Forums » Up and Running » Security » Security » sysupd.exe


sysfucker

@tisdip.tis

reply to Michae K CCNP CCDP M
Re: sysupd.exe



Thank you, folks.
I killed the file using Safe Mode/regedit/HijackThis.

So far it worked for me, and my antivir no longer
displays the "small/tr.gs.2" trojan warning in the
atpartners.dll located in the system32 folder under win2k.

jesus, fuck sysupd.exe !


jd0601

@66.28.x.x

reply to voevod365
Hi! I experienced the same problem yesterday. It appeared that this program installed VX2.BetterInternet and other spy & adware (keenvalue, favoriteman, Euniverse, etc.) on my computer. Ad-aware 6 deleted the related files, but they kept coming back. It was really frustrating. I tried to stop the process in task manager, but sysupd.exe kept running again. This prevented me from deleting sysupd.exe in my c:/winnt directory.

To fix the problem, I created an empty sysupd.txt file in another directory and then renamed it to sysupd.exe. Then, I ended the sysupd.exe process in task manager and moved my new dummy sysupd.exe file into the c:/winnt directory (you need to see where this program is on your computer). I had to do this quickly, because my computer somehow kept starting sysupd.exe back up.

Once I made sure that sysupd.exe was no longer running, I also found that I had to delete this program from my startup programs. Since I am using winnt, I was able to download a freeware program called autoruns.exe that showed me what programs run on my computer at startup. I deleted sysupd.exe from this list. I found that it was necessary to stop the sysupd.exe process before removing it from my startup list; otherwise, it kept reappearing in my list of startup programs.

Maybe someone can suggest a better solution, but this one worked for me. Once you've solved this problem, run your spy/adware remover again for any applications that VX2 may have installed.

Good luck! There should be something illegal about this sort of thing.


voevod365

@compaq.com

reply to GerhardS
That previous batch file almost worked for me, but after copying pskill to the winnt directory I modified the batch file a little bit. Run this a few times from the cmd prompt and it will kill the process and then remove the file.

@echo off
REM Kill the running sysupd.exe by image name (PSKILL from Sysinternals),
REM then delete the file from the current directory. Run this from WINNT
REM and repeat until Task Manager no longer shows the process.
pskill sysupd.exe
del sysupd.exe
echo.
echo.
echo Usage: RemoveSysUpd 35
echo.
echo Where 35 is the process ID of sysupd.exe. Open task manager and look
echo for the ID number and then restart this script.
echo.
echo Script requires DELTREE.EXE and PSKILL.EXE.
echo.
echo Copy this script, DELTREE.EXE and PSKILL.EXE into WINNT or WINDOWS
echo run the script from a command prompt. When it is done you should look in
echo task manager and see that sysupd.exe is not running. You may now delete
echo its entry from RUN in the registry.
echo.
echo HKLM\Software\Microsoft\Windows\CurrentVersion\Run
echo HKCU\Software\Microsoft\Windows\CurrentVersion\Run
echo.
echo DELTREE is part of MS-DOS 6 or Windows 9x. PSKILL is part of the PSTOOL
echo kit from www.sysinternals.com.
echo.
echo.
:end


Wonko The Sane

@suscom.net

reply to Michae K CCNP CCDP M
Ok, here's how I had to do it to remove this wretched piece of *#$%&. I'm running Windows 2000 on these machines:
1) Install Spybot.
2) Reboot into safe mode (press F8 at that little bar that goes across the window before the splash screen).
3) Edit the registry, do a search for "sysupd"; it'll likely be in /Hkey_local_machine/software/microsoft/windows/current_version/run/. Delete it.
4) Close regedit, and press the restart key on the computer to do a cold reboot (if you don't have a reboot key, then hold down the power button for 10 seconds).
5) Restart in safe mode again, and delete the file c:/winnt/sysupd.exe.
6) Run Spybot/Ad-Aware again, and it'll remove some remaining parts of it.
7) Restart normally.

Hope this helps!
~Wonko The Sane
ebeaar09@email.pct.edu

scarabaeus7

join:2004-05-25
Tallahassee, FL

 reply to MystBlade
Re: sysupd.exe - Possible cause?

Well, this may be a stab in the dark, but Michael said to present ideas even if they are "guesses". I first noticed I was infected when 1) McAfee kept screaming at me while visiting some sites and 2) Ad-Aware came across the "FavoriteMan" hijacker app. I was trying to get rid of "FavoriteMan" (deleting its dlls and supporting files) and it just kept coming back again and again.

I noticed that its .dll (ATpartners.dll, located in my system32 dir) was being modified once per minute. At that point, it led me to believe that a service might be running in the bg. I started ending unknown processes with Task Manager. Once I killed "sysupd.exe", the .dll's modify date stopped changing. I went through and unregistered sysupd.exe, then deleted it from my WINNT directory and system registry along with another entry that kept appearing with it, "lysbsu.exe".

I believe the way that I got infected with FavoriteMan was from loose security permissions in my IE settings. I learned from a few web sites that "FavoriteMan" is an ActiveX "Helper" app that installs while using IE (without prompting) while visiting some unscrupulous sites. The helper app installs in the background and is a pain to get rid of. It also allows for the installation of other pests, possibly sysupd.exe. I have changed my security permissions to "prompt" before running ActiveX objects. Hopefully this will do the trick and keep this pest away. It might be a loose connection between the two, but since I've removed both parasites, I haven't had this problem since. Also, since there are MANY different versions of FavoriteMan, removal varies.

Let me know if I'm even on the map with this, and if so, when you write your whitepaper for MS or Symantec please use the correct spelling. That's 'AEUS' in scarabaeus...

-s


PonyFiveO

@pacbell.n

reply to Michael K CCNP CCDP
Re: sysupd.exe

I have tried for several hours to rid this thing but to no avail. Finally, I ran an un-updated older version of Spybot S&D. Sure enough, it found it and deleted it without any problems. It's been 2 days and it has not come back. For some reason the new updated version often comes back "CONGRATULATIONS NO SPYWARE FOUND", whereas the old version WILL find spyware even when run right after the new version. Weird...


Michael K CCNP CCDP

@speakeasy.n

reply to JosephStalin
"JosephStalin" the user that made the post about Media Player was absolutely right. I have Media Player 6.4 and 7.1, 6.4 the default one that comes with Win2000 was unaffected, the 7.1 would not launch, but instead it executed sysupd.exe and made a copy of it in %systemroot%.

So follow my previous instructions, then reinstall Media Player. I did it, tested, and it works!

I don't know about WinXP and Media Player 9, someone please comment on that.

For the people that have XP or 2000 with FAT32: you can convert your file system to NTFS. This will allow you to have files larger than 4GB, give you file security, and it is overall a better file system. You will not, however, be able to read your hard drive from DOS/Win9X if you have multiple operating systems installed (most people don't).

To do this go to Start/Run type cmd and click OK

You should get a Command Prompt (Black window, DOS like)

Type "convert c: /fs:ntfs" without the quotes and hit enter. It might ask you to type the volume label (I don't remember); if you don't know what it is, hit enter as it might be blank. It will fail if the volume label is not correct; to find out your volume label, type dir in the same window and hit enter. You should get something like this:

C:\>dir
Volume in drive C has no label.
Volume Serial Number is XXXX-XXXX

Directory of C:\

As you can see, my drive has no label. After you type the correct volume label (if required) you'll get a confirmation box; answer yes and the system will start converting your file system. This might take some time. After this, follow my previous instructions for removal and don't forget about Media Player.

I'd still like to find out how I got this thing; any comments are welcome. Thanks!

Michael K. (CCNP, CCDP, MCSE)

CalamityKen

join:2004-01-16
Pickering, ON
reply to MrMaster
Even in Safe Mode this thing keeps restarting according to the person I am helping.


MrMaster

join:2000-12-16
Austin, TX
reply to CalamityKen
Go into safemode.

CalamityKen

join:2004-01-16
Pickering, ON
 reply to Michae K CCNP CCDP M
In WinXP Home the option to set file permissions is not present, so how can this nasty be removed?

Other than booting the XP CD and using the Recovery Console is there an easier method to remove it?


JosephStalin

join:2002-08-08
Springfield, MA
reply to MystBlade
Also, if you are a Windows Media Player user, you will have to re-install it after you get rid of this nasty trojan.


Michae K CCNP CCDP M

@speakeasy.n

 reply to bigisle
This solution will allow you to remove it if you follow my steps! I'd like to know how this thing spreads or how did you get it???

When you try to kill the process it just comes back, and all the registry entries you deleted get recreated when it restarts; it cannot be deleted because there is a file lock.

This is what you do: find the executable (search for sysupd). It may return many entries but only one is in use, in your %systemroot% folder (c:\winnt or c:\windows). Delete all but the one in %systemroot%, because your system won't let you. (This will work on NT-based systems like 2000 or XP that have NTFS as the file system, because it implements file security; other operating systems, or 2000 and XP with FAT32, will have to look for other options.)

Then right-click on the remaining sysupd and choose Properties, then select the Security tab and uncheck the box "Allow inheritable permissions from parent to propagate to this object" on Win2000; on XP there will be something similar, you might have to click Advanced to see this option. After you uncheck it you get a box asking you to copy existing permissions, remove them, or cancel. Choose Remove, then add the "everyone" group, and add "system"; for both you will select the checkbox to deny "full control", then click Apply/OK. You might get a confirmation box because you're locking everyone out from accessing this file, so the automatic restart of sysupd.exe will not work and will get "access denied". Click OK on the confirmation box. At this time even you should get "access denied" when trying to run this file; you can give it a try...

After you did that, everyone and the system will be denied access. At this time launch Task Manager (taskmgr.exe) and kill the sysupd.exe process; if you did everything right it will not come back. Optionally, at this time you can clean out the registry entry under LOCALMACHINE/software/microsoft/windows/run, but if there is no sysupd.exe to execute it won't matter. Now that the process has been successfully killed (verify in the Task Manager process list) you can right-click on the sysupd file again and select Properties, again on the Security tab, and for the everyone group select the Allow Full Control checkbox, leave the system account as is, and click Apply/OK.
Now delete the last sysupd file, and because it is not in use anymore the system will allow you to delete it.

And now you're done. Reboot is not required.

As careful as I am with things like this, it somehow got on my computer too; that's why I'm writing removal instructions. If someone has any idea, even a guess, please reply with your comments. I will try to look for your comments for the next month. Thanks! MK
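Michael K's deny-permissions-then-kill sequence above, scripted as an added PowerShell example (this is not code from the thread, and PowerShell did not exist on the Windows 2000 machines discussed). The file path %SystemRoot%\sysupd.exe, an elevated shell, and ownership of the file by the running account (or its Administrators group) are assumptions.

```powershell
# Added example, not from the thread: Michael K's NTFS deny-then-kill removal,
# scripted. Assumed: the live copy is %SystemRoot%\sysupd.exe, the shell runs
# elevated, and the account (or its Administrators group) owns the file, since
# an owner keeps implicit READ_CONTROL/WRITE_DAC and can undo the deny in step 4.
param([string]$Name = 'sysupd')                 # process and file base name
$target = Join-Path $env:SystemRoot "$Name.exe"
if (-not (Test-Path -LiteralPath $target)) { Write-Host "$target not present"; return }

# 1. Stop inheriting, then deny Everyone and SYSTEM full control so the
#    respawn attempt fails with "access denied".
$acl = Get-Acl -LiteralPath $target
$acl.SetAccessRuleProtection($true, $false)
foreach ($who in 'Everyone', 'SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, 'FullControl', 'Deny')))
}
Set-Acl -LiteralPath $target -AclObject $acl

# 2. Kill the running copy; with the image unreadable it cannot relaunch.
Get-Process -Name $Name -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Sleep -Seconds 3
if (Get-Process -Name $Name -ErrorAction SilentlyContinue) {
    Write-Warning "$Name is still running: something else relaunches it. Stopping."
    return
}

# 3. Remove Run-key autostart values in both hives that point at the file.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { "$($_.Value)" -like "*$Name.exe*" } |
        ForEach-Object {
            Write-Host "Removing $key\$($_.Name) = $($_.Value)"
            Remove-ItemProperty -Path $key -Name $_.Name
        }
}

# 4. Put the DACL back (drop the two explicit Deny ACEs, re-enable inheritance)
#    and delete the file, which is no longer in use.
$acl = Get-Acl -LiteralPath $target
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}
$acl.SetAccessRuleProtection($false, $true)
Set-Acl -LiteralPath $target -AclObject $acl
Remove-Item -LiteralPath $target -Force
Write-Host "Removed $target"
```

If step 2 reports the process still running, a second component is relaunching it (the thread mentions a companion "lysbsu.exe"), and the same deny-then-kill treatment has to be applied to that file first.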

bigisle

join:2004-05-16
Pahoa, HI

reply to Spydrsoft
HOW do I FIND what you are referring to here?

"Anyways, I tried bobr_66062's resolution, "

What was his solution to getting rid of this TROJ.AGENT.L
I need an answer to fix it and get rid of it!

Thank you
Antoinette (bigisle)

bigisle

join:2004-05-16
Pahoa, HI


reply to JosephStalin
How do you know WHAT FILES to DELETE??? You refer to the sysupd.ini "stuff" and the dpusy. "stuff" what exactly is the stuff. I need to know WHAT files to delete. I can't even FIND the sysupd.exe in my registry or in safe mode registry. So I need to know what other file names to look for. Where are you finding this out?
Thank you,
Antoinette

bigisle

join:2004-05-16
Pahoa, HI

reply to JosephStalin
I've got this too. Only Trend Micro HouseCall named it:
TROJ.AGENT.L, but then it says: C:\WINDOWS\sysupd.exe

I can't find it in my registry, not even in safe mode. I have been trying to follow all the posts people put here,
but don't understand a lot of it. I read the previous post and that one is NOT the same virus; his is TSCASH.
Also, Pest Patrol did not show any TROJ.AGENT.L one to find out a fix for.
If you come up with any solutions will you tell me please or post it here. I have gone to Major Geeks who sent me here and also to SpyWare Info. All to no avail thus far. I still have it.
Thank you,
Antoinette (bigisle)


JosephStalin

join:2002-08-08
Springfield, MA


reply to JosephStalin
Alright, was able to use this guy's solution to delete the sysupd.exe file in my WINNT folder, but I was unable to delete the sysupd.exe files in my other directories which contain spaces.
How do you make it so that the command prompt recognizes spaces?
»computercops.biz/postt36896.html


JosephStalin

join:2002-08-08
Springfield, MA
reply to John2g
No, it's not the same thing. Same filename of sysupd.exe, but not the same file.
Also, no tstime.exe, so definitely the link you posted is for some other, older malware.


John2g

join:2001-08-10
England
reply to MystBlade
There are removal instructions here:

»pestpatrol.com/PestInfo/t/tscash.asp


JosephStalin

join:2002-08-08
Springfield, MA

reply to MystBlade
I got rid of it yesterday (though I was unable to delete the actual Sysupd.exe files), but it is now back on and I can't seem to disable the process even though I'm following the same steps I did yesterday.
It disabled my Windows Media Player, so I had to reinstall it yet again.

This thing is getting pretty annoying...

bigisle

join:2004-05-16
Pahoa, HI

reply to MystBlade
I've got it too! All the way here on The Big Island of Hawai'i.
I was referred here by Computer Geeks, thank goodness, as it is the MOST I have been able to find on this topic.
I need to get it off my computer too. Norton did not find it, nor did Ad-Aware prevent it. Trend Micro found it on my computer and yet it can't delete it or clean it. I tried my registry; it does not show up there. I am going to go try to find it and delete it in SAFE MODE, but after reading how someone had no success there either, I am perplexed, as I don't understand ALL and EVERYTHING that people are writing in this thread. I am printing out ALL of these posts and am going to try it ALL, HOPING that something works! Whoever made this virus trojan/worm is a real jerk; on my blank Internet Explorer extra screen that comes up every time I open one up I get a noise of laughter too from this virus. Yeah, they sure got me. I HOPE I can be like some of the few success posts here and get rid of it.
I AM going to TRY!!!
Thank you for all your posts everyone as I had no idea where to go or what to do. I hope something in here works!
WISH ME LUCK!
Aloha
Antoinette
islandantoinette@earthlink.net
Wednesday, 09-Dec 17:30:01 | © 1999-2009 dslreports.com.