Possible Virus or Trojan?

Howard Hartman

Hello.

I have an unusual problem on an XP Professional computer that I think may be
a virus or trojan, but Norton Antivirus 2005 is ambiguous as to whether the
computer is infected or not.

I noticed one day that the process upnpclient.exe was running on this
machine. That was suspicious since the UPnP component was not installed. I
deleted the process.

As soon as I ended the process, Norton Antivirus popped up and issued a
virus warning in the category of Trojan Horse on the file c:\acrobat.dll.
Norton was unable to either repair or quarantine this file.

A few minutes later the upnpclient.exe process was running again.

I can delete c:\acrobat.dll in a DOS window. It only exists if the
upnpclient.exe process is ended via Task Manager. When the upnpclient.exe
process is reinstated, it creates the file c:\acrobat.dll which is 32,768
bytes in size. Each time it is created, Norton flags it as a possible virus
or trojan.

I do have Adobe Acrobat 6 installed on this computer. The UPnP Client is
still not installed. I have tried installing the UPnP Client and then
removing it. That had no effect. I tried deleting all files with the
specification upnp*.* on the computer. That had no effect either.

I have another computer that also has Adobe Acrobat 6 installed and this
behavior is not seen on that computer. The upnpclient.exe process is also
not running.

I have looked at the TCP/IP activity on the computer. The upnpclient.exe
process opens a port only to localhost so it doesn't seem to be posing a
risk to outside intrusion at this point.

Is this an infection? Why is the upnpclient.exe running and why does it
restart by itself? I don't think I have anything running that requires it.
Even if it was required by another process, wouldn't I be prompted to
install it rather than Windows running it itself?

Thanks.

 
Malke

Howard said:
Hello.

I have an unusual problem on an XP Professional computer that I think
may be a virus or trojan, but Norton Antivirus 2005 is ambiguous as to
whether the computer is infected or not.

I noticed one day that the process upnpclient.exe was running on this
machine. That was suspicious since the UPnP component was not
installed. I deleted the process.

As soon as I ended the process, Norton Antivirus popped up and issued
a virus warning in the category of Trojan Horse on the file
c:\acrobat.dll. Norton was unable to either repair or quarantine this
file.

A few minutes later the upnpclient.exe process was running again.

I can delete c:\acrobat.dll in a DOS window. It only exists if the
upnpclient.exe process is ended via Task Manager. When the
upnpclient.exe process is reinstated, it creates the file
c:\acrobat.dll which is 32,768 bytes in size. Each time it is created,
Norton flags it as a possible virus or trojan.

There's an excellent thread addressing this very issue here:

http://www.wilderssecurity.com/showthread.php?t=54750

It's very much worth reading through the whole thing.

Malke
 
Guest

I have the same msg from my anti-virus program. It states that the Trojan
virus came from Windows Update. Can someone explain this? Please???? Dawn
Loree
 
Jeff G

I have seen a malware app lately that names itself "winupdate" or something
similar; it is NOT Windows Update. It does drop a trojan virus, however.
Follow Malke's advice to the letter on earlier posts about malware/spyware
removal, and I think you'll find the culprit...

HTH
J
 
