siszyd32.exe help please

Hi essexboy,

I was hoping you could help me removing siszyd32.exe, etc.

You see, I noticed it a month ago and found this forum. I thought I had removed it with antivir, but after a while I kept on getting all sorts of virus and trojan warnings. I kept on deleting them with antivir, but that was just temporary. Now my pc also keeps on restarting 1-3 times a day.

It’s not slow, but it’s definitely not ok.

When I press ctrl-alt-delete I see that I still only use less than 15% on average, so nothing suspicious there, but I do see svchost.exe at least 9-10 times, which I think was an indication that my pc is infected by this siszyd32.exe bugger.

Other than that, I have no idea how to be sure it’s still there or how infected my pc is. All I know is that it’s infected :frowning:

I also used freefixer to remove some nasty stuff. (Before removing them I did a google search first of course :P)

One more thing. It also seems that some of my wordpress blogs have been hacked at the moment (removing nasty script codes as we speak). Is that just a case of bad luck or has it got anything to do with my infected pc?

Please help.

Thanks in advance!
Robert

Follow this guide from Essexboy and post MBAM and OTL logs HERE
http://forum.avast.com/index.php?topic=53253.0

If the log is too big, go to "Additional Options…" in the bottom left corner and Attach:

If you could post the logs please ;D

Thanks guys.

Here is the info you requested.

Hope it looks ok :stuck_out_tongue:

Try to set up a boot scan of avast… 100% it will be removed…^^

Then scan your pc using: http://superantispyware.com

Good luck and God Bless…

OK, try this. I am not sure if OTL is strong enough to move it, but we will try that first.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [_ex-68] C:\WINDOWS\Temp\_ex-68.exe File not found
[2010-03-06 08:24:28 | 000,792,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\txrggao.sys
[2010-03-01 05:40:03 | 000,000,016 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\rbuwzv.dat
[2010-03-06 08:29:26 | 000,792,064 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\txrggao.sys

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
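As an added illustration (my own example, not code from this thread, from OTL or from ComboFix): a small Python triage script that parses the two OTL entry formats quoted in the fix script above (the `[date | size | attrs | C/M] (company) -- path` file lines and the `O4 - HKLM..\Run:` autostart lines) and reports why each of those entries is worth a second look. The line formats are inferred from the quoted entries only, the sample log is constructed from them, and the flagging rules (unsigned driver with no publisher, driver whose MD5 cannot be read, data file in a service-account profile, Run value pointing at Temp or at a missing file) are illustrative heuristics, not OTL's own scoring.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the OTL entries quoted in the post above, plus the
# section markers OTL scripts use, so the parser must skip non-entry lines.
SAMPLE_LOG = r"""
:OTL
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [_ex-68] C:\WINDOWS\Temp\_ex-68.exe File not found
[2010-03-06 08:24:28 | 000,792,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\txrggao.sys
[2010-03-01 05:40:03 | 000,000,016 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\rbuwzv.dat
[2010-03-06 08:29:26 | 000,792,064 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\txrggao.sys
:Commands
[purity]
"""

# File entry, format inferred from the quoted lines (assumption):
# [YYYY-MM-DD hh:mm:ss | size | attrs | C|M] (company) [Unable to obtain MD5] -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\)"
    r"(?P<nomd5> Unable to obtain MD5)? -- (?P<path>.+)$"
)
# Autostart (O4) entry, format inferred from the quoted lines (assumption):
# O4 - HKLM..\Run: [value name] target [File not found]
RUN_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\Run: \[(?P<name>[^\]]*)\] ?(?P<target>.*?)"
    r" ?(?P<missing>File not found)?$"
)


@dataclass
class Finding:
    path: str           # file path, or the autostart target / value name
    reasons: List[str]  # illustrative heuristics that fired for this entry


def assess_file(m: "re.Match") -> List[str]:
    """Heuristics for a file entry (my assumptions, not OTL's logic)."""
    low = m["path"].lower()
    reasons = []
    if low.endswith(".sys") and "\\drivers\\" in low:
        if not m["company"].strip():
            reasons.append("kernel driver with no publisher string")
        if m["nomd5"]:
            reasons.append("kernel driver whose MD5 could not be read "
                           "(file hidden from user-mode reads, as rootkits do)")
    if ("\\networkservice\\application data\\" in low
            or "\\config\\systemprofile\\application data\\" in low):
        reasons.append("data file dropped into a service-account profile")
    return reasons


def assess_run(m: "re.Match") -> List[str]:
    """Heuristics for an O4 autostart entry (my assumptions, not OTL's logic)."""
    reasons = []
    if m["missing"]:
        reasons.append("Run value whose target file is missing (orphaned autostart)")
    if "\\temp\\" in m["target"].lower():
        reasons.append("Run value launching an executable from a Temp directory")
    return reasons


def parse_line(line: str) -> Optional[Finding]:
    """Parse one OTL line; returns None for section markers and commands."""
    line = line.strip()
    m = FILE_RE.match(line)
    if m:
        return Finding(m["path"], assess_file(m))
    m = RUN_RE.match(line)
    if m:
        # An empty target (the first O4 line above) is labelled by its value name.
        label = m["target"] or f"{m['hive']}\\Run:[{m['name']}]"
        return Finding(label, assess_run(m))
    return None


def triage(log_text: str) -> List[Finding]:
    """Return only the entries for which at least one heuristic fired."""
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

Run stand-alone it prints each quoted entry with the reasons that fired; the two txrggao.sys lines are kept separate because OTL lists the path twice with different directory casing, and only the second carries the "Unable to obtain MD5" note that marks a file the scanner could not read.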

Hmmm, ok.

Here is the requested info again.

Is it bad btw?

Also, I keep getting antivir warnings. Here’s the last one:

C:\WINDOWS\Temp\sig1E.tmp

Is the TR/Rootkit.Gen Trojan

Action: Delete

================================

C:\WINDOWS\Temp\sig12.tmp

Is the TR/Rootkit.Gen Trojan

Action: Delete

Thanks for the help so far! Really appreciate it very much! ;D

PS. I noticed that the txrggao file is still there, or is this an original file?

PPS. I installed the free avast and I have the registration code, but I can’t register it. Is this because of the infection?

There is a rootkit so I will get the big boy on the job

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Well, that sounds bad enough to me…

Anyways, here’s the log you requested.

Once again, thanks!

Hi essexboy,

Could you please help me some more and/or give me an update?

My pc still keeps restarting 1-3 times a day and I also keep getting virus and trojan warnings.

Don’t know what to do next :-\

Thanks!
Robert

Hi guys,

Is there something I said or did wrong here?

I don’t think so. Normally (I think) essexboy subscribes to a topic so he can see replies; maybe he has missed it…

I will PM him so he is aware of this topic when he is back online

-Scott-

Hi Scott,

Thanks for your reply and for letting essexboy know ;D

Robert

Hi, my apologies - for some reason I did not receive my notifications.

  1. Please open Notepad
     - Click Start, then Run
     - Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
c:\windows\system32\drivers\txrggao.sys
c:\windows\system32\config\systemprofile\Application Data\rbuwzv.dat
c:\documents and settings\Eigenaar\g2mdlhlpx.exe
Renv::


  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
     - Combofix.txt

Hi, no problem ;D

Ok, here’s the Combofix.txt

Ok notifications are back on now for some reason ???

Removal of that driver has revealed two further hidden elements, which we will now kill. On completion of this run, could you let me know of any problems?

  1. Please open Notepad
     - Click Start, then Run
     - Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat

Driver::
uwhbbuo


  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
     - Combofix.txt

Hmm, I wish I knew what you mean or what is wrong… or how bad it is ???

But I don’t…

So, here it is again:

PS. All went ok btw, no problems.

Now it looks good ;D That was the last. The malware used different layers of masking: kill one and the next is revealed.

How is your computer behaving now ?

Alrighty then, cool! ;D

I assume it was a bad one?

Well, all looks good now. So, so far so good. Hopefully it stays like this for a looong time.

I’ll let you know if all goes well this week.

Anyways, thanks a LOT for your effort and time. I really appreciate it! 8)

Let me know tomorrow if all is well and I will remove my tools and tidy you up