Re: Possible Virus or Trojan?

From: Keith (keith_at_nospam.freeserve.co.uk)
Date: 12/09/04 

Date: Thu, 9 Dec 2004 16:10:22 -0000

Dawn Loree wrote:
> I have the same msg from my anit-virus program. It states that the
> Trojan virus came from Windows Update. Can someone explain this?
> Please???? Dawn Loree
>
> "Howard Hartman" wrote:
>
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hello.
>>
>> I have an unusual problem on an XP Professional computer that I
>> think may be a virus or trojan, but Norton Antivirus 2005 is
>> ambiguous as to whether the computer is infected or not.
>>
>> I noticed one day that the process upnpclient.exe was running on this
>> machine. That was suspicious since the UPnP component was not
>> installed. I deleted the process.
>>
>> As soon as I ended the process, Norton Antivirus popped up and
>> issued a virus warning in the category of Trojan Horse on the file
>> c:\acrobat.dll. Norton was unable to either repair or quarantine
>> this file.
>>
>> A few minutes later the upnpclient.exe process was running again.
>>
>> I can delete c:\acrobat.dll in a DOS window. It only exists if the
>> upnpclient.exe process is ended via Task Manager. When the
>> upnpclient.exe process is reinstated, it creates the file
>> c:\acrobat.dll which is 32,768 bytes in size. Each time it is
>> created, Norton flags it as a possible virus or trojan.
>>
>> I do have Adobe Acrobat 6 installed on this computer. The UPnP
>> Client is still not installed. I have tried installing the UPnP
>> Client and then removing it. That had no affect. I tried deleting
>> all files with the specification upnp*.* on the computer. That had
>> no affect either.
>>
>> I have another computer that also has Adobe Acrobat 6 installed and
>> this behavior is not seen on that computer. The upnpclient.exe
>> process is also not running.
>>
>> I have looked at the TCP/IP activity on the computer. The
>> upnpclient.exe process opens a port only to localhost so it doesn't
>> seem to be posing a risk to outside intrusion at this point.
>>
>> Is this an infection? Why is the upnpclient.exe running and why
>> does it restart by itself? I don't think I have anything running
>> that requires it. Even if it was required by another process,
>> wouldn't I be prompted to install it rather than Windows running it
>> itself?
>>
>> Thanks.
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGP 8.0.3
>> Comment: Digital signature guarantees authenticity
>>
>> iQA/AwUBQbdAoN/hBQ7O4WklEQL7fQCg16VwygF/tSaz+Uhn4GoZR7KDxJMAoMBa
>> Ay14R9UUtBrCV7sEgpr856Va
>> =XFB5
>> -----END PGP SIGNATURE-----

Have you installed the latest Acrobat 6.0.2 updates intended to fix a
security issue. This may help.

Loading