Dangerous: YES
Filename:
winupgro.exe
Associated Files :
winupgro.exe, wintems.exe, flec006.exe, srosa.sys, hldrrr.exe, mdelk.exe, winfilse.exe, hidr.exe, re_file.exe, hidn.exe
File Behavior:
W32.Beagle downloads and executes malicious files from a remote server. This is a worm that uses the rootkit techniques to hide itself on the infected computer.
Malware Name:
W32.Beagle@mm,
Malware Type:
Trojan Vundo, Bagle Infection, W32.Beagle@mm, Worm
File Location:
C:\Documents and Settings\YourUserName\Application Data\drivers\winupgro.exe
C:\Documents and Settings\YourUserName\Application Data\m\flec006.exe
C:\Documents and Settings\YourUserName\Application Data\drivers\srosa.sys
C:\windows\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe
C:\Documents and Settings\LocalService\Application Data\drivers
C:\Documents and Settings\YourUserName\Application Data\m
Symptoms:
1. When your computer boots up a process called winupgro.exe starts up and uses all your CPU power.
2. It disables all of your antivirus programs. Example - Im using avast! Antivirus and when i click on it i see this message "AshAvast.exe is not a valid Win32 application"
3. Deleting only the winupgro.exe will not work there has been lots of copies and files it made on your computer, if you delete only the winupgro.exe file it will re-appear when you reboot.
Removal Procedure #1:
1. Reboot your PC
2. When windows is starting up press Alt+Ctrl+Delete to open up 'Windows Task Manager' locate the winupgro.exe file and left click then End Process. - Remember to do this fast because the winupgro.exe file will hide itself and you won't be able to click on it, if you take to long and don't see that process restart your computer untill you end that process.
3. Download F-Secure BlackLight and run it, after it will safe a log file on your desktop there it will show you where the malicious files are located.
Now go ahead and delete the files and folders listed in the File Location above. - For me the files where located in these locations
C:\Documents and Settings\YourUserName\Application Data\drivers\
C:\WINDOWS\system32\wintems.exe
4. After download ComboFix and save the file to your desktop, rename it from Combofix to Combo-Fix. - It' important you rename it to Combo-Fix during the download and not after or winupgro will corrupte it making it unable to open.
5. Open up Combo-Fix.exe file that you saved on your desktop let it run. 'Note - this might take some time so don't rush it if you want it to be removed properly' after it will automatically restart your computer.
6. After you have successfully removed the infection Re-install your Antivirus program or any other applications that have been corrupted.
If the first procedure didn't work then let's move on to the next procedure
Removal Procedure #2:
1. Repeat step 1. and 2. from the First Procedure. - Restart PC and then right click on winupgro.exe to End Process.
2. Download the AVZ Antiviral Toolkit.
3. Download the Script Code file script.txt Right Click and Save Target As...
4. Open AVZ Antiviral Toolkit then click on File and from the drop down menu click on Custom scripts.
5. In the Custom script box click on Load and find the script.txt that you downloaded, or enter this url in the box http://escoflip.i8.com/script.txt then Open.
6. And last but not least click on the Run button to Execute the Script. - Don't use your PC while the script is being executed and wait for you computer to reboot.
If your still having problems removing this Trojan, Try some online free virus scans:
Kaspersky
ESET Smart Security/ESET NOD32 Antivirus
Trend Micro HouseCall
AVG LinkScanner
F-Secure
BitDefender
Suggest Programs that can be useful for the removal of malware:
Registry Fix scan, repair, and restore your Registry.
(Download-registryfix.exe)
HijackThis scans then lists the contents of key areas of the Registry and also offers the ability to remove the registry contents.
(Download-HJTInstall.exe)
CCleaner it removes temporary files, history, cookies, Autocomplete form history, index.dat.
(Download-ccsetup222.exe)
Spybot - Search & Destroy checks your PC for adware and other system invaders.
(Download-spybotsd162.exe)
The Avenger is effective at removing malware that is deep in the computer's operating system, It's often difficult for most standard tools to do what this program does.
(Download-avenger.zip)
Pocket Killbox is a tool to delete in-use files, if the file is running, KillBox will attempt to end the process (close the running file) and delete it.
(Download-KillBox.exe)
Rootkit Buster is a rootkit scanner that can scans hidden files, registry entries, processes, drivers, and Master Boot Record (MBR) rootkits.
(Download-RootkitBuster_2.52.1013.zip)
Prevx 3.0 keep your computer and personal information safe from malicious software like rootkits, MBR, Banking Trojans like Zeus, BOTs like Conficker and as well as regular viruses, spyware and adware.
(Download-PREVXCSIFREE.exe)
SuspectFile - SystemScan checks your PC for malware infections, like worms, trojans, rootkits and adwares.
(Download-sys.exe)
11 comments
Write commentsended the winupgro.exe first then i used the combo-fix and it worked you described this in such easy details the winupgro.exe file i was making my comupter go crazy, keep up the good work thanks so much for this adivce.
ReplyHi!
ReplyI recently was remove the winupgro with combofix. For details and instructions, please read :
http://www.computing.net/answers/security/winupgroexe-virusmdelkexe/24057.html
Use the response No1.
Save the program as Combo-fix, download, and after this, execute. Please, read and print the instruction guide in the combofix web page
i used the Kaspersky AVZ utility to get rid of the winupgro.exe
Replythanks alot it worked!
ReplyIT WORKED!!!!!!!!!
Replyits about time tanks alot!!!!!!!!! :)
thanks for this info on removing winupgro.exe
Replyok good this helped alot thanks for the advice! :) :) :)
Replyforget all they tell you, it wont work - tried it for a day -
Replymaybe this is a new variant of the worm, (mid feb 2010)
however it writes itself into your bios so even exchanging
the hard disk or reinstalling windows wont help,
and all the virus checkers are completely helpless.
you have to flash the bios chip(s) or replace them,
which means you might best leave the mainboard
at your local computer store for a day or two...
if you dont you will only think its gone, and it will be
either back to molest you or maybe turn your machine
into a robot, this time using a "silent mode", who knows ?
RE:Anonymous^
ReplyNot True this method dose work i didn't just post the info without any experience i too was infected with this Trojan and after long research i have seen that these methods worked.
When i first got it i took my computer to a rapier shop just to waste 50$ for nothing because the problem was still there except for the repair shop erased all my files on my computer which sucked, It dose not write into the bios that is false news.
ComboFix should fix your computer if your infected with W32.Beagle@mm/winupgro.exe make sure this is the virus you have its not strongly recommend to run the programme otherwise.
Like i said i just posted these removal procedures to help others I'm not asking for nothing in return follow every step correctly and you should be ok, its been a year since i was infected and my computer is running better then ever.
If you have any concerns or questions don't hesitate to ask.
Post your logs or screenshots over here and I'll be happy to help you out.
Hint: try deleting these files before running Combo-Fix
winupgro.exe, wintems.exe, flec006.exe, or any other files or folders that's listed in the File Location above.
well it worked for me so thanks escoflip!
Replyhey thanks for this it worked for me, Combo-Fix.exe did the job
Reply