WUAUMQR.EXE worm/virus help please

#1

This is an old worm that is playing hell on one of my computers. Does anyone have a way to eradicate it?

OS: XP
A/V: NV2003

NV2003 did not find this worm. It appears on start up every time. I have booted to safe mode and deleted the executable. I used McAfee as well but it neither sees this worm.

#2

On Wed, 25 Jun 2003 13:20:38 -0400, Sparky <3@t2.com> wrote:
> This is an old worm that is playing hell on one of my computers. Does
> anyone have a way to eradicate it?
>
> OS: XP
> A/V: NV2003
>
> NV2003 did not find this worm. It appears on start up every time. I
> have booted to safe mode and deleted the executable. I used McAfee as
> well but it neither sees this worm.

Dump NAV, buy Kaspersky.

#3

On Wed, 25 Jun 2003 13:20:38 -0400, Sparky <3@t2.com> wrote:
> This is an old worm that is playing hell on one of my computers. Does
> anyone have a way to eradicate it?
> OS: XP
> A/V: NV2003
> NV2003 did not find this worm. It appears on start up every time. I
> have booted to safe mode and deleted the executable. I used McAfee as
> well but it neither sees this worm.

From what little I can find on it, deleting it should be enough, provided you get all copies of it.

Run msconfig and look at the startup list. Uncheck all programs you don't recognize, reboot, rename them, and then check each to see what it is.

Also try to stop it from reinfecting your system. Turn off file sharing, or at least restrict it to folders that aren't used for anything else, and use strong passwords.

Change the administrator account password to something that won't be found via a dictionary attack.

See http://www.claymania.com/safe-hex.html for more info.

Regards, Dave Hodgins

#4

"Sparky" <3@t2.com> wrote in message news:0gljfv0f7tvmj2rmdq77s01uams2qcnk8l@4ax.com...

> This is an old worm that is playing hell on one of my computers. Does
> anyone have a way to eradicate it?
>
> OS: XP
> A/V: NV2003
>
> NV2003 did not find this worm. It appears on start up every time. I
> have booted to safe mode and deleted the executable. I used McAfee as
> well but it neither sees this worm.

Which begs the question ~ how have you determined that it is indeed a worm? It looks like a suspicious filename, but what's in a name....

#5

Sparky wrote:
> This is an old worm that is playing hell on one of my computers. Does
> anyone have a way to eradicate it?

at a guess, the referenced filename is generated and is of little or no use in identifying what you have...

> OS: XP
> A/V: NV2003
>
> NV2003 did not find this worm. It appears on start up every time. I
> have booted to safe mode and deleted the executable. I used McAfee as
> well but it neither sees this worm.

2 obvious options are:
a) keep trying more products, or
b) send a copy of the file to the av developer and have them sort it out...

--
"when surveys of all the world's countries are done, canada frequently rates number one. are we the best country? well we'll never know... there's nowhere else we can afford to go."

#6

On Wed, 25 Jun 2003 21:48:58 GMT, "David W. Hodgins" <dhodgin1661@rogers.com> wrote:

> On Wed, 25 Jun 2003 13:20:38 -0400, Sparky <3@t2.com> wrote:
>
>> This is an old worm that is playing hell on one of my computers. Does
>> anyone have a way to eradicate it?
>> OS: XP
>> A/V: NV2003
>> NV2003 did not find this worm. It appears on start up every time. I
>> have booted to safe mode and deleted the executable. I used McAfee as
>> well but it neither sees this worm.
>
> From what little I can find on it, deleting it should be enough, provided
> you get all copies of it.
>
> Run msconfig and look at the startup list. Uncheck all programs you
> don't recognize, reboot, rename them, and then check each to see what it
> is.
>
> Also try to stop it from reinfecting your system. Turn off file sharing,
> or at least restrict it to folders that aren't used for anything else, and
> use strong passwords.
>
> Change the administrator account password to something that won't be found
> via a dictionary attack.
>
> See http://www.claymania.com/safe-hex.html
> for more info.
>
> Regards, Dave Hodgins

David,

Thanks for the advice. I have eradicated all evidence of this file in registry, C: drive, etc. Related problem I continue to have is IE keeps auto loading and transmitting data on a specific port. I have looked everywhere to stop IE from auto loading. Registry run areas, autoexec.bat, system.ini, task manager, msconfig, Windows start up menu specific and all users. Do you have any suggestions?

Sparky

#7

On Thu, 26 Jun 2003 09:29:33 -0400, Sparky <3@t2.com> wrote:
> Thanks for the advice. I have eradicated all evidence of this file in
> registry, C: drive, etc. Related problem I continue to have is IE
> keeps auto loading and transmitting data on a specific port. I have
> looked everywhere to stop IE from auto loading. Registry run areas,
> autoexec.bat, system.ini, task manager, msconfig, Windows start up
> menu specific and all users. Do you have any suggestions?

You've omitted from your list a few other startup axis possibilities... config.sys, winstart.bat (either in root dir or %windir%), win.ini, other .ini files, task scheduler, etc.

There are many registry entries that are not obvious. Try Art's startup axis viewer from http://www.epix.net/~artnpeg/STARTUP.ZIP which will show you most of them. I don't know of any specific ones that are missing.

I don't think auto starting IE is part of the activity of this worm. You probably have other infections too. Try a trojan scanner like Spybot Search & Destroy downloadable from http://security.kolla.de/index.php?...n&page=download (donation ware that specializes in, but is not limited to spyware) or Trojan Remover From: http://www.simplysup.com/download/trjsetup.exe (trial version expires after 30 days).

Have you checked/reset the file sharing and/or administrator account passwords yet?

A full online AV scan may help identify the culprit as well. I like http://www.ravantivirus.com/index.php To scan your entire pc, you have to use Internet Explorer, with activeX etc. turned on. From the page shown above, select Online scan in the menu on the left, then scan without registering...

Let us know how you make out.

Regards, Dave Hodgins
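
Posts #6 and #7 name system.ini and win.ini among the startup locations to review. The following is an added example, not code from any poster in this thread: a Python check that pulls the programs started by the legacy `load=`, `run=` and `shell=` values out of those files. The function names and the sample file contents are constructed for illustration.

```python
import re
# Legacy INI autostart values: win.ini [windows] load=/run=, system.ini [boot] shell=
AUTOSTART_KEYS = {
    "win.ini": {"windows": ("load", "run")},
    "system.ini": {"boot": ("shell",)},
}
# Constructed sample files (hypothetical paths, not taken from the thread).
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM32\\EXAMPLE1.EXE,C:\\TEMP\\EXAMPLE2.EXE
[fonts]
run=ignored.exe
"""
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe C:\\WINDOWS\\EXAMPLE3.EXE
"""

def autostart_entries(filename, text):
    """Return (section, key, program) for each program the INI file starts at boot."""
    wanted = AUTOSTART_KEYS[filename.lower()]
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() not in wanted.get(section, ()):
            continue
        # Several programs may be listed, comma- or space-separated (paths with spaces get split).
        for prog in re.split(r"[,\s]+", value.strip()):
            if prog:
                found.append((section, key.strip().lower(), prog))
    return found

def unexpected(entries):
    """Drop the stock shell=Explorer.exe; everything left needs a manual look."""
    return [e for e in entries if (e[1], e[2].lower()) != ("shell", "explorer.exe")]

if __name__ == "__main__":
    for name, text in (("win.ini", SAMPLE_WIN_INI), ("system.ini", SAMPLE_SYSTEM_INI)):
        for section, key, prog in unexpected(autostart_entries(name, text)):
            print(f"{name} [{section}] {key}= {prog}")
```

A second program appended after `Explorer.exe` on the `shell=` line is reported, while the same key names outside the `[windows]` and `[boot]` sections are ignored.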