Avast WEBforum

Other => Viruses and worms => Topic started by: digitalxni on January 02, 2010, 11:30:43 PM

Title: siszyd32.exe - am I free?
Post by: digitalxni on January 02, 2010, 11:30:43 PM
Evening all!

I noticed this afternoon that a couple of new processes had appeared in the task manager and they, as well as an instance of svchosts.exe, were using up large amounts of cpu. Also there was an instance of firefox running at startup which after I killed, seemed to disappear from the firefox folder (odd?). After a quick google I stumbled upon multiple results about siszyd32 and a lot of threads on this forum. I've just spent the evening running scans. I've run adaware, mbam, sas and freefixer. I've removed everything the first 3 scans picked up and I'm not sure what to make of the results from freefixer. A lot of it seems normal but there is the oddly named dll file which is making me wonder if I am free of this virus/trojan/rootkit. Please see the attached log file.

If anyone can help I'd be extremely grateful!

/digitalxni
Title: Re: siszy32d.exe - am I free?
Post by: cakedoer2 on January 02, 2010, 11:43:21 PM
Hey Digitalxni.

I'm not really advanced in this kind of thing but siszy32d.exe is not a vital Windows process, and it looks like it's not a good one either. Find a way to remove it. I'll take a look at that log file later.

I'm not here to advertise but you might want to try this:

http://www.kaspersky.co.uk/virusscanner

I haven't actually tried it but it might find something.

--

By the way, make sure you update everything that is not up-to-date. Go to Windows update, search for newer versions of programs, whatever. You might also want to tell us your configuration. Schedule a boot-time scan with avast!. If you don't have it yet, get the home edition on the avast! website.
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 03, 2010, 01:02:10 AM
Ok so I've reinstalled firefox (although I've still got the wireless disabled) and rerun mbam which came back completely negative. After rebooting I've noticed that I have no odd looking processes and nothing is taking up mega amounts of cpu. So I think I may well be rid of it but those odd looking results in freefixer worry me slightly.
Title: Re: siszyd32.exe - am I free?
Post by: micky77 on January 03, 2010, 02:31:24 AM
Send erivujepopepacu.dll from C:\WINDOWS\erivujepopepacu.dll to virus total and post the results
http://www.virustotal.com/ (http://www.virustotal.com/)
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 03, 2010, 08:12:08 PM
Here are the virus total results. Looks like win32.hiloti.
Title: Re: siszyd32.exe - am I free?
Post by: micky77 on January 03, 2010, 08:43:39 PM
Sorry I am not really convinced. Not many are picking it up: F-Secure says generic, Sophos suspicious, both are not definite. I don't count the other findings. None of the big ones are finding this. I may be wrong but at this moment, I don't think it's virus related. Then again I doubt it's anything important, no hits on google

Could it be from security tool you have run ?
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 03, 2010, 08:57:57 PM
It says it was created in 2004 so surely not? I just noticed a file next to this dll called Lgelimuwesebeb.bin which appeared yesterday afternoon which is when the problems began but none of my scans have said it is a threat. (I will upload to virustotal shortly). All scans keep coming back negative but I'm still rather worried about connecting the computer back to the internet where it may download more bad things. Is this possible? How can I be sure that I am indeed clean?
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 03, 2010, 11:29:12 PM
One thing I am rather worried about at the moment is that if I were to reconnect to the network, my pc would go on a download rampage of lots more trojans and viruses etc. Is this something I should worry about doing and should I stay disconnected until this matter is resolved?
Title: Re: siszyd32.exe - am I free?
Post by: DavidR on January 04, 2010, 12:17:24 AM
Of course you should be worried, as it makes cleaning harder, but any downloader has to gain access to the internet.

What is your firewall ?
- It should be capable of blocking unauthorised outbound Internet Connections.

I too am not familiar with freefixer, but the one thing I do see is that you are using XP SP2 and SP3 has been out for about 18 months, this leaves you more vulnerable to attack in the first place. Unfortunately you can't begin to install SP3 until your system is clean and this particular siszyd32.exe has in other topics proven difficult to eradicate.

Also JAVA is also out of date leaving another vulnerability (you need to uninstall the old version using add remove programs before installing the latest version).
- I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/ (http://secunia.com/software_inspector/).
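DavidR's point is that a downloader only matters if it can reach the internet, so the firewall should deny outbound connections it has not been told to allow. The PowerShell below is an added example, not from DavidR's post or from any tool named in this thread; it configures the built-in Windows Defender Firewall that way on Windows 8 / Server 2012 or later (the NetSecurity module), from an elevated prompt. The browser path is an assumed value for the example.

```powershell
# Added example, not from DavidR's post or any tool named in the thread.
# Turns the Windows Defender Firewall into the default-deny outbound filter
# DavidR describes: everything outbound is blocked unless a rule allows it.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module) and an
# elevated prompt; the browser path is an assumption for the example.

$browser = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # assumed path

# Block outbound by default on every profile (inbound is already blocked).
# Built-in "Core Networking" rules such as DNS stay enabled, so name
# resolution keeps working for the allowed programs.
Set-NetFirewallProfile -Profile Domain, Public, Private -DefaultOutboundAction Block

# Allow the browser. Anything else, including an unknown binary dropped in
# C:\WINDOWS, now fails to connect and is recorded in the firewall log.
New-NetFirewallRule -DisplayName 'Allow Firefox outbound' -Direction Outbound `
    -Program $browser -Action Allow -Profile Any

# Keep Windows Update working: only svchost.exe while hosting the wuauserv
# service, not svchost.exe in general, so a hijacked service host gains nothing.
New-NetFirewallRule -DisplayName 'Allow Windows Update outbound' -Direction Outbound `
    -Program '%SystemRoot%\System32\svchost.exe' -Service wuauserv -Action Allow -Profile Any

# Log dropped packets so blocked outbound attempts can be reviewed afterwards.
Set-NetFirewallProfile -Profile Domain, Public, Private -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Verify the effective settings.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction, LogBlocked
```

After applying this, any program that is not explicitly allowed shows up as DROP lines in pfirewall.log when it tries to connect, which is exactly the signal a hidden downloader would give away. Other update-related services (BITS, for example) may need the same per-service allow rule.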
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 04, 2010, 06:28:55 PM
I'll be downloading and running OTS soon in the way that essexboy has said in many other threads. I will upload the results later tonight and hopefully someone can make some sense out of them!
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 05, 2010, 12:01:32 AM
Here is a link to the OTS log:

http://www.mediafire.com/?jzbwikktngn

Just to add a few things I've noticed lately. Once the pc has booted into windows I get a message saying that there is no internet connection etc. This is probably due to some software trying to update on boot though. I also connected to the internet briefly the other day to upload some logs and as soon as I did, an instance of svchosts.exe started hogging lots of cpu again. :(
Title: Re: siszyd32.exe - am I free?
Post by: CharleyO on January 06, 2010, 07:14:58 PM
***

Hopefully, essexboy will be in sometime soon and see this thread.


***
Title: Re: siszyd32.exe - am I free?
Post by: essexboy on January 06, 2010, 09:38:47 PM
Here I be - there is a rootkit/hidden driver that I will need to kill

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Modules - Safe List]
YY -> erivujepopepacu.dll -> C:\WINDOWS\erivujepopepacu.dll
[Registry - Additional Scans - Safe List]
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
YN -> http [open] -> "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"
YN -> https [open] -> "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"
[Files/Folders - Created Within 30 Days]
NY ->  3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  daleg.sys -> C:\WINDOWS\System32\drivers\daleg.sys
NY ->  Lgelimuwesebeb.bin -> C:\WINDOWS\Lgelimuwesebeb.bin
NY ->  Yhenij.dat -> C:\WINDOWS\Yhenij.dat
NY ->  49 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  117 C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp
NY ->  117 C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp
[Files - No Company Name]
NY ->  erivujepopepacu.dll -> C:\WINDOWS\erivujepopepacu.dll
[Custom Scans]
NY ->  2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.


THEN

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
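The OTS fix above acts on two classes of indicator: recently created files sitting directly in C:\WINDOWS with no company name in their version resource, and the http/https "shell spawning" handlers that decide which program runs when a link is opened. The PowerShell below is an added example, not OTS, ComboFix or essexboy's code; it performs read-only versions of those two checks on a current Windows host (PowerShell 5.1 or later). The function names, the 30-day window and the extension list are assumptions made for the example.

```powershell
# Added example: read-only triage of the two indicator classes the OTS fix
# above acts on. Not part of OTS or ComboFix. Assumes Windows PowerShell 5.1
# or later; Find-UnbrandedWindowsFiles and Get-UrlHandlerStatus are names
# chosen here, and the 30-day window and extension list are assumptions.

function Find-UnbrandedWindowsFiles {
    param(
        [int]$Days = 30,
        [string]$WinDir = $env:windir
    )
    # Only the Windows directory itself: the OTS log lists droppers as
    # C:\WINDOWS\*.dll, while genuine system binaries live in System32 and
    # carry a CompanyName in their version resource.
    $cutoff = (Get-Date).AddDays(-$Days)
    $exts = '.dll', '.exe', '.sys', '.bin', '.dat'
    Get-ChildItem -LiteralPath $WinDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $exts -and $_.CreationTime -gt $cutoff } |
        Where-Object { [string]::IsNullOrWhiteSpace($_.VersionInfo.CompanyName) } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime
                Bytes   = $_.Length
                # SHA-256 can be searched on VirusTotal without uploading the file
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Get-UrlHandlerStatus {
    param([string[]]$Protocols = @('http', 'https'))
    foreach ($proto in $Protocols) {
        $key = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$proto\shell\open\command"
        $cmd = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if (-not $cmd) { continue }
        # The executable is the first quoted token, or else the first bare token
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $exists = Test-Path -LiteralPath $exe
        $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Protocol   = $proto
            Command    = $cmd
            Executable = $exe
            Signature  = $sig
            # Heuristic: a handler that is missing, unsigned, or not installed under
            # Program Files deserves a look. Per-user browser installs will also trip it.
            Suspicious = (-not $exists) -or ($sig -ne 'Valid') -or ($exe -notmatch '\\Program Files')
        }
    }
}

Find-UnbrandedWindowsFiles | Format-Table -AutoSize
Get-UrlHandlerStatus | Format-List
```

Run it from an elevated prompt so every file in the Windows directory can be read. A hit in the first table is a candidate for a VirusTotal hash lookup, as micky77 suggested earlier in the thread; a `Suspicious = True` row in the second list is the same condition the OTS "Registry Shell Spawning" repair corrects.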
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 07, 2010, 04:30:47 PM
Just ran the OTS fix. After reboot I got a RUNDLL error saying that the module could not be loaded for the file C:\WINDOWS\erivujepopepacu.dll

Please find attached the OTS log file. I will run combofix once you've had a gander at this log file :)

EDIT: Just to add I noticed that this fix has only moved the oddly named files (ddls, bins etc.) Will combo fix remove these completely?
Title: Re: siszyd32.exe - am I free?
Post by: essexboy on January 07, 2010, 09:57:01 PM
Yep run CF now and that should tidy up the registry entries and kill the other files I missed  ;D

The files have been moved to quarantine now and are harmless
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 07, 2010, 10:36:44 PM
Meh think I might have buggered it up! I wasn't actually connected to the internet when I ran combofix and it carried on scanning regardless. On the final reboot, I still got a rundll error about the missing dll file which OTS moved. Here is the log anyway. Should I run it again so that I can download the recovery console?

Title: Re: siszyd32.exe - am I free?
Post by: essexboy on January 07, 2010, 10:41:36 PM
Yes you will need the recovery console for Combofix to replace your infected Atapi file

So re-run whilst connected to the net and allow it to download the recovery console

On completion of that could you re-run OTS again but without the custom scan elements
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 07, 2010, 11:21:44 PM
Hmmm it doesn't seem to be doing a lot... Ran it again and it's downloaded the recovery console.. It's said it's currently scanning for files but I've not seen anything pop up to show what it's scanning and it's been going for 30mins now. Just seems odd :P
Title: Re: siszyd32.exe - am I free?
Post by: essexboy on January 07, 2010, 11:22:59 PM
Does it show the stages it is going through ?
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 07, 2010, 11:25:26 PM
No, all it says is that is scanning for infected files. Last time I ran the scan it had finished and started rebooting after a few mins.
Title: Re: siszyd32.exe - am I free?
Post by: essexboy on January 07, 2010, 11:30:14 PM
Leave it for a further 10 minutes then close via task manager. Reboot and then run again 

It will take a bit longer as it will need to replace files via the recovery console
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 07, 2010, 11:34:03 PM
Just tried to load up the task manager to see if combofix was doing anything and the systray icon appears but not the task manager window. Is it safe to just hit close on combofix?
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 07, 2010, 11:37:50 PM
Now I just got a BSOD :s

KERNEL_DATA_INPAGE_ERROR

STOPL 0x0000007A (0xE1688E4C, 0xC000026E, 0xBF965788, 0x1E68D860)
win32k.sys
Title: Re: siszyd32.exe - am I free?
Post by: essexboy on January 08, 2010, 07:34:53 PM
Could you reboot and run a new OTS for me please, plus let me know what your problems are now
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 08, 2010, 10:25:34 PM
Managed to run combofix without errors about the BSOD. I then ran an OTS scan without any other options. Here are the logs:
Title: Re: siszyd32.exe - am I free?
Post by: essexboy on January 08, 2010, 10:33:14 PM
There is a possible MBR infection present - so lets clear that

1. Please open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
MBR::


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 08, 2010, 10:56:03 PM
Here we go :)
Title: Re: siszyd32.exe - am I free?
Post by: essexboy on January 08, 2010, 11:01:20 PM
How is it running now ?
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 08, 2010, 11:04:42 PM
The computer? I don't see any dodgy processes running and when I connect to the network the cpu usage doesn't jump up to 50+% so I guess things are back to normal?
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 08, 2010, 11:06:37 PM
Just to add, is it safe to delete the combofix and ots folders created:
C:\_OTS and C:\Qoobox ?
Title: Re: siszyd32.exe - am I free?
Post by: essexboy on January 08, 2010, 11:10:21 PM
Easier way - run OTS and hit the cleanup button - all gone  ;D

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
You now have a clean restore point, to get rid of the bad ones:
Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 08, 2010, 11:20:17 PM
Ok so just created a new restore point and then ran the OTS clean up and upon reboot explorer crashed and now an instance of svchosts is taking up 50% cpu. erk!
Title: Re: siszyd32.exe - am I free?
Post by: essexboy on January 09, 2010, 01:54:36 PM
here (http://z-oleg.com/avz4.zip)
Note: If you receive an error message, choose a different source, then click Start again


(http://perplexus.geekstogo.com/avz-standardscripts-asa-removal.png)
When restarted

(http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-standardscripts.png)
Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post or upload to mediafire

Title: Re: siszyd32.exe - am I free?
Post by: digitalxni on January 19, 2010, 10:50:14 PM
I have finally returned after a brief excursion and I'm determined to fix this. I've run process explorer and noticed that the svchosts.exe that is taking up 50% at startup is running a windows update process and after a few minutes it stops running and the CPU usage drops back to 0. What I am rather concerned about is the disappearance of some of my hard drive space on C:\. After running all these scans trying to remove the rootkit, the space had dropped by several hundred mb and continues to drop slightly more each day. Even after removing temp files I can't seem to restore it back to what it previously was. Could I still be infected?
Title: Re: siszyd32.exe - am I free?
Post by: essexboy on January 19, 2010, 11:54:05 PM
OK run OTS and hit the cleanup button - that will remove the tools

Then

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
THEN

Download and run Auslogics Disc Defragmenter (http://www.auslogics.com/en/software/disk-defrag/download)

If you still have a space problem we will investigate that