Author Topic: another siszyd32.exe  (Read 18950 times)

0 Members and 1 Guest are viewing this topic.

mjolnirthor

  • Guest
Re: another siszyd32.exe
« Reply #15 on: December 18, 2009, 09:54:53 AM »
One question:

Is it safe for me to surf the net? Is the rootkit active or does it just mess up with my anti-virus?

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: another siszyd32.exe
« Reply #16 on: December 18, 2009, 10:02:30 AM »
I'd be inclined to not surf the net, nor do anything else with the affected computer while a fix is underway. That would probably be the safer option.
Essexboy could advise more authoritatively when he's back.
Windows 10,Windows Firewall,Firefox w/Adblock.

CharleyO

  • Guest
Re: another siszyd32.exe
« Reply #17 on: December 18, 2009, 05:42:25 PM »
***

I suggest that you download FreeFixer from the below link.

How to remove siszyd32.exe with Freefixer:

1. Download and install FreeFixer: http://www.freefixer.com/download.html
Freefixer is freeware, so it will not cost you anything.

2. Start FreeFixer and click "Scan". The will scan finish in approximately 5 minutes.

3. In the Scan result, scroll down to "Autostart shortcuts". Locate the siszyd32.exe item and check its "Delete" checkbox. DO NOT check anything else for removal, unless you 100% it's malware.

4. Click "Fix".

5. Restart your machine.

6. Start FreeFixer and scan your computer again.

7. Verify that siszyd32.exe no longer appear anywhere in the scan result.

8. Done.

Did that completely remove siszyd32.exe from your machine?

siszyd32.exe is part of Troj/Agent-LVN as documented over at Sophos:
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentlvn.html

Please let us know the results.


***

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: another siszyd32.exe
« Reply #18 on: December 18, 2009, 07:01:05 PM »
I doubt freefixer will kill it as it is a rootkit

AVZ FIX

  • Double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
Code: [Select]
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
SetAVZPMStatus(True);
 BC_DeleteFile('C:\WINDOWS\system32\Drivers\ltzqkan.sys');
 DeleteFile('C:\WINDOWS\system32\Drivers\ltzqkan.sys');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

On completion re-run MBAM

mjolnirthor

  • Guest
Re: another siszyd32.exe
« Reply #19 on: December 19, 2009, 12:10:58 PM »
MBAM tells me that the rootkit is still here... :'(

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: another siszyd32.exe
« Reply #20 on: December 19, 2009, 04:35:03 PM »
Hi CF has just been given a limited release

Please download this file http://download.bleepingcomputer.com/sUBs/Beta/KittyFix.exe

And then follow the Combofix instructions as below

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

mjolnirthor

  • Guest
Re: another siszyd32.exe
« Reply #21 on: December 19, 2009, 05:57:01 PM »
Thanks a lot Essexboy. A friend helped me all afternoon long and we got finally rid of the bugger...

You've been great helping me. Thank you.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: another siszyd32.exe
« Reply #22 on: December 19, 2009, 07:58:54 PM »
No problem - that is the trouble with working on the forums - the time between replies

fortius

  • Guest
Re: another siszyd32.exe
« Reply #23 on: December 20, 2009, 04:55:35 PM »
Hi Essexboy,

I'm another victim of this bugger, and I downloaded KittyFix.exe and double clicked it.
I hope this was correct, though the hint "IMPORTANT !!! Save ComboFix.exe to your Desktop" didn't mention KittyFix.

Before of having started KittyFix, I earlier stopped the malware program by starting Windows in secured mode, removing siszyd32.exe from the Autostart folder, and creating there a read-only text file with that name. The CPU usage was again low, but the internet connection remained very slow.

KittyFix downloaded and installed the Microsoft Windows Recovery Console, and started the scanning for malware (BTW, all messages were in German, Kittyfix detected the PC's language).
After reporting the deletion of avdrn.dat and kWab.dll, a message appeared in the same window telling (I'm translating from German) "Preparing log file. Don't start other programs, before ComboFix is ended".
All other windows disappeared, and the mouse was frozen.
I let this unchanged for more than 9 hours, but nothing happened, the same message was there.
Then I switched the power off.
If I double click KittyFix.exe again, the whole machine freezes now immediately, I have again to switch power off!

Maybe not everything was cleansed, because the internet connection is still quite slow (though better than before). The old 56Kbs modem I'm using now still shows a sent-received data ratio of about 1:2, even when I'm only downloading such huge programs. Maybe my PC is still sending a lot of data to the author of this malware?!
According to http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentlvn.html, "Troj/Agent-LVN includes functionality to access the internet and communicate with a remote server via HTTP".
Maybe this functionality is still doing something there.

Though, I can now make the text file mentioned above rewritable, and after restarting the machine it's still there, the malware doesn't re-install himself there anymore, this is an improvement.

Unfortunately, I can't attach the file C:\KittyFix\ComboFix.txt, since it was deleted when trying to start KittyFix the second time, but it was quite small, apart of the mentioned two files it didn't mention other deletions.
Though, please find attached a file named cmdcons+Qoobox.txt, where I listed the files detected/duplicated by Kittyfix in the first call.

What do you recommend, should I try yet something else?
I wonder why allegedly most of the virus protection programs are not even able to detect this trojan horse.

Thanx, Fortius

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: another siszyd32.exe
« Reply #24 on: December 20, 2009, 06:51:54 PM »
Hmm Kittyfix is a beta version of Combofix that is being trialled on certain types of infection.  A word of caution be very careful with that tool as it is extremely powerful, I would not recommend running it without someone who knows the programme helping out.. 

However lets see if I can find the rest of your problems.  Once you have run this analysis programme I would like you to start a new thread and post the sharing link there, then put the link to your new thread here so that I receive notification..  It could be dangerous to run two or three different cases in one thread 

To ensure that I get all the information this log will need to be uploaded to Mediafire and post the sharing link.

Download OTS  to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
    • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      [/list]
      • Now click the Run Scan button on the toolbar.
      • Let it run unhindered until it finishes.
      • When the scan is complete Notepad will open with the report file loaded in it.
      • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

      Offline 12321

      • Newbie
      • *
      • Posts: 3
      Yessssssssssss and noooooo
      « Reply #25 on: December 20, 2009, 11:55:12 PM »
      Quote
      Logfile of The Avenger Version 2.0, (c) by Swandog46
      http://swandog46.geekstogo.com

      Platform:  Windows XP

      *******************

      Script file opened successfully.
      Script file read successfully.

      Backups directory opened successfully at C:\Avenger

      *******************

      Beginning to process script file:

      Rootkit scan active.
      No rootkits found!

      File "c:\windows\system32\drivers\rtzkk.sys" deleted successfully. -------->>>>  ;D ;D ;D

      Completed script processing.

      *******************

      Finished!  Terminate.

      hello to all

      finally i removed (or not?) this motherf*cker from my comp who's downloading/sending the data all day long and even deleted firefox from my system!!!  >:(
      i've trying all day to remove it but this "avenger" program finally helped me  8)

      but should i be happy?

      it appears that trojan is dead, no more downloading/sending the data non-stop, also rtzkk.sys is removed from drivers folder, but registry data is still there!

      btw i've removed this siszyd.exe easily with "freefixer" but this rtzkk is still in registry???

      Quote
      Services
      Delete? Online info Registry key Display name Path
      more info rtzkk   No file specified

      Errors
      Error when opening a registry key. Key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtzkk'. System error message: A device attached to the system is not functioning. Error code: 31.

      Error message
      An exception occurred in the AppInit plugin: Error when opening a registry key, access is denied. Key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'. System error message: Access is denied. Error code: 5.
      An unexpected exception occurred in the AppInitDll plugin: Error when opening a registry key, access is denied. Key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'. System error message: Access is denied. Error code: 5.

      also this KittyFix doesn't help me very much, it'll just freeze (stop) on step 9 or 10 after 1+ hour of running and then i have to restart the comp  :P

      any help is appreciated how to remove this trojan from registry now  >:(

      Offline essexboy

      • Malware removal instructor
      • Avast Überevangelist
      • Probably Bot
      • *****
      • Posts: 40589
      • Dragons by Sasha
        • Malware fixes
      Re: another siszyd32.exe
      « Reply #26 on: December 21, 2009, 12:00:26 AM »
      Run MBAM that should clear the registry entry - but be carefull with Avenger it does exactly what you tell it there is no go back option

      Please download Malwarebytes' Anti-Malware from Here.

      Double Click mbam-setup.exe to install the application.
      • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
      • If an update is found, it will download and install the latest version.
      • Once the program has loaded, select "Perform Quick Scan", then click Scan.
      • The scan may take some time to finish,so please be patient.
      • When the scan is complete, click OK, then Show Results to view the results.
      • Make sure that everything is checked, and click Remove Selected.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
      • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      • Copy&Paste the entire report in your next reply.
      Extra Note:

      If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

      Offline 12321

      • Newbie
      • *
      • Posts: 3
      Re: another siszyd32.exe
      « Reply #27 on: December 21, 2009, 12:28:21 AM »
      well i cannot believe  >:(
      6 new buggers removed and comp restarted

      after that i manually removed this service (folder) "rtzkk" in registry  8) there are more values with this name "rtzkk", should i remove all manually?

      Quote
      Malwarebytes' Anti-Malware 1.42
      Database version: 3399
      Windows 5.1.2600 Service Pack 3
      Internet Explorer 6.0.2900.2180

      21.12.2009 0:24:53
      mbam-log-2009-12-21 (00-24-53).txt

      Scan type: Quick Scan
      Objects scanned: 102784
      Time elapsed: 11 minute(s), 22 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 1
      Registry Data Items Infected: 1
      Folders Infected: 0
      Files Infected: 4

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Administrator\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Administrator\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.
      C:\Documents and Settings\NetworkService\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.

      freefixer log shows that there is no errors and this rtzkk file/data :)

      gracias essexboy!!!!!!!!!!!!!!!!!!!!!!

      now i just have to reinstall firefox again, actually this is third time  ;D
      « Last Edit: December 21, 2009, 12:46:44 AM by 12321 »

      fortius

      • Guest
      Re: another siszyd32.exe
      « Reply #28 on: December 21, 2009, 01:55:00 AM »
      However lets see if I can find the rest of your problems.  Once you have run this analysis programme I would like you to start a new thread and post the sharing link there, then put the link to your new thread here so that I receive notification..  It could be dangerous to run two or three different cases in one thread 

      To ensure that I get all the information this log will need to be uploaded to Mediafire and post the sharing link.

      Here is the new thread, that contains the sharing link: http://forum.avast.com/index.php?topic=52434.0.
      BTW, I have no rtzkk entry in the registry (at least: not anymore).

      Thanks, fortius