upnpclient.exe

Discussion in 'malware problems & news' started by Kirschstrasse, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. oldBear

    oldBear Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    37
    The package appears to have been included in a "cracked" version of the newsreader program newsleecher.

    If you've installed this recently, you may well have gotten it from that.

    cheers mate
     
  2. MrCrowley

    MrCrowley Registered Member

    Joined:
    Dec 4, 2004
    Posts:
    2
    Hey guys, I found this site by googling for upnpclient.exe, since I found it running in my task manager.

    I noticed that it runs as a service, so I ran a program called Service Manager; it allows you to control services as well as delete them.

    I killed the process with Task Manager, then I immediately used Service Manager to delete the service, and so far it has not restarted itself. I guess all I need to do now is delete the file itself and any registry references.

    You can get the Service Manager I used here... http://www.l5sg.com/
    It's free, btw.

    I've noticed someone mentioned a cracked newsleecher off usenet is to blame; I happened to download the newsleecher keygen and execute it, and I believe that is the time that this upnp crap installed itself.

    I only executed the newsleecher keygen out of curiosity, since I am a registered user of newsleecher.
     
  3. MeggieJJ

    MeggieJJ Registered Member

    Joined:
    Dec 4, 2004
    Posts:
    1
    I did those steps 3 times and still it came back. I just dl'd Service Manager and deleted the UPNPclient. So far so good. In the meantime I have about 8 new programs installed just to check and fix what is going on.

    Now let's see if it comes back. If so, it appears the only solution is to format. I do have a Ghost backup from Nov 22nd, but I'm not sure if it was in the computer at that time.

    Any other suggestions?

    Meggie

     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have replied to you with a PM.

    Cheers :D
     
  5. thankyou

    thankyou Guest

    I was able to remove the service by deleting the key under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPNPClient] since I couldn't stop the service through the control panel. Thanks to those who suggested how to remove it from the system volume info. Everything seems ok now...
     
  6. After trying all the above ideas and a few of my own I was unable to delete upnpclient.exe in C:\System Volume Information.

    Ultimately I succeeded using "cacls" and giving myself full control, then deleting it.

    This is a nasty virus!
     
  7. MrCrowley

    MrCrowley Registered Member

    Joined:
    Dec 4, 2004
    Posts:
    2
    Nasty, eh! Well, what does it do then? o_O
     
  8. Liex

    Liex Guest

    I have this same trojan.. But it came along with another file called msdebach.exe.. I've followed all the steps to get rid of acrobat.dll and upnpclient.exe and that worked great, but I still cannot delete msdebach.exe.

    If someone has any ideas how to delete this file please let me know, i've tried about everything. Norton keeps flashing up with a virus alert and says it cannot do anything with the file

    Thank you
     
  9. tpsl13

    tpsl13 Guest

    I'd just like to say thanks to all in here.
    I too came down with this virus, and a search on Google took me right here. Being limited in my knowledge of computers, I've tried just about everything; some worked for me, some didn't. However, it's gone now without a trace.
    For what it's worth, I did not download newsleecher or the crack. However, I do frequent the newsgroups, mostly for music. So I'm not sure what or how I got it, except it showed up on Dec 1.
    Thanks again!

    TP
     
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Liex, do you have a file path for msdebach.exe? What about Temp.exe and the UPnP Client service - have you dealt with them?

    Tpsl13, out of interest, are you telling us you could have got this on a 'drive-by' basis, rather than with a download?? How about telling the guy above how you got rid of msdebach!
     
  11. To delete msdebach.exe I used the "dellater" utility described earlier in the posts (http://www.diamondcs.com.au/index.php?page=dellater).

    We know this trojan is trying to phone home. Has anyone determined what it's up to? Or is this just another lame game somebody's playing?
     
  12. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    If someone who is already infected were to use a program like netpeeker (http://www.net-peeker.com/), they could see exactly what it is sending and maybe even post the packet logs from it here, where they could be examined.
     
  13. CloseCall

    CloseCall Guest

    I'll try to summarize my understanding.

    This is what I believe is called a 'dropper' package; it can be 'wrapped' around any install package so that it and the real intended program get installed. It seems to authorize itself in the Windows firewall, but not in others (Zone Alarm).

    Two components, temp.exe and msdebach.exe seem to be solely for the purpose of installation. I assume the acrobat.dll and the associated registry references to it are to trigger a reinstall. The actual virus, unpnclient.exe is stored in the System Volume Information folder and is set as a service with the registry entry LEGACY_UNPNCLIENT.

    To delete the registry entry LEGACY_UNPNCLIENT, I had to give myself (even when logged in with Administrator status) authorization to do so (see previous post). To delete unpnclient.exe from the SVI folder, I also had to give myself authorization to do so (also see previous post), but I had to stop the task (the program cannot be stopped via Services Mgmt) using Task Manager and then immediately delete the program before it could be restarted. I had no problem deleting temp.exe or msdebach.exe (I might have had to remove a 'read-only' attribute). All that then remained was to delete the 'bad' acrobat.dll and find the registry entries to it and repoint them to the correct entry (in my case, with a full Acrobat system, it seems to be acrotray.exe; I don't know if the Reader-only system uses acrotray.exe or a 'good' acrobat.dll).
     
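    Pulling together the manual steps in posts 5, 6 and 13 (the service key under HKLM\SYSTEM\CurrentControlSet\Services, the LEGACY_ entry, and the binary in System Volume Information that needed cacls before it could be deleted), here is an added, read-only PowerShell audit. It is not from the thread or from any tool the posters mention, and it assumes an elevated PowerShell session on the affected machine; the folder name and registry paths are standard Windows locations, and the service name it happens to flag is whatever the registry contains. For every service whose image path points under System Volume Information it reports the registry ImagePath, the start type, whether the matching LEGACY_ enum entry exists, and the file's ACL, so you can see which principals lack delete rights before granting yourself Full Control.

```powershell
# Added example (not from the thread): audit services whose binary lives under
# "System Volume Information". Read-only: it changes nothing on the machine.

$suspectRoot = Join-Path $env:SystemDrive 'System Volume Information'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$legacyRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'   # holds LEGACY_<ServiceName> keys

function Get-ServiceBinaryPath {
    param([string]$ImagePath)
    # ImagePath may be quoted, may carry arguments, and may use %SystemRoot%.
    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($expanded -match '^"([^"]+)"')  { return $Matches[1] }   # quoted path
    if ($expanded -match '^(.*?\.exe)') { return $Matches[1] }   # unquoted: stop at first .exe
    return $expanded
}

Get-ChildItem $servicesKey | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath) { return }                       # driver/config keys without a binary

    $bin = Get-ServiceBinaryPath $props.ImagePath
    if ($bin -notlike "$suspectRoot*") { return }

    $name      = $_.PSChildName
    $legacyKey = Join-Path $legacyRoot "LEGACY_$($name.ToUpper())"

    [pscustomobject]@{
        Service    = $name
        ImagePath  = $props.ImagePath
        Start      = $props.Start            # 2 = Automatic, 3 = Manual, 4 = Disabled
        FileExists = Test-Path -LiteralPath $bin -ErrorAction SilentlyContinue
        LegacyKey  = Test-Path -LiteralPath $legacyKey -ErrorAction SilentlyContinue
    }

    # Show who may touch the file; post 6 needed cacls to grant Full Control
    # before the delete would succeed.
    try {
        (Get-Acl -LiteralPath $bin).Access |
            Select-Object IdentityReference, FileSystemRights, AccessControlType |
            Format-Table -AutoSize
    } catch {
        Write-Warning "Cannot read ACL of $bin : $($_.Exception.Message)"
    }
}
```

    Run it before and after the removal steps described above: a clean run prints nothing, while a hit shows the exact service name to stop and the ACL you would need to adjust. Access to System Volume Information is normally limited to SYSTEM, so an "access denied" on the ACL read is itself consistent with what the posters saw.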
  14. CloseCall

    CloseCall Guest

    Sorry, seem to always want to misspell upnpclent as "unpnclient". My bad.
     
  15. CloseCall

    CloseCall Guest

    Can't believe I just managed to misspell again. Virus must have gotten into my brain. It's always upnpclient - ignore my 'creativity'.
     
  16. Jonathan Tabakman

    Jonathan Tabakman Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    1
    Hi,

    Had the exact same problem. Thank you for posting the "Fix". Everything appears to be working fine now.
     
  17. Dittmerg

    Dittmerg Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    3
    Just an update.... I originally had infected myself with this virus and used this forum to fix my system... While playing with this virus on a test system, I noticed it was transparent to Norton AntiVirus (Corp Ed 8.0). Yesterday, after a new virus update, Norton detected the virus and deleted it...

    Anyone else notice if Norton worked for them? o_O
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you please submit the file to samples@nod32.com

    Cheers :D
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  20. Liex

    Liex Guest

    Alan Strassberg: Thank you for the advice to use dellater, that worked like a champ.. awesome app..


    TopperID: FYI. The msdebach.exe was in my C:\windows\system32 directory

    Thanks for your help
     
  21. Dittmerg

    Dittmerg Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    3
    Can you please submit the file to samples@nod32.com

    .. And zipped to submit@diamondcs.com.au Thanks



    I already sent a copy (from my work account (grant.dittmer@xxx.com)) to submit@diamondcs.com.au... and then I deleted it... Perhaps I have a copy in my sent mail folder at work... I will check later this week (I am out of the office for a few days) and if I have a copy, will send and resend....
     
    Last edited by a moderator: Dec 8, 2004
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for that, the more AV and AT companies that have it the better :D

    Cheers :D
     
  23. browser

    browser Guest

    does anyone know what info got sent by this program?
     
  24. jorg

    jorg Guest


    I would also like to know. I do know now I will be changing ALL of my passwords :(

    Here's my situation...

    After a while of ignoring SAV 8.0 Corporate's warnings of a trojan on my system, I finally decided to look up what msdebach was. That's how I got here. Well, I managed to delete the files from the SVI by giving my user account access (turn off simple file sharing, go to the SVI sharing and security and add your user account name to the list of authorized users). Deleted all files and deleted upnpserver.exe, msdebach and acrobat.dll. Well, I checked my services and it isn't running. Furthermore, when I try to start it, it says file path not found. :D It is not present in my task manager list either.
     
  25. BoaterLady

    BoaterLady Registered Member

    Joined:
    Dec 11, 2004
    Posts:
    1
    I found this thread, like others here, as a result of a google search for upnpclient.exe. I'm most appreciative of all the posted resolutions to eliminating this trojan and was able to successfully remove it from my system. I'm so relieved not to have to perform another clean install, having performed one last month and finally have the system tweaked just right.
    If it's of any help, I found ipnpclient.exe in HKEY_USERS\S-1-5-21-790525478-1563985344-725345543-1003\Software\Stardock\IconPackager. I captured the image prior to editing the registry.

    http://img.villagephotos.com/p/2003-9/373620/christmastimeupnpclient.jpg

    I downloaded the files directly from the wincustomize and vladstudio sites. I've never installed newsleecher, as I use another newsreader.

    Again, many thanks to everyone here.
     