upnpclient.exe

Discussion in 'malware problems & news' started by Kirschstrasse, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    I installed several programs the other day and not soon after, my firewall told me that this file was attempting to access the net.

    This is what my firewall tells me.

    "Application upnpclient.exe trying to establish a connection to the remote address dyn-8-99.myactv.net and by the port HTTP (80)."

    I blocked it but now I can't get rid of it.

    I couldn't find out much about it though....one site was talking about it being a trojan but nothing I have scanned with sees it.

    I uninstalled the programs I had installed because I didn't know which one put this file here.

    It shows up in windows/prefetch, and I can delete it/rename it/ move it....but when I restart my computer.....there it is again. So something keeps reinserting it into prefetch.

    Anybody have any ideas?

    Running Windows XP SP2
     
  2. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Among a lot of other things you can disable this with SafeXP, upnp is not needed.
    Regards,

    Gerard
     


  3. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Windows has a service called Universal Plug and Play (upnp), but whether it's this one or a malicious file you have I don't know. There is a program called XP-Antispy which can be used to disable UPNP and lots of other Windows services.

    Have you tried some of the free online scanners? (links in my signature) And have you tried an anti-trojan scanner? :)

    Regards
     
  4. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    Thanks guys,

    I disabled the plug N play and the file is not asking for access anymore. So I assume that was it.

    But why did it ask just the other day for the first time? And what is that site that it was trying to access?
     
  5. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
  6. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    Update:

    I first installed the XP-Antispy and turned off the plug N play. I then removed the entry for the file "upnpclient.exe" from my firewall filters so I would know if it worked.

    Well, for about two hours....nothing....so I thought the problem was gone. But darn if it didn't ask for access again.

    So I was thinking maybe it wasn't the plug N play after all.

    But just to make sure, I downloaded the UNPNP that gerardwil gave a link to and turned it off with that program.........No more problems with the file asking for access since yesterday.......I think the issue is taken care of.

    Thanks for the help.

    :) :)
     
  7. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    Another Update:

    I was wrong in my above post. There is something else going on because the file "upnpclient.exe" has once again tried to access the internet.

    The program UNPNP says Plug N play is disabled.

    And one more funny thing...........you can see the file in "processes" and you can see the file in windows/prefetch............but when I do a search for that file name.....it says "file can not be found".
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  9. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    Well, that took a while.....

    I ran Stinger......it found nothing (took the longest of all of them)

    TrojanHunter.....found nothing

    Spybot Search and Destroy.......found a couple of cookies it didn't like but nothing to do with this.

    Ad-Aware.......found nothing

    CWShredder....found nothing

    online trendmicro......found nothing

    My AVG.........found nothing

    This is a new install of Windows XP pro SP2 updated (2 weeks)

    If no one else has this file on their Windows, then what could it be?

    Could it be with one of the programs I've installed.....there aren't that many. Maybe I just need to uninstall all of them one by one.
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    At least you know now that your system is clean, bar this mystery file. There is a thread running here on the same topic: http://www.sysopt.com/forum/showthread.php?threadid=172734

    You could also post a Hijack This Log at one of the forums mentioned in that General Cleaning thread.

    Let us know how you go...

    Cheers :D
     
  11. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    Well, I may have figured this thing out.

    I went into "Task Manager" and "processes" and I ended the process of "upnpclient.exe"

    I then went into Administrative Tools and looked at the event log and saw an "error" that said this:

    "The Universal Plug and Play Device Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service."

    Sure enough, the file popped back up in "processes"

    I then went into "Administrative Tools" and went to Component Services/Services(local).......and saw that I have TWO entries for "Universal Plug and Play Device Client". Why there are two entries....I don't know.

    One was disabled and one was not. I disabled the one that was not and rebooted. I went back into the "Services" and it was "abled" again. So I found out that I also had to tell it to "NOT" recover itself after failures.

    I don't know why I have two entries for the Plug N Play and I don't know if the program I download (unpnp) only disabled one of them.

    All I know so far is that I disabled BOTH of the entries, I removed the block from my firewall rules for that file to see if it asks for access...............and so far nothing.

    The file is not showing up in "processes" or "Applications" and the firewall is not reporting that "upnpclient.exe" is asking for access.

    Geeeesh, I hope this little ordeal is over.
     
  12. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I'm finding this one rather confusing. As I understand it, in order to disable UPnP there are two services which must both be disabled, namely:-
    SSDP Discovery Service, and
    Universal Plug and Play Device Host.
    In addition to this you should click Control Panel/Add or Remove Programs/Add-Remove Windows Components/Networking Services/Details and uncheck the entry for UPnP User Interface.

    A third service, Plug and Play, has nothing to do with UPnP and should not be disabled. I don't know what the 'UPnP Device Client' is (is that a typo?).

    I'm sure someone will correct me if I'm wrong, but upnpclient.exe seems very suspect to me, I don't know what it is. I think that a HJT log is the best way forward for you. In the meantime don't allow upnpclient.exe to access the internet.

    Incidentally, upnpservice.exe is a known virus, which is why I suspect upnpclient.exe!
     
    Last edited: Nov 15, 2004
  13. I found this page after having my firewall repeatedly chime in telling me that upnpclient.exe was trying to make a TCP connection (similar to the original poster)

    One difference (however) is that it was trying to access a456565474.dynip.com this looks MIGHTY suspicious to me. I disabled it via Admin Tools (I'm running XP SP2 BTW) and stopped it via the task manager.

    HOWEVER, I searched and found the file in my User\localsettings\TEMP folder. This also seems very suspicious to me. It had a creation date of late last night. I did more searching around and found a SECOND program with the exact same creation date, same size etc in my Windows\system32 folder. This file is a 100% identical file except its name is: msdebach.exe

    I Googled that name and came up with nothing. I virus checked etc but came up with nothing, but I'm pretty convinced that these files were up to no good.

    Anybody heard of the second one?
     
  14. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    This is a small image of the two entries in "services" for the Universal Plug and Play.
     


  15. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    I have heard that name before but I can't remember if it was good or bad. I want to say it's bad because I don't think I would have any reason to remember it if it was good.

    But since I disabled that second entry in services, "upnpclient.exe" has not reared its ugly head.
     
  16. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    So far as I am aware the Universal Plug and Play Device Client is not a service included with SP2; unless it has been created by a legitimate program that you know of, it could well be a spoof set up by malware. Keep it disabled.

    Check your running processes and autorun programs carefully. If you find upnpservice.exe has been entered as an autorun you should be even more suspicious. You say it has not reared its ugly head again, by that I assume you mean it has not tried to get through your firewall; but if it is malware it is still on your machine getting up to no good.

    You really must do a HJT log. Why not download a copy from here http://www.subratam.org/?page=removal

    You need to be sure you locate it in its own folder (eg in C/Program Files/HJT) because it needs to make backups in that folder.

    Before making a log read through the tutorials at:-
    http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
    http://www.tomcoyote.com/hjt/
    http://www.spywareinfoforum.com/~merijn/htlogtutorial.html

    And take it from there, good luck!
     
  17. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    I'll just throw the two I have up here. They are both fairly short.

    The first one was done two days ago and you can see the "upnpclient.exe" in there. It does not show up in the second one.

    Logfile of HijackThis v1.98.2
    Scan saved at 10:47:58 PM, on 11/14/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    c:\System Volume Information\upnpclient.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
    C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: Adobe Acrobat Helper - {A452DA63-4286-48EB-A838-3BA85C3049F5} - C:\WINDOWS\system32\Acrobat.dll
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab



    Logfile of HijackThis v1.98.2
    Scan saved at 7:51:47 AM, on 11/16/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: Adobe Acrobat Helper - {A452DA63-4286-48EB-A838-3BA85C3049F5} - C:\WINDOWS\system32\Acrobat.dll
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52....com/pthalo/us/win/QuickTimeFullInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
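
The two HijackThis logs above are compared by eye in this thread; the following is an added example (not part of the original post, nor a HijackThis feature) showing how a defender can triage the "Running processes" section automatically. It parses that section and flags a process on two grounds: it runs from a folder that should only hold data or temporary files (System Volume Information, Temp, Recycler), or it carries a UPnP-style name without being svchost.exe, on the assumption (not stated on this page) that on Windows XP the genuine UPnP Device Host and SSDP Discovery services run inside svchost.exe. The sample log is constructed for this example: it mixes paths from the thread with a made-up Temp path.

```python
from pathlib import PureWindowsPath

# Constructed sample: a trimmed HijackThis-style log. The System Volume Information
# and system32 paths mirror the thread; the Temp path is invented for this example.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
c:\System Volume Information\upnpclient.exe
C:\Documents and Settings\Jeff\Local Settings\Temp\upnpclient.exe
C:\WINDOWS\system32\msdebach.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# Directory names under which no legitimate Windows XP process should be running.
SUSPICIOUS_DIR_NAMES = {"system volume information", "temp", "recycler"}


def parse_running_processes(log_text: str) -> list[str]:
    """Return the executable paths listed under 'Running processes:'.

    The section ends at the first blank line, as in a real HijackThis log.
    """
    paths: list[str] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:
                break
            paths.append(line)
    return paths


def triage_process(path: str) -> list[str]:
    """Return the reasons (possibly none) a running process deserves a closer look."""
    p = PureWindowsPath(path)
    reasons: list[str] = []

    # Rule 1: the executable lives in a folder that should only hold data or temp files.
    hits = SUSPICIOUS_DIR_NAMES & {part.lower() for part in p.parent.parts}
    if hits:
        reasons.append("runs from an unusual location: " + ", ".join(sorted(hits)))

    # Rule 2: the name imitates a Windows component. Assumption: on XP the real
    # UPnP Device Host and SSDP Discovery services run inside svchost.exe, so a
    # stand-alone upnp*.exe is not one of them.
    name = p.name.lower()
    if "upnp" in name and name != "svchost.exe":
        reasons.append("UPnP-named binary that is not hosted by svchost.exe")
    return reasons


def triage(paths: list[str]) -> dict[str, list[str]]:
    """Map each flagged path to its reasons; paths with no findings are left out."""
    findings: dict[str, list[str]] = {}
    for path in paths:
        reasons = triage_process(path)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_running_processes(SAMPLE_LOG)).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Note what this name-and-location triage cannot see: a twin binary dropped into system32 under an innocuous name (the msdebach.exe case mentioned later in the thread) is only caught by comparing file contents, not by its path.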
     
  18. FWIW, it showed up on my system a day after I did a clean install on a new machine. The file date/time (not that it necessarily means anything) were identical to that of my Sun java2 run time installation.

    FWIW, I've just wiped the drive and started another clean install and (so far) it's not there. I've also NOT installed java runtime yet & I've only made my way through about 30% of the apps I'll be installing on this machine but I'll keep an eye out for this as I continue.
     
  19. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    You certainly run a tight ship as far as autostarts are concerned - there's not much to look through!

    I'm no expert so I can't give a definite answer, but those logs look clean to me. Apart from upnpclient.exe, the only other unknown is your BHO for Acrobat which has a CLSID different from the usual one, but that does not necessarily make it bad.

    I assume you have Kaspersky Anti-Hacker on your system, in which case the only other things to query are the entries for O16 (ActiveX objects), if you recognise the progs responsible then I don't think there is anything much else to look at. You certainly don't have any obvious infection.

    The problem still remains as to what upnpclient.exe and 'UPnP Device Client' are. Do you have something like 'Active Ports' or 'Tcpview' installed, because they would let you know if something was trying to contact the internet.

    Also 'Process Explorer' or 'GetActiveServices' will tell you exactly what is running (Task Manager is not really adequate for this).

    With a bit of luck this might all prove to be a red-herring, but you can't be too sure.
     
  20. Well, I don't think mine is a red-herring. I went through my step-by-step installation and now I know *exactly* how upnpclient.exe got installed on my system.

    My upnpclient.exe (and its partner msdebach.exe) were stealthily installed while I was installing another piece of software. I had downloaded the software from a 3rd party. So I went to the software's official site and downloaded it from THERE and guess what, the legit file (from the software maker's site) is smaller and doesn't install those two .exe files on my system.

    In fact, with a hex-edit compare they're identical except for a chunk of stuff at the head of the file and a chunk at the end which I will assume are the loaders for this trojan.

    I'm still not sure exactly what these files do, but I am pretty sure they were up to no good.

    If anybody wants to visit a456565474.dynip.com (the site they're trying to contact) feel free.
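
Two observations in this thread (the poster's earlier find of a byte-identical msdebach.exe beside upnpclient.exe, and the hex-edit comparison above showing the third-party installer to be the vendor's file with a chunk prepended and appended) both come down to comparing file contents rather than names, sizes or dates. The following is an added example, not code from the original post or any tool it mentions: it hashes files to group identical copies, and it checks whether a vendor-sourced file is embedded verbatim inside a copy obtained elsewhere, reporting how many bytes were added before and after it. The sample bytes are constructed for this example.

```python
import hashlib

# Constructed sample: a fake "vendor" binary, and a copy of it with a stub in
# front and a payload behind, mimicking the wrapped installer described above.
VENDOR_COPY = b"MZ" + bytes(range(256)) * 4
THIRD_PARTY_COPY = b"STUB" * 8 + VENDOR_COPY + b"TAIL" * 16

# Constructed sample: file names and contents as found on a machine. Two of the
# files have different names but the same bytes.
SAMPLE_FILES = {
    "upnpclient.exe": THIRD_PARTY_COPY,
    "msdebach.exe": THIRD_PARTY_COPY,
    "smss.exe": VENDOR_COPY,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_downloads(legit: bytes, suspect: bytes) -> dict:
    """Compare a vendor-sourced file with a copy obtained from elsewhere.

    Verdicts:
      identical  - byte-for-byte the same (hashes match)
      wrapped    - the vendor file is embedded verbatim in the suspect file with
                   extra bytes before and/or after it
      different  - no such relationship; a full diff is needed
    """
    result = {
        "legit_sha256": sha256_hex(legit),
        "suspect_sha256": sha256_hex(suspect),
    }
    if legit == suspect:
        result["verdict"] = "identical"
        return result
    idx = suspect.find(legit) if legit else -1
    if idx == -1:
        result["verdict"] = "different"
        return result
    result["verdict"] = "wrapped"
    result["prepended_bytes"] = idx
    result["appended_bytes"] = len(suspect) - idx - len(legit)
    # The extra chunks are what an analyst would submit for inspection.
    result["prepended_chunk"] = suspect[:idx]
    result["appended_chunk"] = suspect[idx + len(legit):]
    return result


def find_identical_files(files: dict[str, bytes]) -> list[list[str]]:
    """Group file names whose contents hash identically, regardless of name,
    location or timestamp. Only groups with more than one member are returned."""
    by_hash: dict[str, list[str]] = {}
    for name, data in files.items():
        by_hash.setdefault(sha256_hex(data), []).append(name)
    return sorted(sorted(names) for names in by_hash.values() if len(names) > 1)


if __name__ == "__main__":
    r = compare_downloads(VENDOR_COPY, THIRD_PARTY_COPY)
    print(r["verdict"], "prepended:", r.get("prepended_bytes"), "appended:", r.get("appended_bytes"))
    print("identical groups:", find_identical_files(SAMPLE_FILES))
```

In practice the reference copy should come from the vendor's own site and be checked against the hash the vendor publishes where one exists; neither file needs to be executed for this comparison, and the extracted prepended and appended chunks are what to submit to an analyst.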
     
  21. Yeah, that's exactly what mine looks like after I install the infected program.

    If I don't install the infected program there's only ONE entry. The single entry is the one that says "Universal Plug and Play Device Host" (not the one that says "client") You know, it's the one that's NOT trying to contact remote dynamic IP websites and NOT running from my temp directory :)
     
  22. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    Sure would like to know what program you are talking about to see if we installed the same one or if there are different programs out there with this thing.
     
  23. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, If you can would you please zip and send the upnpclient.exe to submit@diamondcs.com.au for analysis.
    I am sure Gavin would like to take a look at it :)

    Thanks. Pilli
     
  24. Kirschstrasse

    Kirschstrasse Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    16
    "I" would but it is gone on my computer as far as I can tell. If I knew what program installed it, I would be more than happy to send that.

    I could maybe re-enable the "client" in services and see if it reappears?
     
  25. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    That would be very helpful :)

    Thanks. Pilli
     