Should I block it?

Yes, 98% block recommendation.
Possible reasons:
Multiple malware detections
Performance resource utilization

Additional versions

10.2.1.2634 36.36%
10.2.1.2612 54.55%
1.0.0.2539 9.09%


PE file structure

Import table
advapi32.dll
RegOpenKeyExW, AdjustTokenPrivileges, DuplicateTokenEx, LookupPrivilegeValueW, ConvertStringSidToSidW, SetTokenInformation, CreateProcessAsUserW, GetTokenInformation, OpenProcessToken, RegQueryValueExW, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, ControlService, ReportEventW, QueryServiceStatusEx, SetServiceStatus, ChangeServiceConfigW, StartServiceW, ChangeServiceConfig2W, DeregisterEventSource, RegisterServiceCtrlHandlerExW, RegCreateKeyW, EnumDependentServicesW, StartServiceCtrlDispatcherW, DeleteService, RegisterEventSourceW, CreateServiceW, RegSetValueExW, OpenServiceW, OpenSCManagerW, CloseServiceHandle, RegCloseKey, RegCreateKeyExW
kernel32.dll
GetSystemWindowsDirectoryW, GetCurrentThread, WideCharToMultiByte, LoadLibraryW, SetThreadPriority, LocalAlloc, GetShortPathNameW, LocalFree, GlobalAlloc, CreateFileW, DeviceIoControl, GetVolumeInformationW, GetSystemDefaultLangID, GetFileSize, SetFilePointer, SetEndOfFile, CreateDirectoryW, WriteFile, ReadFile, GetLocalTime, DeleteFileW, GetCurrentProcessId, SetFileAttributesW, InterlockedDecrement, FindFirstFileW, GetFileAttributesW, FlushFileBuffers, FindClose, FindNextFileW, lstrlenW, GetQueuedCompletionStatus, RaiseException, InterlockedExchange, ResetEvent, GetExitCodeThread, PostQueuedCompletionStatus, GetSystemInfo, WaitForMultipleObjects, CreateIoCompletionPort, GetLogicalDriveStringsW, OpenProcess, GetSystemDirectoryW, ProcessIdToSessionId, QueryDosDeviceW, EncodePointer, DecodePointer, GetEnvironmentVariableW, GetCurrentThreadId, GetProcessHeap, GetTickCount, OutputDebugStringW, FindResourceExW, HeapFree, HeapAlloc, GlobalFree, MultiByteToWideChar, CreateThread, CreateEventW, GetLastError, TerminateThread, SetEvent, SetPriorityClass, WaitForSingleObject, Sleep, MoveFileExW, CloseHandle, GetProcAddress, GetModuleFileNameW, GetModuleHandleW, GetCurrentProcess, DeleteCriticalSection, LockResource, EnterCriticalSection, LeaveCriticalSection, GetVersionExW, SizeofResource, InitializeCriticalSectionAndSpinCount, InitializeCriticalSection, LoadResource, FindResourceW, GetStringTypeW, HeapDestroy, lstrlenA, WriteConsoleW, SetStdHandle, ReadConsoleW, HeapReAlloc, GetConsoleMode, HeapSize, GetCommandLineW, GetSystemTimeAsFileTime, IsDebuggerPresent, GetConsoleCP, SetFilePointerEx, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetFileType, GetStdHandle, GetModuleHandleExW, ExitProcess, GetOEMCP, GetACP, IsValidCodePage, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, GetStartupInfoW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, TerminateProcess, SetLastError, SetUnhandledExceptionFilter, 
UnhandledExceptionFilter, GetCPInfo, RtlUnwind, LoadLibraryExW, ExitThread, IsProcessorFeaturePresent, InterlockedIncrement, GetModuleHandleA, LoadLibraryA, GetModuleFileNameA
ole32.dll
CoSetProxyBlanket, CoUninitialize, CoInitializeEx, CoInitialize, CoInitializeSecurity, CoCreateInstance
psapi.dll
EnumProcesses, EnumProcessModules, GetModuleFileNameExW
sensapi.dll
IsNetworkAlive
shell32.dll
SHGetFolderPathW, ShellExecuteExW, SHChangeNotify
shlwapi.dll
PathAppendW, SHDeleteKeyW, StrTrimW, StrChrW, StrCpyW, PathFindExtensionW, PathFindFileNameW, StrCmpIW, PathFileExistsW
user32.dll
wsprintfW
userenv.dll
DestroyEnvironmentBlock, CreateEnvironmentBlock
version.dll
VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
winhttp.dll
WinHttpQueryDataAvailable, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpConnect, WinHttpWriteData, WinHttpSendRequest, WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetOption, WinHttpSetTimeouts, WinHttpReceiveResponse, WinHttpGetProxyForUrl, WinHttpCrackUrl, WinHttpReadData, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpCloseHandle
wininet.dll
InternetCheckConnectionW, InternetOpenW, InternetOpenUrlW, HttpQueryInfoW, InternetCloseHandle, InternetCrackUrlW, InternetReadFile, InternetConnectW, HttpOpenRequestW, HttpAddRequestHeadersW, InternetSetOptionW, HttpSendRequestW

eGdpSvc.exe

Wsys Control by Banyan Tree Technology Limited (Signed)

Version:   10.2.1.2612
MD5:   6ff3cfb85b18c032af8f242498dfc8d9
SHA1:   e7cf4aeaad0373ad0c421f7767f428d78d826dd7
SHA256:   40cbe211d1058cbb5af43186ad83f8af9855314d6e4e2e71d5ceb8d490170844
Warning: 26 antivirus scanners have detected malware.

Overview

egdpsvc.exe is malware that runs as a service under the name WsysSvc (WsysSvc) within the local user context. It is installed with a couple of known programs including Wsys Control 10.2.1.2609 published by Banyan Tree Technology Limited, Wsys Control 10.2.1.2612 from Banyan Tree Technology Limited and Wsys Control 10.2.1.2612 by Banyan Tree Technology Limited. The file is digitally signed by Banyan Tree Technology Limited, with a certificate issued by the GlobalSign nv-sa certificate authority (CA).

Details

File name: egdpsvc.exe
Publisher: Wsys Co., Ltd.
Product name: Wsys Control
Description: Wsys Control 1.0.0.2539
Typical file path: C:\Documents and Settings\user\Application data\esafe\egdpsvc.exe
File version: 10.2.1.2612
Size: 296.56 KB (303,680 bytes)
Build date: 8/22/2013 1:02 PM
Certificate
Issued to: Banyan Tree Technology Limited
Authority (CA): GlobalSign nv-sa
Digital DNA
PE subsystem: Windows GUI
File packed: No
.NET CLR: No

Programs

The following programs will install this file
Banyan Tree Technology Limited
  82% remove
Wsys Control, also known as Delta-homes.com, is a potentially unwanted web browser extension and Browser Helper Object (for Internet Explorer) that delivers contextual advertising to the web browser. In addition, it will modify the user's browser home and search pages as well as 'New Tab' pages to push advertising and search. It is typically defined as an unwanted application by various malware vendors.
DProtect Lab
  78% remove
DProtect is an adware web browser extension that will display various popup and banner ads as well as modify the user's web browser search and home page settings. In some cases, the program will monitor a user's behavior and will inject rival advertisements over existing ones or just inject new ones altogether. As part of the installation process the publisher may offer changes to your Internet Browser settings. These changes if app...

Behaviors

Services
Runs under 'SYSTEM\CurrentControlSet\Services' by the Service Controller (services.exe)
  • WsysSvc
  • 'WsysSvc' (Wsys Service)

Malware detections

Based on 40+ industry antivirus scanners, 26 of them detected the following malware.
Antivirus engine   Engine version   Detection
AhnLab V3 Internet Security 2013.10.10 Trojan/Win32.Staser
Antiy Labs AVL 2.0.3.7 Trojan/Win32.Staser
AVG 13.0.0.3169 Startpage.A
Baidu Antivirus 3.5.1.41473 Trojan.Win32.StartPage.34
BitDefender 7.2 Application.ExqPage.F
CAT Quick Heal 10.13.12.00 Trojan.Agent.gen
Comodo Internet Security 17077 Heur.Suspicious
Dr.Web 8.13.10.10 Adware.Mutabaha.20
ESET NOD32 7.8896 a variant of Win32/ELEX.S
Fortinet 5.1.147.0 Adware/Agent
F-Secure 11.0.19100.45 Application.ExqPage.F
G Data 13.10.22 Application.ExqPage.F
Ikarus T3.1.5.4.0 Trojan.Win32.Staser
Jiangmin 16.0.100 Trojan/Staser.x
K7 AntiVirus 9.173.9818 Unwanted-Program
K7GW 12.7.0.14 Unwanted-Program
Kaspersky 9.0.0.837 Trojan.Win32.Staser.fv
Kingsoft 2013.4.9.267 Win32.Troj.Generic.a.(kcloud)
McAfee 5.600.1067 Adware-Bprotect
McAfee Gateway Anti-Malware v2013-dat Adware-Bprotect
eScan by MicroWorld 12.0.250.0 Application.ExqPage.F
Trend Micro 9.740.0.1012 TROJ_GEN.R0CBC0PIS13
Trend Micro HouseCall 9.700.0.1001 TROJ_GEN.R0CBH05IO13
Vba32 AntiVirus 3.12.24.3 Trojan.Staser
VIPRE Antivirus 22226 Elex Installer (fs)
ViRobot 2011.4.7.4223 Trojan.Win32.S.Staser.303680

Resource utilization

(Note: statistics below are averages based on a minimum sample size of 200 unique participants)
Averages
 
CPU
Total CPU: 0.00288039%
0.028634%
Kernel CPU: 0.00133404%
0.013761%
User CPU: 0.00154636%
0.014873%
Kernel CPU time: 625,496 ms/min
100,923,805 ms/min
Memory
Private memory: 6.47 MB
21.59 MB
Private (maximum): 10.97 MB
Private (minimum): 9.19 MB
Non-paged memory: 6.47 MB
21.59 MB
Virtual memory: 74.5 MB
140.96 MB
Virtual memory (peak): 95.08 MB
169.69 MB
Working set: 9.94 MB
18.61 MB
Working set (peak): 11.5 MB
37.95 MB
Resource allocations
Threads: 15
12
Handles: 257
600

Process properties

Integrity level: System
Platform: 64-bit
Command line: C:\ProgramData\esafe\egdpsvc.exe
Owner: User
Windows Service
Service name: WsysSvc
Display name: WsysSvc
Description: “Wsys update service”
Type: Win32OwnProcess
Parent process: services.exe (Services and Controller app by Microsoft)

Threads

Averages
 
eGdpSvc.exe (main module)
Total CPU: 0.00438981%
0.272967%
Kernel CPU: 0.00222028%
0.107585%
User CPU: 0.00216953%
0.165382%
CPU cycles: 71,234/sec
5,741,424/sec
Memory: 768 KB
1.16 MB
sechost.dll
Total CPU: 0.00060899%
Kernel CPU: 0.00030450%
User CPU: 0.00030450%
CPU cycles: 6,993/sec
Memory: 100 KB

Distribution by Windows OS

OS version   Distribution
Windows 7 Ultimate 27.27%
Microsoft Windows XP 27.27%
Windows 7 Professional 27.27%
Windows 8 Pro 9.09%
Windows 8 9.09%

Distribution by country

Brazil installs about 18.18% of Wsys Control.

Distribution by PC manufacturer

PC manufacturer   Distribution
MSI 28.57%
American Megatrends 14.29%
Acer 14.29%
GIGABYTE 14.29%
Dell 14.29%
Hewlett-Packard 7.14%
Samsung 7.14%