winfyz32.dll

Discussion in 'ewido anti-spyware forum' started by mattfca, Mar 5, 2006.

Thread Status:
Not open for further replies.
  1. mattfca

    mattfca Registered Member

    Joined:
    Mar 5, 2006
    Posts:
    2
    Ewido keeps finding this trojan but it can't remove it. It's in a weird location, memory [736], which I have no idea how to get to. Can anyone help? The specific name is Trojan.Agent.og and it's in 736 c:\windows\system32\winfyz32.dll.

    Well I did a restart and it seems to have been removed.
     
    Last edited: Mar 5, 2006
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    It's running in memory; to delete it you must first stop it from running.

    Boot yourself into 'safe' mode:-

    http://www.bleepingcomputer.com/forums/tutorial61.html

    Then do a memory scan with ewido.

    Note the PID number of the relevant process (it was [736] but it could change so note the current PID number).

    Now you need to use ewido's analysis section, click on the 'processes' sub-tab and look for the process with the relevant PID. Then select that process from the list and click terminate process.

    That should halt the process and you should be able to run an ewido scan (still in 'safe') and delete the bad file.

    One word of caution - this may not be possible if the .dll file is loaded into an important system file like Winlogon; in which case you would need to try deleting on reboot. But let us know how the above goes first.
     
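The procedure above (find which process has the DLL mapped, stop it, delete the file, and fall back to delete-on-reboot when the DLL sits in a process such as Winlogon that must not be killed) can be scripted. The following is an added example and not part of the original thread or of ewido; it assumes the path from the first post, C:\Windows\System32\winfyz32.dll, an elevated PowerShell session, and that the list of processes treated as untouchable ($critical) is a hypothetical choice of the author of this example:

```powershell
# Added example, not from the original thread or from ewido.
# Assumption: the DLL path quoted in the first post.
$dll = 'C:\Windows\System32\winfyz32.dll'

# 1. Find every process that currently has the DLL mapped.
#    Reading another process's module list needs admin rights and can fail
#    for protected processes, so errors are swallowed and treated as "not loaded".
$hosts = Get-Process | Where-Object {
    try { $_.Modules.FileName -contains $dll } catch { $false }
}
$hosts | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# 2. Never terminate core system processes; killing them crashes the session.
#    (Hypothetical list chosen for this example.)
$critical = 'winlogon', 'csrss', 'lsass', 'smss', 'services', 'wininit'
$killable = $hosts | Where-Object { $critical -notcontains $_.ProcessName }
$blocked  = $hosts | Where-Object { $critical -contains $_.ProcessName }

foreach ($p in $killable) {
    Write-Host "Terminating PID $($p.Id) ($($p.ProcessName))"
    Stop-Process -Id $p.Id -Force
}

if (-not $blocked) {
    # 3a. Nothing important is holding the file any more: delete it now.
    Remove-Item -LiteralPath $dll -Force
    Write-Host "Deleted $dll"
} else {
    # 3b. The DLL is mapped into a process we must not kill, so schedule the
    #     deletion for the next boot with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT).
    #     Windows records this in
    #     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
    #     and the Session Manager removes the file before the DLL can be loaded again.
    Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4
    if (-not [Win32.Native]::MoveFileEx($dll, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $err  = New-Object ComponentModel.Win32Exception($code)
        throw "MoveFileEx failed: $($err.Message)"
    }
    Write-Host "Held by: $($blocked.ProcessName -join ', '). Deletion queued for next reboot."
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations
}
```

Run it from Safe Mode as the post suggests, then reboot and rescan. The PendingFileRenameOperations value printed in the fallback branch is the same mechanism a scanner's "remove on reboot" entry relies on, so seeing the path listed there is a good sign the deletion will take place at the next start.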
  3. mattfca

    mattfca Registered Member

    Joined:
    Mar 5, 2006
    Posts:
    2
    What was strange was Ewido found another file called 'remove_on_reboot_winfyz32' when I did a full scan, so I rebooted and now it's not finding anything. Thanks for your help.
     