I do not know how I got this, but since I got it, it uninstalled my ZoneAlarm firewall and Avast antivirus.
I cannot go into safe mode because it reboots continuously. Cannot run HijackThis because it says it is not a Win32 compatible application.
Programs like Malwarebytes, SUPERAntiSpyware, Autoruns will hang after 30 seconds and bomb out.
I managed to run Process Explorer and killed the winupgro process, but I am still not able to run programs to clean the infection.
If I try to install AVG, the installation fails and cannot start the AVG service.
I discovered that this spyware creates a hidden drivers folder under the user profile with wwinupgro, srosa.sys etc. I managed to delete this but it comes back.
Cleaned manually from recycler, prefetcher folders and dll cache, but to no avail. Even loaded the current user hive with the disk attached to another system and cleaned the load statement in hkcu\software\microsoft\windows\currentversion\run .
I believe there must be multiple copies of this with other names disseminated into the disk.
I do know at this stage if it has copied itself to the MBR. I tried BartPE but I am yet to work out how to install the Malwarebytes plugin.
Anyone please HELP! I can always reformat and re-install but I would prefer to remove this manually.
Thanks and regards
Edited by ipnotech, 10 January 2009 - 12:24 AM.