psbrickmill

Please Help... What Is WAMGRD.exe?

All of a sudden I have several WinXP Pro PCs and a couple of Win2000 servers with a pulsating process called WAMGRD.exe.  Current Norton AV says the system has no viruses.

The file exists in the winnt/system32 directory.  If I rename it (delete not possible), the file gets rebuilt and the process starts again.

A search of the registry shows nothing.

It acts like a virus.. but I find no info anywhere...
SheharyaarSaahil

Hello psbrickmill =)

Download HijackThis, run it and post the log file here:
http://www.wilderssecurity.com/supportfiles/HijackThis1980.exe
psbrickmill

ASKER

Here is the log..
This is from one of the WinXP PCs.  The process is not currently running. (It starts up after a while... not consistent.)

Logfile of HijackThis v1.98.0
Scan saved at 4:40:21 PM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Common Files\Crystal Decisions\2.0\bin\querysrv.exe
C:\WINNT\System32\cusrvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mqtgsvc.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\ctfmon.exe
C:\Netscape\Netscp.exe
C:\GPSoftware\Directory Opus\dopus.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Novell\GroupWise\Notify.exe
C:\WINNT\system32\ntvdm.exe
C:\Documents and Settings\slundahl\Desktop\HijackThis1980.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msdn.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("aim.internal.buddy.MaxBuddies", 220);
user_pref("aim.internal.intproxyprotocol", 1);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "lundahls");
user_pref("aim.session.screenname", "lundahls");
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.check_doc_frequency", 1);
user_pref("browser.cache.disk.parent_directory", "C:\\Documents and Settings\\slundahl\\Application Data\\Mozilla\\Profiles\\default\\m6ucfwix.slt");
user_pref("browser.download.dir", "C:\\Steve\\Downloads\\Netscape4_8");
user_pref("browser.history.last_page_visited", "http://www.npabenefitsgroup.com/cbi_masthead.asp");
user_pref("browser.search.defaultengine", "engine://C%3A%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.search.mode", 1);
user_pref("browser.startup.homepage"
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("aim.internal.buddy.MaxBuddies", 220);
user_pref("aim.internal.intproxyprotocol", 1);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "lundahls");
user_pref("aim.session.screenname", "lundahls");
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.check_doc_frequency", 1);
user_pref("browser.cache.disk.parent_directory", "C:\\Documents and Settings\\slundahl\\Application Data\\Mozilla\\Profiles\\default\\m6ucfwix.slt");
user_pref("browser.download.dir", "C:\\Steve\\Downloads\\Netscape4_8");
user_pref("browser.history.last_page_visited", "http://www.npabenefitsgroup.com/cbi_masthead.asp");
user_pref("browser.search.defaultengine", "engine://C%3A%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.search.mode", 1);
user_pref("browser.startup.homepage"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Windows Update] wamgrd.exe
O4 - HKLM\..\RunServices: [Windows Update] wamgrd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [DOpus] C:\GPSoftware\Directory Opus\dopus.exe
O4 - Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Startup: WinMySQLadmin.lnk = C:\MySQL\bin\winmysqladmin.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O4 - HKLM\..\Run: [Windows Update] wamgrd.exe
O4 - HKLM\..\RunServices: [Windows Update] wamgrd.exe
======================================

Put a check mark against these two lines, and click on Fix Checked !!!!
Then reboot in Safe Mode and delete this wamgrd.exe file from C:\Windows\System32

If it gives an Access Denied error, then take its permissions and then delete it !!!!!!

HOW TO: Take Ownership of a File or Folder in Windows XP:
http://support.microsoft.com/?kbid=308421

Post back results !!!!!!
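As an added defender-side example (not code from the thread or from HijackThis), a small Python check over the O4 lines of a HijackThis log. It flags the pattern that gives wamgrd.exe away here: a label borrowing a Windows component name, a bare filename with no path, and use of the RunServices key. The sample lines are taken from the first log above; the label list and the "two reasons = suspicious" threshold are assumptions.

```python
import re

# Constructed sample: O4 lines as they appear in the thread's first HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Windows Update] wamgrd.exe
O4 - HKLM\..\RunServices: [Windows Update] wamgrd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
"""

# O4 - <hive>\..\<key>: [<name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Labels that impersonate a Windows component (assumed list; the thread shows "Windows Update").
IMPERSONATED_LABELS = {"windows update", "windows update service"}


def analyze_o4(log_text):
    """Return one finding per O4 entry that has at least one risk indicator.

    Each finding carries the matched line, the label, the executable and the
    list of reasons; 'suspicious' is True when two or more reasons apply.
    """
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, cmd, key = m["name"], m["cmd"], m["key"]
        parts = cmd.split()
        exe = parts[0].strip('"') if parts else ""
        reasons = []
        if name.lower() in IMPERSONATED_LABELS:
            reasons.append("label impersonates a Windows component")
        if "\\" not in exe:
            reasons.append("bare filename, resolved via the search path")
        if key.lower() == "runservices":
            reasons.append("RunServices key (Win9x-era, rarely legitimate on NT)")
        if reasons:
            findings.append({"line": line.strip(), "name": name, "exe": exe,
                             "reasons": reasons, "suspicious": len(reasons) >= 2})
    return findings


if __name__ == "__main__":
    for f in analyze_o4(SAMPLE_LOG):
        print(("SUSPICIOUS " if f["suspicious"] else "review     ") + f["line"])
```

On the first log above this singles out exactly the two wamgrd.exe lines; the NvCplDaemon entry is listed for review only because it is launched by bare filename.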
Will do..

But look at this...
Here is the log from one of my win2k servers that also had it. The entry doesn't exist here?
Logfile of HijackThis v1.98.0
Scan saved at 4:32:05 PM, on 8/5/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Documents and Settings\Administrator.BMSD\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\WINNT\System32\ctxxmlss.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\mfcom.exe
C:\Program Files\NAV\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\encsvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\System32\cdmsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\Citrix\system32\icabar.exe
C:\PROGRA~1\NAV\vptray.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\Documents and Settings\Administrator.BMSD\Desktop\HijackThis1980.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator.BMSD\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator.BMSD\WINDOWS\web\related.htm (file missing)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.bmsd\windows\system32\rnr20.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BMSD
O17 - HKLM\System\CCS\Services\Tcpip\..\{594193A8-D0E0-4EBB-A256-4B2382684A67}: NameServer = 192.168.10.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BMSD
O17 - HKLM\System\CS1\Services\Tcpip\..\{594193A8-D0E0-4EBB-A256-4B2382684A67}: NameServer = 192.168.10.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BMSD
O17 - HKLM\System\CS2\Services\Tcpip\..\{594193A8-D0E0-4EBB-A256-4B2382684A67}: NameServer = 192.168.10.8
O20 - AppInit_DLLs: mfaphook.dll
Yes, you are right, it's not here :-?

Try this: go to Start > Run > regedit
and hit Ctrl+F
type wamgrd and hit Enter
and then hit Find Next, until it gives the message that no entry was found
check in which places regedit finds its entry ??

Post here the location(s) !!
Well, here are the results of searching the registry on all machines that had this process running...
I could not get to the XP PC that has the HJT log above, but it obviously has some entries.

1 xp PC - no entry found
5 W2K servers - no entry found
1 W2k server - hklm\system\ControlSet001\WAMGRD and  hklm\system\CurrentControlSet\WAMGRD

All of the above machines had this process running and the file in winnt\system32.  Interesting to note that we renamed the file on the first machine and it kept coming back...
but now that we have renamed the file on all machines that we could find... it has not started up again... yet!
That means on that one W2k server machine, it should be starting as a service !!!!!

Get msconfig from here >> http://www.perfectdrivers.com/howto/msconfig.html
Run it on this W2k server machine
and go to the Services and Startup sections.
Can you see the entry for this Windows Update (wamgrd) ??
Also I think that as you have connected all these machines..... this file is spreading itself over the network......
You should disconnect the machine which has this file locally, and then try to delete this file.....
Then, after making sure that it's not running anymore locally, re-connect the other machines to this PC, and then check if the other ones still start this process\service ??
Yes.. it was running as a service on the one W2K server called Windows Update Service.
It also appears to be on the XP pc above as the same service.

So I think we have a handle on it.. thanks.
Two remaining questions.
1. Is "Windows Update Service" a real MS service name? I've never seen it before.
2. Do you have any idea what this file (service) was doing?
ASKER CERTIFIED SOLUTION
SheharyaarSaahil
I have now cleaned all machines.. so far no recurrence of it.
I guess time will tell.
Thanks for the advice
my pleasure :)