siszyd32.exe - am I free?

Evening all!

I noticed this afternoon that a couple of new processes had appeared in the task manager and they, as well as an instance of svchosts.exe, were using up large amounts of cpu. Also there was an instance of firefox running at startup which after I killed, seemed to disappear from the firefox folder (odd?). After a quick google I stumbled upon multiple results about siszyd32 and a lot of threads on this forum. I’ve just spent the evening running scans. I’ve run adaware, mbam, sas and freefixer. I’ve removed everything the first 3 scans picked up and I’m not sure what to make of the results from freefixer. A lot of it seems normal but there is the oddly named dll file which is making me wonder if I am free of this virus/trojan/rootkit. Please see the attached log file.

If anyone can help I’d be extremely grateful!

/digitalxni

Hey Digitalxni.

I’m not really advanced in this kind of thing but siszyd32.exe is not a vital Windows process, and it looks like it’s not a good one either. Find a way to remove it. I’ll take a look at that log file later.

I’m not here to advertise but you might want to try this:

http://www.kaspersky.co.uk/virusscanner

I haven’t actually tried it but it might find something.

By the way, make sure you update everything that is not up-to-date. Go to Windows update, search for newer versions of programs, whatever. You might also want to tell us your configuration. Schedule a boot-time scan with avast!. If you don’t have it yet, get the home edition on the avast! website.

Ok so I’ve reinstalled firefox (although I’ve still got the wireless disabled) and rerun mbam which came back completely negative. After rebooting I’ve noticed that I have no odd looking processes and nothing is taking up mega amounts of cpu. So I think I may well be rid of it but those odd looking results in freefixer worry me slightly.

Send erivujepopepacu.dll from C:\WINDOWS\erivujepopepacu.dll to VirusTotal and post the results.
http://www.virustotal.com/

Here are the virus total results. Looks like win32.hiloti.

Sorry, I am not really convinced. Not many are picking it up: F-Secure says generic, Sophos says suspicious; both are not definite. I don’t count the other findings. None of the big ones are finding this. I may be wrong but at this moment I don’t think it’s virus related. Then again, I doubt it’s anything important; no hits on Google.

Could it be from a security tool you have run?

It says it was created in 2004 so surely not? I just noticed a file next to this dll called Lgelimuwesebeb.bin which appeared yesterday afternoon which is when the problems began but none of my scans have said it is a threat. (I will upload to virustotal shortly). All scans keep coming back negative but I’m still rather worried about connecting the computer back to the internet where it may download more bad things. Is this possible? How can I be sure that I am indeed clean?

One thing I am rather worried about at the moment is that if I were to reconnect to the network, my pc would go on a download rampage of lots more trojans and viruses etc. Is this something I should worry about doing and should I stay disconnected until this matter is resolved?

Of course you should be worried, as it makes cleaning harder, but any downloader has to gain access to the internet.

What is your firewall?

  • It should be capable of blocking unauthorised outbound Internet Connections.

I too am not familiar with freefixer, but the one thing I do see is that you are using XP SP2 and SP3 has been out for about 18 months; this leaves you more vulnerable to attack in the first place. Unfortunately you can’t begin to install SP3 until your system is clean, and this particular siszyd32.exe has in other topics proven difficult to eradicate.

Also, Java is out of date, leaving another vulnerability (you need to uninstall the old version using Add/Remove Programs before installing the latest version).

I’ll be downloading and running OTS soon in the way that essexboy has said in many other threads. I will upload the results later tonight and hopefully someone can make some sense out of them!

Here is a link to the OTS log:

http://www.mediafire.com/?jzbwikktngn

Just to add a few things I’ve noticed lately. Once the pc has booted into windows I get a message saying that there is no internet connection etc. This is probably due to some software trying to update on boot though. I also connected to the internet briefly the other day to upload some logs and as soon as I did, an instance of svchosts.exe started hogging lots of cpu again. :frowning:


Hopefully, essexboy will be in sometime soon and see this thread.


Here I be - there is a rootkit/hidden driver that I will need to kill

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Modules - Safe List]
YY -> erivujepopepacu.dll -> C:\WINDOWS\erivujepopepacu.dll
[Registry - Additional Scans - Safe List]
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
YN -> http [open] -> "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"
YN -> https [open] -> "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"
[Files/Folders - Created Within 30 Days]
NY ->  3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  daleg.sys -> C:\WINDOWS\System32\drivers\daleg.sys
NY ->  Lgelimuwesebeb.bin -> C:\WINDOWS\Lgelimuwesebeb.bin
NY ->  Yhenij.dat -> C:\WINDOWS\Yhenij.dat
NY ->  49 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  117 C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp
NY ->  117 C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Ben\Local Settings\Temp\*.tmp
[Files - No Company Name]
NY ->  erivujepopepacu.dll -> C:\WINDOWS\erivujepopepacu.dll
[Custom Scans]
NY ->  2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
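The OTS fix pasted above is really a small script of actions: each bracketed header selects a scan category, and each entry line says which registry value to repair and which file to move to quarantine. Before pasting a fix like that into a tool, it helps to see at a glance what it will touch. The following parser is an added example for this thread; it is not part of the original posts and not OTS’s own code. It assumes (labelled in the comments) that the two-letter prefix reads as "first letter Y = fix the registry entry, second letter Y = move the file", that numbered wildcard entries such as "3 C:\WINDOWS\*.tmp files" count that many files, and that bracketed sections with no entries are standalone commands. The sample fix embedded below is a trimmed copy of the one in this thread.

```python
"""Parse an OTS fix script into a list of planned actions and summarise them.

Added example; not part of the thread and not OTS's own code. Assumptions
(labelled): the two-letter prefix is read as
    first letter  Y -> a registry entry is to be fixed
    second letter Y -> a file/folder is to be moved to quarantine
and bracketed section headers with no entries ([Unregister Dlls],
[Empty Temp Folders]) are standalone commands.
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^\[(.+)\]$")                 # "[Modules - Safe List]"
ENTRY_RE = re.compile(r"^([YN])([YN])\s*->\s*(.+)$")   # "NY ->  name -> target"
COUNT_RE = re.compile(r"^(\d+)\s+(.+)\s+files$")       # "49 C:\WINDOWS\Temp\*.tmp files"

# Constructed sample: trimmed copy of the fix posted in this thread.
SAMPLE_FIX = r"""
[Unregister Dlls]
[Modules - Safe List]
YY -> erivujepopepacu.dll -> C:\WINDOWS\erivujepopepacu.dll
[Registry - Additional Scans - Safe List]
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
YN -> http [open] -> "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"
YN -> https [open] -> "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"
[Files/Folders - Created Within 30 Days]
NY ->  3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  daleg.sys -> C:\WINDOWS\System32\drivers\daleg.sys
NY ->  Lgelimuwesebeb.bin -> C:\WINDOWS\Lgelimuwesebeb.bin
NY ->  Yhenij.dat -> C:\WINDOWS\Yhenij.dat
NY ->  49 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Files - No Company Name]
NY ->  erivujepopepacu.dll -> C:\WINDOWS\erivujepopepacu.dll
[Empty Temp Folders]
"""


@dataclass
class Action:
    section: str
    fix_registry: bool   # assumption: first prefix letter
    move_file: bool      # assumption: second prefix letter
    name: str
    target: str
    count: int = 1       # number of files behind a wildcard group such as *.tmp


@dataclass
class FixPlan:
    commands: list = field(default_factory=list)   # sections with no entries
    actions: list = field(default_factory=list)


def parse_fix(text: str) -> FixPlan:
    """Walk the fix line by line, tracking the current section header."""
    plan = FixPlan()
    section, seen_entry = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if section is not None and not seen_entry:
                plan.commands.append(section)
            section, seen_entry = m.group(1), False
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue   # sub-headers such as "< Registry Shell Spawning ... >"
        seen_entry = True
        name, _, target = m.group(3).partition(" -> ")
        count = 1
        c = COUNT_RE.match(name)
        if c:   # "3 C:\WINDOWS\*.tmp files" -> count 3, name "C:\WINDOWS\*.tmp"
            count, name = int(c.group(1)), c.group(2)
        plan.actions.append(Action(section, m.group(1) == "Y", m.group(2) == "Y",
                                   name, target, count))
    if section is not None and not seen_entry:
        plan.commands.append(section)
    return plan


def summarize(plan: FixPlan) -> dict:
    """Totals a reviewer wants before running the fix: how many registry
    values it repairs, how many files it quarantines, which named files
    (not wildcard groups) go, and which of them are kernel drivers."""
    return {
        "commands": plan.commands,
        "registry_fixes": sum(1 for a in plan.actions if a.fix_registry),
        "files_to_quarantine": sum(a.count for a in plan.actions if a.move_file),
        "named_files": sorted({a.name for a in plan.actions
                               if a.move_file and "*" not in a.name}),
        "drivers": [a.name for a in plan.actions
                    if a.move_file and a.target.lower().endswith(".sys")],
    }


if __name__ == "__main__":
    print(summarize(parse_fix(SAMPLE_FIX)))
```

On the sample, the summary reports two standalone commands, three registry repairs (the DLL’s module entry plus the http and https shell handlers), 59 files headed for quarantine, and one driver (daleg.sys), which matches the "hidden driver" essexboy refers to. A named DLL in the quarantine list is also the reason for the RUNDLL "module could not be loaded" message a user sees after such a fix: something still references the moved file until the leftover registry entries are cleaned.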

Just ran the OTS fix. After reboot I got a RUNDLL error saying that the module could not be loaded for the file C:\WINDOWS\erivujepopepacu.dll

Please find attached the OTS log file. I will run combofix once you’ve had a gander at this log file :slight_smile:

EDIT: Just to add I noticed that this fix has only moved the oddly named files (dlls, bins etc.). Will ComboFix remove these completely?

Yep run CF now and that should tidy up the registry entries and kill the other files I missed ;D

The files have been moved to quarantine now and are harmless

Meh think I might have buggered it up! I wasn’t actually connected to the internet when I ran combofix and it carried on scanning regardless. On the final reboot, I still got a rundll error about the missing dll file which OTS moved. Here is the log anyway. Should I run it again so that I can download the recovery console?

Yes you will need the recovery console for Combofix to replace your infected Atapi file

So re-run whilst connected to the net and allow it to download the recovery console

On completion of that could you re-run OTS again but without the custom scan elements?

Hmmm it doesn’t seem to be doing a lot… Ran it again and it’s downloaded the recovery console… It’s said it’s currently scanning for files but I’ve not seen anything pop up to show what it’s scanning and it’s been going for 30mins now. Just seems odd :stuck_out_tongue:

Does it show the stages it is going through?

No, all it says is that it is scanning for infected files. Last time I ran the scan it had finished and started rebooting after a few mins.