Provided By Certified Computer Experts, Inc.

Windows WMF Vulnerability: Important Information

If you have not already done so, it is very important that you visit http://windowsupdate.microsoft.com and keep your computer up to date. There is a critical update (Microsoft Security Bulletin MS06-001) that fixes a flaw in the way Windows renders WMF image files. Without it, an attacker can execute code on your computer simply by getting you to visit a malicious website or view a malicious image.

One sign that you are infected is a balloon at the bottom of your screen that looks like a Windows warning but is actually produced by the malware itself. It says the following:

"Your computer is infected!
Windows has detected spyware infection.
It is recommended to use special antispyware tools to prevent data loss.
Windows will now download and install the most up-to-date antispyware for you.
Click here to protect your computer from spyware."

Or it may say

" Your computer is infected!
Dangerous malware infection was detected on your PC
The system will now download and install most efficient
antimalware program to prevent data loss and your private
information theft.
Click here to protect your computer from the biggest malware
threats."

Symantec's name for this malware is Trojan.Spaxe. It is a serious infection that cannot be reliably cleaned by hand and needs a dedicated removal tool to be removed safely from your computer. Do not click the balloon: the "antispyware" it offers to install is rogue software, not a Windows feature.

Removal Directions

  1. Download and save smitRem.zip.
  2. Reboot and start Windows in Safe Mode.
  3. Extract smitRem.zip.
  4. Open the folder where smitRem.zip was extracted, then double-click RunThis.bat.
  5. After the program finishes, you can safely restart the computer and the infection is gone. Be sure to always keep Windows up to date!

Updated! I have run into this problem since the original article was posted, and the original fix may no longer fix this problem due to variations.

While in Safe Mode I ran HijackThis and noticed two other suspicious programs:

C:\WINDOWS\SYSTEM32\KERNEL8.EXE
C:\WINSTALL.EXE

Symantec says you may have to follow the instructions below to remove the virus, although my variation did not require this.

  1. Click Start > Run.
  2. Type regedit
  3. Click OK.

    Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it. Symantec Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

  4. Navigate to the subkeys:

    HKEY_CLASSES_ROOT\CLSID\{A2D9D3F0-8C2A-2A1D-A376-1BECFB10AB72}\InProcServer32
    HKEY_CURRENT_USER\Software\Classes\CLSID\{A2D9D3F0-8C2A-2A1D-A376-1BECFB10AB72}\InProcServer32

  5. In the right pane, delete the values:

    "Default" = "%System%\svchosts.dll"
    "Default" = "%System%\ioctrl.dll"
    "Default" = "%System%\netwrap.dll"

    or

    "Default" = "%AppData%\Microsoft\svchosts.dll"
    "Default" = "%AppData%\Microsoft\ioctrl.dll"
    "Default" = "%AppData%\Microsoft\netwrap.dll"

  6. Navigate to one of the following subkeys (these are the load points that make Windows Explorer load the CLSID's DLL at every logon, which is how the infection persists):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObject

  7. In the right pane, delete the value:

    "{A2D9D3F0-8C2A-2A1D-A376-1BECFB10AB72}" = "Reload Browse"

  8. Exit the Registry Editor.
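The registry and file checks above can be automated. The following script is an added example written for this page; it is not part of the original tutorial, smitRem, or Symantec's instructions. It audits a machine for exactly the indicators listed here (the CLSID, the three DLL names in either directory, the two load-point keys, and the two executables flagged by HijackThis) and deletes them only when run with -Remove. It assumes PowerShell 2.0 or later is installed and that the indicator names and paths match those on this page; any other variant will not be detected.

```powershell
<#
  Added example (not from the original tutorial, smitRem, or Symantec):
  audits a system for the Trojan.Spaxe indicators listed on this page and,
  only when -Remove is given, deletes them. Run from an elevated PowerShell
  prompt, preferably in Safe Mode so Explorer has not loaded the DLL.
  Assumption: indicator names and paths are exactly those on the page.
#>
param([switch]$Remove)

$Clsid = '{A2D9D3F0-8C2A-2A1D-A376-1BECFB10AB72}'

# COM registration keys whose (Default) value names the malicious DLL
$InProcKeys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32",
    "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$Clsid\InProcServer32"
)

# Load points where a value named after the CLSID makes Explorer load it at logon
$LoadPointKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObject'
)

# DLLs named on the page, in either of the two directories it lists
$DllNames = 'svchosts.dll', 'ioctrl.dll', 'netwrap.dll'
$DllDirs  = "$env:SystemRoot\System32", "$env:APPDATA\Microsoft"

# Executables the HijackThis scan on this page flagged
$ExeFiles = "$env:SystemRoot\System32\KERNEL8.EXE", 'C:\WINSTALL.EXE'

$findings = New-Object System.Collections.Generic.List[string]

# 1. COM registration: is the CLSID registered, and which DLL does it point to?
foreach ($key in $InProcKeys) {
    if (Test-Path -LiteralPath $key) {
        $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
        $findings.Add("InProcServer32 present: $key -> $dll")
        # Removing the whole subkey covers the (Default) value and anything else in it
        if ($Remove) { Remove-Item -LiteralPath $key -Recurse -Force }
    }
}

# 2. Load points: a value named after the CLSID under either key
foreach ($key in $LoadPointKeys) {
    if (Test-Path -LiteralPath $key) {
        $prop = (Get-ItemProperty -LiteralPath $key).PSObject.Properties[$Clsid]
        if ($prop) {
            $findings.Add("Load point: $key\$Clsid = '$($prop.Value)'")
            if ($Remove) { Remove-ItemProperty -LiteralPath $key -Name $Clsid -Force }
        }
    }
}

# 3. Files on disk (both DLL locations plus the two executables)
$dllPaths = foreach ($d in $DllDirs) { foreach ($n in $DllNames) { Join-Path $d $n } }
foreach ($f in @($dllPaths) + @($ExeFiles)) {
    if (Test-Path -LiteralPath $f) {
        $findings.Add("File present: $f")
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# Report
if ($findings.Count -eq 0) {
    'No Trojan.Spaxe indicators from this page were found.'
} else {
    $findings
    if ($Remove) { 'Indicators removed. Reboot, then run Windows Update.' }
    else         { 'Re-run with -Remove (in Safe Mode) to delete these items.' }
}
```

Run it once without -Remove to see what is present before deleting anything. Deleting the registry entries before the files matters: if Explorer is still running with the DLL loaded, the file deletion can fail, but with the load points gone the DLL will not be loaded again after the reboot and can be removed then. The script does not replace smitRem, which handles the other components of the infection; it only checks the specific items this page names.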

For additional information or questions, please email me:

Tom Fitzgerald, CCNA, MCSA
