
New Member / Old Lurker... WPU.EXE problem


6 replies to this topic

#1 McZombie

McZombie

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:41 PM

Posted 10 January 2011 - 11:18 PM

We've recently discovered a virus or backdoor agent on a few of our users' PCs at work. WPU.exe has replicated itself to the user's C: and D: drives and any drive they're mapped to. The registry has several entries for the same file. You have to search for hidden system files in order to find them. If you remove the entries in the registry, you'll get an error that WPU.EXE cannot be found when you open MY COMPUTER and double-click on the C: or D: drive. After you reboot, the files are back on the C: and D: and all entries in the registry are found. Malwarebytes and Superantispyware don't detect the infection.

Has anyone dealt with this before?

#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:41 PM

Posted 11 January 2011 - 01:03 AM

Hello, we will need a deeper look to see what's going on.
Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#3 McZombie


Posted 12 January 2011 - 09:15 PM

Trend was made aware of this infection and included it in today's update.

#4 boopme


Posted 12 January 2011 - 09:31 PM

So today's scan cleared it up?

#5 McZombie


Posted 13 January 2011 - 01:56 AM

Yes and No.... UWP.exe seems to have a goal of replicating itself to any drive it can get its hands on. Trend would remove it, after the update, but then the machine would get infected again. We also noticed an autoexec file on C: that was starting UWP.exe.

It's going to be a battle, but I'm sure they'll get it cleaned up soon.

#6 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:09:41 PM

Posted 13 January 2011 - 02:15 AM

I would now follow the steps in the second post of this thread.

#7 McZombie


Posted 13 January 2011 - 09:52 PM

It appears to be gone now. I'll try to list all the locations for anyone who might be dealing with this.

Symptoms: Unable to double click on shortcuts to your mapped drives
Reason: Each drive has a hidden PWU.exe and autoexec.inf file

The registry has an entry for each drive mapping as well.

C:\Windows\System32 has PWU.reg and PWU.bat

After you delete these files, you might get an error when attempting to open shortcuts to drives.
Error: the file pwu.exe cannot be found. Please use the search function...blahblahblah

You will need to remap your drives



