DjLizard.net » RogueRemover http://DjLizard.net Aw dawg, this is just my whateva-whateva site. Mon, 22 Aug 2011 06:02:44 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Retarded viruses http://DjLizard.net/2007/10/10/268/ http://DjLizard.net/2007/10/10/268/#comments Wed, 10 Oct 2007 21:07:55 +0000 DjLizard http://DjLizard.net/2007/10/10/268/ Twice in 24 hours I've come across "WinBudget" which is some garbage BHO (filename matrix.dll) that gets installed somehow. A few of our customers who don't even venture that deep into the internet (and I know for a fact they don't surf porn sites or download pirated software) got infected by it somehow. I'm guessing it might have been an Outlook/Outlook Express/Internet Explorer zero-day exploit or something.

That was ridiculously easy to remove using RogueRemover and Spybot, but neither were able to find the odd infection left behind:

If you search your drives for folders called 'bak' you may find backup copies of executables from several popular software packages such as Adobe (several products), Nero, Apple (iTunes and Quicktime), Incredimail, Realplayer, Java, and even Norton Antivirus. If you move the contents of each bak folder to its parent directory and overwrite, the infection is gone. Thanks, stupid virus, for making backup copies before infecting files.

The best way to find these folders is like this:
Start > Run > cmd.exe (to get a command prompt)
dir /a /b /s bak

You'll get a list of affected applications. Go into each 'bak' folder and move whatever is in there one level up.

cd bak
move *.* ..

(yes you want to overwrite)

Thanks, WinBudget, or whatever the fuck you are.

Edit: I also found out that WinBudget sticks one or more entries in Internet Explorer's trusted zone list. One is called whataboutadog (dot com) and one is whataboutarabit (sic) (dot com).

© DjLizard for DjLizard.net, 2007. | Permalink | 10 comments | Add to del.icio.us
Post tags: , ,

Feed enhanced by Better Feed from Ozh

]]> http://DjLizard.net/2007/10/10/268/feed/ 10