Work Around for BKUQCAQEJYUN Service running MSUPD5.exe

Rich K

I have a suspicious service under
Control Panel/Administrative Tools/Services named
BKUQCAQEJYUN which could only be disabled when I booted
up in SAFEBOOT mode, which fixed the problem. However, I
want to completely remove this from my system and I
cannot find the registry entry. When the service was
running, I saw a large SVCHOST job and MSUPD5.EXE
running. MSUPD5 Service BKUQCAQEJYUN under SVCHOST
 
Bill Sanderson

Did you scan with Microsoft Antispyware while running in Safe mode?

Some bugs are only cleanable when such services are not running, such as in
safe mode.

You need to find the startup vector for this critter. Can you find
MSUPD5.exe on your system? Use the System Explorers to check out the
various startup items on your system.

If this item is not easy to find, you may have a genuine rootkit trojan in
place, some of which hide very effectively. I don't have experience with
how well Microsoft Antispyware's System Explorer deals with such bugs, nor
have I seen such posted here.
 
Guest

This is a trojan,

; This file is generated by AppHunter
;
[Summary]
Discovered=01/19/2005 03:01:00
ID=AFA085FE71308BA002E2C94C34C16A7E
ID2=61440,6FA95E9AE7582374C2A18235A6BCED87
ID3=52876,522CA540D62F133F0712E00FB79416EE
MD5=61B21AF4B890E857DEE43D2534105A03
Size=61440
Filename=msupd5.exe
Company=N/A
Risk=1.4

[Risk Analyzer]
AutoRun=4
NonBrand=10

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
ImagePath=%SystemRoot%\System32\svchost.exe -k netsvcs

[DirectoryCreated]
c:\windows\softwaredistribution\download\s-1-5-18=1
c:\windows\softwaredistribution\download\s-1-5-18\39bc3d62f028dc98d0bdfbfd9f3106fd=1
c:\windows\softwaredistribution\download\s-1-5-18\981593429475ef0704f5014344a18469=1

[ThreadCreated]
Count=1
 
Bill Sanderson

Help me out--I don't understand this report. I see details about the
MSUPD5.exe file, but I also see details that appear to relate to the BITS
service which is a normal part of a Windows XP SP2 system.
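
Added example, not part of the thread or any poster's code: a read-only PowerShell listing of where a service registration can point, covering both the ImagePath value and, for services hosted by svchost.exe (as the BITS key in the report is), the Parameters\ServiceDll value. It assumes PowerShell 3.0 or later run as administrator; the search string is the file name from this thread and the "no company name" filter mirrors the Company=N/A line in the report.

```powershell
# Added example, read-only: lists service registrations, changes nothing.
# Assumes PowerShell 3.0+ run as administrator. $Needle is the file name from the thread.
$Needle = 'msupd5'
$root   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$rows = foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    $svc = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    if (-not $svc -or -not $svc.ImagePath) { continue }   # skip keys that are not services

    # A service hosted by svchost.exe keeps its real code in Parameters\ServiceDll,
    # so ImagePath alone only ever shows "svchost.exe -k <group>".
    $dll = $null
    $paramPath = "$($key.PSPath)\Parameters"
    if (Test-Path -LiteralPath $paramPath) {
        $dll = (Get-ItemProperty -LiteralPath $paramPath -ErrorAction SilentlyContinue).ServiceDll
    }

    # Version-resource company name of the DLL; the report in this thread shows Company=N/A.
    $company = $null
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        $company = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
    }

    [pscustomobject]@{
        Name       = $key.PSChildName
        Start      = $svc.Start          # 2 = automatic, 3 = manual, 4 = disabled
        ImagePath  = $svc.ImagePath
        ServiceDll = $dll
        Company    = $company
    }
}

# 1. Every registration that references the file name, by either route.
$rows | Where-Object { "$($_.ImagePath) $($_.ServiceDll)" -like "*$Needle*" } |
    Format-List

# 2. svchost-hosted services whose DLL is missing or carries no company name.
$rows | Where-Object { $_.ImagePath -like '*svchost*' -and $_.ServiceDll -and -not $_.Company } |
    Format-Table Name, Start, ServiceDll -AutoSize
```

If a rootkit is hiding the key from the running system, the possibility raised earlier in the thread, this listing will not show it either; the same check then has to be run against the offline registry hive from a clean boot environment.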
 
Guest

MSUPD5.EXE IS THE FILE YOU ARE AFTER. IT WILL BE IN THE
SYSTEM32 AND MAYBE SYSTEM FOLDERS. STOP IT LOADING, THEN YOU
CAN DELETE IT. ALSO LOOK IN PREFETCH FOLDER FOR ANYTHING
POINTING TOWARDS THIS FILE. DO IT ALL IN SAFE MODE IF YOU
HAVE TO. REMOVE THIS FILE FIRST, THIS IS GENERATING THE EXTRA
SERVICE YOU SEE IN SERVICES, THEN STOP THE SERVICE RUNNING.
 
Bill Sanderson

Got it.
--
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

 
Bill Sanderson

Rich--are you following this? Do the clues anonymous is providing help you
out?
 
