gpupdatea.exe - a System Process - Spyware

Hi everyone,

When I was online and browsing the web (I use Firefox as my main browser), suddenly a pop-up IE window appeared showing an ad. Because it was unusual, I looked at the process list in Task Manager and I saw a “System”! process called “gpupdatea.exe” running.

Avast antivirus couldn’t detect that malware (though its definitions were up to date and it was running properly).

I found the location of the process and it was in the Temp folder of the current user, so I scanned it again manually with Avast, but it still wasn’t able to detect it.

In the properties window of this process, I saw some Chinese words (in English) as its description.

Finally I ended the process and deleted that file, which needed a reboot to complete the deletion.

Perhaps that spyware may have left other tracks on my PC and I can’t be aware of it as long as it has not been triggered to operate.

I created this topic only as a report and I hope it will soon be fixed in future definition updates of the antivirus.


I’m running Avast 4.8 Free version on Win. XP SP3. (the latest Free version 5 can’t be installed on my system)

Can you submit the file to avast team for analysis? Or it’s gone?
Maybe submit also to www.virustotal.com to check.

Found this: http://www.processlibrary.com/directory/files/gpupdate/
Quote:
gpupdate.exe is a process associated with Microsoft® Windows® Operating System from Microsoft Corporation.

Edit: not the same name, "gpupdate.exe" and "gpupdatea.exe".

and also one infection removed by MBAM http://www.pchelpforum.com/fixed-hijackthis-logs/90402-infected-win32-olmarik.html

C:\Documents and Settings\Mar\Local Settings\Temp\gpupdatea.exe (Virus.Agent) → Quarantined and deleted successfully.

Send the sample to virus (at) avast (dot) com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

avast 5.0 has been out for over 4 months now and XP is supported. Is there any reason you haven’t updated to avast 5?

Sorry,
But as I stated before, I was so confused that I deleted the spyware file immediately after I became aware of it. :)

And currently there is no sample file.

OK, something to consider for the future should it happen again to help improve avast detections.
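
The two signals that came up in this thread, a file name one character away from a real Windows binary (gpupdatea.exe vs. gpupdate.exe) and an image running from a user Temp folder, can be checked mechanically. The following is an added example, not part of the original thread or any avast tool; the `KNOWN` table and the sample path list are constructed for illustration, except the Temp path, which is the one quoted from the MBAM log above.

```python
import ntpath

# Assumption: a small table of real Windows binaries and the folder they belong in.
KNOWN = {
    "gpupdate.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(path):
    """Return (verdict, matched_name) for one executable image path."""
    folder, name = ntpath.split(path.lower())
    if name in KNOWN:
        # Right name: only trustworthy if it also sits in the expected folder.
        return ("ok" if folder == KNOWN[name] else "wrong-location", name)
    for real in KNOWN:
        # One inserted, dropped or swapped character, e.g. gpupdatea.exe.
        if edit_distance(name, real) <= 1:
            return ("lookalike", real)
    return ("unknown", None)

def scan(paths):
    """Return only the entries worth a closer look, with the reason."""
    results = [(p,) + classify(p) for p in paths]
    return [r for r in results if r[1] in ("lookalike", "wrong-location")]

# Constructed process image paths (as read from Task Manager or a process listing).
SAMPLE = [
    r"C:\WINDOWS\system32\gpupdate.exe",
    r"C:\Documents and Settings\Mar\Local Settings\Temp\gpupdatea.exe",
    r"C:\Documents and Settings\Mar\Local Settings\Temp\svchost.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for path, verdict, real in scan(SAMPLE):
        print(f"{verdict:15} {path}  (resembles {real})")
```

A flagged file is a candidate for submission to the vendor or VirusTotal before deletion, as suggested in the replies.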