Avast WEBforum

Other => Viruses and worms => Topic started by: MudPuddles on December 11, 2009, 09:06:30 PM

Title: siszyd32.exe
Post by: MudPuddles on December 11, 2009, 09:06:30 PM
Hello everyone,

I have a file siszyd32.exe on my laptop.

My computer had started running extremely slowly, 100% CPU taken up by a few svchost and hkcmd processes. I noticed the siszyd32.exe file in the list of Start Up programs when I was using CCleaner. A Google search for this tells me that it is a dangerous trojan file. CCleaner puts its location at  C:\...AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siszyd32.exe

Unfortunately, I can't actually see it in the location where CCleaner says it is, nor can I delete it via CCleaner. Apparently this is one of the problems with this file (it being a bugger to remove). Avast Home Edition and Avast Virus Cleaner both fail to find it, as do SuperAntiSpyware and MalwareBytes.  I have managed to disable it from running at Startup (via CCleaner), but it's still there on the CCleaner list of Start Up programs.

Any suggestions for what I could / should do would be greatly appreciated.

Many thanks,
MP

(p.s. I am using Windows Vista Home Premium 2007, Service Pack 2)
Title: Re: siszyd32.exe
Post by: Lisandro on December 11, 2009, 09:19:06 PM
Does the file exist? I mean, it could be a hidden virus (a rootkit).
Did you try running avast at boot time?
Title: Re: siszyd32.exe
Post by: MudPuddles on December 11, 2009, 09:24:29 PM
Thank you Tech, I have not tried that but will do a boot scan and see how that goes...
Title: Re: siszyd32.exe
Post by: Lisandro on December 11, 2009, 09:39:36 PM
Thank you Tech, I have not tried that but will do a boot scan and see how that goes...
Post back if the problem persists.
Title: Re: siszyd32.exe
Post by: polonus on December 11, 2009, 10:11:04 PM
Hi MudPuddles,

Let us delve into that a bit further now.
Download RSIT by random/random from here:  http://images.malwareremoval.com/random/RSIT.exe
but before saving, in the Save dialog, rename rsit.exe to explorer.exe and save it to your desktop.
* Double click on RSIT.exe to run RSIT.
* Click Continue at the disclaimer screen.
* Once it has finished, two logs will open. If it does not automatically open, then these logs can be found at %systemdrive%\rsit folder (typically C:\rsit)

polonus
Title: Re: siszyd32.exe
Post by: wvos on December 12, 2009, 03:01:01 AM
The same happened to me today.

It all started with AVAST throwing these warnings. I was browsing with Firefox 3.5+

    11/12/2009 23:08:51 xxx 412 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\~TM1F1A.tmp” file.

I told AVAST to delete ~TM1F1A.tmp, but avast apparently didn’t delete the file. Shortly after AVAST complained about a system file:

    11/12/2009 23:10:08 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\drivers\atapi.sys” file.
    11/12/2009 23:10:37 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\dllcache\atapi.sys” file.

Then I looked at the running processes.

A process called CsimPlayer.exe was running and had two child processes svchost.exe attached to it.

Running a SHA Hash comparison between CsimPlayer.exe and the tmp-file confirmed that CsimPlayer.exe was indeed ~TM1F1A.tmp, the file AVAST identified as malware. It was still there, in the windows temp directory.

The same CsimPlayer was added to the startup registry tree: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (C:\WINDOWS\system32\CsimPlayer.exe)


In the meantime a CMD (command prompt) process was VERY active running a batch called fjhdyfhsn.bat. The batch command file contained the following statements (a loop trying to delete Firefox… ):

    @echo off
    :try
    @del /F /Q "C:\Program Files\Mozilla Firefox\firefox.exe"
    if exist "C:\Program Files\Mozilla Firefox\firefox.exe" goto try

The BAT file was dropped on my system on 11 December at 23:08, right before the ~temp file.

Another file called siszyd32.exe was dropped in the StartUp folder.

I still don’t know what it was and why Avast isn’t detecting it.

What I did:

    * I ran process explorer: ( http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx )
    * I killed all CMDs, siszyd32.exe and CsimPlayer.exe (including the child processes)
    * I removed all instances of siszyd32.exe and CsimPlayer.exe on my C:\ drive and I deleted both the infected atapi.sys files.
    * I removed it from the registry
    * And I ran Malwarebyte's anti-malware

I checked the site where I thought it originated from, but it's not there... :-/  It could be a root-kit that has resided, who knows how long, on my system. There's no way to check for root-kits when the OS is running. It's only noticeable when the root-kit installs or downloads files that inadvertently trigger avast.

So if someone knows a good OFFLINE (boot-cd) rootkit scanner, please let me know.

Thanks.
Title: Re: siszyd32.exe
Post by: pinnacle on December 12, 2009, 03:16:04 AM
You can give Vipre Rescue a try; it is effective against rootkits. This page explains it and the download link is there also: http://live.sunbeltsoftware.com/
Title: Re: siszyd32.exe
Post by: MudPuddles on December 12, 2009, 11:30:17 AM
Hello all and thanks for the replies.

Here is an update.

I restarted and ran avast again, it found 4 infected files but could not move them to the virus chest.
I ran malwarebytes again and it found a file (C:\...\AppData\Local\Temp\0.27193285186218485.exe (Trojan.Dropper)) and removed it.

Another scan of avast cleaner and SAS found nothing. I ran avast boot scan, seemed to find nothing. CCleaner still finds siszyd32.exe in the StartUp list.

Polonus - I have attached the RSIT files for info. I'm afraid I don't have the tech knowledge to understand these.

pinnacle - I have downloaded Vipre Rescue but will wait to use it until I hear more on the RSIT outputs.

Thanks again folks,
MP
Title: Re: siszyd32.exe
Post by: YoKenny on December 12, 2009, 12:30:56 PM
The Sun Java jre1.6.0_02 and Adobe Acrobat 8.0 are way downlevel and very vulnerable to attack.

Go to Add/Remove Programs and remove all Sun Java and Adobe installs.

The current Sun Java is Version 6 Update 17:
http://www.java.com/en/download/manual.jsp

Adobe Acrobat 9:
http://www.adobe.com/products/acrobat/segments/individual

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online
Title: Re: siszyd32.exe
Post by: MudPuddles on December 12, 2009, 03:11:37 PM
Thanks YoKenny.

I've updated Sun Java to the latest version. Adobe Acrobat Standard 8 is a licensed product and I shouldn't have to purchase the latest edition (Acrobat Standard 9) - I have however downloaded all current updates (I now have updated to 8.1.7).

Thanks for pointing out that Secunia tool, it's very useful. I also needed to update Flash Player and related ActiveX controls.

After that, it seems I still have an infection with siszyd32.exe that I can't shift....

MP
Title: Re: siszyd32.exe
Post by: essexboy on December 12, 2009, 03:26:27 PM
Hi, there is an infection hooked to your C:\WINDOWS\system32\drivers\atapi.sys file. What we need to do is replace that with a legitimate version and kill the spawner.  Normally I ask for an analysis scan first - but as you have posted the data I need we can go straight for an automatic repair/replace

Note : As you have Vista you will not see the RC prompt 

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

 
Title: Re: siszyd32.exe
Post by: MudPuddles on December 12, 2009, 04:29:11 PM
Many thanks essexboy.

I've gone through that, and the ComboFix.txt file is attached here.

MP
Title: Re: siszyd32.exe
Post by: essexboy on December 12, 2009, 05:12:10 PM
There is no indication of the hook now.  A few to remove and then let me know how it is running

 1. Please open Notepad2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\users\Conor \AppData\Roaming\fvgqad.dat
c:\users\Conor \AppData\Roaming\avdrn.dat

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Title: Re: siszyd32.exe
Post by: MudPuddles on December 12, 2009, 05:44:52 PM
Thanks again essexboy.
I've gone through that procedure, here is the new ComboFix.txt file.
How do I get an OTListit log? Sorry for my ignorance.
MP

EDIT: I've now also attached a new RSIT log file in case that's what you need.
Title: Re: siszyd32.exe
Post by: essexboy on December 12, 2009, 06:55:45 PM
My apologies I used my standard canned from my malware forum  :-[

Checking the logs now - what problems do you have at the moment
Title: Re: siszyd32.exe
Post by: essexboy on December 12, 2009, 07:01:52 PM
Let's kill the bad boy now

1. Please open Notepad2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\Users\Conor \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siszyd32.exe


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Title: Re: siszyd32.exe
Post by: MudPuddles on December 12, 2009, 10:15:42 PM
Now....!

Thanks again essexboy, this help is greatly appreciated.

Here's an update:
After following your instructions, I rebooted (see my note on that point below...). Up until now, I could see the siszyd32.exe file in both CCleaner and in the Startup list via Windows Defender, and I could disable it, but not delete it. This time, I could still see it, but was able to delete it easily. Whether I have just deleted it from the startup list and its still there somewhere or its completely dead I'm not sure. I have attached the Combofix.txt and log.txt files for your info.

Anyway, CPU usage seems to have significantly improved (between 5% and 20% when I'm using the same programs where previously it was generally between 50% and 100%).

On the reboot, just one thing to note - the previous 2 times I ran ComboFix, it didn't ask / suggest / require a reboot, but this third time I couldn't open either Firefox or IE after the process had finished (a message popped up saying I had selected a registry item that was marked for deletion). A reboot seems to have gotten over that, but anyway, there you go... just for future reference in case its of interest.

MP
Title: Re: siszyd32.exe
Post by: essexboy on December 12, 2009, 10:37:31 PM
OK, it has a hidden backup that is now revealed, so let's kill that as well

Again let me know how it runs on completion as this should be the end

1. Please open Notepad2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\pss\siszyd32.exe
c:\users\Conor \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siszyd32.exe

Registry::
[-HKLM\~\startupfolder\C:^Users^Conor ^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^siszyd32.exe]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Title: Re: siszyd32.exe
Post by: MudPuddles on December 13, 2009, 08:44:15 PM
Ok, after doing that performance is pretty good, CPU usage bouncing around below 20%, of which svchost processes running about half.

.txt files attached.

MP
Title: Re: siszyd32.exe
Post by: essexboy on December 13, 2009, 09:27:11 PM
The following will implement some cleanup procedures as well as reset  System Restore points:

Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall
Title: Re: siszyd32.exe
Post by: MudPuddles on December 13, 2009, 10:22:52 PM
All done. Thank you sir!

Two quick questions, for my own information -
Since the startup program listings in CCleaner and in Windows Defender could see it, but I couldn't find it on the hard drive, and CCleaner couldn't delete it, I am guessing that siszyd32.exe was not actually the root of the problem... is that correct? i.e. was the infection really another file hiding on my hard drive that created the siszyd32.exe file?

Second, I'm normally pretty good with antivirus security, running avast, MBAM, SAS pretty regularly. Apart from keeping software up to date, is there something I can do to better prevent this kind of problem?

Many thanks,
MP
Title: Re: siszyd32.exe
Post by: essexboy on December 13, 2009, 11:22:18 PM
It was actually being protected by the second copy - which neither of the other programmes saw.  As it was being run from the registry under the appints

Unfortunately this is one of those nasties that could come from anywhere

Your security regime looks sound - I use Avast and MBAM, so in a way it is the luck of the draw if you visit an infected website 
Title: Re: siszyd32.exe
Post by: MudPuddles on December 13, 2009, 11:41:23 PM
Thanks for your help with this essexboy and the others who posted advice, I really appreciate you taking the time out to go through everything with me and sort this out.
Best,
MP
Title: Re: siszyd32.exe
Post by: ghosty85 on December 14, 2009, 04:21:21 PM
I've got the exact same problem with siszyd32.exe. It's really annoying me!!! grrrrrrrrr.

I've got combofix and ccleaner but have no idea what to do. Any guidance EssexBoy?

Thanks in advance.
Title: Re: siszyd32.exe
Post by: essexboy on December 14, 2009, 09:52:06 PM
Yes - first do not run combofix as it has been pulled for the moment due to a rootkit causing mayhem when CF tries to remove it. 

So let's see what you have on your system with my other tools and see if I can kill it manually

To ensure that I get all the information this log will need to be uploaded to Mediafire (http://www.mediafire.com/) and post the sharing link.

Download OTS (http://oldtimer.geekstogo.com/OTS.exe)  to your Desktop
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
CREATERESTOREPOINT
Title: Re: siszyd32.exe
Post by: ghosty85 on December 14, 2009, 11:24:23 PM
Much appreciated for your time essexboy  :)

Here's the mediafire link:

http://www.mediafire.com/?mqn0jjimjdd
Title: Re: siszyd32.exe
Post by: rankfast on December 15, 2009, 12:26:50 AM
Hi EssexBoy,

I have the same problem with siszyd32.exe and csimplayer.exe file. I have Windows XP Pro and I can't even boot into regular mode. I have run the OTS.exe in SAFE MODE and uploaded the file to http://www.mediafire.com/?yjyh5mjtrhn .
I have also attached the RSIT log files with this post.

Please help.

Let me know if any other logs are needed.

Thanks.
Title: Re: siszyd32.exe
Post by: brunobruck on December 15, 2009, 01:24:49 AM
Hi everyone, I had the same problem and sorted it out with the following program: http://www.superantispyware.com/ (http://www.superantispyware.com/).
I hope this can be helpful for you.

Title: Re: siszyd32.exe
Post by: essexboy on December 15, 2009, 09:59:21 PM
@rankfast  could you start your own thread and PM me the link as I cannot run two infections in one thread Ta

@ghosty85

Ok, first the bad news: you have the latest version of a rootkit.  It has infected both copies of a file on your computer.  Do you have access to another computer where you can get a copy of this file, C:\WINDOWS\system32\DRIVERS\atapi.sys? If you can, I will need you to copy it to your root C: drive.  Let me know on this

Quote
One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


Let's clear some of the garbage now

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Modules - Safe List]
YY -> ucevenupehukuh.dll -> C:\WINDOWS\ucevenupehukuh.dll
[Win32 Services - Safe List]
YN -> (gupdate) Google Update Service (gupdate) [Auto | Stopped] ->
YY -> (MyWebSearchService) My Web Search Service [Auto | Stopped] -> C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2499262627-2763923191-843853277-1006\] > ->
YN -> HKEY_USERS\S-1-5-21-2499262627-2763923191-843853277-1006\: Main\\"SearchMigratedDefaultName" -> My Web Search
YN -> HKEY_USERS\S-1-5-21-2499262627-2763923191-843853277-1006\: Main\\"SearchMigratedDefaultUrl" -> http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCxdm768YYGB&fl=0&ptb=hFaIfhRKCbQmyZGSCaRTFg&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
< FireFox Extensions [User Folders] > ->
YY -> No name found   -> C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\osrbx5ud.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> "{07B18EA9-A523-4961-B6BB-170DE4475CCA}" [HKLM] -> C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL [My Web Search]
YN -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Fnafidi" -> C:\WINDOWS\ucevenupehukuh.DLL [rundll32.exe "C:\WINDOWS\ucevenupehukuh.dll",Startup]
YN -> "Regedit32" -> C:\WINDOWS\System32\regedit.exe [C:\WINDOWS\system32\regedit.exe]
< Lee Startup Folder > -> C:\Documents and Settings\Lee\Start Menu\Programs\Startup
YY -> ~EmptyValue -> C:\Documents and Settings\Lee\Start Menu\Programs\Startup\siszyd32.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\sdra64.exe -> C:\WINDOWS\system32\sdra64.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
[Files/Folders - Modified Within 30 Days]
NY ->  fecdfxgl.sys -> C:\WINDOWS\System32\drivers\fecdfxgl.sys
NY ->  Swafamagabo.dat -> C:\WINDOWS\Swafamagabo.dat
NY ->  Qkoqi.bin -> C:\WINDOWS\Qkoqi.bin
NY ->  av_md.exe -> C:\WINDOWS\System32\av_md.exe
NY ->  avdrn.dat -> C:\Documents and Settings\Lee\Application Data\avdrn.dat
[Files - No Company Name]
NY ->  fecdfxgl.sys -> C:\WINDOWS\System32\drivers\fecdfxgl.sys
NY ->  av_md.exe -> C:\WINDOWS\System32\av_md.exe
NY ->  fvgqad.dat -> C:\Documents and Settings\NetworkService\Application Data\fvgqad.dat
NY ->  Swafamagabo.dat -> C:\WINDOWS\Swafamagabo.dat
NY ->  Qkoqi.bin -> C:\WINDOWS\Qkoqi.bin
NY ->  fvgqad.dat -> C:\Documents and Settings\LocalService\Application Data\fvgqad.dat
NY ->  avdrn.dat -> C:\Documents and Settings\Lee\Application Data\avdrn.dat
NY ->  ucevenupehukuh.dll -> C:\WINDOWS\ucevenupehukuh.dll
NY ->  pn.ini -> C:\WINDOWS\pn.ini
NY ->  pr.ini -> C:\WINDOWS\pr.ini
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.


Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
Title: Re: siszyd32.exe
Post by: DavidR on December 15, 2009, 11:01:17 PM
@ essexboy

rankfast can't PM you as the PM function is unavailable to those without 20 posts.
Title: Re: siszyd32.exe
Post by: essexboy on December 15, 2009, 11:06:12 PM
OOpps  :-[
Title: Re: siszyd32.exe
Post by: ghosty85 on December 16, 2009, 01:04:47 AM
Essexboy, the siszyd32.exe file is no longer on my system, I believe. It doesn't show up in my automatic start ups which it always used to do, so thank you for that.

However, I've tried copying the atapi.sys file from my housemate's computer but it won't let me copy it to a storage device as it's 'in use' on his system. Any ideas on what to do there?

Also, sometimes my laptop decides to display an error message and a 1 minute countdown till a system restart. It mentions there's an error with system32's 'services.exe' or something like that. Probably because my atapi.sys is messed up (or deleted now).

You've been a star so far and I really appreciate you killing the little bastard (by far the worst virus I've had). So again thank you.

Here is the second OTS.txt as per your request: http://www.mediafire.com/?ihljgenytjz
Title: Re: siszyd32.exe
Post by: mjolnirthor on December 16, 2009, 10:37:48 AM
Hello,

I've got the same problem. Can I use the fix you made for ghosty85?
Title: Re: siszyd32.exe
Post by: sebster on December 16, 2009, 12:45:04 PM
Hello Essexboy,

I have the same problem with siszyd32.exe.

When I started my computer, Windows Defender warned me and I could easily delete this Trojan, but I'm still not sure if it is deleted entirely :s. Can I use your fixes you have made for the others?

Thanks in advance
Title: Re: siszyd32.exe
Post by: spg SCOTT on December 16, 2009, 12:58:01 PM
To all asking to use the fixes...

I would say no. They were created specifically for that user, and could cause more problems for you in the long term...

I would create a new thread, to save essexboy getting confused, like he asked:

...could you start your own thread <snip> as I cannot run two infections in one thread Ta
It will just be too confusing for him...

I'm sure he will notice your posts, as he will be able to help you better.

He is not online at the moment, so I don't know how long it will be before he is here...
Thanks,

-Scott-
Title: Re: siszyd32.exe
Post by: DavidR on December 16, 2009, 03:38:45 PM
Hello,

I've got the same problem. Can I use the fix you made for ghosty85?

I would say the short answer is no. Any specific fix is crafted from the logs submitted by the person the fix is for. So as has been said it would have to be in a topic of its own, so as not to confuse/complicate this one.
Title: Re: siszyd32.exe
Post by: Frank! on December 16, 2009, 07:07:46 PM
I had the same virus (siszyd32.exe) in my startup this morning.
It made svchost.exe (wmiprvse.exe to be more specific) use all of the CPU power.

It was removed by Malwarebytes' Anti-Malware (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button) without problems.
Title: Re: siszyd32.exe
Post by: essexboy on December 16, 2009, 08:48:10 PM
@ghosty85

Look in the following locations on the other system for the atapi.sys file
Quote
C:\WINDOWS\ServicePackFiles\i386\atapi.sys
C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

Or run the following small programme on the computer and it will show you all the locations to copy from.  Use the backup caches to copy from

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Code:
:filefind
atapi.sys
Note: The log can also be found on your Desktop entitled SystemLook.txt

Any file not in use can be copied

EACH FIX IS INDIVIDUAL TO THAT COMPUTER AND MAY BREAK ANOTHER SYSTEM
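Two posts in this thread rely on the same defensive check: wvos matched C:\WINDOWS\system32\CsimPlayer.exe to the flagged C:\WINDOWS\TEMP\~TM1F1A.tmp by comparing their hashes (same content under different names), and essexboy's atapi.sys advice rests on the fact that the live driver and its backup-cache copies (dllcache, ServicePackFiles\i386, $NtServicePackUninstall$) should be byte-for-byte identical, so a copy that disagrees with the caches is suspect. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It builds a constructed directory tree with placeholder bytes (no real malware samples), hashes every file with SHA-256, and reports both kinds of finding: files sharing content under different names, and filenames whose copies diverge. On a real machine you would point hash_tree at a mounted offline image or an externally attached drive, since a rootkit that hooks atapi.sys can lie to the running OS.

```python
"""Cross-check file copies by SHA-256 (added example; paths and contents constructed)."""
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root to its digest."""
    return {p: sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def content_duplicates(hashes):
    """Digests shared by files with different basenames (wvos's CsimPlayer.exe / ~TM1F1A.tmp match)."""
    by_digest = defaultdict(list)
    for path, digest in hashes.items():
        by_digest[digest].append(path)
    return {d: ps for d, ps in by_digest.items()
            if len({p.name.lower() for p in ps}) > 1}


def divergent_copies(hashes):
    """Basenames whose copies carry more than one digest (the atapi.sys live-vs-cache check)."""
    by_name = defaultdict(dict)
    for path, digest in hashes.items():
        by_name[path.name.lower()][path] = digest
    return {n: ps for n, ps in by_name.items() if len(set(ps.values())) > 1}


def build_demo_tree(root):
    """Constructed sample layout mirroring the thread's paths; bytes are placeholders, not malware."""
    files = {
        "WINDOWS/TEMP/~TM1F1A.tmp": b"DROPPER-PAYLOAD-CONSTRUCTED",
        "WINDOWS/system32/CsimPlayer.exe": b"DROPPER-PAYLOAD-CONSTRUCTED",
        # live driver and dllcache copy both patched, as wvos and essexboy describe
        "WINDOWS/system32/drivers/atapi.sys": b"ATAPI-DRIVER-PATCHED-CONSTRUCTED",
        "WINDOWS/system32/dllcache/atapi.sys": b"ATAPI-DRIVER-PATCHED-CONSTRUCTED",
        # service-pack caches still hold the clean driver
        "WINDOWS/ServicePackFiles/i386/atapi.sys": b"ATAPI-DRIVER-CLEAN-CONSTRUCTED",
        "WINDOWS/$NtServicePackUninstall$/atapi.sys": b"ATAPI-DRIVER-CLEAN-CONSTRUCTED",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    """Build the sample tree, run both checks, and return results keyed by POSIX-style relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        hashes = hash_tree(root)
        rel = lambda p: p.relative_to(root).as_posix()
        return {
            "same_content": [sorted(rel(p) for p in ps)
                             for ps in content_duplicates(hashes).values()],
            "divergent": {n: {rel(p): d for p, d in ps.items()}
                          for n, ps in divergent_copies(hashes).items()},
        }


if __name__ == "__main__":
    result = run_demo()
    for group in result["same_content"]:
        print("same content, different names:", group)
    for name, copies in result["divergent"].items():
        print(f"{name}: copies disagree")
        for path, digest in copies.items():
            print(f"  {digest[:16]}  {path}")
```

The divergent_copies report deliberately does not decide which digest is "clean": on the thread's machines the live driver and dllcache agreed with each other and were both patched, so majority vote would have picked the wrong one. Compare against a copy taken from a known-clean machine or installation media, as essexboy asks ghosty85 to do.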
Title: Re: siszyd32.exe
Post by: essexboy on December 16, 2009, 09:43:49 PM
@ghosty85 there is a new programme by Kaspersky that has had good results so far and is now out of Beta

Title: Re: siszyd32.exe
Post by: chickensandducks on December 19, 2009, 10:27:52 PM
Ok I am having this same siszyd32.exe problem pop up on my computer, and I'm not extremely good with computers. I have done some stuff with combo fix before but am not exactly sure how to use it.

Can anyone assist me in removing the pesky thing? Help would be super appreciated.
Title: Re: siszyd32.exe
Post by: essexboy on December 19, 2009, 11:53:07 PM
Unfortunately no two attacks are the same so first I will need to see what you have.  But could you start a new thread and put the following in it.  Post the link to the new thread here and I will receive notification 

To ensure that I get all the information this log will need to be uploaded to Mediafire (http://www.mediafire.com/) and post the sharing link.

Download OTS (http://oldtimer.geekstogo.com/OTS.exe)  to your Desktop
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
CREATERESTOREPOINT
Title: Re: siszyd32.exe
Post by: ghosty85 on December 23, 2009, 10:59:34 PM
Right, now this is really (beep) me off now. The (beep) virus has well and truly (beep) up my system. Although the virus is destroyed, the damage it has left has (beep) everything up.

I use a little Eee PC laptop (this is the one that had the siszyd32.exe virus on it). Now the laptop doesn't even start up. At the part when it's booting up where the 'Windows' logo appears (with the loading progress bar) the laptop freezes and just maintains a blank black screen. That's about as far as I get.

The (beep) virus has well and truly (beep) up the operating system.

The (beep) laptop hasn't even got a CD drive so I can't even reformat. How the (beep) do you reformat without a (beep) CD drive?!!

Grrrrrrrrrrrrrrrrr.... (beep) (beep).

As you can tell, the little (beep) has (beep) me off.
Title: Re: siszyd32.exe
Post by: DavidR on December 23, 2009, 11:40:00 PM
I appreciate that this is very frustrating, but this forum is open to all and that includes the young, so please modify the language in your post..
Title: Re: siszyd32.exe
Post by: randle on December 27, 2009, 12:02:30 AM
Get up your startup programs or a program that disables startup programs (like AVG Antispyware) and identify the file. You won't be able to delete it; it just denies you every time. Next go into your Task Manager, keeping the other window open. Go into Processes and find the svchost that is running really high CPU (around 90 - 99) and end the process. Your computer will now say it's shutting down in 1 minute. Quickly disable or delete the malicious file or startup program. Now let the PC restart and do a virus scan. It'll now find the file and delete it if you haven't already done so. I only know this because I just did it myself. You'll also want to do a registry scan with a program like CCleaner and fix all the issues because it messes your registry up like a bastard.
DONE DONE DONE DONE DONE!
No one seems to have been able to do it, and this virus has been fooled by a 17 year old boy. Amateur programmers.
Title: Re: siszyd32.exe
Post by: Tarq57 on December 27, 2009, 12:13:57 AM
Get up your startup programs or a program that disables startup programs (like AVG Antispyware) and identify the file. You won't be able to delete it; it just denies you every time. Next go into your Task Manager, keeping the other window open. Go into Processes and find the svchost that is running really high CPU (around 90 - 99) and end the process. Your computer will now say it's shutting down in 1 minute. Quickly disable or delete the malicious file or startup program. Now let the PC restart and do a virus scan. It'll now find the file and delete it if you haven't already done so. I only know this because I just did it myself. You'll also want to do a registry scan with a program like CCleaner and fix all the issues because it messes your registry up like a bastard.
DONE DONE DONE DONE DONE!
No one seems to have been able to do it, and this virus has been fooled by a 17 year old boy. Amateur programmers.
Perhaps in your youthful exuberance you may have failed to take account of the possibility that the infection and its related garbage might have a different manifestation on different systems, and what worked for you may not work for others.
AVG Antispyware was discontinued as a stand-alone program some time ago.
Title: Re: siszyd32.exe
Post by: slovene59 on January 01, 2010, 08:21:02 PM
I have the same situation and solved it today very easily. Just install FreeFixer from the net, and when it has finished, check the siszyd32 entry in the startup column. This siszyd32 is some kind of virus and produces 100% CPU usage on svchost.exe .
It worked for me! ;D
Title: Re: siszyd32.exe
Post by: gitarslinger on January 04, 2010, 11:33:44 PM
Add me to the list of people needing to get rid of this.  This, and sr882388, and powerreg scheduler, and a likely problem with a bad services.exe file.  I've posted the details at http://forum.avast.com/index.php?topic=53063.0

Yep, I posted it in the general forum by mistake.  Chalk it up to newbie exuberance.

Can anyone help me get this junk off my computer?  I'd be well and truly grateful.

Regards,
Jim
Title: Re: siszyd32.exe
Post by: gitarslinger on January 05, 2010, 10:02:28 PM
Essexboy,

Might I appeal to you directly to have a look at my issues with siszyd32 and sr882388?  Some folks are having a go, and I've taken most of the suggested steps, but I have noticed myself and another has mentioned that you seem to have a knack with this particular set of nasties.  I would be grateful for any help you could offer.

The thread is http://forum.avast.com/index.php?topic=53063.0

Thanks much in advance.

Jim
Title: Re: siszyd32.exe
Post by: essexboy on January 05, 2010, 10:48:44 PM
Got it and replied in the original thread  ;D
Title: Re: siszyd32.exe
Post by: digitalxni on January 06, 2010, 12:52:48 PM
@Essexboy: If you could take a look at my thread on siszyd32, I'd be most grateful!

http://forum.avast.com/index.php?topic=52978

Thanks!
Title: Re: siszyd32.exe
Post by: shawnywind on January 08, 2010, 05:31:01 AM
Essexboy, I'd also appreciate it if you could help me out with my siszyd32 issue.

I've got a separate thread here:

http://forum.avast.com/index.php?topic=53190.0

I'd really appreciate your help since I'm completely in dark on this matter.
Title: Re: siszyd32.exe
Post by: essexboy on January 08, 2010, 08:09:01 PM
Answered
Title: Re: siszyd32.exe
Post by: Fraster on January 10, 2010, 10:25:06 PM
Hi there.
This is the first virus I've not been able to get rid of myself, and so is the first time I have used a forum for support on such an issue.
If you could help me out here Essexboy, I would be eternally grateful. I'm not sure if I need this combofix.exe? But I've downloaded OTS and scanned as you required previously. I have attached the result here.

As regards the virus, it is exactly the same as everyone else's here, it seems. svchost hogging all the resources, siszyd32 runs at startup and can't be disabled.

http://www.mediafire.com/?ytmyocammne

Hope this works..  Thanks a bunch!
Title: Re: siszyd32.exe
Post by: essexboy on January 11, 2010, 09:18:53 PM
Part of the problem may be this: ophcrack-vista-livecd-2.3.1.iso, a good vehicle for viruses and malware. Also I find Avast better than AVG ;D

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Modules - Safe List]
YY -> urixugesavadebib.dll -> C:\Users\Fraser\AppData\Local\urixugesavadebib.dll
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {8504a8af-5a60-90ff-aaae-5e26ef0a86c6} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Qrofejogumajapi" -> C:\Users\Fraser\AppData\Local\urixugesavadebib.DLL [rundll32.exe "C:\Users\Fraser\AppData\Local\urixugesavadebib.dll",Startup]
[Files/Folders - Created Within 30 Days]
NY ->  HotbarSA -> C:\ProgramData\HotbarSA
NY ->  2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp
NY ->  2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  Rcusokarade.dat -> C:\Users\Fraser\AppData\Local\Rcusokarade.dat
NY ->  Jgudiqusoletu.bin -> C:\Users\Fraser\AppData\Local\Jgudiqusoletu.bin
NY ->  fvgqad.dat -> C:\Users\Fraser\AppData\Roaming\fvgqad.dat
NY ->  avdrn.dat -> C:\Users\Fraser\AppData\Roaming\avdrn.dat
NY ->  zm-w_WijtWsa.exe -> C:\Windows\System32\zm-w_WijtWsa.exe
NY ->  MWC-1D6zKsNM.dll -> C:\Windows\System32\MWC-1D6zKsNM.dll
NY ->  2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp
NY ->  2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp
[Files - No Company Name]
NY ->  siszyd32.exe -> C:\Users\Fraser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siszyd32.exe
NY ->  Rcusokarade.dat -> C:\Users\Fraser\AppData\Local\Rcusokarade.dat
NY ->  Jgudiqusoletu.bin -> C:\Users\Fraser\AppData\Local\Jgudiqusoletu.bin
NY ->  fvgqad.dat -> C:\Users\Fraser\AppData\Roaming\fvgqad.dat
NY ->  avdrn.dat -> C:\Users\Fraser\AppData\Roaming\avdrn.dat
NY ->  sysfolderazipcnt.dll -> C:\Windows\System32\sysfolderazipcnt.dll
NY ->  azipcontmn.dll -> C:\Windows\System32\azipcontmn.dll
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
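The OTS fix above removes three kinds of persistence: a file in the per-user Startup folder (siszyd32.exe), a Run value under HKLM that loads a randomly named DLL through rundll32.exe, and a Browser Helper Object keyed by CLSID. The following PowerShell script is an added, read-only triage example; it is not part of this thread and not OTS's own code. It walks those same locations and flags entries with the traits of the removed ones (module under AppData, rundll32/regsvr32 loader, missing or unsigned file). It assumes Windows PowerShell 2.0 or later on a Vista/7-era system and an elevated prompt so HKLM and System32 are readable; the function names Get-ModulePath and Test-Suspicious are my own.

```powershell
# Added example (not from the thread or OTS): list Startup-folder, Run and BHO
# persistence entries and flag the ones that look like the removed items.
# Assumes Windows PowerShell 2.0+, run elevated. Read-only: removes nothing.

function Get-ModulePath([string]$command) {
    # Pull the first drive-rooted .exe/.dll path out of a command line such as
    #   rundll32.exe "C:\Users\X\AppData\Local\abc.dll",Startup
    $m = [regex]::Match($command, '(?i)[a-z]:\\[^"]+?\.(exe|dll)')
    if ($m.Success) { return $m.Value } else { return $command }
}

function Test-Suspicious([string]$command, [string]$path) {
    # Returns a '; '-joined list of reasons, or '' when nothing stands out.
    $reasons = @()
    if ($command -match '(?i)\\AppData\\')         { $reasons += 'module under AppData' }
    if ($command -match '(?i)rundll32|regsvr32')   { $reasons += 'DLL loaded via rundll32/regsvr32' }
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid')               { $reasons += "signature: $($sig.Status)" }
    } else {
        $reasons += 'file missing (hidden by a rootkit, or already removed)'
    }
    return ($reasons -join '; ')
}

$found = @()

# 1. Per-user Startup folder (where siszyd32.exe lived). -Force lists hidden files.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -LiteralPath $startup -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne 'desktop.ini' } | ForEach-Object {
    $found += New-Object PSObject -Property @{
        Where = 'Startup folder'; Name = $_.Name; Target = $_.FullName
        Why   = Test-Suspicious '' $_.FullName
    }
}

# 2. Run values (the "Qrofejogumajapi" entry above was under the HKLM key).
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, ...
        $cmd  = [string]$p.Value
        $found += New-Object PSObject -Property @{
            Where = $key; Name = $p.Name; Target = $cmd
            Why   = Test-Suspicious $cmd (Get-ModulePath $cmd)
        }
    }
}

# 3. Browser Helper Objects: each subkey is a CLSID; resolve its InprocServer32 DLL.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bho -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $srv   = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll   = if ($srv) { [string]$srv.'(default)' } else { '' }
    $why   = if ($dll) { Test-Suspicious $dll (Get-ModulePath $dll) } else { 'CLSID has no InprocServer32 (orphaned key)' }
    $found += New-Object PSObject -Property @{ Where = 'BHO'; Name = $clsid; Target = $dll; Why = $why }
}

# Print only entries with at least one reason; clean entries are noise.
$found | Where-Object { $_.Why } | Sort-Object Where | Format-Table Where, Name, Target, Why -AutoSize -Wrap
```

Treat the output as a worklist, not a verdict: unsigned .lnk shortcuts and older third-party software will show up too, and a kernel-mode rootkit can hide a file from this script just as it hid siszyd32.exe from Explorer, which is why the thread's advice to scan at boot time still applies.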
Title: Re: siszyd32.exe
Post by: Fraster on January 11, 2010, 10:40:30 PM
Thank you, my good man. You, sir, are a genius!
You deserve a knighthood or something ;) 
It's a rare person who gives up his valuable time to help others.

This fix has stopped siszyd32 running at start up, which is great.
Here is the log you requested. If anything comes up again, I'll post back here, but it looks good!
I think I'll give this boy a couple more months, back up my data and reinstall Windows anyway; it's got a lot of junk on it.

Anyway. thanks again.

Fraster
Title: Re: siszyd32.exe
Post by: essexboy on January 11, 2010, 11:34:27 PM
OK I would now recommend that you run MBAM to see if I missed anything

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double-click mbam-setup.exe to install the application. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Title: Re: siszyd32.exe
Post by: Fraster on January 11, 2010, 11:52:28 PM
Did that, ta.
Seemed to remove a bunch of adware, but nothing too serious.

Heres the log.

Thanks again
Title: Re: siszyd32.exe
Post by: markvonneumann on January 12, 2010, 05:25:17 AM
Hi essexboy

here goes my siszyd32 thread :
http://forum.avast.com/index.php?topic=53322.0

Thanks for the help.
Mark
Title: Re: siszyd32.exe
Post by: essexboy on January 12, 2010, 08:33:00 PM
@Fraster If you could now run OTS and hit the cleanup button, my tools will disappear.

@markvonneumann looking
Title: Re: siszyd32.exe
Post by: deki79ns on January 16, 2010, 12:18:27 PM
Hi essexboy.

Just like many others I have this annoying siszyd32 problem. I did the Malwarebytes' Anti-Malware scan since I heard it is now able to fix this problem. But since I'm not sure it actually is able to help me deal with this issue, I also did an OTS scan and I'm posting the scan log here as well as in the separate thread, and I beg for your help.

Separate thread is here:
http://forum.avast.com/index.php?topic=53483.0

Thanks!
Title: Re: siszyd32.exe
Post by: jan.vanderborght on February 03, 2010, 06:52:08 PM
Hello Essexboy,

I started my own thread over here: http://forum.avast.com/index.php?topic=55036.0
Could you have a look at it?

Thanks in advance!

Jan
Title: Re: siszyd32.exe
Post by: essexboy on February 03, 2010, 10:30:22 PM
Replied
Title: Re: siszyd32.exe
Post by: robertmo on March 04, 2010, 04:33:24 AM
Hi essexboy,

Could you please check out my thread here?
http://forum.avast.com/index.php?topic=56533.0

Thanks in advance!
Robert