Author Topic: Need Help removing siszyd32.exe and sr882388.exe et al  (Read 12423 times)

0 Members and 1 Guest are viewing this topic.

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8798
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #15 on: January 05, 2010, 07:47:46 PM »
I see you are still running Windows Service Pack 2 so you should install Windows Service Pack 3 that has been available for over a year and a half that contains several Critical Security updates plus performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don't automatically download or install them.

Update to IE8:
http://www.microsoft.com/windows/internet-explorer/default.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

Offline gitarslinger

  • Jr. Member
  • **
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #16 on: January 05, 2010, 07:51:32 PM »
I wanted to ask again about the services.exe problem.  Is this perhaps a problem app, or a good app driven to do bad things by another app? 

I'm attaching the most recent log of firewall activity.  It was original a comma-separated value file, but I renamed it as a text file as this forum doesn't allow .csv attachements.  I don't know if the activity is suspicious or legitimate.  Any ideas?

Offline Chris Thomas

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1931
  • Christian Geek - aka 'born again' Geek
    • The Early Today
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #17 on: January 05, 2010, 08:19:13 PM »
services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computers boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated.

Author:Microsoft Corp.

Part of:Microsoft Windows Operating System

Common Path(s):%system%\services.exe

Offline Chris Thomas

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1931
  • Christian Geek - aka 'born again' Geek
    • The Early Today
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #18 on: January 05, 2010, 08:33:59 PM »
You should be only be worried if it is SERVICES.EXE instead of services.exe

Read here

http://www.prevx.com/filenames/476339565022733292-X1/SERVICES.EXE.html

Virus with same name:

W32/Leave.B (service.exe) - Symantec Corporation
W32.Randex.R (service.exe) - Symantec Corporation
W32.HLLW.Kazping (service.exe) - Symantec Corporation
W32.XTC.Worm (service.exe) - Symantec Corporation

You should also be worried if services.exe is in C:\WINDOWS\services.exe instead of C:\Windows\system32.
« Last Edit: January 05, 2010, 08:45:14 PM by Chris Thomas »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 71430
  • No support PMs thanks
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #19 on: January 05, 2010, 08:42:30 PM »
I wanted to ask again about the services.exe problem.  Is this perhaps a problem app, or a good app driven to do bad things by another app? 

I'm attaching the most recent log of firewall activity.  It was original a comma-separated value file, but I renamed it as a text file as this forum doesn't allow .csv attachements.  I don't know if the activity is suspicious or legitimate.  Any ideas?

I have no idea about the services.exe it is strange as I son't see this being used on my logs, but you can do a whois on the IP addresses it is trying to connect and strangely they are the likes of Yahoo, Hotmail, Mozilla and Facebook were some of the ones I checked.

HiJackThis in cases of this type is almost useless all it is likely to do is reveal weaknesses in your software like not having SP3 as mentioned, acrobat 7 (old and vulnerable), etc. etc. - I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

What it also shows is that you no longer have avast installed, but Trend Micro Internet security ???
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2015 10.2.2215 R2/ Outpost Firewall Pro9.1/ Firefox 36.0.4, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.1.4/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline gitarslinger

  • Jr. Member
  • **
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #20 on: January 05, 2010, 08:59:40 PM »
YoKenny,

Is it a good idea to install SP3 at this point while all this is going on, or better to wait 'til this is resolved?  I run all the critical updates on a regular basis, but haven't installed SP3 as I had heard horror stories about this particular release mucking up people's computers.  What say you?

Also, I once had IE 8 but had to roll back to 7 as 8 had a problem where every time I closed a browser, it started a second iteration of rundll32, and this second iteration would max out cpu.  Is it because I was running it under SP2, do you think?  It was terribly annoying.

secunia found three vulnerable apps, two adobe, one yahoo messenger.  I'm updating them as I'm writing this.  Thanks for that tip.

Jim

Offline gitarslinger

  • Jr. Member
  • **
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #21 on: January 05, 2010, 09:07:45 PM »
David,

I uninstalled Avast in favor of TM because the TM firewall has particular services on its block list.  I don't want to stop the TM firewall until all this is fixed. 

Eventually, I'd like to find an antivirus/spyware combo that works.  As already noted, Avast was no better at finding these nasties than TM.  The Avast boot-scan showed nothing, after which Malwarebytes found a number of problems, and folks on other threads have related similar experiences.  That's all a bit off-topic for this thread, of course, but I would like to know what folks are using and if anything has successfully stopped siszyd32 and sr882388 from installing in the first place.

Jim

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8798
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #22 on: January 05, 2010, 09:31:12 PM »
It would help if you showed your system specifications as to CPU type and speed plus amount of RAM installed.

The best combo is avast! and Malwarbytes' Anti-Malware (MBAM).

The infection siszyd32 is a bit of a nasty one right now and may take the likes of essexboy or oldman to help remove but SP3 should be installed eventually.


E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

Offline gitarslinger

  • Jr. Member
  • **
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #23 on: January 05, 2010, 09:54:43 PM »
YoKenny,

The system's on the older side.  Processor is an AMD Athlon "XP Processer" running at 3200 (2.2GHz).  512 MB RAM.  WinXP SP2, as you know.  Anything else you need?

I posted on a thread where essexboy was deeply involved, and had hoped to attract his attention to this thread by posting a link to it.  Perhaps a direct appeal is in order.

Jim

Offline gitarslinger

  • Jr. Member
  • **
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #24 on: January 05, 2010, 10:33:00 PM »
In case essexboy stops in, I've gone ahead and run OTS according to his specs as posted in another forum.  The resulting log file is posted here:  http://www.mediafire.com/?jzkmjjywojo

Jim

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35951
  • Dragons by Sasha
    • Malware fixes
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #25 on: January 05, 2010, 10:43:30 PM »
Here you go lets try this, I will attempt to remove the hidden spawner first time around - if that fails then CF should get it

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]
[Unregister Dlls]
[Registry - Safe List]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{c4ffb535-f79e-11dd-a3d1-000ea6261df6} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4ffb535-f79e-11dd-a3d1-000ea6261df6}\Shell\Shell00\Command ->
YY -> \{c4ffb535-f79e-11dd-a3d1-000ea6261df6}\Shell\Shell00\Command\\"" -> K:\Start.exe [K:\Start.exe]
[Files/Folders - Created Within 30 Days]
NY ->  4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  qawin32.INI -> C:\WINDOWS\qawin32.INI
NY ->  buoraeym.sys -> C:\WINDOWS\System32\drivers\buoraeym.sys
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
NY ->  nvDrv.sy -> C:\WINDOWS\nvDrv.sy
NY ->  45 C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp
NY ->  45 C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp
NY ->  4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files - No Company Name]
NY ->  qawin32.INI -> C:\WINDOWS\qawin32.INI
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
NY ->  nvDrv.sy -> C:\WINDOWS\nvDrv.sy
NY ->  buoraeym.sys -> C:\WINDOWS\System32\drivers\buoraeym.sys
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Offline gitarslinger

  • Jr. Member
  • **
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #26 on: January 06, 2010, 12:57:46 AM »
I've run the fix, and the new OTS scan per your original specs.  The fix hit an exception error "no disk" almost immediately with the K: drive reference.  This is one of those HP MediaCenter computers, and the K: drive is one of a handful of drive-bays in the front of the computer intended for memory cards.  I'm not sure I've ever used it, hence I'm a bit confused about the reference to K:\startup.exe!

I wasn't sure if you wanted the new logs posted here or on mediafire, so I did both.  Mediafire links are http://www.mediafire.com/?olm2yxkmkyt for the fix log and http://www.mediafire.com/?dfuzwzomwgo for the new scan log.

Off to download Combofix.  Thanks very much for digging into this.

Jim

Offline gitarslinger

  • Jr. Member
  • **
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #27 on: January 06, 2010, 01:35:05 AM »
Combofix ran *almost* without problems.  On reboot, trendmicro, although supposedly disabled by combofix, managed to block PV.cfxxe.  When it became apparent Combifix was going to keep trying, I exited TM, after which the process concluded successfully.  I noticed, watching CF work, that it managed to delete buoraeym.sys and a couple of other things, although I don't see that in the log.

The log was too long to include in the message.  It is attached.

Jim
« Last Edit: January 06, 2010, 01:38:39 AM by gitarslinger »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35951
  • Dragons by Sasha
    • Malware fixes
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #28 on: January 06, 2010, 09:31:02 PM »
That file still appears to be there So I will use a different tool to try and kill it

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window:
  • Click Start to begin the update
Note: If you recieve an error message, chose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with Malware removal mode enabled " check box.

  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.
When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis " check box.

  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post or upload to mediafire


Offline gitarslinger

  • Jr. Member
  • **
  • Posts: 69
Re: Need Help removing siszyd32.exe and sr882388.exe et al
« Reply #29 on: January 07, 2010, 12:34:54 AM »
Watching it run, it doesn't seem to have found anything.  Please have a look.  Meanwhile, I ran it with trendmicro running, and perhaps shouldn't have.  I'll run it again with tm disabled while I'm waiting to hear from you.  If anything comes out differently, I'll post new logs.

Files are on mediafire at http://www.mediafire.com/?m2qmjmmyimh and http://www.mediafire.com/?jnkky2gunnz

Jim