another siszyd32.exe

Hello,

Kaspersky sees that I have siszyd32.exe at startup and ask me if I want to remove it. I say yes and it restart to wipe the thing out, but siszyd is still here. Only when I’m connected though. It seems not to work and use 50% of my CPU when I’m not online…
Any solutions, please?

THanks in advance…

Hi mjolnirthor,

Thanks for creating a new thread, I have sent essexboy the link to the thread so he is aware of it.
When he is online, he should be able to help you.

-Scott-

Thanks a lot, Scott.
I’ve managed to erase siszyd32 using freefixer so it don’t autostart each time I start the computer.
The CPU usage don’t pass 50%.
How can I be sure there isn’t any traces of the rootkit elsewhere on my computer?

This would be better answered by essexboy, I’m no malware fighting expert…he is, and would be better at noticing any leftovers…

-Scott-

Thanks.
Let’s wait for the expert, then. :wink:

I would suggest a reboot and then run the same scan again to see if it has been regenerated as this seems to be what has been happening in other instances of this.

Other than that it is waiting for essexboy who has the tools and experience on how to use them and interpret the results to help.

Hi lets have quick shufti to see if there are any remnants - you may not have the tdl rootkit

To ensure that I get all the information this log will need to be uploaded to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[]Under Additional Scans check the following:
[
]File - Lop Check
[]File - Purity Scan
[
]Evnt - EvtViewer (last 10)
[*]Under custom scans copy and paste the following

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
%systemroot%*. /mp /s
c:$recycle.bin*.* /s
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Thanks a lot.

Here’s my OTS text:
http://www.mediafire.com/?t2lggommjzt

OK this should kill the respawners

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  ltzqkan.sys -> C:\WINDOWS\System32\drivers\ltzqkan.sys
NY ->  A552F140928961E0.job -> C:\WINDOWS\tasks\A552F140928961E0.job
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
NY ->  avdrn.dat -> C:\Documents and Settings\Laurent Queyssi\Application Data\avdrn.dat
[Files - No Company Name]
NY ->  nidojzq.ini -> C:\WINDOWS\nidojzq.ini
NY ->  lydnofz.ini -> C:\WINDOWS\lydnofz.ini
[File - Lop Check]
NY ->  A552F140928961E0.job -> C:\WINDOWS\Tasks\A552F140928961E0.job
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

THEN

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[
]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks once again for your help, essexboy, that’s very nice of you.

Here are the three logs.
http://www.mediafire.com/?hhfdnmbwciw
http://www.mediafire.com/?0wkjmntintw
http://www.mediafire.com/?zmoeyamaofu

OTS has restarted the computer after the fix.

Then I’ve ran Mbam two times and each time, it detects C:\WINDOWS\system32\drivers\ltzqkan.sys (Rootkit.Agent)
but can’t erase it.

Freefixer couldn’t erase ltzqan.sys also.
Is this a rootkit or juste a remnant of the trojan?

I’ve noticed that my computer is very slow today. And it seems my antivirus is using 50% of the CPU usage most of the times. Is there a link with my problem?

No it needs a stronger tool to kill this rootkit. Normally I would use combofix to kill this but it is currently pulled so we will have to do it the old fashioned way

  1. Please download The Avenger2 by Swandog46 to your Desktop.
    [*]Right click on the Avenger.zip folder and select “Extract All…”
    [*] Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:

Files to delete:
c:\windows\system32\drivers\ltzqkan.sysl


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Now, open the avenger folder and start The Avenger program by clicking on its icon.

[*] Right click on the window under Input script here:, and select Paste.
[*] You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.

  1. The Avenger will automatically do the following:
    [*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete” or “Drivers to Disable”, The Avenger will actually restart your system twice.)
    [*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  2. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

Things don’t seem to have change…

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP


Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: could not open file “c:\windows\system32\drivers\ltzqkan.sysl”
Deletion of file “c:\windows\system32\drivers\ltzqkan.sysl” failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)

Completed script processing.


Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 23:03:20, on 17/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Laurent Queyssi\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.fr/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fr/0SEFRFR/SAOS02
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.cegetel.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.115.130.23:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM..\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”
O4 - HKLM..\Run: [ISUSPM Startup] “C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe” -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM..\Run: [ISUSPM] “C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe” -scheduler
O4 - HKLM..\Run: [AVP] “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Ajouter à Kaspersky Anti-Bannière - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Statistiques de la protection du trafic Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

OK that is one deep rootkit _ don’t know why I asked for a HJT log as that shows nothing - I must remove that from my responses

Download avz4.zip from here

[*]Unzip it to your desktop to a folder named avz4
[*]Double click on AVZ.exe to run it.
[*]Run an update by clicking the Auto Update button on the Right of the Log window:
http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-update-button.png

[*]Click Start to begin the update
Note: If you recieve an error message, chose a different source, then click Start again

[*] Start AVZ.

[*] Choose from the menu “File” => "Standard scripts " and mark the "Advanced System Analysis with Malware removal mode enabled " check box.

http://perplexus.geekstogo.com/avz-standardscripts-asa-removal.png

[*] Click on the “Execute selected scripts”.
[*] Automatic scanning, healing and system check will be executed.
[*] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[
] All applications will work properly after the system restart.

When restarted

[*] Start AVZ.

[*] Choose from the menu “File” => "Standard scripts " and mark the “Advanced System Analysis " check box.

http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-standardscripts.png

[*] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Upload both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

No changes.

here are my reports

http://www.mediafire.com/?ylmyiu4nagd

http://www.mediafire.com/?yhinnm2z22b

One question:

Is it safe for me to surf the net? Is the rootkit active or does it just mess up with my anti-virus?

I’d be inclined to not surf the net, nor do anything else with the affected computer while a fix is underway. That would probably be the safer option.
Essexboy could advise more authoritatively when he’s back.


I suggest that you download FreeFixer from the below link.

How to remove siszyd32.exe with Freefixer:

  1. Download and install FreeFixer: http://www.freefixer.com/download.html
    Freefixer is freeware, so it will not cost you anything.

  2. Start FreeFixer and click “Scan”. The will scan finish in approximately 5 minutes.

  3. In the Scan result, scroll down to “Autostart shortcuts”. Locate the siszyd32.exe item and check its “Delete” checkbox. DO NOT check anything else for removal, unless you 100% it’s malware.

  4. Click “Fix”.

  5. Restart your machine.

  6. Start FreeFixer and scan your computer again.

  7. Verify that siszyd32.exe no longer appear anywhere in the scan result.

  8. Done.

Did that completely remove siszyd32.exe from your machine?

siszyd32.exe is part of Troj/Agent-LVN as documented over at Sophos:
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentlvn.html

Please let us know the results.


I doubt freefixer will kill it as it is a rootkit

AVZ FIX

[*] Double click on AVZ.exe
[*] Click File > Custom scripts
[*] Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
SetAVZPMStatus(True);
 BC_DeleteFile('C:\WINDOWS\system32\Drivers\ltzqkan.sys');
 DeleteFile('C:\WINDOWS\system32\Drivers\ltzqkan.sys');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[*] Note: When you run the script, your PC will be restarted
[*] Click Run
[*] Restart your PC if it doesn't do it automatically.

On completion re-run MBAM

MBAM tells me that the rootkit is still here… :cry: