Author Topic: siszyd32.exe Problems  (Read 14096 times)


fxp

  • Guest
siszyd32.exe Problems
« on: December 17, 2009, 06:37:21 PM »
Add me to the list of those hit with siszyd32.exe last week. I saw it happen when my Java console popped open and shortly later Process Explorer, which I keep in the tray, went to 100% CPU. I use Avast and when I ran Spybot it found three attacks: Virtumonde.prx, PWS.small.bs and Nurech. I shut down the net and was able to clean up all the garbage -- I thought. Repeated runs of Avast in boot mode and Spybot found nothing and my CPU usage had returned to normal with no strange processes running. When I turned on the network I got banged with another attack and CPU usage shot up to 100% again. I asked around and was told to load Malwarebytes and it found VUNDO.H. I've since run Spybot, Avast and Malwarebytes again and something I found, FreeFixer. FreeFixer was able to remove siszyd32.exe but I looked at the Registry to check for any left over entries. When I searched the Registry at key:

                         HKCU/software/microsoft/Search Assistant/ACMru/5603

I found values: 9129837.exe, sys05020.dll, srpcss.dll, gdipro.dll and, before clearing it, siszyd32.exe.

When I deleted them they returned again. Something else is going on here. I should add I also deleted Csimplayer.exe and fjhdyfhsn.

My machine up to this point had been clean. I run Avast, Spybot, Ad-Aware and my OS is patched XP SP3 and up to date with a firewall. I am hesitant to turn on the network and have this all happen again. Thank you for any help or suggestions you can provide. :'(

« Last Edit: December 17, 2009, 09:07:14 PM by fxp »

CharleyO

  • Guest
Re: siszyd32.exe Problems
« Reply #1 on: December 18, 2009, 06:12:53 PM »
***

I suggest that you download FreeFixer from the below link.

How to remove siszyd32.exe with Freefixer:

1. Download and install FreeFixer: http://www.freefixer.com/download.html
Freefixer is freeware, so it will not cost you anything.

2. Start FreeFixer and click "Scan". The scan will finish in approximately 5 minutes.

3. In the scan result, scroll down to "Autostart shortcuts". Locate the siszyd32.exe item and check its "Delete" checkbox. DO NOT check anything else for removal, unless you are 100% sure it's malware.

4. Click "Fix".

5. Restart your machine.

6. Start FreeFixer and scan your computer again.

7. Verify that siszyd32.exe no longer appears anywhere in the scan result.

Did that completely remove siszyd32.exe from your machine?

siszyd32.exe is part of Troj/Agent-LVN as documented over at Sophos:
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentlvn.html

Please let us know the results.


***

fxp

  • Guest
Re: siszyd32.exe Problems
« Reply #2 on: December 20, 2009, 01:22:55 AM »
Hi CharleyO, thanks for reading my post. I ran FreeFixer and it found, and I deleted, the siszyd32.exe file. The problem is I'm not sure if I got it all. After running FreeFixer someone told me about VIPRE Rescue and I ran it and found more, which VIPRE cleared. I am hesitant to turn on the Internet because the last time stuff seemed to come pouring in. I was told siszyd32.exe comes from a rootkit and I don't know if I got it. Can someone look at an HJT report or another one, since this isn't what I'm good at. Thanks again.

CharleyO

  • Guest
Re: siszyd32.exe Problems
« Reply #3 on: December 20, 2009, 10:05:59 PM »
***

If you will post a HJT log, someone will look at it and offer help. This probably will not show a rootkit but it may give other clues that can help.


***

fxp

  • Guest
Re: siszyd32.exe Problems
« Reply #4 on: December 21, 2009, 04:48:11 PM »
Hi CharleyO, I'm new at posting logs publicly, but I think I've got it figured out. My HJT log can be found at:

http://cid-c96b5052195124ca.skydrive.live.com/self.aspx/.Documents/Public/hijackthis.log

I'd appreciate anyone looking at this thing and letting me know if I got this problem licked. I'm willing to run anything else, too. Thanks again for your help.

CharleyO

  • Guest
Re: siszyd32.exe Problems
« Reply #5 on: December 21, 2009, 08:12:23 PM »
***

An analysis of your HJT log shows the following :

We couldn't detect any active process of a firewall on your system. Possible reasons:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend you to use a firewall. Download and install one or activate Windows XP's firewall.

Possible problems :

(Note - If the Symantec entries are related only to Norton Ghost, they should be ok provided you are using Ghost. Entries not related to Ghost should be removed. There is also at least one McAfee entry and at least one Authentium entry.)

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Symantec Update related

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
Symantec Update related

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
Norton Software

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
It seems that the name of this program is the same as the name of the file. In most cases this is the result of trojans. To be sure, you should check this file.

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O9 - Extra button: (no name) - AutorunsDisabled - (no file)
To be fixed if the entry is unknown. Unnecessary (deactivated) entry that can be fixed.

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

As I stated above, if you are using Norton Ghost, some of the Symantec/Norton entries should be OK to keep. You will have to research the entries to be sure.

The McAfee and Authentium entries should be fixed as you seem to have a full install of avast. Having more than one AV service is not recommended as this will cause many problems.


***
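The two checks the analysis above applies by hand (a Run-key value whose name equals its executable's filename, and more than one antivirus vendor present at once) can be automated over HijackThis output. The script below is an added example, not part of the thread or of any tool mentioned in it; the sample lines are quoted from the analysis above except for the last one, which is a constructed avast service line standing in for the avast install the analysis refers to.

```python
import re
from collections import Counter

# HijackThis line shapes seen in the analysis above (O4 = Run key entry).
O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?:"(?P<qpath>[^"]+)"|(?P<upath>\S+))')
AV_KEYWORDS = {"symantec": "Symantec/Norton", "norton": "Symantec/Norton",
               "mcafee": "McAfee", "authentium": "Authentium", "avast": "avast"}

def av_vendor(line):
    """Return the AV vendor a log line belongs to, judged by path/vendor keywords."""
    low = line.lower()
    for keyword, vendor in AV_KEYWORDS.items():
        if keyword in low:
            return vendor
    return None

def parse_o4(line):
    """Split an O4 Run entry into its registry value name and the executable path."""
    m = O4_RE.match(line)
    if not m:
        return None
    return {"name": m.group("name"), "path": m.group("qpath") or m.group("upath")}

def name_equals_file(entry):
    """The heuristic the analysis applied to VerizonServicepoint.exe: value name == filename."""
    filename = entry["path"].rsplit("\\", 1)[-1]
    return entry["name"].lower() == filename.lower()

def analyse(lines):
    vendors, flagged = Counter(), []
    for line in lines:
        vendor = av_vendor(line)
        if vendor:
            vendors[vendor] += 1
        entry = parse_o4(line)
        if entry and name_equals_file(entry):
            flagged.append(entry["name"])
    return {"av_vendors": dict(vendors), "multiple_av": len(vendors) > 1,
            "name_equals_file": flagged}

# Lines quoted from the analysis above; the last one is constructed (avast 4 service line).
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"',
    r'O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab',
    r'O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe',
    r'O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe',
    r'O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe',  # constructed
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

As in the analysis, the name-equals-file flag is a prompt to verify the file, not proof of a trojan: here it fires on the ISP's own VerizonServicepoint.exe.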

CharleyO

  • Guest
Re: siszyd32.exe Problems
« Reply #6 on: December 21, 2009, 08:26:57 PM »
***

From the below, it appears that you may also be using more than just Norton Ghost as their virus scan and firewall appear as running tasks.

An Overview of running tasks when your HJT log was produced :

smss.exe   
System task   
Session Manager Subsystem

winlogon.exe   
System task   
Microsoft Windows Logon Process

services.exe   
System task   
Windows Service Controller

lsass.exe   
System task   
Local Security Authority Service

svchost.exe   
System task   
Microsoft Service Host Process

svchost.exe   
System task   
Microsoft Service Host Process

svchost.exe   
System task   
Microsoft Service Host Process

ccSvcHst.exe   
Firewall   
Symantec Service Framework Executable

spoolsv.exe   
System task   
Microsoft Printer Spooler Service

AppleMobileDeviceService.exe   
Backgroundtask   
Apple Mobile Device Service

aswUpdSv.exe   
Virusscan   
Avast Anti-Virus Component

ALUSchedulerSvc.exe   
Virusscan   
Symantec LiveUpdate Scheduler

ashServ.exe   
Virusscan   
Avast

mDNSResponder.exe   
Backgroundtask   
Bonjour for Windows Component

CDAC11BA.EXE   
Backgroundtask   
cdac11ba

CTsvcCDA.exe   
Backgroundtask   
Creative CD-ROM Services

Explorer.EXE   
System task   
Microsoft Windows Explorer

dvpapi.exe   
Virusscan   
Authentium Antivirus

inetinfo.exe   
System task   
IIS Admin Service Helper

InCDsrv.exe   
Backgroundtask   
Ahead Nero InCD Service

IntuitUpdateService.exe   
Backgroundtask   
IntuitUpdateService.exe

LSSrvc.exe   
Backgroundtask   
NERO Light Scribe Module

mdm.exe   
Application   
Machine Debug Manager

sqlservr.exe   
System task   
Microsoft SQL Server Suite

DSentry.exe   
Backgroundtask   
Dell DVD Sentry

JupitCo.exe   
Unknown task   ( USB SECURITY DEVICE CoInstaller )
Unknown task    http://www.bleepingcomputer.com/startups/JupitCo.exe-6000.html

TPPALDR.EXE   
Backgroundtask   
TPP Auto Loader Application

WrtMon.exe   
Driver   
WrtMon.exe

SiteAdv.exe   
Security software   
SiteAdvisor Browser Plugin

WrtProc.exe   
Driver   
WrtProc.exe

em_exec.exe   
Application   
Logitech MouseWare.

ccApp.exe   
Virusscan   
Symantec Common Client CC App

ccApp.exe   
Virusscan   
ccApp.exe

CTCheck.exe   
Backgroundtask   
ZEN Media Explorer

ashDisp.exe   
Virusscan   
Avast AntiVirus

RUNDLL32.EXE   
System task   
Microsoft Rundll32

msmdsrv.exe   
Backgroundtask   
Microsoft SQL Server Analysis Services

wcescomm.exe   
System task   
Microsoft ActiveSync Connection Manager

HDD Thermometer.exe   
Backgroundtask   
HDD Dynamic Link Library

IEPrivacyKeeper.exe   
Backgroundtask   
IEPrivacyKeeper.exe

TeaTimer.exe   
Application   
Spybot S&D Realtime Scanner

rapimgr.exe   
Backgroundtask   
Microsoft ActiveSync Module

ctfmon.exe   
System task   
Alternative User Input Services

NPROTECT.EXE   
Backgroundtask   
Nprotect

GammaTray.exe   
Suspicious task   
MagicTune Traybar Assistant

tbnote.exe   
Backgroundtask   
TurboNote v6.4

WindowsSearch.exe   
Backgroundtask   
Windows Desktop Search Tray

nvsvc32.exe   
Application   
NVIDIA Driver Helper Service

w3dbsmgr.exe   
Backgroundtask   
Database Service Manager

procexp.exe   
Backgroundtask   
Sysinternals Process Explorer

NOPDB.EXE   
Backgroundtask   
Nopdb

sqlwriter.exe   
Backgroundtask   
Microsoft SQL Server

svchost.exe   
System task   
Microsoft Service Host Process

symlcsvc.exe   
Firewall   
Norton Internet Security Suite

svchost.exe   
System task   
Microsoft Service Host Process

fxssvc.exe   
Application   
Microsoft Fax

ashMaiSv.exe   
Virusscan   
Avast Anti-Virus Component

wuauclt.exe   
System task   
AutoUpdate Client

ashWebSv.exe   
Virusscan   
avast! Web Scanner

HijackThis.exe   
Application   
Merijn Hijackthis


***

fxp

  • Guest
Re: siszyd32.exe Problems
« Reply #7 on: December 21, 2009, 09:21:02 PM »
Hi CharleyO, thanks for looking at the logs. My Windows Control Panel shows the MS Firewall turned on. I am using a NAT router which I understand works as a firewall, too. I'm using Ghost for backup and am running an old version of Symantec SystemWorks. I've had all sorts of anti-virus apps running at one time, but have uninstalled everything except Avast for the last two years. It looks like these apps left a lot of garbage on my machine. I'm surprised about the Authentium entry because I don't recall having used anything by that name. VerizonServicepoint.exe could be because I'm on Verizon DSL. I'm going to go back and knock out some of this garbage, but nothing obvious stands out from your viewpoint? Thanks again.

CharleyO

  • Guest
Re: siszyd32.exe Problems
« Reply #8 on: December 22, 2009, 07:05:43 PM »
***

I did a little research on why you might have the Authentium entry and found this ...

Quote
This dvpapi.exe program is part of the Authentium anti-virus and anti-malware software. It may have been distributed with your ISP or cable/dsl service, as this file is included in some security packages.

... at http://www.what-is-exe.com/filenames/dvpapi-exe.html
So, you should check with your ISP as to whether or not they supplied this. But, it would be my guess that they did.

Yes, the MS firewall will not show up in an HJT log analysis, which is explained in #1 of the firewall reasons of the HJT log analysis.

The VerizonServicepoint entry should be OK since that is your ISP, and I just listed it since the program and the executable are the same name, which can appear suspicious.

If you have any more problems, please let us know.


***

fxp

  • Guest
Re: siszyd32.exe Problems
« Reply #9 on: December 23, 2009, 12:27:06 AM »
I thought I had it all cleaned up and I turned on the Internet. In the time it took to download database updates for Avast and Malwarebytes I got hit with four viruses. This is definitely a rootkit that the canned software can't find. I feel it is part of the original siszyd32.exe problem. Any thoughts or suggestions?

fxp

  • Guest
Re: siszyd32.exe Problems
« Reply #10 on: December 30, 2009, 07:40:33 PM »
After throwing out a lot of garbage I think I fixed the problem. Malwarebytes found Adware.AdRotator, which I guess was brought in by siszyd32.exe before it was cleared. Malwarebytes didn't clear everything on AdRotator, I found by researching on ThreatExpert.com. They listed a program "AU .exe" which was still on my machine. They also listed a URL for the attack, which I blocked in the Hosts file just to be safe. I hope this is the end of it; so far, all clear scans. Thanks for your help CharleyO.

CharleyO

  • Guest
Re: siszyd32.exe Problems
« Reply #11 on: December 30, 2009, 09:05:18 PM »
***

You are welcome for the help given.

I am happy that you have solved your problem.


***