upnpclient.exe

Discussion in 'malware problems & news' started by Kirschstrasse, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Firstly, with regard to the Acrobat dll, do not delete the version found in the C:\Program Files\Adobe\Reader file, since this is genuine. You should delete the 'spoof' version which will have been placed in C:\WINDOWS\system32\Acrobat.dll.

    As for deleting the upnpclient.exe file, why not do it on a reboot using dellator.exe?
     
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
  3. Dittmerg

    Dittmerg Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    3
    Excellent thread, and very useful to me. I had the exact thing happen to me. I downloaded a simple NFO viewer program that had upnpclient.exe as a payload. I went through the normal stuff (cleaned out registry entries and the prefetch directory, also deleted the files) but did not expect to look in services (and I probably would not have spotted it anyway). Excellent detective work. I am glad the Google search found this thread. If anyone wants a copy of the .exe, send me an e-mail, and I will pass it on for further inspection...

    Also, I found the trojan as soon as the install was completed. Zone Alarm let me know it was trying to phone home....

    Thanks very much for your help...
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Dittmerg,
    Please send a zipped copy to: submit@diamondcs.com.au - Gavin will make sure that it is analysed and detected.

    Thanks. Pilli
     
  5. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    OK, I have run the program and it says it's now disabled, BUT I still can't delete it :(
    Here's a HijackThis log, hope it helps :(

    Logfile of HijackThis v1.97.7
    Scan saved at 08:14:19, on 01/12/2004
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Eudora\Eudora.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\NewsShark\nShark.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\butter\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Adobe Acrobat Helper - {A452DA63-4286-48EB-A838-3BA85C3049F5} - C:\WINDOWS\Acrobat.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
    O4 - HKLM\..\Run: [FilterGate] C:\PROGRA~1\FILTER~1\filtergate.exe /ASK
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1088502737031
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1054332.exe
    O16 - DPF: {F9F3920B-2F24-437A-A224-D49F0004A172} - http://www.net-viewer.com/dls/AutoInstall.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CDB1D4EB-D785-475B-B418-840A59001F52}: NameServer = 62.241.162.200 158.43.240.3
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    You have 3 BHOs for Acrobat, the two located in C:\Program Files\Adobe are O.K.; the one to deal with is this:- Adobe Acrobat Helper - {A452DA63-4286-48EB-A838-3BA85C3049F5} - C:\WINDOWS\Acrobat.dll.

    What program have you run? Do the following steps:-
    D/L Dellater from the link I gave, unzip dellater.exe and place it into C:\Windows (you must do this). Bring up Notepad and type out the file paths as follows:
    dellater.exe C:\System Volume Information\upnpclient.exe
    dellater.exe C:\WINDOWS\Acrobat.dll
    (The above is an example, you must type in the correct file path if it differs from the above).
    Then save the file to your desktop but be sure to type del.bat as the file name and enter All Files in the 'As Type' box. This will create a DOS batch file on your desktop; double-click it, click O.K. on the notification and reboot. Then navigate back to the file locations and if there is any residue try deleting it normally.

    I don't think the rest of your HJT log relates to this matter but later you could check out and if necessary fix these two items:
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    Generally all R3 items should be fixed, unless you recognise them.

    O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1054332.exe
    I don't like the look of it; check it out?
     
    Last edited: Dec 1, 2004
  7. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    OK, done that, BUT it says unable to mark for delete - C:\System Volume Information\upnpclient.exe
    So it's still there and I still can't manually delete it. God, this is so annoying. Thanks for the help though... Any more ideas??
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Ah, it's actually a part of System Restore, the tool that allows you to set points in time to roll back your computer. The System Volume Information folder is where XP stores these points and associated information that makes them accessible. If you have System Restore enabled but don't see this folder, go into [Tools] [Folder Options] [View] and click the radio button next to [Show Hidden Files and Folders] and it will be visible.

    You need to disable system restore then reboot to clear the remaining problem. Control Panel, System, System restore then click the disable system restore box.

    After reboot, untick the box and then use the Help & Support Centre to create a new restore point.

    HTH Pilli
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Oh, of course! I was forgetting that; you can't mark things for delete if they are in System Restore - always best to turn it off when dealing with these matters!
     
  10. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    Turned off, cleared everything out of the dir EXCEPT upnpclient.exe and tracking.log. I then restarted and TRIED to delete upnpclient.exe again, and yes, you guessed it, IT WON'T LET ME ... AHHHH!!! It's filling my reg with adware poo .. any more ideas guys? I can't format yet, too much to do and back up ..
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi diabloddod, you cannot "clear out" that folder except by disabling System Restore and rebooting.
    Make sure that you are not connected to the net when you reboot and see if it is gone then.

    Have you got a firewall enabled? If so there is usually a switch / option to disable all connections. If you have no firewall I would get one ASAP.

    With all the time you have spent on this, I might also suggest a reformat & clean install of windows as we appear to be going around in circles on this one and it might be a lot quicker to just start again :)

    Pilli
     
  12. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    Have disabled System Restore and rebooted; the dir is empty except for those 2 files. No firewall on ..
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Can you right click on those files and select properties. Please post the details.

    Thanks. Pilli
     
  14. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    They are not read only -
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK, One more go for me then the others will have to try & solve it :)

    Get into safe mode by pressing F8 a few times just prior to Windows starting. If you can see upnpclient.exe running in Task Manager use "End Task" and then find it and delete it. If one or two others pop up try again in safe mode and, better still, disable your entire MSCONFIG startup list and re-boot until you are clean. At least this way you may find what service is causing the problem and may be able to delete it.

    HTH Pilli
     
  16. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    OK, have gone into safe mode; there were a handful of processes, none of which were upnpclient.exe, but then it does show in normal mode. I tried to delete in safe mode with no joy ... sigh :(
     
  17. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    Oh, forgot to say: what it is doing is putting adware everywhere. I clean them out with Ad-Aware BUT as soon as I restart 46 come straight back ...:(
     
  18. Quest

    Quest Guest

    diabloddod, I had the same problem as you....had everything deleted and system running "smoothier" again but still couldn't delete the file in the System Volume Information folder.

    Followed the thread for a few days...well, this worked for me and as always the answer is usually much easier and more obvious than some think.

    Ok here we go:

    First I assume you can access the system volume information folder from C: directory ( do all the usual under folder options etc )

    Second you need to disable simple file sharing in XP ( running XP pro?):

    http://www.theeldergeek.com/system_volume_information_folder1.htm

    ok here is the kicker (need to do this to delete FULLY):

    By default it gives you only read control when you select a user or group.

    YOU NEED TO CHECK FULL CONTROL

    Wham, it did it for me.

    Good luck

    I will be back to see if you have any questions or problems.

    I assume the tracking log text file shouldn't be there....BTW I did disable System Restore first.
     
  19. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    I can get into the folder and I can see the file..now how do I turn off (disable) simple file sharing on XP Pro? And get the full control?
     
  20. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    Forget it, done it :)
    Thanks so much everyone for the help :)
     
  21. MEMYSELFANDI

    MEMYSELFANDI Guest

    Wow fast

    OK, under Windows Explorer... Tools....Folder Options....View tab, at the very bottom....Simple File Sharing is probably checked (it has "recommended")...uncheck it and then go to the link I gave above about accessing the SVI folder through the Security tab when you right-click on that folder...add whatever user you are....but while doing that you will see a number of options in that window...make sure you check Full Control.
     
  22. YUOUOES

    YUOUOES Guest

    Good stuff, and you're welcome.

    BTW now we need to remove it from Services, as it still appears there but has been disabled and not running for a while now....yours is still there under Services...UPAP client, that is.
     
  23. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    After all that it wasn't that at all. I have deleted it BUT the 46 adware things still come back .. So I dunno, it's all Bargain Buddy stuff ..
     
  24. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    Host is still in Services and disabled BUT client has gone ...
     
  25. jhehslf

    jhehslf Guest

    You should try Ad-Aware + Spybot Search & Destroy +- Pest Control maybe?? As usual, run an updated anti-virus...

    BUT BACK to ON-TOPIC.....

    How to remove the service?? From Admin Tools...Services...it has not been enabled for a while but I would still like to remove it from the list (client NOT host). Perhaps remove 'hardware' under System Devices??

    Anyhow, what a little nasty this thing was....SYGATE personal firewall picked it up for me......under Details it told me exactly where it was 'running' from....cool little back trace that took me to Chevron Corporation LOL.
     
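The thread's two persistence points, a service whose binary lives in C:\System Volume Information and a Browser Helper Object DLL dropped straight into the Windows directory, can be checked for in one read-only audit. This is an added example, not code from the thread or any of its posters; it assumes PowerShell 3 or later on a current Windows build (the 2004-era XP machines in the thread had neither), run from an elevated prompt, and it only reports, it deletes nothing.

```powershell
# Added example, not code from the thread or its posters: a read-only audit of the
# two persistence points the posts above describe (a service whose binary sits in
# C:\System Volume Information, and a Browser Helper Object DLL dropped straight
# into the Windows directory). Assumes PowerShell 3+ on a modern Windows build;
# run it from an elevated prompt.

$SystemRoot = $env:SystemRoot
$WindowsDirs = @($SystemRoot, (Join-Path $SystemRoot 'system32'), (Join-Path $SystemRoot 'SysWOW64'))

function Get-BinaryPath([string]$CommandLine) {
    # Win32_Service.PathName may be quoted and may carry arguments; keep the executable only.
    if (-not $CommandLine) { return $null }
    if ($CommandLine -match '^"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^(.+?\.exe)') { return $Matches[1] }
    return ($CommandLine -split ' ')[0]
}

Write-Host '== Services worth a second look =='
Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Get-BinaryPath $_.PathName
    if (-not $bin) { return }
    $bin = [Environment]::ExpandEnvironmentVariables($bin)
    $reasons = @()
    if ($bin -match 'System Volume Information') { $reasons += 'binary in System Volume Information' }
    if (-not (Test-Path -LiteralPath $bin)) { $reasons += 'binary missing on disk' }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name = $_.Name; DisplayName = $_.DisplayName; StartMode = $_.StartMode
            State = $_.State; Binary = $bin; Reason = ($reasons -join '; ')
        }
    }
} | Format-Table -AutoSize

Write-Host '== Browser Helper Objects =='
# 32-bit IE on 64-bit Windows registers BHOs under Wow6432Node as well.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
) | Where-Object { Test-Path $_ }

foreach ($key in $bhoKeys) {
    Get-ChildItem $key | ForEach-Object {
        $clsid = $_.PSChildName
        $server = @("HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32",
                    "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InProcServer32") |
                  Where-Object { Test-Path $_ } | Select-Object -First 1
        $dll = if ($server) { (Get-ItemProperty -Path $server).'(default)' }
        $reasons = @()
        if (-not $dll) {
            $reasons += 'no InProcServer32 registered'
        } else {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if ($WindowsDirs -contains (Split-Path $dll -Parent)) { $reasons += 'DLL sits directly in the Windows directory' }
            if (-not (Test-Path -LiteralPath $dll)) { $reasons += 'DLL missing on disk' }
        }
        [pscustomobject]@{ CLSID = $clsid; DLL = $dll; Flag = ($reasons -join '; ') }
    } | Format-Table -AutoSize
}
```

A flagged entry is a lead, not a verdict: compare the DLL or binary against the vendor's install directory (the thread's spoof Acrobat.dll sat in C:\WINDOWS while the genuine one sat under C:\Program Files\Adobe) before removing anything.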