Author Topic: siszyd32.exe  (Read 50949 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: siszyd32.exe
« Reply #15 on: December 12, 2009, 07:01:52 PM »
Let's kill the bad boy now

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\Users\Conor \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siszyd32.exe


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.
6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTListit log.

MudPuddles

  • Guest
Re: siszyd32.exe
« Reply #16 on: December 12, 2009, 10:15:42 PM »
Now....!

Thanks again essexboy, this help is greatly appreciated.

Here's an update:
After following your instructions, I rebooted (see my note on that point below...). Up until now, I could see the siszyd32.exe file in both CCleaner and in the Startup list via Windows Defender, and I could disable it, but not delete it. This time, I could still see it, but was able to delete it easily. Whether I have just deleted it from the startup list and it's still there somewhere or it's completely dead I'm not sure. I have attached the Combofix.txt and log.txt files for your info.

Anyway, CPU usage seems to have significantly improved (between 5% and 20% when I'm using the same programs where previously it was generally between 50% and 100%).

On the reboot, just one thing to note - the previous 2 times I ran ComboFix, it didn't ask / suggest / require a reboot, but this third time I couldn't open either Firefox or IE after the process had finished (a message popped up saying I had selected a registry item that was marked for deletion). A reboot seems to have gotten over that, but anyway, there you go... just for future reference in case it's of interest.

MP

Offline essexboy

Re: siszyd32.exe
« Reply #17 on: December 12, 2009, 10:37:31 PM »
OK, it has a hidden backup that is now revealed, so let's kill that as well.

Again, let me know how it runs on completion, as this should be the end.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\pss\siszyd32.exe
c:\users\Conor \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siszyd32.exe

Registry::
[-HKLM\~\startupfolder\C:^Users^Conor ^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^siszyd32.exe]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.
6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

MudPuddles

  • Guest
Re: siszyd32.exe
« Reply #18 on: December 13, 2009, 08:44:15 PM »
Ok, after doing that, performance is pretty good: CPU usage bouncing around below 20%, of which svchost processes are running about half.

.txt files attached.

MP

Offline essexboy

Re: siszyd32.exe
« Reply #19 on: December 13, 2009, 09:27:11 PM »
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

MudPuddles

  • Guest
Re: siszyd32.exe
« Reply #20 on: December 13, 2009, 10:22:52 PM »
All done. Thank you sir!

Two quick questions, for my own information -
Since the startup program listings in CCleaner and in Windows Defender could see it, but I couldn't find it on the hard drive, and CCleaner couldn't delete it, I am guessing that siszyd32.exe was not actually the root of the problem... is that correct? i.e. was the infection really another file hiding on my hard drive that created the siszyd32.exe file?

Second, I'm normally pretty good with antivirus security, running avast, MBAM, SAS pretty regularly. Apart from keeping software up to date, is there something I can do to better prevent this kind of problem?

Many thanks,
MP
« Last Edit: December 13, 2009, 10:28:34 PM by MudPuddles »

Offline essexboy

Re: siszyd32.exe
« Reply #21 on: December 13, 2009, 11:22:18 PM »
It was actually being protected by the second copy - which neither of the other programmes saw. As it was being run from the registry under the appints

Unfortunately this is one of those nasties that could come from anywhere.

Your security regime looks sound - I use Avast and MBAM, so in a way it is the luck of the draw if you visit an infected website.
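The two ComboFix scripts in this thread (Reply #15 and Reply #17) and the explanation just above illustrate the same lesson: a startup item that a user has "disabled" through MSConfig is not gone, Windows moves the file into %windir%\pss and records it under an MSConfig registry key, and a removal that only deletes the visible Startup entry leaves that backup behind. The following PowerShell script is an added example, not code from the thread or from ComboFix, that enumerates all three places in one pass. It assumes Windows PowerShell 3.0 or later, an elevated prompt so HKLM and %windir%\pss are readable, and that the `HKLM\~\startupfolder` key in the ComboFix script is its shorthand for the MSConfig key path named below (my reading of that notation).

```powershell
# Added example, not from the thread: audit Startup-folder items together with the backup
# copies MSConfig keeps for items a user has "disabled".
# Assumptions: Windows PowerShell 3.0+, run elevated. The key path is Windows' own location
# for disabled startup-folder items; the ComboFix "HKLM\~" shorthand is taken to mean it.

$MsConfigStartupKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder'

function Get-StartupFolderItems {
    # Live Startup folders: the all-users folder plus every profile under the users root.
    $dirs = @(Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    $usersRoot = Split-Path -Path $env:USERPROFILE -Parent
    foreach ($userDir in Get-ChildItem -LiteralPath $usersRoot -Directory -ErrorAction SilentlyContinue) {
        $dirs += Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force also lists hidden and system files, a common way to keep a dropper out of sight.
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Source = 'StartupFolder'; Name = $f.Name; Path = $f.FullName }
        }
    }
}

function Get-MsConfigDisabledItems {
    # Each subkey is named after the original path with '\' replaced by '^' (compare the
    # C:^Users^...^siszyd32.exe key in the thread). The 'backup' value, when present, points
    # at the copy MSConfig moved into %windir%\pss.
    if (-not (Test-Path -LiteralPath $MsConfigStartupKey)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $MsConfigStartupKey) {
        $original = $sub.PSChildName -replace '\^', '\'
        $props = Get-ItemProperty -LiteralPath $sub.PSPath
        $backup = if ($props.PSObject.Properties['backup']) { [string]$props.backup } else { '(no backup value)' }
        [pscustomobject]@{ Source = 'MSConfigDisabled'; Name = (Split-Path -Path $original -Leaf); Path = $backup }
    }
}

function Get-PssFiles {
    # Anything still sitting in %windir%\pss is the payload of a disabled startup item.
    $pss = Join-Path $env:windir 'pss'
    if (-not (Test-Path -LiteralPath $pss)) { return }
    foreach ($f in Get-ChildItem -LiteralPath $pss -File -Force -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Source = 'PssFolder'; Name = $f.Name; Path = $f.FullName }
    }
}

function Get-BaseName([string]$Name) {
    # Normalise 'foo.lnk', 'foo.exe.Startup' and 'foo.exe.CommonStartup' to one key so
    # a single item found in several places groups together.
    return ($Name -replace '\.(Startup|CommonStartup)$', '' -replace '\.lnk$', '')
}

$items = @(Get-StartupFolderItems) + @(Get-MsConfigDisabledItems) + @(Get-PssFiles)
$items | Sort-Object Name, Source | Format-Table Source, Name, Path -AutoSize -Wrap

# The same name in more than one of the three places is exactly the pattern the second
# ComboFix script had to clean up: a Startup entry plus the MSConfig backup the first pass missed.
foreach ($group in ($items | Group-Object -Property { Get-BaseName $_.Name })) {
    $sources = $group.Group | ForEach-Object { $_.Source } | Sort-Object -Unique
    if (@($sources).Count -gt 1) {
        Write-Warning ("'{0}' is present in: {1}" -f $group.Name, ($sources -join ', '))
    }
}
```

The script only reports; deleting the file, its pss copy and the MSConfig subkey is a separate, deliberate step once the item has been confirmed as unwanted, which is what the CFScript entries above do.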

MudPuddles

  • Guest
Re: siszyd32.exe
« Reply #22 on: December 13, 2009, 11:41:23 PM »
Thanks for your help with this essexboy and the others who posted advice, I really appreciate you taking the time out to go through everything with me and sort this out.
Best,
MP

ghosty85

  • Guest
Re: siszyd32.exe
« Reply #23 on: December 14, 2009, 04:21:21 PM »
I've got the exact same problem with siszyd32.exe. It's really annoying me!!! grrrrrrrrr.

I've got combofix and ccleaner but have no idea what to do. Any guidance EssexBoy?

Thanks in advance.

Offline essexboy

Re: siszyd32.exe
« Reply #24 on: December 14, 2009, 09:52:06 PM »
Yes - first, do not run ComboFix, as it has been pulled for the moment due to a rootkit causing mayhem when CF tries to remove it.

So let's see what you have on your system with my other tools and see if I can kill it manually.

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
    • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
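The /md5start ... /md5stop block in the custom scan asks OTS to hash a list of boot-start storage drivers, the files that TDSS-style rootkits patch in place (later in this thread essexboy reports atapi.sys infected in "both copies"). The following PowerShell script is an added example, not code from the thread or from OTS: it takes the same driver list, computes MD5 (to compare with an OTS log) and SHA-256 for the live driver, and compares the live file with Windows' spare copy so a driver that differs from its backup stands out. It assumes Windows PowerShell 4.0 or later (for Get-FileHash); the "spare copy" search simply looks for another file of the same name below %windir% (dllcache on XP, WinSxS on later versions), which is my choice of method, not OTS's.

```powershell
# Added example, not from the thread: fingerprint the boot-start drivers from the OTS
# /md5start list and compare each with its spare copy under %windir%.
# Assumptions: Windows PowerShell 4.0+ (Get-FileHash). Get-AuthenticodeSignature is advisory
# only: on older Windows it can report NotSigned for catalog-signed OS drivers.

$DriverNames = @(
    'iaStor.sys', 'nvstor.sys', 'atapi.sys', 'IdeChnDr.sys', 'viasraid.sys', 'AGP440.sys',
    'vaxscsi.sys', 'nvatabus.sys', 'viamraid.sys', 'nvata.sys', 'nvgts.sys', 'iastorv.sys', 'ViPrt.sys'
)

function Get-DriverFingerprint {
    param([string]$Name)
    $live = Join-Path $env:windir ('system32\drivers\' + $Name)
    if (-not (Test-Path -LiteralPath $live)) {
        # Most machines ship only a subset of these drivers; absence is normal.
        return [pscustomobject]@{ Driver = $Name; Present = $false; Md5 = ''; Sha256 = ''
                                  Signature = 'n/a'; SpareMatches = 'n/a'; SparePath = '' }
    }
    $md5    = (Get-FileHash -LiteralPath $live -Algorithm MD5).Hash
    $sha256 = (Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash
    $sig    = (Get-AuthenticodeSignature -FilePath $live).Status

    # Spare copy: first other file of the same name anywhere below %windir%
    # (system32\dllcache on XP, WinSxS on Vista and later).
    $spare = Get-ChildItem -LiteralPath $env:windir -Recurse -Filter $Name -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ine $live } | Select-Object -First 1
    $spareMatches = 'no spare copy'
    $sparePath = ''
    if ($spare) {
        $sparePath = $spare.FullName
        $spareMatches = ((Get-FileHash -LiteralPath $sparePath -Algorithm SHA256).Hash -eq $sha256)
    }

    [pscustomobject]@{
        Driver = $Name; Present = $true; Md5 = $md5; Sha256 = $sha256
        Signature = $sig; SpareMatches = $spareMatches; SparePath = $sparePath
    }
}

$results = foreach ($n in $DriverNames) { Get-DriverFingerprint -Name $n }
$results | Format-Table Driver, Present, Signature, SpareMatches, Md5 -AutoSize

# A live driver that differs from its spare copy and carries no valid signature deserves a
# second look. Note the limit of this check: if both copies were patched (the atapi.sys case
# later in the thread) they agree with each other, and only comparison against a known-good
# file from clean media, as essexboy asks for, reveals the infection.
$results | Where-Object { $_.Present -and ($_.SpareMatches -eq $false) -and ($_.Signature -ne 'Valid') } |
    ForEach-Object { Write-Warning ("{0}: live driver differs from spare copy ({1}) and is not validly signed" -f $_.Driver, $_.SparePath) }
```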

ghosty85

  • Guest
Re: siszyd32.exe
« Reply #25 on: December 14, 2009, 11:24:23 PM »
Much appreciated for your time essexboy :)

Here's the mediafire link:

http://www.mediafire.com/?mqn0jjimjdd

rankfast

  • Guest
Re: siszyd32.exe
« Reply #26 on: December 15, 2009, 12:26:50 AM »
Hi EssexBoy,

I have the same problem with siszyd32.exe and csimplayer.exe file. I have Windows XP Pro and I can't even boot into regular mode. I have run the OTS.exe in SAFE MODE and uploaded the file to http://www.mediafire.com/?yjyh5mjtrhn .
I have also attached the RSIT log files with this post.

Please help.

Let me know if any other logs are needed.

Thanks.
« Last Edit: December 15, 2009, 01:19:04 AM by rankfast »

brunobruck

  • Guest
Re: siszyd32.exe
« Reply #27 on: December 15, 2009, 01:24:49 AM »
Hi everyone, I had the same problem and figured it out with the following program: http://www.superantispyware.com/.
I hope this can be helpful for you.

Offline essexboy

Re: siszyd32.exe
« Reply #28 on: December 15, 2009, 09:59:21 PM »
@rankfast could you start your own thread and PM me the link, as I cannot run two infections in one thread. Ta

@ghosty85

Ok, first the bad news: you have the latest version of a rootkit. It has infected both copies of a file on your computer. Do you have access to another computer where you can get a copy of this file, C:\WINDOWS\system32\DRIVERS\atapi.sys? If you can, I will need you to copy it to your root C: drive. Let me know on this.

Quote:
One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


Let's clear some of the garbage now.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Modules - Safe List]
YY -> ucevenupehukuh.dll -> C:\WINDOWS\ucevenupehukuh.dll
[Win32 Services - Safe List]
YN -> (gupdate) Google Update Service (gupdate) [Auto | Stopped] ->
YY -> (MyWebSearchService) My Web Search Service [Auto | Stopped] -> C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2499262627-2763923191-843853277-1006\] > ->
YN -> HKEY_USERS\S-1-5-21-2499262627-2763923191-843853277-1006\: Main\\"SearchMigratedDefaultName" -> My Web Search
YN -> HKEY_USERS\S-1-5-21-2499262627-2763923191-843853277-1006\: Main\\"SearchMigratedDefaultUrl" -> http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCxdm768YYGB&fl=0&ptb=hFaIfhRKCbQmyZGSCaRTFg&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
< FireFox Extensions [User Folders] > ->
YY -> No name found   -> C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\osrbx5ud.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> "{07B18EA9-A523-4961-B6BB-170DE4475CCA}" [HKLM] -> C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL [My Web Search]
YN -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Fnafidi" -> C:\WINDOWS\ucevenupehukuh.DLL [rundll32.exe "C:\WINDOWS\ucevenupehukuh.dll",Startup]
YN -> "Regedit32" -> C:\WINDOWS\System32\regedit.exe [C:\WINDOWS\system32\regedit.exe]
< Lee Startup Folder > -> C:\Documents and Settings\Lee\Start Menu\Programs\Startup
YY -> ~EmptyValue -> C:\Documents and Settings\Lee\Start Menu\Programs\Startup\siszyd32.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\sdra64.exe -> C:\WINDOWS\system32\sdra64.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
[Files/Folders - Modified Within 30 Days]
NY ->  fecdfxgl.sys -> C:\WINDOWS\System32\drivers\fecdfxgl.sys
NY ->  Swafamagabo.dat -> C:\WINDOWS\Swafamagabo.dat
NY ->  Qkoqi.bin -> C:\WINDOWS\Qkoqi.bin
NY ->  av_md.exe -> C:\WINDOWS\System32\av_md.exe
NY ->  avdrn.dat -> C:\Documents and Settings\Lee\Application Data\avdrn.dat
[Files - No Company Name]
NY ->  fecdfxgl.sys -> C:\WINDOWS\System32\drivers\fecdfxgl.sys
NY ->  av_md.exe -> C:\WINDOWS\System32\av_md.exe
NY ->  fvgqad.dat -> C:\Documents and Settings\NetworkService\Application Data\fvgqad.dat
NY ->  Swafamagabo.dat -> C:\WINDOWS\Swafamagabo.dat
NY ->  Qkoqi.bin -> C:\WINDOWS\Qkoqi.bin
NY ->  fvgqad.dat -> C:\Documents and Settings\LocalService\Application Data\fvgqad.dat
NY ->  avdrn.dat -> C:\Documents and Settings\Lee\Application Data\avdrn.dat
NY ->  ucevenupehukuh.dll -> C:\WINDOWS\ucevenupehukuh.dll
NY ->  pn.ini -> C:\WINDOWS\pn.ini
NY ->  pr.ini -> C:\WINDOWS\pr.ini
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.


Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
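Two entries in the OTS fix above are worth understanding as detection cases rather than just lines to paste: the Winlogon UserInit value that gained a second program (sdra64.exe) after the legitimate userinit.exe, and a Run value that starts a DLL sitting directly in C:\WINDOWS through rundll32. The "Files - No Company Name" section is OTS's own heuristic for spotting such files. The following PowerShell script is an added example, not code from the thread or from OTS, that audits those two autostart locations and reproduces that heuristic with built-in cmdlets. It assumes Windows PowerShell 3.0 or later; Get-AuthenticodeSignature is used as an advisory signal only, since it can report NotSigned for catalog-signed OS binaries on older Windows.

```powershell
# Added example, not from the thread: triage Winlogon\UserInit and the Run keys, flagging
# targets with no company name and no valid signature (the OTS heuristic) or living
# directly in %windir%. Assumptions: Windows PowerShell 3.0+.

function Resolve-CommandTarget {
    param([string]$Command)
    # Extract the file that is really loaded by an autostart command line.
    # For rundll32 the interesting file is the DLL argument, not rundll32 itself.
    $c = $Command.Trim()
    if ($c -match 'rundll32(\.exe)?\s+"?([^",]+)') { return $Matches[2].Trim() }
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Get-FileVerdict {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) {
        # A dangling autostart entry is itself worth a look (leftover from a removal, or a hidden file).
        return [pscustomobject]@{ Path = $Path; Exists = $false; Company = ''; Signature = 'n/a'; Suspicious = $true }
    }
    $info = (Get-Item -LiteralPath $expanded).VersionInfo
    $sig  = (Get-AuthenticodeSignature -FilePath $expanded).Status
    # An executable placed directly in %windir% rather than a subfolder is a second weak signal.
    $inWindowsRoot = (Split-Path -Path $expanded -Parent).TrimEnd('\') -ieq $env:windir.TrimEnd('\')
    $noProvenance  = [string]::IsNullOrWhiteSpace($info.CompanyName) -and ($sig -ne 'Valid')
    [pscustomobject]@{
        Path = $expanded; Exists = $true; Company = $info.CompanyName; Signature = $sig
        Suspicious = ($noProvenance -or $inWindowsRoot)
    }
}

function Test-UserInit {
    # UserInit should be only the system userinit.exe (followed by a trailing comma).
    # Every additional comma-separated entry is launched by winlogon at each logon.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -LiteralPath $key -Name UserInit).UserInit
    $expected = Join-Path $env:windir 'system32\userinit.exe'
    foreach ($entry in ($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $v = Get-FileVerdict -Path $entry
        if ($v.Path -ine $expected) { $v.Suspicious = $true }
        $v | Add-Member -NotePropertyName Source -NotePropertyValue 'Winlogon\UserInit' -PassThru
    }
}

function Get-RunEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        # Skip the PS* bookkeeping properties Get-ItemProperty adds to every registry object.
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $target = Resolve-CommandTarget -Command ([string]$p.Value)
            Get-FileVerdict -Path $target |
                Add-Member -NotePropertyName Source -NotePropertyValue ("{0} [{1}]" -f $k, $p.Name) -PassThru
        }
    }
}

@(Test-UserInit) + @(Get-RunEntries) |
    Sort-Object Suspicious -Descending |
    Format-Table Source, Path, Company, Signature, Suspicious -AutoSize -Wrap
```

Run against the listing above, the UserInit check would show two entries, userinit.exe (expected) and sdra64.exe (flagged), and the Run check would resolve the "Fnafidi" value to C:\WINDOWS\ucevenupehukuh.dll and flag it for living in the Windows root with no company name. The output is a triage list, not a removal list: a flagged entry is confirmed by looking at the file before anything is deleted.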

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: siszyd32.exe
« Reply #29 on: December 15, 2009, 11:01:17 PM »
@ essexboy

rankfast can't PM you as the PM function is unavailable to those without 20 posts.