PiNg_nl
Cadet
Joined: Mar 17, 2004
Posts: 3
Location: Netherlands
Posted: Wed Mar 17, 2004 6:25 pm Post subject:
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
Port 1480/TCP is open (Matches RemoteHack.130. Port being used by process wuamgrd.exe/PID 1240) (Tell me more about port alerts...)
Memory scan
No trojans found in memory
File scan
Found possible trojan file: C:\WINNT\system32\qxaxw.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\wuamgrd.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
2 possible trojan files found
Here's the HijackThis log (I've installed a few programs since I first found I was infected):
Logfile of HijackThis v1.97.7
Scan saved at 12:16:32 AM, on 3/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Security\Panda Titanium Antivirus 2004\Pavsrv50.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Security\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Utils\Daemon\daemon.exe
C:\Program Files\Internet\NetLimiter\NetLimiter.exe
C:\PROGRA~1\Security\ZoneAlarm\zlclient.exe
C:\Program Files\Security\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINNT\system32\wuamgrd.exe
E:\games\steam\steam.exe
C:\Program Files\Internet\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet\GetRight\getright.exe
C:\Program Files\Internet\GetRight\getright.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Security\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Program Files\Security\TrojanHunter 3.8\TrojanHunter.exe
D:\My Downloads\PrcView\PrcView.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
D:\My Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Utils\Daemon\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\Internet\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Security\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Security\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\Security\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Steam] "e:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Internet\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunOnce: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\RunOnce: [Microsoft Update] wuamgrd.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\Internet\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\Internet\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\Internet\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\security\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\security\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\security\panda titanium antivirus 2004\pavlsp.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...8986574074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74E44268-FC9F-40B1-A8B3-C1FA6EEB00A4}: NameServer = 192.168.2.1
***********************************************************
So the file C:\WINNT\system32\wuamgrd.exe suddenly appeared AFTER UPDATING. Remember, the file wasn't found before my last update (I last checked as soon as update asked me to reboot) and it WAS there as soon as I managed to get into Windows again. (First thing I did was run Trojan Hunter, see log above.) Looking at the filename I can imagine that wuamgrd has to do with Windows Update. Could it be that this file is sent to my PC when I use the Windows Update function? It seems the only logical explanation I can think of... then again, I'm no expert.
PiNg_nl
Cadet
Joined: Mar 17, 2004
Posts: 3
Location: Netherlands
Posted: Wed Mar 17, 2004 6:43 pm Post subject:
I just checked qxaxw.exe on Kaspersky.
Now don't laugh at me.
Current object: qxaxw.exe
qxaxw.exe Packed: UPX
qxaxw.exe Archive: RAR
qxaxw.exe/archive comment Ok
qxaxw.exe/jjkdqs.exe Packed: FSG
qxaxw.exe/jjkdqs.exe Warning: TrojanProxy.Win32.Ranky.p
qxaxw.exe/fqcsjj.exe Packed: FSG
qxaxw.exe/fqcsjj.exe Warning: Backdoor.SdBot.ev
qxaxw.exe Archive: RAR
qxaxw.exe/archive comment Ok
qxaxw.exe/jjkdqs.exe Packed: FSG
qxaxw.exe/jjkdqs.exe Warning: TrojanProxy.Win32.Ranky.p
qxaxw.exe/fqcsjj.exe Packed: FSG
qxaxw.exe/fqcsjj.exe Warning: Backdoor.SdBot.ev
qxaxw.exe Warning: Backdoor.SdBot.ev
If you're looking for me, I'm buying some rope...
HEEEEEEEELP!!!
Obviously I'm deleting this file. Once again, how on earth did I get it??? And more importantly, if reinstalling Windows doesn't work, how do I get rid of it???
By the way, I am using a broadband router, which is wide open as DMZ host. Win2k Pro.
Randy_Bell
Symantec
Premium Member
Joined: Mar 13, 2004
Posts: 44
Location: USA
Posted: Wed Mar 17, 2004 7:48 pm Post subject:
PiNg_nl wrote:
Found possible trojan file: C:\WINNT\system32\qxaxw.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\wuamgrd.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
2 possible trojan files found
{{~snipped~}}
So the file C:\WINNT\system32\wuamgrd.exe suddenly appeared AFTER UPDATING. Remember, the file wasn't found before my last update (I last checked as soon as update asked me to reboot) and it WAS there as soon as I managed to get into Windows again. (First thing I did was run Trojan Hunter, see log above.) Looking at the filename I can imagine that wuamgrd has to do with Windows Update. Could it be that this file is sent to my PC when I use the Windows Update function? It seems the only logical explanation I can think of... then again, I'm no expert.
TrojanHunter has definitely identified the suspicious files. Also, did you try using HijackThis to delete these autostart entries in your registry? --
Quote:
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunOnce: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\RunOnce: [Microsoft Update] wuamgrd.exe
Microsoft uses NOD32 to keep their online systems and servers clean. I don't think you need to worry about getting a virus from Windows Update .. if that ever happened, it would cause such an uproar, it would be immediately fixed & cleaned. Good Luck, Warmly, Ran
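The duplicated autostart entries Randy points at can be picked out mechanically. The Python below is an added example, not part of this thread or of HijackThis: it parses O4 registry lines (a constructed sample built from the log quoted above) and flags any executable registered in three or more Run/RunOnce/RunServices keys across HKLM and HKCU, a threshold that is my own heuristic, noting as well whether the entry is a bare filename with no install path.

```python
import re
from collections import defaultdict

# Constructed sample log: a subset of the O4 lines quoted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Security\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunOnce: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\RunOnce: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Steam] "e:\games\steam\steam.exe" -silent
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\Internet\GetRight\getright.exe
"""

# Registry-backed O4 lines look like:  O4 - HKLM\..\RunServices: [Name] command
O4_REGISTRY = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token of the command, with or without surrounding quotes, ending in .exe
EXE_TOKEN = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(\s|$)', re.IGNORECASE)


def parse_o4_registry(log_text):
    """Return (hive, key, name, exe_path) tuples for registry O4 lines.
    Startup-folder (.lnk) entries are skipped; they carry no hive or key."""
    entries = []
    for line in log_text.splitlines():
        m = O4_REGISTRY.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        exe = EXE_TOKEN.match(cmd)
        path = exe.group("path") if exe else cmd.split()[0]
        entries.append((m.group("hive"), m.group("key"), m.group("name"), path))
    return entries


def group_by_exe(entries):
    """Map lowercase executable filename -> set of 'HIVE\\Key' autostart locations."""
    locations = defaultdict(set)
    for hive, key, _name, path in entries:
        filename = path.rsplit("\\", 1)[-1].lower()
        locations[filename].add(f"{hive}\\{key}")
    return locations


def suspicious_autostarts(log_text, min_locations=3):
    """Flag executables registered in min_locations or more distinct autostart
    keys. A legitimate program normally needs one; the wuamgrd.exe entries in
    the thread use five. Each hit also records whether the command is a bare
    filename, which resolves through the search path (system32 in practice)
    rather than a fixed install directory."""
    entries = parse_o4_registry(log_text)
    bare = {p.rsplit("\\", 1)[-1].lower() for *_, p in entries if "\\" not in p}
    hits = []
    for filename, locs in group_by_exe(entries).items():
        if len(locs) >= min_locations:
            hits.append({"exe": filename, "locations": sorted(locs),
                         "bare_filename": filename in bare})
    return hits


if __name__ == "__main__":
    for hit in suspicious_autostarts(SAMPLE_LOG):
        print(f"{hit['exe']}: {len(hit['locations'])} autostart keys "
              f"({', '.join(hit['locations'])}) bare={hit['bare_filename']}")
```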
saxax
Cadet
Joined: Mar 17, 2004
Posts: 2
Location: Italy
Posted: Wed Mar 17, 2004 8:02 pm Post subject: wuamgrd.exe
Can't attach the HijackThis result scan text file. Did update NAV; after half an hour, another time wuamgrd.exe. At the beginning of these topics it is written to scan with HijackThis and attach here the result; I can't. What do I have to do to solve this problem?? Thank you for help
Randy_Bell
Symantec
Premium Member
Joined: Mar 13, 2004
Posts: 44
Location: USA
Posted: Wed Mar 17, 2004 9:08 pm Post subject: Re: wuamgrd.exe
saxax wrote:
Can't attach the HijackThis result scan text file. Did update NAV; after half an hour, another time wuamgrd.exe. At the beginning of these topics it is written to scan with HijackThis and attach here the result; I can't. What do I have to do to solve this problem?? Thank you for help
Hmmm .... NAV "knows" this file and will detect and quarantine it .. but if you don't get all of it, and delete the autostart entries from the registry that are restarting the trojan every time you reboot .. you won't be clean. I think it has been wisely suggested to restart in Safe Mode and scan with NAV from there -- then let NAV quarantine or delete anything it finds .. then either use HijackThis, or directly look in your registry {if you know how}, for the autostart entries I mentioned in my previous post .. the ones that PiNg_nl found on his system .. to delete those entries .. then reboot and you might be clean. One other thing you'll need to do is to disable System Restore in case the trojan has gotten backed up into a Restore Point .. this assumes you're running ME or XP, which have the System Restore feature. Good Luck, Warmly, Ran
Churchillohyes
Trooper
Joined: Mar 13, 2004
Posts: 33
Location: Afghanistan
Posted: Tue Mar 23, 2004 11:00 am Post subject: Hi all - check up....
Have you ever used Startup Mechanic? Well, I was looking on there at what starts up and a few things listed were to do with that WUAMGRD file and another with the GT.EXE file I had. Only yesterday did I notice that GT.EXE had appeared in my Task Manager again, the little get! Norton got rid of this but still I think something's left. Could you take a look-see at my HijackThis! report please?
Churchillohyes
Trooper
Joined: Mar 13, 2004
Posts: 33
Location: Afghanistan
Posted: Tue Mar 23, 2004 11:01 am Post subject: My HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 16:03:43, on 23/03/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\TrueBlock\TrueBlock.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\John\Desktop\My Downloads\Antivirus and Trojan help\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.co.uk/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {8FA29996-D0A6-444F-85F6-9691A0EAE6F3} - C:\Program Files\TrueAssistant\TrueAssistantToolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: TrueAssistant - {18AD2309-B249-46FB-9012-3B787446707F} - C:\Program Files\TrueAssistant\TrueAssistantToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Startup Manager Scanner] C:\Documents and Settings\John\Desktop\My Downloads\Antivirus and Trojan help\Startup Mechanic\StartupScanner.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: TrueAssistant (HKLM)
O9 - Extra 'Tools' menuitem: TrueAssistant (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/o...winrep.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...0697569444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
Churchillohyes
Trooper
Joined: Mar 13, 2004
Posts: 33
Location: Afghanistan
Posted: Tue Mar 23, 2004 11:02 am Post subject: Startup list
Using another program to show Startups showed this:
StartupList report, 23/03/2004, 16:04:33
StartupList version: 1.52
Started from : C:\Documents and Settings\John\Desktop\My Downloads\Antivirus and Trojan help\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\TrueBlock\TrueBlock.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\John\Desktop\My Downloads\Antivirus and Trojan help\StartupList.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\John\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = mobsync.exe /logon
NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
SoundMan = SOUNDMAN.EXE
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
NeroCheck = C:\WINNT\system32\NeroCheck.exe
Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
Startup Manager Scanner = C:\Documents and Settings\John\Desktop\My Downloads\Antivirus and Trojan help\Startup Mechanic\StartupScanner.exe
--------------------------------------------------
Shell & screensaver key from C:\WINNT\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - C:\Program Files\TrueAssistant\TrueAssistantToolbar.dll - {8FA29996-D0A6-444F-85F6-9691A0EAE6F3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[Microsoft.WinRep]
InProcServer32 = C:\WINNT\system32\Winrep.dll
CODEBASE = https://webresponse.one.microsoft.com/o...winrep.cab
[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/C...0697569444
[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shoc...wflash.cab
[Secure Delivery]
CODEBASE = http://www.gamespot.com/KDX22/download/kdx.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll
--------------------------------------------------
End of report, 5,767 bytes
Report generated in 0.032 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Randy_Bell
Symantec
Premium Member
Joined: Mar 13, 2004
Posts: 44
Location: USA
Posted: Tue Mar 23, 2004 12:38 pm Post subject: Re: Hi all - check up....
Churchillohyes wrote:
Have you ever used Startup Mechanic? Well, I was looking on there at what starts up and a few things listed were to do with that WUAMGRD file and another with the GT.EXE file I had. Only yesterday did I notice that GT.EXE had appeared in my Task Manager again, the little get! Norton got rid of this but still I think something's left. Could you take a look-see at my HijackThis! report please?
I am unfortunately not too good at {not trained at} analyzing HJT logs, but others among the regulars here might be able to help you on those. I don't see anything off-hand that jumps out as "infected". Meanwhile you can take the opportunity yourself to scan all suspicious files with Kaspersky Online Virus Checker. I would recommend you scan GT.EXE and anything in your list of running processes that looks suspicious. Even if the files are locked from deletion, you can still scan them, since scanning only requires read access. Anything that turns out to be malicious you can end-task or, if necessary, get a process viewer and terminate. Hope that helps, until the HJT experts come along to help further.
Halidon
Cadet
Joined: Mar 23, 2004
Posts: 4
Location: USA
Posted: Tue Mar 23, 2004 6:08 pm Post subject:
wuamgrd.exe is showing up in my Task Manager processes, but I can't find the file in my System32 to delete. Any ideas on how I can get rid of it?
csred
Cadet
Joined: Mar 10, 2004
Posts: 5
Location: USA
Posted: Tue Mar 23, 2004 6:18 pm Post subject:
Looks like you got one of those from IRC. Never click on any link in IRC unless you know the person who gave it. Also, you need to make sure that your DCC auto-accept is disabled, because people often take advantage of that by sending you viruses and such.
Edit: I'm sorry, apparently I did not read the other two pages of this topic. Anyway, anyone who uses IRC should stay away from suspicious links.
Churchillohyes
Trooper
Joined: Mar 13, 2004
Posts: 33
Location: Afghanistan
Posted: Tue Mar 23, 2004 6:21 pm Post subject: Where to find it:
As I said earlier:
If you want to check if it's there, go to your Windows file, then System32. Go to Tools > Folder Options and click the View tab. On this screen, below the "Hidden files and folders" heading, click the option button labelled "Show hidden files and folders", and uncheck the tickbox below this labelled "Hide operating system files" so there's no tick in this box. Now look through your System32 file for the WUAMGRD.exe file and it should be there.
Halidon
Cadet
Joined: Mar 23, 2004
Posts: 4
Location: USA
Posted: Tue Mar 23, 2004 7:57 pm Post subject:
It worked. Thanks a million. I also noticed another file that I've never seen before; do you know if scchost.exe is a virus?
Randy_Bell
Symantec
Premium Member
Joined: Mar 13, 2004
Posts: 44
Location: USA
Posted: Tue Mar 23, 2004 8:32 pm Post subject:
Halidon wrote:
It worked. Thanks a million. I also noticed another file that I've never seen before; do you know if scchost.exe is a virus?
That indeed sounds suspicious: trojans & worms often name the infecting server with a name very similar sounding to a legitimate file, for purposes of deception. "Svchost" {not "Scchost"} is the legitimate Generic Host Process in Windows 2K/XP. So bottom line, you should scan that "Scchost" file with the Kaspersky Online Virus Checker. I'm betting it is a trojan, though.
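Randy's point about near-miss names such as "scchost" versus "svchost" can be turned into a simple check. The Python below is an added example, not from this thread: it compares a constructed Task Manager style process list against the core Windows 2000 process names that appear in the logs above, using plain Levenshtein edit distance; the one-edit threshold is my own choice and will not catch every lookalike.

```python
# Legitimate Windows 2000 core process names, taken from the "Running
# processes" sections of the HijackThis logs posted in this thread.
KNOWN_SYSTEM_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "regsvc.exe", "mstask.exe",
}


def edit_distance(a, b):
    """Levenshtein distance: the minimum number of single-character insertions,
    deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_processes(process_names, known=KNOWN_SYSTEM_PROCESSES, max_distance=1):
    """Return (seen, mimicked) pairs for names that are NOT a known system
    process but lie within max_distance edits of one, e.g. scchost.exe vs
    svchost.exe. Exact matches are trusted here; a real triage would also
    check the file's path and signature."""
    hits = []
    for name in process_names:
        lowered = name.lower()
        if lowered in known:
            continue
        for legit in sorted(known):
            if edit_distance(lowered, legit) <= max_distance:
                hits.append((name, legit))
                break
    return hits


# Constructed sample: a Task Manager style list mixing the thread's legitimate
# processes with the "scchost.exe" name Halidon asked about.
SAMPLE_PROCESSES = ["smss.exe", "csrss.exe", "svchost.exe", "scchost.exe",
                    "lsass.exe", "wuamgrd.exe", "explorer.exe"]

if __name__ == "__main__":
    for seen, legit in lookalike_processes(SAMPLE_PROCESSES):
        print(f"{seen} looks like {legit}: scan it before trusting it")
```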
Halidon
Cadet
Joined: Mar 23, 2004
Posts: 4
Location: USA
Posted: Wed Mar 24, 2004 8:29 am Post subject:
Will do tonight. Thanks.
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops