Need Help removing siszyd32.exe and sr882388.exe et al

YoKenny,

Is it a good idea to install SP3 at this point while all this is going on, or better to wait 'til this is resolved? I run all the critical updates on a regular basis, but haven’t installed SP3 as I had heard horror stories about this particular release mucking up people’s computers. What say you?

Also, I once had IE 8 but had to roll back to 7 as 8 had a problem where every time I closed a browser, it started a second iteration of rundll32, and this second iteration would max out cpu. Is it because I was running it under SP2, do you think? It was terribly annoying.

Secunia found three vulnerable apps, two Adobe, one Yahoo Messenger. I’m updating them as I’m writing this. Thanks for that tip.

Jim

David,

I uninstalled Avast in favor of TM because the TM firewall has particular services on its block list. I don’t want to stop the TM firewall until all this is fixed.

Eventually, I’d like to find an antivirus/spyware combo that works. As already noted, Avast was no better at finding these nasties than TM. The Avast boot-scan showed nothing, after which Malwarebytes found a number of problems, and folks on other threads have related similar experiences. That’s all a bit off-topic for this thread, of course, but I would like to know what folks are using and if anything has successfully stopped siszyd32 and sr882388 from installing in the first place.

Jim

It would help if you showed your system specifications as to CPU type and speed plus amount of RAM installed.

The best combo is avast! and Malwarebytes’ Anti-Malware (MBAM).

The infection siszyd32 is a bit of a nasty one right now and may take the likes of essexboy or oldman to help remove, but SP3 should be installed eventually.

YoKenny,

The system’s on the older side. Processor is an AMD Athlon “XP Processor” running at 3200 (2.2 GHz). 512 MB RAM. WinXP SP2, as you know. Anything else you need?

I posted on a thread where essexboy was deeply involved, and had hoped to attract his attention to this thread by posting a link to it. Perhaps a direct appeal is in order.

Jim

In case essexboy stops in, I’ve gone ahead and run OTS according to his specs as posted in another forum. The resulting log file is posted here: http://www.mediafire.com/?jzkmjjywojo

Jim

Here you go, let’s try this. I will attempt to remove the hidden spawner the first time around; if that fails, then CF should get it.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{c4ffb535-f79e-11dd-a3d1-000ea6261df6} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4ffb535-f79e-11dd-a3d1-000ea6261df6}\Shell\Shell00\Command -> 
YY -> \{c4ffb535-f79e-11dd-a3d1-000ea6261df6}\Shell\Shell00\Command\\"" -> K:\Start.exe [K:\Start.exe]
[Files/Folders - Created Within 30 Days]
NY ->  4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  qawin32.INI -> C:\WINDOWS\qawin32.INI
NY ->  buoraeym.sys -> C:\WINDOWS\System32\drivers\buoraeym.sys
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
NY ->  nvDrv.sy -> C:\WINDOWS\nvDrv.sy
NY ->  45 C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp
NY ->  45 C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp
NY ->  4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files - No Company Name]
NY ->  qawin32.INI -> C:\WINDOWS\qawin32.INI
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
NY ->  nvDrv.sy -> C:\WINDOWS\nvDrv.sy
NY ->  buoraeym.sys -> C:\WINDOWS\System32\drivers\buoraeym.sys
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
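As an added illustration (not from the thread, and not part of OTS, ComboFix or any other tool named here): a small Python triage pass over lines written in the OTS fix-list format shown above. The sample input is constructed from the entries essexboy listed plus a benign readme.txt control; the indicators are the things a responder eyeballs in such a log, not OTS rules. The MountPoints2 `Shell\<verb>\Command` key is Explorer’s cached copy of a volume’s autorun.inf verbs, so a launcher sitting in the root of a card-reader drive (the K:\Start.exe entry) is the classic removable-media pattern. Note the “random name” test catches fjhdyfhsn but misses buoraeym, which reads as almost pronounceable; that one is flagged only because it is a .sys file listed under “No Company Name”.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample in the OTS fix-list format, modelled on the entries quoted above.
# readme.txt is a benign control added here; it is not from the thread.
SAMPLE_OTS_LINES = r'''
[Registry - Safe List]
YY -> \{c4ffb535-f79e-11dd-a3d1-000ea6261df6}\Shell\Shell00\Command\\"" -> K:\Start.exe [K:\Start.exe]
[Files - No Company Name]
NY ->  qawin32.INI -> C:\WINDOWS\qawin32.INI
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
NY ->  nvDrv.sy -> C:\WINDOWS\nvDrv.sy
NY ->  buoraeym.sys -> C:\WINDOWS\System32\drivers\buoraeym.sys
NY ->  readme.txt -> C:\WINDOWS\readme.txt
'''.strip().splitlines()

SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")
# "<flags> -> <item> -> <target>"; the item is matched lazily up to the second arrow.
OTS_LINE = re.compile(r"^[YN]{2} ->\s+(?P<item>.*?) -> (?P<target>.*)$")
# MountPoints2\{volume-guid}\Shell\<verb>\Command: Explorer's cached autorun.inf verbs for
# a volume. A command pointing at an executable in a drive root is the removable-media
# infection pattern.
MOUNTPOINT_CMD = re.compile(r"\\Shell\\[^\\]+\\Command", re.IGNORECASE)
ROOT_LAUNCHER = re.compile(r"^(?P<drive>[A-Za-z]):\\[^\\]+\.(exe|com|bat|cmd|pif|scr)$", re.IGNORECASE)
KNOWN_EXT = {"exe", "dll", "sys", "ini", "bat", "cmd", "drv", "ocx", "cpl", "scr", "log", "tmp", "txt", "dat", "inf"}
SCRIPT_EXT = {"bat", "cmd", "vbs", "js"}
VOWELS = set("aeiou")


def longest_run(s: str, pred: Callable[[str], bool]) -> int:
    """Length of the longest run of consecutive characters satisfying pred."""
    best = cur = 0
    for ch in s:
        cur = cur + 1 if pred(ch) else 0
        best = max(best, cur)
    return best


def looks_machine_generated(stem: str) -> bool:
    """Cheap pronounceability test: an all-letter stem of 7+ chars containing a run of
    4+ consonants or 3+ vowels. Heuristic only: 'ntoskrnl' trips it and 'buoraeym'
    does not, so treat a hit as 'look closer', never as a verdict."""
    s = stem.lower()
    if len(s) < 7 or not s.isalpha():
        return False
    is_consonant = lambda c: c not in VOWELS and c != "y"
    is_vowel = lambda c: c in VOWELS
    return longest_run(s, is_consonant) >= 4 or longest_run(s, is_vowel) >= 3


def split_name(path: str) -> Tuple[str, str]:
    """Return (stem, lower-cased extension) of the last path component."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Walk OTS-style lines, tracking the [Section] each entry belongs to, and return
    the entries that trip at least one indicator together with the reasons."""
    findings: List[Dict[str, object]] = []
    section = ""
    for raw in lines:
        line = raw.strip()
        sec = SECTION.match(line)
        if sec:
            section = sec.group("name")
            continue
        m = OTS_LINE.match(line)
        if not m:
            continue
        item = m.group("item")
        target = m.group("target").split(" [")[0].strip()  # drop OTS's "[resolved path]" suffix
        reasons: List[str] = []
        if MOUNTPOINT_CMD.search(item):
            launcher = ROOT_LAUNCHER.match(target)
            where = f"the root of volume {launcher.group('drive').upper()}:" if launcher else "an unexpected path"
            reasons.append(f"MountPoints2 Shell command runs {target} from {where} (autorun-style launcher)")
        else:
            stem, ext = split_name(target)
            if looks_machine_generated(stem):
                reasons.append(f"machine-generated-looking name '{stem}'")
            if ext and ext not in KNOWN_EXT:
                reasons.append(f"unusual extension '.{ext}'")
            if ext in SCRIPT_EXT and "\\system32\\" in target.lower():
                reasons.append("script file in System32")
            if ext == "sys" and "No Company Name" in section:
                reasons.append("kernel driver (.sys) with no company metadata")
        if reasons:
            findings.append({"target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTS_LINES):
        print(f["target"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against a real OTS log, this is a first-pass filter only: every hit still needs the file pulled and checked (hash, signature, strings) before it goes into a fix list, and the name heuristic will generate noise on legitimate drivers.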

I’ve run the fix, and the new OTS scan per your original specs. The fix hit an exception error “no disk” almost immediately with the K: drive reference. This is one of those HP MediaCenter computers, and the K: drive is one of a handful of drive-bays in the front of the computer intended for memory cards. I’m not sure I’ve ever used it, hence I’m a bit confused about the reference to K:\startup.exe!

I wasn’t sure if you wanted the new logs posted here or on mediafire, so I did both. Mediafire links are http://www.mediafire.com/?olm2yxkmkyt for the fix log and http://www.mediafire.com/?dfuzwzomwgo for the new scan log.

Off to download Combofix. Thanks very much for digging into this.

Jim

ComboFix ran almost without problems. On reboot, Trend Micro, although supposedly disabled by ComboFix, managed to block PV.cfxxe. When it became apparent ComboFix was going to keep trying, I exited TM, after which the process concluded successfully. I noticed, watching CF work, that it managed to delete buoraeym.sys and a couple of other things, although I don’t see that in the log.

The log was too long to include in the message. It is attached.

Jim

That file still appears to be there, so I will use a different tool to try and kill it.

Download avz4.zip from here

* Unzip it to your desktop to a folder named avz4
* Double click on AVZ.exe to run it.
* Run an update by clicking the Auto Update button on the Right of the Log window:
http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-update-button.png

* Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

* Start AVZ.

* Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis with Malware removal mode enabled” check box.

http://perplexus.geekstogo.com/avz-standardscripts-asa-removal.png

* Click on the “Execute selected scripts”.
* Automatic scanning, healing and system check will be executed.
* A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
* It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
* All applications will work properly after the system restart.

When restarted

* Start AVZ.

* Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis” check box.

http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-standardscripts.png

* Click on the “Execute selected scripts”.
* A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post or upload to mediafire

Watching it run, it doesn’t seem to have found anything. Please have a look. Meanwhile, I ran it with trendmicro running, and perhaps shouldn’t have. I’ll run it again with tm disabled while I’m waiting to hear from you. If anything comes out differently, I’ll post new logs.

Files are on mediafire at http://www.mediafire.com/?m2qmjmmyimh and http://www.mediafire.com/?jnkky2gunnz

Jim

It’s also saying the extended monitoring driver AVZPM is not installed, so that check wasn’t performed.

New files at mediafire: re-run. http://www.mediafire.com/?jnkky2gunnz and http://www.mediafire.com/?qzkem4ytown Don’t think the result is any different.

I discovered that one of my email accounts had been hacked. It was being used by a Nigerian-style scammer. Oddly enough, the thief didn’t change the password, hence the address was recovered. “Captain Raymond Pierce.” I’ve canceled all the credit cards, changed all the passwords. Wonderful way to spend a day.

Which file were we going after?

Jim

What was TM doing when you got hacked?

Ostensibly, its job. It detected the initial trojan and claimed to have quarantined it, but I found it running as a process immediately thereafter along with sr882388.exe. It asked me if I wanted to allow sr882388.exe to access the internet, and I of course blocked it, but that didn’t stop it running. Nor, apparently, was it able to stop it or something else from accessing the internet, considering my email account was successfully stolen.

It was also updating daily and scanning twice weekly. It found nothing on a scan immediately after the incident, of course. I found siszyd32.exe myself in msconfig when I was trying to figure out what all had gone wrong. I’m assuming it hit a few months ago when TM “quarantined” another trojan. In that case, I failed to look further. I’m not sure what siszyd32 accomplished, but it’s apparent both left TM scratching its *** in midfield.

Jim

Mediafire is down for maintenance at the moment. It should be up in about an hour, when I will download your logs.

Let’s bypass mediafire in case its updates take longer than advertised. I’ve changed the file extensions to .log so they can be attached here. Please change them back to .zip when you download them.

Jim

Ta, ok. That shows that the file is no longer present, so mayhap OTS was the older version.

What problems are you experiencing now - are you still getting alerts ?

Not receiving any alerts, just flipping fearful bad things are going to happen if I start using the computer online again. Which file were we looking for? I’m guessing AVZ doesn’t find it now, but did it do so in the first place? Should we run something else to be certain it’s gone?

I have another question relating to the start menu for when this mess is finally behind me: is it ok or advisable to use CCleaner to delete start menu entries that are not checked and/or are unchecked second iterations of items that are checked?

Jim

Let’s do a final check with MBAM and do this using the current computer, i.e. go online with it.

I have another question relating to the start menu for when this mess is finally behind me: is it ok or advisable to use CCleaner to delete start menu entries that are not checked and/or are unchecked second iterations of items that are checked?
Should be no problem with that

Malwarebytes’ Anti-Malware
Please download Malwarebytes’ Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select “Perform Quick Scan”, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

The MBAM quick-scan was clean. I should point out, though, that a MBAM full system scan was also clean just prior to your entering this particular fray. Which particular utility found the item you’re after? Should we run that again?

I very much appreciate your help with these issues. I don’t mean to be a pest. Especially after having an email account hijacked, I’m thrice shy about all of this.

Jim

Malwarebytes’ Anti-Malware 1.43
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

1/7/2010 3:15:16 PM
mbam-log-2010-01-07 (15-15-16).txt

Scan type: Quick Scan
Objects scanned: 122704
Time elapsed: 7 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)