what is the "Windows\System|wnmngm1.exe" file and what does it do? 
Mine is infected with a Trojan Horse virus.

---

Request for Question Clarification by blader-ga on 26 Jul 2002 20:19 PDT

Are you sure you don't mean "winmgmt.exe?"

---

Request for Question Clarification by livioflores-ga on 26 Jul 2002 20:52 PDT

I think you must check the spell

---

Clarification of Question by wheii-ga on 27 Jul 2002 10:05 PDT

I have double checked the spelling and the "infected file" is
definately spelled "wnmngm1.exe", or maybe THIS IS the virus itself!?

Hi wheii-ga,

It does indeed seem like "wnmngm1.exe" is a trojan (which means you
can delete it as it does not seem to be a windows required file). I do
suggest submitting this file to an AV company to tell you what exactly
it is (if you are interested)

I will provide you with the links below.

Hope this has answered your question.

Additional links:

How to submit the trojan to Symantec : <
http://service2.symantec.com/SUPPORT/nav.nsf/docid/2000031615501306 >

How to submit the trojan to McAfee AVERT : <
http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/submit-sample.asp
>

Search Strategy:

< http://groups.google.com/groups?q=wnmngm1&hl=en&lr=&ie=UTF-8&selm=32a9641f.0207262312.a9c2e5f%40posting.google.com&rnum=5
>

Best wishes, 
mistajon-ga

---

Clarification of Answer by mistajon-ga on 31 Jul 2002 00:26 PDT

I did not notice you posted a comment below. Let me answer it for you.

I recommend deleting the dialer123.exe and wnmngm1.exe as this is NOT
a windows file.

You can delete this file by:

Start -> Shutdown -> Exit to MS DOS mode. 
(if you are using WinME you may need to make a bootup disk by going to
Start -> Settings -> Control Panel -> Startup -> Create startup disk.

Type:

c:
cd \progra~1
deltree dialers 

(or if this does not work:
cd dialers
del *.*
cd ..
rd dialers)

cd \windows\
del wnmngm1.exe
cd \windows\system
del wnmngm1.exe

If you need any more help please allow me to clarify.

Best wishes,
mistajon-ga

I searched the MS Knowledge Base web page and nothing came up. I also
searched my win98 machine and did not find a copy. I am thinking of
two likely scenarios.
1. the file name is spelled wrong. 
2. that file is not infected with a virus, IT IS the virus, and
doesn't belong there. I have herd of viruses that store themselves
with file names that are cryptic or 'windows like' to fool people in
to leaving them alone. Of corse my instillation could be different.

Something you might try is right-clicking on the file and selecting
"properties", then clicking on the "version" tab. There should be a
"Description" line that you can copy and paste into a reply. Also, run
the System File Checker (click "start" then "run" and type in "sfc"
hit enter. Scan for altered files. If it finds the wnmngm1.exe file
corrupted, you will have the chance to restore it from the win98
instillation CD.

Please check the spell

It is a file that reinstalls the virus dialer123.exe if you delete the
dialer file itself.

I have double checked the spelling and the "infected file" is
definately spelled "wnmngm1.exe", or maybe THIS IS the virus itself!?

I checked the properties of this file (there is no version tab).  It
is 27.5KB and was created on 7/13/02.  It cannot be deleted or
quarantined.  There is also a file called wnmngm1c.dll which is not
infected.

I will run sfc now and report back.  Any more thoughts?

I just scanned my hard drive for altered files using sfc.  No altered
files were detected.  There is a file called dialer123.exe though in
my C\Windows folder and in my C\Program Files\Dialers folder.  This is
some malicious file I believe.  Can I delete it?  If I do will I then
be able to delete the wnmngm1.exe file?  If not and this wnmngm1.exe
file is malicious or a virus how do I delete it as I have already
tried the normal ways and it does not delete?

What you need to do to get rid of those files is to boot into DOS and
delete them there. Here's how to do it:

Restart your computer and press F8 before the Windows 98 loading
screen comes up. You should get a menu. Select MS-DOS Command Prompt
(option 6?).

You should then see a C:\ prompt. If you see some other directory in
your C drive type in "cd \" without the quotes.

Next, type in the following pressing enter after each line.
cd windows
cd system
del wnmngm1.exe
cd \
cd progra~1
del dialers
y
rd dialers

Hopefully that'll fix your problem.
Good luck!

The reason you can't delete the file is because the virus adds a value
in the registry that runs the file when windows starts (you can't
delete a file that is in use). You must remove the file and the
registry entry.

To remove the file.
1. follow deadlychiapet's instructions

To remove the registry entry.
1. click "start" then "run" then type in "regedit" and hit enter.
2. use the left pane to navigate to
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
3. select the "fn" value in the right pane and delete it.
4. exit the registry editor.

Here is some info on the virus
http://vil.nai.com/vil/content/v_99580.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.ultimax.html

Also, according to Symantec, this virus spreads by using open shares
on windows machines (sharing files through Network Neighborhood). So
you should stop sharing folders that are not nessary and put passwords
on thoes folders that you do share. It would be nice of you to inform
anyone else that accesses shared folders of this infection because you
might have given it to them or they might have given it to you.