InterMute - Spyware - Threat Research

Winupie is a process run at Windows startup that opens pop-up advertising.

Distribution

Installed by ActiveX drive-by-download, thought to be on pop-up adverts.

What it does

Advertising

Yes. Periodically spawns untargeted pop-ups as directed by its controlling server www.tradeexit.com.

Privacy violation

No.

Security issues

The ActiveX installer used to load Winupie may be used in any web page to load code from the controlling server.

Stability problems

None known.

Removal

The software producer's web site www.dugoto.com offers an 'uninstaller', which doesn't work.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System" 

                      regsvr32 /u AxConfig.dll

Next, open the registry (click 'Start', choose 'Run' and enter 'regedit'), and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'winpopup' entry pointing to 'winupie.exe'.

Restart the computer and open the Windows folder. You should now be able to delete the file winupie.exe, the entry 'Installer Class' from the Downloaded Program Files folder, and the file AxConfig.dll from the System folder (called 'System32' under Windows NT, 2000 and XP).