Real-World Example: Detecting and Removing sysupd.exe Spyware using EndTask

This article walks through a real-world example of removing spyware with EndTask. The spyware detected and removed here is called sysupd.exe, a difficult-to-remove spyware that even some antivirus programs could not remove. Read more about it here.

Detection

1. First, the EndTask Internet Monitor showed that the Internet connection was active (bytes being sent and received) even while we were not using it.
2. Searching the EndTask process list, we found a mysterious program called sysupd.exe. It stood out for the following reasons:
  • The file carries no version information (no company name, no description), yet it sits in the Windows system directory, where legitimate system binaries normally are versioned.
  • The program has no visible window.
  • The program is configured to run automatically when Windows starts.
  • Inspecting the process memory turned up paths to the Internet Explorer history directory. Ordinary programs have no need for system-related paths like this; spyware uses them to harvest users' private information (browsing history, in this case).
  • Installing a real-time hook revealed further harmful behaviour, such as the program installing a keyboard hook (the mechanism a keylogger uses to capture keystrokes).


Normal Removal

1. We tried to remove it from start-up, but that failed: the program re-adds itself to the Windows start-up list as soon as the entry is removed. This is easy to see in the detailed Risk Monitor log (Activity Log tab in the screenshot above): the program accesses the Run key in the Registry periodically (this key lists the programs that run at Windows start-up).
2. We tried to terminate it with Windows Task Manager, but that failed too: the program relaunches itself as soon as it is terminated. On Windows 98, the CTRL+ALT+DEL applet did not even list it.
3. We tried to delete the file, but that failed as well, because the running process kept it in use.
All of this made us suspect it even more.

Removal using EndTask

Using EndTask's Advanced Task Manager, we right-clicked the process in the processes list and chose "Quarantine -> Move To Quarantine". EndTask terminated the program and renamed its file so quickly that the program had no chance to relaunch itself: a restart by path finds nothing to execute. With the program no longer running, we were able to remove it from the Windows start-up list.
Afterwards the Internet connection was no longer active during idle times. The spyware had been isolated successfully.
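The detection indicators and the quarantine sequence described above, as an added PowerShell example. This is not EndTask's code and not from the original article; it assumes a current Windows host with PowerShell 5.1 or later, an elevated prompt, and that the spyware relaunches itself by its original path. The Authenticode check and the three-indicator threshold are additions of this example, and it renames the image before terminating the process (the article describes terminate-then-rename; renaming first removes the race entirely, since Windows allows a running executable to be renamed on the same volume but not deleted). The image name sysupd.exe is the article's sample.

```powershell
# Added triage/quarantine example, not EndTask code. Run elevated.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Every Run-key value as Key/Name/Command, skipping PowerShell's own PS* metadata.
function Get-AutorunEntries {
    foreach ($k in $RunKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
}

# Score one process against the article's indicators plus a signature check.
function Get-SuspicionReasons {
    param([System.Diagnostics.Process]$Proc, [object[]]$Autoruns)
    try { $path = $Proc.Path } catch { return @() }     # protected/system processes
    if (-not $path) { return @() }
    $reasons = @()
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    if ([string]::IsNullOrWhiteSpace($vi.CompanyName) -and
        [string]::IsNullOrWhiteSpace($vi.FileDescription)) { $reasons += 'no version info' }
    if ($path -like "$env:WINDIR\*") { $reasons += 'lives under the Windows directory' }
    if ($Proc.MainWindowHandle -eq [IntPtr]::Zero) { $reasons += 'no visible window' }
    $image = [IO.Path]::GetFileName($path)
    $hits = @($Autoruns | Where-Object { $_.Command -like "*$image*" })
    if ($hits.Count -gt 0) { $reasons += "autorun in $($hits.Key -join ', ')" }
    # Addition to the article: genuine binaries under the Windows directory are signed
    # (embedded or catalog). Treat an unsigned loose exe there as a strong hint only;
    # older hosts may report catalog-signed files as NotSigned.
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.Status -ne 'Valid') { $reasons += 'unsigned or invalid signature' }
    return $reasons
}

# List processes that match at least $MinReasons indicators (assumed threshold: 3;
# many legitimate services have no window, so one indicator alone means nothing).
function Find-SuspiciousProcesses {
    param([int]$MinReasons = 3)
    $autoruns = @(Get-AutorunEntries)
    foreach ($p in Get-Process) {
        $r = @(Get-SuspicionReasons -Proc $p -Autoruns $autoruns)
        if ($r.Count -ge $MinReasons) {
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $p.Path; Reasons = ($r -join '; ') }
        }
    }
}

# Quarantine: rename the image, kill the process, strip Run entries, re-check.
function Invoke-ImageQuarantine {
    param([Parameter(Mandatory)][string]$ImageName)
    $targets = @(Get-Process | Where-Object {
        $_.Path -and ([IO.Path]::GetFileName($_.Path) -ieq $ImageName) })
    if ($targets.Count -eq 0) { Write-Warning "$ImageName is not running"; return }
    foreach ($p in $targets) {
        $stamp = Get-Date -Format 'yyyyMMddHHmmss'
        # A running exe can be renamed (not deleted) on the same volume. Renaming
        # first means a watchdog that relaunches it by path finds nothing, even if
        # it reacts before Stop-Process lands.
        Rename-Item -LiteralPath $p.Path -NewName "$ImageName.$stamp.quarantined"
        Stop-Process -Id $p.Id -Force
        $null = $p.WaitForExit(5000)
    }
    foreach ($e in Get-AutorunEntries) {
        if ($e.Command -like "*$ImageName*") { Remove-ItemProperty -Path $e.Key -Name $e.Name }
    }
    Start-Sleep -Seconds 5
    $base = [IO.Path]::GetFileNameWithoutExtension($ImageName)
    $back = @(Get-Process | Where-Object { $_.ProcessName -ieq $base })
    if ($back.Count -gt 0) {
        # Something else restarted it: report the parent so the same treatment can be
        # applied to the companion process (the article's symptom of a self-restarting pair).
        Get-CimInstance Win32_Process -Filter "ProcessId = $($back[0].Id)" |
            Select-Object ProcessId, ParentProcessId, CommandLine
    }
}

Find-SuspiciousProcesses | Format-Table -AutoSize
# Invoke-ImageQuarantine -ImageName 'sysupd.exe'   # review the table before running this
```

Review the triage table before quarantining anything: the indicators are heuristics, and a process that reappears after quarantine points to a second component (the parent reported at the end) that needs the same treatment.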
