Thursday, June 12, 2008

win32/Glenwiry.p fiasco

So I think the most recent update of Computer Associates' virus scan definitions is giving false positives on wextract.exe. If you have real-time scan activated you'll probably get C:\WINDOWS\system32\wextract.exe and C:\WINDOWS\system32\dllcache\wextract.exe quarantined by your anti-virus software. This might prompt Windows to put up a red flag and demand that you insert your operating system install disk. Not sure yet what the best fix is, so I am going to wait it out until the next update from CA, which should fix the problem. If that doesn't happen soon or my system has problems due to the quarantined/missing wextract.exe, I will probably restore the quarantined item using CA's tools that come with the anti-virus software.
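As an added example (not from the original post, and not a CA tool), here is a small Python check for the situation described above: before restoring a quarantined system file, hash every copy Windows keeps of it and see whether the survivors agree. The four paths are assumptions drawn from the locations mentioned on this page (system32, the dllcache copy that Windows File Protection restores from, and the two service pack leftovers); real installs vary. Agreement does not prove a file is clean, but a live copy whose bytes differ from the cached service pack copy is the one thing worth investigating before you tell the scanner to ignore it.

```python
import hashlib
import tempfile
from pathlib import Path

# Locations of wextract.exe named in the post and its comments (the dllcache
# copy is Windows File Protection's cache; the other two are service pack
# leftovers). The exact layout varies per install: these are assumptions.
CANDIDATE_PATHS = [
    r"C:\WINDOWS\system32\wextract.exe",
    r"C:\WINDOWS\system32\dllcache\wextract.exe",
    r"C:\WINDOWS\ServicePackFiles\i386\wextract.exe",
    r"C:\WINDOWS\$NtServicePackUninstall$\wextract.exe",
]


def sha256_of(path):
    """Hex SHA-256 of a file, or None when it is absent (e.g. quarantined)."""
    p = Path(path)
    if not p.is_file():
        return None
    digest = hashlib.sha256()
    with p.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(paths):
    """Hash each copy and classify the set.

    Returns (verdict, hashes); hashes maps each path to its digest or None.
    verdict is:
      'missing'    - no copy exists at all (every copy quarantined/deleted)
      'consistent' - every copy that exists has the same digest
      'divergent'  - two existing copies differ, so the live file is not the
                     same bytes as the cached one and deserves a closer look
    """
    hashes = {str(p): sha256_of(p) for p in paths}
    present = {d for d in hashes.values() if d is not None}
    if not present:
        return "missing", hashes
    if len(present) == 1:
        return "consistent", hashes
    return "divergent", hashes


def demo_in_tempdir():
    """Constructed scenario (not real system files): walk through the
    situations a reader of the post might be in. Returns the four verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live, cache, sp = (base / "system32.exe", base / "dllcache.exe", base / "sp.exe")
        stock = b"MZ" + b"\x00" * 62 + b"constructed stand-in for wextract.exe"
        for f in (live, cache, sp):
            f.write_bytes(stock)
        untouched, _ = compare_copies([live, cache, sp])   # all three agree

        live.write_bytes(stock + b"\x90")                   # live copy modified
        modified, _ = compare_copies([live, cache, sp])

        live.unlink()                                       # AV quarantined it
        quarantined, _ = compare_copies([live, cache, sp])  # survivors still agree

        wiped, _ = compare_copies([base / "nothing.exe"])   # no copy anywhere
    return untouched, modified, quarantined, wiped


if __name__ == "__main__":
    # On a real XP box this reports on the assumed paths; elsewhere every
    # copy shows as MISSING and the verdict is 'missing'.
    verdict, hashes = compare_copies(CANDIDATE_PATHS)
    for path, digest in hashes.items():
        print(f"{digest or 'MISSING':64}  {path}")
    print("verdict:", verdict)
```

Run it as-is to see the verdict for the assumed paths, or call `compare_copies` with whatever locations your own install actually has. A 'consistent' verdict plus a clean result from a second scanner is the evidence the commenters below were looking for; 'divergent' means stop and compare the two copies before restoring anything.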

This all did give me quite a scare though since I pride myself on keeping as secure a system as I can considering I am running Windows. Anyway, I hope this post helps somebody not feel as freaked out as I was initially. There isn't much info online as of now.

Oh, as a side note, I would be careful about going to sites you might find by searching for glenwiry. I think many of them are bogus. If you do go to one by mistake, don't try and click any videos posted there. And if your browser goes into a pop-up hell, you should ctrl-alt-del and kill the browser process. That should get you out of the pop-up carousel.

If I learn anything new tomorrow I'll try and update here, but as you can see by my post history, I am not the most prolific blogger.

20 comments:

Anonymous said...

Had the same hell/scare bizo all afternoon. Dude at CA tried to convince me all was well but I eventually convinced him otherwise. Got a message back saying that CA Antivirus was throwing up a false negative. I am exhausted - dudes on the 'tech desk' who automatically think you are a crank if you report something odd - and time wasted by false alarms. Clicker

Anonymous said...

gg ca noobs... thanks to your blog and a few other hits from google i realise this is a fkup on their part... now to restore those files...

Anonymous said...

Just adding to the list of freaked out individuals. I almost d/l SP3 just cause I have a SP1 disc, and Xp prompted for SP2 disc 2, which I don't have since I used M$ update to upgrade to SP2....I'll hold off till more info can be figured out.

Hopefully it gets sorted out. I used the Report tool for the CA anti virus to ask them as well.

/hurray for the internet on finding proper info out once in a while.

Anonymous said...

Clicker again ... latest update from CA (about 6pm EST) fixes the problem in CA Antivirus. All is peace again (for a while).

Anonymous said...

Goddamn, thanks for blogging. I'm trying to study and I looked over at the computer to see I'm infected all of a sudden. Scared the life out of me. Unplugged the internet, booted safe mode, the whole bit...

Anyway, does that mean we can just restore the wextract files from ca quarantine?

Anonymous said...

idk, in order to restore the files I had to tell realtime scan to specifically ignore that file in 3 locations...otherwise each time I recovered it, CA-AV just requarantined it. Kinda got irritating, but I got it back and XP ain't pissing and moaning anymore, and CA ain't being a de de dee anymore.

So, I'm all good now.

Anonymous said...

scanned the entire system after I got that virus alert - it said I had zero infected files. I'm just going to hang tight & see if that alert pops up again.

Anonymous said...

... and on my comp, CA found Win32/Glenwiry.P in Install_Messenger.exe (which I believe is Yahoo Messenger Installer), and 'Win32 FileID APIs 1.1.EXE' downloaded from Microsoft's site too. I got a lot of reasons to believe they are false positives too.

Anonymous said...

I have XP Pro on one computer and Win2000 on another, both with CA. Only the computer with XP Pro running CA indicated the win32/Glenwiry virus. The one with Win2000 just happened to be running a virus check at the time and did not find any problems. I would think that it is a false positive as ZA anti-virus indicated it as being a problem too. Computers take too much time because there are just so many things that can happen. I use two different routers to change my IP often and have not had any problems yet. One other computer still has Norton on it running Win2000 and it has not indicated a problem regarding win32/glenwire.p
Lots of trouble, huh?

Anonymous said...

I have XP Pro on one computer and Win2000 on another, both with CA. Only the computer with XP Pro running CA indicated the win32/Glenwiry virus. The one with Win2000 just happened to be running a virus check at the time and did not find any problems. I would think that it is a false positive as ZA anti-virus indicated it as being a problem too. Computers take too much time because there are just so many things that can happen. I use two different routers to change my IP from time to time and so far have not had any problems yet. I have one other computer running that has Norton on it running Win2000 and Norton has not indicated a problem regarding win32/glenwire.p
Lots of trouble, huh?

Anonymous said...

Dude! ...you just saved me from spending a couple of hours trying to fix this issue and revising my security standards. Thanks for the post!

Anonymous said...

Thanks!

When you click on the link for the definition, the CA website doesn't know what it is.

The CA updater was the last thing that happened on what I consider a secure PC, except for this CA software. But it was cheap.

I googled and got you.

Anonymous said...

THANKYOU! I was scared last night cuz I NEVER seem to attract viruses and I hadn't done anything that would compromise me. I've had nothing but problems with CA - from the ppctl issues, to the firewall suddenly saying it's not installed, etc. I was going to go reformat my laptop tonight, but now I'm glad I searched the net for a fix first!

Anonymous said...

I got the message of 5 infected files - but before deleting I came on and found your blog.

I have since re-run CA Virus and it gave me a clean bill of health.

I will now search for the files in question and run it specifically against those files.

Hopefully that will give me peace of mind.

Thanks to everyone who has contributed.

Unknown said...

Glad this quick post helped some folks feel a little better, I know I was concerned when I had things getting quarantined. I haven't been back to my Windows box to see what the status of the CA virus tool is. Sounds like maybe they secretly fixed it? It would be nice to get a message of some sort from CA, since we don't know "officially" that wextract.exe triggered a false positive. Really it's all educated guessing based on all the available evidence. I'll probably feel safe restoring those wextract.exe files tonight, though.

Anonymous said...

CA a/v reported wextract.exe infected with Win32/Glenwiry.P in 3 locations (all \windows folders, from \system32 through \servicepack1 and \servicepackfiles\i386). First 2 quarantined and the 3rd just listed as infected. XPSP2 popped up a hard request (no redirect to a folder name) for the SP2 disk, which I don't have either, being updated/upgraded via MS Update all along.

I searched the CA support and av center site and got ZERO results on either the filename or the glenwiry name, really surprising! Did a quick update check and my CA AV is fully up to date.

I'm not doing anything until I find out some more information. Going to check the MS site and run another full scan... but I thank you for all the info here, it's made me feel more comfortable about going through the process.

Anonymous said...

Thanks for this post! I about had a heart attack when I thought I had an infection, especially when Windows asked for a SP2 disk. I'm glad I'm not the only one who had this problem. I ran all my scanners (4 realtime and 2 on demand) and none of them picked up anything, so I'm assuming it was a false positive. I've restored the files and they haven't gotten re-quarantined, so I assume CA fixed the problem.

Man from OZ said...

Same Win32/Glenwiry.P report turned up for me (3 instances) when performing a routine CA AV scan (with fully updated definitions) on 13 June 2008. 3 mentions, with 2 files (wextract.exe) quarantined.
CA AV reported them found in C:\WINDOWS\system32 and C:\windows\SERVIC~1\i386
I did a Windows "Search" and located wextract.exe in C:\WINDOWS\$NtServicePackUninstall$. It's a 59 KB application. I ran CA Vet AV against wextract.exe and Vet reported it as 1 file, 0 infected.
At this stage, I've left the quarantined items in quarantine for possible later return, when (if) CA AV go public and tell us what is really happening, i.e. it's a false positive, or otherwise.
I used CA Vet's Report Tool, asking them for information as to what should be done. No answer yet.
At this time (touching wood as I write this), with three days of solid use since Vet's quarantining, my computer's in its normal, happy mood, showing no ill effects from quarantining OR the existence of wextract.exe sitting in C:\WINDOWS\$NtServicePackUninstall$
Hope this helps!

Unknown said...

I've actually posted two further entries on this topic on my blog, that I think wrap up this topic. If for some reason you Googled and found just this particular entry, take a look at the main blog page for updates regarding this online "threat".
