
Hidden program running(?) prevents scandisk and defrag from completing

Discussion in 'Security and Privacy' started by thereuare, 2004/05/06.

Thread Status:
Not open for further replies.
  1. 2004/05/13
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    Adaware

    First I will admit to not having used adaware a lot. I installed it on a system a few weeks ago (first time I used it - downloaded same day). I removed everything I found and the system became unstable. Saying that, the system was poorly anyway. I am willing to reassess my judgement on Adaware. My current judgement was that it was removing registry keys, rather than removing the source applications. Perhaps the vital step I missed out was running a registry clean up utility afterwards.

    Personally, marketing bots are annoying but I'm not too inclined to get hugely upset about them. The main issue is the malicious stuff that may come in under cover of the marketing stuff.

    No, the message isn't a service message. We have a firewall that would block that sort of message (incoming traffic on the NetBIOS service port). I am sure the message is being driven from an IE capture/redirect.

    Thanks for your comments.
     
  2. 2004/05/17
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    Another Tack

    The popup is back. So I'm trying something new:

    Following a post on a different thread, I followed the instructions at this site:

    http://www.geekgirls.com/net_hijacked.htm

    While I was at it, I deleted some spurious apps in the registry:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Hotbar"="C:\\Program Files\\Hotbar\\bin\\4.4.6.0\\HbInst.exe /Upgrade"

    "Belt"="C:\\WINDOWS\\Belt.exe"

    And I changed:

    "RunDLL"="rundll32.exe \"C:\\WINDOWS\\Downloaded Program Files\\bridge.dll\",Load"

    to

    "RunDLL"="rundll32.exe"

    I'll see how that fares.
     
    Last edited: 2004/05/17


  4. 2004/05/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Definitely spyware/malware. I would run both Spybot and Ad-aware on that machine and get rid of everything they find. Then post a HijackThis log. In lieu of doing that, you should be able to uninstall Hotbar from add/remove programs, dump Bridge.dll from IE>tools>Internet Options>TIF settings button>view objects, and make sure belt.exe is not running in task manager, then delete the file.

    Look through the archives and you will see that the above recommendations for Spybot, Ad-aware and HJT have been made and executed many times, rarely with any unwanted results. :)
     
  5. 2004/05/17
    jonnyglobal

    jonnyglobal Inactive

    Joined:
    2004/05/17
    Messages:
    1
    Likes Received:
    0
    Hi everyone. I am new here and found this site attempting to find a solution to the problem where immediately upon starting IE, a window pops up saying:

    Virus Warning!!!
    Sasser_d Worm Detected
    Click OK
    to Scan and Disinfect

    I read this thread but have not seen a clear-cut solution presented. 'Adaware' and 'Spybot Search and Destroy' do not solve this problem. I run both religiously and ran both today, and I am still getting the pop-up.

    Anyone got the final answer on this yet?

    Regards,
    Jonathan
     
  6. 2004/05/17
    Argee

    Argee Inactive

    Joined:
    2004/05/17
    Messages:
    1
    Likes Received:
    0
    Sasser_d worm detected popup

    This is likely a nasty little trojan from a German company called TSCash.

    Start Task Manager and look in the Processes list. If you see a task running called sysupd.exe, that's your boy. The most current version of Ad-aware will not spot it, but Spybot S-D will. Unfortunately, it can't fix it automatically.

    To remove the trojan, first download Hijack This! - you can get it from lots of places - check Google.

    Then:

    - Reboot in Safe mode.

    - Use Hijack This! to fix the autorun line of sysupd.exe

    - Delete sysupd.exe, sysupd.pf, and dpusys.ini (all in /Windows folder, I think)

    That should fix it.
     
  7. 2004/05/17
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    jonnyglobal - do you have the latest version of Spybot? 1.3 and very recent.
     
  8. 2004/05/17
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Belt X Belt.exe Abetterinternet adware related

    and particularly hard to get rid of, because it upgrades itself to prevent us and anti-spyware/anti-virus programs from doing so,
    meaning there are added steps to take rather than just simply fixing a run item, sometimes.

    The run belt item doesn't necessarily mean you are infected with the latest variant. One simple way to check is to take a look at your user agent:
    copy and paste this into IE's address bar
    javascript:navigator.userAgent
    Hit enter or go
    and copy/paste that back here for us please.



    While I respect your attempt to fix your problems, I fail to see why you have not posted a log yet; without one we are all just guessing.
     
  9. 2004/05/17
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    ReggieB
    Your firewall will not stop a Messenger pop-up ad. From Shoot the Messenger: Even if your Windows 2000 or XP machine is safe behind a personal firewall or NAT router, shutting down the Messenger Service is a good idea.

    But, hey, that may or may not be part of your problem. Am only posting this for others reading this thread. :)

    Johanna
     
  10. 2004/05/17
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    johnnyglobal, before we get too far with your problem, could you start your own thread? There is less confusion this way.
     
  11. 2004/05/18
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    Argee = star

    Argee, I think I owe you a beer.

    Yes, sysupd.exe was certainly running on the machine in question. In safe mode I used regedit to remove the autorun line (the only hit for a search of the registry for "sysupd.exe"). Then I deleted sysupd.exe and dpusys.ini. I could not find a sysupd.pf (searched hidden files too).

    sysupd.exe is no longer running on the PC

    Before deleting the dpusys.ini I had a look at it. It was full of references to AV software. It seemed to be information for keyword searches of various antivirus-related topics.
     
  12. 2004/05/23
    thereuare

    thereuare Inactive Thread Starter

    Joined:
    2004/05/06
    Messages:
    17
    Likes Received:
    0
    I was the OP and am following up...

    This is spyware and it's not picked up by Ad-aware or SpyBot. The above poster is correct about sysupd.exe, but this can only be removed in safe mode (otherwise you get the message that it can't be removed because it is running).

    HOWEVER, you must also delete instances of dpusys.exe, as this is the part of the program that re-generates sysupd.exe if it doesn't exist.

    I followed the instructions in THIS THREAD and haven't had a problem for nearly a week.

    Good Luck to everyone else experiencing this issue.
     
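As an added example (not code from any poster in this thread), the following Python script audits an exported Run key for the autorun entries the thread identifies (Hotbar, Belt.exe, bridge.dll via rundll32, sysupd.exe); the .reg text is constructed to mirror the values quoted above and the suspect file names come from the posts, so a practitioner can check a real export the same way before editing anything.

```python
import re

# Constructed sample: a .reg export of the Run key as described in the thread.
# Not a capture from any poster's machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotbar"="C:\\Program Files\\Hotbar\\bin\\4.4.6.0\\HbInst.exe /Upgrade"
"Belt"="C:\\WINDOWS\\Belt.exe"
"RunDLL"="rundll32.exe \"C:\\WINDOWS\\Downloaded Program Files\\bridge.dll\",Load"
"sysupd"="C:\\WINDOWS\\sysupd.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# File names the thread associates with the adware/trojan components.
SUSPECT_NAMES = {"hbinst.exe", "belt.exe", "bridge.dll", "sysupd.exe", "dpusys.exe"}

# A .reg string value line: "name"="data", where \ escapes \ and " inside the data.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_key(reg_text):
    """Return {value_name: command} for every Run key (HKLM or HKCU) in a .reg export."""
    entries = {}
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_run = line.lower().endswith(r'\currentversion\run]')
            continue
        m = _VALUE_RE.match(line)
        if in_run and m:
            entries[unescape(m.group(1))] = unescape(m.group(2))
    return entries


def flag_suspects(entries):
    """Map each Run entry to the sorted list of suspect file names its command references."""
    hits = {}
    for name, cmd in entries.items():
        found = sorted(n for n in SUSPECT_NAMES if n in cmd.lower())
        if found:
            hits[name] = found
    return hits


if __name__ == "__main__":
    for name, found in flag_suspects(parse_run_key(SAMPLE_REG)).items():
        print(f"suspect Run entry {name!r}: references {', '.join(found)}")
```

Entries that match are candidates for review in Safe Mode, as the thread describes; a benign entry such as ctfmon.exe is left unflagged.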