
Monday 22 August 2011

How to Remove winupgro.exe W32.Beagle Infection:


Dangerous: YES

Filename: winupgro.exe

Associated Files: winupgro.exe, wintems.exe, flec006.exe, srosa.sys, hldrrr.exe, mdelk.exe, winfilse.exe, hidr.exe, re_file.exe, hidn.exe

File Behavior: W32.Beagle downloads and executes malicious files from a remote server. It is a worm that uses rootkit techniques to hide itself on the infected computer.

Malware Name: W32.Beagle@mm

Malware Type: Trojan Vundo, Bagle Infection, W32.Beagle@mm, Worm

File Location:
C:\Documents and Settings\YourUserName\Application Data\drivers\winupgro.exe
C:\Documents and Settings\YourUserName\Application Data\m\flec006.exe
C:\Documents and Settings\YourUserName\Application Data\drivers\srosa.sys
C:\windows\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe
C:\Documents and Settings\LocalService\Application Data\drivers
C:\Documents and Settings\YourUserName\Application Data\m

Symptoms:

1. When your computer boots up, a process called winupgro.exe starts and uses all of your CPU power.

2. It disables all of your antivirus programs. Example: I'm using avast! Antivirus, and when I click on it I see this message: "AshAvast.exe is not a valid Win32 application".

3. Deleting only winupgro.exe will not work. It has made many copies and files on your computer; if you delete only the winupgro.exe file, it will reappear when you reboot.


Removal Procedure #1:
1. Reboot your PC.
2. When Windows is starting up, press Alt+Ctrl+Delete to open 'Windows Task Manager', locate the winupgro.exe process, left-click it and then click End Process. Remember to do this fast, because the winupgro.exe process will hide itself and you won't be able to click on it; if you take too long and don't see that process, restart your computer until you manage to end it.
3. Download F-Secure BlackLight and run it. Afterwards it will save a log file on your desktop that shows where the malicious files are located. Now go ahead and delete the files and folders listed in the File Location section above. For me the files were located in these locations:
C:\Documents and Settings\YourUserName\Application Data\drivers\
C:\WINDOWS\system32\wintems.exe

4. Next, download ComboFix and save the file to your desktop, renaming it from ComboFix to Combo-Fix. It's important that you rename it to Combo-Fix during the download and not after, or winupgro will corrupt it, making it unable to open.
5. Open the Combo-Fix.exe file that you saved on your desktop and let it run. Note: this might take some time, so don't rush it if you want the infection removed properly. Afterwards it will automatically restart your computer.

6. After you have successfully removed the infection, re-install your antivirus program and any other applications that have been corrupted.
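To check whether any of the indicators from the File Location and Symptoms sections above are still present before and after cleanup, here is an added triage helper. It is example code written for this page, not a tool from the original post or from F-Secure or ComboFix. It matches a file listing and a process listing against the file names and drop directories the page gives; the directory listing, process names, CPU figures and the 90% CPU threshold are all constructed assumptions for the demonstration.

```python
# Added triage helper, not part of the original post: checks a file listing and a
# process listing against the file names and drop directories the page lists for
# W32.Beagle, so you can confirm before and after cleanup whether any remain.
import ntpath
import re

# File names the page associates with this infection.
BEAGLE_FILES = frozenset({
    "winupgro.exe", "wintems.exe", "flec006.exe", "srosa.sys", "hldrrr.exe",
    "mdelk.exe", "winfilse.exe", "hidr.exe", "re_file.exe", "hidn.exe",
})

# Drop directories from the page's File Location list, with the user name generalised.
BEAGLE_DIR_PATTERNS = (
    re.compile(r"\\Application Data\\drivers(?:\\|$)", re.IGNORECASE),
    re.compile(r"\\Application Data\\m(?:\\|$)", re.IGNORECASE),
)


def classify_path(path):
    """Return why a path is suspicious according to the page's indicators, or None."""
    name = ntpath.basename(path).lower()
    if name in BEAGLE_FILES:
        return "known W32.Beagle file name"
    if any(p.search(path) for p in BEAGLE_DIR_PATTERNS):
        return "inside a known W32.Beagle drop directory"
    return None


def triage(file_paths, processes, cpu_threshold=90.0):
    """Match a file listing and a (name, cpu_percent) process listing.

    Returns {'files': {path: reason}, 'processes': [name], 'cpu_hogs': [name]}.
    A process is listed under 'cpu_hogs' when it both carries a known name and
    is at or above cpu_threshold (an assumed value), matching symptom 1 on the page.
    """
    result = {"files": {}, "processes": [], "cpu_hogs": []}
    for path in file_paths:
        reason = classify_path(path)
        if reason:
            result["files"][path] = reason
    for name, cpu in processes:
        if name.lower() in BEAGLE_FILES:
            result["processes"].append(name)
            if cpu >= cpu_threshold:
                result["cpu_hogs"].append(name)
    return result


# Constructed sample listings (not captured from a real machine).
SAMPLE_FILES = [
    r"C:\Documents and Settings\alice\Application Data\drivers\winupgro.exe",
    r"C:\Documents and Settings\alice\Application Data\drivers\srosa.sys",
    r"C:\Documents and Settings\alice\Application Data\m\flec006.exe",
    r"C:\Documents and Settings\alice\Application Data\m\dropped.dat",
    r"C:\WINDOWS\system32\wintems.exe",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\Program Files\Alwil Software\Avast4\ashAvast.exe",
]
SAMPLE_PROCESSES = [("explorer.exe", 2.0), ("winupgro.exe", 98.5), ("svchost.exe", 1.0)]

if __name__ == "__main__":
    report = triage(SAMPLE_FILES, SAMPLE_PROCESSES)
    for path, reason in report["files"].items():
        print(f"FILE    {path}  ({reason})")
    for name in report["processes"]:
        tag = " using most of the CPU" if name in report["cpu_hogs"] else ""
        print(f"PROCESS {name}{tag}")
```

On the constructed sample this flags the four files under the two Application Data drop directories (including an unlisted file that sits inside them, since the page says the worm creates many copies) plus wintems.exe in system32, and reports winupgro.exe as both a known process and a CPU hog; the legitimate ntfs.sys under system32\drivers is not flagged because the directory pattern is anchored on Application Data. After running the removal steps, an empty report is the result you want to see.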
