WinUpGro not detected by Avast and knocks it down!!!

When I executed a file downloaded from Emule, it took some time and then I watched Avast’s icon change, and then Avast said that a process was taking it down. I answered no, but to no avail… Avast is gone and winupgro.exe is running… I sent the file to http://virusscan.jotti.org, which said this:

2009-10-29 Found nothing

2009-10-29 Found nothing

2009-10-29 Trojan-Downloader.Win32.Bagle!IK

A-Squared: Trojan-Downloader.Win32.Bagle
Avast: Found nothing
Avg: Trojan-Downloader.Win32.Bagle.blj
Bitdefender: Found nothing
AntiVir: Found nothing
ClamAV: Found nothing
CP Secure: Found nothing
Sophos: Sus/ComPack-C
DrWeb: Trojan.Siggen.10859
F-Prot: W32/Themida_Packed!Eldorado
Kaspersky: Trojan-Downloader.Win32.Bagle.blj

How do I remove it???

Hi gbonora,

It could be a heuristic find, flagged because of an encrypted part of a legitimate download.
See this developer comment: http://www.wilderssecurity.com/archive/index.php/t-184840.html
where he states:

I’m a developer at Oreans Technologies and we have developed Themida to protect applications against cracking. We are receiving many complaints from our clients saying that NOD32 reports their applications as a potential threat (Win32/Packed.Themida). Themida tries to do a good job of protecting applications against cracking. It’s not our fault that hackers use it to protect malware.

If it is indeed Bagle, download http://www.sophos.com/support/cleaners/baglegui.com,
then run it,
then click GO.

polonus

It is not a heuristic find. It is a real virus!!! Every time I boot, Avast starts loading and then shuts down, and winupgro.exe runs at 50% CPU (one core). I can send you the file if you are interested.

Since this is definitely a Beagle infection, either do what Polonus said or download Kaspersky Rescue Disk or Dr. Web CureIt from a non-infected computer and burn it onto a CD.

Baglegui.com didn’t find anything. I wonder… Why doesn’t Avast detect anything? I found this forum thread, http://forum.avast.com/index.php?topic=40749.0, where in December 08 they had exactly the same problem that I have, and in the last messages they say that in June 09 it still wasn’t detected!!! Why does Avast still not detect it almost one year later???

Send the sample you uploaded to Jotti to Avast.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put “undetected malware” in the subject.

I just sent it. Let’s see what they find out.

Hi gbonora,

For removal of this generic Bagle variant, consider the following removal info:
W32/Bagle.gen [McAfee] is known to be created as:

%AppData%\hidires\flec003.exe
%AppData%\hidires\hidr.exe
%AppData%\hidn\hidn2.exe
%AppData%\hidn\hldrrr.exe
%AppData%\m\flec006.exe
%System%\1.exe
%System%\anti_troj.exe
%System%\drivers\hidr.exe
%System%\drivers\hldrrr.exe
%System%\drivers\mdelk.exe
%System%\flec003.exe
%System%\hldrrr.exe
%System%\mdelk.exe
%System%\noat.exe
%System%\winlog.dll
%System%\winlog.exe
%System%\winshost.exe
%System%\wintems.exe
%System%\zzzzzzzzz.exe
%Temp%\87a75629.exe
%Temp%\bed85dd7.exe
%Temp%\c80a161e.exe
%Temp%\dgmhbjhknmvw.exe

W32.Bagle.gen Manual Removal Instructions
Backup Reminder: Always be sure to back up your PC before making any changes.

Step 1 : Use Windows Task Manager to Remove W32.Bagle.gen Processes
Remove the “W32.Bagle.gen” process files:

winresw.exe
regisp32.exe
wimanager.exe
vcualts32.exe

Step 2 : Use Registry Editor to Remove W32.Bagle.gen Registry Values
Locate and delete “W32.Bagle.gen” registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “anti_troj” = C:\WINNT\SYSTEM32\ANTI_TROJ.EXE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “anti_troj” = C:\WINNT\SYSTEM32\ANTI_TROJ.EXE

Step 3 : Use Windows Command Prompt to Unregister W32.Bagle.gen DLL Files
Search for and unregister the “W32.Bagle.gen” DLL files:

vcremoval.dll

Step 4 : Detect and Delete Other W32.Bagle.gen Files
Remove the remaining “W32.Bagle.gen” files:

vcremoval.dll
winresw.exe
regisp32.exe
wimanager.exe
vcualts32.exe
block_list.txt

polonus
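As an added, read-only audit example (not part of this thread or of the McAfee write-up quoted above): a PowerShell script that checks a host for the file paths, process names and Run-key value listed in the removal steps before anything is deleted. It assumes the %System% placeholder maps to the System32 directory, and it adds winupgro.exe from the first post to the process list.

```powershell
# Added audit script, not from the thread. Reports Bagle artifacts only;
# it deletes nothing. Run in an elevated PowerShell on the machine being checked.

$System  = [Environment]::GetFolderPath('System')   # %System%  (assumed: System32)
$AppData = $env:APPDATA                             # %AppData%
$Temp    = $env:TEMP                                # %Temp%

# File paths from the W32/Bagle.gen list quoted in the thread
$paths = @(
  "$AppData\hidires\flec003.exe", "$AppData\hidires\hidr.exe",
  "$AppData\hidn\hidn2.exe",      "$AppData\hidn\hldrrr.exe",
  "$AppData\m\flec006.exe",
  "$System\1.exe",         "$System\anti_troj.exe",     "$System\drivers\hidr.exe",
  "$System\drivers\hldrrr.exe", "$System\drivers\mdelk.exe", "$System\flec003.exe",
  "$System\hldrrr.exe",    "$System\mdelk.exe",         "$System\noat.exe",
  "$System\winlog.dll",    "$System\winlog.exe",        "$System\winshost.exe",
  "$System\wintems.exe",   "$System\zzzzzzzzz.exe",     "$System\vcremoval.dll",
  "$Temp\87a75629.exe",    "$Temp\bed85dd7.exe",        "$Temp\c80a161e.exe",
  "$Temp\dgmhbjhknmvw.exe"
)

# Process names from Step 1, plus winupgro from the original post
$procNames = 'winupgro', 'winresw', 'regisp32', 'wimanager', 'vcualts32'

# Run keys from Step 2 (both hives carry the "anti_troj" value)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$hits = @()
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $hits += "FILE    $p" }
}
# -ErrorAction SilentlyContinue: absent process names are not an error here
foreach ($proc in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    $hits += "PROCESS $($proc.ProcessName) (PID $($proc.Id)) $($proc.Path)"
}
foreach ($k in $runKeys) {
    $v = Get-ItemProperty -Path $k -Name 'anti_troj' -ErrorAction SilentlyContinue
    if ($v) { $hits += "RUNKEY  $k\anti_troj = $($v.anti_troj)" }
}

if ($hits.Count -eq 0) { 'No listed Bagle artifacts found.' } else { $hits }
```

A clean result from this script only means none of the names on this page are present; a variant using other names, as the differing scanner labels above suggest, still calls for a rescue-disk scan.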