Saturday, June 14, 2008

Win32/Glenwiry.P : The Final Chapter

Well, this is the conclusion to my epic glenwiry.P trilogy (in case you missed it, the first two posts were a roller coaster of emotion, drama and raw excitement). I noticed that my latest anti-virus definitions were downloaded when I fired up the computer this morning (8:20am PDT). So I tried the following:
  1. Disconnected my router from the Internet.
  2. Went to the "Tools" tab of the CA antivirus software.
  3. Clicked "Quarantined Items."
  4. Restored the three "wextract.exe" files that were quarantined Thursday night.
  5. Ran a virus scan of the WINDOWS/system32 folder.
  6. Did a happy dance.
With those files rightly restored, the new antivirus definitions didn't think wextract was a bad apple. This more or less confirms that CA blew it, and then they fixed it rather quickly. I guess they decided to hold off on releasing the fix for glenwiry.p until they actually release that trojan into the wild! Ha! Just kidding. Or am I? Maybe? No, really, I am not even sure anymore.

So chances are, if you never had the glenwiry.p problem, you aren't going to see it anytime soon because the current definitions don't produce a false positive, and if you did have the glenwiry.p problem, you can probably go ahead and restore those files. Again, this is just based on my own experience: do whatever you want to do at your own risk. I am not a security expert, I just play one on the web.

10 comments:

Anonymous said...

Hey, thanks for your blog....was really helpful at 3AM when I went to shutdown my computer & found the glenwiry.p alert. Nice to know I was not alone... I had followed the same steps as you mentioned in your final chapter & all seems fine as well. Glad you're out there. NMM

Dr. Citrus said...
This comment has been removed by the author.
Dr. Citrus said...

Most appreciative of your posts. All is well. Thanks. JL

Anonymous said...

Hey, thanks heaps. My mum's computer got the problem with the service pack prompt and, sure enough, when I looked in Vet antivirus by CA, the wextract.exe glenwiry.p files were there. I restored them, then clicked cancel on the prompt and reran the virus scan. All is well.
cheers

Anonymous said...

Hi, found your posting on google this weekend because of the same problem. I used the on-line chat that is available at ca.com and was told by an individual that went by the tag of "Samuel" that it was a "false positive" and was told to get the latest update and to restore my "wextract.exe" files. I didn't have any other kind of files that were flagged, so I can't comment on those. My hunch was that this code was put in by one of their programmers (maybe disgruntled) as a hoax or something, because I don't know if anyone else noticed that this problem popped up at about 7AM (at least on all of my computers) on Friday the 13th! I just hope that I really am protected by my CA Internet Suite!!!

Anonymous said...

I had two files that were quarantined by CA that also had the Glenwiry 'infection': A0050735.exe and A0050736.exe. Anyone know anything about these? And thanks so much for posting about this. I've been really, really stressed the past week until I found your blog and followed the steps to restore my two flagged wextract.exe files. CPK

Unknown said...

Hi Chris, it might depend on where those files were when they were quarantined. If they lived in some sort of "backup" or "restore" directory in the C:/WINDOWS tree, then they probably are copies of the same wextract.exe file that got quarantined in the first place. If you can figure out that that's the case, then I'd probably restore them. I still am not convinced that glenwiry.p is a real trojan anywhere, but better to err on the side of caution. If you do restore them, you should still do another scan with the updated antivirus definitions to see if they get quarantined again. Hope this helps.
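As an added example (not from the post or any commenter), a PowerShell check that covers both the restore step in the post and the backup-folder copies asked about above: it hashes each restored copy against a reference wextract.exe and reports the Authenticode status of each file. The PowerShell 4+ requirement, the reference path and the candidate paths are assumptions; adjust them for the machine being checked.

```powershell
# Added example, not from the blog post: verify restored copies of wextract.exe
# against a reference copy by SHA-256 and report their Authenticode status.
# Assumes PowerShell 4 or later (Get-FileHash); all paths are assumptions.
param(
    # The copy you trust, e.g. the system32 one the current definitions no longer flag.
    [string]$Reference = 'C:\WINDOWS\system32\wextract.exe',
    # Restored copies to check, e.g. A00xxxxx.exe files from a restore/backup folder.
    [string[]]$Candidates = @(
        'C:\restored\A0050735.exe',   # assumed location of a restored copy
        'C:\restored\A0050736.exe'
    )
)

function Get-FileReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    # Many Windows binaries are catalog-signed rather than embedded-signed, so a
    # 'NotSigned' status alone does not prove tampering; the hash match is the main check.
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path   = $Path
        Exists = $true
        Sha256 = $hash
        Status = $sig.Status
        Signer = $signer
    }
}

$ref = Get-FileReport -Path $Reference
if (-not $ref.Exists) { throw "Reference file not found: $Reference" }
"Reference $($ref.Path)`n  SHA256=$($ref.Sha256)  signature=$($ref.Status) $($ref.Signer)"

foreach ($c in $Candidates) {
    $r = Get-FileReport -Path $c
    if (-not $r.Exists) { "MISSING    $c"; continue }
    # A mismatch is not proof of infection: restore points keep older file versions.
    # Treat it as 'look closer' (version info, rescan with current definitions).
    if ($r.Sha256 -eq $ref.Sha256) { $verdict = 'IDENTICAL' } else { $verdict = 'DIFFERS  ' }
    "$verdict  $c`n  SHA256=$($r.Sha256)  signature=$($r.Status) $($r.Signer)"
}
```

Run it with the router still disconnected, as in the post's step 1, and only reconnect once the rescan with current definitions is clean.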

Anonymous said...

Hi Joey,

You're spot on...they were in some sort of backup folder. Thanks again. One last question. I'm sure this is coincidence, but right after I got the CA warning and the prompt to install SP2, my cursor started doing strange things. For example, when I would highlight text, the cursor would automatically move letter by letter to the end of the word or http address. When I would open menus, the highlight would scroll automatically to the bottom. I was concerned this was some sort of keylogger hack, but it seems to have stopped now. Am I being paranoid, am I infected, or is my mouse driver messed up somehow? Oh, and it happened even when I unplugged the mouse from my laptop.

Thanks again,
Chris

Unknown said...

I think you're on your own with the mouse thing. I'd guess it's just coincidence and I'd just reboot my machine if something like that was happening to me. That kind of stuff sometimes happens when there is a process in the background hogging too many resources, but if you have a secure system, it's usually benign. Do a ctrl-alt-del to see what your system is up to. If it doesn't go away after rebooting, I'd investigate it online as a separate issue from the CA stuff. Of course, it would probably be a good idea to do a full system scan to feel a little better. Good luck!

Anonymous said...

Thanks again for all your help. Can't tell you how much this means.

Best,
Chris