Kaspersky sees that I have siszyd32.exe at startup and asks me if I want to remove it. I say yes and it restarts to wipe the thing out, but siszyd is still here. Only when I’m connected though. It seems not to work and uses 50% of my CPU when I’m not online…
Any solutions, please?
Thanks a lot, Scott.
I’ve managed to erase siszyd32 using freefixer so it doesn’t autostart each time I start the computer.
The CPU usage doesn’t pass 50%.
How can I be sure there aren’t any traces of the rootkit elsewhere on my computer?
I would suggest a reboot and then run the same scan again to see if it has been regenerated as this seems to be what has been happening in other instances of this.
Other than that it is waiting for essexboy who has the tools and experience on how to use them and interpret the results to help.
[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
[*]File - Lop Check
[*]File - Purity Scan
[*]Evnt - EvtViewer (last 10)
[*]Under custom scans copy and paste the following
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
CREATERESTOREPOINT
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
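The /md5start … /md5stop section of the custom scan above hashes a fixed list of system DLLs and storage drivers, because rootkits of this era patch a legitimate driver in place rather than dropping a new file. The following is an added example, not part of the thread and not OTS's own code: it computes the same MD5 over that driver list, compares each file against a known-good baseline, and reports files that are modified, absent (normal for vendor drivers that were never installed) or present without a baseline entry. The driver names come from the scan block; the directory, the baseline hashes and the file contents in demo() are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Driver and DLL names taken from the OTS /md5start ... /md5stop block in the thread.
DRIVER_NAMES = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
    "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys", "ViPrt.sys",
]


def file_md5(path):
    """MD5 of a file, read in chunks so large drivers do not load fully into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(driver_dir, baseline, names=DRIVER_NAMES):
    """Return {name: status} for every name in the list.

    'ok'          hash matches the known-good baseline
    'modified'    file present but hash differs (candidate for a patched driver)
    'missing'     file absent; expected for vendor drivers that were never installed
    'no-baseline' file present but no known-good hash to compare it against
    """
    results = {}
    for name in names:
        p = Path(driver_dir) / name
        if not p.is_file():
            results[name] = "missing"
            continue
        digest = file_md5(p)
        if name not in baseline:
            results[name] = "no-baseline"
        elif digest == baseline[name]:
            results[name] = "ok"
        else:
            results[name] = "modified"
    return results


def flagged(results):
    """Names a human should look at: modified files and files with no baseline."""
    return sorted(n for n, s in results.items() if s in ("modified", "no-baseline"))


def demo():
    """Constructed sample: a temporary 'drivers' folder with one clean file,
    one altered file and one file that has no baseline entry."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_atapi = b"CLEAN-ATAPI-DRIVER-BYTES (constructed)"
        clean_iastor = b"CLEAN-IASTOR-DRIVER-BYTES (constructed)"
        # atapi.sys on disk differs from the baseline: a trailing patch is appended.
        (Path(tmp) / "atapi.sys").write_bytes(clean_atapi + b"\x00PATCHED")
        (Path(tmp) / "iaStor.sys").write_bytes(clean_iastor)
        (Path(tmp) / "nvstor.sys").write_bytes(b"nvstor bytes (constructed)")
        baseline = {  # constructed known-good hashes
            "atapi.sys": hashlib.md5(clean_atapi).hexdigest(),
            "iaStor.sys": hashlib.md5(clean_iastor).hexdigest(),
        }
        return check_drivers(tmp, baseline)


if __name__ == "__main__":
    r = demo()
    for name in flagged(r):
        print(f"{name}: {r[name]}")
```

In practice the baseline would be built from the hashes a clean install or the vendor catalog reports for the exact Windows version and service pack; a "modified" result on a boot-critical driver such as atapi.sys or iaStor.sys is exactly the finding the helper is looking for in the OTS log.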
Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY -> ltzqkan.sys -> C:\WINDOWS\System32\drivers\ltzqkan.sys
NY -> A552F140928961E0.job -> C:\WINDOWS\tasks\A552F140928961E0.job
NY -> fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
NY -> avdrn.dat -> C:\Documents and Settings\Laurent Queyssi\Application Data\avdrn.dat
[Files - No Company Name]
NY -> nidojzq.ini -> C:\WINDOWS\nidojzq.ini
NY -> lydnofz.ini -> C:\WINDOWS\lydnofz.ini
[File - Lop Check]
NY -> A552F140928961E0.job -> C:\WINDOWS\Tasks\A552F140928961E0.job
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Freefixer couldn’t erase ltzqan.sys also.
Is this a rootkit or just a remnant of the trojan?
I’ve noticed that my computer is very slow today. And it seems my antivirus is using 50% of the CPU usage most of the time. Is there a link with my problem?
No, it needs a stronger tool to kill this rootkit. Normally I would use combofix to kill this but it is currently pulled, so we will have to do it the old-fashioned way.
Please download The Avenger2 by Swandog46 to your Desktop.
[*]Right click on the Avenger.zip folder and select “Extract All…”
[*] Follow the prompts and extract the avenger folder to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Files to delete:
c:\windows\system32\drivers\ltzqkan.sysl
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Now, open the avenger folder and start The Avenger program by clicking on its icon.
[*] Right click on the window under Input script here:, and select Paste.
[*] You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.
The Avenger will automatically do the following:
[*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete” or “Drivers to Disable”, The Avenger will actually restart your system twice.)
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
[*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log.
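The Avenger procedure above has two properties worth keeping in any removal script: it checks that each target can be opened before acting (its log below reports "could not open file" when the path does not exist), and it backs up everything it deletes into C:\avenger\backup.zip so a mistaken removal can be undone. The block below is an added example, not Avenger's own code and not part of the thread: a user-mode quarantine routine that verifies the path, archives the file with its SHA-256 into a zip plus a JSON manifest, and only then deletes it. The demo() paths and file contents are constructed; note that the second target uses the mistyped ".sysl" name from the script above, which is why it comes back as not found. Being user-mode, this cannot remove a driver that a running rootkit is protecting, which is the reason the thread relies on a tool that acts at reboot.

```python
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(targets, backup_dir):
    """Back up and then delete each target path.

    Each file is archived into backup_dir/backup.zip under a hash-prefixed name,
    recorded in backup_dir/manifest.json with its original location and SHA-256,
    and deleted only after the archive write succeeded. Returns one result dict
    per target with status 'deleted', 'not_found' or 'delete_failed'.
    """
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    zip_path = backup_dir / "backup.zip"
    manifest_path = backup_dir / "manifest.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else []
    results = []
    # Mode "a" creates the archive on first use and appends on later runs.
    with zipfile.ZipFile(zip_path, "a", compression=zipfile.ZIP_DEFLATED) as zf:
        for target in targets:
            p = Path(target)
            if not p.is_file():
                # Mirrors Avenger's "could not open file": nothing is deleted.
                results.append({"path": target, "status": "not_found"})
                continue
            digest = sha256_of(p)
            arcname = f"{digest[:16]}_{p.name}"
            zf.write(p, arcname)
            manifest.append({"original": str(p.resolve()),
                             "sha256": digest, "archived_as": arcname})
            try:
                p.unlink()
                results.append({"path": target, "status": "deleted", "sha256": digest})
            except OSError as exc:
                # A locked or protected file: the backup exists, the original remains.
                results.append({"path": target, "status": "delete_failed",
                                "error": str(exc)})
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return results


def demo():
    """Constructed sample: one stand-in driver file plus the mistyped '.sysl' name."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp) / "drivers"
        drivers.mkdir()
        target = drivers / "ltzqkan.sys"
        target.write_bytes(b"constructed stand-in for the suspect driver")
        backup = Path(tmp) / "avenger_backup"
        results = quarantine([str(target), str(drivers / "ltzqkan.sysl")], backup)
        with zipfile.ZipFile(backup / "backup.zip") as zf:
            archived = zf.namelist()
        return results, archived, target.exists()


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The manifest is what makes the quarantine reversible: the archived name carries the hash, the manifest carries the original path, so a file that turns out to be legitimate can be put back exactly where it was.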
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: could not open file “c:\windows\system32\drivers\ltzqkan.sysl”
Deletion of file “c:\windows\system32\drivers\ltzqkan.sysl” failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)
Completed script processing.
Finished! Terminate.
Logfile of HijackThis v1.99.1
Scan saved at 23:03:20, on 17/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
[*] Click on the “Execute selected scripts”.
[*] Automatic scanning, healing and system check will be executed.
[*] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[*] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[*] All applications will work properly after the system restart.
When restarted
[*] Start AVZ.
[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis” check box.
[*] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Upload both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post.
I’d be inclined to not surf the net, nor do anything else with the affected computer while a fix is underway. That would probably be the safer option.
Essexboy could advise more authoritatively when he’s back.
Start FreeFixer and click “Scan”. The scan will finish in approximately 5 minutes.
In the Scan result, scroll down to “Autostart shortcuts”. Locate the siszyd32.exe item and check its “Delete” checkbox. DO NOT check anything else for removal, unless you are 100% sure it’s malware.
Click “Fix”.
Restart your machine.
Start FreeFixer and scan your computer again.
Verify that siszyd32.exe no longer appears anywhere in the scan result.
Done.
Did that completely remove siszyd32.exe from your machine?
[*] Double click on AVZ.exe
[*] Click File > Custom scripts
[*] Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end)