wuamgrd.exe


4 replies to this topic

#1 randoma

randoma

    Member

  • New Member
  • Pip
  • 3 posts

Posted 11 July 2004 - 06:59 AM

hi,

i installed windows this morning and already managed to get all sorts of viruses, trojans, malware, ... i think kaspersky and spybot's search and destroy got rid of most, i guess, but wuamgrd.exe is still running, i have to stop the process every time i boot... i'm not sure which registry entries to let hijackthis delete. the following is the log after running hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 13:31:22, on 11.07.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\System32\iexplorer.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
C:\Dokumente und Einstellungen\rz\Desktop\hijackshit\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Java Windows Update] qorkmc.exe
O4 - HKLM\..\Run: [Web Service] sjwylm.exe
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [Microsoft Message Machine] SVCHOST13.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [Microsoft Update Machine] iexplorer.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\kvopudv.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\RunServices: [Microsoft Java Windows Update] qorkmc.exe
O4 - HKLM\..\RunServices: [Web Service] sjwylm.exe
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunServices: [Microsoft Message Machine] SVCHOST13.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] iexplorer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Java Windows Update] qorkmc.exe
O4 - HKCU\..\Run: [Web Service] sjwylm.exe
O4 - HKCU\..\Run: [Microsoft Message Machine] SVCHOST13.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] iexplorer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8178.7747337963


i'd appreciate any help and perhaps some suggestions on what good protection measures are..
thanks,
rade

#2 randoma

randoma

    Member

  • New Member
  • Pip
  • 3 posts

Posted 11 July 2004 - 07:37 AM

ok, after running spybot, adaware, housecall, and kaspersky (!) the processes are gone. BUT, hijackthis still finds registry entries for wuamgrd.exe.

here is the new log!

Logfile of HijackThis v1.97.7
Scan saved at 14:37:15, on 11.07.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\WINDOWS\System32\iexplorer.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
C:\Dokumente und Einstellungen\rz\Desktop\hijackshit\HijackThis.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Programme\mIRC\mirc.exe
C:\Programme\Internet Explorer\iexplore.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Java Windows Update] qorkmc.exe
O4 - HKLM\..\Run: [Web Service] sjwylm.exe
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [Microsoft Message Machine] SVCHOST13.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [Microsoft Update Machine] iexplorer.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\RunServices: [Microsoft Java Windows Update] qorkmc.exe
O4 - HKLM\..\RunServices: [Web Service] sjwylm.exe
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunServices: [Microsoft Message Machine] SVCHOST13.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] iexplorer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Java Windows Update] qorkmc.exe
O4 - HKCU\..\Run: [Web Service] sjwylm.exe
O4 - HKCU\..\Run: [Microsoft Message Machine] SVCHOST13.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] iexplorer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8178.7747337963

any comments would be greatly appreciated,
Rade

#3 Atribune

Atribune

    SWI Junkie

  • Developer
  • PipPipPipPip
  • 302 posts

Posted 11 July 2004 - 08:04 AM

Please run hijackthis again and place a check beside each of the following items. Once done, close all other windows and click fix checked.

O4 - HKLM\..\Run: [Microsoft Java Windows Update] qorkmc.exe
O4 - HKLM\..\Run: [Web Service] sjwylm.exe
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [Microsoft Message Machine] SVCHOST13.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] iexplorer.exe
O4 - HKLM\..\RunServices: [Microsoft Java Windows Update] qorkmc.exe
O4 - HKLM\..\RunServices: [Web Service] sjwylm.exe
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunServices: [Microsoft Message Machine] SVCHOST13.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] iexplorer.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Java Windows Update] qorkmc.exe
O4 - HKCU\..\Run: [Web Service] sjwylm.exe
O4 - HKCU\..\Run: [Microsoft Message Machine] SVCHOST13.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] iexplorer.exe

Once done reboot and post a fresh log.

Edited by Atribune, 11 July 2004 - 08:13 AM.
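
Added example, not part of the original posts and not HijackThis's own logic: a triage heuristic over the O4 autostart lines from the logs in this thread. It flags images registered with no path under two or more autostart keys; the sample is a constructed subset of the second log, and the function names and `min_keys` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of O4 lines copied from the second log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [AVPCC] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [Microsoft Update Machine] iexplorer.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] iexplorer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] iexplorer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
"""

# O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_o4(log):
    """Yield (hive, key, value_name, command) for each O4 autostart line."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.groups()

def image_name(command):
    """Return the program part of the command, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]

def suspicious_autostarts(log, min_keys=2):
    """Map each path-less image seen in >= min_keys autostart keys to those keys."""
    seen = defaultdict(set)
    for hive, key, _name, command in parse_o4(log):
        image = image_name(command)
        if "\\" in image or "%" in image:
            continue  # explicit or env-var path: the file location is stated
        seen[image.lower()].add(f"{hive}\\{key}")
    return {img: sorted(keys) for img, keys in seen.items() if len(keys) >= min_keys}

if __name__ == "__main__":
    for img, keys in suspicious_autostarts(SAMPLE_LOG).items():
        print(img, "->", ", ".join(keys))
```

A hit is a prompt to locate and inspect the file, not a verdict; legitimate entries such as the `RunDll32` line also omit a path, which is why the example requires repetition across keys.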


#4 randoma

randoma

    Member

  • New Member
  • Pip
  • 3 posts

Posted 11 July 2004 - 08:17 AM

ok,

the log, after repair, looks like this:

Logfile of HijackThis v1.97.7
Scan saved at 15:15:56, on 11.07.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\WINDOWS\System32\iexplorer.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
C:\Programme\mIRC\mirc.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\rz\Desktop\hijackshit\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8178.7747337963

everything cool?
thanks again,
Rade

#5 Atribune

Atribune

    SWI Junkie

  • Developer
  • PipPipPipPip
  • 302 posts

Posted 11 July 2004 - 08:29 AM

Nope, everything's not cool. Boot to safe mode and find that iexplorer.exe and zip it up there and move the zip file to your desktop.

Then delete iexplorer.exe from system32

Then reboot and email me iexplorer.zip.

submissions@atribune.org



