winupgro.exe problem

Dell / STUDIO 1737
May 31, 2009 at 19:48:20
Specs: Microsoft Windows Vista Home Premium, 2 GHz / 4089 MB
I have contracted the evil "winupgro.exe" virus and cannot get rid of it. I cannot run System Restore, Windows Defender, Avast On-Access Protection, Wireless Networking. I have visited several forums and followed many instructions; nothing has worked thus far. No matter what I do it keeps coming back. I have tried Malwarebyte, Spyware Doctor, SUPERAntiSpyware Free Edition, and a couple of others. I am at a loss, so I am posting here in hopes that someone can help me. Let me know where to go from here and I will do it. P.S. I cannot run Combofix as many have suggested because I have Vista x64. So I am told.



#1
May 31, 2009 at 20:05:15
Hi,
Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again.

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

PS: Can you also attach (upload to rapidshare.com) your SUPERAntiSpyware and AV scan logs?


#2
May 31, 2009 at 20:41:09
Thank you so much for your quick response.

Here is the virusinfo_syscure.zip url:

http://rapidshare.com/files/2394699...

Here is the Malwarebytes' log url:

http://rapidshare.com/files/2394655...

Here is the SUPERAntiSpyware log url:

http://rapidshare.com/files/2394656...



#3
May 31, 2009 at 21:23:33
Please don't scan or fix anything; wait for further instructions. If you scanned or fixed anything after the AVZ log, make a new log and post it. I will wait for your reply.


#4
May 31, 2009 at 21:35:51
Sorry about that, here is the updated link:

http://rapidshare.com/files/2394699...

I also edited my previous post to reflect the current (and correct) links.



#5
May 31, 2009 at 21:51:09
Run this script in AVZ like before, in the order numbered:

1) Your PC will reboot.

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 QuarantineFile('C:\Users\futhermukker\AppData\Roaming\drivers\winupgro.exe','');
 QuarantineFile('C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe','');
 DeleteFile('C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe');
 DeleteFile('C:\Users\futhermukker\AppData\Roaming\drivers\winupgro.exe');
BC_ImportAll;
BC_Activate;
RebootWindows(true);
end.

2) Run this script in AVZ:

begin
CreateQurantineArchive('c:\quarantine.zip');
end.

3) A file called quarantine.zip should be created in C:\. Then please upload it to a filehost such as http://rapidshare.com/. Then, Private Message me the download link to the uploaded file.


#6
May 31, 2009 at 22:21:16
When I try to run AVZ with the first script it terminates and does not complete. I did not run the second script.


#7
May 31, 2009 at 22:24:21
What do you mean by terminates?


#8
May 31, 2009 at 22:30:07
I get this Microsoft Windows error message: AVZ has stopped working

"A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."

I cannot access the program and the only option is to Close program.

P.S. The script seems to work for a second or two, but I see a lot of things getting blocked in the info window. I would copy and paste the text, but cannot bring the program into focus (access it to copy text).



#9
May 31, 2009 at 22:38:59
Ok leave that script for now and run a scan with this:

Download and run Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...
Note: Pause all the spyware/antivirus programs you have running.

Once you download and start the tool:

# Check below options:

    * Select all the objects/places to be scanned. 
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

# Click Scan
# Attach Scan log/Summary to your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...


#10
May 31, 2009 at 22:52:20
Ok, This will probably take awhile so I will wait until morning to post the results. I will then edit this post with the updated information.

Again, thank you for all your help.



#11
June 1, 2009 at 06:29:45
Yes, it will take some time. What OS are you running? XP Pro 64 bit?


#12
June 1, 2009 at 09:18:17
Yeah total time was 10 hours for the scan.....shew!
To answer your question, I am running Vista Home Premium x64.
I zipped the log file and uploaded it to rapidshare; here is the URL to the file:

http://rapidshare.com/files/2396542...



#13
June 1, 2009 at 09:50:39
Did you start AVZ as administrator when running the previous scripts and making the log? Did you fix what Kaspersky detected?


#14
June 1, 2009 at 10:07:35
Note: Make sure you re-download AVZ, uninstall old one. Start AVZ.exe as administrator.

begin
 DeleteService('srosa');
 StopService('srosa');
 QuarantineFile('C:\Users\futhermukker\AppData\Roaming\drivers\winupgro.exe','');
 QuarantineFile('C:\Windows\Installer\{F6CB42B9-F033-4152-8813-FF11DA8E6A78}\_B05EC2D3BF90F2C95A0B93.exe','');
 QuarantineFile('C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe','');
 QuarantineFile('C:\Users\futhermukker\AppData\Roaming\drivers\wfsintwq.sys','');
 DeleteFile('C:\Users\futhermukker\AppData\Roaming\drivers\wfsintwq.sys');
 DeleteFile('C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe');
 DeleteFile('C:\Windows\Installer\{F6CB42B9-F033-4152-8813-FF11DA8E6A78}\_B05EC2D3BF90F2C95A0B93.exe');
 DeleteFile('C:\Users\futhermukker\AppData\Roaming\drivers\winupgro.exe');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(true);
RebootWindows(true);
end.


#15
June 1, 2009 at 12:48:35
Same problem as before...I run the custom script it works for a second and then the program stops working. I just don't get it. What's next.....ARGGG!!!

NOTE: to delete AVZ I just delete the zip file and file folder from my desktop right? Am I missing something in uninstalling it (or am I uninstalling it incorrectly?)



#16
June 1, 2009 at 13:31:20
About Response Number 13?


#17
June 1, 2009 at 14:13:18
Yes, I ran AVZ as Administrator.
No, I did not let Kaspersky fix the problem; I thought I was not supposed to fix anything unless you asked me to. I hope I didn't miss the boat, so to speak.

Sorry I didn't answer that post; it must have slipped by me.
What should I do now?



#18
June 1, 2009 at 14:38:11
Try to run Response Number 14 again; I changed the script a bit.


#19
June 1, 2009 at 14:44:36
Yes that time it did work. My computer is rebooting as we speak, I am using my other laptop to respond to you.

What is the next step?



#20
June 1, 2009 at 14:49:19
Remake a new log with Response Number 1 and also do a HijackThis log. Upload both of them to rapidshare.com.


#21
June 1, 2009 at 15:07:40
I have news.... I rebooted my computer into safe mode and did a system restore to before I contracted the virus, and it worked. I know I was only supposed to follow instructions that you gave me, but I seem to have solved the problem.

Would you still like me to do Step 1 again and upload the log files?



#22
June 1, 2009 at 15:15:07
Yes, post the log again and a HijackThis log.


#23
June 1, 2009 at 15:30:36
Sure, here are the log links.

avz log file:

http://rapidshare.com/files/2397655...

hijackthis log file:

http://rapidshare.com/files/2397663...

Let's hope it's clean, eh?



#24
June 1, 2009 at 15:46:49
Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ:


begin
CreateQurantineArchive('c:\quarantine.zip');
end.

2) A file called quarantine.zip should be created in C:\. Then please upload it to a filehost such as http://rapidshare.com/. Then, Private Message me the download link to the uploaded file.

3) Run a full scan with http://www.eset.eu/online-scanner

# Check the box next to YES, I accept the Terms of Use.
# Click Start
# When asked, allow the ActiveX control to be installed.
# Click Start
# Check below options:

    * Remove found threats
    * Scan for potentially unwanted applications (Advanced Settings).
    * Enable Anti-Stealth technology (Advanced Settings).

# Click Scan
# Wait for the scan to finish
# When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt
# Attach this logfile to your next message.

Note: Fix what it detects.

4) Install, update and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, but please don't fix anything yet, until the log is reviewed.

5) House cleaning [Optional]. Scan with SuperAntispyware: http://www.superantispyware.com/dow... Fix what it detects and post the summary scan log.

PS: Your logs are clear now; this is to remove any residual files so you won't get reinfected.

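Added example, not part of the original thread or any poster's message: a read-only PowerShell check for the leftovers that Response 24 is concerned about, using only the service name and file paths that appear in the AVZ scripts in Responses 5 and 14. It assumes an elevated PowerShell 4.0 or later session (for Get-FileHash); the variable names are illustrative.

```powershell
# Added example (not from the thread): read-only check for the artifacts the
# helper's AVZ scripts targeted. Nothing is stopped, deleted or modified.
$serviceName = 'srosa'   # service name from the script in Response 14
$paths = @(              # file paths from the scripts in Responses 5 and 14
    'C:\Users\futhermukker\AppData\Roaming\drivers\winupgro.exe',
    'C:\Users\futhermukker\AppData\Roaming\drivers\wfsintwq.sys',
    'C:\Windows\Installer\{F6CB42B9-F033-4152-8813-FF11DA8E6A78}\_B05EC2D3BF90F2C95A0B93.exe',
    'C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe'
)

$findings = @()

# A service entry that survives cleanup can start its binary again at boot.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{
        Kind = 'Service'; Item = $svc.Name; Detail = "Status=$($svc.Status)"
    }
}

foreach ($p in $paths) {
    # -LiteralPath: take the path exactly as written, no wildcard expansion.
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $file = Get-Item -LiteralPath $p -Force   # -Force also returns hidden/system files
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $p).Status
        $findings += [pscustomobject]@{
            Kind   = 'File'
            Item   = $p
            Detail = "Written=$($file.LastWriteTime.ToString('s')) SHA256=$hash Signature=$sig"
        }
    }
}

if ($findings.Count -eq 0) {
    'None of the listed artifacts are present.'
} else {
    # Anything listed here should be reviewed before the machine is called clean.
    $findings | Format-List
}
```

A rootkit can hide files and services from queries made on the running system, so an empty result here complements the anti-rootkit scans requested in the thread rather than replacing them.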

