I am infected with the Trojan PSW.Agent.H virus and my AVG anti-virus cannot remove it. I have located the infected file but cannot delete it. Looking for any help!

If it is located in the restore file then you must turn off system restore , reboot and scan again then you can turn restore back on .

I have turned off system restore and tried to delete it, but it doesn't help. It is located in the _update.dat file. Any help?

Hello

Last night, I discovered that my PC has been infected by the Trojan horse, PSW.Agent.H.

I've tried everything -- scanning with AVG and Trojan Remover, and scanning with AVG's virus remover program in safe mode, and deleting, moving, and renaming the infected file in safe mode. But, the file and the virus are just like one weed; they come back after every computer reboot! Can you tell me what I can do, please? Much appreciated!

apacheman2k - I finally got rid of it last night. I run AVG anti-virus and I downloaded an update on 28 April 04 and it must have had a "fix" in this update because I ran a complete test after downloading the update and AVG "healed" the file and the virus was eliminated. You might continue checking and installing AVG updates on a daily basis if they are available.

will AVG 6.0 Free Edition work? i just tried downloading an update, but it's specs are up to date.

This is what you need to do! It worked for me. This is the forum that helped me. And the instructions followed. I never found the update.dat file...after removing the sysupd.exe file in task manager (right click on toolbar in empty spot to open task manager) I reran my AVG and it finally healed it. I am clean! Good luck, let us know if it worked for you too.
I had the same Trojan on my computer, booting the OS in safe mode, and disabling system restore did not work for me. I also tried almost every Anti-Virus, Ad-ware, and Trojan software out there but nothing did it. The way to remove this PSW.Agent.H is simple, the only catch is there is a process running called sysupd.exe running witch protects the Trojan source file in Documents and Settings (_UPDATE.DAT ) from being removed. So here is what you do.

Read all the steps below before you start.

1. Run a search on the computer for a file called sysupd.exe .

2. Open My Computer, and browse to the folder that contains the file.

3. Press Ctrl+Alt+Del, and click on Task Manager.

4. Look on the bottom of the Task Manager window to see how many process are running, ex (Process:15)

5. Find sysupd.exe and stop it. most likely it will keep starting it self over.

4. Keep looking for it and stopping it, until the number of process' go down by one. Once you reach this point you only have a few second until it restarts, so be quick.

5. Switch to the window where sysupd.exe is located and quickly remove it.

6. Once sysupd.exe have been removed, then you can remove the main file _UPDATE.DAT which will be found somewhere in Documents and Settings. (If you cannot find it run a search for it)

7. Run AVG again to make sure the Trojan is gone.

I do not use this web site at all, i only found it while I was searching on Google for what people are saying about this Trojan.

This virus is found in your temp files and is not removable by the AVG free removal software. The easiest way to find this is in the temp folder in your local settings, i will be titled "_update.dat", move this file to another place such as on your C drive. Run AVG and it will remove it.

I found these directions for removal on another site. They worked for me I hope they work for you as well.

Subject: Re: viruses
From: virus_psw_agent_h-ga on 28 Apr 2004 06:21 PDT
Please read everthing before you take my steps

hey i think it is about time i found a forum on this virus i am having
the same troubles with this virus as everyone else!
after reading this forum i learnt that sysupd.exe is the cause of the
problem every time i tried deleting _update.dat it said it was being
used by another program therefore not deleting so i ran my comp in
safe mode and delete and when i reboot it comes up again so i kept
searching the web and low and behold this forum answers my question i
run processes and force shutdown (shutdown process tree by right mouse
clicking) and _update.dat deletes without safe mode. now dont be
stupid and try to reboot and expect it not to come back because you
have done that before you have to go to the source of the problem wich
we have learnt is sysupd.exe
so follow these steps to delete the virus psw.agent.h fully! i am
running winXP proffesional and i am using avg but if you are running
another OS then steps should be quite similar it is all the same
theory!
{if you dont understand what i just wrote
(it would probably be a good idea to unistall msxml... if you want at
this point i am not sure if it did any good everything seems to be
working fine)
1.) press: ctrl + alt + del
2.) go to processes
3.) find sysupd.exe and right mouse click
4.) click end process tree and select YES
5.) run start, search and select select all files and folders
6.) by the all part of file name bar type in SYSUPD
7.) by 'look in' make sure it is going to search all hard drives (this
shouldn't matter as long as it is searching your main drive eg: c:\
but just let it search all drives just in case)
8.) once search is complete you should ahve 2 files show up one is sysupd.exe
in c:\windows (or if not c:\ it should be in d:\ etc) and the other
file should be sysupd.exe-3b2af10b.pf
9.) delete these files by highlighting them and then right mouse
clicking and clicking delete or hit the del key
10.)if the files or one of the files dont delete go to step 1 until 4
(try work quickly otherwise sysupd.exe will run again)
11.) next we want to empty recycle bin go to your desktop and find the
recycle bin right mouse click on it and click empty recycle bin
12.) reboot your computer (it is always best to reboot your comp after
doing changes to your computer)
13.)run your virus scan and see for your self it has worked!

if it comes back that the virus is still on your comp it is because
_update.dat or other virus files have not yet been deleted on your
profile or from another users files avg should be able to delete it
without a hastle reboot and run avg again

after doing all this i had another problem virus psw.agent.I was found
on my comp i dont how it happened to me but i let avg remove the files
but only one file deleted and that was the virus psw.agent.h
_update.dat it was the there because of the reason explained above the
other file was psw.agent.i virus file in c:\system volume information

so i just rebooted my comp ran in safe mode networking b/c i am on a
network and ran avg.exe this is the dos avg b/c the windows one
couldnt open and after letting it run it didnt find the other file i
presume this is so becaus it was on the system volume information
folder and a restore file so when i restarted my comp and ran in safe
mode it deleted automatically i then rebooted and ran avg in windows
just to be sure but after doing this psw.agent.i came up again in
c:\system volume information and it managed to delete it this time
(weird) so again i rebooted and ran avg again and this time it didn't
find the virus

i had a program called msxml i am not sure what it is so i just
uninstalled it (i hope it didnt screw up any of my computer files i
have

i recommend if you booted your comp to floppy disk run it ill tell you
the truth i didnt boot my comp to floppy but i have done it before and
i would have no idea how to run it this could help get rid of
psw.agent.i if it didnt go away before but i dont know

the only reason i wrote everything explicitly is because i dont know
how computer litterate some of you are

i also recommend you download a program called ADAWARE go to
downloads.com and search for adaware download it and run it if you are
unable to figure out how to work it let me know and ill help you make
sure you go thru the settings before hand so it doesnt just do a
registry search rather a full system scan

this is actually quite funny all these steps and writing i did while
doing the steps myself i wrote in notepad and then copied it all to
the forum lol so you can probably imagine how much time it took yes, 3
- 3 and a half hours and there was a lot of deleting and putting
everything i order so you will be able to refer to it and not have to
hastle with putting everything in order

I would like to clarify myself on my previous post, after moving this file to the C drive, the AVG free software will then remove it. It is once it is moved out of the temp files that this is removable.

Responses #6 & #8 are very useful. However, it's hard to remove sysupd.exe because it's a self-starting running process in the Normal mode. In the Safe mode, sysupd.exe is not running. It's therefore easy and straight forward to delete both sysupd files and _update.dat file. To get to the Safe mode, hold F8 key while the computer is starting, and choose Safe mode among the selections.

I would like to thank the following people for their contributions in the removal of the virus PSW.Agent.H:

Response #6: fourlocos
Response #8: Elizabeth
Response #10: Yongli Gao

You guys are fantastic! I really appreciate your good work.

IT FINALLY GOT REMOVED FROM MY COMPUTER!

Are there any suggestions on how to delay the restart of sysupd.exe? On my computer, it restarts in a second or less, not enough time to allow me to delete or move _update.dat.

Are there any alternative methods?

I found my pc infested today with the PSW.Agent.H. and this is the easiest and fasted way to get rid of it. I'm using Windows Me but I think that is applicable to any OS.

For those infested files in _RESTORE\TEMP - right click on My Computer icon, Properties, Performance tab, in Advanced settings click on File System..., Troubleshooting tab, check the last option "Disable System Restore". Click Apply and Restart your computer. This should be enough to clean those files. You would be able to uncheck the "Disable System Restore" once you clean all your disk from virus.

In order to heal the file C:\WINDOWS\TEMP\_UPDATE.DAT - you have first to create a StartUp disk - go to Control Panel, Add/Remove Program,last tab StartUp Disk, Create Disk. You will need a floppy disk... no s...! LOL

You also need to run a Search for a file named sysupd.exe and take note of its localization (it should be C:\WINDOWS) if you don't get rid of this file you wont be able to eliminate de _update.dat.

With this to things (startup disk & path to the sysupd.exe) insert the StartUp disk on its drive and Restart your computer. As soon as the DOS prompt appears click "Shift + F5"
in seconds you will see A:\>_

Follow this one by one, between " " explanations, not to be typed:

C:\ "will change dir from A to C, hit Enter"

DEL C:\WINDOWS\SYSUPD.EXE /P "Enter"
Y "confirm your disires to delete it"

"with this you got rid of sysupd, but is not enough"

DEL C:\WINDOWS\TEMP\_UPDATE.DAT /P "Enter"
Y

"that will be more than enough, take your floppy disk from its drive and hitting "Ctrl + Alt + Del" should restart your computer in normal mode and you should rerun the antivirus just to be sure.

Good luck!!

it works! Simply start in the safe mode, find the file, cut and paste it on C.
Then restart and run AVG.

Ok I have gotten as far as 1-13 on number reply 8 and I have tried reply 6 however Number 6 & 8 & 10 to you I can't find the _udate.dat anywhere in the doc/settings, I even did a comp sear, for it, and the comp didn't find it either any I am basicly pulling my hair out now, I finally go the sysupd.exe off my comp and hasn't come back on to my comp since, however the psw.agent.h virus is also still on my comp and avg will not remove it and I have updated avg .... So PLEASE SOMEONE HELP ME !

Hey ya all I did it it is gone thank you thank you thank you, I realized after writing that last and first post of mine that when I deleted the sysupd.exe and then having to reboot right after it deleted itself the update dat file thing lol I ran avg right after I rebooted after the deletion of the sysupd.exe, and the avg caught it again then deleted it I was so happy thank you thank you thank you your all so very awesome.....

I am running Windows 98 SE so I can't use the "processes" method suggested since sysupd doesn't show up in my task manager.

I tried the other suggested method of going into Safe Mode and moving the sysupd.exe and _update.dat files to C: but I couldn't move the files. Said files were in use by Windows.

I also noticed I can't delete sysupd.exe from the registry.

Any other advice?

Thanks.

boot from a floppy in dos and delete the files via the Del command after writting down their path

Thanks for the help. I did what Elizabeth said to do in response # 8. At first it wouldn't work but I decided to keep trying & it finally did. I suggest that when u go into the task manager & try to end sysupd.exe just keep doing it. After the cannot remove message comes up just click ok & go back to the task manager & keep ending it. Eventually it will disappear from the list. Then when it does dissapear quickly go to your search results & delete the file. Do the main one first cause this is the one your most worried about. Then delete it from the recycle bin. Then you can go back & delete the other one. If it won't delete don't worry about it cause AVG will. Hope this helps a little better.

hi its me agai, I noticed you saidyou had trouble with the soundvolume_restore viruses to I thought I got it all but I guess I did, I can't figure out how to get those virus off I followed number 8 Eliz but you really didn't specfi as well as you did on removing those virus as you did on the umm Agent virus, I still can't find the update.dat file that needs to be erased and comp can't find it under search can you email me when and if you get this to help me out maybe even msn me I left my messager name and contact info in profile thanks,bye.

I just wanted to say when it comes to to all this stuff I go into panic attacks. I don't know much about all this. I found this trojan on my computer and thought I was going to have to hire someone. After reading #6 and #8 I started dialing. Until I got to #10. I'm running windows 98. All I did was restart while holding f8 I deleted sysupd then deleted the whole temp file where the _update.dat was located then emptied the recycle bin. I restarted my computer and ran avg. Gone!!! Then I ran it again just to make sure. Still gone. Thanx sooooo much!

I got it fixed in xp home.
- go to safe mode
- delete the _update.dat file (AVG will tell you where it is) You have to be logged in with the rights to see and delete it. The user that got it usually can do this.
- edit the sysupd from the run in the registry. I just search for all the run and runservices that are there. While there, you might also clean out any other garbage things that are starting up.
- update AVG and run it.
- you may have to go thru this a number of times till you get the sequence that works.

The latest Spybot Search & Destroy will also find it. It showed me that the sysupd.exe is in the windows directory.
Now it "WAS" in the windows directory.

I followed instructions given by Israel in #13. I neglected, however, to disable System Restore. I removed the file SYSUPD in DOS mode, and the file was removed from WINDOWS, and so was the virus. Do I need SYSUPD for any reason?

Cannot find sysupd.exe or _update.dat in XP. Do they have another name?

I first deleted the 'Iw.exe' process in the taskmanager. Then I deleted the 'Sysupd.exe' process and the 'Sysupd.exe' process then did not restart. So I think this 'Iw.exe' must be responsible for the restart of 'Sysupd.exe'.
To #15, finding '_udate.dat' requires to enable the 'search hidden files and folder' option when searching.