What is windows\system32\wuagrd.exe?

DotNet Ed

Hi,
Every time I start up WinXP Pro I receive a warning from Zone Alarm
indicating that wuagrd.exe is trying to act as a server or accessing the
internet (I believe it is the 1st).

This file is under \windows\system32\ and goes by the name wuagrd.exe. It
cannot normally be seen because it hides there as System & Hide
(attributes). The file date is quite recent (from a day or two ago). The
file is about 125KB and when I check the properties it does not show any
information like the other execs in the same directory which usually say
they come from Microsoft etc. This has a totally empty property screen.

When I run the anti-virus with the most recent definition it does not
complain about any virus (though it was wormed a few days ago when I was
upgrading, that infection was removed).

I used the explorer in that directory to show all hidden and system files to
be able to see it. Then I ran the virus scanner on that file (Verify with
....) and it also showed no infection.

However, like I said, every time I boot windows this file attempts to do
something that is caught by zone alarm (Zone Alarm has no further
information) and it shows in the task manager as a process running under my
name.

If I kill the process it does NOT come back again.

I have performed a search on the internet and wuagrd produces absolutely no
results. Can I safely remove this file? Is it some sort of obscure WinXP or
other Microsoft file?
 
DotNet Ed

Some extra information...

a) A search for wuagrd*.* in the Windows XP CD produced no finds.
b) wuagrd.exe is active as soon as I log in. The ZoneAlarm logs show that
b-1) it tries to act as a server
b-2) it attempts to contact 194.134.0.97:53 or 194.134.5.5:53. Both
of these are shown by ipconfig /all as my DNS servers.
c) A search on the registry showed a key named "Microsoft Update Machine"
under HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices. It
is a key of type REG_SZ and value "wuagrd.exe".
There is also another key with the same value under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,
HKUsers\.default\Software\Microsoft\Windows\CurrentVersion\RunServices\ and
in a couple other places.

It is strange that while it appears as an update (and the name kind of
suggests that) engine from Microsoft -and is marked as Microsoft Update
Engine-, there is no mention of it on the web. A search on the Microsoft
site also produced no results.
 
GB

DotNet Ed said:
Some extra information...

a) A search for wuagrd*.* in the Windows XP CD produced no finds.
b) wuagrd.exe is active as soon as I log in. The ZoneAlarm logs show that
b-1) it tries to act as a server
b-2) it attempts to contact 194.134.0.97:53 or 194.134.5.5:53. Both
of these are shown by ipconfig /all as my DNS servers.
c) A search on the registry showed a key named "Microsoft Update Machine"
under HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices. It
is a key of type REG_SZ and value "wuagrd.exe".
There is also another key with the same value under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,
HKUsers\.default\Software\Microsoft\Windows\CurrentVersion\RunServices\ and
in a couple other places.

It is strange that while it appears as an update (and the name kind of
suggests that) engine from Microsoft -and is marked as Microsoft Update
Engine-, there is no mention of it on the web. A search on the Microsoft
site also produced no results.

I also tried a web-search, which produced nothing. That would tend to
suggest it is a virus/trojan/spyware. Somebody somewhere has written
complaining about *every* piece of MS software. Some of the viruses install
themselves with random names, which could be the case here.

Geoff
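
The manual checks described in this thread (autorun registry values, empty file properties, hidden/system attributes) can be collected in one pass. The following is an added example, not part of the original posts; it assumes PowerShell is available on the machine (it is not shipped with Windows XP), `Resolve-AutorunPath` is a hypothetical helper name, and the key list is the keys named in the thread plus their sibling Run/RunServices keys.

```powershell
# Added example: list autorun values and flag entries that need a closer look.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Resolve-AutorunPath {
    param([string]$Command)
    # Extract the executable from the command line: quoted path, path ending in .exe, or first token.
    if     ($Command -match '^\s*"([^"]+)"')            { $exe = $Matches[1] }
    elseif ($Command -match '(?i)^\s*(.+?\.exe)(\s|$)') { $exe = $Matches[1] }
    else   { $exe = ($Command.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) { return $exe }
    # A bare name such as "wuagrd.exe" is looked up in System32, then the Windows directory.
    foreach ($dir in "$env:SystemRoot\System32", $env:SystemRoot) {
        $candidate = Join-Path $dir $exe
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $path = Resolve-AutorunPath -Command $command
        # -Force is required to read files carrying the Hidden/System attributes.
        $file = if ($path) { Get-Item -LiteralPath $path -Force } else { $null }
        [pscustomobject]@{
            Key        = $key
            Name       = $name
            Command    = $command
            Path       = $path
            Company    = if ($file) { $file.VersionInfo.CompanyName }
            Attributes = if ($file) { $file.Attributes }
            Signature  = if ($file) { (Get-AuthenticodeSignature -LiteralPath $path).Status }
            Modified   = if ($file) { $file.LastWriteTime }
        }
    }
}

# Review candidates: unresolved target, no company string, no valid signature, or hidden file.
$results | Where-Object {
    -not $_.Path -or -not $_.Company -or $_.Signature -ne 'Valid' -or
    ($_.Attributes -band [IO.FileAttributes]::Hidden)
} | Format-List
```

An entry in the output is a candidate for review, not a verdict; legitimate unsigned software will also appear.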
 
