wuamagr32.exe [UPX] - can't get rid of this virus

My avast has detected this virus,

wuamagr32.exe[UPX]

but when I try deleting it or moving it to the chest, it says "access denied". The same happens in Safe Mode.

I also tried deleting it “at next system start”

http://www.asw.cz/eng/support/faq/avast_4_home_profe/virus_detection_and/index.html#idt_1547

But I got a message saying "cannot proceed".

Please, can someone suggest how i can delete this virus?

wuamagr32.exe is related to the Spybot .CG worm, it shouldn’t be hard to remove it. I wonder why it is for you. Anyway, click on the link in my signature and follow the instructions on that page. That should work.

Since your system is infected, I would appreciate it if you also ran HijackThis and the HijackThis log file analyzer and sent me both logs as explained in the read.me.
That will help me develop the HijackThis log file analyzer. (Yes I wrote that one) It ain’t a must, just a request.

Hi,

Do you have Win XP or ME?

If the file is located in the _RESTORE / System Volume Information
folder, then disable RESTORE & reboot.

See the "VirusRemoval" link below, or the User FAQs or avast FAQs.

:wink:

The file that is infected is not a System Restore file. I disabled System Restore and tried removing the virus in Safe Mode, but it said "access denied".

I pressed Ctrl-Alt-Del to bring up Task Manager, but there is no option in my Task Manager that says "processes", so I can't end the task.

Here is my log file; for some reason the R0s won't show!

StartupList report, 16/07/2004, 00:40:07
StartupList version: 1.52.2
Started from : C:\Documents and Settings\james\Local Settings\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

  • Using default options

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SAMSUNG\SAMSUNG AHT-E310\CnxDslTb.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\qwerty.exe
C:\windows\system32\tasker32.exe
C:\documents and settings\colin\local settings\temp\Dq.exe
C:\documents and settings\colin\local settings\temp\A.exe
C:\WINDOWS\System32\svvhost.exe
C:\WINDOWS\System32\wuamagr32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wapisvsu.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\james\Local Settings\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackThis.exe

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
hpoddt01.exe.lnk = ?
hp psc 1000 series.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SUPASTATUS = C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
CnxDslTaskBar = C:\Program Files\SAMSUNG\SAMSUNG AHT-E310\CnxDslTb.exe

avast! = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
MessengerPlus2 = “C:\Program Files\Messenger Plus! 2\MsgPlus.exe”
LoadHTML = rundll32.exe C:\WINDOWS\System32\mshtmpre.dll,MShtmpre
TkBellExe = “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
QuickTime Task = “C:\Program Files\QuickTime\qttask.exe” -atboottime

WSAConfiguration = SYSTEM.DLL
C73DC3C0 = C:\WINDOWS\System32\aumhgn.exe
Microsoft Update Machine = qwerty.exe
Adstartup = C:\WINDOWS\System32\automove.exe

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

WSAConfiguration = SYSTEM.DLL
C6C73160 = C:\WINDOWS\System32\aumhgn.exe
Microsoft Update Machine = qwerty.exe

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Update Machine = qwerty.exe
Bssn = C:\Documents and Settings\james\Application Data\euea.exe
msnmsgr = “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
WTSS = C:\WINDOWS\System32\wapisvsu.exe
Windows Firewalll = svvhost.exe
Microsoft Update = wuamagr32.exe

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=INI section not found
SCRNSAVE.EXE=INI section not found
drivers=INI section not found

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\POSTIG~1.SCR
drivers=Registry value not found

Policies Shell key:

HKCU..\Policies: Shell=Registry key not found
HKLM..\Policies: Shell=Registry value not found

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - (no file) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966}
(no name) - C:\WINDOWS\System32\mshtmpre.dll (file missing) - {D879A0F1-2B3B-4409-8879-FAD6E49E1EA9}

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 1200 series#1069455535.job

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

You posted a StartupList, not a HijackThis log. With a HijackThis log it is easier to say what to do.

These things are "bad" and should be deleted in Windows Safe Mode:

C:\WINDOWS\System32\svvhost.exe
C:\WINDOWS\System32\wuamagr32.exe

and some more (LoadHTML = rundll32.exe C:\WINDOWS\System32\mshtmpre.dll,MShtmpre). So please post the HijackThis log.

OK, here are the things that are definitely harming your system. Remove them all.
I suspect that there are more things that need to be removed, so please post the entire HijackThis log here, or send it to the email address in the read.me which comes with the HijackThis log file analyzer program.

C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\qwerty.exe
C:\windows\system32\tasker32.exe
C:\documents and settings\colin\local settings\temp\Dq.exe
C:\documents and settings\colin\local settings\temp\A.exe
C:\WINDOWS\System32\svvhost.exe
C:\WINDOWS\System32\wuamagr32.exe
C:\WINDOWS\System32\wapisvsu.exe

For more info on wapisvsu, look at the following site under Winservn:
http://www.answersthatwork.com/Tasklist_pages/tasklist_w.htm

LoadHTML = rundll32.exe C:\WINDOWS\System32\mshtmpre.dll,MShtmpre
C6C73160 = C:\WINDOWS\System32\aumhgn.exe
Microsoft Update Machine = qwerty.exe
Bssn = C:\Documents and Settings\james\Application Data\euea.exe
WTSS = C:\WINDOWS\System32\wapisvsu.exe
Windows Firewalll = svvhost.exe
Microsoft Update = wuamagr32.exe
(no name) - (no file) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966}
(no name) - C:\WINDOWS\System32\mshtmpre.dll (file missing) - {D879A0F1-2B3B-4409-8879-FAD6E49E1EA9}

as requested:

Logfile of HijackThis v1.98.0
Scan saved at 21:22:38, on 21/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SAMSUNG\SAMSUNG AHT-E310\CnxDslTb.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\qwerty.exe
C:\windows\system32\tasker32.exe
C:\documents and settings\colin\local settings\temp\Dq.exe
C:\documents and settings\colin\local settings\temp\A.exe
C:\WINDOWS\System32\svvhost.exe
C:\WINDOWS\System32\wuamagr32.exe
C:\documents and settings\judith\local settings\temp\zC.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wapisvsu.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\james\Local Settings\Temp\Temporary Directory 4 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.ush.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.ush.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.ush.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.ush.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.ush.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.ush.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.ush.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.ush.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ush.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ush.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.timecomputers.com/
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: HTML Class - {D879A0F1-2B3B-4409-8879-FAD6E49E1EA9} - C:\WINDOWS\System32\mshtmpre.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O4 - HKLM..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [CnxDslTaskBar] C:\Program Files\SAMSUNG\SAMSUNG AHT-E310\CnxDslTb.exe
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [MessengerPlus2] “C:\Program Files\Messenger Plus! 2\MsgPlus.exe”
O4 - HKLM..\Run: [LoadHTML] rundll32.exe C:\WINDOWS\System32\mshtmpre.dll,MShtmpre
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [WSAConfiguration] SYSTEM.DLL
O4 - HKLM..\Run: [C73DC3C0] C:\WINDOWS\System32\aumhgn.exe
O4 - HKLM..\Run: [Microsoft Update Machine] qwerty.exe
O4 - HKLM..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM..\Run: [Microsoft Task Scheduler] C:\windows\system32\tasker32.exe
O4 - HKLM..\Run: [Dq] C:\documents and settings\colin\local settings\temp\Dq.exe
O4 - HKLM..\Run: [A] C:\documents and settings\colin\local settings\temp\A.exe
O4 - HKLM..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM..\Run: [qs4X37e] rmbpdmoe.exe
O4 - HKLM..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM..\Run: [Windows Firewalll] svvhost.exe
O4 - HKLM..\Run: [Microsoft Update] wuamagr32.exe
O4 - HKLM..\Run: [zC] C:\documents and settings\judith\local settings\temp\zC.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\RunServices: [WSAConfiguration] SYSTEM.DLL
O4 - HKLM..\RunServices: [C6C73160] C:\WINDOWS\System32\aumhgn.exe
O4 - HKLM..\RunServices: [Microsoft Update Machine] qwerty.exe
O4 - HKLM..\RunServices: [Microsoft Task Scheduler] C:\windows\system32\tasker32.exe
O4 - HKLM..\RunServices: [Windows Firewalll] svvhost.exe
O4 - HKLM..\RunServices: [Microsoft Update] wuamagr32.exe
O4 - HKCU..\Run: [Microsoft Update Machine] qwerty.exe
O4 - HKCU..\Run: [Bssn] C:\Documents and Settings\james\Application Data\euea.exe
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
O4 - HKCU..\Run: [Windows Firewalll] svvhost.exe
O4 - HKCU..\Run: [Microsoft Update] wuamagr32.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra ‘Tools’ menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: ScreenSaverPlus - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\ScreenSaverPlus (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip..{A860EBB1-22CD-42F1-A309-67ACB7E8A92D}: NameServer = 213.40.66.126 213.40.130.126
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\CFILORUX.dll
O18 - Filter: text/html - {63B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32\CFILORUX.dll
O18 - Filter: text/plain - {63B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32\CFILORUX.dll

Tell me what to delete and how to do it. Does it need to be done in Safe Mode?

wowee…

flattening might be an option…

otherwise install & update Spybot & Ad-Aware, then reboot to Safe Mode and scan & fix with them several times, until nothing more is found/removed…

reboot again to Safe Mode, and post a new HijackThis log here then, please

Read "VirusRemoval" below for details… also secure your system as described there: passwords, browser, shares etc etc…

Is avast up to date? Which version for prog & VPS?
Are all Windows updates
:wink:

I'm using avast Home Edition; it is all up to date. I have all Windows critical updates up to date.

I ran HijackThis yesterday and chose the process manager option, which showed me all the processes that are running on the computer. I found wuamagr32, highlighted it, and pressed "kill" to end the process.

I scanned with avast, but again when I tried deleting the virus or moving it to the chest it said "access denied".

In Safe Mode, all my programmes are there except Ad-Aware; it seems to be missing. I can't see Ad-Aware anywhere in Safe Mode. I have tried searching for it, so I can't use it. Ad-Aware is there when I run the computer normally.

I ain't the expert, but I'm sure you will agree I need to end the wuamagr process.

What about running HijackThis and fixing the following? Should it be done in Safe Mode?

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\qwerty.exe
C:\windows\system32\tasker32.exe

O4 - HKLM..\RunServices: [Microsoft Update] wuamagr32.exe
O4 - HKCU..\Run: [Microsoft Update Machine] qwerty.exe
O4 - HKCU..\Run: [Bssn] C:\Documents and Settings\james\Application Data\euea.exe
O4 - HKCU..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
O4 - HKCU..\Run: [Microsoft Update] wuamagr32.exe

I have tried fixing the 2 wuamagr32 entries with HijackThis, but it was not in Safe Mode; when I scanned with avast it said "access denied".

Please advise?

Also, in the past week avast has detected over 30 viruses. Why am I getting so many viruses? What can I do about it?

Please help!

Hi,

here's the analysis for your log:
http://hijackthis.de/logfiles/b35707ba845692d58997c53a049f0b43.html
Read carefully, and then fix everything in RED and YELLOW that you don't know or need.

@1) Empty avast's chest, then do a boot-time scan with avast.

@2) In normal boot, right-click on the icon/link to Ad-Aware, select Properties → Program. Note the path/filename of the EXE.
In Safe Mode, browse to the EXE file and double-click to run Ad-Aware.
What about Spybot?

@3) reread the above advice and follow the links & instructions to secure your system:

  • passwords, shares, browser etc etc etc…

P.S.:

  1. check all (startup) entries in the HJT log to see if they are malicious or useless,
    and fix them if so…
    → with the log file from HijackThis
    http://www.spywareinfo.com/~merijn/htlogtutorial.html (English tutorial) in combination with:

a) database http://www.sysinfo.org/startuplist.php or OFFLINE: http://www.pacs-portal.co.uk/startup_pages/start_ups.exe or
http://www.windowsstartup.com/wso/search.php & http://www.reger24.de/processes.php & www.google.de
b) KAV-Scanner (see below)

reboot…
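The P.S. above asks the poster to check every startup entry in the HJT log against a database. The Python below is an added example, not part of this thread or of HijackThis, that applies a few of the heuristics the helpers used by eye to the "O4" lines: a bare file name with no directory, a binary run from a temp or profile folder, an entry name that sounds like an OS component, and a file name one edit away from a real system binary. The sample lines are copied from the log posted above; the reason strings, the folder list and the system-binary list are my own choices.

```python
import re

# Regexes for one HijackThis O4 line ("O4 - HKLM..\Run: [Name] command") and for the
# first executable/DLL in its command; the posted log shows curly quotes after extraction
O4_RE = re.compile(r"^O4 - HK\w+\.\.\\\w+: \[([^\]]*)\] (.*)$")
EXE_RE = re.compile(r'^["“]?(.*?\.(?:exe|dll|scr|com|bat))', re.I)
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\application data\\")
LOOKALIKE = re.compile(r"^(microsoft|windows)\b", re.I)
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss names like svvhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_o4(line):
    """Return (name, exe, reasons) for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    name, cmd = m.group(1), m.group(2)
    em = EXE_RE.match(cmd)
    exe = em.group(1) if em else (cmd.split() or [""])[0]
    low = exe.lower()
    base = low.rsplit("\\", 1)[-1]
    reasons = []
    if "\\" not in exe:  # no directory given: Windows resolves it via path search
        reasons.append("bare file name, resolved via path search")
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("runs from user temp/profile directory")
    if LOOKALIKE.match(name) and not ("\\windows\\" in low or "program files" in low):
        reasons.append("OS-style entry name for a non-OS path")
    near = [s for s in SYSTEM_BINARIES if base != s and edit_distance(base, s) == 1]
    if near:
        reasons.append("name one edit away from " + near[0])
    return name, exe, tuple(reasons)

def triage_log(lines):
    """Map entry name -> reasons for every O4 line that raised at least one flag."""
    hits = (triage_o4(line) for line in lines)
    return {h[0]: h[2] for h in hits if h and h[2]}

# Sample lines copied from the HijackThis log posted in this thread
SAMPLE_LINES = [
    r"O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe",
    r"O4 - HKLM..\Run: [Dq] C:\documents and settings\colin\local settings\temp\Dq.exe",
    r"O4 - HKLM..\Run: [Windows Firewalll] svvhost.exe",
    r"O4 - HKLM..\Run: [Microsoft Update] wuamagr32.exe",
    r'O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background',
]
```

A flagged entry is a reason to look the file up, not proof on its own; the avast and MSN Messenger lines pass every check while the three the thread called out do not.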

Should the entries be fixed with HijackThis, in Safe Mode?