upnpclient.exe

Discussion in 'malware problems & news' started by Kirschstrasse, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Diablodood, your HJT log is not clean so you've probably got additional problems not related to the present one.

    What happened to the associated file, msdebach.exe or whatever, have you cleared that out? Else no dice - it could be resurrecting upnpclient.exe on reboot even if you did clean it out of system restore.

    It must be better to reformat now surely - or have you got rid of it at last?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi
    Making progress. Get a firewall up and running. Run all the anti-spyware programs you can; I would also include the 15-day trial of Giant AntiSpyware.

    Get any MS security patches including SP2, if you have not already done it.

    Then, and only then, run HiJackThis and let's see how clean you are :D

    Pilli
     
  3. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
    It's not come back, so I can only assume it wasn't that file, which leaves me where I started. A friend just rang; he has the same thing too ... sigh ... :(
     
  4. diabloddod

    diabloddod Registered Member

    Joined:
    Nov 30, 2004
    Posts:
    15
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    There is a thread here: https://www.wilderssecurity.com/showthread.php?t=50662 If you READ through the ENTIRE thread BEFORE proceeding, then download EVERY program suggested, and run EVERY program in SAFE MODE when you are at the SAFE MODE step, this should get you sorted.

    What I have suggested is slightly different from the step by step instructions, in that you are downloading every program suggested and then running all in SAFE MODE.

    Let us know how you go...

    Cheers :D
     
  6. Trudi

    Trudi Guest

    I have come down with the same plague and nothing I do seems to get rid of it. Please tell me the name of the program you downloaded that gave you the infection.
    I am running XP Home
    . I have AVG 7, Mcaffee's suite, Spysweeper and AdAware Pro running and they did not catch it.
    My computer became very slow and I checked running processes. Found UPNPCLIENT.EXE in caps as written. I have blocked access with McAfee firewall. But I cannot get rid of it permanently. Nothing I have read here today works. Anything further?
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have you tried my suggestion in the above post?

    Cheers :D
     
  8. BadFire

    BadFire Guest

    Wow, i haven't found a way to remove this beauty either. But i'll keep trying.
     
  9. CloseCall

    CloseCall Guest

    Thanks to all who have written, I think I have purged it.

    I got it via a MAC address changer that was pushed out on a newsgroup (there was, of course, a warning the next day). My AntiVirus (AVG) did not react to it, but Zone Alarm did stop it from sending anything out.

    First, some preparation was required. Even logged in with Administrator privileges, one still has to authorize oneself to be able to delete anything one chooses from the Registry (I had to use regedt32 rather than regedit) and System Volume Information folders.

    That done, it is as described - get everything set up ready to delete upnpclient.exe from the SVI folder, then use task manager to end the process and immediately delete upnpclient.exe before it can get restarted.

    After that, locate and delete temp.exe and msdebach.exe. When it comes to acrobat.dll, I didn't have any other than what the trojan installed - but I use a full Acrobat system, and I think it uses acrotray.exe instead. In any case I found the two registry references pointing to acrobat.dll and repointed them to acrotray.exe (there were two other registry entries with the correct pointers to acrotray.exe, so I now have four). If the more common acrobat reader is used, I suspect it may be simply a question of pointing to the correct version in the correct folder. Once the registry was updated, I deleted the offending acrobat.dll.

    After that, it was simply a case of searching for registry references to 'upnpclient' and popping up the hierarchy to find the suitable point to delete. (Getting rid of LEGACY_UPNPCLIENT was what required extra authorization in regedt32.) Didn't find any references to temp.exe nor msdebach.exe.

    So far, so good.
     
  10. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
  11. Trudi

    Trudi Guest

    CloseCall wrote:
        I got it via a MAC address changer that was pushed out on a newsgroup ...
        First, some preparation was required. Even logged in with Administrator privileges, one still has to authorize oneself to be able to delete anything one chooses from the Registry (I had to use regedt32 rather than regedit) and System Volume Information folders.

        That done, it is as described - get everything set up ready to delete upnpclient.exe from the SVI folder, then use task manager to end the process and immediately delete upnpclient.exe before it can get restarted.


    This makes perfectly good sense to a computer pro but Granny here cannot follow unless you give me 1, 2, 3.
    I have the Acrobat.dll, the upnpclient.exe and the other.
    I do belong to a newsgroup. I have uninstalled all programs installed in past few days (I am a software junkie).
    I also have a legit full copy of Acrobat.
    This is going to make granny bald and she is missing West Wing!
     
  12. Trudi

    Trudi Guest

     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Once we get you cleaned up, then I would suggest purchasing Process Guard 3; this would have stopped this in its tracks, full stop.

    Cheers :D
     
  14. Trudi

    Trudi Guest

    I have been trying to get into System Volume Information using the instructions I found on MS with no success. That sucker will not open.
    I did download dellater.exe and got rid of acrobat.dll.
    Now if someone could just tell me how to get into the SVI folder, maybe ...?
     
  15. Trudi

    Trudi Guest

    Well, I have been wanting to upgrade to Pro version. I give up. This is a monster. I am going to format the hard drive tomorrow and overwrite with 0's.
    Start fresh and stay outta the newsgroups!
     
  16. CloseCall

    CloseCall Guest

    Well, if you're running WinXP, get to the SVI folder, right click on it, select "Sharing and Security..." from the drop-down menu, then select the "Security" tab on the new "properties" page, then click the "Add" button. Add your login ID (there should only be "System" when you brought up the page), click the "Check Names" button to make sure you haven't made a typo, then click on the "Allow" box for "Full Control" (which ticks on everything) and close out.

    Same idea for regedt32, only the right-click drop-down menu entry is "Permissions", and "Security" is the only tab.
     
  17. Trudi

    Trudi Guest

    I gave up. Reformat and overwrite with 00's.
    Installed XP Pro and immediately went and bought the suite suggested (TD 3 etc.).
    Hope it works and thanks for all the help boys and girls.
    granny tech
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Now that your system is clean you may want to take a look here for further discussion on security and how to make your system that much stronger, and here for more discussions.

    Hope this helps...

    Cheers :D
     
  19. Waylander

    Waylander Guest

    Hi All,
    First off, this forum is great. This is the only place that gives me any hope of deleting this puppy. Norton AV 2005 finds it, tells me it's there, but can't do anything about it. I've printed out the step by step from various bits of this post, so hopefully that will sort it. Has anybody worked out what it actually does yet? There was a post further up that thought it might be a password stealer; was this ever confirmed?
     
  20. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Hey Waylander, one point to mention, when you get into the System Volume Info file and try to delete upnpclient.exe, you must first set it up for deletion/name change by right clicking and clicking delete/name change - but DON'T click the confirmation at this stage. Then bring up Task Manager and highlight upnpclient.exe; then you need to act fast - click to terminate the process and immediately click delete/name change. You only have a split second to do this, because as soon as you terminate upnpclient.exe as a running process it will be resurrected again (thus preventing deletion/name change of the file!).

    I think this is the point that may have been missed by those who tried and failed. But let us know how you get on so others may learn, one way or the other!
     
  21. Waylander

    Waylander Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    2
    No worries, going home in a few minutes, so I'll give it a try and update on (hopefully) my success...
     
  22. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    You can also use another method, which is creating a folder with the same name as the file, copying the folder and pasting it where the file was right after deleting it, so it can't replace itself.
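
    The kill-then-delete race that CloseCall (post 9), TopperID (post 20) and AJohn (post 22) describe doing by hand, as an added example; this is not code posted in the thread. It assumes an elevated Windows PowerShell prompt on a later Windows (PowerShell, takeown.exe and icacls.exe, the successors of XP's cacls, did not exist in 2004, when the posts did all of this in Explorer and Task Manager). The file path directly under System Volume Information and the helper process names are assumptions built from the file names the posts mention.

```powershell
# Added example for this thread, not code posted in it. Assumes an elevated
# Windows PowerShell prompt on a later Windows; the posts did this by hand on
# XP. Assumed: the file sits directly in System Volume Information, and the
# helpers that respawn it are the msdebach.exe / temp.exe the posts name.
$svi    = 'C:\System Volume Information'
$target = Join-Path $svi 'upnpclient.exe'
$names  = 'upnpclient', 'msdebach', 'temp'
$me     = [Security.Principal.WindowsIdentity]::GetCurrent().Name

# 1. Post 16's Security-tab clicks, scripted: Administrators take ownership of
#    the SVI folder, then the current account gets Full Control, inherited by
#    everything inside it.
& takeown.exe /F $svi /A | Out-Null
& icacls.exe $svi /grant "${me}:(OI)(CI)F" | Out-Null

# 2. Look before killing: which image on disk each running copy came from.
function Get-DropperProcess {
    Get-Process -Name $names -ErrorAction SilentlyContinue |
        Select-Object Name, Id, Path
}

# 3. TopperID's split-second race, run by a loop rather than a quick hand:
#    kill every instance, delete the file in the instant before the watchdog
#    restarts it, then (AJohn's trick) leave a folder with the file's name in
#    its place so the watchdog's attempt to recreate the file fails.
function Remove-RespawningFile {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $ProcessNames,
        [int] $Attempts = 25
    )
    for ($i = 1; $i -le $Attempts; $i++) {
        Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue |
            Stop-Process -Force -ErrorAction SilentlyContinue
        if (Test-Path -LiteralPath $Path -PathType Leaf) {
            try   { Remove-Item -LiteralPath $Path -Force -ErrorAction Stop }
            catch { Start-Sleep -Milliseconds 50; continue }   # still locked, or already respawned
        }
        if (-not (Test-Path -LiteralPath $Path)) {
            New-Item -ItemType Directory -Path $Path -ErrorAction SilentlyContinue | Out-Null
        }
        $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
        if ($item -and $item.PSIsContainer) { return $true }   # the placeholder folder now holds the name
    }
    return $false
}

Get-DropperProcess | Format-Table -AutoSize
if (Remove-RespawningFile -Path $target -ProcessNames $names) {
    "Removed $target; a placeholder folder now occupies the name."
} else {
    "Still present after retries: boot to Safe Mode and rerun, as post 25 did."
}
```

    The loop only wins the race if every process that can recreate the file is in $ProcessNames; if the file keeps coming back, the listing from Get-DropperProcess shows which image is still running, and the Safe Mode route in post 25 removes the watchdog from the picture entirely.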
     
  23. j.block

    j.block Guest

    Just a thanks to all, got the critter out.
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you please provide your removal experience so as to help others, there as of yet does not seem to be a single definitive approach that can be used, though I am working on one with a friend.

    Cheers :D
     
  25. Waylander

    Waylander Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    2
    OK, I seem to have got rid of most of it. At least it isn't pinging my anti-virus every 5 seconds, nor is it trying to get out through the firewall.

    I started in Safe Mode, enabled access to System Volume Information, disabled the upnpclient service in Services, then deleted all occurrences of upnpclient and msdebach, then stripped the registry entries.

    The only thing is, the second entry in Services, upnpclient, still shows, although it is disabled and has stayed that way. Although, as an earlier poster mentioned, you do need to make sure that the recovery options are disabled or it tries to start itself again.
    If anyone has some advice how to get rid of the spurious Services entry, I'd be very grateful. I must almost have it all, as if you try to right-click on the service then Properties it gives you an error saying it can't find reg keys.

    Once again, thanks for the help guys.
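
    The service and registry side of the cleanup that CloseCall (posts 9 and 16) and Waylander (post 25) describe, as an added example; this is not code posted in the thread. It assumes an elevated Windows PowerShell prompt on a later Windows (the posts did the same in Services.msc and regedt32 on XP). The service name and file names come from the posts; the registry roots searched are my choice of common persistence locations, and placing the LEGACY_UPNPCLIENT node CloseCall mentions under Enum\Root is my assumption about where Windows records device nodes for legacy services.

```powershell
# Added example for this thread, not code posted in it. Assumes an elevated
# Windows PowerShell prompt on a later Windows. Service and file names come
# from the posts; the roots searched and the Enum\Root location for the
# LEGACY_UPNPCLIENT node are my assumptions.
$svcName = 'upnpclient'
$pattern = 'upnpclient|msdebach|temp\.exe'
$roots   = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services',
           'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root',
           'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion',
           'Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion'

# 1. Waylander's point: disable the service AND clear its recovery actions, or
#    the Service Control Manager restarts it after every kill. sc.exe delete
#    then marks the entry for removal; until reboot it lingers in Services.msc
#    as a stub that errors on Properties, which is what post 25 saw.
function Disable-DropperService {
    param([Parameter(Mandatory)] [string] $Name)
    $key = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) { return 'no service entry' }
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Set-ItemProperty -LiteralPath $key -Name Start -Value 4                 # 4 = Disabled
    Remove-ItemProperty -LiteralPath $key -Name FailureActions -ErrorAction SilentlyContinue
    & sc.exe delete $Name | Out-Null
    return 'stopped, disabled, recovery cleared, marked for deletion'
}

# 2. CloseCall's search for references, automated: every key whose name
#    matches, and every value whose name or data matches, under the roots.
function Find-RegistryReference {
    param([string[]] $Roots, [string] $Pattern)
    foreach ($root in $Roots) {
        # Direct children by name first: a SYSTEM-only key such as
        # Enum\Root\LEGACY_UPNPCLIENT cannot be opened, so the recursive walk
        # below skips it silently, but its name is still listed here.
        $rootKey = Get-Item -LiteralPath $root -ErrorAction SilentlyContinue
        if ($rootKey) {
            foreach ($n in $rootKey.GetSubKeyNames()) {
                if ($n -match $Pattern) {
                    [pscustomobject]@{ Kind = 'Key'; Path = "$root\$n"; Name = $n; Data = '' }
                }
            }
        }
        Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_; $path = "Registry::$($key.Name)"
            if ($key.PSChildName -match $Pattern) {
                [pscustomobject]@{ Kind = 'Key'; Path = $path; Name = $key.PSChildName; Data = '' }
            }
            foreach ($v in $key.GetValueNames()) {
                $d = [string]$key.GetValue($v)
                if ($v -match $Pattern -or $d -match $Pattern) {
                    [pscustomobject]@{ Kind = 'Value'; Path = $path; Name = $v; Data = $d }
                }
            }
        }
    }
}

# 3. Remove what was found: values singly (a Run entry, a hijacked handler),
#    matching keys with their subtrees, deepest first. Keys that refuse are
#    returned for the regedt32-style permission fix CloseCall needed.
function Remove-RegistryReference {
    param([object[]] $Refs)
    $denied = @()
    foreach ($r in $Refs | Where-Object Kind -eq 'Value') {
        try   { Remove-ItemProperty -LiteralPath $r.Path -Name $r.Name -ErrorAction Stop }
        catch { $denied += "$($r.Path) [$($r.Name)]" }
    }
    foreach ($r in $Refs | Where-Object Kind -eq 'Key' | Sort-Object { $_.Path.Length } -Descending) {
        if (-not (Test-Path -LiteralPath $r.Path)) { continue }   # went with a parent already
        try   { Remove-Item -LiteralPath $r.Path -Recurse -Force -ErrorAction Stop }
        catch { $denied += $r.Path }
    }
    return $denied
}

Disable-DropperService -Name $svcName
$refs = Find-RegistryReference -Roots $roots -Pattern $pattern | Sort-Object Kind, Path, Name -Unique
$refs | Format-Table Kind, Name, Data, Path -AutoSize
Remove-RegistryReference -Refs $refs | ForEach-Object { "Access denied, grant yourself Full Control on it first: $_" }
```

    Review the table before trusting the deletions: the pattern is a substring match, so any legitimate entry that happens to contain one of the names would be listed too. The keys reported as access denied are exactly the ones regedt32's Permissions dialog was needed for; add yourself with Full Control on that key (post 16 gives the clicks), rerun, then reboot so the service entry sc.exe marked for deletion clears.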
     