
winupie.exe - spyware?



Wolfweasel
22-06-2003, 05:10 PM
Help! winupie.exe turned up on the kid's PC yesterday and made itself apparent by attempting persistent outbound connections to 203.96.152.12:53 and 203.96.152.4:53, which were blocked by ZoneAlarm. It's fairly obvious about things and can be seen running in Task Manager.

I traced it to a zip package which had extracted itself under \temp and then installed the above file into \windows. It seems to relate to winpopup in some way.

Neither AdAware nor Spybot identify it as a problem, but I smell a big fat rat. I've disabled it by running msconfig and unchecking it in selective startup, then renaming the file to winupie.old. I don't think this is the solution though, as I'm noticing odd scrolling problems now and clicking on a hyperlink gets no action until you move the mouse. Weird.

Can anyone shed some light?

Thanks.

Jen C
22-06-2003, 05:27 PM
Hmm ... not much on the net about winupie.exe.

The IP addresses that the program was trying to connect with are your Paradise ISP Domain Name Servers:

203.96.152.4 = rachel.paradise.net.nz = Primary DNS
203.96.152.12 = kirsty.paradise.net.nz = Secondary DNS

You have given the PC a complete scan with an up to date antivirus program?

Pheonix
22-06-2003, 05:32 PM
Can't find much either. Had a reference on one site to a winupie.gif and directed to a Microsoft site. Not there anymore, and search reveals nothing. Could be WINdowUPdateInternetExplorer ?
What is your version of IE? Maybe an old update method?

Wolfweasel
22-06-2003, 05:51 PM
Thanks Jen. Stoopid me, should've been able to work out those two IP addresses...

Yep, system clean. On a positive note, since I'd renamed the file, I figured it'd be safe to turn off selective startup in msconfig. Rebooted and the scrolling problems have gone.

Cheers

Wolfweasel
22-06-2003, 06:00 PM
> Could be WINdowUPdateInternetExplorer ?
Could be, I guess, although ZoneAlarm identifies it as winpopup. Viewing the file properties reveals the original filename as winpopup.exe - almost as if someone has taken the original Microsoft file and modified it. Language lists as Spanish (Argentina).

> What is your version of IE? Maybe an old update method?
IE6.0, although the default browser is Mozilla 1.3. IE only flashes up when the kids are using MSN Messenger 5.0.

Appreciate the help.

bmason
22-06-2003, 07:06 PM
You bringing up properties on the file and going to the version tab.

It should tell you who made it, and perhaps its function. Assuming they're being honest.
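
The version-tab check discussed in this thread (winupie.exe on disk, winpopup.exe as its embedded original filename) can be run over a whole folder. This is an added example, not something posted by the thread's participants; the function name `Get-RenamedExecutable` is hypothetical and the folder scanned is an assumption. A mismatch is a lead to investigate, not a verdict, and the version fields are only as honest as whoever built the file.

```powershell
# Added example: list executables whose on-disk name differs from the
# OriginalFilename stored in their version resource, plus the fields the
# Properties > Version tab shows (company, language) and signature status.
function Get-RenamedExecutable {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    Get-ChildItem -LiteralPath $Path -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi   = $_.VersionInfo
            $orig = $vi.OriginalFilename

            if ([string]::IsNullOrWhiteSpace($orig)) {
                # No version resource at all: cannot compare, but worth a look.
                $status = 'NoVersionInfo'
            }
            else {
                # Localised resources often report "name.exe.mui"; strip that
                # suffix so legitimate system files are not flagged.
                $embedded = [IO.Path]::GetFileNameWithoutExtension(($orig -replace '\.mui$', ''))
                if ($embedded -ine $_.BaseName) {
                    $status = 'NameMismatch'
                }
                else {
                    return   # names agree: skip this file
                }
            }

            [pscustomobject]@{
                Status           = $status
                File             = $_.Name
                OriginalFilename = $orig
                CompanyName      = $vi.CompanyName
                Language         = $vi.Language
                Signature        = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            }
        }
}

# Assumption: the Windows folder is the one to inspect, as in the thread.
Get-RenamedExecutable -Path $env:windir | Format-Table -AutoSize
```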