Is sysupd.exe a viable Windows XP file?
  1. #1
    Join Date
    Dec 2000
    Location
    Springfield, OR
    Posts
    2,950

    Is sysupd.exe a viable Windows XP file?

    I noticed this morning that in my Task Manager sysupd.exe is running under the Process tab. It is also showing and is checkmarked under the Startup tab in msconfig. I found the file in my C:\WINNT folder and it was created on 5/16/2004 and is 150KB in size and shows no version tab or version number. I ran Ad-aware and also ran a NAV 2003 virus scan which is up to date and both came up clean. I then ran HijackThis and here's the log.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:44:58 AM, on 5/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\sysupd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\My Documents\HijackThis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP40\bin\BandObject.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP40\hta\station.sbrt
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...874.6221064815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab

    Any help would be appreciated.

    TIA,
    Tufenuf

  2. #2
    Join Date
    Sep 2001
    Location
    New Zealand
    Posts
    2,869
    Hi Tufenuf, close IE and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/

    O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP40\bin\BandObject.dll (file missing) disabled anyway

    O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe

    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

    When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts), make sure that you can view hidden files and folders and run a search for and delete the below folders/files in bold.

    C:\WINNT\sysupd.exe

    Reboot again and go here and run the online scanner (just to be sure). RAV generates a log file. Please copy the log and post it back in this thread.
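As an added example (not code from anyone in this thread, and not HijackThis's own rules), a small Python script that parses O4 and O2 lines of the kind posted above and flags the cues the second reply's fix list relies on: a Run-key binary sitting directly in the Windows directory root like C:\WINNT\sysupd.exe, a Run entry launched by bare filename, and a BHO whose DLL is missing. The sample lines are copied from the log above; the heuristics are this example's assumptions and mark entries to look at, not verdicts.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP40\bin\BandObject.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200"
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
WINDOWS_DIRS = {"WINNT", "WINDOWS"}  # assumed names of the Windows root directory

def executable_from_command(cmd):
    """Strip arguments from an O4 command line; a quoted path is taken whole."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" /", 1)[0].strip()

def review_reasons(path):
    """Heuristic cues for a Run-key binary: reasons to look closer, not a verdict."""
    p = PureWindowsPath(path)
    reasons = []
    if p.parent == PureWindowsPath("."):
        reasons.append("bare filename: launched via the search path, real location unknown")
    elif len(p.parent.parts) == 2 and p.parent.name.upper() in WINDOWS_DIRS:
        reasons.append("binary sits directly in the Windows root, not System32 or Program Files")
    return reasons

def triage(log_text):
    """Return (line_type, entry_name, path, reason) tuples for entries worth checking."""
    findings = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            path = executable_from_command(m["cmd"])
            for reason in review_reasons(path):
                findings.append(("O4", m["name"], path, reason))
        elif m := O2_RE.match(line):
            if "(file missing)" in m["path"]:
                findings.append(("O2", m["name"], m["path"], "BHO registered but its DLL is missing"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```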

  3. #3
    Join Date
    Feb 2003
    Location
    Minneapolis, MN USA
    Posts
    3,733
    SysUpd
    Sysupd.exe
    WindowsUpd1.exe
    WindowsUpd2.EXE

    PacsPortal calls it "foistware".

    Foistware:
    - Can be anything - but is usually Spy, Ad or Thief-ware
    - Unwanted application programs
    - Common examples are: AOL Instant Messenger, installed with Netscape; MSN Instant Messenger, installed with IE; CyDoor, SaveNow, CommonName, b3d, new.net with Kazaa.
    Last edited by DuaneB; May 23rd, 2004 at 11:42 AM.

  4. #4
    Join Date
    Sep 2001
    Location
    New Zealand
    Posts
    2,869
    Yep, you are probably quite correct Duane. Strange I know but I would prefer that no stones are overturned while I am checking the thread.

  5. #5
    Join Date
    Dec 2000
    Location
    Springfield, OR
    Posts
    2,950
    AnnMarie & Duane, Using HijackThis to Fix the entry:
    O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe

    wouldn't remove it so I did some searching around and finally found a fix. Here's what I had to do to get rid of it which I found out was the "Trojan PSW.Agent.H virus".

    I started the computer in SAFE mode and deleted the "sysupd.exe" and also a file named "_update.exe" which I found out was part of this Trojan. I then edited the registry and deleted the reference to "sysupd.exe". Both of these files could not be deleted in Normal mode but I was able to delete them in SAFE mode. The "sysupd.exe" no longer shows up under the startup tab in msconfig nor the running processes in Task Manager. All is well again and Thanks for the help.

    Tufenuf
