Bagle (winupgrow) problem. Please help.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Rigwald, Feb 14, 2009.

  1. Rigwald

    Rigwald Private E-2

    I believe I got infected with the bagle (winupgrow) virus this morning. I have been battling it ever since. :cry

    I am on Vista Ultimate x64 and have gone through the Vista cleanup procedures. The only thing that I couldn't do is use combofix. It says it will only work on Win 2000 / XP. I don't know if this is a function of the virus, but I had killed the process and deleted the .exe file from its location.

    Upon every reboot, winupgro and the accompanying .sys (srosa, etc...) "reappear". It also disables Windows Defender and my Avast services. It attempts to shut down Avast on reboots, but Avast blocks that.

    I am attaching the logs I did get done.

    Any help with this would be greatly appreciated. :wave
     

    Attached Files:

  2. Rigwald

    Rigwald Private E-2

    I have since manually deleted the srosa.sys and other sys file found in my AppData/Roaming/drivers directory. I deleted the winupgrow.exe and replaced it with a renamed notebook.exe (named winupgrow.exe).

    Before any reboot, I have gone into the services manager and selected automatic startup for my Avast and Windows Defender and Firewall (which the virus appears to constantly try to disable).

    After the last reboot (which was caused by a BSD crash), Avast and Windows Defender loaded fine and BLOCKED another file from starting at startup (ISUSPM.exe, which had the same icon and "publisher" as the winupgrow.exe). I removed it from startup.

    Windows Defender also blocked a flec006.exe that was found hiding in a hidden folder on my C: drive.

    That is where I stand right now. Any suggestions as to what to do next?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! It runs on Vista too. It just does not support any 64 bit versions of Windows, which many other tools do not support either. If we find any other stubborn entities in your logs that require forceful removal (and Bagle infections always do) you may have to use a bootable Vista x64 DVD to boot to the Recovery Console to manually delete files. Registry entries would still be a problem though, and that may require restoring to an older restore point prior to the infection occurring. Do you have your bootable Vista x64 DVD?

    You are the first person with a 64 bit version of Windows who has had a Bagle infection. I tend to doubt it could hook into x64 the way it does with 32 bit OS's.


    Uninstall the below old software:
    Java(TM) 6 Update 2
    LiveReg (Symantec Corporation)
    LiveUpdate 3.2 (Symantec Corporation)

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [mule_st_key] C:\Users\Main\AppData\Roaming\m\flec006.exe
    O4 - HKCU\..\Run: [drvsyskit] C:\Users\Main\AppData\Roaming\drivers\winupgro.exe
    O4 - HKUS\S-1-5-18\..\Run: [SpybotSD TeaTimer] E:\Utilities\Spybot - Search & Destroy\TeaTimer.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [SpybotSD TeaTimer] E:\Utilities\Spybot - Search & Destroy\TeaTimer.exe (User 'Default user')
    O8 - Extra context menu item: &Search - ?p=ZU

    After clicking Fix, exit HJT.

    Then attempt to delete the below files if they still exist:
    C:\Windows\system32\CF11061.exe
    C:\Windows\system32\CF12811.exe
    C:\Windows\system32\CF13556.exe
    C:\Windows\system32\xa246375.exe
    C:\Windows\system32\xa247906.exe
    C:\Windows\system32\xa784197234.exe
    C:\Windows\system32\xa784199453.exe
    C:\Windows\system32\xa785374375.exe
    C:\Windows\system32\xa785375796.exe
    C:\Windows\SysWOW64\CF11061.exe
    C:\Windows\SysWOW64\CF12811.exe
    C:\Windows\SysWOW64\CF13556.exe
    C:\Windows\SysWOW64\cmd.execf
    C:\Windows\SysWOW64\xa246375.exe
    C:\Windows\SysWOW64\xa247906.exe
    C:\Windows\SysWOW64\xa784197234.exe
    C:\Windows\SysWOW64\xa784199453.exe
    C:\Windows\SysWOW64\xa785374375.exe
    C:\Windows\SysWOW64\xa785375796.exe
    C:\Users\Main\AppData\Roaming\m\flec006.exe
    C:\Users\Main\AppData\Roaming\drivers\winupgro.exe

    Also delete below folder if it exists:
    C:\Users\Main\AppData\Roaming\m

    If any of the above would not delete, reboot into safe mode and try again.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Users\Main\AppData\Local\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
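As an added triage example (not part of the thread and not one of the MajorGeeks tools), here is a PowerShell script an administrator could run in an elevated prompt on the affected Vista x64 machine to check whether the autorun entries and files named in the instructions above are still present. It only reads and reports; it deletes nothing. The profile path C:\Users\Main comes from the HJT lines above, and the srosa.sys path is assumed from Rigwald's description of the AppData\Roaming\drivers folder.

```powershell
# Added triage script: audits the Run keys and file paths named in the
# removal instructions above and reports what is still present. Read-only.
# Assumptions: elevated PowerShell; profile path taken from the HJT log.

$profileDir = 'C:\Users\Main'   # from the HJT lines; adjust for another profile

# Autorun value names from the HJT O4 lines, and files from the delete list.
$suspectValueNames = @('drvsyskit', 'mule_st_key', 'ISUSPM')
$suspectFiles = @(
    "$profileDir\AppData\Roaming\drivers\winupgro.exe",
    "$profileDir\AppData\Roaming\drivers\srosa.sys",   # assumed path, per post 2
    "$profileDir\AppData\Roaming\m\flec006.exe",
    'C:\Windows\SysWOW64\cmd.execf'
)

# Run keys that HijackThis reports as O4 entries, including per-hive ones.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SuspectRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata
            $flag = $suspectValueNames -contains $p.Name
            # Anything launched from a roaming profile folder deserves a look too.
            if ("$($p.Value)" -match '\\AppData\\Roaming\\') { $flag = $true }
            if ($flag) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

Write-Host '== Autorun entries still present =='
Get-SuspectRunEntries | Format-Table -AutoSize

Write-Host '== Files from the removal list still on disk =='
foreach ($f in $suspectFiles) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force
        '{0}  ({1} bytes, modified {2})' -f $f, $item.Length, $item.LastWriteTime
    }
}
```

Run it before and after the HJT fixes to confirm the entries are gone after the reboot; any listed file that comes back on its own points to a loader that is still active.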
     
  4. Rigwald

    Rigwald Private E-2

    Thanks Chaslang! :)

    After reboots, I haven't had the issues with the anti-virus/defender not loading (as stated in my previous reply after manually deleting winupgrow, flec, etc...)

    Here are the latest logs. In order to get them all to run properly, I went into the command prompt (ran via admin) and then ran the .bat from in the command prompt environment. Otherwise, it stated that it didn't know the commands "GetRunKey.bat", etc...

    If need be, I do have the vista dvd around here in this mess I call my office. :-o

    Thanks again. :wave
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. Delete the ComboFix.exe file from your Desktop if you still have it there.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
