sysupd.exe in Security http://www.dslreports.com/forum/r10091594 en Mon, 30 Nov 2009 13:27:13 EDT Mon, 30 Nov 2009 13:27:13 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10387705 anon : :)

thank you folks.
i killed the file using Safe Mode/regedit/HighJackThis

so far it worked for me and my antivir no longer
displays the "small/tr.gs.2" trojan warning in the
atpartners.dll located at system32 folder under win2k.

jesus, fuck sysupd.exe !]]> http://www.dslreports.com/forum/remark,10387705 Mon, 31 May 2004 20:18:18 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10362945 anon : Hi! I experienced the same problem yesterday. It appeared that this program installed VX2.BetterInternet and other spy & adware (keenvalue, favoriteman, Euniverse,etc.) on my computer. Ad-aware 6 deleted the related files, but they kept coming back. It was really frustrating. I tried to stop the process in taskmanager, but sysupd.exe kept running again. This prevented me from deleting sysupd.exe in my c:/winnt directory.

To fix the problem, I created an empty sysupd.txt file in another directory and then renamed it to sysupd.exe. Then, I ended the sysupd.exe process in task manager and moved my new dummy sysupd.exe file into the c:/winnt directory (you need to see where this program is on your computer). I had to do this quickly, because my computer somehow kept starting sysupd.exe back up.

Once I made sure that sysupd.exe was no longer running, I also found that I had to delete this program from my startup programs. Since I am using winnt, I was able to download a freeware program called autoruns.exe that showed me what programs run on my computer at startup. I deleted sysupd.exe from this list. I found that it was necessary to stop the sysupd.exe process before removing it from my startup list; otherwise, it kept reappearing in my list of startup programs.

Maybe someone can suggest a better solution, but this one worked for me. Once you've solved this problem, run your spy/adware remover again for any applications that VX2 may have installed.

Good luck! There should be something illegal about this sort of thing.]]> http://www.dslreports.com/forum/remark,10362945 Fri, 28 May 2004 13:28:02 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10350495 anon : That previous batch file almost worked for me but after copying pskill to winnt directory I modified the batch file a littlebit.. run this a few times from cmd prompt and it will kill the process and then remove the file.

@echo off
pskill sysupd.exe
del sysupd.exe
echo.
echo.
echo Usage: RemoveSysUpd 35
echo.
echo Where 35 is the process ID of sysupd.exe. Open task manager and look
echo for the ID number and then restart this script.
echo.
echo Script requires DELTREE.EXE and PSKILL.EXE.
echo.
echo Copy this script, DELTREE.EXE and PSKILL.EXE into WINNT or WINDOWS
echo run the script from a command prompt. When it is done you should look in
echo task manager and see that sysupd.exe is not running. You may now delete
echo its entry from RUN in the registry.
echo.
echo HKLM\Software\Microsoft\Windows\CurrentVersion\Run
echo HKCU\Software\Microsoft\Windows\CurrentVersion\Run
echo.
echo DELTREE is part of MS-DOS 6 or Windows 9x. PSKILL is part of the PSTOOL
echo kit from www.sysinternals.com.
echo.
echo.
:end]]> http://www.dslreports.com/forum/remark,10350495 Thu, 27 May 2004 02:05:04 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10347128 anon : Ok, here's how I had to do it to remove this wretched piece of *#$%&, I'm running windows 2000 on these machines:
1)install spybot
2)reboot into safemode (press f8 at that little bar that goes across the window before the splash screen)
3)edit the registry, do a search for "sysupd", it'll likely be in /Hkey_local_machine/software/microsoft/windows/current_version/run/ Delete it.
4) close regedit, and press the restart key on the computer, to to a cold reboot. (if you don't have a reboot key, then hold down the power button for 10 seconds)
5) restart in safe mode again, and delete the file c:/winnt/sysupd.exe
6) run spybot/adaware again, and it'll remove some remaining parts of it.
7) restart normally.

Hope this helps!
~Wonko The Sane
ebeaar09@email.pct.edu]]> http://www.dslreports.com/forum/remark,10347128 Wed, 26 May 2004 19:54:34 EDT Re: sysupd.exe - Possible cause? http://www.dslreports.com/forum/remark,10335523 scarabaeus7 : Well, this may be a stab in the dark, but Michael said to present ideas even if they are "guesses". I first noticed I was infected when 1) McAfee kept screaming at me while visitng some sites and 2) ad-aware came across the "FavoriteMan" hijacker app. I was trying to get rid of "FavoriteMan" (deleting it's dlls and supporting files) and it just kept coming back again and again.

I noticed that it's .dll (ATpartners.dll located in my system32 dir) was being modified once per minute. At that point, it lead me to believe that a service might be running in the bg. I started ending unknown processes with Task Manager. Once I killed "sysupd.exe", the .dll's modify date stopped changing. I went through and unregistered sysupd.exe, then deleted it from my WINNT directory and system registry along with another entry that kept appearing with it "lysbsu.exe".

I believe, the way that I got infected with FavoriteMan was from loose security permissions in my IE settings. I learned from a few web sites that "FavoriteMan" is an ActiveX "Helper" app that installs wile using IE (without prompting) while visitng some unscrupulous sites. The helper app installs in the background and is a Pain to get rid of. It also allows for the installation of other pests, possibly sysupd.exe. I have changed my security permissions to "prompt" before running ActiveX objects. Hopefully this will do the trick and keep this pest away. It might be a loose connection between the two, but since I've removed both parasites, I haven't had this problem since. Also, since there are MANY different versions of FavoriteMan removal varies.

Let me know if I'm even on the map with this, and if so, when you write your whitepaper for MS or Symantc please use the correct spelling. Thats 'AEUS' in scarabaeus... :p

-s]]> http://www.dslreports.com/forum/remark,10335523 Tue, 25 May 2004 15:58:41 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10330970 anon : I have tried for several hours to rid this thing but to no avail. Finally, I ran an un-updated older version of Spybot S&D. Sure enough, it found it and deleted it without any problems. Its been 2 days and it has not came back. For some reason the new updated version often comes back "CONGRATULATIONS NO SPYWARE FOUND" where as the old version will WILL find spyware even being run right after the new version. Wierd...]]> http://www.dslreports.com/forum/remark,10330970 Tue, 25 May 2004 01:14:12 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10302760 anon : "JosephStalin" the user that made the post about Media Player was absolutely right. I have Media Player 6.4 and 7.1, 6.4 the default one that comes with Win2000 was unaffected, the 7.1 would not launch, but instead it executed sysupd.exe and made a copy of it in %systemroot%.

So follow my previous instructions, then reinstall Media Player. I did it, tested, and it works!

I don't know about WinXP and Media Player 9, someone please comment on that.

For the people that have XP or 2000 with FAT32 you can convert your file system to NTFS. This will allow you to have files larger then 4GB, give you file security, and it is overall a better file system. You will not however be able to read your hard drive from DOS/Win9X if you have multiple operating systems installed (most people don't)

To do this go to Start/Run type cmd and click OK

You should get a Command Prompt (Black window, DOS like)

Type "convert c: /fs:ntfs" without the quotes and hit enter, it might ask you to type volume label (I don't remember) if you don't know what it is click enter as it might be blank. It will fail if volume label is not correct, to find out you volume label type dir in the same window and hit enter you should get something like this

C:\>dir
Volume in drive C has no label.
Volume Serial Number is XXXX-XXXX

Directory of C:\

As you can see my drive has no label. After you type correct vloume label (if required) you'll get confirmation box answer yes and the system will start converting your file system. This might take some time, after this follow my previus instructions for removal and don't forget about Media Player.

I'd still like to find out how I got this thing, any comment are welcome. Thanks!

Michael K. (CCNP, CCDP, MCSE)]]> http://www.dslreports.com/forum/remark,10302760 Fri, 21 May 2004 20:11:37 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10302668 CalamityKen : Even in Safe Mode this thing keeps restarting according to the person I am helping. ]]> http://www.dslreports.com/forum/remark,10302668 Fri, 21 May 2004 19:59:19 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10300842 MrMaster : Go into safemode.]]> http://www.dslreports.com/forum/remark,10300842 Fri, 21 May 2004 16:16:08 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10298791 CalamityKen : In WinXP Home the option to set file permissions is not present so how can this nasty be removed?

Other than booting the XP CD and using the Recovery Console is there an easier method to remove it? ]]> http://www.dslreports.com/forum/remark,10298791 Fri, 21 May 2004 12:03:06 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10296633 JosephStalin : Also, if you are a Windows Media Player user, you will have to re-install it after you get rid of this nasty trojan. ]]> http://www.dslreports.com/forum/remark,10296633 Fri, 21 May 2004 02:47:32 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10295870 anon : This solution will allow you to remove it if you follow my steps! I'd like to know how this thing spreads or how did you get it???

When you try to kill the process it just comes back and all the registry entries you deleted get recreated when it restarts, it can not be deleted because there is a file lock.

This is what you do, find the executable (search for sysupd) it may return many entries but only one is in use, in your %systemroot% folder (c:\winnt or c:\windows). Delete all but the one in %systemroot% cause your system won't let you. (This will work on NT based systems, like 2000 or XP that have NTFS as the file system because it implements file security, other operating systems or 2000 and XP with FAT32 will have to look for other options) Then right click on the remaining sysupd and choose properties, then select security tab and uncheck the box "Allow inheritable permission from parent to propagate to this object" on Win200, on XP there will be something similar, you might have to click advanced to see this option. After you uncheck it you get a box asking you to copy existing permissions, remove them or cancel. Choose remove, then add "everyone" group, and add "system" for both you will select the checkbox to deny "full control", then click apply/ok you might get a confirmation box because you're locking everyone out from accessing this file so the automatic restart of sysupd.exe will not work and get "access denied". Click OK on the confirmation box, at this time even you should get "access denied" when trying to run this file, you can give it a try... After you did that everyone and the system will be denied access, at this time launch task manager (taskmgr.exe) and kill the sysupd.exe process, if you did everything right it will not come back. Optional, at this time you can clean out the registry entry under LOCALMACHINE/software/microsoft/windows/run but if there is no sysupd.exe to execute it won't matter. Now that the process has been successfully killed (verify in Task Manager process list) you can right click on the sysupd file again and select properties, again on security tab and for everyone group select Allow Full control checkbox, leave the system account as is, and click apply/ok . Now delete the last sysupd file and because it is not in use anymore the system will allow you to delete it.

And now you're done. Reboot is not required.

As careful as I'm with things like this, it somehow got on my computer too, that's why I'm writing removal instructions. If some one has any idea, even a guess please reply with your comments. I will try to look for your comments for the next month, Thanks! MK]]> http://www.dslreports.com/forum/remark,10295870 Fri, 21 May 2004 00:00:21 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10284888 bigisle : HOW do I FIND what you are referring to here?

"Anyways, I tried bobr_66062's resolution, "

What was his solution to getting rid of this TROJ.AGENT.L
I need an answer to fix it and get rid of it!

Thank you
Antoinette (bigisle)]]> http://www.dslreports.com/forum/remark,10284888 Wed, 19 May 2004 20:34:24 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10284819 bigisle : How do you know WHAT FILES to DELETE??? You refer to the sysupd.ini "stuff" and the dpusy. "stuff" what exactly is the stuff. I need to know WHAT files to delete. I can't even FIND the sysupd.exe in my registry or in safe mode registry. So I need to know what other file names to look for. Where are you finding this out?
Thank you,
Antoinette]]> http://www.dslreports.com/forum/remark,10284819 Wed, 19 May 2004 20:27:46 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10284802 bigisle : I've got this too. Only Trend Micro House Calls named it:
TROJ.AGENT.L but then it says: C:\WINDOWS\sysupd.exe

I can't find it in my registry not even in safe mode. I have been trying to follow all the posts people put here.
But don't understand a lot of it. I read the previous post and that one is NOT the same virus his is TSCASH.
Also that Pest Patrol did not show any TROJ.AGENT.L
one to find out a fix for.
If you come up with any solutions will you tell me please or post it here. I have gone to Major Geeks who sent me here and also to SpyWare Info. All to no avail thus far. I still have it.
Thank you,
Antoinette (bigisle)]]> http://www.dslreports.com/forum/remark,10284802 Wed, 19 May 2004 20:25:13 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10265046 JosephStalin : Alright, was able to use this guy's solution to delete the sysupd.exe file in my WINNT folder, but I was unable to delete the sysupd.exe files in my other directories which contain spaces.
How do you make it so that the command prompt recognizes spaces?
»computercops.biz/postt36896.html]]> http://www.dslreports.com/forum/remark,10265046 Mon, 17 May 2004 17:17:17 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10260994 JosephStalin : No, it's not the same thing. Same filename of sysupd.exe, but not the same file.
Also, no tstime.exe, so definitely the link you posted is for some other, older malware. ]]> http://www.dslreports.com/forum/remark,10260994 Mon, 17 May 2004 05:25:13 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10254090 John2g : There are removal instructions here:

»pestpatrol.com/PestInfo/t/tscash.asp]]> http://www.dslreports.com/forum/remark,10254090 Sun, 16 May 2004 06:53:00 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10254034 JosephStalin : I got rid of it yesterday (though I was unable to delete the actual Sysupd.exe files) , but it is now back on and I can't seem to disable the process even though I'm following the same steps I did yesterday.
It disabled my Windows Media Player, so I had to reinstall it yet again.

This thing is getting pretty annoying...]]> http://www.dslreports.com/forum/remark,10254034 Sun, 16 May 2004 06:26:10 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10253843 bigisle : I've got it to! All the way here on The Big Island of Hawai'i.
I was referred here by Computer Geeks thank goodness as it is the MOST I have been able to find on this topic.
I need to get it off my computer too. Norton did not find it, nor did Ad Aware prevent it. Trend Micro found it on my computer and yet it can't delete it or clean it. I tried my registry, it does not show up there. Am going to go try to find it and delete it in SAFE MODE but after reading how someone had no success there either, I am perplexed as I don't understand ALL and EVERYTHING that people are writing in this thread. I am printing out ALL of these posts and am going to try it ALL HOPING that something works! Who ever made this virus trojan/worm is a real jerk, on my blank Internet Explorer extra screen that comes up everytime I open up one I get a noise of laughter too from this virus. Yeah they sure got me. I HOPE I can be like some of the few success posts here and get rid of it.
I AM going to TRY!!!
Thank you for all your posts everyone as I had no idea where to go or what to do. I hope something in here works!
WISH ME LUCK!
Aloha
Antoinette
islandantoinette@earthlink.net]]> http://www.dslreports.com/forum/remark,10253843 Sun, 16 May 2004 04:17:54 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10253762 gmillikan : So does anyone know how this is spreading? I was quite surprised when I got it last week since I'm behind a SPI firewall with XP Pro, NAV2002,v8 and with IE6,SP2 set on 'medium' security. I just don't want to be surprised again.]]> http://www.dslreports.com/forum/remark,10253762 Sun, 16 May 2004 03:26:10 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10246720 JosephStalin : I noticed this thing about an hour ago, and am trying all these numerous fixes for it, and have so far been unable to get rid of it. Going to reboot and see if SpywareRemovalHelper's fix fixes my problem.

Edit: It worked, thanks. I was unable to delete the Sysupd.exe files (4 of them) even in Safemode, but I was able to remove the dpusy stuff and the sysupd.ini stuff. After reboot, I had to reinstall Windows Media Player, but so far no problems and I can finally hear music again. ]]> http://www.dslreports.com/forum/remark,10246720 Sat, 15 May 2004 04:08:18 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10203664 anon : I was just curious as to what this process was that was in my MSCONFIG startup, so I stumbled across this thread and I am very surprised! I had no idea that this file does what it does. I was so sure of myself that AdAware and Norton would keep me safe, but no!
Anyways, I tried bobr_66062's resolution, and it worked. I didn't even have to do the last step, because after i deleted it the one occurence out of the reg, and i only found the prefetch within windows directory, it seemed to disapear altogether. Thanks everybody.]]> http://www.dslreports.com/forum/remark,10203664 Mon, 10 May 2004 14:42:07 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10196476 anon : what i did to stop sysupd.exe form eating memory is i removed it from the running processes when it gives u about 5 seconds u open the file in advance using notepad and start typing in anything so its not the same and when u get the chance save the changes to the file it will no longer stay up for long but when u restart the system it will pop up as a command file. but will disappear.]]> http://www.dslreports.com/forum/remark,10196476 Sun, 09 May 2004 16:42:33 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10180603 fractalspher : Reboot into SAFE mode, delete the file, remove it from registry, reboot.

After running Ad-aware, spybot, and hijack this. I went through the same thing with about 10 people at work who all had that bastage file. :mad::mad:
--
FractalSphere - "Maybe it's in the basement, I'll go upstairs and check" - M.C. Escher]]> http://www.dslreports.com/forum/remark,10180603 Fri, 07 May 2004 16:33:52 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10179144 anon : This program is relentless. I got rid of it over a week ago and it just now came back. Does anyone know how it originally gets on their machine? If I can figure out what site I visited to get it in the first place I can simply stay away from that site.]]> http://www.dslreports.com/forum/remark,10179144 Fri, 07 May 2004 13:27:07 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10178083 MrMaster :
said by beamstalk See Profile:
Just had this same worm on a coworkers computer. What I did was first ran find to find sysupd. This found the .pf file and sysupd.exe. Deleted the .pf file then opened task manager stopped sysupd.exe then deleted it.
After that I went through the registry searching for sysupd and deleted everything with that, it was like 2 files and 1 folder.
That seemed to have fixed it all, only took about 15 minutes.
My question is does anyone know how this worm affects the computer itself?


It displays popups and slows the computer down dramatically.

I got my friend's computer fixed but the problem was I had to have him go into safe-mode in order to delete the sucker.
--
Sometimes you just have to do it.]]> http://www.dslreports.com/forum/remark,10178083 Fri, 07 May 2004 11:05:47 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10177849 beamstalk : Just had this same worm on a coworkers computer. What I did was first ran find to find sysupd. This found the .pf file and sysupd.exe. Deleted the .pf file then opened task manager stopped sysupd.exe then deleted it.
After that I went through the registry searching for sysupd and deleted everything with that, it was like 2 files and 1 folder.
That seemed to have fixed it all, only took about 15 minutes.
My question is does anyone know how this worm affects the computer itself?]]> http://www.dslreports.com/forum/remark,10177849 Fri, 07 May 2004 10:36:07 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10169804 MrMaster :
said by chachazz See Profile:
Here is a reference from computer cops; it may help you.
»computercops.biz/postt36896.html


I've read that one and a few other ones. Just curious as to where this started or if it has a real name.

It is very hard helping someone over the phone who hasn't used the registry before.
--
Sometimes you just have to do it.]]> http://www.dslreports.com/forum/remark,10169804 Thu, 06 May 2004 13:44:50 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10169759 chachazz : Here is a reference from computer cops; it may help you.
»computercops.biz/postt36896.html
--
...A journey of a thousand miles starts under one's feet...Lao Tsu]]> http://www.dslreports.com/forum/remark,10169759 Thu, 06 May 2004 13:38:42 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10169576 MrMaster : Can someone tell me if this is new? Also, can someone tell me how one gets this? I have a friend with this on his computer now, he wasn't using a router but I would like to know do you need a hardware or software firewall to stop this?
--
Sometimes you just have to do it.]]> http://www.dslreports.com/forum/remark,10169576 Thu, 06 May 2004 13:16:28 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10161656 anon : Having the same problem as you. Searched entire system and files for references to sysupd.exe and found nothing. It appeared after the Sasser virus.

This process cannot be deleted.]]> http://www.dslreports.com/forum/remark,10161656 Wed, 05 May 2004 17:31:32 EDT Solution to Remove sysupd.exe and dpusys.ini http://www.dslreports.com/forum/remark,10159429 anon : 1. Boot into Safe Mode (f8 whilst booting up)
2. Edit registry and search for sysupd*.* and dpusys*.* Search in lower and uppercase. Delete any keys that you find.
3. Use Explorer to search your hard drive for sysupd*.*, SYSUPD*.*, dpusys*.*, & DPUSYS*.*. Delete any files that the searches find. You'll usually find about 4 or 5 dpusys.ini scattered through your harddrive(this is the nasty script that continues to spawn the sysupd.exe file).
4. Reboot and that little nasty should be gone. As far as I know, other then sucking up virtual memory resources and sometimes affecting shutdown, it will go out to web and download more pop-up ads and advertisements. Malware/Spyware in my opinion is WORSE than spam!

Good luck to you all!!]]> http://www.dslreports.com/forum/remark,10159429 Wed, 05 May 2004 13:08:08 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10157109 thorster8 : I got the sysupd.exe n the dpussy file and i need help to remove them. I use the HiJackthis and i got all this......

Logfile of HijackThis v1.97.7
Scan saved at 2:26:23 AM, on 5/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\sysupd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\NetZero\exec.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfConsole.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe
C:\Program Files\NetZero\exec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »search.windowenhancer.com/nph-WE···arch&kw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »www.windowenhancer.com/searchbar/iev1.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = »search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »my.netzero.net/s/search?r=minisearch
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\winex\v2\winex.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\wincd\wincd.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\wincd\mssearch.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\wincd\msiesh.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [WindowEnhancer] "C:\Program Files\winex\v2\winex.EXE" /U
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - »webmaster.webmaster.com:8000/java/cr.cab
O16 - DPF: JT's Blocks - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Exploder - »download.games.yahoo.com/games/c···tk_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - »download.macromedia.com/pub/shoc···wdir.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - »akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···ient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - »www.installengine.com/engine/isetup.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - »akamai.downloadv3.com/binaries/D···k_XP.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - »a19.g.akamai.net/7/19/7125/4018/···kpie.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···17939815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - »dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - »zone.msn.com/bingame/zuma/defaul···r_v5.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - »download.paltalk.com/webregtest/RegDload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB7D766E-CABC-4D7E-9335-63F118507FDB}: NameServer = 64.136.28.120 64.136.28.133

i just want to make sure which one to remove, cause i dont see some of the log that some other user n here have on mine my log. can u take a look at it before i do anything.....

thank you,]]> http://www.dslreports.com/forum/remark,10157109 Wed, 05 May 2004 05:55:34 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10148434 pcdebb : you were lucky, my first thought was to head to the registry, but the window would close on me (apparently some other nasties on the system did that). I finally got it cleaned off tho]]> http://www.dslreports.com/forum/remark,10148434 Tue, 04 May 2004 11:22:45 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10148417 anon : I am not a regular member of this forum. However, I just got rid of the sysupd.exe file relatively quickly, so I thought I would share my experiences.

1. Go into RegEdit and search for sysupd.exe. I found several occurrences, mostly in the ...\Microsoft\Windows\CurrentVersion\Run tree. I deleted all occurrences of the file in the registry.

2. I went to C:\ and did a file search for *sysupd* and found the C:\WINDOWS\sysupd.exe as well as C:\WINDOWS\PreFetch\SYSUPD.EXE-########.pf (where "########" is some string of digits ... your actual numbers will probably be different).

3. Once you delete the SYSUPD.EXE-########.pf file, then you can kill the sysupd.exe task via the Task Manager, and it won't come back.

I rebooted and everything seems fine. At least, that was my experience.

-- bobr --]]> http://www.dslreports.com/forum/remark,10148417 Tue, 04 May 2004 11:20:44 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10146096 pcdebb : ugh! I have this file on a friend's computer that I've tried to fix with hjt for the last hour. Not only that, this computer has been owned by a few Nachi variants as well as lovesan, plus there are a few other files that wont die, such as ms.exe, and a few scvhost.exe files.

this is going to be a long nite :huh:]]> http://www.dslreports.com/forum/remark,10146096 Tue, 04 May 2004 01:06:31 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10144271 pooploser : Yeah, I just had a run-in with the evil sysupd.exe

I read all of the above fixes, and none of them are a global fix for this. My reccomendation to anyone who also runs into this worm is this:

Reboot in safe mode, then run a whole bunch of spyware removal tools. Also, do a basic search of your computer and registry for anything with "sysupd.exe" in the name. For whatever reason, none of the spyware tools I used even noticed C:\Windows\sysupd.exe nor many other files related to it. To be honest, I'm not even sure if anything that the spyware tools found was directly related to the sysupd problem, but it never hurts :)

In any case, safe mode doesn't let sysupd run itself, so you shouldn't have any problem deleting everything related to it in safe mode. Just make sure you get it all. Good luck!]]> http://www.dslreports.com/forum/remark,10144271 Mon, 03 May 2004 21:43:11 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10140485 anon : I was able to get rid of it rather quickly.

You can't delete a running process. You can't end this process because it restarts itself. You can't hack it out of the registry to prevent it from loading because it will put itself back in.

What you can do is to modify permissions on that file. Since it runs under your username (not as "SYSTEM"), simply deny yourself permission to Write/Execute and reboot. You no longer have permission to run the file, thus it won't run, and it can now be deleted. Delete it, and THEN hack it out of the registry.

Here's the step-by-step on modifying this permission. Perform this procedure at your own risk, and make darned sure what file you're modifying permissions on! If you screw up your system, it's your fault, not mine. That said...

- Start > Run > C:\WINDOWS (or, in Win 2000, C:\WINNT) [enter]
- Locate sysupd.exe and right-click. Select properties.
- Click the "Security" tab. Click the "Advanced..." button.

- This file is probably inheriting its permissions from those established for the C:\WINDOWS folder. Uncheck the "Inherit permissions" box.

- A dialog box will pop up. Click the "Remove" button. The permissions field should now be blank.

- Click the "Add" button and type in your user name in the appropriate field. Press OK.

- Click on your username that now appears in the permissions list and click "Edit".

- Check the "Full Control" box. Then scroll down and un-check "Traverse Folder / Excecute File". This should be the second checkbox down from the top, or so. "OK" out of everything now, and reboot. ]]> http://www.dslreports.com/forum/remark,10140485 Mon, 03 May 2004 14:58:45 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10128377 anon : I think I managed to kill sysupd.exe by reading this thread and following the instructions given by the Gurus here. I booted safe, fixed sysupd with hijackthis and deleted the file from c:/windows.
p.s. Yes, it took me a couple of hours despite all these instructions.]]> http://www.dslreports.com/forum/remark,10128377 Sun, 02 May 2004 01:16:29 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10120475 MystBlade : Its been about 5 days now and it has not come back, I killed it, its not coming back and never will. And I did spend about 2-3 hours trying to get rid of it, but only took me a few minutes once I found all the places it was hiding.

I got BOClean and a nice AV protecting me now.

I have to admit its a nasty one. But a nasty Dead one.

SO I guess I am the one whos laughing
--
Unix/WebSphere Systems Administrator -----count down------- EPIII---- 500 days left-----]]> http://www.dslreports.com/forum/remark,10120475 Sat, 01 May 2004 02:16:19 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10119609 anon : Here is a script to fix/get rid of it. Copy and paste into notepad. Save as RemoveSysUpd.cmd. Runs on Windows NT/2000/XP. Don't have Windows 9x or ME to test it. Note on those DOS based OSs you will need to make it .BAT not .CMD.

You will need DELTREE.EXE and PSKILL.EXE.

Good Luck.

@echo off
if (%1) == () goto usage
Start cmd /c "FOR /L %%v IN (1,1,1000) DO deltree /y sysupd.exe"
Start cmd /c "FOR /L %%p IN (1,1,1000) DO pskill %1"
goto end
:usage
echo.
echo.
echo Usage: RemoveSysUpd 35
echo.
echo Where 35 is the process ID of sysupd.exe. Open task manager and look
echo for the ID number and then restart this script.
echo.
echo Script requires DELTREE.EXE and PSKILL.EXE.
echo.
echo Copy this script, DELTREE.EXE and PSKILL.EXE into WINNT or WINDOWS
echo run the script from a command prompt. When it is done you should look in
echo task manager and see that sysupd.exe is not running. You may now delete
echo its entry from RUN in the registry.
echo.
echo HKLM\Software\Microsoft\Windows\CurrentVersion\Run
echo HKCU\Software\Microsoft\Windows\CurrentVersion\Run
echo.
echo DELTREE is part of MS-DOS 6 or Windows 9x. PSKILL is part of the PSTOOL
echo kit from www.sysinternals.com.
echo.
echo.
:end]]> http://www.dslreports.com/forum/remark,10119609 Sat, 01 May 2004 00:04:55 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10118853 anon : Don't make me laugh. sysupd.exe doesn't give up that easily. If you haven't invested two straight hours of sniffing around for the other versions of it then it will likely come back, if it hasn't already.

1) It will reinstall itself on reboot from one of the HKCU\Software\Microsoft\Windows\CurrentVersion\Run items. But it will reinstall it if it's not there if the program is running.
2) It will reload itself if you try to cancel it from the Task Manager. You can right-mouse click and lower its priority to the lowest setting, though.
3) If you rename it in place (in the Windows folder, for example) it will make another copy of itself. It then appears to try to prevent you from deleting either and without any trickery in the file attributes.
4) There's usually four or five copies of it lying around the hard drive, one in Temporary Internet Files, one in the user's default area, one in Windows and one or two as Prefetch versions (look for *.pf).

What I do is lower its priority, remove all copies but the one running in the Windows folder and then update the registry setting, leaving that Run item in place but renaming it to something like sysupd.exe.CantFindMe. (If you delete the entry, it will just try to heal itself.) Quickly reboot in Safe DOS mode with the F8 thing on restart. In the DOS mode, navigate to the Windows folder, delete the program and then create a c:\windows\sysupd.exe folder and create a file in it. Exit DOS and restart the system. It may try to do that Run but it will just harmlessly display your folder that you've created. Look again across the hard drive and in Task Manager for any other copies, deleting the file if it's there. Reboot again and you should be clean.]]> http://www.dslreports.com/forum/remark,10118853 Fri, 30 Apr 2004 22:15:45 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10095324 MystBlade : sm1bg is a USB mass storage system. You must of connected an external mass storage device or soemthing. If funny though has the server never goes away even if you dont have one connected.
--
Unix/WebSphere Systems Administrator -----count down------- EPIII---- 500 days left-----]]> http://www.dslreports.com/forum/remark,10095324 Wed, 28 Apr 2004 12:36:46 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10095135 DSL_Steve :
said by pcdebb See Profile:
do you know what this is?

C:\WINDOWS\SM1BG.EXE


»www.kephyr.com/filedb/index.php?···ic=SM1BG]]> http://www.dslreports.com/forum/remark,10095135 Wed, 28 Apr 2004 12:12:29 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10094965 pcdebb : do you know what this is?

C:\WINDOWS\SM1BG.EXE]]> http://www.dslreports.com/forum/remark,10094965 Wed, 28 Apr 2004 11:51:45 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10094507 MystBlade : I think its gone. It does not show up anymore in any place.

What I did was and I know this is not a good habbit. I ended the sysupd.exe task 2 times then it give you like a 5 second grace period. In that time you must delete the sysupd.exe file under c:/windows. It took me a few times but it worked. Then after that is gone I went into the regestry and got rid of all other sysupd.exe

Then for the _update.dat file that I could not get rid of. I acutally found a virus program that it works with.
Iam on a 30 day trail of it. I forgot the name I will repost when I get home. But Norton 2004 could not pick it up nor the online house call. All with updated files. BOClean now works great at my motion detector.
--
Unix/WebSphere Systems Administrator -----count down------- EPIII---- 500 days left-----]]> http://www.dslreports.com/forum/remark,10094507 Wed, 28 Apr 2004 10:51:09 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10092981 QuietFusion : Hi,

sysupd.exe is InternetAntispy foistware. First make sure you can see hidden files use this link for help.
»www.xtra.co.nz/help/0,,4155-1916458,00.html

Close ALL browsers and chat programs (e.g. Yahoo, MSN, ICQ)run hijackthis and place a check next to the following:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - »www.fileplanet.com/fpdlmgr/cabs/FPDC_1..
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - »www.napster.com/client/setup.exe
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - »darth/tsweb/msrdp.cab

and click fix. Reboot into safe mode (press f8 during reboot); find and delete the following

File:
C:\WINDOWS\sysupd.exe

That should take care of that, it's wise to do a scan with Ad-aware and Spybot after clean up with Hijackthis.
--
He who hesitates, always loses]]> http://www.dslreports.com/forum/remark,10092981 Wed, 28 Apr 2004 04:23:00 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10092311 lskohn : I just discovered this one also, and I have not gotten any viruses, worms, trojans or malware in years...I found info on it at »www.spywareinfo.com/forums/index···ic=42217 and will try their suggestions to remove it.]]> http://www.dslreports.com/forum/remark,10092311 Wed, 28 Apr 2004 01:00:27 EDT Re: sysupd.exe http://www.dslreports.com/forum/remark,10091910 Gavin_TH : Hi,

Could be a new one, please submit it to the malware archive so we can all get a look at it -

»Malware archive

Then try deleting it from Safe Mode while you wait. If it reappears, its probably a new nasty
--
Gavin Coe
DiamondCS Analyst
»www.diamondcs.com.au
]]> http://www.dslreports.com/forum/remark,10091910 Wed, 28 Apr 2004 00:04:48 EDT sysupd.exe http://www.dslreports.com/forum/remark,10091594 MystBlade : I cant get rid of this for the life of me.
hijackthis log file
________________________________________
Logfile of HijackThis v1.97.7
Scan saved at 8:26:24 PM, on 4/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
G:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\sysupd.exe
\Print\Storage (F)\demos\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [BOCleanautostart] g:\PROGRA~1\NSClean\BOClean\BOClean.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - »www.fileplanet.com/fpdlmgr/cabs/···0_41.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - »office.microsoft.com/officeupdat···opuc.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - »www.napster.com/client/setup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2004···an53.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - »darth/tsweb/msrdp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···34027778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - »tools.ebayimg.com/eps/activex/EP···-3-0.cab

___________________________________________

1) I did a updated virus scan
2) I ran BOSClean and it keeps wanted to delete _updt
3) I ran spybot search and destroy
4) I ran hijackthis and checked fix this and it did nothing also.
5) I have deleted registry keys involving sysupd.exe
They just come back
6) I stopped the service of sysupd.exe but it just restarts
7) I also ran the uninstaller for pepper

Pulling my hair out on what to do next.
--
Unix/WebSphere Systems Administrator -----count down------- EPIII---- 500 days left-----]]> http://www.dslreports.com/forum/remark,10091594 Tue, 27 Apr 2004 23:30:38 EDT