Author Topic: siszyd32.exe again  (Read 12433 times)


fortius

  • Guest
siszyd32.exe again
« on: December 21, 2009, 01:37:05 AM »
As proposed by Essexboy (http://forum.avast.com/index.php?topic=52265.15), I'm starting a new thread for this occurrence of the malware.

I stopped the trojan program by starting Windows in Safe Mode, removing siszyd32.exe from the Autostart folder, and creating there a read-only text file with that name. The CPU usage was again ok, but the internet connection remained very slow.

After having used ComboFix, the malware is not trying anymore to re-install itself to the Autostart folder.
The performance of the internet connection improved strongly, but it's still slow. Also, I can notice a lot of sending-receiving activities when I myself don't do anything.

Now I used OTS, here's the logfile:
http://www.mediafire.com/?mmy5zld0cfw.
Are there some infected files mentioned to be still in use?

Is there some virus checker that can reliably find all files infected by this trojan?

Thank you.
--
some remarks to add:
I have no rtzkk entry in the registry, and no file 'C:\WINDOWS\system32\Drivers\ltzqkan.sys' (at least: not anymore).
Also, Firefox was not deleted from my system.
I plan to run also MBAM, but can do it only in the coming evening.
« Last Edit: December 21, 2009, 02:19:16 AM by fortius »

Offline 12321

  • Newbie
  • *
  • Posts: 3
Re: siszyd32.exe again
« Reply #1 on: December 21, 2009, 02:03:00 PM »
you should search for ltzqkan in the registry because this rtzkk is just for my comp; every comp has a different name for this .sys file, smart trojan ;)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: siszyd32.exe again
« Reply #2 on: December 21, 2009, 09:15:29 PM »
On completion of this run - run MBAM and post the log as well please

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1482476501-746137067-1957994488-1003\] > -> HKEY_USERS\S-1-5-21-1482476501-746137067-1957994488-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Gabriel Startup Folder > -> C:\Dokumente und Einstellungen\Gabriel\Startmenü\Programme\Autostart
YY -> ~EmptyValue -> C:\Dokumente und Einstellungen\Gabriel\Startmenü\Programme\Autostart\siszyd32.exe
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\Temp\~TM1972.tmp" -> C:\WINDOWS\Temp\~TM1972.tmp [C:\WINDOWS\Temp\~TM1972.tmp:*:Disabled:services]
< Drives with AutoRun files > ->
NY -> E:\autobus.jpg  -> E:\autobus.jpg [ NTFS ]
[Files/Folders - Created Within 30 Days]
NY ->  3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  ssvvvlr.sys -> C:\WINDOWS\System32\drivers\ssvvvlr.sys
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
NY ->  7 C:\Dokumente und Einstellungen\Gabriel\Lokale Einstellungen\temp\*.tmp files -> C:\Dokumente und Einstellungen\Gabriel\Lokale Einstellungen\temp\*.tmp
NY ->  3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files - No Company Name]
NY ->  ssvvvlr.sys -> C:\WINDOWS\System32\drivers\ssvvvlr.sys
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.


fortius

  • Guest
Re: siszyd32.exe again
« Reply #3 on: December 22, 2009, 03:54:38 AM »
Many thanks, Essexboy!
My PC seems to be clean now!!!

MBAM and OTS (with the fix script you wrote) have identified the Rootkit Agent, it's name was C:\WINDOWS\system32\drivers\ssvvvlr.sys.

They both tried to delete it immediately and also after a reboot, but they failed.
Then I downloaded Avenger (I found its homepage in 12312's posting in the other thread) and deleted at first only the driver (was Avenger's hint, on its tutorial pages), whose name was ssvvvlr.
Then I could delete already myself, manually the driver file (Rootkit) named above.
Finally, I deleted with Avenger these registry key folders (I couldn't do it manually):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SSVVVLR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SSVVVLR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSVVVLR
(though the latter didn't exist anymore when Avenger came to delete it).

Now there are only these two registry keys that contain the hated string:
1.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="Arbeitsplatz\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Enum\\Root\\LEGACY_SSVVVLR"
2.
[HKEY_USERS\S-1-5-21-1482476501-746137067-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="Arbeitsplatz\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Enum\\Root\\LEGACY_SSVVVLR"

But I suppose these keys are harmless and maybe mustn't be deleted, they should get another value soon.

Now MBAM doesn't find any infected file anymore, nor does OTS it.
The internet connection is again fast, there is no sending-receiving of data when I don't do anything, and the sent-received ratio is about 2:7, instead of 1:2.

Thanks again, I wouldn't have solved this without your help!
---
Update:
1. the two remaining registry keys were indeed harmless, they contain now other values.
2. It's worth also starting a full scan with MBAM (not only the quick scan as before), since it has now detected and deleted these items for me (though maybe this is only a waste-paper basket?):
C:\System Volume Information\_restore{C91713DB-C2ED-47C6-8A6B-CF59A1ED3B03}\RP2\A0000027.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C91713DB-C2ED-47C6-8A6B-CF59A1ED3B03}\RP2\A0000041.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C91713DB-C2ED-47C6-8A6B-CF59A1ED3B03}\RP2\A0000043.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C91713DB-C2ED-47C6-8A6B-CF59A1ED3B03}\RP2\A0000052.exe (Trojan.Banker) -> Quarantined and deleted successfully.
« Last Edit: December 22, 2009, 09:58:27 AM by fortius »

Offline essexboy

Re: siszyd32.exe again
« Reply #4 on: December 22, 2009, 07:47:48 PM »
Be careful with Avenger - If you just deleted the control set with no number the other two would have gone as well

You will need to reset your restore points now as when MBAM removed infections from there it broke the chain so they are useless to you now
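The warning above about Avenger rests on how control sets work: HKLM\SYSTEM\CurrentControlSet is not a separate key but a link to one of the numbered ControlSet00N keys, chosen by the DWORDs under HKLM\SYSTEM\Select, so a delete through the alias is a delete in that numbered set. The script below is an added example, not code from the thread or from any tool mentioned in it: it prints the mapping and lists the LEGACY_* driver records under each control set's Enum\Root, flagging the ones whose Services key is gone (the state ssvvvlr was left in after the driver file was removed by hand). The registry paths are the real Windows locations; the function names are the example's own. It assumes Windows with PowerShell 5.1 or later and an elevated prompt; it only reads.

```powershell
# Added example (not from the thread): resolve CurrentControlSet and list
# LEGACY_* driver records per control set, flagging orphans.
# Assumes Windows, PowerShell 5.1+, elevated prompt. Read-only.

function Get-ControlSetMap {
    # CurrentControlSet is a symbolic link to ControlSet00N; the kernel picks N
    # from HKLM\SYSTEM\Select at boot. Deleting through the alias therefore
    # also deletes from the numbered set it points at.
    $sel = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    [pscustomobject]@{
        Current       = 'ControlSet{0:D3}' -f $sel.Current
        Default       = 'ControlSet{0:D3}' -f $sel.Default
        LastKnownGood = 'ControlSet{0:D3}' -f $sel.LastKnownGood
        Failed        = if ($sel.Failed) { 'ControlSet{0:D3}' -f $sel.Failed } else { '(none)' }
    }
}

function Get-LegacyDriverEntries {
    # Uses the .NET registry API directly: LEGACY_* keys often carry ACLs that
    # block deletion (the reason Avenger was needed in the thread), but listing
    # their names only needs read access on Enum\Root itself.
    $map  = Get-ControlSetMap
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $sets = $hklm.OpenSubKey('SYSTEM').GetSubKeyNames() | Where-Object { $_ -like 'ControlSet???' }
    foreach ($cs in $sets) {
        $enumRoot = $hklm.OpenSubKey("SYSTEM\$cs\Enum\Root")
        $svcKey   = $hklm.OpenSubKey("SYSTEM\$cs\Services")
        if ($null -eq $enumRoot -or $null -eq $svcKey) { continue }
        $services = $svcKey.GetSubKeyNames()
        foreach ($name in $enumRoot.GetSubKeyNames() | Where-Object { $_ -like 'LEGACY_*' }) {
            $svc = $name.Substring('LEGACY_'.Length)
            [pscustomobject]@{
                ControlSet = $cs
                IsCurrent  = ($cs -eq $map.Current)
                Service    = $svc
                HasService = [bool]($services -contains $svc)   # -contains is case-insensitive
                Key        = "HKLM\SYSTEM\$cs\Enum\Root\$name"
            }
        }
        $enumRoot.Close(); $svcKey.Close()
    }
}

Get-ControlSetMap | Format-List
# Orphans only: a LEGACY_ record with no matching Services key. Drop the
# Where-Object to see every legacy driver record in every control set.
Get-LegacyDriverEntries | Where-Object { -not $_.HasService } | Format-Table -AutoSize
```

Two practical points follow from the output. First, the same service name shows up once per numbered set, so a clean-up has to name each numbered key (or accept that the alias delete already covered the current one). Second, a LEGACY_ record that survives in ControlSet002 but not in the current set is normal after a manual removal and is harmless on its own; it is the entries that still have a Services key and a missing driver file that deserve attention.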

fortius

  • Guest
Re: siszyd32.exe again
« Reply #5 on: December 23, 2009, 12:37:56 AM »
Ok, that was lucky, good thing that I deleted only these few registry entries.

Which restore points do you mean, where should I set them?
I know only about that option in msconfig, there I have set a new restore point now, thanks for the hint.
« Last Edit: December 23, 2009, 12:48:06 AM by fortius »

Offline essexboy

Re: siszyd32.exe again
« Reply #6 on: December 23, 2009, 07:35:21 PM »
Here is my restore point spiel  ;D

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done

virdi

  • Guest
siszyd32.exe
« Reply #7 on: January 07, 2010, 08:07:40 AM »
Hi essexboy,

I have siszyd.exe running in the startup (msconfig.exe)

Here's my OTS log http://www.mediafire.com/?t2zqgqoziu3

Thanks!

- Virdi

Offline essexboy

Re: siszyd32.exe again
« Reply #8 on: January 07, 2010, 08:26:26 PM »
Mediafire is down for maintenance at the moment; it should be up in about an hour, when I will download your logs

Offline essexboy

Re: siszyd32.exe again
« Reply #9 on: January 07, 2010, 09:52:29 PM »
Could you upload it again? They have messed up the link

virdi

  • Guest
Re: siszyd32.exe again
« Reply #10 on: January 08, 2010, 12:51:12 AM »
hello,

here is my OTS logfile: http://www.2shared.com/file/10528600/76641465/OTS.html

Some more information:

(1) I got infected with siszyd32.exe at around 3:50 pm on Jan 4th 2010

(2) After infection, it asked me to buy the full version of some malware protection software, which I got rid of using Norton and deleting a folder, files and registry entries it created under the names "08031618.exe"

(3) Now, Norton Antivirus keeps alerting me continuously with lots of pop-up boxes saying that "the mail server couldn't send the email to ...". It seems the trojan (or rootkit?) is trying to send some information out but I have not configured any mail client so it's throwing an error... or maybe Norton is blocking the outgoing messages.

(4) msconfig says that siszyd32.exe is in "startup programs" but I can't see it in Process Explorer

Thanks!

virdi

  • Guest
Re: siszyd32.exe again
« Reply #11 on: January 08, 2010, 01:04:49 AM »
OTS log uploaded again on mediafire: http://www.mediafire.com/?4oxmigmcmf0

Thanks!

Offline essexboy

Re: siszyd32.exe again
« Reply #12 on: January 08, 2010, 07:58:36 PM »
I think I have pinpointed all the fellow travellers with this

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< NewUser Startup Folder > -> C:\Documents and Settings\NewUser\Start Menu\Programs\Startup
YY -> ~EmptyValue -> C:\Documents and Settings\NewUser\Start Menu\Programs\Startup\siszyd32.exe
< AppCertDlls [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
YY -> \\"caclnmgr" -> C:\WINDOWS\System32\netskman.dll [C:\WINDOWS\system32\netskman.dll]
[Files/Folders - Created Within 7 Days]
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 7 Days]
NY ->  tknvcp.sys -> C:\WINDOWS\System32\drivers\tknvcp.sys
NY ->  nvDrv.sy -> C:\WINDOWS\nvDrv.sy
NY ->  avdrn.dat -> C:\Documents and Settings\NewUser\Application Data\avdrn.dat
NY ->  53 C:\Documents and Settings\NewUser\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\NewUser\Local Settings\Temp\*.tmp
NY ->  1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files - No Company Name]
NY ->  fvgqad.dat -> C:\Documents and Settings\NetworkService\Application Data\fvgqad.dat
NY ->  tknvcp.sys -> C:\WINDOWS\System32\drivers\tknvcp.sys
NY ->  nvDrv.sy -> C:\WINDOWS\nvDrv.sy
NY ->  fvgqad.dat -> C:\Documents and Settings\LocalService\Application Data\fvgqad.dat
NY ->  avdrn.dat -> C:\Documents and Settings\NewUser\Application Data\avdrn.dat
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
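The two OTS fixes in this thread (Reply #2 and Reply #12) each strip the same kinds of footholds by hand: an executable dropped in a user's Startup folder, a firewall exception for a temp file, a value under AppCertDlls, and an unsigned .sys in System32\drivers. AppCertDlls is the one worth knowing about: every DLL listed there is loaded into each process that calls CreateProcess, CreateProcessAsUser, WinExec and related APIs, which gives the malware a hook in nearly every new process without touching any of them on disk. The script below is an added example, not code from the thread or from OTS, that inventories those four locations in one read-only pass and attaches signature status, vendor string and modification time to each hit so the random-named, unsigned, recently modified entries stand out. The registry paths are the real Windows locations; the function names are the example's own. It assumes Windows with PowerShell 5.1 or later, run elevated.

```powershell
# Added example (not from the thread): read-only inventory of the persistence
# points the OTS fixes remove. Assumes Windows, PowerShell 5.1+, elevated.

function Get-FileTrust {
    # Signature status, vendor string and mtime for one file; 'missing' if gone.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Signature = 'missing'; Company = ''; Modified = $null }
    }
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Signature = (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()  # Valid, NotSigned, HashMismatch...
        Company   = $item.VersionInfo.CompanyName
        Modified  = $item.LastWriteTime
    }
}

function Get-StartupFolderItems {
    # Anything here runs at logon. A bare, unsigned, vendor-less .exe
    # (siszyd32.exe in the thread) rather than a shortcut is the tell.
    $folders = @([Environment]::GetFolderPath('CommonStartup'))
    foreach ($dir in Get-ChildItem -Directory (Split-Path -Parent $env:USERPROFILE)) {
        $folders += Join-Path $dir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'  # Vista+
        $folders += Join-Path $dir.FullName 'Start Menu\Programs\Startup'                                      # XP layout in the logs
    }
    foreach ($f in $folders | Where-Object { Test-Path -LiteralPath $_ }) {
        foreach ($file in Get-ChildItem -LiteralPath $f -File) {
            $t = Get-FileTrust $file.FullName
            [pscustomobject]@{ Source = 'Startup'; Name = $file.Name; Path = $file.FullName
                               Signature = $t.Signature; Company = $t.Company; Modified = $t.Modified }
        }
    }
}

function Get-AppCertDlls {
    # DLLs listed here are mapped into every process that calls CreateProcess
    # and friends: a system-wide injection point with no per-process trace.
    $key = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls' -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $path = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
        $t = Get-FileTrust $path
        [pscustomobject]@{ Source = 'AppCertDlls'; Name = $name; Path = $path
                           Signature = $t.Signature; Company = $t.Company; Modified = $t.Modified }
    }
}

function ConvertFrom-FirewallListEntry {
    # Value data looks like "C:\path\app.exe:*:Enabled:Display name". The drive
    # letter also contains ':', so parse with a regex instead of splitting on it.
    param([string]$Data)
    if ($Data -match '^(?<path>.+?):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<label>.*)$') {
        return [pscustomobject]@{ Path = $Matches.path; Scope = $Matches.scope; State = $Matches.state; Label = $Matches.label }
    }
}

function Get-FirewallAuthorizedApps {
    # XP/2003-era Windows Firewall exceptions; malware adds itself so its traffic
    # passes. Vista and later keep rules elsewhere (see Get-NetFirewallRule).
    foreach ($fwProfile in 'StandardProfile', 'DomainProfile') {
        $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$fwProfile\AuthorizedApplications\List"
        $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $e = ConvertFrom-FirewallListEntry ([string]$key.GetValue($name))
            if ($null -eq $e) { continue }
            $t = Get-FileTrust ([Environment]::ExpandEnvironmentVariables($e.Path))
            [pscustomobject]@{ Source = "Firewall/$fwProfile"; Name = "$($e.Label) [$($e.State)]"; Path = $e.Path
                               Signature = $t.Signature; Company = $t.Company; Modified = $t.Modified }
        }
    }
}

function Get-UnsignedDrivers {
    # Kernel drivers without a valid signature, newest first; ssvvvlr.sys and
    # tknvcp.sys from the thread would sit at the top of this list.
    Get-ChildItem -LiteralPath "$env:SystemRoot\System32\drivers" -Filter *.sys -File | ForEach-Object {
        $t = Get-FileTrust $_.FullName
        if ($t.Signature -ne 'Valid') {
            [pscustomobject]@{ Source = 'drivers'; Name = $_.Name; Path = $_.FullName
                               Signature = $t.Signature; Company = $t.Company; Modified = $t.Modified }
        }
    } | Sort-Object Modified -Descending
}

@(Get-StartupFolderItems) + @(Get-AppCertDlls) + @(Get-FirewallAuthorizedApps) + @(Get-UnsignedDrivers) |
    Format-Table Source, Name, Signature, Company, Modified, Path -AutoSize
```

One caveat on the driver list: catalog-signed Microsoft drivers only report Valid where Get-AuthenticodeSignature can consult the catalog store (Windows 10 with PowerShell 5.1 or later); on older hosts they show as NotSigned, so there the useful filter is an empty Company field combined with a modification time inside the incident window, which is exactly what the OTS "Files - No Company Name" and "Modified Within 30 Days" sections above are keying on.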


virdi

  • Guest
Re: siszyd32.exe again
« Reply #13 on: January 08, 2010, 11:54:57 PM »
Log after running fix: http://www.mediafire.com/?nm4zo42dkly

I don't think it removed those files... C:\WINDOWS\System32\drivers\tknvcp.sys as it says file move failed...  :(

I ran the OTS again... here's the new log: http://www.mediafire.com/?orq1omdzmoz
Can you post the new fix or suggest another approach... like booting from USB Linux and removing files manually...

Offline essexboy

Re: siszyd32.exe again
« Reply #14 on: January 09, 2010, 02:02:14 PM »
No need for using external OS yet

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (DGIFLLUK) DGIFLLUK [On_Demand | Stopped] ->
YN -> (CUICKIZXS) CUICKIZXS [On_Demand | Stopped] ->
[Files/Folders - Modified Within 30 Days]
NY ->  tknvcp.sys -> C:\WINDOWS\System32\drivers\tknvcp.sys
[Custom Items]
:services
DGIFLLUK
CUICKIZXS
:end
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
« Last Edit: January 09, 2010, 05:32:59 PM by essexboy »
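The two entries the fix above removes through the ":services" section, DGIFLLUK and CUICKIZXS, show the pattern of a driver service whose binary is already gone: the OTS line lists them as On_Demand and Stopped with an empty image path. That shape is easy to search for directly. The script below is an added example, not code from the thread or from OTS, that walks HKLM\SYSTEM\CurrentControlSet\Services, normalises the several forms an ImagePath can take, applies the rule that a driver with no ImagePath at all is loaded from System32\drivers\<name>.sys, and reports every service or driver whose binary is missing. Removal is offered through sc.exe behind -WhatIf/-Confirm so the list can be reviewed first. The registry paths and sc.exe are real; the function names are the example's own. It assumes Windows with PowerShell 5.1 or later, run elevated.

```powershell
# Added example (not from the thread): find service and driver entries whose
# binary is missing, and remove them only on explicit confirmation.
# Assumes Windows, PowerShell 5.1+, elevated prompt.

function Resolve-ImagePath {
    # Normalise the forms ImagePath takes into one filesystem path:
    #   system32\DRIVERS\x.sys                 (relative to %SystemRoot%)
    #   \SystemRoot\system32\drivers\x.sys
    #   \??\C:\path\x.sys
    #   "C:\Program Files\x.exe" -arg   /   C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p.StartsWith('"')) {
        $p = $p.Substring(1, $p.IndexOf('"', 1) - 1)           # quoted path, drop arguments
    } elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') {
        $p = $Matches[1]                                        # unquoted path, drop arguments
    }
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-OrphanedServices {
    $hklm     = [Microsoft.Win32.Registry]::LocalMachine
    $services = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services')
    foreach ($name in $services.GetSubKeyNames()) {
        try { $k = $services.OpenSubKey($name) } catch { continue }    # ACL-protected key
        if ($null -eq $k) { continue }
        $type = $k.GetValue('Type')
        if ($null -eq $type) { $k.Close(); continue }                   # parameter-only key, not a service
        $raw  = [string]$k.GetValue('ImagePath')
        $path = Resolve-ImagePath $raw
        # A kernel or file-system driver (Type 1 or 2) with no ImagePath is
        # loaded from System32\drivers\<service name>.sys by default.
        if ($null -eq $path -and ($type -band 3)) { $path = "$env:SystemRoot\System32\drivers\${name}.sys" }
        if ($null -eq $path -or -not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{
                Service   = $name
                Type      = $type                  # 1 kernel, 2 file system, 16 own process, 32 shared process
                Start     = $k.GetValue('Start')   # 0 boot, 1 system, 2 auto, 3 on demand, 4 disabled
                ImagePath = $raw
                Resolved  = $path
            }
        }
        $k.Close()
    }
}

function Remove-OrphanedService {
    # "sc.exe delete" marks the entry for deletion; it vanishes once no handle
    # is open to it, which for a stopped orphan means at once or at next boot.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Service)
    process {
        if ($PSCmdlet.ShouldProcess($Service, 'sc.exe delete')) {
            & sc.exe delete $Service | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "sc.exe delete $Service failed with code $LASTEXITCODE" }
        }
    }
}

Get-OrphanedServices | Format-Table -AutoSize
# Review the list, then:  Get-OrphanedServices | Remove-OrphanedService -WhatIf
```

Expect a few legitimate hits on a healthy machine (drivers for hardware that is no longer attached, leftovers from uninstalled security products), which is why the removal step is separate and confirmation-gated; the suspicious ones are the random eight-to-nine-letter names with no vendor, no description value and no file, the same signature the OTS log showed for the two entries above.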