
How Jacked Up Is This?


8 replies to this topic

#1 swampmote

swampmote

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:12 PM

Posted 02 March 2007 - 04:48 PM

I seem to have picked up EXPL_WMF.GEN which was identified by Trend Micro PC-cillin. Once it was identified, it could be neither cleaned nor quarantined. I then scanned my system in safe mode with the system restore turned off, and the trojan could not even be found. After running several online anti-virus applications (HouseCall and Panda among them), none could locate the virus.

It seems unlikely that it just went away without my having done anything to eradicate it. Any suggestions regarding how to proceed?

Thanks.


#2 buddy215

buddy215

  • BC Advisor
  • 12,993 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:12 PM

Posted 02 March 2007 - 05:38 PM

This is a Windows vulnerability that has since been fixed with a patch available from Windows Update, so you should be sure you have all your updates. The update would be more than a year ago. If you ran Trendmicro in safe mode and it didn't find it I would say it was a false positive. Is your Windows up to date? It could also be that what Trendmicro found was in restore files and when you deleted them you deleted that, too.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 swampmote

swampmote
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:12 PM

Posted 02 March 2007 - 06:16 PM

If it helps, Windows is, in fact, up to date, and I scanned my system with the latest virus pattern file. Anything else you think I should try to make sure my system's okay, or is it safe to just go about my business?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,924 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:12 PM

Posted 02 March 2007 - 06:45 PM

Trend Micro suggests making sure these 2 patches are installed prior to running the scan. It also recommends doing this scan in normal mode.

Minimum scan engine version needed: 7.000

Pattern file needed: 3.158.12

Pattern release date: Jan 15, 2006



--------------------------------------------------------------------------------

Solution:




Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your system normally before performing the following solution.

Scan your system with Trend Micro antivirus and delete files detected as EXPL_WMF.GEN. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Windows. Download and install the fix patch supplied by Microsoft in the following pages:

Microsoft Security Bulletin MS05-053
http://www.microsoft.com/technet/security/...n/MS05-053.mspx

Microsoft Security Bulletin MS06-001
http://www.microsoft.com/technet/security/...n/MS06-001.mspx

Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
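The Trend Micro note quoted above only says that the malware exploits the vulnerabilities fixed by MS05-053 and MS06-001; MS06-001 addressed how GDI handled the SETABORTPROC escape inside Windows Metafiles, which is the construct EXPL_WMF-type signatures look for. As an added example (not from this thread or from Trend Micro), this Python script walks a WMF file's record stream and reports any META_ESCAPE record requesting SETABORTPROC, so an admin can triage a file a scanner flagged and then lost track of; the builder and the two sample files are constructed test fixtures, not real samples, and the record layout follows the published MS-WMF format.

```python
import struct

# WMF structures (MS-WMF spec): placeable header key, record function codes,
# and the escape sub-function whose handling MS06-001 patched.
PLACEABLE_KEY = 0x9AC6CDD7
META_EOF = 0x0000
META_SETBKMODE = 0x0102
META_ESCAPE = 0x0626
SETABORTPROC = 9      # escape sub-function flagged by EXPL_WMF-style signatures

def wmf_records(data):
    """Yield (offset, function, params) per record; stop at META_EOF or a malformed record."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    off += struct.unpack_from("<H", data, off + 2)[0] * 2   # HeaderSize is in 16-bit words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2                                # RecordSize is in words too
        if size < 6 or off + size > len(data):
            break                                            # malformed record: stop, do not guess
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size

def find_setabortproc(data):
    """Return offsets of META_ESCAPE records whose escape sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2 and struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
            hits.append(off)
    return hits

def _record(func, params=b""):
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body

def build_wmf(records):
    """Constructed sample file: 18-byte standard header followed by records and META_EOF."""
    body = b"".join(records) + _record(META_EOF)
    max_words = max(len(r) for r in records + [_record(META_EOF)]) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body

# Constructed fixtures, not real samples: a SETABORTPROC escape with null padding, and ordinary records only.
SAMPLE_FLAGGED = build_wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)])
SAMPLE_CLEAN = build_wmf([_record(META_SETBKMODE, struct.pack("<H", 1)),
                          _record(META_ESCAPE, struct.pack("<HH", 8, 2) + b"\0\0")])  # 8 = QUERYESCSUPPORT
```

Run `find_setabortproc(open(path, "rb").read())` against a file from disk or from a System Restore copy; a non-empty list means the file carries the record the signature keys on and deserves a closer look, while an empty list only rules out this one construct.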

#5 swampmote

swampmote
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:12 PM

Posted 02 March 2007 - 06:59 PM

This is precisely the protocol I followed. Hence the mention of obtaining the latest virus pattern file in my previous post. The thing is, PC-cillin identified the virus and before doing anything, I ran PC-cillin again and EXPL_WMF.GEN didn't show. After this, I ran a host of online scans and they found nothing as well. After no scan found the virus, it was finally the intense paranoia that led me to the Trend Micro site where I attempted to eradicate this thing via the instructions at the site.

My question remains, what happened to it before I followed the Trend Micro protocol? Why would it have seemingly disappeared PRIOR to this?

I think, perhaps, buddy215 is on to something, but I would feel better with the assurance that this virus is, indeed, gone.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,924 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:12 PM

Posted 02 March 2007 - 07:32 PM

Ok, I just posted to be certain that you had those 2 patches.

#7 buddy215

buddy215

  • BC Advisor
  • 12,993 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:12 PM

Posted 02 March 2007 - 08:07 PM

I don't think you are paranoid. If every user was as diligent as you obviously are, we would all be safer.
If it comes up again, try to get the file location and name.
Another possibility comes to mind, if you have more than one antivirus installed on your computer that could be the source of the identifier.
At this point, I think you have done all that can be done.



#8 swampmote

swampmote
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:12 PM

Posted 02 March 2007 - 10:19 PM

Nothing like some knowledgeable advice to help take a little of the sting out of a virus infection. I appreciate you guys for taking the time, and I thank you both for posting.

Edited by swampmote, 02 March 2007 - 10:19 PM.


#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,924 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:12 PM

Posted 03 March 2007 - 03:11 PM

You're welcome.



