psbrickmill
asked on
Please Help... What Is WAMGRD.exe?
All of a sudden I have several WinXP Pro pcs and a couple WIN2000 servers with a pulsating process called WAMGRD.exe. Current Norton AV says the system has no viruses.
The file exists in winnt/system32 directory. If I rename it (delete not possible), the file gets rebuilt and the process starts again.
A search of the registry shows nothing.
It acts like a virus.. but I find no info anywhere...
ASKER
Here is the log..
This is from one of the winxp pcs. The process is not currently running. (it starts up after a while... not consistent)
Logfile of HijackThis v1.98.0
Scan saved at 4:40:21 PM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Common Files\Crystal Decisions\2.0\bin\querysrv.exe
C:\WINNT\System32\cusrvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mqtgsvc.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\ctfmon.exe
C:\Netscape\Netscp.exe
C:\GPSoftware\Directory Opus\dopus.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Novell\GroupWise\Notify.exe
C:\WINNT\system32\ntvdm.exe
C:\Documents and Settings\slundahl\Desktop\HijackThis1980.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msdn.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!
user_pref("aim.internal.buddy.MaxBuddies", 220);
user_pref("aim.internal.intproxyprotocol", 1);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "lundahls");
user_pref("aim.session.screenname", "lundahls");
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.check_doc_frequency", 1);
user_pref("browser.cache.disk.parent_directory", "C:\\Documents and Settings\\slundahl\\Application Data\\Mozilla\\Profiles\\default\\m6ucfwix.slt");
user_pref("browser.download.dir", "C:\\Steve\\Downloads\\Netscape4_8");
user_pref("browser.history.last_page_visited", "http://www.npabenefitsgroup.com/cbi_masthead.asp");
user_pref("browser.search.defaultengine", "engine://C%3A%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.search.mode", 1);
user_pref("browser.startup.homepage"
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!
user_pref("aim.internal.buddy.MaxBuddies", 220);
user_pref("aim.internal.intproxyprotocol", 1);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "lundahls");
user_pref("aim.session.screenname", "lundahls");
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.check_doc_frequency", 1);
user_pref("browser.cache.disk.parent_directory", "C:\\Documents and Settings\\slundahl\\Application Data\\Mozilla\\Profiles\\default\\m6ucfwix.slt");
user_pref("browser.download.dir", "C:\\Steve\\Downloads\\Netscape4_8");
user_pref("browser.history.last_page_visited", "http://www.npabenefitsgroup.com/cbi_masthead.asp");
user_pref("browser.search.defaultengine", "engine://C%3A%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.search.mode", 1);
user_pref("browser.startup.homepage"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Windows Update] wamgrd.exe
O4 - HKLM\..\RunServices: [Windows Update] wamgrd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [DOpus] C:\GPSoftware\Directory Opus\dopus.exe
O4 - Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Startup: WinMySQLadmin.lnk = C:\MySQL\bin\winmysqladmin.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O4 - HKLM\..\Run: [Windows Update] wamgrd.exe
O4 - HKLM\..\RunServices: [Windows Update] wamgrd.exe
======================================
put a check mark against these two lines, and click on Fix Checked !!!!
then reboot in Safe Mode and delete this wamgrd.exe file from C:\Windows\System32
if it gives an error of Access Denied, then take its permission and then delete it !!!!!!
HOW TO: Take Ownership of a File or Folder in Windows XP:
http://support.microsoft.com/?kbid=308421
post back results !!!!!!
ASKER
Will do..
But look at this...
Here is the log from one of my win2k servers that also had it. The entry doesn't exist here?
Logfile of HijackThis v1.98.0
Scan saved at 4:32:05 PM, on 8/5/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Documents and Settings\Administrator.BMSD\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\WINNT\System32\ctxxmlss.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\mfcom.exe
C:\Program Files\NAV\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\encsvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\System32\cdmsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\Citrix\system32\icabar.exe
C:\PROGRA~1\NAV\vptray.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\Documents and Settings\Administrator.BMSD\Desktop\HijackThis1980.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator.BMSD\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator.BMSD\WINDOWS\web\related.htm (file missing)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.bmsd\windows\system32\rnr20.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BMSD
O17 - HKLM\System\CCS\Services\Tcpip\..\{594193A8-D0E0-4EBB-A256-4B2382684A67}: NameServer = 192.168.10.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BMSD
O17 - HKLM\System\CS1\Services\Tcpip\..\{594193A8-D0E0-4EBB-A256-4B2382684A67}: NameServer = 192.168.10.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BMSD
O17 - HKLM\System\CS2\Services\Tcpip\..\{594193A8-D0E0-4EBB-A256-4B2382684A67}: NameServer = 192.168.10.8
O20 - AppInit_DLLs: mfaphook.dll
yes you are right, it's not here :-?
try this: go to Start>Run>regedit
and hit Ctrl+F
type wamgrd and hit enter
and then hit find next, until it gives the message that no entry was found
check in which places regedit finds its entry ??
post here the location(s) !!
ASKER
Well here are the results of searching the registry on all machines that had this process running...
I could not get to the XP PC that has the HJT log above but it obviously has some entries.
1 xp PC - no entry found
5 W2K servers - no entry found
1 W2k server - hklm\system\ControlSet001\WAMGRD and hklm\system\CurrentControlSet\WAMGRD
All of the above machines had this process running and the file in winnt\system32. Interesting to note that we renamed the file on the first machine and it kept coming back...
but now that we have renamed the file on all machines that we could find... it has not started up again... yet!
that means in that one W2k server machine, it should be starting as a service !!!!!
get msconfig from here >> http://www.perfectdrivers.com/howto/msconfig.html
run it on this W2k server machine
and goto Services and Startup sections
can you see the entry for this Windows Update (wamgrd) ??
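As an added triage example (not code from this thread, from HijackThis, or from any Microsoft tool), a small Python parser for the O4 Run/RunServices lines of a HijackThis log that flags the two tells visible in the XP log above: an entry calling itself Windows Update that runs something other than the real client (on Windows 2000/XP that client is wuauclt.exe, started by the "Automatic Updates" service wuauserv, never via a Run key), and the same binary written to both Run and RunServices. The O4 lines from both logs are embedded as constructed samples; the Windows 2000 log yields no finding, which is exactly why the service list is the next place to look.

```python
import re

# A HijackThis O4 line looks like  O4 - HKLM\..\Run: [Windows Update] wamgrd.exe
# (hive, Run-key flavour, entry name, command); "O4 - Startup:" lines are skipped.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")

# The genuine Windows Update client on Windows 2000/XP is wuauclt.exe, started by
# the "Automatic Updates" service (wuauserv), never via a Run key. Analyst-kept list.
GENUINE_WU_BINARIES = {"wuauclt.exe"}

def exe_name(command):
    """Return the lower-cased file name of the program a Run-key command starts."""
    cmd = command.strip()
    if cmd.startswith('"'):                       # quoted path: up to the closing quote
        exe = cmd[1:cmd.find('"', 1)]
    else:                                         # unquoted: up to the first .exe/.com/...
        m = re.match(r"(.*?\.(?:exe|com|bat|scr|pif))(?:\s|$)", cmd, re.IGNORECASE)
        exe = m.group(1) if m else cmd.split(" ")[0]
    return exe.rsplit("\\", 1)[-1].lower()

def parse_o4(log_text):
    """Extract O4 Run/RunServices entries from HijackThis log text."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries.append({"hive": hive, "key": key, "name": name, "command": command})
    return entries

def flag_suspicious(entries):
    """Return (key, name, exe, reasons) for entries worth checking by hand."""
    keys_by_exe = {}
    for e in entries:
        keys_by_exe.setdefault(exe_name(e["command"]), set()).add(e["key"])
    findings = []
    for e in entries:
        exe = exe_name(e["command"])
        reasons = []
        if "windows update" in e["name"].lower() and exe not in GENUINE_WU_BINARIES:
            reasons.append("entry named after Windows Update but runs " + exe)
        # RunServices is only honoured by Windows 9x/ME; malware written to persist
        # on every Windows version commonly writes the same value to both keys.
        if {"Run", "RunServices"} <= keys_by_exe[exe]:
            reasons.append("same binary registered under both Run and RunServices")
        if reasons:
            findings.append((e["hive"] + "\\..\\" + e["key"], e["name"], exe, reasons))
    return findings
# Constructed samples: the O4 Run-key lines from the two logs posted in this thread.
XP_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Windows Update] wamgrd.exe
O4 - HKLM\..\RunServices: [Windows Update] wamgrd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Netscape\Netscp.exe" -turbo
"""
W2K_LOG = r"""
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
"""
```

`flag_suspicious(parse_o4(XP_LOG))` returns the two wamgrd.exe entries with both reasons attached; the same call on `W2K_LOG` returns an empty list.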
Also I think that as you have connected all these machines... this file is spreading itself over the network...
you should disconnect the machine which has this file locally, and then try to delete this file...
then, after making sure that it's not running anymore locally, re-connect the other machines to this PC, and then check if the other ones still start this process\service ??
ASKER
Yes.. it was running as a service on the one W2K server called Windows Update Service.
It also appears to be on the XP pc above as the same service.
So I think we have a handle on it.. thanks.
Two remaining questions.
1. Is "Windows Update Service" a real MS service name? I've never seen it before.
2. Do you have any idea what this file (service) was doing?
ASKER CERTIFIED SOLUTION
ASKER
I have now cleaned all machines.. so far no recurrence of it.
I guess time will tell.
Thanks for the advice
my pleasure :)
Download HijackThis, run it and Post the Log File here:
http://www.wilderssecurity.com/supportfiles/HijackThis1980.exe