W32.Uporesc
24 January 2008
Overall Risk Level:
W32.Uporesc can download additional threats from a remote computer. It spreads by infecting executable and .html files and by creating a copy of itself on removable drives.
Other Alias: -
Threat Level: Low
Systems Affected: Windows – All
Source: Symantec
How to Remove W32.Uporesc - Discussion
This page contains our suggested removal procedure (by precisesecurity) and visitors' own suggestions. We cannot control or evaluate each suggested procedure, so please use them at your own risk. If no suggestion is present to remove viruses, spyware, adware and malware, you may try the following:
- Scan W32.Uporesc with Malwarebytes' Anti-Malware
- Remove W32.Uporesc with Standard Virus Scan


1. Temporarily disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Reboot the computer in Safe Mode.
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/modify any values added to the registry.
Navigate to and delete the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Drivers
Navigate to and delete the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Drivers\"ImagePath" = "%System%\api32.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\"DisableWindowsUpdateAccess" = "1"
The following entries are all under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:
\360Safe.com\"debugger" = "c:\api32.exe"
\360Safe.exe\"debugger" = "c:\api32.exe"
\360tray.exe\"debugger" = "c:\api32.exe"
\adam.exe\"debugger" = "c:\api32.exe"
\AntiArp.exe\"debugger" = "c:\api32.exe"
\AppSvc32.exe\"debugger" = "c:\api32.exe"
\autoruns.exe\"debugger" = "c:\api32.exe"
\AvMonitor.exe\"debugger" = "c:\api32.exe"
\avp.com\"debugger" = "c:\api32.exe"
\avp.exe\"debugger" = "c:\api32.exe"
\CCenter.exe\"debugger" = "c:\api32.exe"
\ccSvcHst.exe\"debugger" = "c:\api32.exe"
\FileDsty.exe\"debugger" = "c:\api32.exe"
\HijackThis.exe\"debugger" = "c:\api32.exe"
\IceSword.com\"debugger" = "c:\api32.exe"
\IceSword.exe\"debugger" = "c:\api32.exe"
\iparmo.exe\"debugger" = "c:\api32.exe"
\isPwdSvc.exe\"debugger" = "c:\api32.exe"
\kabaload.exe\"debugger" = "c:\api32.exe"
\KASMain.exe\"debugger" = "c:\api32.exe"
\KASTask.exe\"debugger" = "c:\api32.exe"
\KAV32.exe\"debugger" = "c:\api32.exe"
\KAVDX.exe\"debugger" = "c:\api32.exe"
\KAVPFW.exe\"debugger" = "c:\api32.exe"
\KAVStart.exe\"debugger" = "c:\api32.exe"
\KISLnchr.exe\"debugger" = "c:\api32.exe"
\KMFilter.exe\"debugger" = "c:\api32.exe"
\KPFW32.exe\"debugger" = "c:\api32.exe"
\KPFW32X.exe\"debugger" = "c:\api32.exe"
\KPFWSvc.exe\"debugger" = "c:\api32.exe"
\KsLoader.exe\"debugger" = "c:\api32.exe"
\KvDetect.exe\"debugger" = "c:\api32.exe"
\KvfwMcl.exe\"debugger" = "c:\api32.exe"
\KVScan.kxp\"debugger" = "c:\api32.exe"
\kvwsc.exe\"debugger" = "c:\api32.exe"
\KWatch.exe\"debugger" = "c:\api32.exe"
\MagicSet.exe\"debugger" = "c:\api32.exe"
\mmqczj.exe\"debugger" = "c:\api32.exe"
\mmsk.exe\"debugger" = "c:\api32.exe"
\msconfig.exe\"debugger" = "c:\api32.exe"
\nod32.exe\"debugger" = "c:\api32.exe"
\nod32krn.exe\"debugger" = "c:\api32.exe"
\nod32kui.exe\"debugger" = "c:\api32.exe"
\QHSET.exe\"debugger" = "c:\api32.exe"
\Ras.exe\"debugger" = "c:\api32.exe"
\rav.exe\"debugger" = "c:\api32.exe"
\RavMon.exe\"debugger" = "c:\api32.exe"
\RavMonD.exe\"debugger" = "c:\api32.exe"
\RavTask.exe\"debugger" = "c:\api32.exe"
\RegClean.exe\"debugger" = "c:\api32.exe"
\rfwcfg.exe\"debugger" = "c:\api32.exe"
\rfwProxy.exe\"debugger" = "c:\api32.exe"
\rfwsrv.exe\"debugger" = "c:\api32.exe"
\runiep.exe\"debugger" = "c:\api32.exe"
\safelive.exe\"debugger" = "c:\api32.exe"
\scan32.exe\"debugger" = "c:\api32.exe"
\shcfg32.exe\"debugger" = "c:\api32.exe"
\SmartUp.exe\"debugger" = "c:\api32.exe"
\SREng.exe\"debugger" = "c:\api32.exe"
\symlcsvc.exe\"debugger" = "c:\api32.exe"
\SysSafe.exe\"debugger" = "c:\api32.exe"
\TrojanDetector.exe\"debugger" = "c:\api32.exe"
\Trojanwall.exe\"debugger" = "c:\api32.exe"
\UIHost.exe\"debugger" = "c:\api32.exe"
\UmxAgent.exe\"debugger" = "c:\api32.exe"
\UmxAttachment.exe\"debugger" = "c:\api32.exe"
\UmxCfg.exe\"debugger" = "c:\api32.exe"
\UmxFwHlp.exe\"debugger" = "c:\api32.exe"
\UmxPol.exe\"debugger" = "c:\api32.exe"
\WoptiClean.exe\"debugger" = "c:\api32.exe"
\zxsweep.exe\"debugger" = "c:\api32.exe"
Navigate to and restore the following registry subkeys from a clean backup, if required:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
Navigate to and restore the following registry entry to its previous value, if required:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\"Text" = "BMW"
6. Exit registry editor and restart the computer.
7. To make sure that the threat is completely eliminated from your computer, carry out a full scan of your computer using antivirus and antispyware software. Alternatively, an online virus scanner lets you remove the virus with various antivirus programs without the need to install them.
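The registry checks from step 5 can also be run offline against a text dump produced by `reg export`. The script below is an added example, not part of the original page or of Symantec's write-up; the sample export is constructed, and the names `parse_reg` and `audit` are assumptions made for illustration.

```python
import re

# Indicators taken from step 5 of the page (compared case-insensitively).
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
SERVICE = r"hkey_local_machine\system\currentcontrolset\services\windows drivers"
POLICIES = {
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"),
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\windowsupdate", "disablewindowsupdateaccess"),
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample in .reg export format (real exports are UTF-16; open with encoding="utf-16").
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="c:\\api32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Drivers]
"ImagePath"="C:\\WINDOWS\\system32\\api32.exe"
'''

def parse_reg(text):
    """Yield (key, value_name, data); a key header yields (key, None, None)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := VALUE_RE.match(line)):
            name, data = m.groups()
            if len(data) >= 2 and data[0] == data[-1] == '"':  # REG_SZ: unquote, unescape
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            yield key, name, data

def audit(text):
    """Return (kind, subject, data) for every indicator from the page found in the export."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None and k == SERVICE:
            findings.append(("service", key, ""))
        elif name and k.startswith(IFEO + "\\") and name.lower() == "debugger":
            findings.append(("ifeo-debugger", key.rsplit("\\", 1)[1], data))
        elif name and (k, name.lower()) in POLICIES and data in ("1", "dword:00000001"):
            findings.append(("policy", name, data))
    return findings
```

A Debugger value under Image File Execution Options can be set for legitimate reasons, so treat each finding as an item to review; the entries this page attributes to the threat are the ones whose data points at api32.exe.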