AVUPDCHK and WUAMGRD (was Re: CVMONITOR.EXE)
From: Dave Garrett (dave_at_compassnet.com)
Date: 05/09/04
- Next message: LJK: "ftp, cont'd."
- Previous message: buddy: "Re: Yahoo user's - Disguised SPAM post"
- In reply to: Dave Garrett: "Re: CVMONITOR.EXE"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 9 May 2004 18:16:40 -0500
In article <MPG.1b085c4d3c3d66bc989e68@207.14.113.17>,
dave@compassnet.com says...
> [etc - list snipped for brevity]
>
> I'm running Win2K instead of XP, but I ran across your post in a Google
> search and felt compelled to follow up, as I'm at my wits' end. Both
> machines on my network (behind a Netgear router connected to the net)
> are exhibiting almost identical symptoms as the ones you describe,
> including the exact changes to my HOSTS file. Unfortunately, fixing the
> problem does not appear to be as easy as you describe in my case. I'm
> not showing the CVMONITOR.exe process in Task Manager, and when I tried
> to run regedit, it quit almost immediately. I was able to boot in safe
> mode and run regedit, but the registry keys you list were not present.
>
> My antivirus program (Grisoft's AVG Anti-Virus 6.0, updated regularly)
> also refused to run, quitting almost immediately after startup. I was
> also able to get it to run from the command line in safe mode, but it
> didn't detect anything.
>
> My net connection is also hosed, as it looks like something has screwed
> up DNS, but all the usual settings seem OK.
>
> Obviously, I've got malware on my machines somewhere - the question is
> where? Does anyone have any ideas as to how I should proceed from here?
> I'm about ready to reinstall Win2K, as I have all of my data backed up,
> but before I take that fairly drastic step without even knowing if it's
> going to get rid of the malware, I thought I'd ask here.
Following up on my own post, I think I've discovered the problem - a
particularly nasty combination of avupdchk.exe and wuamgrd.exe. The
former was the culprit preventing the antivirus program from running
(not that it would have mattered, as apparently many AV programs aren't
detecting these yet) and copying the loopback entries into the HOSTS
file - more info can be found here:

The latter was a lot nastier - check out this thread for info:
http://www.computercops.biz/postt24086.html
and this for removal instructions:
http://www.sophos.com/virusinfo/analyses/w32rbota.html

It is particularly insidious because it is memory-resident, and will
keep recopying itself into the registry if you delete the keys listed in
the page above. And you can't kill it with Task Manager - access is
denied. I finally downloaded a third-party Task Manager-like process
viewer called PrcView:
http://www.teamcti.com/pview/prcview.htm
and was able to kill the wuamgrd.exe process with it. Once I did so the
registry modifications stuck. For now, anyway, as I keep my fingers
crossed. There isn't a whole lot of info out there on either one of
these, so I'm hoping that this post will save someone else the effort of
expending almost an entire day trying to figure out why they're having
similar problems.
Dave
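The HOSTS-file tampering Dave describes (vendor hostnames pointed at the loopback address so AV updates and lookups silently fail) can be checked for with a small parser. This is an added example, not code from the post or from any of the tools it links; the sample HOSTS content and the `.invalid` hostnames are constructed.

```python
import ipaddress

# Constructed sample HOSTS file (not taken from the post): one normal localhost
# line, one legitimate LAN entry, and two vendor-style hostnames sinkholed to
# 127.0.0.1 the way the post describes the malware rewriting HOSTS.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.20    fileserver.lan              # constructed legitimate entry
127.0.0.1       av-update.example.invalid   # constructed: update site sinkholed
127.0.0.1  www.vendor-site.example.invalid  # constructed: vendor site sinkholed
::1             localhost
"""

# Names that legitimately map to a loopback address in a stock HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS-format text.

    Handles whole-line and trailing '#' comments, blank lines, and several
    hostnames on one line, all of which the HOSTS format allows.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower(), line_no


def find_sinkholed(text):
    """Return [(line_no, hostname)] for non-local names mapped to loopback.

    Malformed address fields are reported too: a hand-edited or tampered
    file may contain them, and they deserve a look either way.
    """
    hits = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((line_no, name))  # not a valid IPv4/IPv6 address
            continue
        if addr.is_loopback and name not in LOCAL_NAMES:
            hits.append((line_no, name))
    return hits
```

To check a live machine, read the real file (on Windows it is `%SystemRoot%\System32\drivers\etc\hosts`) and pass its contents to `find_sinkholed`; a flagged vendor or update hostname is the symptom the post describes.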