Author Topic: siszyd32.exe - am I free?  (Read 13823 times)


digitalxni

  • Guest
siszyd32.exe - am I free?
« on: January 02, 2010, 11:30:43 PM »
Evening all!

I noticed this afternoon that a couple of new processes had appeared in the task manager and they, as well as an instance of svchosts.exe, were using up large amounts of cpu. Also there was an instance of firefox running at startup which after I killed, seemed to disappear from the firefox folder (odd?). After a quick google I stumbled upon multiple results about siszyd32 and a lot of threads on this forum. I've just spent the evening running scans. I've run adaware, mbam, sas and freefixer. I've removed everything the first 3 scans picked up and I'm not sure what to make of the results from freefixer. A lot of it seems normal but there is the oddly named dll file which is making me wonder if I am free of this virus/trojan/rootkit. Please see the attached log file.

If anyone can help I'd be extremely grateful!

/digitalxni
« Last Edit: January 02, 2010, 11:57:14 PM by digitalxni »

cakedoer2

  • Guest
Re: siszy32d.exe - am I free?
« Reply #1 on: January 02, 2010, 11:43:21 PM »
Hey Digitalxni.

I'm not really advanced in this kind of thing but siszy32d.exe is not a vital Windows process, and it looks like it's not a good one either. Find a way to remove it. I'll take a look at that log file later.

I'm not here to advertise but you might want to try this:

http://www.kaspersky.co.uk/virusscanner

I haven't actually tried it but it might find something.

--

By the way, make sure you update everything that is not up-to-date. Go to Windows update, search for newer versions of programs, whatever. You might also want to tell us your configuration. Schedule a boot-time scan with avast!. If you don't have it yet, get the home edition on the avast! website.
« Last Edit: January 02, 2010, 11:50:05 PM by cakedoer2 »

digitalxni

  • Guest
Re: siszyd32.exe - am I free?
« Reply #2 on: January 03, 2010, 01:02:10 AM »
Ok so I've reinstalled firefox (although I've still got the wireless disabled) and rerun mbam which came back completely negative. After rebooting I've noticed that I have no odd looking processes and nothing is taking up mega amounts of cpu. So I think I may well be rid of it, but those odd looking results in freefixer worry me slightly.

micky77

  • Guest
Re: siszyd32.exe - am I free?
« Reply #3 on: January 03, 2010, 02:31:24 AM »
Send erivujepopepacu.dll from C:\WINDOWS\erivujepopepacu.dll to virus total and post the results
http://www.virustotal.com/

digitalxni

  • Guest
Re: siszyd32.exe - am I free?
« Reply #4 on: January 03, 2010, 08:12:08 PM »
Here are the virus total results. Looks like win32.hiloti.

micky77

  • Guest
Re: siszyd32.exe - am I free?
« Reply #5 on: January 03, 2010, 08:43:39 PM »
Sorry, I am not really convinced. Not many are picking it up, F secure says generic, Sophos, suspicious, both are not definite. I don't count the other findings. None of the big ones are finding this. I may be wrong but at this moment, I don't think it's virus related. Then again I doubt it's anything important, no hits on google

Could it be from a security tool you have run?

digitalxni

  • Guest
Re: siszyd32.exe - am I free?
« Reply #6 on: January 03, 2010, 08:57:57 PM »
It says it was created in 2004 so surely not? I just noticed a file next to this dll called Lgelimuwesebeb.bin which appeared yesterday afternoon which is when the problems began but none of my scans have said it is a threat. (I will upload to virustotal shortly). All scans keep coming back negative but I'm still rather worried about connecting the computer back to the internet where it may download more bad things. Is this possible? How can I be sure that I am indeed clean?

digitalxni

  • Guest
Re: siszyd32.exe - am I free?
« Reply #7 on: January 03, 2010, 11:29:12 PM »
One thing I am rather worried about at the moment is that if I were to reconnect to the network, my pc would go on a download rampage of lots more trojans and viruses etc. Is this something I should worry about doing and should I stay disconnected until this matter is resolved?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89611
  • No support PMs thanks
Re: siszyd32.exe - am I free?
« Reply #8 on: January 04, 2010, 12:17:24 AM »
Of course you should be worried, as it makes cleaning harder, but any downloader has to gain access to the internet.

What is your firewall?
- It should be capable of blocking unauthorised outbound Internet Connections.

I too am not familiar with freefixer, but the one thing I do see is that you are using XP SP2 and SP3 has been out for about 18 months, this leaves you more vulnerable to attack in the first place. Unfortunately you can't begin to install SP3 until your system is clean and this particular siszyd32.exe has in other topics proven difficult to eradicate.

Also, JAVA is out of date, leaving another vulnerability (you need to uninstall the old version using add remove programs before installing the latest version).
- I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

digitalxni

  • Guest
Re: siszyd32.exe - am I free?
« Reply #9 on: January 04, 2010, 06:28:55 PM »
I'll be downloading and running OTS soon in the way that essexboy has said in many other threads. I will upload the results later tonight and hopefully someone can make some sense out of them!

digitalxni

  • Guest
Re: siszyd32.exe - am I free?
« Reply #10 on: January 05, 2010, 12:01:32 AM »
Here is a link to the OTS log:

http://www.mediafire.com/?jzbwikktngn

Just to add a few things I've noticed lately. Once the pc has booted into windows I get a message saying that there is no internet connection etc. This is probably due to some software trying to update on boot though. I also connected to the internet briefly the other day to upload some logs and as soon as I did, an instance of svchosts.exe started hogging lots of cpu again. :(
« Last Edit: January 06, 2010, 12:49:28 PM by digitalxni »

CharleyO

  • Guest
Re: siszyd32.exe - am I free?
« Reply #11 on: January 06, 2010, 07:14:58 PM »
***

Hopefully, essexboy will be in sometime soon and see this thread.


***

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: siszyd32.exe - am I free?
« Reply #12 on: January 06, 2010, 09:38:47 PM »
Here I be - there is a rootkit/hidden driver that I will need to kill

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Modules - Safe List]
YY -> erivujepopepacu.dll -> C:\WINDOWS\erivujepopepacu.dll
[Registry - Additional Scans - Safe List]
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
YN -> http [open] -> "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"
YN -> https [open] -> "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"
[Files/Folders - Created Within 30 Days]
NY ->  3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  daleg.sys -> C:\WINDOWS\System32\drivers\daleg.sys
NY ->  Lgelimuwesebeb.bin -> C:\WINDOWS\Lgelimuwesebeb.bin
NY ->  Yhenij.dat -> C:\WINDOWS\Yhenij.dat
NY ->  49 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  117 C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp
NY ->  117 C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp
[Files - No Company Name]
NY ->  erivujepopepacu.dll -> C:\WINDOWS\erivujepopepacu.dll
[Custom Scans]
NY ->  2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.


THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
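An added example, not code from the thread or from the OTS tool: a small Python parser for the fix script pasted above. It assumes the layout visible in the post (bracketed section headers, a "< ... >" group header inside the registry section, and "flags -> name -> target" entry lines) and keeps the two-letter YY/YN/NY column as an opaque string, since the thread does not say what it means. The sample input is the fix script from the post itself; the helper names are my own.

```python
"""Parse an OTS "Paste fix here" script into structured entries.

Added example; the line layout it assumes is the one visible in the
thread above, and the two-letter flag column is kept verbatim because
its meaning is not given on the page.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the fix script from essexboy's post above (copied, not constructed).
OTS_FIX = r"""
[Unregister Dlls]
[Modules - Safe List]
YY -> erivujepopepacu.dll -> C:\WINDOWS\erivujepopepacu.dll
[Registry - Additional Scans - Safe List]
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
YN -> http [open] -> "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"
YN -> https [open] -> "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"
[Files/Folders - Created Within 30 Days]
NY ->  3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  daleg.sys -> C:\WINDOWS\System32\drivers\daleg.sys
NY ->  Lgelimuwesebeb.bin -> C:\WINDOWS\Lgelimuwesebeb.bin
NY ->  Yhenij.dat -> C:\WINDOWS\Yhenij.dat
NY ->  49 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  117 C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp
NY ->  117 C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp
[Files - No Company Name]
NY ->  erivujepopepacu.dll -> C:\WINDOWS\erivujepopepacu.dll
[Custom Scans]
NY ->  2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp
[Empty Temp Folders]
"""


@dataclass
class Entry:
    section: str   # e.g. "Files - No Company Name"
    group: str     # "< ... >" sub-header inside a section, or "" if none
    flags: str     # the YY/YN/NY column, kept verbatim (meaning not on the page)
    name: str      # item label as OTS prints it, e.g. "erivujepopepacu.dll"
    target: str    # file path, wildcard pattern, or registry value data


# flags -> name -> target; the name is matched non-greedily up to the first "->"
ENTRY_RE = re.compile(r"^([YN]{2})\s*->\s*(.*?)\s*->\s*(.*)$")


def parse_ots_fix(text):
    """Return the Entry records of a fix script, in file order.

    Bare section lines such as [Unregister Dlls] or [Empty Temp Folders]
    are directives with no entries and so produce nothing.
    """
    entries, section, group = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, group = line[1:-1], ""      # a new section resets the group
            continue
        if line.startswith("<"):
            group = line.split("->", 1)[0].strip()  # keep the "< ... >" label only
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(section, group, *m.groups()))
    return entries


def is_registry(entry):
    return entry.section.startswith("Registry")


def section_counts(entries):
    """How many entries each section contributes."""
    return Counter(e.section for e in entries)


def file_targets(entries):
    """Unique file-system targets (paths or wildcard patterns), first-seen
    spelling kept. Windows paths are case-insensitive, so the script's
    System32 and system32 lines collapse to one target, and the repeated
    Temp lines collapse as well."""
    seen, out = set(), []
    for e in entries:
        if is_registry(e):
            continue
        key = e.target.lower()
        if key not in seen:
            seen.add(key)
            out.append(e.target)
    return out


if __name__ == "__main__":
    ents = parse_ots_fix(OTS_FIX)
    for sec, n in section_counts(ents).items():
        print(f"{n:3d}  {sec}")
    print("\nfile-system targets the fix moves to quarantine:")
    for t in file_targets(ents):
        print("  ", t)
```

The point of the de-duplication step is the one digitalxni raises a few posts later: the fix moves the oddly named files and wildcard-matched temp files rather than touching the registry shell-spawning values in place, so listing the unique file targets shows exactly which artifacts end up in quarantine, and why two lines that differ only in path case are the same item.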

digitalxni

  • Guest
Re: siszyd32.exe - am I free?
« Reply #13 on: January 07, 2010, 04:30:47 PM »
Just ran the OTS fix. After reboot I got a RUNDLL error saying that the module could not be loaded for the file C:\WINDOWS\erivujepopepacu.dll

Please find attached the OTS log file. I will run combofix once you've had a gander at this log file :)

EDIT: Just to add I noticed that this fix has only moved the oddly named files (dlls, bins etc.) Will ComboFix remove these completely?
« Last Edit: January 07, 2010, 04:33:16 PM by digitalxni »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: siszyd32.exe - am I free?
« Reply #14 on: January 07, 2010, 09:57:01 PM »
Yep run CF now and that should tidy up the registry entries and kill the other files I missed  ;D

The files have been moved to quarantine now and are harmless