Computer Cops
WUAMGRD.exe trojan
Computer Cops Forum Index -> Viruses, Worms, Trojans Oh My
CalamityJane
Security Expert, Premium Member
Joined: Oct 05, 2002
Posts: 2225
Location: Central Florida, USA
PostPosted: Sat Mar 13, 2004 2:43 pm    Post subject:

awwwwwwww {{hugs}} So many smilies - that's nice to see

Glad you asked about prevention - we have just the thing for you here:

Here are some things you can do and some free programs to help.
So how did I get infected in the first place?
http://www.computercops.biz/postt7736.html

And yeah, file sharing is one of the major ways to get new worms. You might want to go ahead and hang on to (and buy) TrojanHunter if you do a lot of that.

_________________
Microsoft MVP 2003/2004
Windows - Security
Randy_Bell
Symantec, Premium Member
Joined: Mar 13, 2004
Posts: 44
Location: USA
PostPosted: Sat Mar 13, 2004 2:50 pm    Post subject: Re: Thankyou

Churchillohyes wrote:
Any tips on security measures to stop me getting so damn many or where they mainly come from like


1. Keep your Norton AV as up-to-date as possible: leave the automatic liveupdate in your task scheduler but also download the Intelligent Updater dailies whenever you possibly can, and if you ever suspect you have a new nasty, download and install the beta defs; also submit any suspicious files to SARC via the Quarantine "Submit Item" button.

2. You might also want to purchase a good AT like TrojanHunter, TDS-3, or BOClean -- and keep it religiously up to date.

3. Either tighten up your IE security settings, or perhaps better {in your case, since you've been bitten once already} -- use an alternative browser: Opera, Firebird {firefox}, Netscape, Mozilla, etc.

4. Don't open attachments in strange emails and don't visit questionable sites {warez, porn, hacker-sites, etc.}

Good Luck and We Hope You Don't Get Infected Again!
Churchillohyes
Trooper
Joined: Mar 13, 2004
Posts: 33
Location: Afghanistan
PostPosted: Sat Mar 13, 2004 4:37 pm    Post subject: Security

I've just downloaded all the programs you said and am about to install them, but there's one thing: I use WAREZ P2P. Is this a bad choice, and if so, which P2P server seems to be the best? I once had Kazaa but this was one of the worst for spyware.
Randy_Bell
Symantec, Premium Member
Joined: Mar 13, 2004
Posts: 44
Location: USA
PostPosted: Sat Mar 13, 2004 5:43 pm    Post subject:

Unless you want to switch to Kaspersky AV that has a high detection rate of P2P malware {even new stuff} .. I would stay away from P2P software myself .. unless you just cannot do without it .. as, Kazaa and P2P are breeding grounds for all sorts of malware, worms and trojans in particular. Some folks actually "troll" P2P to collect new malware samples, because it is that fertile for malware. Even with KAV running in the background as your resident AV patrol, you aren't 100% safe .. the only 100% safe solution is to stay away from P2P networks.
Randy_Bell
Symantec, Premium Member
Joined: Mar 13, 2004
Posts: 44
Location: USA
PostPosted: Sat Mar 13, 2004 6:17 pm    Post subject:

Permit me to re-emphasize too: that you might seriously consider using an alternative browser that does not have ActiveX -- I have used Opera 7.23, Netscape {all flavors 4.x and 7.x}, and Mozilla 1.6 -- installed on my home computers -- and those alternatives usually work great on most sites. I believe Janie has Firebird {firefox} now herself. I mention this and emphasize this because if you've been bitten once already, you can avoid much of the "driveby-download" danger that accompanies IE with its default settings. I use IE myself {am typing this from IE as I speak} but for others who have been bitten, an alternative like Mozilla or Firebird might be better .. do consider it, especially if you decide to go ahead and use P2P software.
CalamityJane
Security Expert, Premium Member
Joined: Oct 05, 2002
Posts: 2225
Location: Central Florida, USA
PostPosted: Sat Mar 13, 2004 8:33 pm    Post subject:

The Good and the Bad on P2P programs

Clean and Infected File Sharing Programs

Last update: December 20, 2003

Wondering if your favorite peer-to-peer file-swapping program has spyware bundled into it? Chances are, it does.
Infected

The following file-swappers are confirmed to have spyware or other unwanted parasites bundled into them:

* KaZaa (offers a paid version without spyware)
* Limewire
* Audiogalaxy
* Bearshare (offers a paid version without spyware)
* Imesh
* Morpheus
* Grokster
* Xolox
* Blubster 2.x aka Piolet (Blubster 2.0 and higher and Piolet are adware and bundle other adware)
* OneMX
* FreeWire
* BitTorrent (Only the Unify Media version. Other versions are clean to my knowledge. See warning below)

Also see this page which details what most of the above programs bundle.
Clean

The following file-swappers have been found not to have any spyware or other advertising parasites bundled into them:

* WinMX (recommended)
* Shareaza
* E-Mule
* Gnucleus
* Blubster 1.2.3 (Later versions include adware)
* Soulseek
* BitTorrent (see warning below)
* Direct Connect
* Mute
* EarthStation5 (Not recommended. See below)

Regarding EarthStation5

Earth Station 5 once contained code that would allow an attacker to delete any file off of your computer's hard drive. Whether it was placed there intentionally or was a bug left in the code by accident is unclear. For now, we recommend against using it.
Regarding BitTorrent

BitTorrent is an open source program distributed under a license that allows for repackaging and distribution. Unfortunately, a company named Unify Media Ltd has decided to distribute a version infected with the C2Media/Lop parasite. We strongly recommend that you download BitTorrent only from the official web site.
Cracks

There are two programs, Kazaalite and Groksterlite, which you may be wondering about. Both programs are spyware-free versions of those file-swappers. Some people believe that they are alternative versions put out by the makers of KaZaa and Grokster.

Let's kill that myth right here. Neither of these are distributed by the owners of Kazaa or Grokster. They are cracks, meaning that the people distributing them violated their End User License Agreements to decompile them and remove the embedded spyware.

You may think that by using these products, you are giving the proverbial finger to the makers of spyware-ridden software. I'm sorry to say, this is not true. You merely show them that their software is so popular that you will go to any lengths to use it. This tells them that it is safe to keep selling out their millions and millions of users to the parasitical spyware companies. It also lets them point to the size of their network when spyware companies come sniffing around. By using these products, cracked or not, you contribute to the problem of advertising spyware.

It is recommended that you not use any version of a product that uses spyware, whether it is a spyware-free crack, or the normal version. Spyware companies pay good money to the developers that sell out their users. The only way to discourage developers from including spyware into their products is to show them that his/her users will go elsewhere. No users equals no sponsors equals no money. It's as simple as that.

This article is located at http://www.spywareinfo.com/articles/p2p/
................................................
As for Browsers, with a little effort you can secure IE (SpywareGuard, SpywareBlaster and IESPYAD, updated regularly and kept up to date will help immensely).

But yes, I do use Firebird (now Firefox) for most of my surfing and keep IE around for the sites where I know I need ActiveX (like Windows Update). I like it because with my secure IE settings, I get the annoying IE popups about ActiveX being turned off....I don't get those in Firebird

Here's a whole bunch of great links for PC Security to bookmark and refer to if you need to:

Home Computer Security
http://www.cert.org/homeusers/HomeComputerSecurity/

Protecting Your Home Network
http://www.microsoft.com/windowsxp/pro/...omenet.asp

Home Network Security
http://www.cert.org/tech_tips/home_networks.html

Malicious Code Propagation and Antivirus Software Updates
http://www.cert.org/incident_notes/IN-2003-01.html

National Institute of Standards and Technology
Computer Security Resource Center
http://csrc.nist.gov/

Stay Safe Online
http://www.staysafeonline.info/

Protecting Your Privacy & Security on a Home PC
http://www.staff.uiuc.edu/~ehowes/main-nf.htm

IE-SPYAD: Restricted Sites List for Internet Explorer
http://www.staff.uiuc.edu/~ehowes/resource.htm

Working with Internet Explorer 6 Security Settings
http://www.microsoft.com/windows/ie/usi...ttings.asp

Churchillohyes
Trooper
Joined: Mar 13, 2004
Posts: 33
Location: Afghanistan
PostPosted: Sun Mar 14, 2004 10:01 am    Post subject: WINMX

I downloaded WINMX and it's O.K. but a bit confusing. The main thing is my download times. It's only about 25 kb/s; I'm on Blueyonder Broadband and on other P2Ps I used to be going at at least 60 kb/s.

Any ideas cos the settings are confusing me!
CalamityJane
Security Expert, Premium Member
Joined: Oct 05, 2002
Posts: 2225
Location: Central Florida, USA
PostPosted: Sun Mar 14, 2004 10:46 am    Post subject:

You might try posting your questions about WINMX here in a new topic:
http://computercops.biz/forum26.html

You won't find too many people here in the Security Section that even use file sharing, so we're not too familiar with those programs. I really only keep a list of the spyware-free programs for those who ask.

Some of our members watching General Software might have some answers for you.

GeneralZod
Cadet
Joined: Mar 15, 2004
Posts: 1
Location: USA
PostPosted: Tue Mar 16, 2004 6:41 am    Post subject:

Hey new poster here!

Came across this site after battling this wuamgrd.exe trojan for the last 3 days with no real luck.

I got some good pointers from you guys and eventually was able to take it down. However, at startup I get an error telling me it can't find wuamgrd.exe. I click OK, go past that and Windows starts up normally.
Although it does seem sluggish.

Are there some other related files that I have to delete or alter in order to completely remove even a trace of that virus?
CalamityJane
Security Expert, Premium Member
Joined: Oct 05, 2002
Posts: 2225
Location: Central Florida, USA
PostPosted: Tue Mar 16, 2004 11:08 am    Post subject:

Hi GeneralZod,

Can you post the result of a scan with HijackThis so we can see what is on your system?

Download *Hijack This!*

http://www.spywareinfo.com/downloads/tools/HijackThis.exe

Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. This is to ensure it makes the necessary backups for recovery if needed. Download and save the contents to the new folder you made and then navigate to the HijackThis.exe. Then, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.

Randy_Bell
Symantec, Premium Member
Joined: Mar 13, 2004
Posts: 44
Location: USA
PostPosted: Tue Mar 16, 2004 11:41 am    Post subject:

GeneralZod wrote:
However at the startup I get an error telling me it cant find wuamgrd.exe. I click OK, go past that and windows starts up normally.

You are getting that error, probably because the wuamgrd.exe trojan has been deleted, but the autostart entry which points to it is still in your registry.

Probably in one of these keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

but the HijackThis logs will reveal exactly where, and will allow you to easily delete the trojan's autostart entries.
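The diagnosis above (the trojan file is gone but a Run/RunServices value or a system.ini Shell= extra still names it, which is what produces the "cannot find wuamgrd.exe" message at logon) can be checked mechanically against a HijackThis log of the kind CalamityJane asks for. The script below is an added example, not code from this thread, from HijackThis or from any tool named here: it parses the O4 registry lines and the F0/F2 Shell= lines, extracts the program each one launches, and reports the entries whose file is absent from a supplied list of files on disk. The sample log lines, the entry names, the wuamgrd.exe and svchost139.exe placeholders and the on-disk file list are all constructed for the demo; on a real machine the list would come from a directory walk.

```python
"""Added example (not code from the thread, from HijackThis or from any tool it
names): find autostart entries in a HijackThis-style log whose target file is
no longer on disk, the situation described in the post above."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample in the shape of a HijackThis 1.97 log. The entry names,
# the wuamgrd.exe path and the svchost139.exe Shell= extra are placeholders
# modelled on the thread, not lines copied from a real machine.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7 (constructed sample)
F0 - system.ini: Shell=explorer.exe svchost139.exe
O2 - BHO: NAV Helper - {CLSID-PLACEHOLDER} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [winsockdriver] svchost139.exe
O4 - HKLM\..\RunServices: [wuamgrd] C:\WINDOWS\System32\wuamgrd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Constructed stand-in for a directory walk taken after the clean-up: the two
# trojan files have been deleted, everything legitimate is still there.
FILES_ON_DISK = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\System32\RUNDLL32.EXE",
    r"C:\WINDOWS\System32\ctfmon.exe",
    r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe",
]


@dataclass
class AutostartEntry:
    source: str      # registry key as HijackThis prints it, or "system.ini Shell="
    name: str        # registry value name ("" for Shell= extras)
    executable: str  # the program the entry launches, as written in the log
    bare: bool       # True when no directory was given (resolved via the search path)
    present: bool    # True when that program was found in the supplied file list


O4_RE = re.compile(r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SHELL_RE = re.compile(r"^F[02] - (?:REG:)?system\.ini: Shell=(?P<cmd>.+)$")
# Cut at the first executable-looking extension so unquoted paths with spaces stay whole.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|pif|dll))(?=\s|,|$)", re.IGNORECASE)


def executable_of(command: str) -> str:
    """Strip arguments from a Run-value command and return just the program."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path: take it verbatim
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = EXE_RE.match(command)
    return match.group(1) if match else command.split()[0]


def autostart_commands(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (source, name, command) for O4 registry lines and for every
    program other than explorer.exe named on an F0/F2 Shell= line."""
    found = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            found.append((m["key"], m["name"], m["cmd"]))
        elif (m := SHELL_RE.match(line)):
            for program in m["cmd"].split():
                if program.lower() != "explorer.exe":
                    found.append(("system.ini Shell=", "", program))
    return found


def audit_autostarts(log_text: str, files_on_disk: Iterable[str]) -> List[AutostartEntry]:
    """Match each autostart target against the files known to exist: full paths
    must match exactly (case-insensitively), bare names match on basename."""
    paths = {p.lower() for p in files_on_disk}
    basenames = {ntpath.basename(p) for p in paths}
    entries = []
    for source, name, cmd in autostart_commands(log_text):
        exe = executable_of(cmd)
        bare = "\\" not in exe and "/" not in exe
        present = exe.lower() in basenames if bare else exe.lower() in paths
        entries.append(AutostartEntry(source, name, exe, bare, present))
    return entries


def orphaned(entries: Iterable[AutostartEntry]) -> List[AutostartEntry]:
    """Entries still pointing at a deleted file: the source of 'cannot find' errors at logon."""
    return [e for e in entries if not e.present]


if __name__ == "__main__":
    for e in audit_autostarts(SAMPLE_LOG, FILES_ON_DISK):
        status = "ORPHANED" if not e.present else ("bare name" if e.bare else "ok")
        print(f"{status:9} {e.source:18} [{e.name}] {e.executable}")
```

Bare names (no directory, such as a Shell= extra or `[winsockdriver] svchost139.exe`) are reported separately because Windows resolves them through the search path, so the check can only say whether a file of that name exists somewhere in the supplied list, not which copy would actually run.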
Churchillohyes
Trooper
Joined: Mar 13, 2004
Posts: 33
Location: Afghanistan
PostPosted: Tue Mar 16, 2004 2:07 pm    Post subject: WUAMGRD.exe trojan Location

If you want to check if it's there, go to your Windows file, then System32. Go to Tools > Folder Options and click the View tab. On this screen, below the "Hidden files and folders" heading, click the option button labelled "Show hidden files and folders" and clear the tickbox below this labelled "Hide Operating System files" so there's no tick in this box. Now look through your System32 file for the WUAMGRD.exe file and it should be there.
saxax
Cadet
Joined: Mar 17, 2004
Posts: 2
Location: Italy
PostPosted: Wed Mar 17, 2004 2:26 pm    Post subject: wuamgrd.exe

Here is my scan with HijackThis
Gaussblaster
Cadet
Joined: Mar 17, 2004
Posts: 1
Location: USA
PostPosted: Wed Mar 17, 2004 4:29 pm    Post subject: Ok can u help me plz, my task manager closes straight away!

Logfile of HijackThis v1.97.7
Scan saved at 21:19:56, on 17/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost139.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\JIRNFDS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SETI@home\[email protected]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BTopenworld NetHelp\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom\Local Settings\Temp\Temporary Directory 2 for PrcView[1].zip\PrcView.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NORTON~3\NORTON~1\navw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust...yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust..._side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust...yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/cust...yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust...yahoo.com/
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=explorer.exe svchost139.exe
F2 - REG:system.ini: Shell=explorer.exe svchost139.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Outwar] C:\WINDOWS\syslaunch.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AntiVirus] C:\WINDOWS\antivirus.exe
O4 - HKLM\..\Run: [mnsvcsp] C:\WINDOWS\System32\mnsvcsp.exe
O4 - HKLM\..\Run: [kernel32] C:\WINDOWS\System32\kernel32.dlI
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int113777.exe -auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~3\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Windows Graphics Loader] graphicsv1.exe
O4 - HKLM\..\Run: [Wcmdmnger Utility] WCMDMNGRUTIL.EXE
O4 - HKLM\..\Run: [DEFRTUI4] JIRNFDS.EXE
O4 - HKLM\..\Run: [winsockdriver] svchost139.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\[email protected] -min
O4 - HKCU\..\RunOnce: [winsockdriver] svchost139.exe
O4 - HKCU\..\RunOnce: [DEFRTUI4] JIRNFDS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld NetHelp\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Packard Bell (HKLM)
O9 - Extra button: BT Yahoo! Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: BT (HKCU)
O9 - Extra button: Homepage (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://216.82.66.200/build/preload.cab
O16 - DPF: {0EB1CA3E-C9C7-42B6-8016-B0CBA435E291} (ImclCtl Class) - http://www.messenger.lycos.co.uk/messen...grCore.cab
O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - http://www.browserplugin.com/eroticAccess/cabs/1768008.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://download.yahoo.com/dl/installs/bt/yregucfg.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar...vSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003...scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me...Client.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://Q:\Resources\IntraLaunch.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar.../cabsa.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/templat...rol012.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{759268B2-D19C-4B44-AA51-82532026E6FE}: NameServer = 213.1.119.103 213.1.119.104
PiNg_nl
Cadet
Joined: Mar 17, 2004
Posts: 3
Location: Netherlands
PostPosted: Wed Mar 17, 2004 6:14 pm    Post subject: You sure you're ok now?

I have been reading this thread for a few days now, since it was the only mention in Google of the infected files. In short, I have your very same problem. Problem is, I shouldn't have this trojan. Just don't know how on earth I got it. Here's a brief description of what I have had to go through for the past few weeks.
PC's been REALLY unstable. Spontaneous resets, programs crashing to desktop every 10 minutes and so on. Here's what I tried: fdisk'ed my drives C and D, reformatted in NTFS, just copied about 10 GIG of ISO files from disk E to C (can't go without those), then fdisk'd E too. (I realise that the safest way would be to just wipe all my 3 HDs WITHOUT copying files from a possibly infected disk, but hey, an infected .cue/.bin file????? I've personally never heard of it (no expert).)
Installed Win 2000, downloaded GetRight, downloaded SP4, Norton AntiVirus Corporate, Daemon Tools, NetLimiter 1.29 and ZoneAlarm. Installed just those programs, nothing else.

After NAV install, the update window just popped away. Reset PC and NAV just disables itself. Task Manager pops away. Found file C:\WINNT\system32\mptclockvvv.exe using ZoneAlarm. You tell me how I got it?????? I haven't done ANYTHING extraordinary or risky. Then started looking, found this thread. Got similar HijackThis log. TrojanHunter found it too. Deleted this file. Reset PC. Scanned again with TrojanHunter, all clear. Thought I'd fixed it all, ran Windows Update and installed some updates. (IE SP)
Windows didn't want to boot after that. Then when I finally got into Windows again (few boots in safe mode and it worked), I ran TrojanHunter again. See log in next post.
See next post for log.
All times are GMT - 5 Hours
Page 2 of 4