winupgro.exe virus

Ibm / T42
January 1, 2009 at 08:58:50
Specs: Windows XP, 1.7G/512M
Hi, my laptop got infected with winupgro.exe. It takes 90% of the CPU. I read several threads regarding this virus. It seems that the only hope is using ComboFix. Should I run it?

My OS is WinXP with SP2.

Thanks for the help.


January 1, 2009 at 09:25:21

Yes, you can use ComboFix. Remember, before you download it to your desktop, to change the name to one with alphanumeric characters and a special character, for example @ (e.g. cf@12).

When finished, go to C:\ and upload the ComboFix.txt file, then type the URL to download the report.



January 1, 2009 at 10:06:15
Thanks for the reply. I have run ComboFix and it completed. Here is the link to the result log.

Do I need to do anything next?


January 1, 2009 at 10:18:45
btw, I am using the Chinese version of Windows. Hence, the log contains Chinese characters.

Also, the anti-virus program I have installed is Norton. Not sure if it matters.



January 2, 2009 at 09:32:01
Excuse me for being late.


Disconnect from the Internet, disable the anti-virus and any form of HIPS.

Run avenger.exe, copy and paste inside the white box this script:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:

Files to delete:
c:\documents and settings\Terry\Application Data\drivers
C:\Documents and Settings\Terry\Application Data\drivers\srosa.sys
C:\Documents and Settings\Terry\Application Data\drivers\winupgro.exe
C:\Documents and Settings\Terry\Application Data\m\flec006.exe
C:\Documents and Settings\Terry\Application Data\drivers\srosa2.sys

Folders to delete:
C:\Documents and Settings\LocalService\Application Data\drivers
C:\Documents and Settings\Terry\Application Data\drivers
C:\Documents and Settings\Terry\Application Data\m

Put a check on "Automatically disable any rootkits found", then click "Execute".
The PC should reboot by itself; otherwise, restart it yourself.

Go to C:\, then copy and paste the contents of the file avenger.txt.

download to your desktop
Open it and make sure that all options are checked, then click on "Scan Now". At the end of the scan, two files will be released (always on your desktop, inside the folder suspectfile).
Upload the zip file and write in your next reply the URL where I can get it.

Remember: run the scan with no connection and with the antivirus disabled, then resume them when the scan has finished.

The scan may take a long time; it might even seem that the program is not working. Do not worry, it is not so ;)

SystemScan is recognized, by mistake, by some antivirus programs as infected.



January 2, 2009 at 09:48:21
There are still active infections. While I wait for the SystemScan report, go on:

Start > Run, then type regedit and click OK.

helping with the + brought in


Open the yellow folder mountpoints2, then search for and delete (click with the right mouse button and then "Delete") the value


Press the F5 key, close the Registry and reboot your computer.


January 2, 2009 at 11:11:10
No problem. Thanks for spending time helping me. Appreciated.

Here are the links to the zip file and the report.


btw, there are several errors reported in avenger.txt, saying that several registry keys cannot be found. Is that expected? I also uploaded the file to the web, in case you would like to take a look.


January 2, 2009 at 12:46:53
For the values in the registry, that is normal.
All the values were removed by ComboFix; I only wanted to see that they had not been recreated.

ComboFix a value that never fails to remove, because it is not sought during its use, is the "drivers" in C:\Documents and Settings\username\Application Data\drivers, and with The Avenger we have removed it.

The report is OK. Do you have any other problem?


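A post-cleanup check for the removal script posted earlier in this thread, as an added example that is not part of any post here and is not The Avenger's own code: it parses a script laid out with the section headers shown above and reports listed files and folders that exist on disk again. Only the headers visible in the thread are recognised, case-insensitive matching is an assumption, and the demo runs against a constructed temporary tree rather than a real profile folder.

```python
import os
import tempfile

# Section headers as they appear in the script posted in this thread;
# matched case-insensitively (assumption: the thread mixes capitalisation).
SECTIONS = {
    "files to delete:": "file",
    "folders to delete:": "folder",
    "registry keys to delete:": "regkey",
    "registry values to replace with dummy:": "regvalue",
}

def parse_script(text):
    """Return [(kind, entry)] for every non-empty line under a known header."""
    entries, kind = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() in SECTIONS:
            kind = SECTIONS[line.lower()]
        elif line and kind:
            entries.append((kind, line))
    return entries

def still_present(entries):
    """Filesystem entries that exist again; registry entries are skipped here."""
    found = []
    for kind, path in entries:
        if kind in ("file", "folder") and os.path.lexists(path):
            # Report what is really on disk, which may differ from the section.
            actual = "folder" if os.path.isdir(path) else "file"
            found.append((path, kind, actual))
    return found

def demo():
    """Constructed sample: a temp tree stands in for the profile folder."""
    root = tempfile.mkdtemp()
    drivers = os.path.join(root, "drivers")
    os.mkdir(drivers)
    recreated = os.path.join(drivers, "sample.bin")   # constructed name
    open(recreated, "w").close()
    gone = os.path.join(root, "m")                    # never created
    script = (f"Registry values to replace with dummy:\nHKLM\\Software | X\n\n"
              f"Files to delete:\n{drivers}\n{recreated}\n\n"
              f"Folders to delete:\n{drivers}\n{gone}\n")
    return drivers, recreated, still_present(parse_script(script))

if __name__ == "__main__":
    for path, listed, actual in demo()[2]:
        print(f"STILL PRESENT ({actual}, listed as {listed}): {path}")
```

Any path it reports after the reboot is one that was not removed or has been written again, which is the cue to send a fresh log before going further.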

January 2, 2009 at 13:08:06
ic. Thanks a lot.

One more problem. I could not activate the auto-protect of my Norton anti-virus program. It was turned off when the laptop was infected by the virus. Any idea how I can fix it? Or do I need to uninstall/install the program again?


January 2, 2009 at 14:46:25
winupgro.exe (Bagle malware) infects security programs; uninstall and reinstall Norton again :)




January 2, 2009 at 19:51:24
ok.. thanks a million times.


January 14, 2009 at 05:49:05
Here is a guide to get rid of winupgro.exe
