WMFPatch11 problem & AVG

Eric Parker

I've a WIN2K SP4 system.

I recently (~6/1/06) downloaded & installed WMFPatch11.zip from
http://www.nod32.ch/en/download/tools.php
It installed no problems.

This morning my free AVG (just updated) picked up
Trojan horse BackDoor.Generic2.CPU in
C:\Program Files\WMFPatch\inject.exe
That file is created when I install using the above WMFPatch11.zip.

AVG is able to clean it up and moves it to the vault.
I've submitted the file to
http://www.virustotal.com/flash/index_en.html
and get no hits including AVG.

I've downloaded/updated/run using the 4 tools from
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
and they returned no viruses.

I suspect and hope this is a false positive.
As I use the free version of AVG I cannot contact them to get them to
test the file.

Any advice would be appreciated.

Eric
 
David H. Lipman

From: "Eric Parker" <[email protected]>

| I've a WIN2K SP4 system.
|
| I recently (~6/1/06) downloaded & installed WMFPatch11.zip from
| http://www.nod32.ch/en/download/tools.php
| It installed no problems.
|
| This morning my free AVG (just updated) picked up
| Trojan horse BackDoor.Generic2.CPU in
| C:\Program Files\WMFPatch\inject.exe
| That file is created when I install using the above WMFPatch11.zip.
|
| AVG is able to clean it up and moves it to the vault.
| I've submitted the file to
| http://www.virustotal.com/flash/index_en.html
| and get no hits including AVG.
|
| I've downloaded/updated/run using the 4 tools from
| http://www.ik-cs.com/programs/virtools/Multi_AV.exe
| and they returned no viruses.
|
| I suspect and hope this is a false positive.
| As I use the free version of AVG I cannot contact them to get them to
| test the file.
|
| Any advice would be appreciated.
|
| Eric
|

Check the version of the signature files on Virus Total vs that on your PC. If you have the
later version then send Grisoft a note indicating a False Positive declaration.

The below URL has the AV vendor submission addresses including Grisoft (AVG).

http://www.ik-cs.com/suspicious-files.htm
 
kes

Hi

I had a similar experience with this patch and Win 98 SE.

Unlike you, I'm using a Kaspersky Personal Pro (paid for).
It picked up inject.exe and several other items coming from
WMFPatch11 from NOD32.

My instinct was to uninstall the WMFPatch, disinfect
and wait for an alternative solution - NOD or not-NOD.
 
Eric Parker

To bring anyone interested up to date, this is part of a reply I
received from Grisoft

----------------------------------------------------------------------
---------start
Dear Sir/Madam,

Thank you for your email.

I can inform you that the file was examined by our virus specialists
and it is false alarm.

We'll prepare the correction as soon as possible. Unfortunately, false
alarms are appearing time to time in every Anti-Virus software.

Thank you for your understanding.

----------------------------------------------------------------------
---------end

Thanks for the contact information Dave.
I feel a little happier now.

Eric
 
Ian Kenefick

Eric said:
| I suspect and hope this is a false positive.
| As I use the free version of AVG I cannot contact them to get them to
| test the file.

This is a false detection. Temporarily disable the Antivirus protection
while you uninstall the ESET patch for WMF vulnerability. Install the
Microsoft patch then by running Windows Update or by visiting
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

| Any advice would be appreciated.

You're most welcome!
 
