Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Spyware.Password / Trojan.Upatre infection

  • This topic is locked This topic is locked
3 replies to this topic

#1 Yuusatsu


  • Members
  • 1 posts
  • Local time:04:39 PM

Posted 20 July 2015 - 06:21 AM

Dear BC users,


I happened to download an attachment with serious malware infenction that I've been struggling to fight against for too long.


What I've known so far about this infenction is that:


Processes it uses for presence

1. conhost.exe

2. consent.exe

3. SearchProtocolHost.exe (!)

4. WmiPrvSE.exe

5. dllhost.exe (COM Surogate) (!)

6. dllhost.exe *32  (COM Surogate) (!)


It infects every file, does not matter in what format a file is. It also propagates through network. My second computer in my network got infected without any action taken on it (downloading, opening, extracting et cetera).


It is also undetectable by any of top-ranked antiviruses/malware protection tools (Kaspersky, NOD, AVG). Please note I've got legal, working licenses for these products.


Only Malwarebytes Anti-Malware detected it but failed at fighting against it.


- - - 


Today I COMPLETELY formatted my HDD, repartitioned it and installed fresh copy. However, before doing so, I burned *.iso image on the infected computer. Guess what. After installing Windows and opening it for the first time, the malware started propagating itself. I managed to block temporarily consent.exe and conhost.exe with regedit, but the worm is still here.


Since Kaspersky, AVG and Nod are useless in this case and can do literally anything, I'm sitting dead helpless, struggling to find any solution against the malware.


Unfortunately, before getting to know I've got infected, I had to send some documents to my department at work and... the entire department got infected.


I will be really, really thankful for any support you can provide me with.


Do demand anything you wish from me to know what to do against the malware.


Thanks in advance for any help.


- - - 


Attached are FRST.txt and Addition.txt. They were created after my action in regedit.


- - - 


 (!) these processes open up whenever any action is taken; opening a notepad for instance.

Attached Files

Edited by Yuusatsu, 20 July 2015 - 06:46 AM.

BC AdBot (Login to Remove)


#2 The Pugilist

The Pugilist

  • Members
  • 826 posts
  • Gender:Not Telling
  • Local time:10:39 AM

Posted 24 July 2015 - 12:02 PM

Hello and welcome to Bleepingcomputer.  My name is Dave and I'll be exploring this issue with you.
Before we get started, here are a couple requests to help this process happen as smoothly as possible:

  • Please refrain from making additional changes to your computer for the duration of time that I am helping you.  To help you properly, I need to know exactly what is happening on the computer, and if things are changing, that makes it hard for me to help.
  • Reply to this thread within 48 hours of last contact (even if just to say that you need more time to reply).  Threads that go inactive will be closed.
  • Read replies carfully and do not be afraid to ask questions if you are unsure about something.

After viewing your log, I've noticed that the version of FRST that you are using is out of date.  Please update to the latest version and generate a new log.  Instructions provided below:


Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.


#3 The Pugilist

The Pugilist

  • Members
  • 826 posts
  • Gender:Not Telling
  • Local time:10:39 AM

Posted 28 July 2015 - 09:31 AM

Yuusatsu, are you still in need of assistance?  If so please reply to this thread within 48 hours.  If this thread remains inactive, it will be closed. 




#4 schrauber



  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:39 PM

Posted 01 August 2015 - 04:18 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users