got siszyd32, have no idea what to do, please help

I’m totally new to having a virus, and while I’m not terrible with computers I’m not good with them either. I have Avast Anti-virus, and today it told me that it found a virus and recommended I move it to the chest. I attempted to do so, but my computer tried to start running something that I hadn’t clicked, and it persisted, so I kind of freaked out and turned the computer off.

After I turned it on I noticed that My Documents kept opening periodically for no reason. Even if it was already open, after a period of time another would open up.

I did some research, found some info, looked into my computer’s files, and turns out I’ve got this siszyd32 thing, which is apparently darn near impossible to get rid of.

I hope my computer doesn’t have any other viruses on it. I did a scan and Avast said I was cool, but then again it didn’t pick up siszyd32.

But yeah, I have a laptop, using Windows Vista.

I really have no idea what to do, any help would be much appreciated.

Hi Shawn,

Welcome to the avast forum,

Anyway, don’t panic. Based on your information, your notebook is infected with the Trojan: siszyd32

This is the source information that you need: http://htlogs.com/what-is-siszyd32-exe-how-to-remove-siszyd32-exe/

And please follow these steps: http://forum.avast.com/index.php?topic=52134.0

Hope you can recover from this attack

thanks for pointing me in the right direction. I’m still not really sure what to do though.

I seem to have found the siszyd32 file in the startup folder after a lot of navigation. Though from what I’ve read it seems deleting this is not the end? Should I delete it? eh.

update: okay, so I deleted the siszyd32 file from the startup folder. Everything SEEMS to be going okay. My Documents has stopped opening at random times. But I’m still uneasy. I don’t want this thing on my computer.

correction: The My Documents issue has returned.

Hi Shawn,

At my referenced link, there are some steps from essexboy to follow.
Have you tried them?

Well, it seems like each of his steps are specifically catered to one person or another. I’ve requested that he check out my case in particular, like some other people have done.

Hi, the initial analysis step is the same - the fixing will vary.

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:
  - Reg - Shell Spawning
  - File - Lop Check
  - File - Purity Scan
  - Evnt - EvtViewer (last 10)
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
- Click Add Reply
- Under the reply panel is the Attachments Panel
- Browse for the attachment file you want to upload, then click the green Upload button
- Once it has uploaded, click the Manage Current Attachments drop down box
- Click on the icon (http://www.geekstogo.com/forum/style_images/11168623649/folder_attach_images/attach_add.png) to insert the attachment into your post

Thanks for responding. Here’s hoping I did all that stuff right.

A 64bit system I am surprised that the malware worked. I have few tools that work on 64 bit but this is one of them ;D

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_USERS\S-1-5-21-3947582213-1791406327-2745404233-1000\] > -> HKEY_USERS\S-1-5-21-3947582213-1791406327-2745404233-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Csugedapesa" -> [rundll32.exe "C:\Users\Johnny Dorel Bud\AppData\Local\ihomaqud.dll",Startup]
YN -> "Ncowi" -> [rundll32.exe "C:\Users\Johnny Dorel Bud\AppData\Local\crkbods.dll",Startup]
[Files/Folders - Modified Within 30 Days]
NY ->  fvgqad.dat -> C:\Users\Johnny Dorel Bud\AppData\Roaming\fvgqad.dat
NY ->  avdrn.dat -> C:\Users\Johnny Dorel Bud\AppData\Roaming\avdrn.dat
NY ->  4 C:\Users\Johnny Dorel Bud\AppData\Local\Temp\Low\Google Toolbar\*.tmp files -> C:\Users\Johnny Dorel Bud\AppData\Local\Temp\Low\Google Toolbar\*.tmp
NY ->  223 C:\Users\Johnny Dorel Bud\AppData\Local\Temp\*.tmp files -> C:\Users\Johnny Dorel Bud\AppData\Local\Temp\*.tmp
NY ->  223 C:\Users\Johnny Dorel Bud\AppData\Local\Temp\*.tmp files -> C:\Users\Johnny Dorel Bud\AppData\Local\Temp\*.tmp
NY ->  223 C:\Users\Johnny Dorel Bud\AppData\Local\Temp\*.tmp files -> C:\Users\Johnny Dorel Bud\AppData\Local\Temp\*.tmp
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Malwarebytes’ Anti-Malware
Please download Malwarebytes’ Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
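The fix posted above removes two per-user Run values that start rundll32.exe with a DLL under AppData\Local. As an added example (not part of the original posts, and not how OTS itself works), this Python check flags that pattern in a set of Run values; the function name and the sample entries are constructed for illustration.

```python
import re

# Path fragments that any standard user can write to (assumed list, extend as needed).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "%appdata%", "%localappdata%", "%temp%")

# rundll32[.exe] <dll>,<export>  with optional quotes and an optional path to rundll32.
RUNDLL = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,\s*(\S+)',
    re.IGNORECASE,
)

def flag_rundll32_autoruns(run_values):
    """Return (value name, dll path, export) for Run values that use
    rundll32 to load a DLL from a user-writable directory."""
    findings = []
    for name, command in run_values.items():
        match = RUNDLL.match(command)
        if not match:
            continue  # not a rundll32 launcher, out of scope for this check
        dll, export = match.group(1).strip(), match.group(2)
        if any(marker in dll.lower() for marker in USER_WRITABLE):
            findings.append((name, dll, export))
    return findings

# Constructed sample data in the same shape as the entries in the fix above.
SAMPLE_RUN_VALUES = {
    "Xkplo": r'rundll32.exe "C:\Users\alice\AppData\Local\qwxzt.dll",Startup',
    "Touchpad": r'C:\Windows\System32\rundll32.exe C:\Windows\System32\tpdrv.dll,Init',
    "Updater": r'"C:\Program Files\Vendor\update.exe" /background',
}

if __name__ == "__main__":
    for name, dll, export in flag_rundll32_autoruns(SAMPLE_RUN_VALUES):
        print(f"review: {name} -> {dll} (export {export})")
```

On a live system the input would be the name/data pairs of the user's `Software\Microsoft\Windows\CurrentVersion\Run` key; a hit is a reason to inspect the DLL, not proof of infection.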

Okay, here’s the OTS info following the fix.

I’m gonna run the malwarebytes stuff now.

Ta

okay, here goes:

Malwarebytes’ Anti-Malware 1.44
Database version: 3521
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

1/8/2010 3:54:35 PM
mbam-log-2010-01-08 (15-54-35).txt

Scan type: Quick Scan
Objects scanned: 91713
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

No problems really. OTS did freeze up the first time I ran the fix, but I turned it off and ran it again with no issues.

Computer seems to be fine.

Thanks a lot for the help man, you’re my hero.

No problem, run it for 24 hours to see if any problems return. To remove the tools, run OTS and hit the clean up button and all should vanish ;D - and clear your restore points

VISTA
To manually create a new Restore Point
- Go to Control Panel and select System and Maintenance
- Select System
- On the left select Advanced System Settings and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones

- Go back to the System and Maintenance page
- Select Performance Information and Tools
- On the left select Open Disk Cleanup
- Select Files from all users and accept the warning if you get one
- In the drop down box select your main drive i.e. C
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
You are now done

Alright, did all that, everything seems good to go. I’ll let you know if any more problems arise.

Thanks again.

My pleasure