Dave re upnpclient.exe being w32/backdoor.SO and acrobat.dll WAS Trojan in c:\windows.

Discussion in 'Anti-Virus' started by Buddy B, Mar 3, 2005.

  1. Buddy B

    Buddy B Guest

    I am still getting the f-prot for windows warning about
    upnpclient.exe being w32/backdoor.SO.

    Restore is OFF.

    upnpclient.exe is unchecked in msconfig.

    Zone alarm firewall alerted that Process 1508; upnpclient.exe was trying to
    contact: 65.130.111.232HTTP

    Properties of upnpclient.exe shows:
    cmd line shortcut is C:\system volume info\upnpclient.exe

    Windows PIF settings show:
    Autoexec file name %SystemRoot%\System32\Autoexec.NT
    Config file name %Systemroot%\System32\Config.NT

    Acrobat.dll has been deleted several times from safe mode and windows and is
    back again in C:\windows.

    I'm at a loss.
    Ideas appreciated.

    Regards Buddy B
     
    Buddy B, Mar 3, 2005
    #1

  2. David H. Lipman

    | I am still getting the f-prot for windows warning about
    | upnpclient.exe being w32/backdoor.SO.
    |
    | Restore is OFF.
    |
    | upnpclient.exe is unchecked in msconfig.
    |
    | Zone alarm firewall alerted that Process 1508; upnpclient.exe was trying to
    | contact: 65.130.111.232HTTP
    |
    | Properties of upnpclient.exe shows:
    | cmd line shortcut is C:\system volume info\upnpclient.exe
    |
    | Windows PIF settings show:
    | Autoexec file name %SystemRoot%\System32\Autoexec.NT
    | Config file name %Systemroot%\System32\Config.NT
    |
    | Acrobat.dll has been deleted several times from safe mode and windows and is
    | back again in C:\windows.
    |
    | I'm at a loss.
    | Ideas appreciated.
    |
    | Regards Buddy B


    Buddy:

    Have you tried BHOdemon to see if it is a Browser Helper Object?
    http://www.definitivesolutions.com/bhodemon.htm

    I also suggest going to Sysinternals --
    http://www.sysinternals.com/ntw2k/utilities.shtml and obtaining both TCPVIEW and Process
    Explorer to find what the dependencies are and what DLLs are associated with this Trojan.

    I also suggest repairing AUTOEXEC.NT and CONFIG.NT, then rebooting into Safe Mode and
    scanning with F-Prot...

    AUTOEXEC.NT and CONFIG.NT Fix Method 1:
    copy; c:\windows\repair\autoexec.nt
    to
    c:\windows\system32

    and

    copy; c:\windows\repair\config.nt
    to
    c:\windows\system32


    AUTOEXEC.NT and CONFIG.NT FIX Method 2:
    Go to; Start --> Run
    enter; cmd.exe

    { assuming the WinXP CDROM disk is in drive "D:" }
    In the Command Prompt enter...
    expand D:\i386\autoexec.nt_ %windir%\system32\autoexec.nt
    expand D:\i386\config.nt_ %windir%\system32\config.nt


    The last time you posted about this you indicated F-Prot found W32/backdoor.AOP;
    now you are saying it's W32/backdoor.SO.

    When I do a McAfee search on upnpclient.exe and acrobat.dll, I get the following...

    BackDoor-CLS -- http://vil.nai.com/vil/content/v_130352.htm

    Please send me an email so I can provide you with more information. It is for a licensed
    product so I can't post it in public.
     
    David H. Lipman, Mar 3, 2005
    #2
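An added example (not code from the thread or from any of its posters) that automates the check behind David's Method 1: compare the live `%SystemRoot%\system32\autoexec.nt` / `config.nt` with the pristine copies Windows keeps under `%SystemRoot%\repair`, report any lines the live copy has gained, and restore from the repair copy with a `.bak` kept. Paths follow the post; the sample file contents below are constructed.

```python
import os
import shutil
from typing import Dict, List

# Assumed locations, as in the thread: live files in system32, clean copies in repair.
WINDIR = os.environ.get("SystemRoot", r"C:\WINDOWS")
STARTUP_FILES = ("autoexec.nt", "config.nt")

# Constructed sample contents (not real files from the poster's machine).
CLEAN_AUTOEXEC = "@echo off\nlh %SystemRoot%\\system32\\mscdexnt.exe\nlh %SystemRoot%\\system32\\redir\n"
LIVE_AUTOEXEC = CLEAN_AUTOEXEC + "lh C:\\WINDOWS\\example_added_loader.exe\n"  # placeholder extra line


def startup_lines(text: str) -> List[str]:
    """Normalise a 16-bit startup file: strip CRLF, drop blank lines, compare case-insensitively."""
    return [ln.strip().lower() for ln in text.splitlines() if ln.strip()]


def diff_startup_file(live_text: str, repair_text: str) -> List[str]:
    """Lines present in the live copy that the repair copy does not contain.
    Anything a PIF-launched program adds here runs on every 16-bit/DOS start, so
    an unexplained extra line is what you want to see before restoring."""
    clean = set(startup_lines(repair_text))
    return [ln for ln in startup_lines(live_text) if ln not in clean]


def restore_from_repair(live_path: str, repair_path: str) -> str:
    """Method 1 from the post: keep a .bak of the tampered file, then copy the repair copy over it."""
    backup = live_path + ".bak"
    shutil.copy2(live_path, backup)
    shutil.copy2(repair_path, live_path)
    return backup


def check_all(windir: str = WINDIR) -> Dict[str, List[str]]:
    """Return {filename: extra_lines} for each startup file that has both copies on disk."""
    report: Dict[str, List[str]] = {}
    for name in STARTUP_FILES:
        live = os.path.join(windir, "system32", name)
        repair = os.path.join(windir, "repair", name)
        if os.path.exists(live) and os.path.exists(repair):
            with open(live, errors="replace") as lf, open(repair, errors="replace") as rf:
                report[name] = diff_startup_file(lf.read(), rf.read())
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a real box call check_all().
    print("sample autoexec.nt extra lines:", diff_startup_file(LIVE_AUTOEXEC, CLEAN_AUTOEXEC))
    for name, extra in check_all().items():
        print(name, "matches repair copy" if not extra else "extra lines: %r" % extra)
```

Review the reported extra lines before running `restore_from_repair`, since a legitimately customised file will also differ from the repair copy.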

  3. donnie

    donnie Guest

    ############################
    Disable the Universal Plug & Play Device Host in Services. (Control
    Panel > Administrative Tools > Services)
    |
    |
    |
    V
    http://www.winguides.com/forums/showflat.php?Cat=&Board=genwinxp&Number=125011&page=8&view=collapsed&sb=5&part=
     
    donnie, Mar 4, 2005
    #3
  4. David H. Lipman

    | On Wed, 02 Mar 2005 21:09:21 -0500, Buddy wrote:
    |
    || Zone alarm firewall alerted that Process 1508; upnpclient.exe was trying to
    || contact: 65.130.111.232HTTP
    ||
    || Properties of upnpclient.exe shows:
    || cmd line shortcut is C:\system volume info\upnpclient.exe
    | ############################
    | Disable the Universal Plug & Play Device Host in Services. (Control
    | Panel > Administrative Tools > Services)
    | |
    | |
    | |
    | V
    |
    http://www.winguides.com/forums/showflat.php?Cat=&Board=genwinxp&Number=125011&page=8&view=collapsed&sb=5&part=

    Donnie:

    I think that thread is a Red Herring. Otherwise you would see the uPnP IP Multi-cast
    address at the FireWall, not 65.130.111.232 @ TCP Port 80.
     
    David H. Lipman, Mar 4, 2005
    #4
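David's reasoning is a triage rule a defender can apply to any firewall alert: genuine UPnP discovery goes to the SSDP multicast address 239.255.255.250 on UDP 1900, so a process calling itself upnpclient.exe that reaches a public unicast address on TCP 80 is not doing UPnP. The example below (added here, not from the thread) parses alerts in the ZoneAlarm wording quoted above and classifies the destination; the second sample alert is constructed.

```python
import ipaddress
import re
from typing import Optional

# Sample alerts: the first is the wording quoted in the thread, the second is constructed.
SAMPLE_ALERTS = [
    "Process 1508; upnpclient.exe was trying to contact: 65.130.111.232HTTP",
    "Process 1508; upnpclient.exe was trying to contact: 239.255.255.250:1900UDP",
]

SSDP_MULTICAST = ipaddress.ip_address("239.255.255.250")
SSDP_PORT = 1900
# ZoneAlarm labels well-known destinations by service name rather than port.
SERVICE_PORTS = {"HTTP": 80, "HTTPS": 443, "DNS": 53}

ALERT_RE = re.compile(
    r"Process (?P<pid>\d+); (?P<exe>\S+) was trying to contact: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?(?P<svc>[A-Z]+)?"
)


def parse_alert(line: str) -> Optional[dict]:
    """Pull process id, image name, destination IP and port out of one alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    svc = m.group("svc") or ""
    port = int(m.group("port")) if m.group("port") else SERVICE_PORTS.get(svc)
    return {"pid": int(m.group("pid")), "exe": m.group("exe"),
            "ip": ipaddress.ip_address(m.group("ip")), "port": port, "svc": svc}


def classify(alert: dict) -> str:
    """upnp-discovery only for SSDP multicast; anything else is unicast and needs explaining."""
    ip, port = alert["ip"], alert["port"]
    if ip == SSDP_MULTICAST and port == SSDP_PORT:
        return "upnp-discovery"
    if ip.is_private or ip.is_link_local:
        return "lan-unicast"
    return "internet-unicast"


def triage(line: str) -> str:
    """One-line verdict for an alert: who, where, and whether the UPnP story holds up."""
    alert = parse_alert(line)
    if alert is None:
        return "unparsed: " + line
    verdict = classify(alert)
    note = "consistent with UPnP" if verdict == "upnp-discovery" else "not UPnP traffic; treat as suspect"
    return "%s (pid %d) -> %s:%s [%s] %s" % (alert["exe"], alert["pid"], alert["ip"], alert["port"], verdict, note)


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(triage(line))
```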
  5. Buddy B

    Buddy B Guest

    EMAIL ON THE WAY.
    --------
    ***Again my deepest thanks for your help.

    ***Glad you mentioned BHOdemon. Ran it and Acrobat.dll was
    "investigated and disabled in the registry."

    ***Acrobat.dll is W32/Backdoor.AOP (f-prot).
    I renamed it acrobat.dll.bak and rebooted. I DID NOT get a new acrobat.dll in
    c:\Windows, just the renamed file, which I deleted.

    ***The other problem has been f-prot saying that upnpclient.exe was
    W32/Backdoor.SO.
    I had closed it before installing BHODemon. After running BHODemon and
    I hit Ctrl + Alt + Del, it was running again and F-prot pops up with its
    warning.
    Rebooted twice and NO Acrobat.dll in WINDOWS or warnings about either
    problem.
    I ran fprot again from windows: NO FLAGS.
    Ran Spybot S&D: NOTHING.
    --------
    this Trojan.
    -------
    Will Do.
    -------

    Q. DO next from a cmd prompt?
    ----------

    ***I have no cdrom with XP, just a restore cd in image form.
    ***See above for which trojan is which. Sorry if I mixed them.
    ---------------------
    ***That's it.
    ---------
    On the way.
     
    Buddy B, Mar 5, 2005
    #5
  6. Buddy B

    Buddy B Guest

    Sent to "David H. Lipman"
    Is that it?
    Regards Buddy B
     
    Buddy B, Mar 5, 2005
    #6