> taught by our top rated instructors plus a huge vendor tools expo.
> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
>


More information about the list mailing list