Avast WEBforum

Other => General Topics => Topic started by: gitarslinger on January 04, 2010, 11:27:50 PM

Title: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 04, 2010, 11:27:50 PM
I hit a bad link the other day, and Trend Micro Internet Security recognized but failed to quarantine the resulting trojan, which it referred to as TROJ_BREDLAB.SME.  Within seconds, "Sandboxie Start" (sr882388.exe) was trying to access the internet.  I blocked it.  The trojan and Sandboxie Start were both running in task manager processes, as was an instance of cmd.exe, busy eating up cpu.

I ended the processes, removed the quarantined trojan, found and removed sr882388 and a prefetch file with the same name (manually; TM didn't find them).  I then looked at startup programs (msconfig) and found both this one and siszyd32.exe.  I unchecked both, restarted, and the second one was rechecked, and had in fact two iterations, one of which was checked, one which was not.  I searched for, but did not find, this file.  Nor did I find either of these names in searching the registry.

I remembered at this point that a number of months ago, TM warned me that services.exe was trying to access the internet.  I blocked it.  It finally occurred to me to look at the firewall log.  Services.exe is making attempts every couple of seconds to reach a variety of external ip addresses through multiple ports.  I don't know enough to know whether or not this is one of services.exe's jobs, but it seems odd.

On advice from another web forum, I installed and ran ATF-Cleaner and the free version of Superantispyware.  Superantispyware found and removed siszyd32.exe, along with two other spyware apps.  The perma-checked iteration of siszyd32 in msconfig is gone.  I've attached log files from superantispyware and trendmicro internet security firewall.

Can anyone help me clean up this computer?  I know little and have no idea what to do next.

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: Avastfan1 on January 05, 2010, 12:23:29 AM
Hi,

I would recommend doing the following:

1. Download and update Avast (http://files.avast.com/files/latest/avast_home_setup.exe)
2. Download and update MBAM (http://www.malwarebytes.org/mbam-download.php)
3. Disconnect your computer from the internet (ie. pull the cable out or turn the router off)
4. Run a boot-time scan with Avast
5. Do a full scan with MBAM
6. Download CCleaner (http://www.ccleaner.com/download/builds/downloading-slim)
7. Run Ccleaner
8. Download HJT (http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe)
9. Run HJT and click 'Do a scan and save a logfile'

Post the results from Avast, MBAM and HJT here. The friendly Avast Forum members will be able to help you further :-)

Good luck!

Avastfan1
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 05, 2010, 12:31:30 AM
Quick question: will the existing running copies of superantispyware and trendmicro internet security interfere with running these processes?  Should I exit them before installing and/or before running the suggested apps?
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: DavidR on January 05, 2010, 01:53:03 AM
I suggest you do a forums search for this particular file, siszyd32.exe, as it has in some cases been a pig to remove and currently requires specialist tools and knowledge to analyse.

Unfortunately there aren't that many avast users that are also malware removal specialists on the forums.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 05, 2010, 02:21:54 AM
Thanks, David.  I did that in fact before I posted.  The experts in question advised beginning a new thread for each specific case and posting a link to it in the original thread.  This is what I did.

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: DavidR on January 05, 2010, 03:23:10 AM
Yes, that is correct, because the tools may return different data (such is the complexity of this little monster) that multiple threads within a topic would become very confusing for all concerned.

Were you not sandboxed when this all happened ?

Just seeing the "Sandboxie Start" in your first post, I wondered if you weren't using it, or perhaps this is it trying to sandbox itself to protect it from attack.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: mkis on January 05, 2010, 03:37:55 AM
Quick question: will the existing running copies of superantispyware and trendmicro internet security interfere with running these processes?  Should I exit them before installing and/or before running the suggested apps?


Trend Micro Internet Security may well interfere with the smooth running of your avast antivirus. You may choose one or the other, but running the two, avast and Trend Micro, at the same time can cause problems all round.

Otherwise the suggested apps are good. They can only be helpful. However as DavidR says specialist tools may be needed to remove this beastie. You will find an abundance of info on avast webforum to put you further in the picture.



Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 05, 2010, 04:41:29 AM
David, no, I don't use Sandboxie.  From what I've read elsewhere, this particular beastie identifies itself as "Sandboxie Start," even to the point of using the Sandboxie icon, but is in fact spyware and has nothing to do with the real Sandboxie.

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: DavidR on January 05, 2010, 04:20:28 PM
OK, thanks for that; they are very sneaky like that, trying to pass themselves off as security applications. Fortunately you realised it wasn't, as you don't use that particular one.

In the meantime whilst we are waiting for one of the malware specialists, you could try running these programs and report the findings.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them, though. See http://en.wikipedia.org/wiki/HTTP_cookie (http://en.wikipedia.org/wiki/HTTP_cookie).

Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 05, 2010, 06:49:02 PM
Thanks, David.  I'm in the process of doing that exactly.  I ran superantispyware before my initial post, and corrected three issues.  The log is attached to my first post.  I'm since following the protocol suggested by avastfan, in running an Avast boot-scan (no issues found, but a problem I'll go into later), Malwarebytes (two runs, found a number of issues on the first, one on the second), CCleaner (I'm on that step now, and have questions; see below), and finally HijackThis.  I'll post logs when I'm all done.

I have a question about CCleaner.  I ran the regular file removal tool, and took advantage of the startup program manager to remove known trojans from the list.  Now I'm looking at the registry cleaner, and I'm not sure what to do.  Lots of these issues:
missing shared dll
unused file extensions (what will it do if I ask it to "fix" an unused file extensions?  There are plenty of them that I do indeed use all the time, and I don't know what CCleaner means)
invalid default icons
open with application issues
activex/com issues
missing typelib references
application paths issues
helpfile issues
installer reference issues
uninstaller reference issues
obsolete software key
and old start menu keys.

Avastfan, should I be messing about with all that?  I've read that CCleaner has a registry backup utility, but I'm not finding it, either.  I'd like to do a backup prior to digging into the registry.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: YoKenny on January 05, 2010, 07:03:42 PM
Make sure you have 'Show prompt to select the backup' enabled.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: Pondus on January 05, 2010, 07:04:19 PM
Quote
Avastfan, should I be messing about with all that?  I've read that CCleaner has a registry backup utility, but I'm not finding it, either.  I'd like to do a backup prior to digging into the registry.
If you are using the default settings it will ask when you start fixing.
But you can look in Options > Advanced > [X] Show prompt to backup registry issues.



...nice picture kenny.... ;D
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 05, 2010, 07:10:49 PM
Thanks for that.  I've run it, I've trusted it, and the computer has rebooted with no discernible problems.  There's a relief.  Should be ready to post log files requested by avastfan shortly.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: DavidR on January 05, 2010, 07:18:07 PM
Yes, looks like it removed the startup entry for siszyd32.exe and a couple of suspect files.

No powerreg scheduler v3.exe in my PSS folder and no REMOVED.EXE in my system32 folder on winXP Pro SP3.

Personally I only use CCleaner to clean up temp files. Whilst it has a registry cleanup and all options are checked by default, first it runs a scan but doesn't remove anything unless you opt to Fix selected issues. Generally it shouldn't be a problem, but any editing of the registry carries a risk. It does ask "Do you want to backup changes to the registry?"; select Yes, and this creates a .reg file with all the changes so that they can be reversed. It will then ask again to fix.

It isn't a radical registry cleaner; it doesn't go into too much depth, certainly not near the depth my registry cleaner goes, but for me that's not an issue, as you need to have a working knowledge of what something does before removing it.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 05, 2010, 07:38:01 PM
Ok, here's the goods.  I've attached the Avast boot-scan log (it's empty, essentially, but there for completeness' sake), two Malwarebytes logs, and the HijackThis log.  I'm hoping we've made some real progress here.  Avastfan, what next?

David, I suppose I'm happy CCleaner's registry cleaner isn't all that robust, as I certainly lack that working knowledge you mentioned.  It did get rid of 1103 of those shallow issues it does address.

A question about the startup menu manager: I have a number of programs unchecked in msconfig that I did not uncheck myself.  How can I know what is needed and what is not?  Is it safe to use CCleaner to remove unchecked entries if I'm sure the program isn't needed or that I simply don't want it to run on startup?

I mentioned an issue I had with Avast.  I ran the setup, and it downloaded the program.  On first run, it performed a memory scan and warned of a hidden service named "buoraeym.sys."  It asked if I wanted to delete or ignore this service, and suggested "ignore."  I clicked ignore, and up popped a warning that there was a virus running in memory.  It asked me if I wanted to perform a boot-scan, I clicked yes, and the system froze.  I wound up doing a hard restart, and the boot-scan started.  I had trouble with freezes on restarts, as Avast and TM were fighting with one another, and was eventually able to stop the apps as they were loading, boot fully, and uninstall Avast.  Hence:
I don't know if the buoraeym.sys service is a problem, or if it has been solved, and
I don't know if Avast was up to date when it ran the boot-scan.

It has been stated elsewhere in the forum that Avast fails to identify these particular issues.  Do you suggest mucking about with it again, or leave it for now?
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: YoKenny on January 05, 2010, 07:47:46 PM
I see you are still running Windows Service Pack 2 so you should install Windows Service Pack 3 that has been available for over a year and a half that contains several Critical Security updates plus performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don't automatically download or install them.

Update to IE8:
http://www.microsoft.com/windows/internet-explorer/default.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 05, 2010, 07:51:32 PM
I wanted to ask again about the services.exe problem.  Is this perhaps a problem app, or a good app driven to do bad things by another app? 

I'm attaching the most recent log of firewall activity.  It was originally a comma-separated value file, but I renamed it as a text file as this forum doesn't allow .csv attachments.  I don't know if the activity is suspicious or legitimate.  Any ideas?
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: Chris Thomas on January 05, 2010, 08:19:13 PM
services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computers boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated.

Author:Microsoft Corp.

Part of:Microsoft Windows Operating System

Common Path(s):%system%\services.exe
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: Chris Thomas on January 05, 2010, 08:33:59 PM
You should only be worried if it is SERVICES.EXE instead of services.exe.

Read here

http://www.prevx.com/filenames/476339565022733292-X1/SERVICES.EXE.html

Virus with same name:

W32/Leave.B (service.exe) - Symantec Corporation
W32.Randex.R (service.exe) - Symantec Corporation
W32.HLLW.Kazping (service.exe) - Symantec Corporation
W32.XTC.Worm (service.exe) - Symantec Corporation

You should also be worried if services.exe is in C:\WINDOWS\services.exe instead of C:\Windows\system32.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: DavidR on January 05, 2010, 08:42:30 PM
I wanted to ask again about the services.exe problem.  Is this perhaps a problem app, or a good app driven to do bad things by another app? 

I'm attaching the most recent log of firewall activity.  It was originally a comma-separated value file, but I renamed it as a text file as this forum doesn't allow .csv attachments.  I don't know if the activity is suspicious or legitimate.  Any ideas?

I have no idea about the services.exe; it is strange, as I don't see this being used in my logs, but you can do a whois on the IP addresses it is trying to connect to, and strangely the likes of Yahoo, Hotmail, Mozilla and Facebook were some of the ones I checked.

HiJackThis in cases of this type is almost useless; all it is likely to do is reveal weaknesses in your software, like not having SP3 as mentioned, Acrobat 7 (old and vulnerable), etc. etc. I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities: http://secunia.com/software_inspector/ (http://secunia.com/software_inspector/).

What it also shows is that you no longer have avast installed, but Trend Micro Internet security ???
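The two questions raised in this exchange, whether the services.exe that the firewall keeps blocking is the real one, and whether its connection pattern looks like a legitimate service or a polling back-door, can both be answered from the firewall's own CSV export. The script below is an added example and is not from this thread, from Trend Micro or from any of the tools mentioned; the column layout (timestamp, process, direction, remote_ip, remote_port, action), the C:\WINDOWS system root and the log lines themselves are constructed for the example, and the addresses come from documentation ranges, not from the poster's log.

```python
"""Triage of a per-process outbound firewall log (added example).

Two checks:
1. image_path_ok(): a process calling itself services.exe must live in
   %SystemRoot%\\system32; a copy anywhere else is suspect whatever its name.
2. beacon_candidates(): group outbound attempts by (process, remote host,
   remote port) and flag groups that recur at a near-constant interval, the
   signature of a polling implant in a block log. Browsers are bursty and
   irregular; a back-door phoning home every few seconds is not.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample in the assumed column layout. The services.exe rows
# every 3 s to one host are what the beacon check should catch; the last row
# is a services.exe running from the wrong directory.
SAMPLE_LOG = """timestamp,process,direction,remote_ip,remote_port,action
2010-01-05 18:00:00,C:\\WINDOWS\\system32\\services.exe,out,198.51.100.23,8080,block
2010-01-05 18:00:03,C:\\WINDOWS\\system32\\services.exe,out,198.51.100.23,8080,block
2010-01-05 18:00:06,C:\\WINDOWS\\system32\\services.exe,out,198.51.100.23,8080,block
2010-01-05 18:00:09,C:\\WINDOWS\\system32\\services.exe,out,198.51.100.23,8080,block
2010-01-05 18:00:12,C:\\WINDOWS\\system32\\services.exe,out,198.51.100.23,8080,block
2010-01-05 18:00:01,C:\\Program Files\\Mozilla Firefox\\firefox.exe,out,203.0.113.7,443,allow
2010-01-05 18:02:40,C:\\Program Files\\Mozilla Firefox\\firefox.exe,out,203.0.113.9,80,allow
2010-01-05 18:09:15,C:\\Program Files\\Mozilla Firefox\\firefox.exe,out,203.0.113.7,443,allow
2010-01-05 18:00:30,C:\\WINDOWS\\services.exe,out,192.0.2.50,6667,block
"""

SYSTEM_ROOT = PureWindowsPath("C:/WINDOWS")  # assumption; read %SystemRoot% on a live box


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime and an int port."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
        r["remote_port"] = int(r["remote_port"])
    return rows


def image_path_ok(image_path):
    """True unless a file named services.exe lives outside %SystemRoot%\\system32.

    Other file names are out of scope and return True: this check is about an
    impostor borrowing the name, not about every binary on the box.
    PureWindowsPath compares case-insensitively, as NTFS does.
    """
    p = PureWindowsPath(image_path)
    if p.name.lower() != "services.exe":
        return True
    return p.parent == SYSTEM_ROOT / "system32"


def beacon_candidates(rows, min_events=4, max_stdev=1.0):
    """Return (process, remote_ip, remote_port, mean_gap_s) for regular repeaters.

    A group qualifies with at least min_events outbound attempts whose
    inter-arrival gaps have a population standard deviation <= max_stdev s.
    """
    groups = defaultdict(list)
    for r in rows:
        if r["direction"] == "out":
            groups[(r["process"], r["remote_ip"], r["remote_port"])].append(r["ts"])
    found = []
    for key, stamps in groups.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_stdev:
            found.append(key + (statistics.mean(gaps),))
    return found


def triage(text):
    """Run both checks over one export and return the findings."""
    rows = parse_log(text)
    bad_paths = sorted({r["process"] for r in rows if not image_path_ok(r["process"])})
    return {"bad_paths": bad_paths, "beacons": beacon_candidates(rows)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path in report["bad_paths"]:
        print("services.exe outside system32:", path)
    for proc, ip, port, gap in report["beacons"]:
        print(f"regular beacon: {proc} -> {ip}:{port} every {gap:.1f}s")
```

On the sample the genuine C:\WINDOWS\system32\services.exe is reported as a beacon (5 attempts exactly 3 s apart to one host and port), which is the pattern the original post describes and is not something the real Service Control Manager does on its own; the lone C:\WINDOWS\services.exe is reported for its location. Whois on the destination then tells you whether the host is something a Windows service would legitimately talk to.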
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 05, 2010, 08:59:40 PM
YoKenny,

Is it a good idea to install SP3 at this point while all this is going on, or better to wait 'til this is resolved?  I run all the critical updates on a regular basis, but haven't installed SP3 as I had heard horror stories about this particular release mucking up people's computers.  What say you?

Also, I once had IE 8 but had to roll back to 7 as 8 had a problem where every time I closed a browser, it started a second iteration of rundll32, and this second iteration would max out cpu.  Is it because I was running it under SP2, do you think?  It was terribly annoying.

secunia found three vulnerable apps, two adobe, one yahoo messenger.  I'm updating them as I'm writing this.  Thanks for that tip.

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 05, 2010, 09:07:45 PM
David,

I uninstalled Avast in favor of TM because the TM firewall has particular services on its block list.  I don't want to stop the TM firewall until all this is fixed. 

Eventually, I'd like to find an antivirus/spyware combo that works.  As already noted, Avast was no better at finding these nasties than TM.  The Avast boot-scan showed nothing, after which Malwarebytes found a number of problems, and folks on other threads have related similar experiences.  That's all a bit off-topic for this thread, of course, but I would like to know what folks are using and if anything has successfully stopped siszyd32 and sr882388 from installing in the first place.

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: YoKenny on January 05, 2010, 09:31:12 PM
It would help if you showed your system specifications as to CPU type and speed plus amount of RAM installed.

The best combo is avast! and Malwarebytes' Anti-Malware (MBAM).

The infection siszyd32 is a bit of a nasty one right now and may take the likes of essexboy or oldman to help remove but SP3 should be installed eventually.


Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 05, 2010, 09:54:43 PM
YoKenny,

The system's on the older side.  Processor is an AMD Athlon "XP Processor" running at 3200 (2.2GHz).  512 MB RAM.  WinXP SP2, as you know.  Anything else you need?

I posted on a thread where essexboy was deeply involved, and had hoped to attract his attention to this thread by posting a link to it.  Perhaps a direct appeal is in order.

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 05, 2010, 10:33:00 PM
In case essexboy stops in, I've gone ahead and run OTS according to his specs as posted in another forum.  The resulting log file is posted here:  http://www.mediafire.com/?jzkmjjywojo

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: essexboy on January 05, 2010, 10:43:30 PM
Here you go, let's try this. I will attempt to remove the hidden spawner first time around; if that fails then CF should get it.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{c4ffb535-f79e-11dd-a3d1-000ea6261df6} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4ffb535-f79e-11dd-a3d1-000ea6261df6}\Shell\Shell00\Command ->
YY -> \{c4ffb535-f79e-11dd-a3d1-000ea6261df6}\Shell\Shell00\Command\\"" -> K:\Start.exe [K:\Start.exe]
[Files/Folders - Created Within 30 Days]
NY ->  4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  qawin32.INI -> C:\WINDOWS\qawin32.INI
NY ->  buoraeym.sys -> C:\WINDOWS\System32\drivers\buoraeym.sys
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
NY ->  nvDrv.sy -> C:\WINDOWS\nvDrv.sy
NY ->  45 C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp
NY ->  45 C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp
NY ->  4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files - No Company Name]
NY ->  qawin32.INI -> C:\WINDOWS\qawin32.INI
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
NY ->  nvDrv.sy -> C:\WINDOWS\nvDrv.sy
NY ->  buoraeym.sys -> C:\WINDOWS\System32\drivers\buoraeym.sys
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
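The first block of the OTS fix above removes a MountPoints2 entry whose Shell\Shell00\Command default value is K:\Start.exe. Explorer keeps a per-volume shell menu under HKCU\...\Explorer\MountPoints2\{volume-guid}, and a Command value there runs whatever it names when that drive is opened, which is why a stray .exe on a card-reader drive keeps coming back. The script below is an added example, not from the thread or from OTS: it parses a Regedit (.reg, "Windows Registry Editor Version 5.00") export of the MountPoints2 key and lists every shell command, marking those that point at a file on a drive other than the system drive. The export text, the second GUID and the C: system drive are constructed for the example; the first GUID and K:\Start.exe are the ones from the fix above.

```python
"""List per-volume autorun handlers in a MountPoints2 .reg export (added example)."""
import re
from pathlib import PureWindowsPath

MOUNTPOINTS2 = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
)
SYSTEM_DRIVE = "C:"  # assumption; use %SystemDrive% on a live box

# Constructed export. Regedit escapes backslashes and quotes inside string
# values with a backslash, hence the doubled ones below.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4ffb535-f79e-11dd-a3d1-000ea6261df6}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4ffb535-f79e-11dd-a3d1-000ea6261df6}\Shell]
@="Shell00"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4ffb535-f79e-11dd-a3d1-000ea6261df6}\Shell\Shell00]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4ffb535-f79e-11dd-a3d1-000ea6261df6}\Shell\Shell00\Command]
@="K:\\Start.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{12345678-0000-0000-0000-000000000000}\Shell\AutoRun\Command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \"E:\\setup.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aaaaaaaa-0000-0000-0000-000000000000}]
"BaseClass"="Drive"
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "@" is the key's default value; other names are quoted. Only REG_SZ values
# are handled (hex:/dword: lines are ignored), which is all MountPoints2 needs.
STRING_VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<val>"(?:[^"\\]|\\.)*")\s*$')
COMMAND_RE = re.compile(r"\\Shell\\(?P<verb>[^\\]+)\\Command$", re.IGNORECASE)


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo its backslash escaping."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg(text):
    """Return {key_path: {value_name: string}}; the default value has name ''."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = STRING_VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            name = "" if name == "@" else _unquote(name)
            keys[current][name] = _unquote(m.group("val"))
    return keys


def executable_paths(command):
    """Every drive-letter path in a command line, so rundll32-style wrappers
    reveal the file they actually launch as well as rundll32 itself."""
    return re.findall(r'[A-Za-z]:\\[^"\s]*', command)


def autorun_handlers(reg_text, system_drive=SYSTEM_DRIVE):
    """Return [(volume_guid, verb, command, suspicious)] for every
    MountPoints2\\{guid}\\Shell\\<verb>\\Command default value.

    A command is marked suspicious when any path it references sits on a
    drive other than the system drive: that is the removable-media pattern,
    and nothing legitimate is expected to need it on a home machine.
    """
    out = []
    for key, values in parse_reg(reg_text).items():
        if not key.lower().startswith(MOUNTPOINTS2.lower() + "\\"):
            continue
        m = COMMAND_RE.search(key)
        if not m or "" not in values:
            continue
        guid = key[len(MOUNTPOINTS2) + 1:].split("\\", 1)[0]
        command = values[""]
        paths = executable_paths(command)
        suspicious = any(PureWindowsPath(p).drive.upper() != system_drive.upper() for p in paths)
        out.append((guid, m.group("verb"), command, suspicious))
    return out


if __name__ == "__main__":
    for guid, verb, command, suspicious in autorun_handlers(SAMPLE_REG):
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"{flag:10} {guid} Shell\\{verb}\\Command = {command}")
```

Run against an export taken with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" mp2.reg` (a standard reg.exe invocation), the output gives you the same list the OTS fix acted on, plus any handler that survives a cleanup or returns after the card is reinserted. Deleting the {guid} subkey removes the handler; the file it points to on the removable drive still has to be dealt with separately.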
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 06, 2010, 12:57:46 AM
I've run the fix, and the new OTS scan per your original specs.  The fix hit an exception error "no disk" almost immediately with the K: drive reference.  This is one of those HP MediaCenter computers, and the K: drive is one of a handful of drive-bays in the front of the computer intended for memory cards.  I'm not sure I've ever used it, hence I'm a bit confused about the reference to K:\startup.exe!

I wasn't sure if you wanted the new logs posted here or on mediafire, so I did both.  Mediafire links are http://www.mediafire.com/?olm2yxkmkyt for the fix log and http://www.mediafire.com/?dfuzwzomwgo for the new scan log.

Off to download Combofix.  Thanks very much for digging into this.

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 06, 2010, 01:35:05 AM
ComboFix ran *almost* without problems.  On reboot, Trend Micro, although supposedly disabled by ComboFix, managed to block PV.cfxxe.  When it became apparent ComboFix was going to keep trying, I exited TM, after which the process concluded successfully.  I noticed, watching CF work, that it managed to delete buoraeym.sys and a couple of other things, although I don't see that in the log.

The log was too long to include in the message.  It is attached.

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: essexboy on January 06, 2010, 09:31:02 PM
That file still appears to be there, so I will use a different tool to try and kill it.

Download avz4.zip from here (http://z-oleg.com/avz4.zip)
Note: If you receive an error message, choose a different source, then click Start again.


(http://perplexus.geekstogo.com/avz-standardscripts-asa-removal.png)
When restarted

(http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-standardscripts.png)
Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post or upload to mediafire

Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 07, 2010, 12:34:54 AM
Watching it run, it doesn't seem to have found anything.  Please have a look.  Meanwhile, I ran it with trendmicro running, and perhaps shouldn't have.  I'll run it again with tm disabled while I'm waiting to hear from you.  If anything comes out differently, I'll post new logs.

Files are on mediafire at http://www.mediafire.com/?m2qmjmmyimh and http://www.mediafire.com/?jnkky2gunnz

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 07, 2010, 12:46:23 AM
It's also saying the extended monitoring driver AVZPM is not installed, so that check wasn't performed.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 07, 2010, 01:50:30 AM
New files at mediafire: re-run.  http://www.mediafire.com/?jnkky2gunnz and http://www.mediafire.com/?qzkem4ytown    Don't think the result is any different.

I discovered that one of my email accounts had been hacked.  It was being used by a Nigerian-style scammer.  Oddly enough, the thief didn't change the password, hence the address was recovered.  "Captain Raymond Pierce."  I've canceled all the credit cards, changed all the passwords.  Wonderful way to spend a day.

Which file were we going after?

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: mkis on January 07, 2010, 11:49:05 AM
What was TM doing when you got hacked?
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 07, 2010, 05:39:00 PM
What was TM doing when you got hacked?

Ostensibly, its job.  It detected the initial trojan and claimed to have quarantined it, but I found it running as a process immediately thereafter along with sr882388.exe.  It asked me if I wanted to allow sr882388.exe to access the internet, and I of course blocked it, but that didn't stop it running.  Nor, apparently, was it able to stop it or something else from accessing the internet, considering my email account was successfully stolen.   

It was also updating daily and scanning twice weekly.  It found nothing on a scan immediately after the incident, of course. I found siszyd32.exe myself in msconfig when I was trying to figure out what all had gone wrong.  I'm assuming it hit a few months ago when TM "quarantined" another trojan.  In that case, I failed to look further.  I'm not sure what siszyd32 accomplished, but it's apparent both left TM scratching its *** in midfield.

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: essexboy on January 07, 2010, 08:26:01 PM
Mediafire is down for maintenance at the moment; it should be up in about an hour, when I will download your logs.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 07, 2010, 09:17:19 PM
Let's bypass mediafire in case its updates take longer than advertised.  I've changed the file extensions to .log so they can be attached here.  Please change them back to .zip when you download them.

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: essexboy on January 07, 2010, 09:38:55 PM
Ta, OK, that shows that the file is no longer present, so mayhap OTS was the older version.

What problems are you experiencing now - are you still getting alerts ?
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 07, 2010, 09:47:03 PM
Not receiving any alerts, just flipping fearful bad things are going to happen if I start using the computer online again.  Which file were we looking for?  I'm guessing AVZ doesn't find it now, but did it do so in the first place?  Should we run something else to be certain it's gone?

I have another question relating to the start menu for when this mess is finally behind me: is it ok or advisable to use CCleaner to delete start menu entries that are not checked and/or are unchecked second iterations of items that are checked?

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: essexboy on January 07, 2010, 10:03:23 PM
Let's do a final check with MBAM and do this using the current computer, i.e. go online with it.
Quote
I have another question relating to the start menu for when this mess is finally behind me: is it ok or advisable to use CCleaner to delete start menu entries that are not checked and/or are unchecked second iterations of items that are checked?
Should be no problem with that

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double-click mbam-setup.exe to install the application. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 07, 2010, 10:27:11 PM
The MBAM quick-scan was clean.  I should point out, though, that a MBAM full system scan was also clean just prior to your entering this particular fray.  Which particular utility found the item you're after?  Should we run that again?

I very much appreciate your help with these issues.  I don't mean to be a pest.  Especially after having an email account hijacked, I'm thrice shy about all of this.

Jim

Malwarebytes' Anti-Malware 1.43
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

1/7/2010 3:15:16 PM
mbam-log-2010-01-07 (15-15-16).txt

Scan type: Quick Scan
Objects scanned: 122704
Time elapsed: 7 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: essexboy on January 07, 2010, 10:44:00 PM
OTS found the initial files for me and CF then killed what was left

You can re-run OTS again with no problem if you wish - and I will then check it out
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 07, 2010, 10:45:00 PM
will do.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 07, 2010, 10:58:56 PM
And here it is.  And here's hoping it's clean.

Where do I send the single malt?

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: essexboy on January 07, 2010, 11:01:04 PM
Weird, that is corrupted when I open it; could you repost it please?
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 07, 2010, 11:04:59 PM
Here it is again.  Odd that it corrupted.  I was just browsing through it myself.

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: essexboy on January 07, 2010, 11:06:52 PM
Are you using wordpad or notepad for this ?

Could you zip it and attach it to see if that helps
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 07, 2010, 11:10:04 PM
trying from a different computer. 
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: essexboy on January 07, 2010, 11:13:21 PM
Seems to have formatting in it - could you re-run or use a different version?

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into your reply.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 07, 2010, 11:22:06 PM
Ah, now the forum is acting up.  Told me I'd already posted my note after giving me trouble about the file sizes, but there's no post there.  Here's me trying again.

I've resaved the file as ots 3a.txt.  I created a zip file and saved it as ots 3a.log.  I resaved it again as ANSI instead of unicode as ots 3b.txt.  The latter two should be attached to this email.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 07, 2010, 11:24:22 PM
OK, looks like both came through uncorrupted.  Thank goodness.

I'm off to a belated Christmas gathering for which I'm about to be late.  I'll look at your latest posts when I return this evening.  Thanks again so much for all your help and hard work. 

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: essexboy on January 07, 2010, 11:27:52 PM
OK the last one worked - it must have been the coding and all looked clear

Run OTS again and hit the cleanup button that will remove all my tools except AVZ, for that just delete the folder

Enjoy the party I am now off to bed  ;D
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 08, 2010, 06:42:50 AM
Great news.  Now what can I do for you?  I owe you.

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: essexboy on January 08, 2010, 07:43:25 PM
Would you happen to know an 18 year old blonde who owns a brewery  ;D
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: gitarslinger on January 09, 2010, 12:55:35 AM
Would you happen to know an 18 year old blonde who owns a brewery  ;D

Yeah, but he's ugly.   ;)

Jim
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: mkis on January 09, 2010, 03:08:05 AM
What was TM doing when you got hacked?

Ostensibly, its job.  It detected the initial trojan and claimed to have quarantined it, but I found it running as a process immediately thereafter along with sr882388.exe.  It asked me if I wanted to allow sr882388.exe to access the internet, and I of course blocked it, but that didn't stop it running.  Nor, apparently, was it able to stop it or something else from accessing the internet, considering my email account was successfully stolen.   

It was also updating daily and scanning twice weekly.  It found nothing on a scan immediately after the incident, of course. I found siszyd32.exe myself in msconfig when I was trying to figure out what all had gone wrong.  I'm assuming it hit a few months ago when TM "quarantined" another trojan.  In that case, I failed to look further.  I'm not sure what siszyd32 accomplished, but it's apparent both left TM scratching its *** in midfield.

Jim

I have come across OEM Vista + Trend Micro in laptops quite often over the last few years. I have yet to see any failing in this combo, so I still recommend TM to people. I have a few quibbles that I won't bring up here, as they're more to do with features than failings.

I am always tempted to clean TM off these systems and replace it with avast, but for the time being I don't push the point.
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: Chris Thomas on January 09, 2010, 08:48:37 AM
Hey

Why don't you install Prevx and do a scan?

http://www.prevx.com/

It is free for scanning and detection but not removal

At least you will know what all is infected there.

Then you can make a plan B
Title: Re: Need Help removing siszyd32.exe and sr882388.exe et al
Post by: Avastfan1 on January 26, 2010, 10:28:31 PM
Hi Gitarslinger,

Glad to see you solved the problem. For health reasons I have not been as active on the forum over the last month. Hence I did not reply to your earlier post.

Best wishes,

Avastfan1