Gizmos Freeware Reviews  

#1  07. Jun 2009, 06:15 PM
george (Progradminstrateditor; Join Date: Mar 2008; Location: Frankfurt, GER; Posts: 2,351)
Infected with 'winupgro'

Hi guys,

just wanted to share an experience that I had yesterday. By being not careful enough I ran a dubious exe file that infected my Vista machine with winupgro virus. (Avira did not throw an alarm btw).

It wasn't the first time I got infected with a virus and usually I succeed in surgically removing it. But not this time. It disables all commonly know antivirus programs (they quit with message: Not a valid Win32 program) and recovers itself even though you have removed all the obvious files in safe mode.

I have been through quite a couple of forums that describe in detail how to remove it. I did all of them step by step - to no success. I finally restored an Acronis image because I didn't want to wast more time on this.

Has anybody run into this virus and removed it manually?
__________________
Best regards, George

Last edited by George; 07. Jun 2009 at 06:36 PM.
#2  07. Jun 2009, 06:40 PM
Mike Connor (Banned; Join Date: May 2009; Posts: 95)

I used this once on a friend's machine to remove winupgro (there are also a couple called "Wingo" and "Winupgo") when nothing else I had worked. It was a "last ditch attempt" before doing a fresh install (he had no backup!).

http://www.combofix.org/

I am not recommending it, as I only used it once, and I am not entirely sure what it actually did! But you might like to try it?

User guide is here: http://www.bleepingcomputer.com/comb...o-use-combofix

Regards.....

Mike

Last edited by Mike Connor; 07. Jun 2009 at 06:50 PM.
#3  07. Jun 2009, 07:23 PM
MidnightCowboy (Site Manager; Join Date: Aug 2008; Location: South American Banana Republic, third bunch from the left; Posts: 15,390)

My sympathies, George, but at least you've now got it sorted.

What might be of interest to others though is how you came about this .exe file in the first place and why you decided to run it?

If you don't mind sharing this information it might just prevent others from suffering similar circumstances.
__________________
Buy a Hoover and prove technology sucks.
#4  07. Jun 2009, 10:53 PM
george (Progradminstrateditor; Join Date: Mar 2008; Location: Frankfurt, GER; Posts: 2,351)

Actually, I don't know what the proggy exactly was. I collected a whole bunch of them in a "tiny tools" folder for later testing. So at one point I must have found it interesting. I tried a few of them and deleted them afterwards. I thought Avira would yell at me if one of them was infected. I am pretty sure that one of them was the bad guy.

I used combofix btw. and followed the exact description at bleepingcomputers. I did it in safe mode and it all seemed to work. I removed a whole bunch of files and Kaspersky online scanner didn't find anything anymore. But when I restarted in normal mode the drivers were loaded again and a bunch of exe files named with numbers appeared in my task manager periodically. I specifically checked all autoruns but couldn't find it. Two sys files were loaded as drivers through the registry and I deleted those entries. After reboot they were in again.
__________________
Best regards, George
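As an added triage example (not code from the thread or from any of the tools mentioned in it), the following PowerShell script takes the defender's angle on what George describes in this post: it walks the driver services registered under CurrentControlSet\Services, resolves each ImagePath, and flags drivers whose binary is missing, lives outside System32\drivers, or lacks a valid Authenticode signature, then lists running processes whose image name is nothing but digits. It assumes an elevated PowerShell 3.0 or later prompt on Windows; nothing here is a winupgro-specific signature.

```powershell
# Added example, not from the thread: list kernel/file-system driver services
# with a missing, out-of-place or unsigned binary, and all-digit process names.
# Output is a triage list to review by hand, not a verdict.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driversDir  = Join-Path $env:SystemRoot 'System32\drivers'

function Resolve-ImagePath([string]$raw) {
    # ImagePath forms seen for drivers: 'system32\drivers\foo.sys',
    # '\SystemRoot\system32\drivers\foo.sys' or '\??\C:\path\foo.sys'.
    $p = $raw.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = foreach ($svc in Get-ChildItem $servicesKey) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    # Service Type 1 = kernel driver, 2 = file system driver; skip the rest
    if (($props.Type -notin @(1, 2)) -or (-not $props.ImagePath)) { continue }
    $path    = Resolve-ImagePath $props.ImagePath
    $reasons = @()
    if (-not (Test-Path -LiteralPath $path)) {
        $reasons += 'binary missing'
    } else {
        if (-not $path.StartsWith($driversDir, 'OrdinalIgnoreCase')) {
            $reasons += 'outside System32\drivers'
        }
        # Catalog-signed Microsoft drivers may report NotSigned on older
        # Windows versions; treat that as "look closer", not as malicious.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    }
    if ($reasons) {
        [pscustomobject]@{
            Service   = $svc.PSChildName
            Start     = $props.Start      # 0 = boot, 1 = system, 2 = auto
            ImagePath = $path
            Reason    = ($reasons -join '; ')
        }
    }
}
$findings | Sort-Object Service | Format-Table -AutoSize

# Running processes whose image name is only digits (e.g. 12345.exe)
Get-Process | Where-Object { $_.ProcessName -match '^\d+$' } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize
```

Compare the flagged driver entries against the same listing taken from a known-clean machine or image; an entry that reappears after you delete it, as George saw, points at a second persistence component that the list above can help locate.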
#5  07. Jun 2009, 11:30 PM
Mike Connor (Banned; Join Date: May 2009; Posts: 95)

A friend sent me this after I told him about the winupgro problem (came too late so I didn't use it). I have not tried it, and don't know anything about it, but maybe it's worth a try if this happens to anybody else?

http://www.prevx.com/filenames/X2333...UPGRO.EXE.html

If it was on my machine I would format and re-install a clean image.

Regards.....

Mike Connor
#6  08. Jun 2009, 12:18 AM
J_L (Co-Author, Best Free Security List; Join Date: Dec 2008; Posts: 2,003)

Next time, try increasing your security instead of depending on Avira.
Include a HIPS (article) in your setup, maybe some other things if needed. Also, always remember to check the file online (VirusTotal, Anubis, Google, etc.), and scan with whatever you have if it's from an untrustworthy source. If you truly suspect it, run it with limited rights (GesWall if needed), in a sandbox (SandBoxie) or even within a virtual machine (Returnil). As a last resort, you can back up your system before running it (drive image preferably).
As experts always say, prevention is better than a cure.

Last edited by J_L; 08. Jun 2009 at 12:20 AM.
#7  08. Jun 2009, 12:25 AM
kendall.a (Been Here Since the Begin; Join Date: Apr 2008; Location: Colorado, USA; Posts: 2,346)

Quote:
A friend sent me this after I told him about the winupgro problem (came too late so I didn't use it). I have not tried it, and don't know anything about it, but maybe it's worth a try if this happens to anybody else?

http://www.prevx.com/filenames/X2333...UPGRO.EXE.html
As I understand Prevx (and I could be corrected), you would not have been able to get rid of it with the free version of Prevx. You would have had to purchase Prevx. My understanding is that the free version will identify spyware, malware, etc., but it will not remove it.
__________________
Been here since the beginning.
#8  08. Jun 2009, 12:53 AM
MidnightCowboy (Site Manager; Join Date: Aug 2008; Location: South American Banana Republic, third bunch from the left; Posts: 15,390)

Quote:
Originally Posted by kendall View Post
As I understand Prevx (and I could be corrected), you would not have been able to get rid of it with the free version of Prevx. You would have had to purchase Prevx. My understanding is that the free version will identify spyware, malware, etc., but it will not remove it.
Correct. Also, some HIPS are more use than others when it comes to warnings about drivers. From my experience the commercial System Safety Monitor is about the most comprehensive tool although strange as it may seem Spyware Terminator will also offer to block drivers loading.

I agree with 'big MC' on this one although I wouldn't even restore a previous image unless I was certain that this stuff wasn't lurking in it somewhere. Bit disappointing about Avira though - might be an idea to post this on their forum.
__________________
Buy a Hoover and prove technology sucks.