SYSU.EXE a new Trojan/Virus?

Nov 29, 2003 10:30AM PST

Hi all,

Windows '98SE Gateway 300, with 128MB ram 8GB HD
My system just became infected with something new. The symptom seems to be, I got a message about a "Its Time! Project1." popup and I cancelled it, didn't click OK. The message was in a loop, never stopped, kept coming up. So I rebooted and when the drivers start loading the screen locks up and all you can do is get to your task manager. So I did a CTRL-ALT-DELETE and I see a SYSU running (no clue what it is), so I highlight it & do an end-task, it never seems to end & actually sometimes I see a 2nd occurrence pop onto the task list, I never get my desktop or ICONS. I got around it by coming up command prompt & deleting SYSU.EXE. That was the easy part. 2 days later, it was back (when it returns it spawns about 10 ADWAREs onto my system also: MSBB, INTERNET Optimizer, n-case, DyFuca, just to name a few, all of which clean up easily with my tools when run). I have Norton A/V 2004 with 11-26 virus def's, I run Ad-Aware daily with the latest 01R235 file & Spybot 1.3 beta 4 with the newest files. I also did an MSCONFIG when I got this "CRAP". I saw two entries in my start-up, both of which were in my Windows system folder, 4249209.EXE & 663350954.EXE. I of course removed both of these because they both looked suspicious & moved the files to recycle bin, as I had no clue what they were. Anyone know more or how to eliminate this "THING"? Bob P., I did the 5 parasites which you recommend always, I run them nearly constantly now.

Thanks,

Steve

If it really is something new..
Nov 29, 2003 10:42AM PST

your best bet would be to rename it to *.txt (or .dat or something not normally executable) instead of deleting it. Compress the file and then send it off to Adaware, Spybot and Symantec (with an explanation of the symptoms). Let the experts look at it.

The next thing is to find out how it keeps getting onto your PC. Email attachment, web page or network? Windows exploit?

Re:If it really is something new..
Nov 29, 2003 11:21AM PST

Hi Keith,

I have sent info to SPY BOT (of course no answer yet). How can I relay this info to Symantec as you suggest? I haven't found a way to inform them; it's like they will tell ME about problems, they don't want to be informed of possible problems. IF I'm wrong please let me know how to contact them.

Steve

Re:Re:If it really is something new..
Nov 29, 2003 11:28AM PST
Re:SYSU.EXE a new Trojan/Virus?
Nov 29, 2003 10:55AM PST
Re:Re:SYSU.EXE a new Trojan/Virus?
Nov 29, 2003 11:33AM PST

Hi Marianna,

1. Ending the process SYSU.EXE is not easy to do, at least with my system, Windows '98SE. When the system reboots & desktop NEVER loads, I can bring up the task manager & I see sysu running, but when I click on it & click end task, it doesn't go away & sometimes a 2nd copy starts, no matter how long I wait for it to end. I actually delete it by coming up in DOS command and deleting it. IS there something else I should do??

2. Keith also said find out what is allowing it to start. Wow if I could do that wouldn't I be the wizard, I was hoping someone here knows something about this & can help me, I have nothing special running, I use IE6 SP1, what can I look for to stop this???

Thanks,

Steve

Re:Re:Re:SYSU.EXE a new Trojan/Virus?
Nov 29, 2003 3:13PM PST

Well, I found a bit more:

go to START > RUN > type : REGEDIT > OK

then search for these files and delete...

HKEY_CLASSES_ROOT\CLSID\{2BC43670-C0BD-4794-BB11-F60F3E001DC5}

HKEY_CLASSES_ROOT\TypeLib\{B4525F3B-718D-49F1-833D-A9974F67AB97}


then reboot and remove the folder in C:\Program Files\dmp

that will solve it ;)

But - do NOT forget to BACKUP your registry first !!

Did you run Ad aware?? Ad aware should find it !!

http://tinyurl.com/x2cb
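
The registry backup suggested above can also be audited as text. The following is an added example, not part of the original posts: it reads a regedit export (REGEDIT4 format) and reports the two keys named in the post, plus startup entries that point at SYSU.EXE or at all-digit executable names like the ones Steve found in msconfig. The sample export, its value names and the DLL path are constructed for illustration.

```python
import re

# Registry keys named in the post above.
KNOWN_KEYS = (
    r"HKEY_CLASSES_ROOT\CLSID\{2BC43670-C0BD-4794-BB11-F60F3E001DC5}",
    r"HKEY_CLASSES_ROOT\TypeLib\{B4525F3B-718D-49F1-833D-A9974F67AB97}",
)
# Startup targets named SYSU.EXE or with an all-digit name, like the
# 4249209.EXE and 663350954.EXE entries reported in this thread.
SUSPECT_EXE = re.compile(r'(?:^|[\\/\s"])(?:sysu|\d+)\.exe\b', re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\w*$", re.IGNORECASE)
VALUE = re.compile(r'^"(.*?)"="(.*)"$')

def audit_export(text):
    """Return (known keys present, suspect startup entries) for a .reg export."""
    found, startup, key = [], [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            for known in KNOWN_KEYS:
                # Match the key itself or any subkey beneath it.
                if (key + "\\").upper().startswith(known.upper() + "\\"):
                    if known not in found:
                        found.append(known)
            continue
        m = VALUE.match(line)
        if m and RUN_KEY.search(key):
            data = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
            if SUSPECT_EXE.search(data):
                startup.append((key, m.group(1), data))
    return found, startup

# Constructed sample export; value names and the DLL path are made up.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"4249209"="C:\\WINDOWS\\SYSTEM\\4249209.EXE"
"sysu"="SYSU.EXE"

[HKEY_CLASSES_ROOT\CLSID\{2BC43670-C0BD-4794-BB11-F60F3E001DC5}\InprocServer32]
@="C:\\PROGRA~1\\DMP\\EXAMPLE.DLL"
"""

if __name__ == "__main__":
    keys, entries = audit_export(SAMPLE_EXPORT)
    for k in keys:
        print("known key present:", k)
    for k, name, data in entries:
        print("suspect startup entry:", name, "->", data)
```

Running the same audit on an export taken after cleanup shows whether the startup entries have come back.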

Download latest NAV virus defs..
Nov 30, 2003 5:17AM PST
using...
Nov 30, 2003 5:21AM PST

Intelligent Updater. LiveUpdate won't have the update until Wednesday.

http://securityresponse.symantec.com/avcenter/venc/data/adware.dynamicupdater.html

Removal Instructions

The following instructions pertain to all Symantec antivirus products that support Expanded Threat detection.

1. Update the virus definitions.
2. Delete the key that was added to the registry.
3. Run a full system scan and delete all the files detected as Adware.DynamicUpdater.

According to your link...
Nov 30, 2003 5:24AM PST

the source of the adware appears to be a Kazaa download and/or a crack. One of the perils of sharing files or downloading from questionable sources.

(NT) Yup !
Nov 30, 2003 6:31AM PST