Author Topic: siszyd32.exe  (Read 51103 times)


MudPuddles

  • Guest
siszyd32.exe
« on: December 11, 2009, 09:06:30 PM »
Hello everyone,

I have a file siszyd32.exe on my laptop.

My computer had started running extremely slowly, with 100% CPU taken up by a few svchost and hkcmd processes. I noticed the siszyd32.exe file in the list of Start Up programs when I was using CCleaner. A Google search for this tells me that it is a dangerous trojan file. CCleaner puts its location at C:\...AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siszyd32.exe

Unfortunately, I can't actually see it in the location where CCleaner says it is, nor can I delete it via CCleaner. Apparently this is one of the problems with this file (it being a bugger to remove). Avast Home Edition and Avast Virus Cleaner both fail to find it, as do SuperAntiSpyware and MalwareBytes. I have managed to disable it from running at Startup (via CCleaner), but it's still there on the CCleaner list of Start Up programs.

Any suggestions for what I could / should do would be greatly appreciated.

Many thanks,
MP

(p.s. I am using Windows Vista Home Premium 2007, Service Pack 2)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: siszyd32.exe
« Reply #1 on: December 11, 2009, 09:19:06 PM »
Does the file exist? I mean, it could be a hidden virus (a rootkit).
Did you try running avast at boot time?
The best things in life are free.

MudPuddles

  • Guest
Re: siszyd32.exe
« Reply #2 on: December 11, 2009, 09:24:29 PM »
Thank you Tech, I have not tried that but will do a boot scan and see how that goes...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: siszyd32.exe
« Reply #3 on: December 11, 2009, 09:39:36 PM »
Quote from: MudPuddles on December 11, 2009, 09:24:29 PM
Thank you Tech, I have not tried that but will do a boot scan and see how that goes...

Post back if the problem persists.
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33903
  • malware fighter
Re: siszyd32.exe
« Reply #4 on: December 11, 2009, 10:11:04 PM »
Hi MudPuddles,

Let us delve into that a bit further now.
Download RSIT by random/random from here:  http://images.malwareremoval.com/random/RSIT.exe
but before saving, in the Save dialog, rename rsit.exe to explorer.exe and save it to your desktop.
* Double click on RSIT.exe to run RSIT.
* Click Continue at the disclaimer screen.
* Once it has finished, two logs will open. If they do not open automatically, these logs can be found in the %systemdrive%\rsit folder (typically C:\rsit).

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

wvos

  • Guest
Re: siszyd32.exe
« Reply #5 on: December 12, 2009, 03:01:01 AM »
The same happened to me today.

It all started with AVAST throwing these warnings. I was browsing with Firefox 3.5+.

    11/12/2009 23:08:51 xxx 412 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\~TM1F1A.tmp” file.

I told AVAST to delete ~TM1F1A.tmp, but avast apparently didn’t delete the file. Shortly after AVAST complained about a system file:

    11/12/2009 23:10:08 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\drivers\atapi.sys” file.
    11/12/2009 23:10:37 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\dllcache\atapi.sys” file.

Then I looked at the running processes.

A process called CsimPlayer.exe was running and had two child processes svchost.exe attached to it.

Running a SHA hash comparison between CsimPlayer.exe and the tmp file confirmed that CsimPlayer.exe was indeed ~TM1F1A.tmp, the file AVAST identified as malware. It was still there, in the Windows temp directory.

The same CsimPlayer was added to the startup registry tree: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("C:\WINDOWS\system32\CsimPlayer.exe")

In the meantime a CMD (command prompt) process was VERY active running a batch called fjhdyfhsn.bat. The batch command file contained the following statements (a loop trying to delete Firefox):

    @echo off
    :try
    @del /F /Q "C:\Program Files\Mozilla Firefox\firefox.exe"
    if exist "C:\Program Files\Mozilla Firefox\firefox.exe" goto try

The BAT file was dropped on my system on 11 December at 23:08, right before the ~temp file.

Another file called siszyd32.exe was dropped in the StartUp folder.

I still don’t know what it was and why Avast isn’t detecting it.

What I did:

    * I ran Process Explorer ( http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx )
    * I killed all CMDs, siszyd32.exe and CsimPlayer.exe (including the child processes)
    * I removed all instances of siszyd32.exe and CsimPlayer.exe on my C:\ drive and I deleted both the infected atapi.sys files.
    * I removed it from the registry
    * And I ran Malwarebytes' Anti-Malware

I checked the site where I thought it originated from, but it's not there... :-/  It could be a root-kit that has resided on my system for who knows how long. There's no way to check for root-kits when the OS is running. It's only noticeable when the root-kit installs or downloads files that inadvertently trigger avast.

So if someone knows a good OFFLINE (boot-cd) rootkit scanner, please let me know.

Thanks.
« Last Edit: December 12, 2009, 03:07:00 AM by wvos »
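A small parser for the avast warning lines wvos quoted above, added here as an example and not part of the original thread: it pulls the signature name and path out of each line, groups hits by signature, and flags hits under system32\drivers and system32\dllcache as high risk (that risk rule is my own assumption, not part of avast's log format; the three detection lines are the ones from the post and the fourth sample line is constructed).

```python
import re
from collections import defaultdict

# avast 4.x warning-log line, in the shape wvos pasted above:
#   DD/MM/YYYY HH:MM:SS <user> <pid> Sign of "<detection>" has been found in "<path>" file.
# Curly and straight quotes are both accepted, since copy/paste from the log viewer varies.
AVAST_LINE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of [“"](?P<detection>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.$'
)

# Directories where a hit means more than a dropped temp file: a patched driver such as
# atapi.sys loads in kernel mode on every boot, and the dllcache copy is what Windows File
# Protection restores it from, so an infected copy there re-infects after a "repair".
# This classification rule is my own assumption, not something avast's log states.
HIGH_RISK_DIRS = ("\\system32\\drivers\\", "\\system32\\dllcache\\")

def parse_avast_line(line):
    """Return the fields of one warning line as a dict, or None if the line is not a detection."""
    m = AVAST_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    path = rec["path"].lower()
    rec["risk"] = "high" if any(d in path for d in HIGH_RISK_DIRS) else "medium"
    return rec

def summarise(lines):
    """Group detections by signature name; non-detection lines are counted, not silently dropped."""
    by_detection = defaultdict(list)
    skipped = 0
    for line in lines:
        rec = parse_avast_line(line)
        if rec is None:
            skipped += 1
        else:
            by_detection[rec["detection"]].append(rec)
    return dict(by_detection), skipped

# The three detection lines from the post, plus one constructed non-detection line.
SAMPLE_LOG = r"""
11/12/2009 23:08:51 xxx 412 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\~TM1F1A.tmp” file.
11/12/2009 23:09:30 xxx 412 Scan of folder “C:\WINDOWS\TEMP” finished (constructed line, not a detection).
11/12/2009 23:10:08 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\drivers\atapi.sys” file.
11/12/2009 23:10:37 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\dllcache\atapi.sys” file.
""".strip().splitlines()

if __name__ == "__main__":
    groups, skipped = summarise(SAMPLE_LOG)
    for name, hits in groups.items():
        for h in hits:
            print(f"{h['risk']:6} {name:24} {h['path']}")
    print(f"{skipped} line(s) were not detections")
```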

pinnacle

  • Guest
Re: siszyd32.exe
« Reply #6 on: December 12, 2009, 03:16:04 AM »
You can give Vipre Rescue a try; it is effective against rootkits. This explains it, and the download link is there also: http://live.sunbeltsoftware.com/
« Last Edit: December 12, 2009, 03:18:16 AM by pinnacle »

MudPuddles

  • Guest
Re: siszyd32.exe
« Reply #7 on: December 12, 2009, 11:30:17 AM »
Hello all and thanks for the replies.

Here is an update.

I restarted and ran avast again; it found 4 infected files but could not move them to the virus chest.
I ran malwarebytes again and it found a file (C:\...\AppData\Local\Temp\0.27193285186218485.exe (Trojan.Dropper)) and removed it.

Another scan of avast cleaner and SAS found nothing. I ran avast boot scan, seemed to find nothing. CCleaner still finds siszyd32.exe in the StartUp list.

Polonus - I have attached the RSIT files for info. I'm afraid I don't have the tech knowledge to understand these.

pinnacle - I have downloaded Vipre Rescue but will wait to use it until I hear more on the RSIT outputs.

Thanks again folks,
MP
« Last Edit: December 12, 2009, 11:37:56 AM by MudPuddles »

YoKenny

  • Guest
Re: siszyd32.exe
« Reply #8 on: December 12, 2009, 12:30:56 PM »
The Sun Java jre1.6.0_02 and Adobe Acrobat 8.0 are way downlevel and very vulnerable to attack.

Go to Add/Remove Programs and remove all Sun Java and Adobe installs.

The current Sun Java is Version 6 Update 17:
http://www.java.com/en/download/manual.jsp

Adobe Acrobat 9:
http://www.adobe.com/products/acrobat/segments/individual

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

MudPuddles

  • Guest
Re: siszyd32.exe
« Reply #9 on: December 12, 2009, 03:11:37 PM »
Thanks YoKenny.

I've updated Sun Java to the latest version. Adobe Acrobat Standard 8 is a licensed product and I shouldn't have to purchase the latest edition (Acrobat Standard 9) - I have however downloaded all current updates (I now have updated to 8.1.7).

Thanks for pointing out that Secunia tool, it's very useful. I also needed to update Flash Player and related ActiveX controls.

After that, it seems I still have an infection with siszyd32.exe that I can't shift....

MP

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: siszyd32.exe
« Reply #10 on: December 12, 2009, 03:26:27 PM »
Hi, there is an infection hooked to your C:\WINDOWS\system32\drivers\atapi.sys file. What we need to do is replace that with a legitimate version and kill the spawner. Normally I ask for an analysis scan first, but as you have posted the data I need we can go straight for an automatic repair/replace.

Note: As you have Vista you will not see the RC prompt.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

MudPuddles

  • Guest
Re: siszyd32.exe
« Reply #11 on: December 12, 2009, 04:29:11 PM »
Many thanks essexboy.

I've gone through that, and the ComboFix.txt file is attached here.

MP

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: siszyd32.exe
« Reply #12 on: December 12, 2009, 05:12:10 PM »
There is no indication of the hook now. A few to remove, and then let me know how it is running.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
    File::
    c:\users\Conor \AppData\Roaming\fvgqad.dat
    c:\users\Conor \AppData\Roaming\avdrn.dat

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTListit log.

MudPuddles

  • Guest
Re: siszyd32.exe
« Reply #13 on: December 12, 2009, 05:44:52 PM »
Thanks again essexboy.
I've gone through that procedure, here is the new ComboFix.txt file.
How do I get an OTListit log? Sorry for my ignorance.
MP

EDIT: I've now also attached a new RSIT log file in case that's what you need.
« Last Edit: December 12, 2009, 05:54:22 PM by MudPuddles »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: siszyd32.exe
« Reply #14 on: December 12, 2009, 06:55:45 PM »
My apologies I used my standard canned from my malware forum  :-[

Checking the logs now. What problems do you have at the moment?