UPXDND.EXE - Dangerous

What you should do about UPXDND.EXE:

Check Your PC Now
Your PC may be infected. The presence of a file called UPXDND.EXE is a possible sign of infection.


You should urgently check your PC to make sure it is not infected. The free version of Prevx CSI will scan your PC in less than two minutes and check for millions of spyware and malware infections including UPXDND.EXE. Don't take the risk, check your PC now by clicking the green button.

Download Prevx CSI Now

Who Uses Prevx CSI?

Prevx has been detecting the threats that others miss since 2004.

More than 2,077,870 people have scanned with Prevx CSI and between them have checked 30.4 billion files. 68% of the PCs scanned had malware present.

What we know about UPXDND.EXE:

The filename UPXDND.EXE was first seen on Jun 19 2007 in SPAIN. It has also been seen in the following geographical regions of the Prevx community:

  • The EUROPEAN UNION on Oct 6 2007
  • NORTHERN MARIANA ISLANDS on Sep 24 2007
  • HONG KONG on May 10 2008
  • VIET NAM on Jun 19 2007
  • The UNITED KINGDOM on Jun 20 2007
  • JAPAN on Mar 17 2008
  • MALAYSIA on Dec 28 2007
  • PAKISTAN on Dec 28 2007
The filename UPXDND.EXE refers to many versions of an executable program.

The most common file size is 26,624 bytes. But the following file sizes have also been seen:

  • 12,644 bytes
  • 27,136 bytes
  • 52,224 bytes
  • 29,696 bytes
  • 19,966 bytes
  • 16,064 bytes
  • 20,261 bytes
  • 16,921 bytes

The unsafe files using this name are associated with the malware group PSW.OnlineGames.NAJ.Some files using the name UPXDND.EXE are also associated with the malware groups:
  • PSW.OnlineGames.LDL
  • PSW.Generic4.UOK
  • Worm.Looked
 These files have no vendor, product or version information specified in the file header.

UPXDND.EXE has been seen to perform the following behavior(s):

  • This Process Creates Other Processes On Disk
  • The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
  • This Process Deletes Other Processes From Disk
  • Writes to another Process's Virtual Memory (Process Hijacking)
  • Modifies Windows Initialization And System Settings Used On Start up
  • Registers a Dynamic Link Library File
  • Adds a Registry Key (RUN) to auto start Programs on system start up
  • The Process is polymorphic and can change its structure
  • The Process is packed and/or encrypted using a software packing process
  • This Process uses Anti Dissasembly Tricks

UPXDND.EXE has been the subject of the following behavior(s):

  • Executed as a Process
  • Executed from Temporary Folders
  • Created as a process on disk
  • Terminated as a Process
  • Added as a Registry auto start to load Program on Boot up
  • Deleted as a process from disk
  • Has code inserted into its Virtual Memory space by other programs
  • Copied to multiple locations on the system

UPXDND.EXE can also use the following file names:

  • 54091758.DAT
  • A5.EXE
  • ZT0616[1].EXE
  • K11905596269.EXE
  • K11906471639.EXE
  • K11906563749.EXE
  • 22376989.DAT
  • K11906630559.EXE
  • WRIWEB.EXE
  • K11906854239.EXE
  • K11906860769.EXE
  • OARSNX.EXE
  • DC1331.EXE
  • 23825389.EXE
  • K11906458619.EXE
  • K11906494779.EXE
  • K11906530959.EXE
  • K11906567129.EXE
  • K11906603309.EXE
  • K11906639479.EXE
  • K11906675639.EXE
  • K11906711809.EXE
  • K11906748009.EXE
  • K11906784209.EXE
  • K11906820369.EXE
  • K11906856539.EXE
  • K11906892799.EXE
  • K11906928969.EXE
  • K11906965169.EXE
  • K11907001339.EXE
  • K11907037509.EXE
  • K11907073769.EXE
  • K11907109939.EXE
  • K11907135079.EXE
  • K11907254839.EXE
  • K11907512619.EXE
  • K11907796039.EXE
  • K11907932459.EXE
  • K11908572519.EXE
  • K11908976249.EXE
  • DQTQOV.EXE
  • 73616825.DAT
  • K119107359110.EXE
  • K112801366110.EXE
  • K119110637510.EXE
  • K119111695510.EXE
  • K119114218710.EXE
  • K119114638710.EXE
  • 58438705.SVD
  • 69044816.EXE
  • 05661175.SVD
  • DPTRROPKLC-260.PMS.EXE
  • 3BA1FA2325AA9D73D5B04D3F44B40724.EXE
  • 8[1].EXE
  • DPTRRO~1.EXE
  • D#DOCUMENTS AND SETTINGS_GANESH_LOCAL SETTINGS_TEMPORARY INTERNET FILES_CONTENT.IE5_IV8LGT6D_8[1].EXE#$# 0317_0724-51_8[1].EXE.EXE
  • 3.EXE
  • 3[1].EXE
  • Z02[1].EXE
  • Z02.EXE
  • Z02[5].EXE
  • Z02[3].EXE
  • A0038099.EXE
  • 1[1].EXE
  • 59920038.SVD
  • DPTRRIPDXS-620.PMS.EXE
  • A6ED5831D481B7F6EEFF977112EE970E.EXE
  • DPTRRI~1.EXE
  • 22716457.DAT
  • 00013[1].EXE
  • CSI17.TMP
  • SFFMOW.EXE
  • 15870012.EXE
  • K119177206010.EXE
  • K119178315810.EXE
  • K119178687110.EXE
  • K97096564610.EXE
  • K119181394410.EXE
  • ZT0616[2].EXE
  • K119181831810.EXE
  • K119182333910.EXE
  • K119182995110.EXE
  • K119183306110.EXE
  • K119183051610.EXE
  • K119183552310.EXE
  • K119181508710.EXE
  • 20601376.DAT
  • K119185649510.EXE
  • 96775693.DAT
  • K119186933110.EXE
  • K119189658110.EXE
  • K112886295210.EXE
  • K119193386010.EXE
  • ZT0616.EXE
  • 95505889.EXE
  • K119198006110.EXE
  • 83410994.EXE
  • 32383816.EXE
  • K119200302710.EXE
  • 14992389.EXE
  • K112899354610.EXE
  • K119207193710.EXE
  • K119207509210.EXE
  • 74793237.EXE
  • 07398236.EXE
  • K119210867410.EXE
  • K119212200910.EXE
  • 32650357.SVD
  • 51985309.EXE

Virus, Spyware & Malware Center