
possible siszyd32.exe infection


9 replies to this topic

#1 phoinix

phoinix

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 29 December 2009 - 06:09 PM

Hello!

First post here and I'm already asking for help :thumbsup: I think my computer is infected with siszyd32. The problems started when my computer got slowed down to a crawl by svchost. Either both cores would be at 50% for no reason or one of them would reach 100%. So I searched the internet and, after a false alert about a bug in the Windows process itself, I found out about the annoying thing called siszyd32.exe. In Process Explorer I found that process as the parent process of the svchost that consumed my CPU.

Microsoft Essentials detected the virus and prompted me to quarantine it. Instead I chose to remove it. The operation was successful and, on top of that, I disabled the siszyd32.exe process from starting up, using CCleaner. To my disappointment, after rebooting the PC, I found out that svchost was still eating away my CPU. Microsoft Essentials found some more viruses (probably just got off the internet with help from siszyd32) that I cleared. I ran Malwarebytes Anti-Malware and fixed all problems that occurred. It seems that the problem is no more, at least for now, but I'm sure that the virus is still somewhere on the PC, as it still appears on the startup list in CCleaner and I'm unable to remove it (it is just disabled).

I searched for a solution but it seems that there is no standard way of dealing with this, so better safe (asking the experts) than sorry (trying a solution tailored to another guy).

I have Windows Vista 32-bit SP2. Any help is greatly appreciated as I have precious work on my laptop.
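The indicator described in the post above (an svchost.exe whose parent is something other than services.exe) is one a defender can check for mechanically. The script below is an added example, not code from the thread or from any tool it names: it runs over a constructed process snapshot of (pid, ppid, name) tuples, so it works offline, and flags every svchost.exe whose parent is not services.exe, including the case where the parent has already exited and is missing from the snapshot.

```python
"""Flag svchost.exe instances whose parent is not services.exe.

Added example (not from the BleepingComputer thread). It works on a
constructed process snapshot rather than a live system; on a real
machine you would feed it the pid/ppid/name columns from Process
Explorer, tasklist, or any process-enumeration API.
"""
from typing import Dict, List, NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str


# The only legitimate parent of svchost.exe on Windows is the Service
# Control Manager, services.exe.
EXPECTED_SVCHOST_PARENT = "services.exe"


def find_unexpected_svchost(snapshot: List[Proc]) -> List[dict]:
    """Return one finding per svchost.exe whose parent is not services.exe.

    A parent that is missing from the snapshot (already exited, or hidden)
    is reported with parent 'unknown' rather than silently passing.
    """
    by_pid: Dict[int, Proc] = {p.pid: p for p in snapshot}
    findings = []
    for p in snapshot:
        if p.name.lower() != "svchost.exe":
            continue
        parent: Optional[Proc] = by_pid.get(p.ppid)
        parent_name = parent.name if parent else "unknown"
        if parent_name.lower() != EXPECTED_SVCHOST_PARENT:
            findings.append({"pid": p.pid, "ppid": p.ppid, "parent": parent_name})
    return findings


# Constructed snapshot modelled on what the original poster described:
# one svchost.exe spawned by siszyd32.exe instead of services.exe.
# All pids here are made up.
SAMPLE_SNAPSHOT = [
    Proc(4, 0, "System"),
    Proc(500, 4, "smss.exe"),
    Proc(600, 500, "wininit.exe"),
    Proc(640, 600, "services.exe"),
    Proc(800, 640, "svchost.exe"),     # legitimate
    Proc(850, 640, "svchost.exe"),     # legitimate
    Proc(1900, 1200, "explorer.exe"),
    Proc(2100, 1900, "siszyd32.exe"),
    Proc(2932, 2100, "svchost.exe"),   # parented by the dropper
    Proc(3000, 9999, "svchost.exe"),   # parent no longer in snapshot
]


if __name__ == "__main__":
    for f in find_unexpected_svchost(SAMPLE_SNAPSHOT):
        print(f"svchost.exe pid={f['pid']} parent={f['parent']} (ppid={f['ppid']})")
```

The check is deliberately strict about the missing-parent case: an svchost.exe whose parent cannot be found deserves a look rather than a pass, because droppers often exit as soon as the child is running.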


#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:45 PM

Posted 29 December 2009 - 09:36 PM

Hello and welcome to Bleeping Computer. My name is Computer Pro and I will be helping you with your issues.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Finally, press submit.


Can you please tell me what all Microsoft Security Essentials has found? It can be found under the "History" tab in the program.
Computer Pro

#3 phoinix

phoinix
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 30 December 2009 - 06:24 AM

It has found:

TrojanDownloader: Win32/Bredolab.AA
TrojanDownloader: Win32/Waledac.C

Bredolab was already running when essentials found it, as on the Items line, it mentions process:pid:2932. The other one was found on a disk path (C:\Users\[username]\AppData\Local\Temp\~TM24E7.tmp)

Edited by phoinix, 30 December 2009 - 06:28 AM.


#4 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:45 PM

Posted 30 December 2009 - 02:57 PM

Let's run ESET:

Ok, please follow the instructions here for running the ESET online scanner:

Please perform a scan with ESET Online Scanner
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.
Vista users, be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use

Now click Start.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab).
Answer Yes to install and download the ActiveX controls that allow the scan to run.

Click Start. (The Online Scanner will now prepare itself to run on your PC.)

To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
Press Scan to start the online scan. (this could take some time to complete)
When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.

Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt

The scan results will open in Notepad.

Copy and paste the log results in your next reply.


Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
Computer Pro

#5 phoinix

phoinix
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 30 December 2009 - 06:51 PM

Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=23f1cc93afc6724892859bfa55cd1fd6
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-12-30 10:16:39
# local_time=2009-12-31 12:16:39 )
# country="Greece"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776894 100 100 1144499 99738636 0 0
# compatibility_mode=8192 67108863 100 0 3838 3838 0 0
# scanned=203835
# found=4
# cleaned=4
# scan_time=5532
C:\Users\Σωτήρης\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3BJW26QZ\myss_1021_upd[1].exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Σωτήρης\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K4KAMZ2D\silent_Adzgalore[1].exe Win32/Adware.BHO.NEB application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Σωτήρης\AppData\Local\Temp\~TM1C9B.tmp a variant of Win32/Kryptik.BOU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Σωτήρης\AppData\Local\Temp\~TM238E.tmp a variant of Win32/Kryptik.BOU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
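The log pasted above has a regular shape: `# key=value` header lines followed by one detection per line, `<path> <threat> (<action>) <hash> <flag>`. When helpers triage many of these, it pays to parse them rather than eyeball them. The following is an added example, not code from the thread or from ESET: it parses a constructed copy of the posted log (username replaced by a placeholder) and cross-checks the header's `found`/`cleaned` counts against the detection lines actually present. It assumes the file name after the last backslash contains no spaces, which is how the path is separated from the threat description.

```python
"""Parse an ESET Online Scanner log of the kind pasted in the thread.

Added example, not part of the original thread or of ESET's tooling.
Assumed format (taken from the posted log):
  - header lines:    '# key=value'  (a repeated key keeps its last value)
  - detection lines: <path> <threat description> (<action>) <32-hex> <flag>
Assumption: the file name after the last backslash has no spaces, so the
path ends at the first whitespace following the last backslash.
"""
import re
from typing import Dict, List

DETECTION_TAIL = re.compile(
    r"^(?P<body>.*)\s+\((?P<action>[^()]*)\)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)


def parse_eset_log(text: str) -> Dict[str, object]:
    """Split the log into a header dict and a list of detection dicts."""
    header: Dict[str, str] = {}
    detections: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_TAIL.match(line)
        if not m:
            continue  # banner lines such as the CAB hook log are ignored
        body = m.group("body")
        last_sep = body.rfind("\\")
        if last_sep == -1:
            continue  # no Windows path present; not a detection line we understand
        filename, _, threat = body[last_sep + 1:].partition(" ")
        detections.append({
            "path": body[:last_sep + 1] + filename,
            "threat": threat.strip(),
            "action": m.group("action"),
            "hash": m.group("hash"),
            "flag": m.group("flag"),
        })
    return {"header": header, "detections": detections}


def summarize(parsed: Dict[str, object]) -> Dict[str, object]:
    """Compare declared counts with what was actually listed."""
    header = parsed["header"]
    detections = parsed["detections"]
    found = int(header.get("found", -1))
    cleaned = int(header.get("cleaned", -1))
    return {
        "scanned": int(header.get("scanned", 0)),
        "found_declared": found,
        "found_parsed": len(detections),
        "counts_match": found == len(detections),
        "all_cleaned": cleaned == found,
        "threats": sorted({d["threat"] for d in detections}),
    }


# Constructed from the posted log; the real username is replaced by [username].
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=true
# scanned=203835
# found=4
# cleaned=4
C:\Users\[username]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3BJW26QZ\myss_1021_upd[1].exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\[username]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K4KAMZ2D\silent_Adzgalore[1].exe Win32/Adware.BHO.NEB application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\[username]\AppData\Local\Temp\~TM1C9B.tmp a variant of Win32/Kryptik.BOU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\[username]\AppData\Local\Temp\~TM238E.tmp a variant of Win32/Kryptik.BOU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

if __name__ == "__main__":
    parsed = parse_eset_log(SAMPLE_LOG)
    for d in parsed["detections"]:
        print(f"{d['threat']:45} {d['action']:30} {d['path']}")
    print(summarize(parsed))
```

The `counts_match` and `all_cleaned` flags are the useful bit for a helper: a log whose `found` exceeds the number of listed lines, or whose `cleaned` is lower than `found`, is a sign that something was detected but not removed and needs a follow-up rather than an all-clear.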

#6 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:45 PM

Posted 30 December 2009 - 06:53 PM

How are things now?
Computer Pro

#7 phoinix

phoinix
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 31 December 2009 - 04:03 AM

The computer seems clean. I haven't had any problems. I'm wondering where all these viruses come from, though.

#8 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:45 PM

Posted 31 December 2009 - 11:29 AM

Malware can come from a number of places. Downloads, webpages, File Sharing, and so on.

If everything is good then:

Create a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then use Disk Cleanup to remove all but the most recently created Restore Point.
Go to Start > Run and type: Cleanmgr
Click "Ok"
Disk Cleanup will scan your files for several minutes, then open.
Click the "More Options" Tab.
Click the "Clean up" button under System Restore.
Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
Click Yes, then click Ok.
Click Yes again when prompted with "Are you sure you want to perform these actions?"
Disk Cleanup will remove the files and close automatically.
Computer Pro

#9 phoinix

phoinix
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 31 December 2009 - 11:54 AM

Will do. Thanks for your help and Happy New Year :thumbsup:

#10 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:45 PM

Posted 31 December 2009 - 12:37 PM

Happy New Year to you also.
Computer Pro
