had installed Ilfak Guilfanov's patch v. MS patch

I installed this Guilfanov
patch for the WMF vulnerability a
couple of weeks ago. I'd read on GRC's pages that
this install would show up in the add/remove section,
and could be removed from there,
but didn't check to see. After MS put out the patch
I considered unistalling Guilfanov's and looked. It
wasn't listed. I installed MS patch over the top,
and noted no problem.

Oddly enough, when I went back to review GRC's pages
I could not find any information about uninstalling
Guilfanov's patch!

With all the paranoia there about CIA, NSA, etc..,
I'm beginning to wonder if I haven't installed the
real trojan, which is Guilfanov's!

Any help on all this?

 

"none" <> wrote in message
news:43c196f5$0$1531$...
> I installed this Guilfanov
> patch for the WMF vulnerability a
> couple of weeks ago. I'd read on GRC's pages that
> this install would show up in the add/remove section,
> and could be removed from there,
> but didn't check to see. After MS put out the patch
> I considered unistalling Guilfanov's and looked. It
> wasn't listed. I installed MS patch over the top,
> and noted no problem.
>
> Oddly enough, when I went back to review GRC's pages
> I could not find any information about uninstalling
> Guilfanov's patch!
>
> With all the paranoia there about CIA, NSA, etc..,
> I'm beginning to wonder if I haven't installed the
> real trojan, which is Guilfanov's!
>
> Any help on all this?
##############################################
http://www.hexblog.com/
According to Guilfanov, that's the way to uninstall it. Run
netstat -an to look for any unwanted connections if you think that you
installed a trojan instead.
It could be that it never really installed in the first place. See if it's
in the startup on msconfig and look in the registry
HKLM
Software
Microsoft
Windows
Run
################################################

 

Reading a little further, I see that MS says that w2k sp4 is vunerable. Does
that mean that w2k running any sp other than 4 is NOT vunerable?
donnie
##################################

 

Donnie wrote:
> "none" <> wrote in message
> news:43c196f5$0$1531$...
>
>>I installed this Guilfanov
>>patch for the WMF vulnerability a
>>couple of weeks ago. I'd read on GRC's pages that
>>this install would show up in the add/remove section,
>>and could be removed from there,
>>but didn't check to see. After MS put out the patch
>>I considered unistalling Guilfanov's and looked. It
>>wasn't listed. I installed MS patch over the top,
>>and noted no problem.
>>
>>Oddly enough, when I went back to review GRC's pages
>>I could not find any information about uninstalling
>>Guilfanov's patch!
>>
>>With all the paranoia there about CIA, NSA, etc..,
>>I'm beginning to wonder if I haven't installed the
>>real trojan, which is Guilfanov's!
>>
>>Any help on all this?
>
> ##############################################
> http://www.hexblog.com/
> According to Guilfanov, that's the way to uninstall it. Run
> netstat -an to look for any unwanted connections if you think that you
> installed a trojan instead.
> It could be that it never really installed in the first place. See if it's
> in the startup on msconfig and look in the registry
> HKLM
> Software
> Microsoft
> Windows
> Run
> ################################################
>
>

Apparently, from this page:
http://castlecops.com/a6445-WMF_Exploit_FAQ.html
The uninstall for this hotfix is inside the following folder;
#21
# Can I un-install the hotfix across a network?

Yes, the un-installer is found here:

c:\Program Files\WindowMetafile\Fixunins000.exe

Have yet to reboot and return to Windows update to see if I
still have their fix, and/or how to remove it and then reinstall it.

 

"Donnie" wrote:

> Reading a little further, I see that MS says that w2k sp4 is vunerable.
> Does that mean that w2k running any sp other than 4 is NOT vunerable?

I can confirm that W2k SP2 *is* vulnerable.

 

On Mon, 9 Jan 2006 02:28:08 -0000, "Ant" <> wrote:

>"Donnie" wrote:
>
>> Reading a little further, I see that MS says that w2k sp4 is vunerable.
>> Does that mean that w2k running any sp other than 4 is NOT vunerable?
>
>I can confirm that W2k SP2 *is* vulnerable.

I imagine they say that as its the most recent (last) service pack;

Yesterday whilst web browsing for hymn sheets, I got instead
some adult educational material which wanted to send me
..wmf files - so the exploit is out there.
--
Jim Watt
http://www.gibnet.com