Forums » Up and Running » Security » Security » sysupd.exe
MystBlade
Premium
join:2002-10-21
Lacey, WA

sysupd.exe

I can't get rid of this for the life of me.
HijackThis log file
________________________________________
Logfile of HijackThis v1.97.7
Scan saved at 8:26:24 PM, on 4/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
G:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\sysupd.exe
\Print\Storage (F)\demos\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [BOCleanautostart] g:\PROGRA~1\NSClean\BOClean\BOClean.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - »www.fileplanet.com/fpdlmgr/cabs/···0_41.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - »office.microsoft.com/officeupdat···opuc.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - »www.napster.com/client/setup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2004···an53.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - »darth/tsweb/msrdp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···34027778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - »tools.ebayimg.com/eps/activex/EP···-3-0.cab

___________________________________________

1) I did an updated virus scan.
2) I ran BOClean and it keeps wanting to delete _updt.
3) I ran Spybot Search & Destroy.
4) I ran HijackThis, checked "fix this", and it did nothing either.
5) I have deleted registry keys involving sysupd.exe. They just come back.
6) I stopped the service of sysupd.exe but it just restarts.
7) I also ran the uninstaller for pepper.

Pulling my hair out on what to do next.
--
Unix/WebSphere Systems Administrator-----count down-------EPIII---- 500 days left-----

Gavin_TH

join:2003-04-03
Australia

Hi,

Could be a new one, please submit it to the malware archive so we can all get a look at it -

»Malware archive

Then try deleting it from Safe Mode while you wait. If it reappears, it's probably a new nasty.
--
Gavin Coe
DiamondCS Analyst
»www.diamondcs.com.au


lskohn

join:2000-08-17
Chicago, IL

reply to MystBlade
I just discovered this one also, and I have not gotten any viruses, worms, trojans or malware in years... I found info on it at »www.spywareinfo.com/forums/index···ic=42217 and will try their suggestions to remove it.

QuietFusion

join:2003-09-25
Sandy, UT

Hi,

sysupd.exe is InternetAntispy foistware. First make sure you can see hidden files; use this link for help.
»www.xtra.co.nz/help/0,,4155-1916458,00.html

Close ALL browsers and chat programs (e.g. Yahoo, MSN, ICQ), run HijackThis and place a check next to the following:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - »www.fileplanet.com/fpdlmgr/cabs/FPDC_1..
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - »www.napster.com/client/setup.exe
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - »darth/tsweb/msrdp.cab

and click Fix. Reboot into Safe Mode (press F8 during reboot); find and delete the following

File:
C:\WINDOWS\sysupd.exe

That should take care of it. It's wise to do a scan with Ad-aware and Spybot after cleaning up with HijackThis.
--
He who hesitates, always loses


MystBlade
Premium
join:2002-10-21
Lacey, WA

reply to MystBlade
I think it's gone. It does not show up anymore in any place.

What I did was, and I know this is not a good habit: I ended the sysupd.exe task 2 times, then it gives you like a 5-second grace period. In that time you must delete the sysupd.exe file under C:\Windows. It took me a few times but it worked. Then after that was gone I went into the registry and got rid of all other sysupd.exe entries.

Then for the _update.dat file that I could not get rid of, I actually found a virus program that works with it.
I'm on a 30-day trial of it. I forgot the name; I will repost when I get home. But Norton 2004 could not pick it up, nor could the online HouseCall, all with updated files. BOClean now works great as my motion detector.
--
Unix/WebSphere Systems Administrator-----count down-------EPIII---- 500 days left-----


pcdebb
RIP dadkins
Premium
join:2000-12-03
Tampa, FL
reply to MystBlade
do you know what this is?

C:\WINDOWS\SM1BG.EXE


DSL_Steve
Premium
join:2003-11-28
Woodbury, CT

said by pcdebb:
do you know what this is?

C:\WINDOWS\SM1BG.EXE

»www.kephyr.com/filedb/index.php?···ic=SM1BG


MystBlade
Premium
join:2002-10-21
Lacey, WA

SM1BG is a USB mass storage system. You must have connected an external mass storage device or something. It's funny, though, that the server never goes away even if you don't have one connected.
--
Unix/WebSphere Systems Administrator-----count down-------EPIII---- 500 days left-----


anony-mouse

@speakeasy.n

reply to MystBlade
Don't make me laugh. sysupd.exe doesn't give up that easily. If you haven't invested two straight hours of sniffing around for the other versions of it, then it will likely come back, if it hasn't already.

1) It will reinstall itself on reboot from one of the HKCU\Software\Microsoft\Windows\CurrentVersion\Run items. But it will put that item back if it's not there while the program is running.
2) It will reload itself if you try to cancel it from the Task Manager. You can right-click and lower its priority to the lowest setting, though.
3) If you rename it in place (in the Windows folder, for example), it will make another copy of itself. It then appears to try to prevent you from deleting either, without any trickery in the file attributes.
4) There are usually four or five copies of it lying around the hard drive: one in Temporary Internet Files, one in the user's default area, one in Windows, and one or two as Prefetch versions (look for *.pf).

What I do is lower its priority, remove all copies but the one running in the Windows folder, and then update the registry setting, leaving that Run item in place but renaming it to something like sysupd.exe.CantFindMe. (If you delete the entry, it will just try to heal itself.) Quickly reboot into Safe DOS mode with the F8 thing on restart. In DOS mode, navigate to the Windows folder, delete the program, and then create a c:\windows\sysupd.exe folder and create a file in it. Exit DOS and restart the system. It may try to do that Run, but it will just harmlessly display the folder you've created. Look again across the hard drive and in Task Manager for any other copies, deleting the file if it's there. Reboot again and you should be clean.


CMD-Scripter



Here is a script to fix/get rid of it. Copy and paste it into Notepad and save it as RemoveSysUpd.cmd. It runs on Windows NT/2000/XP. I don't have Windows 9x or ME to test it; note that on those DOS-based OSes you will need to name it .BAT, not .CMD.

You will need DELTREE.EXE and PSKILL.EXE.

Good Luck.

@echo off
rem RemoveSysUpd.cmd - starts two cmd windows side by side: one keeps deleting
rem the file, the other keeps killing the process, so the respawned copy finds
rem no file to reload from. %1 is the process ID of sysupd.exe from Task Manager.
if (%1) == () goto usage
rem %WINDIR% is used so the delete works whatever the current directory is.
Start cmd /c "FOR /L %%v IN (1,1,1000) DO deltree /y %WINDIR%\sysupd.exe"
rem PSKILL also accepts the image name (pskill sysupd), which keeps working
rem after the process respawns under a new PID.
Start cmd /c "FOR /L %%p IN (1,1,1000) DO pskill %1"
goto end
:usage
echo.
echo.
echo Usage: RemoveSysUpd 35
echo.
echo Where 35 is the process ID of sysupd.exe. Open Task Manager and look
echo for the ID number and then restart this script.
echo.
echo Script requires DELTREE.EXE and PSKILL.EXE.
echo.
echo Copy this script, DELTREE.EXE and PSKILL.EXE into WINNT or WINDOWS and
echo run the script from a command prompt. When it is done you should look in
echo Task Manager and see that sysupd.exe is not running. You may now delete
echo its entry from Run in the registry.
echo.
echo HKLM\Software\Microsoft\Windows\CurrentVersion\Run
echo HKCU\Software\Microsoft\Windows\CurrentVersion\Run
echo.
echo DELTREE is part of MS-DOS 6 or Windows 9x. PSKILL is part of the PsTools
echo kit from www.sysinternals.com.
echo.
echo.
:end


MystBlade
Premium
join:2002-10-21
Lacey, WA

reply to anony-mouse
It's been about 5 days now and it has not come back. I killed it; it's not coming back and never will. And I did spend about 2-3 hours trying to get rid of it, but it only took me a few minutes once I found all the places it was hiding.

I got BOClean and a nice AV protecting me now.

I have to admit it's a nasty one. But a nasty dead one.

So I guess I am the one who's laughing.
--
Unix/WebSphere Systems Administrator-----count down-------EPIII---- 500 days left-----


bvb09

@verizon.net

I think I managed to kill sysupd.exe by reading this thread and following the instructions given by the gurus here. I booted into Safe Mode, fixed sysupd with HijackThis and deleted the file from C:\Windows.
P.S. Yes, it took me a couple of hours despite all these instructions.


Die Spyware

@ubmofwa.com

reply to MystBlade
I was able to get rid of it rather quickly.

You can't delete a running process. You can't end this process because it restarts itself. You can't hack it out of the registry to prevent it from loading because it will put itself back in.

What you can do is to modify permissions on that file. Since it runs under your username (not as "SYSTEM"), simply deny yourself permission to Write/Execute and reboot. You no longer have permission to run the file, thus it won't run, and it can now be deleted. Delete it, and THEN hack it out of the registry.

Here's the step-by-step on modifying this permission. Perform this procedure at your own risk, and make darned sure what file you're modifying permissions on! If you screw up your system, it's your fault, not mine. That said...

- Start > Run > C:\WINDOWS (or, in Win 2000, C:\WINNT) [enter]
- Locate sysupd.exe and right-click. Select properties.
- Click the "Security" tab. Click the "Advanced..." button.

- This file is probably inheriting its permissions from those established for the C:\WINDOWS folder. Uncheck the "Inherit permissions" box.

- A dialog box will pop up. Click the "Remove" button. The permissions field should now be blank.

- Click the "Add" button and type in your user name in the appropriate field. Press OK.

- Click on your username that now appears in the permissions list and click "Edit".

- Check the "Full Control" box. Then scroll down and un-check "Traverse Folder / Execute File". This should be the second checkbox down from the top, or so. "OK" out of everything now, and reboot.

pooploser

join:2004-05-03
Madison, WI

reply to MystBlade
Yeah, I just had a run-in with the evil sysupd.exe

I read all of the above fixes, and none of them are a global fix for this. My recommendation to anyone who also runs into this worm is this:

Reboot in Safe Mode, then run a whole bunch of spyware removal tools. Also, do a basic search of your computer and registry for anything with "sysupd.exe" in the name. For whatever reason, none of the spyware tools I used even noticed C:\Windows\sysupd.exe nor many other files related to it. To be honest, I'm not even sure if anything that the spyware tools found was directly related to the sysupd problem, but it never hurts.

In any case, safe mode doesn't let sysupd run itself, so you shouldn't have any problem deleting everything related to it in safe mode. Just make sure you get it all. Good luck!


pcdebb
RIP dadkins
Premium
join:2000-12-03
Tampa, FL

reply to MystBlade
Ugh! I have this file on a friend's computer that I've tried to fix with HJT for the last hour. Not only that, this computer has been owned by a few Nachi variants as well as Lovesan, plus there are a few other files that won't die, such as ms.exe and a few scvhost.exe files.

This is going to be a long night.


bobr_66062

@65.66.x.x

reply to MystBlade
I am not a regular member of this forum. However, I just got rid of the sysupd.exe file relatively quickly, so I thought I would share my experiences.

1. Go into RegEdit and search for sysupd.exe. I found several occurrences, mostly in the ...\Microsoft\Windows\CurrentVersion\Run tree. I deleted all occurrences of the file in the registry.

2. I went to C:\ and did a file search for *sysupd* and found the C:\WINDOWS\sysupd.exe as well as C:\WINDOWS\PreFetch\SYSUPD.EXE-########.pf (where "########" is some string of digits ... your actual numbers will probably be different).

3. Once you delete the SYSUPD.EXE-########.pf file, then you can kill the sysupd.exe task via the Task Manager, and it won't come back.

I rebooted and everything seems fine. At least, that was my experience.

-- bobr --


pcdebb
RIP dadkins
Premium
join:2000-12-03
Tampa, FL
reply to MystBlade
You were lucky. My first thought was to head to the registry, but the window would close on me (apparently some other nasties on the system did that). I finally got it cleaned off though.

thorster8

join:2004-05-05
Oroville, CA

reply to MystBlade
I got the sysupd.exe and the dpussy file and I need help to remove them. I used HijackThis and I got all this:

Logfile of HijackThis v1.97.7
Scan saved at 2:26:23 AM, on 5/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\sysupd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\NetZero\exec.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfConsole.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe
C:\Program Files\NetZero\exec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »search.windowenhancer.com/nph-WE···arch&kw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »www.windowenhancer.com/searchbar/iev1.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = »search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »my.netzero.net/s/search?r=minisearch
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\winex\v2\winex.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\wincd\wincd.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\wincd\mssearch.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\wincd\msiesh.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [WindowEnhancer] "C:\Program Files\winex\v2\winex.EXE" /U
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - »webmaster.webmaster.com:8000/java/cr.cab
O16 - DPF: JT's Blocks - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Exploder - »download.games.yahoo.com/games/c···tk_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - »download.macromedia.com/pub/shoc···wdir.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - »akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···ient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - »www.installengine.com/engine/isetup.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - »akamai.downloadv3.com/binaries/D···k_XP.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - »a19.g.akamai.net/7/19/7125/4018/···kpie.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···17939815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - »dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - »zone.msn.com/bingame/zuma/defaul···r_v5.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - »download.paltalk.com/webregtest/RegDload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB7D766E-CABC-4D7E-9335-63F118507FDB}: NameServer = 64.136.28.120 64.136.28.133

I just want to make sure which ones to remove, because I don't see some of the log entries that other users here have in my log. Can you take a look at it before I do anything?

Thank you,
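The triage QuietFusion did by hand on the first log in this thread, and that the log above needs, can be scripted. The following is an added example by the editor, not code from the thread or from HijackThis itself: it parses HijackThis item lines and flags the patterns discussed here (an autorun whose executable sits directly in C:\WINDOWS rather than System32 or Program Files, BHO or toolbar entries whose file is missing, IE start/search pages served from a local res:// DLL, hosts-file redirects and NameServer overrides). The sample lines are copied from the two logs posted in this thread; the rules and the function name Get-HjtFinding are the editor's. It assumes PowerShell 3.0 or later, which is newer than the XP SP1 systems in the thread.

```powershell
# Added example (not from the thread): first-pass triage of HijackThis log lines.
# Sample lines are taken from the two logs in this thread; the rules are the
# editor's heuristics, not anything HijackThis does itself.

$sampleLog = @'
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB7D766E-CABC-4D7E-9335-63F118507FDB}: NameServer = 64.136.28.120 64.136.28.133
'@

function Get-HjtFinding {
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    foreach ($line in $Lines) {
        # Every HijackThis item starts with a section code (R0-R3, O1-O23) and " - ".
        if ($line -match '^(?<code>[RO]\d+) - (?<body>.+)$') {
            $code = $Matches.code
            $body = $Matches.body
        } else {
            continue
        }
        $reason = $null

        switch -Regex ($code) {
            '^O4$' {
                # Autorun whose target is an .exe directly in the Windows folder, where
                # sysupd.exe and wupdt.exe live. Filenames with a further backslash
                # (System32\...) do not match.
                if ($body -match '\]\s+"?(?<target>[A-Za-z]:\\WINDOWS\\[^\\"\s]+\.exe)') {
                    $reason = "autorun executable in Windows root: $($Matches.target)"
                }
            }
            '^O[23]$' {
                if ($body -match '\((no file|file missing)\)') {
                    $reason = 'BHO/toolbar registration whose file is missing (dead entry, safe to fix)'
                }
            }
            '^R[0-3]$' {
                if ($body -match 'res://[^/\s]+\.dll') {
                    $reason = 'IE start/search page served from a local DLL resource (hijack)'
                }
            }
            '^O1$'  { $reason = 'hosts-file redirect of a search domain' }
            '^O17$' { $reason = 'DNS server override; confirm it matches the ISP' }
        }

        if ($reason) {
            [pscustomobject]@{ Code = $code; Reason = $reason; Line = $line }
        }
    }
}

Get-HjtFinding -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize -Wrap
```

A hit is a review item, not a verdict: the same Windows-root rule would flag SM1BG.EXE from the first log, which pcdebb asked about above and which turned out to be a legitimate component. Paste a whole log into $sampleLog, or pipe Get-Content of a saved log to -Lines, and read the flagged lines against the rest of the thread before fixing anything.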


SpywareRemovalHelper

@army.mil

reply to pcdebb
Solution to remove sysupd.exe and dpusys.ini

1. Boot into Safe Mode (F8 whilst booting up).
2. Edit the registry and search for sysupd*.* and dpusys*.*. Search in both lower and upper case. Delete any keys that you find.
3. Use Explorer to search your hard drive for sysupd*.*, SYSUPD*.*, dpusys*.* and DPUSYS*.*. Delete any files that the searches find. You'll usually find about 4 or 5 dpusys.ini files scattered through your hard drive (this is the nasty script that continues to spawn the sysupd.exe file).
4. Reboot and that little nasty should be gone. As far as I know, other than sucking up virtual memory resources and sometimes affecting shutdown, it will go out to the web and download more pop-up ads and advertisements. Malware/spyware in my opinion is WORSE than spam!

Good luck to you all!!
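The removal steps spread across the posts by anony-mouse, Die Spyware, bobr_66062 and SpywareRemovalHelper above, put into one PowerShell script. This is an added example by the editor, not the thread's or any vendor's code. It assumes PowerShell 3.0 or later (newer than the XP SP1 machines in the thread) on an NTFS volume, an elevated prompt, and the names sysupd and dpusys reported here; the function names are the editor's. Run it without -Remove first to see what it would touch. With -Remove the order is: deny Execute on every .exe copy found (Die Spyware's trick), kill the process in a loop because it respawns (anony-mouse), delete the Run values, then the files including the Prefetch .pf entries (bobr_66062).

```powershell
# Added example (not from the thread): the manual procedure from the posts above as
# one script. Assumptions: PowerShell 3.0 or later, an elevated prompt, NTFS, and
# the names sysupd / dpusys reported in this thread. Without -Remove it only reports.
param(
    [string[]]$Names = @('sysupd', 'dpusys'),
    [switch]$Remove
)

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
# Properties Get-ItemProperty adds for the provider; everything else is a real value.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SuspectRunValue {
    # Autorun values whose data mentions one of the names (step 1 of bobr_66062's post).
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            foreach ($n in $Names) {
                if ("$($p.Value)" -match [regex]::Escape($n)) {
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Data = $p.Value }
                }
            }
        }
    }
}

function Get-SuspectFile {
    # Copies reported in the thread: %WINDIR% itself, %WINDIR%\Prefetch (*.pf) and the
    # user's profile (Temporary Internet Files). Recursing %WINDIR% covers Prefetch.
    foreach ($n in $Names) {
        Get-ChildItem -Path $env:WINDIR, $env:USERPROFILE -Recurse -Force -Filter "$n*" -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
    }
}

function Deny-Execute([string]$File) {
    # Die Spyware's trick as an explicit Deny ACE: ExecuteFile is refused for the current
    # user whatever C:\WINDOWS inherits, while the Delete right stays available.
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $me, 'ExecuteFile', 'Deny'
    $acl = Get-Acl -Path $File
    $acl.AddAccessRule($deny)
    Set-Acl -Path $File -AclObject $acl
}

$values = @(Get-SuspectRunValue)
$files  = @(Get-SuspectFile)
$values | Format-Table -AutoSize
$files  | Select-Object FullName, Length | Format-Table -AutoSize
if (-not $Remove) { return }

foreach ($f in ($files | Where-Object { $_.Extension -eq '.exe' })) { Deny-Execute $f.FullName }

# sysupd.exe respawns itself (anony-mouse); keep killing until no copy is running.
for ($i = 0; $i -lt 50; $i++) {
    $procs = @(Get-Process | Where-Object { $Names -contains $_.ProcessName })
    if ($procs.Count -eq 0) { break }
    $procs | Stop-Process -Force -ErrorAction SilentlyContinue
    Start-Sleep -Milliseconds 200
}

foreach ($v in $values) { Remove-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction Continue }
foreach ($f in $files)  { Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Continue }
```

Safe Mode is still the safer place for the -Remove pass, as several posts note: nothing in the script stops the program from rewriting a Run value between the kill loop and the registry cleanup, and the Deny ACE only matters once the running copy is gone. Re-run without -Remove after a reboot; an empty report is the check that it did not come back.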


GerhardS

@bellsouth.net
reply to MystBlade
Re: sysupd.exe

Having the same problem as you. Searched entire system and files for references to sysupd.exe and found nothing. It appeared after the Sasser virus.

This process cannot be deleted.
Monday, 09-Nov 17:51:46 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.