upnpclient.exe

Discussion in 'malware problems & news' started by Kirschstrasse, Nov 13, 2004.

  1. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    OK, I re-enabled the client in "services"

    When I look in "task manager"......Applications shows "upnpclient.exe" running..............Processes shows "upnpclient.exe" with username "system".

    BUT.......when I do a search for "upnpclient.exe", it turns up nothing. So I do a search (with wildcards) for *upnp* and I get this (all in windows/system32):

    dpnhupnp.dll
    upnp.dll
    upnpcont
    upnphost.dll
    upnpui.dll

    But the file has still not asked for access to the internet.
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    You might have hit upon something new here, in which case it's not surprising it got through your AV and failed to show up on those scans you did. Even HJT logs do not show up all these trojan activities (though I'm still interested to know why Adobe is using an entirely unknown CLSID).

    I did a *upnp* search on my system and it threw up the same results as you; so that might not be a problem (unless the locations are different).

    If you feel it is worth doing one more scan you could try eScan from MicroWorld:- http://www.mwti.net/antivirus/free_utilities.asp

    This free utility is report only, but it is more powerful than the other scanners you have tried. Though if you have been hit by something new.... Still it is worth a try.
     
  3. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    Well, the file tried to access the internet again.

    I finally said, "you win".............and I wiped the hard drive and reinstalled windows.

    I have a feeling we haven't heard the last of this thing. I think I was just unlucky enough to be one of the first to get it.
     
  4. VisitorNumber13

    VisitorNumber13 Registered Member

    Joined:
    Nov 17, 2004
    Posts:
    3
    I thought somebody would never ask! :)

    Unfortunately I did another HD wipe and started fresh. HOWEVER, I can re-infect myself again.

    I'm going to PM you
     
  5. VisitorNumber13

    VisitorNumber13 Registered Member

    Joined:
    Nov 17, 2004
    Posts:
    3
    FWIW, mine was a hidden file and initially I couldn't locate it either. I had to utilize XP's "additional search options" to make it "search hidden files and folders" for it to show up.

    I guess it doesn't matter now since you've wiped your drive, but if it shows up again, you should be able to find it. I mean, if you've got a program running called "upnpclient.exe" then you should probably be able to find it somewhere.

    BTW, YGPM
     
  6. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    Could you PM me with the name of the program you think did this to you?

    And tell me the places you found the file?
     
  7. jackOrip

    jackOrip Registered Member

    Joined:
    Nov 17, 2004
    Posts:
    4
    OK guys. Here is what I found after reading the above posts.....

    I downloaded what was supposed to be a trial version of Visualware's VisualRoute from some jerk on a P2P client. It installed and everything ran fine. However, I too noticed a slowdown and suddenly I was getting these unsolicited attempts to access dyn8-9.myactv.com or something like that. So I looked around and this is what I found.

    The install program: VisualRoute_setup.exe installed into my system32 dir all of the following: temp.exe (which was the real VisualRoute installation file), ps.exe, ps.bat, acrobat.dll, msdebach.exe, also creating upnpclient.exe in my c:\system volume information\ folder. And yes, hexworkshop says they are identical down to the last byte. ps.bat is run, which simply says run ps.exe and output to ps (no extension, even tho it is plain text). This is where the real fun begins.. The trojan embeds itself in the volume info folder because most users don't have access to delete it even on their OWN systems at home. It tells the registry that it is a service for legacy pnp devices and so services.exe will try to load it every few minutes and keep it loaded even after a reboot. It installs acrobat.dll into IE as a BHO so that whenever you load IE it knows it is online and starts pounding away at its home address. Which when I did a packet capture on it I came up with these:


    As the upnpclient.exe runs it constantly updates to tracking.log, I think. It was encrypted or something so I didn't bother with it, but it was the only other file in my system volume information folder so we will just assume that it does. Anyway, when it connects via port 80 (http) it sends this info to its awaiting recipient. I'm still doing packet captures and hex dumps of these files. I will add more as I figure it out, but that is the basics....

    If you want to know what the offending file was that gave you this virus/trojan you should be able to search for a file named temp.exe or another generic name that was created within seconds of the msdebach.exe file and do some hex editing or hell just run it again (that file is a harmless install util)

    To get rid of this thing, you'll have to be able to look inside your c:\system volume information\ folder (search this or another site to figure that out) and get an explorer window looking there. Bring up the task manager and kill the process, quickly rename upnpclient.exe to anything else. services.exe will try to restart it again in 60 seconds so try to rename it quickly. Now go to system32 and delete the above mentioned files and also the files in the system info folder. acrobat.dll will not delete until you go about removing that from Internet Explorer. It was installed as a BHO (BackasswardsHelperObject). Once again, search elsewhere for that procedure. Maybe this has helped some lonely soul from having to wipe and re-install his drive.

    More on this sucker in just a moment.
     
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Thanks for that comprehensive lowdown, from someone who obviously knows a lot more about these things! :cool:

    What a complete bastard that trojan is - it gives itself a plausible name, creates a service similar in name to a legitimate one and creates a BHO named after a known one.

    Kirschstrasse and VisitorNumber13 are lucky their firewalls were up to the task - anyone relying on XP's firewall, or just using a hardware FW, would be none the wiser and the trojan would be doing its dirty work unchallenged. :-*
     
  9. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    Yes, great report. I'm sure if (or should I say when) someone searches for that file name and gets directed here, they will have a lot more information than I had when this thing got me.

    I have a question though........

    What was the end purpose of this? What was going to happen if it got connected to the site/s it was trying to access?
     
  10. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi jackOrip,

    Welcome to Wilders.

    If you have not done so already, could you please zip up a copy of the VisualRoute that you have, and email it to submit@diamondcs.com.au for analysis? It would be very much appreciated.

    With the experts' analysis of all the files involved, they may be able to figure out what kind of payload this thing has, and add detection/removal for it.

    Regards,

    snap
     
  11. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    I guess the reason I had extended periods where the file wasn't trying to access the internet was because "most" of the time I use Firefox as my browser and until I pulled up IE, the BHO it installed in IE, was just sitting there waiting.

    If I had never used IE, the thing may never have activated.
     
  12. VisitorNumber13

    VisitorNumber13 Registered Member

    Joined:
    Nov 17, 2004
    Posts:
    3
    Hello all,

    Good info from JackOrip.

    JackOrip, if you've sent the file to DCS already, let us know so I don't have to do yet another re-installation :) Otherwise I'll re-install the trojan tonight and then zip it up and send it to DCS.
    Cheers
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Nice work.. the installer does indeed drop 2 files and a temp.exe which is the real installer. You'll need to unregister acrobat.dll in your SYSTEM folder if you have it

    regsvr32 /u acrobat.dll

    And delete it after reboot, also delete that msdebach.exe
    So far it looks like a password stealer, I'll verify it first and add detection if so

    ALL 3 files you sent seem to be droppers of this thing.. not exactly the same but one dropper detection might be enough to pick them all up. Will see what we can do :)

    I'd assume wherever you obtained these files, there are more similar nasties..
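The two persistence points named in jackOrip's write-up and in this reply (a service whose binary sits in System Volume Information, and a BHO DLL dropped in system32) can be checked offline against a `reg export` dump. This is an added example, not code from the thread or from DiamondCS; the service name `LegacyPnPHelper`, both CLSIDs and `ExampleVendor` are constructed placeholders because the thread does not give the real ones, and the "BHO DLL directly in system32" rule is a heuristic chosen for this example.

```python
import ntpath
import re

def _hex2(text, per_line=16):
    """Encode text as `reg export` writes REG_EXPAND_SZ: wrapped hex(2) UTF-16LE bytes."""
    pairs = [f"{b:02x}" for b in (text + "\0").encode("utf-16-le")]
    rows = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return "hex(2):" + ",\\\n  ".join(rows)

SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
BHO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
       r"\Explorer\Browser Helper Objects")
CLSID = r"HKEY_CLASSES_ROOT\CLSID"
ID_A = "{11111111-1111-1111-1111-111111111111}"   # placeholder CLSID
ID_B = "{22222222-2222-2222-2222-222222222222}"   # placeholder CLSID

# Constructed sample export; only the file names and folders come from the thread.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{SVC}\\upnphost]",
    '"ImagePath"=' + _hex2(r"%SystemRoot%\system32\svchost.exe -k LocalService"),
    '"Start"=dword:00000003',
    "",
    f"[{SVC}\\LegacyPnPHelper]",
    '"ImagePath"=' + _hex2(r"C:\System Volume Information\upnpclient.exe"),
    '"Start"=dword:00000002',
    "",
    f"[{BHO}\\{ID_A}]",
    f"[{BHO}\\{ID_B}]",
    f"[{CLSID}\\{ID_A}\\InprocServer32]",
    r'@="C:\\WINDOWS\\system32\\acrobat.dll"',
    f"[{CLSID}\\{ID_B}\\InprocServer32]",
    r'@="C:\\Program Files\\ExampleVendor\\helper.dll"',
])

def _decode(raw):
    """Decode one exported value: REG_SZ, REG_DWORD or REG_EXPAND_SZ."""
    if raw.startswith('"'):                       # REG_SZ, backslash-escaped
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):                 # REG_EXPAND_SZ, UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\0")
    return raw

def parse_reg(text):
    """Parse `reg export` text into {key path: {lowercased value name: value}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)        # join wrapped hex lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name.lower()] = _decode(m.group(2))
    return keys

def audit(text):
    """Return (kind, key name, path) for each entry matching the thread's pattern."""
    keys = parse_reg(text)
    index = {k.lower(): v for k, v in keys.items()}   # registry paths ignore case
    findings = []
    # Rule 1: a service whose binary lives in System Volume Information.
    for path, values in keys.items():
        parent, _, name = path.rpartition("\\")
        image = str(values.get("imagepath", ""))
        if (parent.lower() == SVC.lower()
                and "\\system volume information\\" in image.lower()):
            findings.append(("service", name, image))
    # Rule 2 (heuristic): a BHO whose server DLL sits directly in system32.
    for path in keys:
        parent, _, clsid = path.rpartition("\\")
        if parent.lower() != BHO.lower():
            continue
        server_key = f"{CLSID}\\{clsid}\\InprocServer32".lower()
        server = index.get(server_key, {}).get("", "")
        if ntpath.dirname(server).lower().endswith("\\system32"):
            findings.append(("bho", clsid, server))
    return findings

if __name__ == "__main__":
    for kind, name, path in audit(SAMPLE_REG):
        print(f"{kind:8} {name}  ->  {path}")
```
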
     
  14. jackOrip

    jackOrip Registered Member

    Joined:
    Nov 17, 2004
    Posts:
    4
    Sorry, I must make an amendment to the above really long post... I'm still getting used to NTFS... but the tracking.log is legit. Got this off of microsoft.com:

    Note: The Distributed Link Tracking Client service monitors activity on NTFS volumes and stores maintenance information in a file called Tracking.log, which is located in a hidden folder called System Volume Information at the root of each volume. This folder is protected by permissions that allow only the system to have access to it. The folder is also used by other Windows services, such as the Indexing Service.

    If the Distributed Link Tracking Client service is stopped, the links on your computer will not be maintained or tracked.

    So other than that file I think I was guessing pretty good. ;)

    And I can send you an infected file and the original I redownloaded straight from Visualware, so you can see the additional bytes. About 99kb extra right at the front. Nothing special really about the wrapper, but as you guys said.. this was one sneaky bastard when it finally ran. This file I've emailed you also has a reference in the PE header to a mslib16s.lib32 ... so apparently it will load one or the other initially.. I dunno Visual Basic worth a squat, so someone else will have to take it up from here.. However, I will post in another individual post what the upnpclient was doing in memory... no wonder there was a performance drop!! Over and over every few seconds.. geez.
     
  15. jackOrip

    jackOrip Registered Member

    Joined:
    Nov 17, 2004
    Posts:
    4
    Here is what it writes and reads to the registry... just in case anyone's interested... Somebody let me know if I'm posting too much. However, I'm sure someone would like to know this if they are infected.


    51.12560619 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upnpclient.exe NOTFOUND
    51.12887951 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Key: 0xE2B804D8
    51.12891108 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
    51.12948769 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Key: 0xE2B804D8
    51.13133625 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\SafeBoot\Option NOTFOUND
    51.13138011 upnpclient.exe:1528 OpenKey HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers SUCCESS Key: 0xE2B804D8
    51.13140301 upnpclient.exe:1528 QueryValue HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled SUCCESS 0x1
    51.13144129 upnpclient.exe:1528 CloseKey HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers SUCCESS Key: 0xE2B804D8
    51.13150079 upnpclient.exe:1528 OpenKey HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers NOTFOUND
    51.13435423 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Key: 0xE2B804D8
    51.13438356 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
    51.13442183 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Key: 0xE2B804D8
    51.13454308 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Key: 0xE2B804D8
    51.13456487 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
    51.13458442 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled SUCCESS 0x0
    51.13461459 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Key: 0xE2B804D8
    51.13466432 upnpclient.exe:1528 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Key: 0xE2B804D8
    51.13469086 upnpclient.exe:1528 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack NOTFOUND
    51.13555494 upnpclient.exe:1528 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Key: 0xE2B804D8
    51.13563372 upnpclient.exe:1528 OpenKey HKLM SUCCESS Key: 0xE2B804D8
    51.13568736 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics NOTFOUND
    51.13592817 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Key: 0xE2B2CFB8
    51.13595359 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode NOTFOUND
    51.13600332 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Key: 0xE2B2CFB8
    51.13818488 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\Error Message Instrument\ NOTFOUND
    51.13851453 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32 SUCCESS Key: 0xE2B2CFB8
    51.13854303 upnpclient.exe:1528 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32\upnpclient NOTFOUND
    51.13858018 upnpclient.exe:1528 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32 SUCCESS Key: 0xE2B2CFB8
    51.13862181 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility SUCCESS Key: 0xE2B2CFB8
    51.13864080 upnpclient.exe:1528 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility\upnpclient NOTFOUND
    51.13866651 upnpclient.exe:1528 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility SUCCESS Key: 0xE2B2CFB8
    51.14174595 upnpclient.exe:1528 OpenKey HKCU SUCCESS Key: 0xE2B2CFB8
    51.14177444 upnpclient.exe:1528 OpenKey HKCU\Software\Policies\Microsoft\Control Panel\Desktop NOTFOUND
    51.14184065 upnpclient.exe:1528 OpenKey HKCU\Control Panel\Desktop SUCCESS Key: 0xE102D368
    51.14187893 upnpclient.exe:1528 QueryValue HKCU\Control Panel\Desktop\MultiUILanguageId NOTFOUND
    51.14190519 upnpclient.exe:1528 CloseKey HKCU\Control Panel\Desktop SUCCESS Key: 0xE102D368
    51.14193173 upnpclient.exe:1528 CloseKey HKCU SUCCESS Key: 0xE2B2CFB8
    51.14216779 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS Key: 0xE2B2CFB8
    51.14219181 upnpclient.exe:1528 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SUCCESS ""
    51.14223679 upnpclient.exe:1528 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS Key: 0xE2B2CFB8
    51.14297208 upnpclient.exe:1528 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2B2CFB8
    51.14347410 upnpclient.exe:1528 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 9A 70 8A 25 82 30 CB 3B ...
    51.14351992 upnpclient.exe:1528 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2B2CFB8
    51.14368754 upnpclient.exe:1528 OpenKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS Key: 0xE2B2CFB8
    51.14371687 upnpclient.exe:1528 QueryValue HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CriticalSectionTimeout SUCCESS 0x278D00
    51.14375598 upnpclient.exe:1528 CloseKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS Key: 0xE2B2CFB8
    51.14382526 upnpclient.exe:1528 OpenKey HKCR\Interface SUCCESS Key: 0xE2B2CFB8
    51.14384035 upnpclient.exe:1528 QueryValue HKCR\Interface\InterfaceHelperDisableAll NOTFOUND
    51.14385488 upnpclient.exe:1528 QueryValue HKCR\Interface\InterfaceHelperDisableAllForOle32 NOTFOUND
    51.14386801 upnpclient.exe:1528 QueryValue HKCR\Interface\InterfaceHelperDisableTypeLib NOTFOUND
    51.14389790 upnpclient.exe:1528 CloseKey HKCR\Interface SUCCESS Key: 0xE2B2CFB8
    51.14393645 upnpclient.exe:1528 OpenKey HKCR\Interface\{00020400-0000-0000-C000-000000000046} SUCCESS Key: 0xE2B2CFB8
    51.14395405 upnpclient.exe:1528 QueryValue HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAll NOTFOUND
    51.14396886 upnpclient.exe:1528 QueryValue HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAllForOle32 NOTFOUND
    51.14399847 upnpclient.exe:1528 CloseKey HKCR\Interface\{00020400-0000-0000-C000-000000000046} SUCCESS Key: 0xE2B2CFB8
    51.14465190 upnpclient.exe:1528 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NOTFOUND
    51.14478823 upnpclient.exe:1528 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT\UserEra NOTFOUND
    51.14484606 upnpclient.exe:1528 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NOTFOUND
    51.14557688 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\Nls\Locale SUCCESS Key: 0xE2B2CFB8
    51.14562298 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts SUCCESS Key: 0xE102D368
    51.14566432 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\Nls\Language Groups SUCCESS Key: 0xE2BFB770
    51.14569673 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000409 SUCCESS "1"
    51.14571377 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1"
    51.14617053 upnpclient.exe:1528 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback NOTFOUND
    51.15057389 upnpclient.exe:1528 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15067502 upnpclient.exe:1528 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS EC 03 84 3F 5A 8F A4 CA ...
    51.15070463 upnpclient.exe:1528 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15109658 upnpclient.exe:1528 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15120413 upnpclient.exe:1528 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS EF 1B F2 04 93 BB E3 30 ...
    51.15123151 upnpclient.exe:1528 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15154803 upnpclient.exe:1528 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15163044 upnpclient.exe:1528 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 6C DA FD 12 F7 19 47 C6 ...
    51.15165643 upnpclient.exe:1528 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15195563 upnpclient.exe:1528 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15203636 upnpclient.exe:1528 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS BE DB 6C 51 EC 36 81 7C ...
    51.15206262 upnpclient.exe:1528 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15235959 upnpclient.exe:1528 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15243893 upnpclient.exe:1528 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 8F F4 40 A7 91 F6 57 B3 ...
    51.15246491 upnpclient.exe:1528 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15276355 upnpclient.exe:1528 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15284317 upnpclient.exe:1528 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS F0 BF 99 18 D5 7B F1 7A ...
    51.15286943 upnpclient.exe:1528 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15316667 upnpclient.exe:1528 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15324713 upnpclient.exe:1528 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 33 1B 84 F5 44 73 00 E9 ...
    51.15327311 upnpclient.exe:1528 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE2C0F870
    51.15524794 upnpclient.exe:1528 OpenKey HKCU SUCCESS Key: 0xE2C0F870
    51.15530438 upnpclient.exe:1528 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\ThemeManager SUCCESS Key: 0xE2457548
    51.15532728 upnpclient.exe:1528 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\ThemeManager\Compositing NOTFOUND
    51.15536975 upnpclient.exe:1528 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\ThemeManager SUCCESS Key: 0xE2457548
    51.15539796 upnpclient.exe:1528 CloseKey HKCU SUCCESS Key: 0xE2C0F870
    51.15547842 upnpclient.exe:1528 OpenKey HKCU SUCCESS Key: 0xE2C0F870
    51.15551781 upnpclient.exe:1528 OpenKey HKCU\Control Panel\Desktop SUCCESS Key: 0xE2457548
    51.15555105 upnpclient.exe:1528 QueryValue HKCU\Control Panel\Desktop\LameButtonText NOTFOUND
    51.15558346 upnpclient.exe:1528 CloseKey HKCU\Control Panel\Desktop SUCCESS Key: 0xE2457548
    51.15561112 upnpclient.exe:1528 CloseKey HKCU SUCCESS Key: 0xE2C0F870
    51.15927974 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM SUCCESS Key: 0xE2C0F870
    51.15930628 upnpclient.exe:1528 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM\Ime File SUCCESS "msctfime.ime"
    51.15934930 upnpclient.exe:1528 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM SUCCESS Key: 0xE2C0F870
    51.16365711 upnpclient.exe:1528 OpenKey HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers NOTFOUND
    51.16850410 upnpclient.exe:1528 OpenKey HKCU SUCCESS Key: 0xE2C0F870
    51.16856388 upnpclient.exe:1528 OpenKey HKCU\SOFTWARE\Microsoft\CTF SUCCESS Key: 0xE2457548
    51.16858316 upnpclient.exe:1528 QueryValue HKCU\SOFTWARE\Microsoft\CTF\Disable Thread Input Manager NOTFOUND
    51.16862450 upnpclient.exe:1528 CloseKey HKCU\SOFTWARE\Microsoft\CTF SUCCESS Key: 0xE2457548
    51.16878598 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\CTF\SystemShared SUCCESS Key: 0xE2457548
    51.16880861 upnpclient.exe:1528 QueryValue HKLM\Software\Microsoft\CTF\SystemShared\CUAS SUCCESS 0x0
    51.16884101 upnpclient.exe:1528 CloseKey HKLM\Software\Microsoft\CTF\SystemShared SUCCESS Key: 0xE2457548
    51.16895807 upnpclient.exe:1528 OpenKey HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers NOTFOUND
    51.17098207 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\Nls\Codepage SUCCESS Key: 0xE2457548
    51.17105526 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Codepage\932 SUCCESS "c_932.nls"
    51.17108906 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Codepage\949 SUCCESS "c_949.nls"
    51.17112175 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Codepage\950 SUCCESS "c_950.nls"
    51.17115360 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Codepage\936 SUCCESS "c_936.nls"
    51.17123070 upnpclient.exe:1528 OpenKey HKLM\SOFTWARE\Microsoft\VBA\Monitors NOTFOUND
    51.17261998 upnpclient.exe:1528 OpenKey HKLM\SOFTWARE\Microsoft\VBA\Monitors NOTFOUND
    51.17294712 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Key: 0xE2974B78
    51.17300355 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Key: 0xE26CD710
    51.17302869 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "MONSTER"
    51.17307116 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Key: 0xE26CD710
    51.17310133 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Key: 0xE2974B78
    51.17445932 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Key: 0xE2974B78
    51.17451603 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Key: 0xE26CD710
    51.17454090 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "MONSTER"
    51.17458308 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Key: 0xE26CD710
    51.17461437 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Key: 0xE2974B78
    51.17472528 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Rpc\PagedBuffers NOTFOUND
    51.17477808 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Rpc SUCCESS Key: 0xE2974B78
    51.17479987 upnpclient.exe:1528 QueryValue HKLM\Software\Microsoft\Rpc\MaxRpcSize NOTFOUND
    51.17482948 upnpclient.exe:1528 CloseKey HKLM\Software\Microsoft\Rpc SUCCESS Key: 0xE2974B78
    51.17486357 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upnpclient.exe\RpcThreadPoolThrottle NOTFOUND
    51.17494374 upnpclient.exe:1528 OpenKey HKLM\Software\Policies\Microsoft\Windows NT\Rpc NOTFOUND
    51.17515299 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Key: 0xE2974B78
    51.17520271 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Key: 0xE26CD710
    51.17522450 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "MONSTER"
    51.17525970 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Key: 0xE26CD710
    51.17528904 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Key: 0xE2974B78
    51.17893000 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.17897331 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.17900599 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.17903309 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.17966501 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.17971306 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.18012178 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.18015055 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.18032934 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.18035979 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.18038605 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.18041148 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.18045506 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.18347444 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters SUCCESS Key: 0xE1244D80
    51.18350489 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\WinSock_Registry_Version SUCCESS "2.0"
    51.18352472 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\WinSock_Registry_Version SUCCESS "2.0"
    51.18358926 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 SUCCESS Key: 0xE26CD710
    51.18361188 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num SUCCESS 0x4
    51.18366189 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num SUCCESS 0x4
    51.18371413 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000004 NOTFOUND
    51.18373508 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID SUCCESS 0x3F8
    51.18375268 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries SUCCESS 0xF
    51.18380912 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries SUCCESS Key: 0xE29A0FB8
    51.18385605 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 SUCCESS Key: 0xE29BA340
    51.18387700 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem BUFOVRFLOW
    51.18389684 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem BUFOVRFLOW
    51.18394293 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18398986 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 SUCCESS Key: 0xE29BA340
    51.18403847 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 SUCCESS Key: 0xE29BA340
    51.18407004 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem BUFOVRFLOW
    51.18408932 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem BUFOVRFLOW
    51.18411474 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18414771 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 SUCCESS Key: 0xE29BA340
    51.18419129 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 SUCCESS Key: 0xE29BA340
    51.18421196 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem BUFOVRFLOW
    51.18423012 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem BUFOVRFLOW
    51.18425526 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18428571 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 SUCCESS Key: 0xE29BA340
    51.18432650 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 SUCCESS Key: 0xE29BA340
    51.18434745 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem BUFOVRFLOW
    51.18436589 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem BUFOVRFLOW
    51.18439075 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18442204 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 SUCCESS Key: 0xE29BA340
    51.18446255 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 SUCCESS Key: 0xE29BA340
    51.18448350 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem BUFOVRFLOW
    51.18450194 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem BUFOVRFLOW
    51.18452708 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18455753 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 SUCCESS Key: 0xE29BA340
    51.18459693 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 SUCCESS Key: 0xE29BA340
    51.18461704 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem BUFOVRFLOW
    51.18463492 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem BUFOVRFLOW
    51.18468213 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18471454 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 SUCCESS Key: 0xE29BA340
    51.18475812 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 SUCCESS Key: 0xE29BA340
    51.18477851 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem BUFOVRFLOW
    51.18479639 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem BUFOVRFLOW
    51.18482126 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18485199 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 SUCCESS Key: 0xE29BA340
    51.18489277 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 SUCCESS Key: 0xE29BA340
    51.18491261 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem BUFOVRFLOW
    51.18493077 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem BUFOVRFLOW
    51.18495563 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18498664 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 SUCCESS Key: 0xE29BA340
    51.18502771 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 SUCCESS Key: 0xE29BA340
    51.18504866 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem BUFOVRFLOW
    51.18506738 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem BUFOVRFLOW
    51.18509224 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18512297 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 SUCCESS Key: 0xE29BA340
    51.18516264 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 SUCCESS Key: 0xE29BA340
    51.18518415 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem BUFOVRFLOW
    51.18520231 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem BUFOVRFLOW
    51.18524142 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18527941 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 SUCCESS Key: 0xE29BA340
    51.18532244 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 SUCCESS Key: 0xE29BA340
    51.18534283 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem BUFOVRFLOW
    51.18536099 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem BUFOVRFLOW
    51.18538641 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18541742 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 SUCCESS Key: 0xE29BA340
    51.18545765 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 SUCCESS Key: 0xE29BA340
    51.18547860 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem BUFOVRFLOW
    51.18549676 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem BUFOVRFLOW
    51.18552162 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18555347 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 SUCCESS Key: 0xE29BA340
    51.18559566 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 SUCCESS Key: 0xE29BA340
    51.18561661 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem BUFOVRFLOW
    51.18563477 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem BUFOVRFLOW
    51.18565907 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18568980 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 SUCCESS Key: 0xE29BA340
    51.18573199 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 SUCCESS Key: 0xE29BA340
    51.18575406 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem BUFOVRFLOW
    51.18577221 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem BUFOVRFLOW
    51.18579736 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18582809 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 SUCCESS Key: 0xE29BA340
    51.18586804 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 SUCCESS Key: 0xE29BA340
    51.18589541 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem BUFOVRFLOW
    51.18591413 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem BUFOVRFLOW
    51.18595240 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
    51.18598509 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 SUCCESS Key: 0xE29BA340
    51.18601554 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries SUCCESS Key: 0xE29A0FB8
    51.18608818 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 SUCCESS Key: 0xE29A0FB8
    51.18617226 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num SUCCESS 0x4
    51.18621808 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num SUCCESS 0x4
    51.18624658 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\00000004 NOTFOUND
    51.18626697 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries SUCCESS 0x3
    51.18631027 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries SUCCESS Key: 0xE29BA340
    51.18635804 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 SUCCESS Key: 0xE1633C20
    51.18638179 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath SUCCESS "%SystemRoot%\System32\mswsock.dll"
    51.18640190 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath SUCCESS "%SystemRoot%\System32\mswsock.dll"
    51.18642649 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString SUCCESS "Tcpip"
    51.18644660 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString SUCCESS "Tcpip"
    51.18646727 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString SUCCESS "Tcpip"
    51.18648599 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString SUCCESS "Tcpip"
    51.18652901 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId SUCCESS 40 9D 05 22 9E 7E CF 11 ...
    51.18654801 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily NOTFOUND
    51.18656729 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace SUCCESS 0xC
    51.18658545 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled SUCCESS 0x1
    51.18661310 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version SUCCESS 0x0
    51.18663210 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo SUCCESS 0x0
    51.18666953 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 SUCCESS Key: 0xE1633C20
    51.18671926 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 SUCCESS Key: 0xE1633C20
    51.18674273 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath SUCCESS "%SystemRoot%\System32\winrnr.dll"
    51.18676200 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath SUCCESS "%SystemRoot%\System32\winrnr.dll"
    51.18678268 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString SUCCESS "NTDS"
    51.18680084 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString SUCCESS "NTDS"
    51.18682011 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString SUCCESS "NTDS"
    51.18683939 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString SUCCESS "NTDS"
    51.18686593 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId SUCCESS EE 37 26 3B 80 E5 CF 11 ...
    51.18688520 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily NOTFOUND
    51.18690392 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace SUCCESS 0x20
    51.18692152 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled SUCCESS 0x1
    51.18693884 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version SUCCESS 0x0
    51.18695756 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo SUCCESS 0x0
    51.18698829 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 SUCCESS Key: 0xE1633C20
    51.18703439 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 SUCCESS Key: 0xE1633C20
    51.18705813 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath SUCCESS "%SystemRoot%\System32\mswsock.dll"
    51.18707741 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath SUCCESS "%SystemRoot%\System32\mswsock.dll"
    51.18709948 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString SUCCESS "Network Location Awareness (NLA) Namespace"
    51.18712630 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString SUCCESS "Network Location Awareness (NLA) Namespace"
    51.18714920 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString SUCCESS "Network Location Awareness (NLA) Namespace"
    51.18716960 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString SUCCESS "Network Location Awareness (NLA) Namespace"
    51.18719586 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId SUCCESS 3A 24 42 66 A8 3B A6 4A ...
    51.18721402 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily NOTFOUND
    51.18723329 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace SUCCESS 0xF
    51.18725201 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled SUCCESS 0x1
    51.18726961 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version SUCCESS 0x0
    51.18728805 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo SUCCESS 0x0
    51.18731878 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 SUCCESS Key: 0xE1633C20
    51.18735035 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries SUCCESS Key: 0xE29BA340
    51.18738247 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters SUCCESS Key: 0xE1244D80
    51.18748444 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Services\Winsock2\Parameters SUCCESS Key: 0xE1244D80
    51.18750595 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Ws2_32NumHandleBuckets NOTFOUND
    51.18753668 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\Winsock2\Parameters SUCCESS Key: 0xE1244D80
    51.18779230 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.18783169 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
    51.18805798 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A452DA63-4286-48EB-A838-3BA85C3049F5} SUCCESS Key: 0xE1244D80
    51.18814039 upnpclient.exe:1528 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A452DA63-4286-48EB-A838-3BA85C3049F5}\(Default) SUCCESS "Adobe Acrobat Helper"
    51.18820576 upnpclient.exe:1528 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A452DA63-4286-48EB-A838-3BA85C3049F5} SUCCESS Key: 0xE1244D80
    51.18833846 upnpclient.exe:1528 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient SUCCESS Key: 0xE1244D80
    51.18837534 upnpclient.exe:1528 SetValue HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient\ErrorControl SUCCESS 0x1
    51.18841417 upnpclient.exe:1528 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient SUCCESS Key: 0xE1244D80
    51.18849211 upnpclient.exe:1528 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient SUCCESS Key: 0xE1244D80
    51.18856167 upnpclient.exe:1528 SetValue HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient\FailureActions SUCCESS 00 00 00 00 00 00 00 00 ...
    51.18860749 upnpclient.exe:1528 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient SUCCESS Key: 0xE1244D80
    51.18868599 upnpclient.exe:1528 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient SUCCESS Key: 0xE1244D80
    51.18871588 upnpclient.exe:1528 SetValue HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient\Start SUCCESS 0x2
    51.18874913 upnpclient.exe:1528 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient SUCCESS Key: 0xE1244D80
    51.18881450 upnpclient.exe:1528 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient SUCCESS Key: 0xE1244D80
    51.18884244 upnpclient.exe:1528 SetValue HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient\Type SUCCESS 0x110
    51.18887596 upnpclient.exe:1528 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient SUCCESS Key: 0xE1244D80
    51.18894217 upnpclient.exe:1528 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient SUCCESS Key: 0xE1244D80
    51.18897793 upnpclient.exe:1528 SetValue HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient\Description SUCCESS "Provides support to host Universal Plug and Play."
    51.18901257 upnpclient.exe:1528 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient SUCCESS Key: 0xE1244D80
    51.18907124 upnpclient.exe:1528 OpenKey HKCU\Software\Microsoft\Internet Explorer\Main SUCCESS Key: 0xE1244D80
    51.18911426 upnpclient.exe:1528 SetValue HKCU\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions SUCCESS "yes"
    51.18914890 upnpclient.exe:1528 CloseKey HKCU\Software\Microsoft\Internet Explorer\Main SUCCESS Key: 0xE1244D80
    51.18920310 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main SUCCESS Key: 0xE1244D80
    51.18923858 upnpclient.exe:1528 SetValue HKLM\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions SUCCESS "yes"
    51.18927098 upnpclient.exe:1528 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main SUCCESS Key: 0xE1244D80
    51.18932071 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main SUCCESS Key: 0xE1244D80
    51.18935228 upnpclient.exe:1528 SetValue HKLM\Software\Microsoft\Internet Explorer\Main\Use FormSuggest SUCCESS "yes"
    51.18938524 upnpclient.exe:1528 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main SUCCESS Key: 0xE1244D80
    51.18943581 upnpclient.exe:1528 OpenKey HKCU\Software\Microsoft\Internet Explorer\Main SUCCESS Key: 0xE1244D80
    51.18947073 upnpclient.exe:1528 SetValue HKCU\Software\Microsoft\Internet Explorer\Main\Use FormSuggest SUCCESS "yes"
    51.18950425 upnpclient.exe:1528 CloseKey HKCU\Software\Microsoft\Internet Explorer\Main SUCCESS Key: 0xE1244D80
    51.18955957 upnpclient.exe:1528 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete SUCCESS Key: 0xE1244D80
    51.18958862 upnpclient.exe:1528 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion SUCCESS "yes"
    51.18962298 upnpclient.exe:1528 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete SUCCESS Key: 0xE1244D80
    51.18967941 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete SUCCESS Key: 0xE1244D80
    51.18970931 upnpclient.exe:1528 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion SUCCESS "yes"
    51.18974199 upnpclient.exe:1528 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete SUCCESS Key: 0xE1244D80
    51.18980764 upnpclient.exe:1528 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A452DA63-4286-48EB-A838-3BA85C3049F5} SUCCESS Key: 0xE1244D80
    51.18983865 upnpclient.exe:1528 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A452DA63-4286-48EB-A838-3BA85C3049F5}\(Default) SUCCESS "Adobe Acrobat Helper"
    51.18988363 upnpclient.exe:1528 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A452DA63-4286-48EB-A838-3BA85C3049F5} SUCCESS Key: 0xE1244D80
    51.19042616 upnpclient.exe:1528 OpenKey HKLM\System\CurrentControlSet\Control\ServiceCurrent SUCCESS Key: 0xE1244D80
    51.19045409 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Control\ServiceCurrent\(Default) SUCCESS 0x14
    51.19049488 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Control\ServiceCurrent SUCCESS Key: 0xE1244D80
    51.19132767 upnpclient.exe:1528 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient SUCCESS Key: 0xE1244D80
    51.19137404 upnpclient.exe:1528 SetValue HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient\Start SUCCESS 0x2
    51.19141734 upnpclient.exe:1528 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient SUCCESS Key: 0xE1244D80
    51.19212861 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 SUCCESS Key: 0xE26CD710
    51.19221381 upnpclient.exe:1528 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 SUCCESS Key: 0xE29A0FB8



    Sorry about the formatting, but see if you can figure it out.
     
  16. jackOrip

    jackOrip Registered Member

    Joined:
    Nov 17, 2004
    Posts:
    4
    Okay... that's enough outta me. I'll let you guys have it from here. BTW, I've never heard of Wilders Security... I take it you are Australian from your email.. nonetheless you seemed closer to finding the real truth than anyone else online, so I decided to share what I know here..


    Keep up the good work and please forward a copy to Norton so that my signatures can be updated. hehe.

    later

    Oops, almost forgot... in the infected setup file.... the hacker's injected code contains a Unicode string for his custom VB form that says "lick my balls"; that should be pretty easy to program into any virus engine. hehe

    P.S. I've emailed you three individual programs that are each infected and their legitimate counterparts off of the original site. Should be easy to compare and update your security thingy.
     
    Last edited: Nov 19, 2004
  17. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It's quite nasty, it's a backdoor (the upnpclient.exe).
    We have added full detection for all parts to TDS-3. Thanks to everyone for sending those files in; looks like I have them all.

    WildersSecurity is not our forum, but the owner generously hosts our public product forums here as well as many other security related forums as you can see. Come back any time :)
     
  18. spectrum

    spectrum Guest

    Re: all the registry entries a few posts up.
    I have managed to remove all of the originally placed files that this nasty f*^$ placed on my computer from my system32 and sys volume folder.
    Do I really need to (or is it possible to) remove all of the info that this program has written to my registry?

    PS - thanks VERY much for your help... after my ZA firewall alerted me that upnpclient.exe was trying to phone home, a Google search brought me here - I doubt I'd have been able to stop this trojan, short of a clean Windows install, without the posts here.
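
Added example (not part of any post in this thread): a short Python triage of the Regmon log posted above, listing the distinct registry writes made by upnpclient.exe and decoding the service Start and Type values. The sample lines are copied from that log; the function names and rule categories are this example's own.

```python
import re

# Lines copied from the Regmon log posted earlier in this thread (a subset).
SAMPLE = r"""
51.18407004 upnpclient.exe:1528 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem BUFOVRFLOW
51.18779230 upnpclient.exe:1528 OpenKey HKCU\Software\VB and VBA Program Settings\VB6Defaults\SP5 NOTFOUND
51.18814039 upnpclient.exe:1528 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A452DA63-4286-48EB-A838-3BA85C3049F5}\(Default) SUCCESS "Adobe Acrobat Helper"
51.18871588 upnpclient.exe:1528 SetValue HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient\Start SUCCESS 0x2
51.18884244 upnpclient.exe:1528 SetValue HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient\Type SUCCESS 0x110
51.18911426 upnpclient.exe:1528 SetValue HKCU\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions SUCCESS "yes"
51.18935228 upnpclient.exe:1528 SetValue HKLM\Software\Microsoft\Internet Explorer\Main\Use FormSuggest SUCCESS "yes"
51.18983865 upnpclient.exe:1528 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A452DA63-4286-48EB-A838-3BA85C3049F5}\(Default) SUCCESS "Adobe Acrobat Helper"
51.19137404 upnpclient.exe:1528 SetValue HKLM\SYSTEM\CurrentControlSet\Services\UPNPClient\Start SUCCESS 0x2
"""

# Fields: time, process:pid, operation, path (may contain spaces), result, data.
LINE = re.compile(
    r"^\s*(?P<time>\d+\.\d+)\s+(?P<proc>\S+):(?P<pid>\d+)\s+(?P<op>\w+)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NOTFOUND|BUFOVRFLOW)(?:\s+(?P<data>.*))?$"
)

# Documented Windows service configuration values.
SERVICE_START = {0: "boot", 1: "system", 2: "auto-start", 3: "manual", 4: "disabled"}
SERVICE_TYPE = {0x1: "kernel driver", 0x2: "file system driver",
                0x10: "own process", 0x20: "shared process", 0x100: "interactive"}

# Categories of write worth reviewing; first matching rule wins.
RULES = [
    ("service", re.compile(
        r"\\CurrentControlSet\\Services\\(?P<name>[^\\]+)\\(?P<value>[^\\]+)$", re.I)),
    ("bho", re.compile(
        r"\\Explorer\\Browser Helper Objects\\(?P<clsid>\{[0-9A-F-]+\})(?:\\|$)", re.I)),
    ("ie-setting", re.compile(
        r"\\Internet Explorer\\Main\\|\\Explorer\\AutoComplete\\", re.I)),
]


def parse(log):
    """Yield one dict per well-formed Regmon line; other lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def describe(category, match, data):
    """Turn a matched write into a short human-readable note."""
    data = (data or "").strip()
    if category == "service":
        name, value = match.group("name"), match.group("value")
        if value.lower() == "start" and data.startswith("0x"):
            data = SERVICE_START.get(int(data, 16), data)
        elif value.lower() == "type" and data.startswith("0x"):
            bits = int(data, 16)
            data = " + ".join(lbl for flag, lbl in SERVICE_TYPE.items() if bits & flag)
        return f"{name} {value}={data}"
    if category == "bho":
        return f"{match.group('clsid')} registered as {data}"
    return data


def triage(log, process="upnpclient.exe"):
    """Return distinct successful SetValue writes by `process`, in log order,
    as (category, path, note) tuples. Reads and failed calls are ignored."""
    findings = {}
    for ev in parse(log):
        if ev["op"] != "SetValue" or ev["result"] != "SUCCESS":
            continue
        if ev["proc"].lower() != process.lower():
            continue
        category, match = "other", None
        for name, rx in RULES:
            match = rx.search(ev["path"])
            if match:
                category = name
                break
        note = describe(category, match, ev["data"])
        # Repeated writes to the same value collapse into one finding.
        findings[(category, ev["path"].lower())] = (category, ev["path"], note)
    return list(findings.values())


if __name__ == "__main__":
    for category, path, note in triage(SAMPLE):
        print(f"[{category}] {path}\n    {note}")
```

Run over the full log, the same filter separates the handful of writes from the long run of WinSock2 catalog reads, which are QueryValue/OpenKey calls and change nothing.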
     
  19. diablodood

    diablodood Guest

    I have tried all the steps outlined here BUT I can't delete upnpclient.exe; it's not accessible. I can't rename, move or delete it.. please help :(
     
  20. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Probably because it is in use.
    You need to disable the Universal Plug and Play service in Services. Here is how:
    Control Panel - Administrative Tools - click Services, look down the list; when you find the Universal Plug and Play service, right click and select Stop from the pop-up menu, then open Properties and switch it to Manual.
    You should now be able to delete the file.

    HTH Pilli
     
  21. diablodood

    diablodood Guest

    That's the problem it is disabled and NOT running!!
     
  22. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Do you mean you cannot gain access to your c:\system volume information\ folder? It is difficult in XP Home with NTFS - you would need to use Calc to gain access.

    Why not try using a tool that will delete on reboot? If you know the file path to both upnpclient.exe and its associated files you could try using Dellater from DiamondCS:- http://www.diamondcs.com.au/index.php?page=dellater

    You would need to delete everything simultaneously, including the Acrobat dll. (By the way did you disable BOTH the UPnP services - i.e. Host and Client?).

    If you have difficulty with using Dellater, let us know.
     
  23. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    It can't find it as it's hid itself in C:\System Volume Information. I am really stuck with this and could sure use some help :(
     
  24. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    First click Start/Search and in the 'Search' box, click 'All files and folders'; then in 'more advanced options' ensure that 'search hidden files and folders' is ticked. Then do a search to get the correct file path. Once you know that you can proceed to the next stage.

    If you can't find the files that way and you want to access the c:\system volume information\ folder directly, you should follow the instructions here:- http://support.microsoft.com/kb/309531

    Don't forget that to find c:\system volume information, in Windows Explorer, you must first click Tools/View /Folder Options and in the View tab make sure 'Show Hidden Files and Folders' is selected; and also that 'Hide protected operating system files' is unchecked.

    If this is not the help you need, please be more specific.
     
  25. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    OK, I can see the file in Windows Explorer, I can enter the directory fine, no probs, I can highlight the file, BUT I can't rename, delete, or move it; it says access denied.. I have NOT deleted acrobat.dll as this was in windows NOT system32, and is, I think, part of Adobe Acrobat.. In Services, the plug and play client has gone, no longer there, and host is disabled, so I don't know what else to do to release it for deleting... any ideas? o_O
     