Churchillohyes
Trooper
Joined: Mar 13, 2004
Posts: 33
Location: Afghanistan
Posted: Sat Mar 13, 2004 8:46 am Post subject: WUAMGRD.exe trojan
Right, well I hope you can help me because this is doing my head in now. Last week my PC crashed and Norton went off, and so I ended up getting 20+ viruses. So I had to send this back to the guy who built my PC, and he's pretty good with computers and ended up fixing it and restarting my PC afresh. After installing broadband again everything was looking okay until, after two or so startups, an error message came up at startup saying that WUAMGRD.EXE had caused an error. The only thing I could do was get into my Task Manager, so I deleted this program, but still no success. I found the only way to get on was by restarting from this, which ended up being my only way in. Once in, I checked the internet and this was the only site search came up with, so I saw others had the same problem. I downloaded both Stinger files and it came up with nothing when it searched. You say to delete the file, but when I search it does not appear and is not in the System32 directory. I then thought it may be gone, but when I did a search with one of your trojan horse removers, Trojan Hunter 3.8, this comes up with the following files:
C:\WINNT\SYSTEM32\MPTCLOCKVVV.exe
C:\WINNT\SYSTEM32\GT.EXE
C:\WINNT\SYSTEM32\WUAMGRD.exe
And now my Norton is not auto-loading, or even loading when I try manually. Please help!
CalamityJane
Security Expert
Premium Member
Joined: Oct 05, 2002
Posts: 2325
Location: Central Florida, USA
Posted: Sat Mar 13, 2004 9:27 am
Hi Churchillohyes, and welcome.
I guess you found us from the related thread in this forum about the new worm
http://computercops.biz/postt23084.html
The Stinger tool does not have detections for this one yet to my knowledge. NAV does, but you say it is not functioning properly.
It looks like Trojan Hunter has found it for you (plus a couple of others I am not familiar with)...but this one is definitely a worm:
C:\WINNT\SYSTEM32\WUAMGRD.exe
First, please download this small free program so we can take a look at your system configuration and determine what all is running on that PC, and then we can help you get rid of the problem/problems.
Download *Hijack This!*
http://www.spywareinfo.com/downloads/tools/HijackThis.exe
Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. This is to ensure it makes the necessary backups for recovery if needed. Download and save the contents to the new folder you made and then navigate to the HijackThis.exe. Then, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
Alternate download site:
http://www.majorgeeks.com/downloadget.p...e6434cfc13
It would also help us for you to give us all the details from the Trojan Hunter log to see exactly what it is telling you.
_________________
Microsoft MVP 2003/2004
Windows - Security
Churchillohyes
Posted: Sat Mar 13, 2004 9:44 am Post subject: HijackThis report
Logfile of HijackThis v1.97.7
Scan saved at 14:00:58, on 13/03/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\mptclockvvv.exe
C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TrojanHunter 3.8\THGuard.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MP Tclockvvv] C:\WINNT\system32\mptclockvvv.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\progra~1\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/o...winrep.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...0697569444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
Churchillohyes
Posted: Sat Mar 13, 2004 9:57 am Post subject: Trojan Report
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan (autostarted files, running executables)
Warning: Unable to unpack UPX-packed file C:\WINNT\system32\mptclockvvv.exe (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\mptclockvvv.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\WINNT\system32\mptclockvvv.exe (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\mptclockvvv.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
No trojan files found
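The Trojan Hunter lines above flag mptclockvvv.exe only because it is UPX-packed and sits in the system folder; that is a heuristic, not a signature match, and the "Unable to unpack" warning says the scanner could not see past the packer to decide what the file is. As an added example (not code from the thread or from Trojan Hunter), the Python below implements the same heuristic offline: it walks the PE section table and looks for the section names the stock UPX packer writes (UPX0, UPX1, UPX2), and combines that with a system-folder path check. The `build_fake_pe` helper constructs minimal stand-in executables so the check can be exercised without a real sample; the SYSTEM_DIRS prefixes are assumed.

```python
"""Heuristic behind the Trojan Hunter warning: a UPX-packed PE in the Windows
system folder.  Added example; not code from the thread or from the tool."""
import struct

# Assumed system-folder prefixes (Windows 2000 used C:\WINNT).
SYSTEM_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")


def pe_section_names(data):
    """Return the section names from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional     # IMAGE_SECTION_HEADER[] starts here
    names = []
    for i in range(num_sections):
        off = table + i * 40                 # each section header is 40 bytes
        raw = data[off:off + 8]              # 8-byte, NUL-padded name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True when any section carries the stock UPX name (UPX0/UPX1/UPX2)."""
    return any(n.upper().startswith("UPX") for n in pe_section_names(data))


def trojan_hunter_style_verdict(path, data):
    """Mirror the report wording: 'UPX-packed file in Windows System folder'."""
    norm = path.lower().replace("/", "\\")
    if norm.startswith(SYSTEM_DIRS) and looks_upx_packed(data):
        return "Suspicious: UPX-packed file in Windows System folder"
    return None


def build_fake_pe(section_names):
    """Constructed minimal MZ/PE blob (no optional header, empty sections) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32)
                        for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    packed = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print(trojan_hunter_style_verdict(r"C:\WINNT\system32\mptclockvvv.exe", packed))
```

The verdict is deliberately weak in both directions: legitimate software ships UPX-packed, and UPX can be run with renamed sections so a clean section table does not mean an unpacked file. That is why the next step in the thread is to hand the file to a scanner that can unpack it, rather than acting on the heuristic alone.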
CalamityJane
Posted: Sat Mar 13, 2004 10:08 am
Do you have a program that is a clock (appears maybe in your systray?)
Found possible trojan file: C:\WINNT\system32\mptclockvvv.exe <---that is the only one I can't identify and TH is really just telling you it can't unpack it to check it out.
First, please go to this site:
Single file check (KAV)
http://www.kaspersky.com/remoteviruschk.html <---go to this site
And browse to the file - let KAV check it for you.
mptclockvvv.exe <--scan this file
Please copy the results of the report at the end of the scan and paste the contents back here
Churchillohyes
Posted: Sat Mar 13, 2004 10:24 am Post subject: Scan result
Scanned the file and it came up with this:
Current object: mptclockvvv.exe
mptclockvvv.exe Packed: UPX
mptclockvvv.exe Packed: PE_Patch
mptclockvvv.exe Infected: Backdoor.IRCBot.gen
Statistics:
--------------------------------------------------------------------------------
Known viruses: 83909 Updated: 13.03.2004
File size (Kb): 96 Scan time: 00:00:01
Speed (Kb/sec): 96 Virus bodies: 1
Archives: 0 Packed: 1
Folders: 0 Files: 1
Suspicious: 0 Warnings: 0
CalamityJane
Posted: Sat Mar 13, 2004 10:46 am
Heh, that's your trojan then.
You can probably kill it with Trojan Hunter (though I'm not sure how to tell you in that program).
Or you can also end the running process in Task Manager (or checkmark this item in HijackThis and press "Fix checked"):
O4 - HKLM\..\Run: [MP Tclockvvv] C:\WINNT\system32\mptclockvvv.exe
Reboot your PC into SAFE MODE:
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/ts...ec_doc_nam
C:\WINNT\system32\mptclockvvv.exe <---delete file
Reboot back into normal mode.
Scan again with Trojan Hunter to see if it finds anything else.
Also scan again with HijackThis and post a new log back here.
Churchillohyes
Posted: Sat Mar 13, 2004 10:53 am Post subject: A little more help....
I can't load my Task Manager; it closes as soon as it opens. Also, will this have Norton working again? And what about the WUAMGRD.exe file?
Churchillohyes
Posted: Sat Mar 13, 2004 12:03 pm Post subject: Trojan Hunter new report after deleting mptclock
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found possible trojan file: C:\WINNT\system32\GT.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\WINNT\system32\mptclockvvv.exe (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\mptclockvvv.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\wuamgrd.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Error: Directory not found: D:\
Error: Directory not found: E:\
3 possible trojan files found
Churchillohyes
Posted: Sat Mar 13, 2004 12:04 pm Post subject: New HijackThis report
Logfile of HijackThis v1.97.7
Scan saved at 17:07:02, on 13/03/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\mptclockvvv.exe
C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TrojanHunter 3.8\THGuard.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\progra~1\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/o...winrep.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...0697569444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
Randy_Bell
Symantec
Premium Member
Joined: Mar 13, 2004
Posts: 51
Location: USA
Posted: Sat Mar 13, 2004 12:36 pm
According to your HJT log: the suspicious file C:\WINNT\system32\mptclockvvv.exe is still a running process in memory.
You need to kill that process using Task Manager, then delete the file. If you can't kill it with Task Manager, you can try a 3rd-party process viewer like this one: http://www.teamcti.com/pview/prcview.htm
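Randy_Bell's observation is the kind of thing worth checking mechanically when reading the two logs posted above: the second log no longer has the MP Tclockvvv Run entry, yet mptclockvvv.exe is still in the "Running processes" list, so fixing the autorun has not removed the bot from memory. As an added example (not code from the thread or from HijackThis), the Python below parses the "Running processes" section and the O4 Run entries of a HijackThis log, flags autorun targets that are not on a known-good list, and then compares two logs to report any autorun that was removed but whose executable is still resident. BEFORE_LOG and AFTER_LOG are abbreviated excerpts constructed from the two logs in this thread, and KNOWN_AUTORUNS is an assumed allowlist built from the entries CalamityJane did not question, not a reference baseline.

```python
"""Triage and diff two HijackThis logs.  Added example; not from the thread or HijackThis."""
import re

# Abbreviated excerpt constructed from the first log posted in the thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mptclockvvv.exe
C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
C:\Program Files\TrojanHunter 3.8\THGuard.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MP Tclockvvv] C:\WINNT\system32\mptclockvvv.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [Steam] "c:\progra~1\steam\steam.exe" -silent
"""

# The second log, as posted: the Run value is gone after "Fix checked", but the
# process line is still present.
AFTER_LOG = BEFORE_LOG.replace(
    r"O4 - HKLM\..\Run: [MP Tclockvvv] C:\WINNT\system32\mptclockvvv.exe" + "\n", "")

# Assumed allowlist: the autorun targets the thread's helper did not question.
KNOWN_AUTORUNS = {
    "mobsync.exe", "rundll32.exe", "nwiz.exe", "soundman.exe", "ccapp.exe",
    "ccregvfy.exe", "advchk.exe", "nerocheck.exe", "taumon.exe", "thguard.exe",
    "ctfmon.exe", "steam.exe",
}

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")   # R0, O2, O4 ... end the process list


def parse_hjt(text):
    """Return (running process paths, [(hive, value name, command)]) from a HJT log."""
    processes, autoruns = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if ENTRY_RE.match(line):
            in_procs = False
        if in_procs:
            processes.append(line)
            continue
        m = RUN_RE.match(line)
        if m:
            autoruns.append((m.group(1), m.group(2), m.group(3)))
    return processes, autoruns


def exe_from_cmd(cmd):
    """Executable part of a Run command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _targets(autoruns):
    return {basename(exe_from_cmd(cmd)) for _, _, cmd in autoruns}


def triage(text):
    """Autorun entries whose target is not allowlisted: [(value name, exe path)]."""
    _, autoruns = parse_hjt(text)
    return [(name, exe_from_cmd(cmd)) for _, name, cmd in autoruns
            if basename(exe_from_cmd(cmd)) not in KNOWN_AUTORUNS]


def compare_logs(before, after):
    """Autorun targets removed between the logs, and which of them still run."""
    _, runs_before = parse_hjt(before)
    procs_after, runs_after = parse_hjt(after)
    removed = _targets(runs_before) - _targets(runs_after)
    running = {basename(p) for p in procs_after}
    resident = sorted(r for r in removed if r in running)
    return removed, resident


if __name__ == "__main__":
    print("unknown autoruns:", triage(BEFORE_LOG))
    removed, resident = compare_logs(BEFORE_LOG, AFTER_LOG)
    print("autoruns removed:", sorted(removed), "still running:", resident)
```

Run against the constructed excerpts, the two findings line up with the thread: the only Run target not on the allowlist is mptclockvvv.exe, and after its entry is fixed the same executable is still in the process list, which is why the advice is to kill it or boot to Safe Mode before deleting the file (a running image cannot be deleted on Windows). The rundll32 entry is allowlisted by host name only; on a real triage the DLL it loads (NvCpl.dll here) needs the same scrutiny as a bare executable.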
CalamityJane
Posted: Sat Mar 13, 2004 12:42 pm
Make sure your PC is configured to show hidden files:
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Did you try:
Reboot your PC into SAFE MODE:
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/ts...ec_doc_nam
C:\WINNT\system32\mptclockvvv.exe <---delete file
C:\WINNT\system32\wuamgrd.exe <---delete file
Reboot back into normal mode.
You need to scan the file:
http://www.kaspersky.com/remoteviruschk.html <--go here
C:\WINNT\system32\GT.exe <--Scan file
Churchillohyes
Posted: Sat Mar 13, 2004 1:35 pm Post subject: Almost....
Well, Norton came back when I restarted and it found WUAMGRD.exe, so that's gone. I went into the System32 folder once I had changed the settings to show hidden and OS files, and now both have appeared. Should I just right-click and delete them?
CalamityJane
Posted: Sat Mar 13, 2004 2:00 pm
This one, yes; it is a known trojan (you may need to go into Safe Mode to delete it):
C:\WINNT\system32\mptclockvvv.exe <---delete file
Did you scan the other file to see what Kaspersky said? (GT.exe ) If you did and it was also infected, then yes, delete it too. If it did not find any infection then wait, we'll need to investigate further on that one.
Churchillohyes
Posted: Sat Mar 13, 2004 2:37 pm Post subject: Thank you
Went into Safe Mode and deleted both files, started Trojan Hunter, and all clear. Well done, you geniuses. Any tips on security measures to stop me getting so damn many, or where they mainly come from, like P2Ps?