Since 24.12.2009 I have been struggling with a slow internet connection, blue screens and program aborts.
I also needed to reinstall Firefox, because the firefox.exe suddenly wasn't there anymore.
I did a mix of Windows updates (.NET Framework) and installed numerous tools like AVG, a-squared and MS Process Monitor.
The tools found some files (*.exe, *.exe in ZIPs) which I hadn't started for a long time and which weren't referenced
in the registry, but my original problem still existed.
One of the more interesting finds was the siszyd32.exe and ~tmp-something files.
In MS Process Monitor I saw SMTP connections from a lot of different services, even from the Idle task.
The first thing I did - after not finding the source of the problem - was to use the Windows IPsec filter to block outbound port 25 calls.
My internet access was still slow; although I haven't checked explicitly for it, it seemed that the process did a lot of SYN calls - shown via "netstat -an".
So today I tried Sophos, which couldn't check a .sys file in windows/system32/drivers called jrgpijz.sys, and HijackThis also had problems opening it.
After not finding anything about a file with this name on Google, I thought it must be a malicious autogenerated file.
I tried to start Windows in safe mode with the network drivers or the command shell, but that resulted in a blue screen with an IRQ(L?) exception.
On one of the (normal) reboots, I tried to delete the file from a command prompt and saw that it gets rewritten (first 0 bytes, then either 704.512 or 702.512 bytes).
So I read a bit more about the ComboFix solution in the other subforum and created that cfscript.txt,
which finally removed the service registry entry and the .sys file.
After a chat with a friend we discovered that we were infected in parallel with the same stuff -
his .sys file was called jikztvm.sys (maybe a j*.sys pattern???) and he also got that siszyd32.exe dropped in his autostart.
He told me he uploaded it and
now AntiVir knows that trojan as Agent.aagq -
looks like a derivative of an existing version. He got rid of it using a Linux partition.
Although I don't see any port-25 accesses anymore, I still have the feeling that something is not right:
- i.e. the Process Monitor tool has a GUI problem and can't display the finds anymore;
- I got a blue screen with an "mbr.sys" error after the deletion of that .sys file and a restart ... I'm not sure anymore if I ran combofix.exe /u without restarting before that blue screen though
(System-Ver: Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2046.1370 with no MS updates to be added)
I googled a bit about that rootkit, but didn't find anything about the way of infection.
Of course I'm practicing most of the safe internet practices, and
my friend is even more rigorous about that. It's just noticeable that users (maybe another friend too) with different kinds of
usage behaviour suffer the same problem simultaneously. The only contact we had in the last few days was via ICQ and non-HTML emails via Thunderbird.
*EDIT* OK, I've tried to execute RootRepeal, but it crashes when launched from the Desktop. Then I started Dr.Web, which found another threat (sendstatus.exe, userreg.exe).
Restarted - but RootRepeal still crashes */EDIT*
- Is the rootkit related to the siszyd32.exe dropper?
*EDIT* After browsing a bit more, it seems that more people here have the same problem - at least this post sounds familiar. Another post
- Do you know where it comes from and how the infection takes place?
*EDIT* Found a bit more information here and here
- Is it known for infecting other system files, e.g. mbr.sys?
Thanks for the help,
Edited by kiwiwings, 28 December 2009 - 05:57 AM.
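The poster spotted the spambot behaviour by eyeballing "netstat -an" for SYN calls to port 25. The script below is an added example (not from the poster, ComboFix or any of the tools named above) that automates that check: it parses Windows "netstat -an" output and flags the pattern a mail-sending bot leaves behind, many half-open (SYN_SENT) TCP connections to port 25 on many different remote hosts, which an ordinary mail client that talks to one or two SMTP servers never produces. The netstat sample embedded in the script is constructed with RFC 5737 documentation addresses, not captured from anyone's machine; the threshold of three hosts is an assumption chosen for the example.

```python
import re
import sys
from collections import Counter

# Constructed sample of Windows "netstat -an" output (documentation IP ranges,
# not a real capture). Four SYN_SENT connections to port 25 on four hosts.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1041       203.0.113.7:25         SYN_SENT
  TCP    192.168.1.5:1042       203.0.113.8:25         SYN_SENT
  TCP    192.168.1.5:1043       198.51.100.3:25        SYN_SENT
  TCP    192.168.1.5:1044       198.51.100.4:25        ESTABLISHED
  TCP    192.168.1.5:1045       198.51.100.9:80        ESTABLISHED
  TCP    192.168.1.5:1046       203.0.113.20:25        SYN_SENT
  UDP    0.0.0.0:445            *:*
"""

# One connection line: proto, local endpoint, remote endpoint, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Parse netstat -an output into a list of connection dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        # Remote port follows the last ':' (also handles "[::1]:25" and the UDP "*:*" form).
        rport_str = remote.rsplit(":", 1)[-1]
        rport = int(rport_str) if rport_str.isdigit() else None
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "rport": rport, "state": state or ""})
    return rows


def smtp_syn_summary(rows, port=25, threshold=3):
    """Count half-open TCP connections to `port` and how many distinct hosts they target.

    A spambot fans out to many mail exchangers at once, so many SYN_SENT entries
    spread over many remote hosts is the signal; `threshold` (assumed value) is the
    minimum of both counts before the summary is marked suspicious.
    """
    syn = [r for r in rows
           if r["proto"] == "TCP" and r["rport"] == port and r["state"] == "SYN_SENT"]
    hosts = Counter(r["remote"].rsplit(":", 1)[0] for r in syn)
    return {
        "syn_sent": len(syn),
        "distinct_hosts": len(hosts),
        "suspicious": len(syn) >= threshold and len(hosts) >= threshold,
        "hosts": hosts,
    }


if __name__ == "__main__":
    # Pipe real output in with:  netstat -an | python this_script.py
    # Without piped input the constructed sample is analysed instead.
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    summary = smtp_syn_summary(parse_netstat(text))
    print("SYN_SENT to port 25: %d connections, %d distinct hosts"
          % (summary["syn_sent"], summary["distinct_hosts"]))
    for host, n in summary["hosts"].most_common():
        print("  %-16s %d" % (host, n))
    print("suspicious:", summary["suspicious"])
```

On Windows XP the same data with the owning process ID is available from "netstat -ano"; the parser above ignores any trailing column, so piping that output in works too and the PID column can then be matched against Process Monitor by hand.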