
winupgro.exe virus part 2


Name: fr0gman
Date: December 21, 2008 at 20:50:30 Pacific
OS: XP SP2
CPU/Ram: 2g/2g
Product: Emachine / NA
Comment:

My computer has been infected with winupgro.exe. It has disabled NOD and will not let me run:

HijackThis
SpyBot
Norton AV
ComboFix

I also cannot boot into SAFE Mode nor can I roll back with system restore.
It will not allow Kaspersky online scan to run either.




Response Number 1
Name: jabuck
Date: December 21, 2008 at 21:09:47 Pacific
Reply:

Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download Combofix again and when you get to the point that the "enter name of file to save" box appears rename combofix.exe in the filename box to combo-fix.exe> click save and finish downloading it to your desktop and try to run it again.

It is a must that your antivirus and any antispyware be turned off while Combofix is running. Also do not move or click the mouse as it may lock up the computer.

Then post its log if possible.

Go to start> control panel> add/remove programs and uninstall HijackThis.

Then download/rename in the same manner as you did with Combofix and post its log.


0

Response Number 2
Name: fr0gman
Date: December 21, 2008 at 21:21:02 Pacific
Reply:

ComboFix was never installed. When you click on the exe the system locks up. But I will try your suggestions.

Windows cannot find 'combofix'...


0

Response Number 3
Name: fr0gman
Date: December 21, 2008 at 21:45:09 Pacific
Reply:

I went through the registry and located each instance of winupgro and removed it and also deleted it from a folder on the HDD. Still could not boot into safe mode and upon reboot winupgro.exe reappeared in the task list.


0

Response Number 4
Name: fr0gman
Date: December 21, 2008 at 22:04:50 Pacific
Reply:

Well it is midnight here and I have to go to work in the morning. Hopefully someone will have a fix.


0

Response Number 5
Name: fr0gman
Date: December 22, 2008 at 15:15:44 Pacific
Reply:

Anyone have any input on this?


0




Response Number 6
Name: fr0gman
Date: December 23, 2008 at 09:34:50 Pacific
Reply:

Wow.. nobody has any suggestions?

I have tried deleting and renaming registry entries for:

winupgro.exe
flec006.exe

I have also tried deleting the dir containing these files and then running NOD from a bootable CD. Nothing has worked.

I still get "not a valid Win32 app" errors when trying to run Combofix or any other AV-type program, HijackThis, Kaspersky, etc.


0

Response Number 7
Name: fr0gman
Date: December 23, 2008 at 16:29:26 Pacific
Reply:

Ran MalwareBytes and it detected several bugs, claimed to have fixed them, and some needed to be deleted on reboot.

Rebooted and the bugs were back.


0

Response Number 8
Name: jabuck
Date: December 23, 2008 at 16:44:46 Pacific
Reply:

When you downloaded Combofix did you rename it before you downloaded it?

Do a search for these filenames, but do not try to uninstall them yet; make a list of what is found and post it.

winupgro
flec006
wintem
mdelk


Download Registry Search and doubleclick to start it. Enter these one at a time


winupgro
flec006
wintem
mdelk

in the top box and click "Ok". Notepad will be opened with text in it (the file will be saved in the program's folder as well). Post this text for each file name.


0

Response Number 9
Name: jabuck
Date: December 23, 2008 at 16:47:22 Pacific
Reply:

Post that Malwarebytes log if you have it, if not run it again and post it.

At least the .exe's are working.


0

Response Number 10
Name: fr0gman
Date: December 23, 2008 at 18:49:01 Pacific
Reply:

I got ComboFix to run:

ComboFix 08-12-23.01 - Administrator 2008-12-23 20:41:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.40.1033.18.2047.1272 [GMT -6:00]
Running from: c:\users\Administrator\Desktop\cohnig.exe

[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\TaskSwitchXP\TaskSwitchXP.exe
c:\users\Administrator\Application Data\drivers\downld
c:\users\Administrator\Application Data\drivers\downld\140250.exe
c:\users\Administrator\Application Data\drivers\downld\141265.exe
c:\users\Administrator\Application Data\drivers\downld\141437.exe
c:\users\Administrator\Application Data\drivers\downld\64625.exe
c:\users\Administrator\Application Data\drivers\downld\67265.exe
c:\users\Administrator\Application Data\drivers\downld\77328.exe
c:\users\Administrator\Application Data\drivers\downld\77406.exe
c:\users\Administrator\Application Data\drivers\downld\81203.exe
c:\users\Administrator\Application Data\drivers\downld\81343.exe
c:\users\Administrator\Application Data\drivers\downld\82359.exe
c:\users\Administrator\Application Data\drivers\downld\85484.exe
c:\users\Administrator\Application Data\drivers\srosa.sys
c:\users\Administrator\Application Data\drivers\srosa2.sys
c:\users\Administrator\Application Data\drivers\winupgro.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\ban_list.txt
c:\windows\system32\Memman.vxd
c:\windows\system32\skinboxer43.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SROSA
-------\Legacy_SROSA
-------\Legacy_SK9OU0S


((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.

2008-12-23 11:53 . 2008-12-23 11:53 <DIR> d-------- c:\users\All Users\Application Data\Malwarebytes
2008-12-23 11:53 . 2008-12-23 11:53 <DIR> d-------- c:\users\Administrator\Application Data\Malwarebytes
2008-12-23 11:53 . 2008-12-23 11:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-23 11:53 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-23 11:53 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-22 21:22 . 2008-12-23 20:17 <DIR> d--h----- c:\users\Administrator\Application Data\drivers
2008-12-22 08:36 . 2008-12-22 08:36 <DIR> d-------- c:\users\All Users\Application Data\Grisoft
2008-12-22 08:36 . 2008-12-22 08:36 <DIR> d-------- c:\program files\blue
2008-12-21 21:16 . 2008-12-21 21:16 <DIR> d-------- c:\program files\Trend Micro
2008-12-21 20:04 . 2008-12-21 20:04 <DIR> d-------- c:\program files\Novasoft Inc
2008-12-21 17:41 . 2008-12-21 17:41 <DIR> d-------- c:\program files\Turbo Tube
2008-12-21 15:59 . 2008-12-21 16:00 <DIR> d-------- c:\program files\Total Video Converter
2008-12-21 02:11 . 2008-12-23 11:45 <DIR> d--h----- c:\users\Administrator\Application Data\-badfile
2008-12-20 14:53 . 2008-12-20 14:55 <DIR> d-------- c:\program files\Advanced Find and Replace 3
2008-12-15 12:39 . 2008-12-23 18:20 <DIR> d-------- c:\users\Administrator\Application Data\skypePM
2008-12-15 12:39 . 2008-12-15 12:39 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-12-15 12:38 . 2008-12-23 20:36 <DIR> d-------- c:\users\Administrator\Application Data\Skype
2008-12-15 12:37 . 2008-12-15 12:37 <DIR> d-------- c:\users\All Users\Application Data\Skype
2008-12-15 12:37 . 2008-12-15 12:37 <DIR> d-------- c:\program files\Skype
2008-12-15 12:37 . 2008-12-15 12:37 <DIR> d-------- c:\program files\Common Files\Skype
2008-12-13 01:08 . 2004-12-17 11:28 479,232 --a------ c:\windows\system32\vsrpt8.ocx
2008-12-13 01:08 . 2001-04-24 14:24 457,257 --a------ c:\windows\system32\GridEX20.ocx
2008-12-13 01:08 . 2004-11-17 17:13 417,792 --a------ c:\windows\system32\vsprint8.ocx
2008-12-13 01:08 . 2004-11-29 15:57 315,392 --a------ c:\windows\system32\c1sizer.ocx
2008-12-13 01:08 . 2006-01-26 09:24 221,184 --a------ c:\windows\system32\DartSock.dll
2008-12-13 01:08 . 2006-01-26 09:24 196,608 --a------ c:\windows\system32\DartSecure2.dll
2008-12-13 01:08 . 2004-11-29 15:57 196,608 --a------ c:\windows\system32\c1awk.ocx
2008-12-13 01:08 . 2006-01-26 09:24 155,648 --a------ c:\windows\system32\DartCertificate.dll
2008-12-13 01:08 . 2006-01-26 09:26 147,456 --a------ c:\windows\system32\DARTUTIL.DLL
2008-12-13 01:08 . 2003-02-02 04:01 65,536 --a------ c:\windows\system32\ReSize32.ocx
2008-12-13 01:08 . 2004-06-04 07:48 53,248 --a------ c:\windows\system32\AnimatedGif.ocx
2008-12-10 14:46 . 2008-12-10 14:46 <DIR> d-------- c:\program files\Veign
2008-12-10 14:46 . 2003-05-11 19:47 122,880 --a------ c:\windows\system32\vbalODCL6.ocx
2008-12-10 14:46 . 2003-01-26 12:41 40,960 --a------ c:\windows\system32\SSubTmr6.dll
2008-12-08 21:28 . 2008-12-08 21:56 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-05 21:26 . 2008-12-20 15:30 38 --a------ c:\windows\avisplitter.INI
2008-12-05 20:32 . 2008-12-05 20:32 <DIR> d-------- C:\plugins
2008-12-04 15:18 . 2008-12-04 15:54 <DIR> d-------- C:\clickbank

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 02:23 --------- d-----w c:\users\Administrator\Application Data\VMware
2008-12-24 02:22 --------- d---a-w c:\users\All Users\Application Data\TEMP
2008-12-24 02:22 --------- d-----w c:\users\LocalService\Application Data\VMware
2008-12-24 02:22 --------- d-----w c:\users\All Users\Application Data\VMware
2008-12-24 02:18 --------- d-----w c:\program files\TaskSwitchXP
2008-12-24 00:55 --------- d-----w c:\program files\Windows Live Safety Center
2008-12-22 14:28 --------- d-----w c:\program files\Symantec
2008-12-22 03:02 --------- d-----w c:\program files\ESET2
2008-12-21 00:54 1,954 ----a-w c:\users\Administrator\Application Data\SAS7_000.DAT
2008-12-20 21:21 --------- d-----w c:\users\All Users\Application Data\ThumbsPlus
2008-12-20 20:52 --------- d-----w c:\program files\Advanced Find and Replace 4
2008-12-20 05:14 --------- d-----w c:\users\All Users\Application Data\Google Updater
2008-12-13 01:01 --------- d-----w c:\users\Administrator\Application Data\ThumbsPlus
2008-11-22 02:13 --------- d-----w c:\users\All Users\Application Data\InstallShield
2008-11-22 02:11 --------- d-----w c:\users\Administrator\Application Data\Nuance
2008-11-22 02:04 --------- d-----w c:\users\All Users\Application Data\ScanSoft
2008-11-22 02:04 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-11-22 02:04 --------- d-----w c:\program files\Common Files\Nuance
2008-11-22 02:04 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-22 02:03 --------- d-----w c:\users\All Users\Application Data\Nuance
2008-11-22 02:03 --------- d-----w c:\program files\Nuance
2008-11-21 01:50 --------- d-----w c:\users\Administrator\Application Data\TVDAT
2008-11-08 04:39 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-08 04:39 --------- d-----w c:\program files\eBay
2008-11-05 18:23 49,152 ----a-r c:\windows\system32\inetwh32.dll
2008-11-05 18:23 1,044,480 ----a-r c:\windows\system32\roboex32.dll
2008-10-31 04:11 --------- d-----w c:\program files\Google
2005-05-27 15:54 271 --sh--w c:\program files\desktop.ini
2005-05-27 15:54 21,952 -c-h--w c:\program files\folder.htt
2008-08-10 23:12 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-08-10 23:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-08-10 23:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081020080811\index.dat
2008-08-10 23:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-05-05 03:00 578048 894b313c52589628bb996e175b581e3a c:\windows\system32\user32.dll

2008-05-05 03:00 893952 12e74a87d576c25955df90726fbc8ec8 c:\windows\system32\wininet.dll

2008-05-05 03:00 361344 c6bfec6cc1dd2389d9334ee7838944fe c:\windows\system32\drivers\tcpip.sys

2008-05-05 03:00 557056 7dd9ce78dd441eea2bbaff6d3eeaad08 c:\windows\system32\winlogon.exe

2008-05-05 03:00 2227072 6c1885409da9fd564656592c0f4b6844 c:\windows\system32\ntkrnlpa.exe

2008-05-05 03:00 2350208 d52f7a81cf5115228fcc3a0db997179a c:\windows\system32\ntoskrnl.exe

2008-05-05 03:00 1572352 5f7009a7cb02ae2685746b34b063d3dd c:\windows\explorer.exe

2008-05-05 03:00 40448 c1d50243355a290cb3aa684fd8b38170 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-12-23_20.27.26.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-24 02:21:48 53,248 ----a-w c:\windows\Temp\catchme.dll
+ 2008-12-24 02:43:43 53,248 ----a-w c:\windows\Temp\catchme.dll
+ 2008-12-24 02:24:29 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-05-05 40448]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [BU]
"Taskbar Shuffle"="c:\windows\system32\taskbarshuffle.exe" [2008-04-17 818176]
"True Transparency"="c:\program files\Utilities\True Transparency\TrueTransparency.exe" [2008-04-19 401408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-03-22 1271808]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 4670704]
"ICQ"="c:\program files\ICQ6\ICQ.exe" [2008-09-01 173304]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"PowerTweak Menu"="c:\windows\system32\mmm.exe" [2005-07-05 828416]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-12-23 15872]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-03-03 72240]
"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2008-03-03 55856]
"DriveSpace"="c:\program files\Drive Space Indicator\DrvSpace.exe" [2008-05-17 371626]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"!AVG Anti-Spyware"="c:\program files\blue\red\avgas.exe" [2007-06-11 6731312]
"AGRSMMSG"="AGRSMMSG.exe" [2004-04-13 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2007-12-04 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.exe" [2008-05-05 40448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NewUser"="c:\windows\LastXP\NewUser.cmd" [2008-05-05 2094]
"nltide_3"="advpack.dll" [2008-05-05 c:\windows\system32\advpack.dll]

c:\users\Administrator\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2008-07-27 2807144]
Visual Task Tips.lnk - c:\ppapps\VisualTaskTips\VisualTaskTips.exe [2008-08-10 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 10:50 8704 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Pro\\wsftpgui.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 FlashFolder;FlashFolder;"c:\program files\FlashFolder\FlashFolder.exe" [2008-03-20 71680]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-10-13 24652]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\DRIVERS\vmmouse.sys [2008-08-10 11696]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-23 38496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d38ba64-6747-11dd-8eb9-005056c00008}]
\Shell\AutoRun\command - j:\jdsecure\Windows\JDSecure31.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\NatSpeak Periodic Acoustic Optimization.job
- c:\program files\Nuance\NaturallySpeaking10\Program\schedmgr.exe [2008-07-27 20:21]

2008-12-21 c:\windows\Tasks\NatSpeak Periodic Language Model Optimization.job
- c:\program files\Nuance\NaturallySpeaking10\Program\schedmgr.exe [2008-07-27 20:21]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-sglfb.sys
SafeBoot-tga.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
FF - ProfilePath - c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\x543tw1k.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations -------
.
inffile=c:\windows\system32\Notepad2.exe %1
inifile=c:\windows\system32\Notepad2.exe %1
txtfile=c:\windows\system32\Notepad2.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-23 20:43:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(992)
c:\windows\system32\SETUPAPI.dll
.
Completion time: 2008-12-23 20:45:58
ComboFix-quarantined-files.txt 2008-12-24 02:45:37

Pre-Run: 9,080,684,544 bytes free
Post-Run: 9,063,993,344 bytes free

277


0

Response Number 11
Name: jabuck
Date: December 23, 2008 at 19:59:12 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if combofix does not auto start, click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


0
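
The log triage that jabuck does by eye in Responses 8, 10 and 11 (search the machine and registry for the suspect names, then read the "Reg Loading Points" block of the ComboFix log for overridden Security Center values and the dangling TaskSwitchXP autostart entry that the CFScript removes) can be scripted. The following is an added example, not a ComboFix or Computing.Net tool; it parses a constructed excerpt modelled on the log posted above, and the function names, the "[date size]" stamp check and the sample text are the example's own assumptions.

```python
"""Triage helper for a ComboFix-style log (added example, not a ComboFix tool).

It reports every log line that mentions one of the suspect file names from
Response 8, parses the REGEDIT4 'Reg Loading Points' block, and flags two
things a reviewer looks for: Security Center override values set to 1, and
Run/RunOnce entries whose trailing marker is not a '[YYYY-MM-DD size]' stamp
(in the posted log the TaskSwitchXP entry is tagged '[BU]' because its file
was removed, and the CFScript in Response 11 deletes that entry).
"""
import re

# Constructed excerpt modelled on the log posted in the thread (not the full log).
SAMPLE_LOG = r"""---- Previous Run -------
c:\users\Administrator\Application Data\drivers\srosa.sys
c:\users\Administrator\Application Data\drivers\winupgro.exe
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-05-05 40448]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

# File names jabuck asked about in Response 8.
SUSPECT_NAMES = ("winupgro", "flec006", "wintem", "mdelk")

# Security Center values that silence or override AV/firewall status reporting.
OVERRIDE_VALUES = ("AntiVirusDisableNotify", "AntiVirusOverride", "FirewallOverride")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
STAMP_RE = re.compile(r"\[(?P<stamp>[^\]]*)\]\s*$")


def find_suspect_lines(log, names=SUSPECT_NAMES):
    """Map each suspect name to the (line number, text) pairs that mention it."""
    hits = {name: [] for name in names}
    for lineno, line in enumerate(log.splitlines(), start=1):
        lowered = line.lower()
        for name in names:
            if name in lowered:
                hits[name].append((lineno, line.strip()))
    return hits


def parse_reg_section(log):
    """Return {registry key: {value name: raw data}} for the REGEDIT4 block."""
    entries = {}
    current_key = None
    in_reg = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "REGEDIT4":
            in_reg = True
            continue
        if not in_reg or not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            entries.setdefault(current_key, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            entries[current_key][value_match.group("name")] = value_match.group("data").strip()
    return entries


def flag_indicators(entries):
    """List the findings a reviewer would act on from the parsed registry block."""
    findings = []
    for key, values in entries.items():
        key_lower = key.lower()
        if key_lower.endswith("security center"):
            for name, data in values.items():
                if name in OVERRIDE_VALUES and data.lower() == "dword:00000001":
                    findings.append(f"Security Center override set: {name}=1")
        if key_lower.endswith("\\run") or key_lower.endswith("\\runonce"):
            for name, data in values.items():
                stamp = STAMP_RE.search(data)
                # A verified file carries a '[YYYY-MM-DD size]' stamp; anything
                # else (e.g. '[BU]', or no stamp at all) deserves a look.
                if not stamp or not re.match(r"\d{4}-\d{2}-\d{2}", stamp.group("stamp")):
                    findings.append(f"Unverified autostart entry: {key} -> {name} {data}")
    return findings


def triage(log):
    """Run all checks and return only the names that hit plus the findings."""
    hits = find_suspect_lines(log)
    findings = flag_indicators(parse_reg_section(log))
    return {"hits": {n: h for n, h in hits.items() if h}, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, lines in result["hits"].items():
        for lineno, text in lines:
            print(f"{name}: line {lineno}: {text}")
    for finding in result["findings"]:
        print(finding)
```

Run against the full log posted in Response 10, the name search should hit the winupgro.exe line under "Previous Run", and the registry check should report the three Security Center overrides plus the TaskSwitchXP entry, which is exactly what the CFScript in Response 11 targets.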

Response Number 12
Name: fr0gman
Date: December 23, 2008 at 20:52:45 Pacific
Reply:

Your suggestions seem to have worked.

Thanks a million.


0

Response Number 13
Name: jabuck
Date: December 23, 2008 at 21:24:22 Pacific
Reply:

Glad we could help.


0
