Re: Dave re upnpclient.exe being w32/backdoor.SO and acrobat.dll WAS Trojan in c:\windows. I can`t delete and neither can F-prot For Windows.
Posted by David H. Lipman on March 3rd, 2005


<Buddy B@yippy.ti.ye> wrote in message news:25sc21hlds1jq225cukddckeh1ep6qfp6d@4ax.com
| I am still getting the f-prot for windows warning about
| upnpclient.exe being w32/backdoor.SO.
|
| Restore is OFF.
|
| upnpclient.exe is unchecked in msconfig.
|
| Zone alarm firewall alerted that Process 1508; upnpclient.exe was trying to
| contact: 65.130.111.232HTTP
|
| Properties of upnpclient.exe shows:
| cmd line shortcut is C:\system volume info\upnpclient.exe
|
| Windows PIF settings show:
| Autoexec file name %SystemRoot%\System32\Autoexec.NT
| Config file name %Systemroot%\System32\Config.NT
|
| Acrobat.dll has been deleted several times from safe mode and windows and is
| back again in C:\windows.
|
| I`m at a loss.
| Ideas appreciated.
|
| Regards Buddy B


Buddy:

Have you tried BHOdemon to see if it is a Browser Helper Object?
http://www.definitivesolutions.com/bhodemon.htm

I also suggest going to Sysinternals --
http://www.sysinternals.com/ntw2k/utilities.shtml and obtaining both TCPVIEW and Process
Explorer to find what the dependencies are and what DLLs are associated with this Trojan.

I also suggest repairing AUTOEXEC.NT and CONFIG.NT, then rebooting into Safe Mode and
scanning with F-Prot...

AUTOEXEC.NT and CONFIG.NT Fix Method 1:
copy; c:\windows\repair\autoexec.nt
to
c:\windows\system32

and

copy; c:\windows\repair\config.nt
to
c:\windows\system32


AUTOEXEC.NT and CONFIG.NT FIX Method 2:
Go to; Start --> Run
enter; cmd.exe

{ assuming the WinXP CDROM disk is in drive "D:" }
In the Command Prompt enter...
expand D:\i386\autoexec.nt_ %windir%\system32\autoexec.nt
expand D:\i386\config.nt_ %windir%\system32\config.nt


The last time you posted about this you indicated F-Prot found W32/backdoor.AOP;
now you are saying it's W32/backdoor.SO.

When I do a McAfee search on upnpclient.exe and acrobat.dll, I get the following...

BackDoor-CLS -- http://vil.nai.com/vil/content/v_130352.htm

Please send me an email so I can provide you with more information. It is for a licensed
product so I can't post it in public.

--
Dave





