Need Help removing siszyd32.exe and sr882388.exe et al

I hit a bad link the other day, and Trendmicro Internet Security recognized but failed to quarantine the resulting trojan which it referred to as TROJ_BREDLAB.SME. Within seconds, “Sandboxie Start” (sr882388.exe) was trying to access the internet. I blocked it. The trojan and Sandboxie Start were both running in task manager processes, as was an instance of cmd.exe, busy eating up cpu.

I ended the processes, removed the quarantined trojan, and found and removed sr882388 and a prefetch file with the same name (manually; TM didn’t find them). I then looked at startup programs (msconfig) and found both this one and siszyd32.exe. I unchecked both and restarted, and the second one was rechecked, and in fact had two iterations, one of which was checked and one of which was not. I searched for, but did not find, this file. Nor did I find either of these names when searching the registry.

I remembered at this point that a number of months ago, TM warned me that services.exe was trying to access the internet. I blocked it. It finally occurred to me to look at the firewall log. Services.exe is making attempts every couple of seconds to reach a variety of external IP addresses through multiple ports. I don’t know enough to know whether or not this is one of services.exe’s jobs, but it seems odd.

On advice from another web forum, I installed and ran ATF-Cleaner and the free version of Superantispyware. Superantispyware found and removed siszyd32.exe, along with two other spyware apps. The perma-checked iteration of siszyd32 in msconfig is gone. I’ve attached log files from superantispyware and trendmicro internet security firewall.

Can anyone help me clean up this computer? I know little and have no idea what to do next.

Jim

Hi,

I would recommend doing the following:

  1. Download and update Avast (http://files.avast.com/files/latest/avast_home_setup.exe)
  2. Download and update MBAM (http://www.malwarebytes.org/mbam-download.php)
  3. Disconnect your computer from the internet (ie. pull the cable out or turn the router off)
  4. Run a boot-time scan with Avast
  5. Do a full scan with MBAM
  6. Download CCleaner (http://www.ccleaner.com/download/builds/downloading-slim)
  7. Run Ccleaner
  8. Download HJT (http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe)
  9. Run HJT and click 'Do a scan and save a logfile'

Post the results from Avast, MBAM and HJT here. The friendly Avast Forum members will be able to help you further.

Good luck!

Avastfan1

Quick question: will the existing running copies of superantispyware and trendmicro internet security interfere with running these processes? Should I exit them before installing and/or before running the suggested apps?

I suggest you do a forum search for this particular file, siszyd32.exe, as it has in some cases been a pig to remove and currently requires specialist tools and knowledge to analyse.

Unfortunately there aren’t that many avast users that are also malware removal specialists on the forums.

Thanks, David. I did that in fact before I posted. The experts in question advised beginning a new thread for each specific case and posting a link to it in the original thread. This is what I did.

Jim

Yes, that is correct: because the tools may return different data, such is the complexity of this little monster, multiple threads within a topic would become very confusing for all concerned.

Were you not sandboxed when this all happened?

Just seeing the “Sandboxie Start” in your first post, I wondered if you weren’t using it, or perhaps this is it trying to sandbox itself to protect it from attack.

Trendmicro Internet Security may well interfere with the smooth running of your avast antivirus. You may choose one or the other, but running the two, avast and Trendmicro, at the same time can cause problems all round.

Otherwise the suggested apps are good. They can only be helpful. However as DavidR says specialist tools may be needed to remove this beastie. You will find an abundance of info on avast webforum to put you further in the picture.

David, no I don’t use Sandboxie. From what I’ve read elsewhere, this particular beastie identifies itself as “Sandboxie Start,” even to the point of using the Sandboxie icon, but is in fact spyware and nothing to do with the real Sandboxie.

Jim

OK, thanks for that. They are very sneaky like that, trying to pass themselves off as security applications. Fortunately you realised it wasn’t, as you don’t use that particular one.

In the meantime whilst we are waiting for one of the malware specialists, you could try running these programs and report the findings.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security, though allow SAS to deal with them. See http://en.wikipedia.org/wiki/HTTP_cookie.

Thanks, David. I’m in the process of doing that exactly. I ran superantispyware before my initial post, and corrected three issues. The log is attached to my first post. I’m since following the protocol suggested by avastfan, in running an Avast boot-scan (no issues found, but a problem I’ll go into later), Malwarebytes (two runs, found a number of issues on the first, one on the second), CCleaner (I’m on that step now, and have questions; see below), and finally HijackThis. I’ll post logs when I’m all done.

I have a question about CCleaner. I ran the regular file removal tool, and took advantage of the startup program manager to remove known trojans from the list. Now I’m looking at the registry cleaner, and I’m not sure what to do. Lots of these issues:
missing shared dll
unused file extensions (what will it do if I ask it to “fix” an unused file extensions? There are plenty of them that I do indeed use all the time, and I don’t know what CCleaner means)
invalid default icons
open with application issues
activex/com issues
missing typelib references
application paths issues
helpfile issues
installer reference issues
uninstaller reference issues
obsolete software key
and old start menu keys.

Avastfan, should I be messing about with all that? I’ve read that CCleaner has a registry backup utility, but I’m not finding it, either. I’d like to do a backup prior to digging into the registry.

Make sure you have “Show prompt to select the backup” enabled.

Avastfan, should I be messing about with all that? I've read that CCleaner has a registry backup utility, but I'm not finding it, either. I'd like to do a backup prior to digging into the registry.
If you are using the default settings it will ask when you start fixing. But you can look in Options > Advanced > [x] Show prompt to backup registry issues.

…nice picture kenny… ;D

Thanks for that. I’ve run it, I’ve trusted it, and the computer has rebooted with no discernible problems. There’s a relief. Should be ready to post log files requested by avastfan shortly.

Yes, looks like it removed the startup entry for siszyd32.exe and a couple of suspect files.

No powerreg scheduler v3.exe in my PSS folder and no REMOVED.EXE in my system32 folder on winXP Pro SP3.

Personally I only use CCleaner to clean up temp files. Whilst it has a registry cleanup and all options are checked by default, it first runs a scan but doesn’t remove anything unless you opt to Fix selected issues. Generally it shouldn’t be a problem, but any editing of the registry carries a risk. It does ask “Do you want to backup changes to the registry?”; select yes, as this creates a .reg file with all the changes so that they can be reversed. It will then ask again to fix.

It isn’t a radical registry cleaner, doesn’t go into too much depth certainly not near the depth my registry cleaner goes, but for me not an issue as you need to have a working knowledge of what something does before removing it.

Ok, here’s the goods. I’ve attached the Avast boot-scan log (it’s empty, essentially, but there for completeness’ sake), two Malwarebytes logs, and the HijackThis log. I’m hoping we’ve made some real progress here. Avastfan, what next?

David, I suppose I’m happy CCleaner’s registry cleaner isn’t all that robust, as I certainly lack that working knowledge you mentioned. It did get rid of 1103 of those shallow issues it does address.

A question about the startup menu manager: I have a number of programs unchecked in msconfig that I did not uncheck myself. How can I know what is needed and what is not? Is it safe to use CCleaner to remove unchecked entries if I’m sure the program isn’t needed or that I simply don’t want it to run on startup?

I mentioned an issue I had with Avast. I ran the setup, and it downloaded the program. On first run, it performed a memory scan and warned of a hidden service named “buoraeym.sys.” It asked if I wanted to delete or ignore this service, and suggested “ignore.” I clicked ignore, and up popped a warning that there was a virus running in memory. It asked me if I wanted to perform a boot-scan, I clicked yes, and the system froze. I wound up doing a hard restart, and the boot-scan started. I had trouble with freezes on restarts, as Avast and TM were fighting with one another, and was eventually able to stop the apps as they were loading, boot fully, and uninstall Avast. Hence:
I don’t know if the buoraeym.sys service is a problem, or if it has been solved, and
I don’t know if Avast was up to date when it ran the boot-scan.

It has been stated elsewhere in the forum that Avast fails to identify these particular issues. Do you suggest mucking about with it again, or leaving it for now?

I see you are still running Windows Service Pack 2 so you should install Windows Service Pack 3 that has been available for over a year and a half that contains several Critical Security updates plus performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

Update to IE8:
http://www.microsoft.com/windows/internet-explorer/default.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

I wanted to ask again about the services.exe problem. Is this perhaps a problem app, or a good app driven to do bad things by another app?

I’m attaching the most recent log of firewall activity. It was originally a comma-separated value file, but I renamed it as a text file as this forum doesn’t allow .csv attachments. I don’t know if the activity is suspicious or legitimate. Any ideas?

services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computers boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated.

Author:Microsoft Corp.

Part of:Microsoft Windows Operating System

Common Path(s):%system%\services.exe

You should only be worried if it is SERVICES.EXE instead of services.exe.

Read here

http://www.prevx.com/filenames/476339565022733292-X1/SERVICES.EXE.html

Virus with same name:

W32/Leave.B (service.exe) - Symantec Corporation
W32.Randex.R (service.exe) - Symantec Corporation
W32.HLLW.Kazping (service.exe) - Symantec Corporation
W32.XTC.Worm (service.exe) - Symantec Corporation

You should also be worried if services.exe is in C:\WINDOWS\services.exe instead of C:\Windows\system32.
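The path rule in the post above can be checked mechanically. The following is an added example, not code from this thread or from any of the tools named in it: it takes a process listing of the kind tasklist, Process Explorer or a HijackThis log would give you (the entries here are constructed for the example) and reports every services.exe whose image does not live under %SystemRoot%\system32, plus any second copy inside system32. One caveat from the editor: Windows file names are case-insensitive, so the spelling SERVICES.EXE versus services.exe is not by itself a signal; the image path is what this check relies on.

```python
"""Flag services.exe entries whose image path is not %SystemRoot%\\system32.

Added example; the process list below is constructed, not real data from the
thread. ntpath is used so the Windows path handling also works when this is
run on a non-Windows machine.
"""
import ntpath
from typing import Dict, List, Tuple

# Constructed sample listing (pid, image name, full image path). An empty path
# stands for kernel/system entries that have no on-disk image.
SAMPLE_PROCESSES: List[Dict[str, str]] = [
    {"pid": "4", "name": "System", "path": ""},
    {"pid": "680", "name": "services.exe",
     "path": r"C:\WINDOWS\system32\services.exe"},
    {"pid": "1432", "name": "svchost.exe",
     "path": r"C:\WINDOWS\system32\svchost.exe"},
    {"pid": "2204", "name": "SERVICES.EXE",
     "path": r"C:\WINDOWS\services.exe"},
    {"pid": "2388", "name": "services.exe",
     "path": r"C:\Documents and Settings\Jim\Local Settings\Temp\services.exe"},
]


def expected_dir(system_root: str = r"C:\WINDOWS") -> str:
    """Directory the genuine services.exe must live in, lower-cased for comparison."""
    return ntpath.join(system_root, "system32").lower()


def find_suspicious_services_exe(
    processes: List[Dict[str, str]], system_root: str = r"C:\WINDOWS"
) -> List[Tuple[str, str, str]]:
    """Return (pid, path, reason) for every services.exe that fails the path rule.

    Two conditions are reported:
      * the image directory is not %SystemRoot%\\system32 (case-insensitive);
      * a second services.exe is found inside system32 (XP runs exactly one).
    The image *name* is matched case-insensitively on purpose; the path decides.
    """
    good_dir = expected_dir(system_root)
    findings: List[Tuple[str, str, str]] = []
    genuine_seen = 0
    for proc in processes:
        if proc["name"].lower() != "services.exe":
            continue
        directory = ntpath.dirname(proc["path"]).lower() if proc["path"] else ""
        if directory != good_dir:
            findings.append(
                (proc["pid"], proc["path"],
                 "image path is outside %SystemRoot%\\system32")
            )
            continue
        genuine_seen += 1
        if genuine_seen > 1:
            findings.append(
                (proc["pid"], proc["path"],
                 "second services.exe inside system32; only one is expected")
            )
    return findings


if __name__ == "__main__":
    for pid, path, reason in find_suspicious_services_exe(SAMPLE_PROCESSES):
        print(f"PID {pid}: {path}  <- {reason}")
```

On a real machine, feed the function the output of `tasklist /fo csv` or the process list from Process Explorer; anything it reports is worth submitting to a scanner before it is killed, since a legitimate-looking name in the wrong directory is exactly the trick described earlier in this thread with “Sandboxie Start”.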

I have no idea about the services.exe; it is strange, as I don’t see this being used in my logs, but you can do a whois on the IP addresses it is trying to connect to, and strangely the likes of Yahoo, Hotmail, Mozilla and Facebook were some of the ones I checked.

HiJackThis in cases of this type is almost useless all it is likely to do is reveal weaknesses in your software like not having SP3 as mentioned, acrobat 7 (old and vulnerable), etc. etc. - I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

What it also shows is that you no longer have avast installed, but Trend Micro Internet Security?
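The firewall log question raised above (services.exe reaching a variety of external addresses every couple of seconds) is easier to answer from a per-process summary than from the raw CSV. The script below is an added example written for this page, not part of the thread and not a Trend Micro tool: it parses a constructed log in an assumed column layout (time, process, dest_ip, dest_port, action; Trend Micro's real export columns may differ and would need the field names changed), summarises attempts per process, and flags processes whose attempts are both frequent and evenly spaced, which is the beaconing pattern the post describes. It does not do the whois lookups DavidR mentions; those remain a separate, online step on the addresses it reports.

```python
"""Summarise outbound attempts per process from a firewall CSV and flag beaconing.

Added example. SAMPLE_LOG is constructed for illustration; its column layout
is an assumption, not Trend Micro Internet Security's actual export format.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample export. services.exe fires every 2 s at changing hosts and
# ports; firefox.exe and svchost.exe show ordinary, irregular traffic.
SAMPLE_LOG = r"""time,process,dest_ip,dest_port,action
2009-12-01 10:00:00,C:\WINDOWS\system32\services.exe,203.0.113.10,80,blocked
2009-12-01 10:00:02,C:\WINDOWS\system32\services.exe,203.0.113.11,443,blocked
2009-12-01 10:00:03,C:\WINDOWS\system32\svchost.exe,192.168.1.1,53,allowed
2009-12-01 10:00:04,C:\WINDOWS\system32\services.exe,203.0.113.12,8080,blocked
2009-12-01 10:00:05,C:\Program Files\Mozilla Firefox\firefox.exe,198.51.100.7,80,allowed
2009-12-01 10:00:06,C:\WINDOWS\system32\services.exe,203.0.113.13,80,blocked
2009-12-01 10:00:08,C:\WINDOWS\system32\services.exe,203.0.113.14,443,blocked
2009-12-01 10:00:10,C:\WINDOWS\system32\services.exe,203.0.113.15,25,blocked
2009-12-01 10:00:12,C:\WINDOWS\system32\services.exe,203.0.113.16,80,blocked
2009-12-01 10:00:14,C:\WINDOWS\system32\services.exe,203.0.113.17,443,blocked
2009-12-01 10:00:31,C:\Program Files\Mozilla Firefox\firefox.exe,198.51.100.8,443,allowed
2009-12-01 10:00:45,C:\WINDOWS\system32\svchost.exe,192.168.1.1,53,allowed
2009-12-01 10:01:40,C:\Program Files\Mozilla Firefox\firefox.exe,198.51.100.7,80,allowed
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the CSV export into dicts with a real datetime and an int port."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "process": row["process"],
            "ip": row["dest_ip"],
            "port": int(row["dest_port"]),
            "action": row["action"],
        })
    return rows


def summarise(rows: List[Dict]) -> Dict[str, Dict]:
    """Per-process counts plus the median and spread of the gaps between attempts."""
    by_proc: Dict[str, List[Dict]] = defaultdict(list)
    for r in rows:
        by_proc[r["process"]].append(r)
    summary = {}
    for proc, events in by_proc.items():
        events.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds()
                for a, b in zip(events, events[1:])]
        summary[proc] = {
            "attempts": len(events),
            "blocked": sum(1 for r in events if r["action"] == "blocked"),
            "distinct_ips": len({r["ip"] for r in events}),
            "distinct_ports": len({r["port"] for r in events}),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "gap_spread_s": (max(gaps) - min(gaps)) if gaps else None,
        }
    return summary


def flag_beacons(summary: Dict[str, Dict], min_attempts: int = 5,
                 max_gap_s: float = 10.0, max_spread_s: float = 2.0) -> List[str]:
    """Processes with many attempts at short, nearly constant intervals.

    A tight gap spread is the tell: user-driven traffic is bursty, a timer loop
    is not. Thresholds are illustrative and should be tuned to the log.
    """
    flagged = []
    for proc, s in summary.items():
        if s["attempts"] < min_attempts or s["median_gap_s"] is None:
            continue
        if s["median_gap_s"] <= max_gap_s and s["gap_spread_s"] <= max_spread_s:
            flagged.append(proc)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarise(parse_log(SAMPLE_LOG))
    for proc, s in stats.items():
        print(proc, s)
    print("beacon-like:", flag_beacons(stats))
```

A flag here is a lead, not a verdict: the next step is to confirm which binary the entry really is (see the path check earlier in this thread) and to look up ownership of the destination addresses, since a genuine services.exe on XP has no reason to contact a rotating list of external hosts on a two-second timer.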