upnpclient.exe = Unknown program

The Lodge · 11-11-2004, 11:23 PM

This guy I know has this on his system. I had him scan with all the usual programs like adaware, spybot, and av but nothing comes up. In task manager this is running under the applications tab, MSLib16s. When ever he kills the upnpclient.exe service it comes back after a couple of minutes. A search of his files shows it in the prefetch folder. When he deletes that it still comes back. I’ve searched all over the net and have come up empty. He also used one of those reg cleaners and there’s no dice there either. Has anybody come across this?

Edit: XP Pro by the way.

Strawbs · 11-12-2004, 03:56 AM

MS' "upnp" is a feature not needed now or ever, it leaves the system open to hacking. Use WinPatrol to try to kill the Active process and remove it from the startup list.

Then use GRC's Un Plug & Pray to disable it! You can read all about it at the same link. You can also look for & disable it in the "services" console in Admin Tools. GRC's little tool confirms the process is dead.

Another thing: AV, Ad & Spyware scanners don't usually catch "Trojans".

fishybawb · 11-12-2004, 04:37 AM

Quote:

Originally posted by Strawbs
Another thing: AV, Ad & Spyware scanners don't usually catch "Trojans".

Most AV programs do detect trojans now, as do adware scanners like PestPatrol.

The Lodge · 11-12-2004, 06:22 AM

Thanks Strawbs. I'll give those a try this evening, hopefully it will work. He's been complaining about port scans and constant norton popups telling him it just blocked an intrusion attempt. Using whois and nortons visual tracking it all points to Korea.

G · 11-12-2004, 01:21 PM

Make sure System Restore is OFF and you have Enabled the Viewing of Hidden Files.

Look in C:\Windows\Prefetch for accdisk and Delete any entries

The Lodge · 11-12-2004, 05:01 PM

Will do G. I don't think he has hidden files shown. That's something I've always got going on with my rig. I didn't get a whole lot of time to mess with his computer. Tonight will be the true test.

The Lodge · 11-13-2004, 07:16 AM

I went over to his house and he was in the middle of a clean install. Oh well, another bit of info stored in the noggin for future reference.

Strawbs · 11-13-2004, 08:00 AM

You should still have him disable upnp in "admin tools>services" for security reasons.

Rocketmech · 11-13-2004, 01:12 PM

Quote:

You should still have him disable upnp in "admin tools>services" for security reasons.

And also the "SSDP Discovery Service" , both need to be disabled to turn off UPnP.
Be aware that some applications who need NAT traversal and some MS programs may not work , such as MSN Messenger and Remote Connection. I find its not too much of a security problem for home use myself , but it does leave a port open for an extended time when your done using it and my firewall logs get inundated from my WLAN side . Aside from that its safe IMO to disable it at the router and leave it in Manual in Services. Then, if you need it just turn it on at the router.

As to the files upnpclient.exe and MSLib16s , they are suspect. Theres a thread at TomCoyote's Forums , but the threat is new and probably rare and we'll just have to wait till its resolved. Someone will probably need to unpack the files to see whats up.

http://forums.tomcoyote.org/index.ph...62&hl=mslib16s