Exploit.wmf

shupola

Active Member
howdy,

It's been a long time since I have posted on this forum, but I'm glad it's here :).

As you might be able to tell, I have a trojan/virus/whatever it is called "exploit.wmf" on my computer and I need to get rid of it. I was doing a scan with AVG Free yesterday, and this thing popped up, but AVG was unable to do anything about it. a-squared didn't detect it as malware either, so I don't know how to get rid of it. If someone knows how then please fill me in.

Also, if I need to post a HijackThis log let me know that too.

thanks,
shupola
 

PC eye

banned
That's a type of trojan downloader that exploits a vulnerability found in the Windows Picture and Fax Viewer. I can easily point you to a free trojan scanner also by Grisoft. Ewido is now owned by Grisoft and is also a free program to grab. First, the Ewido trojan scanner is found at http://www.ewido.net/en/download/

Have you downloaded the latest AVG 7.5? http://free.grisoft.com/doc/2/lng/us/tpl/v5
Ewido catches what AdAware SE Personal misses. And AdAware catches what Ewido misses. :rolleyes: They go well together! :p The free version of Ewido can be found at http://free.grisoft.com/doc/ewido-anti-spyware-free/lng/us/tpl/v5
AdAware SE Personal is another freeware found at http://www.lavasoft.com

Microsoft released a security patch to prevent this from being a problem. http://www.microsoft.com/downloads/...96-57AE-499E-B89B-215B7BB4D8E9&displaylang=en

Removal instructions can be found at http://www.pchell.com/support/alfacleaner.shtml AVG generally shows where a bug is located for manual removal. But if you need to you can post a HiJack This log and find the reg keys to remove.
 

shupola

Active Member
> AVG generally shows where a bug is located for manual removal. But if you need to you can post a HiJack This log and find the reg keys to remove.

I searched back through my test results and found the path for the file, but the file no longer exists??? Does this mean that it is gone? Am I safe from this Trojan or am I still possibly infected?
 

PC eye

banned
It probably left a value lingering in the system registry. If you have a trojan downloader they will hide somewhere on the drive and download other crap. Those are the ones that usually create new registry keys. Check the quarantine archive for AVG there.

There are times when the host trojan will create new startups to see other things downloaded. Once the new bug is stepped on, the host downloads another later. One correction about Ewido is that Grisoft renamed a new version of it to the AVG Anti-Spyware Free found along with AVG 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free

You still will want to run a few different tools to see if there is a host trojan to be dealt with somewhere on the drive. One place to look besides in folders is the root of C. If you see a file with an "exe" extension on it you can ask why that would be seen on an NTFS type partition. For XP Home version, if that is what you are running, the four normal files are "ntdetect.com, ntldr, boot.ini, and the pagefile.sys".
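A defender-side check of the two places this reply points at, stray files in the root of C: and new startup entries in the registry, written here as an added example; it is not code from the thread or from any of the tools it names. It assumes a Windows box with PowerShell 2.0 or later, the function names and the snapshot path are my own, and the expected-file baseline is an assumption that extends the four names above with other files normally present in the root of an XP install (hidden and system files included).

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+ on Windows.
# Baseline of files normally found in the root of an XP drive (assumption:
# the thread's four names plus the usual hidden/system leftovers).
$RootBaseline = @('ntdetect.com', 'ntldr', 'boot.ini', 'pagefile.sys',
                  'hiberfil.sys', 'autoexec.bat', 'config.sys', 'io.sys', 'msdos.sys')

# Autostart locations a trojan downloader commonly writes new values into.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Files in the drive root that are not in the baseline; -Force includes hidden/system files.
function Get-UnexpectedRootFile {
    param([string]$Drive = 'C:\')
    Get-ChildItem -Path $Drive -Force |
        Where-Object { -not $_.PSIsContainer -and ($RootBaseline -notcontains $_.Name.ToLower()) } |
        Select-Object Name, Length, LastWriteTime, Attributes
}

# Every value under the Run/RunOnce keys as Key / Name / Command records.
function Get-RunKeyEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive/... properties
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Save the current startup entries so a later run can show only what was added since.
function Save-StartupSnapshot {
    param([string]$Path = "$env:USERPROFILE\startup-snapshot.csv")
    Get-RunKeyEntry | Export-Csv -Path $Path -NoTypeInformation
}

# Entries present now but absent from the saved snapshot: the "new startups" the reply warns about.
function Compare-StartupSnapshot {
    param([string]$Path = "$env:USERPROFILE\startup-snapshot.csv")
    $old = @(Import-Csv -Path $Path)
    $new = @(Get-RunKeyEntry)
    if ($old.Count -eq 0) { return $new }   # nothing recorded before: everything counts as new
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Key, Name, Command |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object Key, Name, Command
}

Write-Host 'Unexpected files in the root of C:'
Get-UnexpectedRootFile | Format-Table -AutoSize
Write-Host 'Current Run/RunOnce entries:'
Get-RunKeyEntry | Format-Table Key, Name, Command -AutoSize
```

Run it once after cleaning to get a listing and call Save-StartupSnapshot; a few days later Compare-StartupSnapshot shows only the Run/RunOnce values that appeared in between, which is the pattern the reply describes for a downloader that keeps fetching new things. A file in the root that is not in the baseline is not proof of infection, only a reason to ask why it is there.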
 

shupola

Active Member
> It probably left a value lingering in the system registry. If you have a trojan downloader they will hide somewhere on the drive and download other crap. Those are the ones that usually create new registry keys. Check the quarantine archive for AVG there.
>
> There are times when the host trojan will create new startups to see other things downloaded. Once the new bug is stepped on, the host downloads another later. One correction about Ewido is that Grisoft renamed a new version of it to the AVG Anti-Spyware Free found along with AVG 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
>
> You still will want to run a few different tools to see if there is a host trojan to be dealt with somewhere on the drive. One place to look besides in folders is the root of C. If you see a file with an "exe" extension on it you can ask why that would be seen on an NTFS type partition. For XP Home version, if that is what you are running, the four normal files are "ntdetect.com, ntldr, boot.ini, and the pagefile.sys".


Since that all sounds Greek to me, I think I will post a HijackThis log. :) Maybe you or someone else can tell me if there are any registry keys still around.

I have to download the program, but I will post a log as soon as I get it up and running.

In the meantime, I will be re-running all of my anti-spy/mal/virus programs to see if they can find another trace of the problem.

thanks,
shupola
 

shupola

Active Member
> You can easily use a free registry cleaner called RegCleaner found at http://www.majorgeeks.com/RegCleaner_d460.html That will clean up a ton of leftovers in the registry itself. Consider that a janitor in there.

Yeah, I had that program not too long ago... never used it though. Will it delete important registry keys or just the old ones for programs I no longer have?

Do you have any idea what kind of entry this trojan left behind? What should I be looking for?


> Meanwhile Grisoft renamed Ewido to the AVG Anti-Spyware Free edition now found on the same download page for AVG 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free

Thanks, I downloaded it the other day... it's picking up stuff that Spybot and a-squared missed, even though they are only tracking cookies.

Do you think it is necessary to post a HJT log anyway? If so let me know.

thanks,
shupola:)
 

PC eye

banned
RegCleaner will clean up the loose unassociated garbage. When it first opens you would be the one to select any value seen in that window for manual removal. Let's say you spotted something you know you had already uninstalled and saw an entry; you would simply check that off and click on the delete button at the bottom of the window there.

When first tried along with AdAware, the only thing seen here that Ewido does is remove the data miners that AdAware missed. Likewise AdAware grabbed the ones Ewido missed. AdAware also can nail browser hijackers and remove registry keys at times. I give that the edge over Ewido. AVG on the other hand will show where trojans, viruses, and malwares hide themselves. It can also show which files are changed by a virus and need to be removed or overwritten (like restoring infected system files).

HijackThis has the one purpose of showing what new addons are found on IE 6 (and may not with IE 7 with the new anti-phishing filters) and new startups found in the registry. With a trojan downloader it will download one thing you will see new entries for in the reg. But once that is cleaned the trojan downloads something else and HT finds more a few days later.

Often you need a good trojan hunter like AVG to find where the original "bug" is hidden. In many cases a special removal tool for one specific malware has to be used in order to see it totally gone. You can post another log to see if anything comes up, to be on the safe side anyways. AVG won't catch 100% of the crap out there and neither will any other single program. You found that out with what Spybot and a-squared missed.

The latest version of Windows Defender was just released. You can add a little more protection having one more tool in the tool box. The download page is at http://www.microsoft.com/downloads/...E7-DA2B-4A6A-AFA4-F7F14E605A0D&displaylang=en

The latest version will not support WIN 2000 however. Support for that version of Windows was dropped in July. For the system requirements now seen go to http://www.microsoft.com/athome/security/spyware/software/about/sysreq.mspx
 

shupola

Active Member
> RegCleaner will clean up the loose unassociated garbage. When it first opens you would be the one to select any value seen in that window for manual removal. Let's say you spotted something you know you had already uninstalled and saw an entry; you would simply check that off and click on the delete button at the bottom of the window there.
>
> When first tried along with AdAware, the only thing seen here that Ewido does is remove the data miners that AdAware missed. Likewise AdAware grabbed the ones Ewido missed. AdAware also can nail browser hijackers and remove registry keys at times. I give that the edge over Ewido. AVG on the other hand will show where trojans, viruses, and malwares hide themselves. It can also show which files are changed by a virus and need to be removed or overwritten (like restoring infected system files).
>
> HijackThis has the one purpose of showing what new addons are found on IE 6 (and may not with IE 7 with the new anti-phishing filters) and new startups found in the registry. With a trojan downloader it will download one thing you will see new entries for in the reg. But once that is cleaned the trojan downloads something else and HT finds more a few days later.
>
> Often you need a good trojan hunter like AVG to find where the original "bug" is hidden. In many cases a special removal tool for one specific malware has to be used in order to see it totally gone. You can post another log to see if anything comes up, to be on the safe side anyways. AVG won't catch 100% of the crap out there and neither will any other single program. You found that out with what Spybot and a-squared missed.
>
> The latest version of Windows Defender was just released. You can add a little more protection having one more tool in the tool box. The download page is at http://www.microsoft.com/downloads/...E7-DA2B-4A6A-AFA4-F7F14E605A0D&displaylang=en
>
> The latest version will not support WIN 2000 however. Support for that version of Windows was dropped in July. For the system requirements now seen go to http://www.microsoft.com/athome/security/spyware/software/about/sysreq.mspx



Thanks for all the helpful information PC Eye!!!!!!

I just have 2 questions for you.
1. How do you know all this stuff? and...
2. Why the hell haven't they made you a moderator????:p:)
 

PC eye

banned
Let's see if I can give you a good answer to each there. :confused: :eek: :p

1) I don't, I don't think? I get a good guess? :confused: (just answer the question!) It must be that constant hounding I get to solve everyone else's problems (don't forget the schooling!). Oh yes, the community college courses for "Microcomputer Specialist" and another school for "PC Hardware Specialist". Plus always trying some download or another to see what works. :D

2) Moderator? Gee I haven't thought of applying for that yet. Do you think I would qualify? :eek: Don't answer that! (he's keeping a low profile. ssshhh!)
 