Hi, my laptop got infected with winupgro.exe. It takes 90% of the CPU. I read several threads regarding this virus. It seems that the only hope is using ComboFix. Should I run it?
My OS is WinXP with SP2.
Thanks for the help.

Hi,
yes, you can use ComboFix. Remember, before you download it to your desktop, to rename it with an alphanumeric name plus a special character, for example @ (e.g. cf@12).
When it has finished, go to C:\ and upload the ComboFix.txt file to http://www.freefilehosting.net, then post the URL so I can download the report.
Ciao,
Marco

Thanks for the reply. I have run ComboFix and it completed. Here is the link to the result log.
http://freefilehosting.net/download...
Do I need to do anything next?

By the way, I am using the Chinese version of Windows, hence the log contains Chinese characters.
Also, the anti-virus program I have installed is Norton. Not sure if it matters.
Thanks

Hi,
excuse me for being late.
Download http://swandog46.geekstogo.com/aven...
Disconnect from the Internet, disable the anti-virus and any form of HIPS.
Run avenger.exe, then copy and paste this script inside the white box:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Registry keys to delete:
HKLM\system\currentcontrolset\services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_SROSA

Files to delete:
c:\documents and settings\Terry\Application Data\drivers
C:\Documents and Settings\Terry\Application Data\drivers\srosa.sys
C:\Documents and Settings\Terry\Application Data\drivers\winupgro.exe
C:\WINDOWS\system32\wintems.exe
c:\windows\system32\ban_list.txt
c:\windows\system32\mdelk.exe
C:\Documents and Settings\Terry\Application Data\m\flec006.exe
C:\Documents and Settings\Terry\Application Data\drivers\srosa2.sys

Folders to delete:
C:\Documents and Settings\LocalService\Application Data\drivers
C:\Documents and Settings\Terry\Application Data\drivers
C:\Documents and Settings\Terry\Application Data\m

Put a check on "Automatically disable any rootkits found" and click "Execute".
The PC should reboot by itself; otherwise, restart it.
Go to C:\ and copy and paste the contents of the file avenger.txt.
--
Download to your desktop
http://www.suspectfile.com/systemscan
Open it and make sure that all options are checked, then click "Scan Now". At the end of the scan two files will be produced (always on your desktop, inside the suspectfile folder).
Upload the zip file to http://www.freefilehosting.net and write in your next reply the URL where I can get it. Remember to run the scan with no Internet connection and with the antivirus disabled; re-enable them once the scan has finished.
NB
The scan may take a long time; it might even seem that the program is not working, but do not worry, it is not so ;) SystemScan is recognized, by mistake, by some antivirus programs as infected.
--
Ciao,
Marco

There are still active infections. While I wait for the SystemScan report, go on:
Start > Run, then type regedit and click OK.
Helping yourself with the +, go to
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2
Open the yellow folder mountpoints2, search for and delete (click with the right mouse button and then "Delete") the value
{49e82ab5-cd0a-11dd-bf27-000e3514ae26}
Press the F5 key, close the Registry editor and reboot your computer.
--
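As an added example, not from this thread and not part of ComboFix, The Avenger or SystemScan, here is a read-only PowerShell check that looks for the same indicators the Avenger script above and the MountPoints2 step name: the AppInit_DLLs value, the srosa service and LEGACY_SROSA entries in each control set, the dropped files and folders, any running process with those names, and the MountPoints2 entry. It assumes PowerShell 2.0 or later is installed (on Windows XP that is a separate install) and that it is run as the affected user; it only reports and deletes nothing, so it can be run before cleanup to confirm the infection and after it to confirm the items are gone.

```powershell
# Added read-only check for the indicators quoted in this thread. Not part of the
# thread or of any tool it mentions. Assumes PowerShell 2.0+; reports only.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.ArrayList

# 1. AppInit_DLLs: the Avenger script replaces this value with a dummy because the
#    infection used it to load its code into every process. Normally it is empty.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs).AppInit_DLLs
if ($appInit) { [void]$findings.Add("AppInit_DLLs is not empty: '$appInit'") }

# 2. The srosa service and its LEGACY_SROSA enum entry in every control set the
#    thread lists (ControlSet001..004 plus CurrentControlSet).
$controlSets = @('CurrentControlSet') + (1..4 | ForEach-Object { 'ControlSet{0:D3}' -f $_ })
foreach ($cs in $controlSets) {
    foreach ($sub in @('Services\srosa', 'Enum\Root\LEGACY_SROSA')) {
        $key = "HKLM:\SYSTEM\$cs\$sub"
        if (Test-Path -Path $key) { [void]$findings.Add("Registry key present: $key") }
    }
}

# 3. Files and folders. $env:APPDATA is the current user's "Application Data"
#    folder (C:\Documents and Settings\<user>\Application Data on XP), so the
#    "Terry" paths from the thread are expressed relative to whoever runs this.
$paths = @(
    "$env:APPDATA\drivers",
    "$env:APPDATA\drivers\srosa.sys",
    "$env:APPDATA\drivers\srosa2.sys",
    "$env:APPDATA\drivers\winupgro.exe",
    "$env:APPDATA\m",
    "$env:APPDATA\m\flec006.exe",
    "$env:SystemRoot\system32\wintems.exe",
    "$env:SystemRoot\system32\ban_list.txt",
    "$env:SystemRoot\system32\mdelk.exe",
    "$env:SystemDrive\Documents and Settings\LocalService\Application Data\drivers"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { [void]$findings.Add("Path present: $p") }
}

# 4. Processes named after the dropped executables (the OP saw winupgro.exe at 90% CPU).
foreach ($name in @('winupgro', 'wintems', 'mdelk', 'flec006')) {
    Get-Process -Name $name | ForEach-Object {
        [void]$findings.Add("Process running: $($_.ProcessName) (PID $($_.Id))")
    }
}

# 5. The MountPoints2 entry from the regedit step. The GUID is the one quoted in
#    this thread; on another machine the entry would have a different GUID, so all
#    entries are listed for review as well.
$mp2        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$threadGuid = '{49e82ab5-cd0a-11dd-bf27-000e3514ae26}'
if (Test-Path -Path "$mp2\$threadGuid") {
    [void]$findings.Add("MountPoints2 entry from the thread present: $threadGuid")
}
$mp2Entries = Get-ChildItem -Path $mp2 | ForEach-Object { $_.PSChildName }
Write-Output "MountPoints2 entries: $($mp2Entries -join ', ')"

if ($findings.Count -eq 0) {
    Write-Output 'None of the indicators from this thread were found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt as the affected user. Any hit under 1 or 2 after the Avenger run means the items were recreated, which is what Marco asks to rule out with the second scan; a non-empty AppInit_DLLs on a clean machine can also be legitimate software, so check what it points at before acting on it.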

No problem. Thanks for spending time helping me. Appreciated.
Here are the links to the zip file and the report.
zip: http://freefilehosting.net/download...
report: http://freefilehosting.net/download...

By the way, there are several errors reported in avenger.txt saying that several registry keys cannot be found. Is that expected? I also uploaded the file to the web, in case you would like to take a look. http://freefilehosting.net/download...

For values in the registry that is normal.
All the values had already been removed by ComboFix; I only wanted to see that they had not been recreated. The one thing ComboFix never manages to remove, because it is not looked for during its run, is the "drivers" folder in C:\Documents and Settings\username\Application Data\drivers, and that we have removed with The Avenger.
The report is ok. Do you have any other problem?
Ciao,
Marco

I see. Thanks a lot.
One more problem. I could not activate the auto-protect of my Norton anti-virus program. It was turned off when the laptop was infected by the virus. Any idea how I can fix it? Or do I need to uninstall/reinstall the program again?

winupgro.exe (Bagle malware) infected the security programs; uninstall Norton and install it again :)
Ciao,
Marco
