System32

  • Thread starter: danielms2

danielms2

My WINDOWS\System32\wuamgrd.exe file has been infected
with the Morphine virus. McAfee cannot clean the file.
The other alternative is to delete the file. How will
deletion of the file affect the running of XP etc.?
 
danielms2 said:
My WINDOWS\System32\wuamgrd.exe file has been infected
with the Morphine virus. McAfee cannot clean the file.
The other alternative is to delete the file. How will
deletion of the file affect the running of XP etc.?

You can (and should) safely delete this file. Also, if found, delete the
dlcfg32.exe file (same location)... here's some further information:

(from
http://www.webuser.co.uk/cgi-bin/forums/showflat.pl?Cat=&Board=other&Number=78281&page=2&view=collapsed&sb=5&o=93&part=2 )


Disable System Restore
1. Click Start | Control Panel.
2. Double-click the System icon. The System Properties dialog box appears.
3. Click System Restore
4. Place a check in Turn Off System Restore.
5. Click OK. Click Yes

Modify Views in Explorer:
Click Start.
Open My Computer | Select C:
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and
folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK

End Processes:
Right click on the taskbar and open Task Manager.
Go to Processes and end task on the following:

dlcfg32.exe
wuamgrd.exe
*NOTE: WUAMGRD.EXE may not be on the system; we believe DLCFG32.exe is a
variant of the WUAMGRD worm
Start | Network Connection | Right Mouse Click | Disable NIC

Delete Files:

Delete C:\Windows\System32\DLCFG32.exe
Delete C:\Windows\Prefetch\DLCFG32.exe-0d970858.pf
Delete C:\WINDOWS\System32\wuamgrd.exe (May not exist)
Delete C:\Documents and Settings\"userprofilename"\Local Settings\Temp
Delete C:\Windows\Temp

Registry Changes:

Start | Run | Regedit
Delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft DL Config 32bit"="dlcfg32.exe"
Delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Microsoft DL Config 32bit"="dlcfg32.exe"

Install Patch:

Install the patch ms04-001 kb835732

Verify:

Start | Network Connection | Right Mouse Click | Enable NIC
Network Connection | Properties uncheck File and Print Sharing
Verify that the person assigned to the PC is not an Administrator on the local
box
Empty the Recycle Bin
Cold Boot the PC
Power on
Verify that the Registry Settings are not back and that the deleted files
did not return
If the files are not back: Click Start | Control Panel | Double-click the
System icon
System Restore | Remove the check mark next to 'Turn off System Restore on
All Drives'.
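
The last verification step in the reply above (confirm after the cold boot that the registry settings and deleted files did not return) can be scripted as a read-only check. This is an added example, not part of the original post; it assumes Windows PowerShell is installed, and the function name Test-CleanupIndicators is hypothetical. File names, paths and the Run value name are the ones given in the post.

```powershell
# Added example: read-only re-check of the indicators named in the post above.
# File names, paths and the Run value name come from the post; the function
# name Test-CleanupIndicators is hypothetical. Assumes Windows PowerShell.
function Test-CleanupIndicators {
    $findings = @()

    # Processes the post says to end (process names carry no .exe suffix).
    $procs = @(Get-Process -Name dlcfg32, wuamgrd -ErrorAction SilentlyContinue)
    foreach ($p in $procs) {
        $findings += "Process running: $($p.ProcessName) (PID $($p.Id))"
    }

    # Files the post says to delete (wuamgrd.exe may never have existed).
    $files = @(
        (Join-Path $env:windir 'System32\dlcfg32.exe'),
        (Join-Path $env:windir 'System32\wuamgrd.exe'),
        (Join-Path $env:windir 'Prefetch\DLCFG32.exe-0d970858.pf')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
    }

    # Autostart keys the post says to clean; RunServices is often absent.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $key = Get-Item -LiteralPath $k
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # Match on the value name from the post or on either file name.
            if ($name -eq 'Microsoft DL Config 32bit' -or
                $data -match 'dlcfg32\.exe|wuamgrd\.exe') {
                $findings += "Autostart entry in ${k}: $name = $data"
            }
        }
    }
    return $findings
}

$result = @(Test-CleanupIndicators)
if ($result.Count -eq 0) {
    Write-Output 'None of the listed files, processes or Run entries were found.'
} else {
    $result
}
```

Run it from an administrator session so the Prefetch folder and HKLM keys are readable; any line it prints means that item from the removal steps is present again.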
 
WUAMGRD.EXE *is* the Trojan, Morphine's probably packed with it.
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

VirusScan should be able to deal with it in Safe Mode
http://aumha.org/forum/viewtopic.php?t=5878

Have you visited Windows Update lately? ...ever?

Do you use Kazaa or any other P2P app?
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

What You Should Know About Spyware
http://www.microsoft.com/mscorp/twc/privacy/spyware.mspx
 
