Encountered WMF Vulnerability



XPHome SP2, fully patched. Opened a picture link, it flashed up my download
manager trying to download the file eid6.wmf, which shut before I could
close it and flashed open the picture and fax viewer which I closed and
disconnected from the internet. The following new process was running:

"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5\WTABCDEZ\eid6[1].wmf

Closed it and cleaned the IE cache and rebooted and it didn't restart.
Following files were created around this time and may or may not be related:

C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

C:\WINDOWS\system32\CatRoot2\tmp.edb

I removed the prefetch files, the catroot2 file was in use and could not be
moved and disappeared over a reboot. Then used SR to restore to a point
prior. Doesn't seem as if there is any obvious residual, but does anyone
know anything else I should do or look for? I had not unregistered
shimgvw.dll or applied Ilfak Guilfanov's temp patch:

http://www.grc.com/sn/notes-020.htm

Thanks.


--
Regards


