  MrMaster What If Premium join:2000-12-16 Austin, TX clubs:
·RoadRunner Cable
| reply to MystBlade Re: sysupd.exe
Can someone tell me if this is new? Also, can someone tell me how one gets this? I have a friend with this on his computer now, he wasn't using a router but I would like to know do you need a hardware or software firewall to stop this? -- Sometimes you just have to do it. |
|
  chachazz Premium join:2003-12-14 | Here is a reference from computer cops; it may help you. »computercops.biz/postt36896.html -- ...A journey of a thousand miles starts under one's feet...Lao Tsu |
|
  MrMaster What If Premium join:2000-12-16 Austin, TX clubs:
·RoadRunner Cable
| said by chachazz : Here is a reference from computer cops; it may help you. »computercops.biz/postt36896.html
I've read that one and a few other ones. Just curious as to where this started or if it has a real name.
It is very hard helping someone over the phone who hasn't used the registry before. -- Sometimes you just have to do it. |
|
 beamstalk
join:2004-05-07 Mcalester, OK
| reply to MystBlade Just had this same worm on a coworker's computer. What I did was first ran find to find sysupd. This found the .pf file and sysupd.exe. Deleted the .pf file then opened task manager stopped sysupd.exe then deleted it. After that I went through the registry searching for sysupd and deleted everything with that, it was like 2 files and 1 folder. That seemed to have fixed it all, only took about 15 minutes. My question is does anyone know how this worm affects the computer itself? |
|
  MrMaster What If Premium join:2000-12-16 Austin, TX clubs:
·RoadRunner Cable
| said by beamstalk : Just had this same worm on a coworker's computer. What I did was first ran find to find sysupd. This found the .pf file and sysupd.exe. Deleted the .pf file then opened task manager stopped sysupd.exe then deleted it. After that I went through the registry searching for sysupd and deleted everything with that, it was like 2 files and 1 folder. That seemed to have fixed it all, only took about 15 minutes. My question is does anyone know how this worm affects the computer itself?
It displays popups and slows the computer down dramatically.
I got my friend's computer fixed but the problem was I had to have him go into safe-mode in order to delete the sucker. -- Sometimes you just have to do it. |
|
  Semiwahtsit
@comcast.net
| reply to MystBlade This program is relentless. I got rid of it over a week ago and it just now came back. Does anyone know how it originally gets on their machine? If I can figure out what site I visited to get it in the first place I can simply stay away from that site. |
|
  fractalspher
join:2001-07-17 Chicago, IL clubs:
| reply to MystBlade Reboot into SAFE mode, delete the file, remove it from registry, reboot.
After running Ad-aware, spybot, and hijack this. I went through the same thing with about 10 people at work who all had that bastage file.   -- FractalSphere - "Maybe it's in the basement, I'll go upstairs and check" - M.C. Escher |
|
  namsu2430
@livi.blu
| reply to GerhardS what i did to stop sysupd.exe from eating memory is i removed it from the running processes when it gives u about 5 seconds u open the file in advance using notepad and start typing in anything so its not the same and when u get the chance save the changes to the file it will no longer stay up for long but when u restart the system it will pop up as a command file. but will disappear. |
|
  Spydrsoft
| reply to bobr_66062 I was just curious as to what this process was that was in my MSCONFIG startup, so I stumbled across this thread and I am very surprised! I had no idea that this file does what it does. I was so sure of myself that AdAware and Norton would keep me safe, but no! Anyways, I tried bobr_66062's resolution, and it worked. I didn't even have to do the last step, because after I deleted the one occurrence out of the reg, and I only found the prefetch within windows directory, it seemed to disappear altogether. Thanks everybody. |
|
  JosephStalin
join:2002-08-08 Springfield, MA
1 edit | reply to MystBlade I noticed this thing about an hour ago, and am trying all these numerous fixes for it, and have so far been unable to get rid of it. Going to reboot and see if SpywareRemovalHelper's fix fixes my problem.
Edit: It worked, thanks. I was unable to delete the Sysupd.exe files (4 of them) even in Safemode, but I was able to remove the dpusy stuff and the sysupd.ini stuff. After reboot, I had to reinstall Windows Media Player, but so far no problems and I can finally hear music again. |
|
 gmillikan
join:2001-11-28 Westlake Village, CA | reply to MystBlade So does anyone know how this is spreading? I was quite surprised when I got it last week since I'm behind a SPI firewall with XP Pro, NAV2002,v8 and with IE6,SP2 set on 'medium' security. I just don't want to be surprised again. |
|
 bigisle
join:2004-05-16 Pahoa, HI
| reply to MystBlade I've got it too! All the way here on The Big Island of Hawai'i. I was referred here by Computer Geeks thank goodness as it is the MOST I have been able to find on this topic. I need to get it off my computer too. Norton did not find it, nor did Ad Aware prevent it. Trend Micro found it on my computer and yet it can't delete it or clean it. I tried my registry, it does not show up there. Am going to go try to find it and delete it in SAFE MODE but after reading how someone had no success there either, I am perplexed as I don't understand ALL and EVERYTHING that people are writing in this thread. I am printing out ALL of these posts and am going to try it ALL HOPING that something works! Whoever made this virus trojan/worm is a real jerk, on my blank Internet Explorer extra screen that comes up every time I open up one I get a noise of laughter too from this virus. Yeah they sure got me. I HOPE I can be like some of the few success posts here and get rid of it. I AM going to TRY!!! Thank you for all your posts everyone as I had no idea where to go or what to do. I hope something in here works! WISH ME LUCK! Aloha Antoinette islandantoinette@earthlink.net |
|
  JosephStalin
join:2002-08-08 Springfield, MA
| reply to MystBlade I got rid of it yesterday (though I was unable to delete the actual Sysupd.exe files) , but it is now back on and I can't seem to disable the process even though I'm following the same steps I did yesterday. It disabled my Windows Media Player, so I had to reinstall it yet again.
This thing is getting pretty annoying... |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England | reply to MystBlade There are removal instructions here:
»pestpatrol.com/PestInfo/t/tscash.asp |
|
  JosephStalin
join:2002-08-08 Springfield, MA | No, it's not the same thing. Same filename of sysupd.exe, but not the same file. Also, no tstime.exe, so definitely the link you posted is for some other, older malware. |
|
  JosephStalin
join:2002-08-08 Springfield, MA
1 edit | Alright, was able to use this guy's solution to delete the sysupd.exe file in my WINNT folder, but I was unable to delete the sysupd.exe files in my other directories which contain spaces. How do you make it so that the command prompt recognizes spaces? »computercops.biz/postt36896.html |
|
 bigisle
join:2004-05-16 Pahoa, HI
| I've got this too. Only Trend Micro House Calls named it: TROJ.AGENT.L but then it says: C:\WINDOWS\sysupd.exe
I can't find it in my registry not even in safe mode. I have been trying to follow all the posts people put here. But don't understand a lot of it. I read the previous post and that one is NOT the same virus his is TSCASH. Also that Pest Patrol did not show any TROJ.AGENT.L one to find out a fix for. If you come up with any solutions will you tell me please or post it here. I have gone to Major Geeks who sent me here and also to SpyWare Info. All to no avail thus far. I still have it. Thank you, Antoinette (bigisle) |
|
 bigisle
join:2004-05-16 Pahoa, HI
2 edits | reply to JosephStalin How do you know WHAT FILES to DELETE??? You refer to the sysupd.ini "stuff" and the dpusy. "stuff" what exactly is the stuff. I need to know WHAT files to delete. I can't even FIND the sysupd.exe in my registry or in safe mode registry. So I need to know what other file names to look for. Where are you finding this out? Thank you, Antoinette |
|
 bigisle
join:2004-05-16 Pahoa, HI
| reply to Spydrsoft HOW do I FIND what you are referring to here?
"Anyways, I tried bobr_66062's resolution, "
What was his solution to getting rid of this TROJ.AGENT.L I need an answer to fix it and get rid of it!
Thank you Antoinette (bigisle) |
|
  Michae K CCNP CCDP M
@speakeasy.n
| This solution will allow you to remove it if you follow my steps! I'd like to know how this thing spreads or how did you get it???
When you try to kill the process it just comes back and all the registry entries you deleted get recreated when it restarts, it can not be deleted because there is a file lock.
This is what you do, find the executable (search for sysupd) it may return many entries but only one is in use, in your %systemroot% folder (c:\winnt or c:\windows). Delete all but the one in %systemroot% cause your system won't let you. (This will work on NT based systems, like 2000 or XP that have NTFS as the file system because it implements file security, other operating systems or 2000 and XP with FAT32 will have to look for other options)
Then right click on the remaining sysupd and choose properties, then select security tab and uncheck the box "Allow inheritable permission from parent to propagate to this object" on Win2000, on XP there will be something similar, you might have to click advanced to see this option. After you uncheck it you get a box asking you to copy existing permissions, remove them or cancel. Choose remove, then add "everyone" group, and add "system" for both you will select the checkbox to deny "full control", then click apply/ok you might get a confirmation box because you're locking everyone out from accessing this file so the automatic restart of sysupd.exe will not work and get "access denied". Click OK on the confirmation box, at this time even you should get "access denied" when trying to run this file, you can give it a try...
After you did that everyone and the system will be denied access, at this time launch task manager (taskmgr.exe) and kill the sysupd.exe process, if you did everything right it will not come back. Optional, at this time you can clean out the registry entry under LOCALMACHINE/software/microsoft/windows/run but if there is no sysupd.exe to execute it won't matter.
Now that the process has been successfully killed (verify in Task Manager process list) you can right click on the sysupd file again and select properties, again on security tab and for everyone group select Allow Full control checkbox, leave the system account as is, and click apply/ok.
Now delete the last sysupd file and because it is not in use anymore the system will allow you to delete it.
And now you're done. Reboot is not required.
As careful as I am with things like this, it somehow got on my computer too, that's why I'm writing removal instructions. If someone has any idea, even a guess please reply with your comments. I will try to look for your comments for the next month, Thanks! MK |
|
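The deny-ACL procedure from the post above, scripted for a current Windows system; this is an added example, not part of the original thread. It assumes an elevated PowerShell prompt, an NTFS volume, and the `icacls` tool, none of which the Windows 2000/XP machines in the thread would have had in this form; the file name and locations are the ones the posters report, and the Run key is written with its standard full path.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
$name     = 'sysupd.exe'
$inUse    = Join-Path $env:SystemRoot $name   # the locked copy described in the post
$everyone = '*S-1-1-0'                        # well-known SID: Everyone
$system   = '*S-1-5-18'                       # well-known SID: SYSTEM

# 1. Find every copy and delete all but the in-use one in %SystemRoot%.
#    -LiteralPath copes with directory names that contain spaces.
Get-ChildItem -Path "$env:SystemDrive\" -Filter $name -File -Recurse -Force `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ne $inUse } |
    ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force }

# 2. Drop inherited permissions, then deny Full Control to Everyone and
#    SYSTEM so the file can no longer be launched again.
icacls $inUse /inheritance:r
icacls $inUse /deny "${everyone}:(F)" "${system}:(F)"

# 3. Kill the process and confirm it does not come back.
Stop-Process -Name 'sysupd' -Force -ErrorAction SilentlyContinue
Start-Sleep -Seconds 10
if (Get-Process -Name 'sysupd' -ErrorAction SilentlyContinue) {
    throw 'sysupd.exe restarted; the deny ACL is not in effect.'
}

# 4. Optional: remove Run-key values whose data points at the file.
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$key = Get-Item -Path $run
foreach ($valueName in $key.GetValueNames()) {
    if ($valueName -and "$($key.GetValue($valueName))" -like '*sysupd*') {
        Remove-ItemProperty -Path $run -Name $valueName
    }
}

# 5. Lift the deny for Everyone (SYSTEM stays denied, as in the post),
#    then delete the last copy now that nothing holds it open.
icacls $inUse /remove:d $everyone
icacls $inUse /grant "${everyone}:(F)"
Remove-Item -LiteralPath $inUse -Force
```

If step 5 reports access denied, the account running the script is not the file's owner; `takeown /F` on the file restores the right to edit its ACL.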