Author Topic: Need Help removing siszyd32.exe and sr882388.exe et al  (Read 23578 times)


Offline gitarslinger

  • Jr. Member
  • Posts: 69
Need Help removing siszyd32.exe and sr882388.exe et al
« on: January 04, 2010, 11:27:50 PM »
I hit a bad link the other day, and Trendmicro Internet Security recognized but failed to quarantine the resulting trojan which it referred to as TROJ_BREDLAB.SME.  Within seconds, "Sandboxie Start" (sr882388.exe) was trying to access the internet.  I blocked it.  The trojan and Sandboxie Start were both running in task manager processes, as was an instance of cmd.exe, busy eating up cpu.

I ended the processes, removed the quarantined trojan, found and removed sr882388 and a prefetch file with the same name (manually; TM didn't find them).  I then looked at startup programs (msconfig) and found both this one and siszyd32.exe.  I unchecked both, restarted, and the second one was rechecked, and had in fact two iterations, one of which was checked, one which was not.  I searched for, but did not find, this file.  Nor did I find either of these names in searching the registry.

I remembered at this point that a number of months ago, TM warned me that services.exe was trying to access the internet.  I blocked it.  It finally occurred to me to look at the firewall log.  Services.exe is making attempts every couple of seconds to reach a variety of external ip addresses through multiple ports.  I don't know enough to know whether or not this is one of services.exe's jobs, but it seems odd.

On advice from another web forum, I installed and ran ATF-Cleaner and the free version of Superantispyware.  Superantispyware found and removed siszyd32.exe, along with two other spyware apps.  The perma-checked iteration of siszyd32 in msconfig is gone.  I've attached log files from superantispyware and trendmicro internet security firewall.

Can anyone help me clean up this computer?  I know little and have no idea what to do next.

Jim
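
An added example, not part of Jim's post or of any of the tools mentioned in this thread, to show what the firewall log he describes looks like once you actually count it up per process. Everything in it is constructed: the column layout is invented for the example (it is not the Trend Micro Internet Security log format), the sample lines are made up, the RFC 5737 documentation addresses stand in for real Internet hosts, and the process list in SYSTEM_PROCESSES and the thresholds in suspicious() are the script's own assumptions. The point it demonstrates: services.exe is the Windows Service Control Manager and does not, on its own, open connections to a string of different Internet hosts on a spread of ports every couple of seconds. That pattern is code running inside or under it trying to call out, and a personal firewall that blocks each attempt silences the symptom without removing the cause.

```python
"""Added example: rank processes in a personal-firewall log by how much they
look like they are beaconing. Illustration code written for this thread, not
Trend Micro's, Avast's or any other product's code.

Assumptions (all invented for the example):
  * Log lines are "YYYY-MM-DD HH:MM:SS process remote_ip remote_port action".
    This is NOT the real Trend Micro Internet Security log layout.
  * The RFC 5737 documentation ranges (192.0.2/24, 198.51.100/24,
    203.0.113/24) stand in for real Internet addresses.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log: services.exe contacting a different public host
# every two seconds on a spread of ports, beside ordinary browser traffic
# and one legitimate LAN connection.
SAMPLE_LOG = """\
2010-01-04 22:15:01 services.exe 203.0.113.7 8080 BLOCKED
2010-01-04 22:15:02 firefox.exe 198.51.100.200 80 ALLOWED
2010-01-04 22:15:03 services.exe 198.51.100.22 443 BLOCKED
2010-01-04 22:15:05 services.exe 203.0.113.9 25 BLOCKED
2010-01-04 22:15:07 services.exe 192.0.2.55 8080 BLOCKED
2010-01-04 22:15:09 services.exe 198.51.100.80 443 BLOCKED
2010-01-04 22:15:11 services.exe 192.0.2.17 6667 BLOCKED
2010-01-04 22:15:30 services.exe 192.168.1.1 137 ALLOWED
2010-01-04 22:15:40 firefox.exe 198.51.100.200 443 ALLOWED
2010-01-04 22:16:15 firefox.exe 203.0.113.100 443 ALLOWED
"""

# Address ranges a home PC legitimately talks to without crossing the Internet.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                    "192.168.0.0/16", "127.0.0.0/8",
                                    "169.254.0.0/16")]

# Core Windows processes that have no business opening Internet connections
# on their own (assumed list for the example).
SYSTEM_PROCESSES = {"services.exe", "lsass.exe", "winlogon.exe",
                    "csrss.exe", "smss.exe"}


def parse(log_text):
    """Turn the constructed log into (timestamp, process, ip, port, action) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append((ts, parts[2].lower(), ip_address(parts[3]),
                       int(parts[4]), parts[5]))
    return events


def is_lan(ip):
    return any(ip in net for net in LAN_NETS)


def summarize(events):
    """Per-process counters over attempts to non-LAN addresses only."""
    stats = defaultdict(lambda: {"attempts": 0, "ips": set(), "ports": set(),
                                 "first": None, "last": None})
    for ts, proc, ip, port, _action in events:
        if is_lan(ip):
            continue  # router, NetBIOS, printers: normal, not evidence
        s = stats[proc]
        s["attempts"] += 1
        s["ips"].add(ip)
        s["ports"].add(port)
        if s["first"] is None or ts < s["first"]:
            s["first"] = ts
        if s["last"] is None or ts > s["last"]:
            s["last"] = ts
    return stats


def mean_interval(s):
    """Average seconds between a process's attempts (None if fewer than two)."""
    if s["attempts"] < 2:
        return None
    return (s["last"] - s["first"]).total_seconds() / (s["attempts"] - 1)


def suspicious(stats, min_attempts=5, min_ips=3, max_interval=10.0):
    """Processes that hit several distinct public hosts at a steady, fast rate.

    A system process is flagged on rate and spread alone; anything else must
    also scatter across three or more ports, which a browser does not do.
    """
    flagged = []
    for proc, s in stats.items():
        if s["attempts"] < min_attempts or len(s["ips"]) < min_ips:
            continue
        if mean_interval(s) > max_interval:
            continue
        if proc in SYSTEM_PROCESSES or len(s["ports"]) >= 3:
            flagged.append(proc)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(parse(SAMPLE_LOG))
    for proc in suspicious(stats):
        s = stats[proc]
        print(f"{proc}: {s['attempts']} attempts to {len(s['ips'])} hosts on "
              f"{len(s['ports'])} ports, one every {mean_interval(s):.1f}s")
```

On the sample it flags services.exe only: six attempts to six different hosts on four ports, two seconds apart, while the browser's three connections to two hosts are left alone. Against a real export the only part that changes is parse(), which has to match the product's column layout; the counting is the same.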

Offline Avastfan1

  • Advanced Poster
  • Posts: 965
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #1 on: January 05, 2010, 12:23:29 AM »
Hi,

I would recommend doing the following:

1. Download and update Avast (http://files.avast.com/files/latest/avast_home_setup.exe)
2. Download and update MBAM (http://www.malwarebytes.org/mbam-download.php)
3. Disconnect your computer from the internet (ie. pull the cable out or turn the router off)
4. Run a boot-time scan with Avast
5. Do a full scan with MBAM
6. Download CCleaner (http://www.ccleaner.com/download/builds/downloading-slim)
7. Run Ccleaner
8. Download HJT (http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe)
9. Run HJT and click 'Do a scan and save a logfile'

Post the results from Avast, MBAM and HJT here. The friendly Avast Forum members will be able to help you further :-)

Good luck!

Avastfan1
Window 7 Home Premium - Avast Pro 7.0.1474 - PC Tools Firewall Plus 7.0.0.123 - MBAM 1.70 - Firefox 17.0.1 - NoScript 2.6.4.2 - Adblock Plus 2.2.1

Offline gitarslinger

  • Jr. Member
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #2 on: January 05, 2010, 12:31:30 AM »
Quick question: will the existing running copies of superantispyware and trendmicro internet security interfere with running these processes?  Should I exit them before installing and/or before running the suggested apps?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 82305
  • No support PMs thanks
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #3 on: January 05, 2010, 01:53:03 AM »
I suggest you do a forums search for this particular file, siszyd32.exe, as it has in some cases been a pig to remove and currently requires specialist tools and knowledge to analyse.

Unfortunately there aren't that many avast users that are also malware removal specialists on the forums.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.8.2393 (build 19.8.4793.544) UI-1.0.415/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline gitarslinger

  • Jr. Member
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #4 on: January 05, 2010, 02:21:54 AM »
Thanks, David.  I did that in fact before I posted.  The experts in question advised beginning a new thread for each specific case and posting a link to it in the original thread.  This is what I did.

Jim

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 82305
  • No support PMs thanks
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #5 on: January 05, 2010, 03:23:10 AM »
Yes, that is correct because the tools may return different data; such is the complexity of this little monster that multiple threads within a topic would become very confusing for all concerned.

Were you not sandboxed when this all happened ?

Just seeing the "Sandboxie Start" in your first post, I wondered if you weren't using it, or perhaps this is it trying to sandbox itself to protect it from attack.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • Posts: 1620
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #6 on: January 05, 2010, 03:37:55 AM »
Quick question: will the existing running copies of superantispyware and trendmicro internet security interfere with running these processes?  Should I exit them before installing and/or before running the suggested apps?


Trendmicro internet security may likely interfere with the smooth running of your avast antivirus. You may choose one or the other, but running the two - avast and trendmicro - at the same time can cause problems all round.

Otherwise the suggested apps are good. They can only be helpful. However as DavidR says specialist tools may be needed to remove this beastie. You will find an abundance of info on avast webforum to put you further in the picture.



Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline gitarslinger

  • Jr. Member
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #7 on: January 05, 2010, 04:41:29 AM »
David, no I don't use Sandboxie.  From what I've read elsewhere, this particular beastie identifies itself as "Sandboxie Start," even to the point of using the Sandboxie icon, but is in fact spyware and nothing to do with the real Sandboxie. 

Jim

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 82305
  • No support PMs thanks
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #8 on: January 05, 2010, 04:20:28 PM »
OK thanks for that, they are very sneaky like that, trying to pass themselves off as security applications.  Fortunately you realised it wasn't, as you don't use that particular one.

In the meantime whilst we are waiting for one of the malware specialists, you could try running these programs and report the findings.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. - See http://en.wikipedia.org/wiki/HTTP_cookie.


Offline gitarslinger

  • Jr. Member
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #9 on: January 05, 2010, 06:49:02 PM »
Thanks, David.  I'm in the process of doing that exactly.  I ran superantispyware before my initial post, and corrected three issues.  The log is attached to my first post.  I'm since following the protocol suggested by avastfan, in running an Avast boot-scan (no issues found, but a problem I'll go into later), Malwarebytes (two runs, found a number of issues on the first, one on the second), CCleaner (I'm on that step now, and have questions; see below), and finally HijackThis.  I'll post logs when I'm all done.

I have a question about CCleaner.  I ran the regular file removal tool, and took advantage of the startup program manager to remove known trojans from the list.  Now I'm looking at the registry cleaner, and I'm not sure what to do.  Lots of these issues:
missing shared dll
unused file extensions (what will it do if I ask it to "fix" an unused file extensions?  There are plenty of them that I do indeed use all the time, and I don't know what CCleaner means)
invalid default icons
open with application issues
activex/com issues
missing typelib references
application paths issues
helpfile issues
installer reference issues
uninstaller reference issues
obsolete software key
and old start menu keys.

Avastfan, should I be messing about with all that?  I've read that CCleaner has a registry backup utility, but I'm not finding it, either.  I'd like to do a backup prior to digging into the registry.

Offline YoKenny

  • Serious Graphoman
  • Posts: 8788
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #10 on: January 05, 2010, 07:03:42 PM »
Make sure you have "Show prompt to select the backup" enabled.
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 36320
  • Weihrauch Airguns
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #11 on: January 05, 2010, 07:04:19 PM »
Quote
Avastfan, should I be messing about with all that?  I've read that CCleaner has a registry backup utility, but I'm not finding it, either.  I'd like to do a backup prior to digging into the registry.
If you are using the default settings it will ask when you start fixing.
But you can look in Options > Advanced > [X] Show prompt to backup registry issues.



...nice picture kenny.... ;D
« Last Edit: January 05, 2010, 07:06:13 PM by Pondus »

Offline gitarslinger

  • Jr. Member
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #12 on: January 05, 2010, 07:10:49 PM »
Thanks for that.  I've run it, I've trusted it, and the computer has rebooted with no discernible problems.  There's a relief.  Should be ready to post log files requested by avastfan shortly.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 82305
  • No support PMs thanks
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #13 on: January 05, 2010, 07:18:07 PM »
Yes, looks like it removed the startup entry for siszyd32.exe and a couple of suspect files.

No powerreg scheduler v3.exe in my PSS folder and no REMOVED.EXE in my system32 folder on winXP Pro SP3.

Personally I only use ccleaner to clean up temp files.  Whilst it has a registry cleanup and all options are checked by default, it first runs a scan but doesn't remove anything unless you opt to Fix selected issues.  Generally it shouldn't be a problem, but any editing of the registry carries a risk.  It does ask "Do you want to backup changes to the registry?"; select yes, and this creates a .reg file with all the changes so that they can be reversed.  It will then ask again to fix.

It isn't a radical registry cleaner, doesn't go into too much depth certainly not near the depth my registry cleaner goes, but for me not an issue as you need to have a working knowledge of what something does before removing it.

Offline gitarslinger

  • Jr. Member
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #14 on: January 05, 2010, 07:38:01 PM »
Ok, here's the goods.  I've attached the Avast boot-scan log (it's empty, essentially, but there for completeness' sake), two Malwarebytes logs, and the HijackThis log.  I'm hoping we've made some real progress here.  Avastfan, what next?

David, I suppose I'm happy CCleaner's registry cleaner isn't all that robust, as I certainly lack that working knowledge you mentioned.  It did get rid of 1103 of those shallow issues it does address.

A question about the startup menu manager: I have a number of programs unchecked in msconfig that I did not uncheck myself.  How can I know what is needed and what is not?  Is it safe to use CCleaner to remove unchecked entries if I'm sure the program isn't needed or that I simply don't want it to run on startup?

I mentioned an issue I had with Avast.  I ran the setup, and it downloaded the program.  On first run, it performed a memory scan and warned of a hidden service named "buoraeym.sys."  It asked if I wanted to delete or ignore this service, and suggested "ignore."  I clicked ignore, and up popped a warning that there was a virus running in memory.  It asked me if I wanted to perform a boot-scan, I clicked yes, and the system froze.  I wound up doing a hard restart, and the boot-scan started.  I had trouble with freezes on restarts, as Avast and TM were fighting with one another, and was eventually able to stop the apps as they were loading, boot fully, and uninstall Avast.  Hence:
I don't know if the buoraeym.sys service is a problem, or if it has been solved, and
I don't know if Avast was up to date when it ran the boot-scan.

It has been stated elsewhere in the forum that Avast fails to identify these particular issues.  Do you suggest mucking about with it again, or leave it for now?