Topic: another siszyd32.exe

mjolnirthor

  • Guest
another siszyd32.exe
« on: December 16, 2009, 01:07:00 PM »
Hello,

Kaspersky sees that I have siszyd32.exe at startup and asks me if I want to remove it. I say yes and it restarts to wipe the thing out, but siszyd is still here. Only when I'm connected though. It seems not to work and uses 50% of my CPU when I'm not online...
Any solutions, please?

Thanks in advance...

spg SCOTT

  • Guest
Re: another siszyd32.exe
« Reply #1 on: December 16, 2009, 01:15:05 PM »
Hi mjolnirthor,

Thanks for creating a new thread, I have sent essexboy the link to the thread so he is aware of it.
When he is online, he should be able to help you.

-Scott-

mjolnirthor

  • Guest
Re: another siszyd32.exe
« Reply #2 on: December 16, 2009, 02:00:29 PM »
Thanks a lot, Scott.
I've managed to erase siszyd32 using FreeFixer so it doesn't autostart each time I start the computer.
The CPU usage doesn't pass 50%.
How can I be sure there aren't any traces of the rootkit elsewhere on my computer?

spg SCOTT

  • Guest
Re: another siszyd32.exe
« Reply #3 on: December 16, 2009, 02:13:23 PM »
> How can I be sure there aren't any traces of the rootkit elsewhere on my computer?

This would be better answered by essexboy; I'm no malware-fighting expert... he is, and would be better at noticing any leftovers...

-Scott-

mjolnirthor

  • Guest
Re: another siszyd32.exe
« Reply #4 on: December 16, 2009, 02:17:25 PM »
Thanks.
Let's wait for the expert, then.  ;)

DavidR
Re: another siszyd32.exe
« Reply #5 on: December 16, 2009, 04:13:45 PM »
I would suggest a reboot and then run the same scan again to see if it has been regenerated, as this seems to be what has been happening in other instances of this.

Other than that, it is waiting for essexboy, who has the tools and experience on how to use them and interpret the results to help.

essexboy (Malware removal instructor)
Re: another siszyd32.exe
« Reply #6 on: December 16, 2009, 08:59:07 PM »
Hi, let's have a quick shufti to see if there are any remnants - you may not have the TDL rootkit.

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following:
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
« Last Edit: December 16, 2009, 09:00:42 PM by essexboy »
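
The /md5start ... /md5stop part of the custom scan above hashes a fixed list of system DLLs and storage/bus drivers. The TDL family got onto a machine by patching one of the drivers already installed (atapi.sys, iaStor.sys and similar) rather than dropping a new, obviously named file, so a digest that no longer matches a known-good copy is the tell the log is meant to reveal. The script below is an added example, not part of OTS or of essexboy's instructions: it hashes that same list against a baseline of known-good digests and reports which files differ. The baseline, the fake driver contents and the in-place patch in demo() are constructed for the demonstration. One caveat for this family: some versions intercepted reads of the infected driver and handed back the clean bytes, so a hash taken from inside the running system can come back clean; compare from a clean boot or with the disk mounted offline.

```python
import hashlib
import os
import tempfile

# Files the OTS custom scan above hashes between /md5start and /md5stop.
WATCHED_DRIVERS = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
    "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys", "ViPrt.sys",
]


def file_md5(path, chunk=1 << 16):
    """MD5 of a file read in chunks (OTS reports MD5; prefer SHA-256 for new baselines)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_drivers(driver_dir, baseline):
    """Hash every watched file present in driver_dir and compare with baseline.

    baseline maps lower-cased file name -> known-good hex digest.
    Returns {name: 'ok' | 'MODIFIED' | 'missing' | 'no-baseline'}.
    'missing' is normal: a machine only carries the drivers for its own chipset.
    """
    results = {}
    for name in WATCHED_DRIVERS:
        path = os.path.join(driver_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        expected = baseline.get(name.lower())
        if expected is None:
            results[name] = "no-baseline"
        elif file_md5(path) == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "MODIFIED"
    return results


def demo():
    """Constructed scenario: a throw-away drivers directory with two storage
    drivers, a baseline taken while they are clean, then atapi.sys patched in place."""
    clean = {
        "atapi.sys": b"MZ\x90\x00 clean atapi driver image (constructed)",
        "iaStor.sys": b"MZ\x90\x00 clean iastor driver image (constructed)",
    }
    with tempfile.TemporaryDirectory() as drivers:
        for name, data in clean.items():
            with open(os.path.join(drivers, name), "wb") as f:
                f.write(data)
        # Baseline recorded while the files are known good.
        baseline = {n.lower(): file_md5(os.path.join(drivers, n)) for n in clean}
        # Simulate an infection that overwrites bytes inside the driver (constructed).
        with open(os.path.join(drivers, "atapi.sys"), "r+b") as f:
            f.seek(8)
            f.write(b"HOOKED")
        return check_drivers(drivers, baseline)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        if status != "missing":
            print(f"{status:12} {name}")
```

On a real machine point check_drivers at the drivers directory of the mounted (offline) Windows volume and build the baseline from a known-clean install of the same service pack; digests differ between XP service packs and hotfix levels, so a mismatch against the wrong baseline is noise, not infection.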

mjolnirthor

  • Guest
Re: another siszyd32.exe
« Reply #7 on: December 16, 2009, 11:31:35 PM »
Thanks a lot.

Here's my OTS text:
http://www.mediafire.com/?t2lggommjzt

essexboy
Re: another siszyd32.exe
« Reply #8 on: December 16, 2009, 11:52:14 PM »
OK, this should kill the respawners.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  ltzqkan.sys -> C:\WINDOWS\System32\drivers\ltzqkan.sys
NY ->  A552F140928961E0.job -> C:\WINDOWS\tasks\A552F140928961E0.job
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
NY ->  avdrn.dat -> C:\Documents and Settings\Laurent Queyssi\Application Data\avdrn.dat
[Files - No Company Name]
NY ->  nidojzq.ini -> C:\WINDOWS\nidojzq.ini
NY ->  lydnofz.ini -> C:\WINDOWS\lydnofz.ini
[File - Lop Check]
NY ->  A552F140928961E0.job -> C:\WINDOWS\Tasks\A552F140928961E0.job
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

THEN

Please download Malwarebytes' Anti-Malware from here.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

mjolnirthor

  • Guest
Re: another siszyd32.exe
« Reply #9 on: December 17, 2009, 10:37:41 AM »
Thanks once again for your help, essexboy, that's very nice of you.

Here are the three logs.
http://www.mediafire.com/?hhfdnmbwciw
http://www.mediafire.com/?0wkjmntintw
http://www.mediafire.com/?zmoeyamaofu

OTS has restarted the computer after the fix.

Then I've run MBAM two times and each time it detects C:\WINDOWS\system32\drivers\ltzqkan.sys (Rootkit.Agent) but can't erase it.

mjolnirthor

  • Guest
Re: another siszyd32.exe
« Reply #10 on: December 17, 2009, 06:15:05 PM »
FreeFixer couldn't erase ltzqkan.sys either.
Is this a rootkit or just a remnant of the trojan?

I've noticed that my computer is very slow today. And it seems my antivirus is using 50% of the CPU most of the time. Is there a link with my problem?
« Last Edit: December 17, 2009, 07:11:43 PM by mjolnirthor »

essexboy
Re: another siszyd32.exe
« Reply #11 on: December 17, 2009, 09:12:32 PM »
No, it needs a stronger tool to kill this rootkit. Normally I would use ComboFix to kill this, but it is currently pulled, so we will have to do it the old-fashioned way.

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right-click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Begin copying here:

Files to delete:
c:\windows\system32\drivers\ltzqkan.sysl

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right-click on the window under Input script here:, and select Paste.
  • You can also paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log.
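
The Avenger takes a plain-text script and performs the deletions at the next boot, so a path that does not resolve is only discovered after the reboot. The log in the reply below reports that it could not open the path as written; the path in the script above ends in .sysl, while the file OTS and MBAM listed is ltzqkan.sys. A pre-flight check of the script's paths catches that class of mistake before the machine is restarted. The script below is an added example, not part of The Avenger: it parses the 'Files to delete:' section, re-roots each Windows path onto a directory of your choosing (a temp dir here, standing in for C:\, or a mounted image) and, for every missing file, suggests similarly named files in the same directory. The section-header rule is an assumption about the script grammar (the real tool may accept more), the sample tree is constructed, and directory names are lower-cased to match the script because the temp dir here is on a case-sensitive filesystem.

```python
import difflib
import os
import tempfile


def parse_avenger_script(text):
    """Split an Avenger-style script into {section header (lower-case): [entries]}.

    Assumption: a section starts at any line ending in ':' that contains ' to '
    (e.g. 'Files to delete:', 'Drivers to disable:'). The 'Begin copying here:'
    marker and blank lines are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("begin copying here"):
            continue
        if line.endswith(":") and " to " in line.lower():
            current = line.lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _localise(win_path, root):
    """Map 'c:\\windows\\...' onto root/windows/... so the check can run against
    a temp dir or a mounted image instead of the live system."""
    rel = win_path.replace("\\", "/")
    if ":" in rel:
        rel = rel.split(":", 1)[1]          # drop the drive letter
    return os.path.join(root, rel.lstrip("/"))


def check_file_targets(script_text, root):
    """Return {path: (status, suggestions)} for every 'Files to delete:' entry.

    status is 'exists' or 'missing'; for a missing file, suggestions lists
    similarly named files from the same directory, which is how a typo such as
    an extra trailing character in the file name shows up.
    """
    report = {}
    for path in parse_avenger_script(script_text).get("files to delete:", []):
        full = _localise(path, root)
        if os.path.isfile(full):
            report[path] = ("exists", [])
            continue
        directory = os.path.dirname(full)
        names = os.listdir(directory) if os.path.isdir(directory) else []
        close = difflib.get_close_matches(os.path.basename(full), names, n=3, cutoff=0.8)
        report[path] = ("missing", close)
    return report


# Constructed input: the path from the script posted above, as posted, plus one
# path that is spelled correctly and one that does not exist at all.
SCRIPT = """Begin copying here:

Files to delete:
c:\\windows\\system32\\drivers\\ltzqkan.sysl
c:\\windows\\system32\\fjhdyfhsn.bat
c:\\windows\\system32\\drivers\\nosuchfile.sys
"""


def demo():
    """Build a throw-away tree standing in for C:\\ and run the check over SCRIPT."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "windows", "system32", "drivers"))
        for rel in ("windows/system32/drivers/ltzqkan.sys",
                    "windows/system32/fjhdyfhsn.bat"):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(b"placeholder bytes (constructed)")
        return check_file_targets(SCRIPT, root)


if __name__ == "__main__":
    for path, (status, close) in demo().items():
        hint = f"  did you mean: {', '.join(close)}" if close else ""
        print(f"{status:8} {path}{hint}")
```

A 'missing' result with no suggestion is also informative: either the file was already removed by an earlier step or the rootkit is hiding it from directory listings, and the two cases call for different next steps.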

mjolnirthor

  • Guest
Re: another siszyd32.exe
« Reply #12 on: December 17, 2009, 11:05:01 PM »
Things don't seem to have changed...
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  could not open file "c:\windows\system32\drivers\ltzqkan.sysl"
Deletion of file "c:\windows\system32\drivers\ltzqkan.sysl" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Completed script processing.

*******************

Finished!  Terminate.


Logfile of HijackThis v1.99.1
Scan saved at 23:03:20, on 17/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Laurent Queyssi\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.fr/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fr/0SEFRFR/SAOS02
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.cegetel.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.115.130.23:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Ajouter à Kaspersky Anti-Bannière - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Statistiques de la protection du trafic Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
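
A HijackThis log is a flat list of hundreds of registry and file entries, and the practical way to read one is to sweep it for the few entry types that deserve a second look and then judge those by hand. The script below is an added example, not a tool from this thread: it runs such a sweep over a subset of the log above (the sample lines are copied verbatim from it) and returns review prompts, not verdicts. Several of the rules match legitimate software in this very log (Kaspersky's AppInit_DLLs hooks, the Java Quick Starter service with no publisher name); the per-user ProxyServer setting pointing at 202.115.130.23:8080 is the kind of entry a reviewer would ask the owner about, since the log gives no indication of what set it. The category set and the heuristics are the example's own choices.

```python
import re

# Lines copied from the HijackThis log posted above (a subset, so the pass
# runs offline); feed the whole log to triage() on a real case.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fr/0SEFRFR/SAOS02
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.115.130.23:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
"""

# Every HJT entry is "<section code> - <body>", e.g. "O23 - Service: ...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def triage(log_text):
    """Return a list of (code, reason, line) for entries a human should look at.

    These are review prompts, not verdicts: several fire on legitimate software
    (AppInit_DLLs is used by Kaspersky in the log above), so each hit still
    needs a person to check the publisher, the path and the install history.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and ",ProxyServer =" in body:
            # A proxy silently routes every browser request through that host.
            proxy = body.split("=", 1)[1].strip()
            findings.append((code, f"proxy configured: {proxy}", line))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append((code, "BHO registered but its DLL is missing", line))
        elif code == "O4":
            # Run value whose command has no directory: resolved by PATH search,
            # so any earlier directory on PATH can supply a same-named binary.
            cmd = body.split("] ", 1)[-1].strip().strip('"')
            if "\\" not in cmd.split(" ")[0]:
                findings.append((code, "Run entry without a full path (resolved via PATH search)", line))
        elif code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append((code, "AppInit_DLLs loads these DLLs into every process that loads user32.dll", line))
        elif code == "O20" and "(file missing)" in body:
            findings.append((code, "Winlogon Notify entry points at a missing DLL", line))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, "service binary carries no publisher name", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {line}")
```

The sweep deliberately says nothing about kernel-mode drivers: HijackThis lists user-mode autostart points only, which is why a driver-level rootkit leaves no trace in it.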


essexboy
Re: another siszyd32.exe
« Reply #13 on: December 17, 2009, 11:18:50 PM »
OK, that is one deep rootkit. Don't know why I asked for a HJT log as that shows nothing; I must remove that from my responses.

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double-click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window:
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with Malware removal mode enabled" check box.
  • Click on the "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.
When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Upload both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

mjolnirthor

  • Guest
Re: another siszyd32.exe
« Reply #14 on: December 18, 2009, 12:14:30 AM »