siszyd32.exe Problems

Add me to the list of those hit with siszyd32.exe last week. I saw it happen when my java console popped open and shortly later Process Explorer that I keep in the tray went to 100% CPU. I use Avast and when I ran Spybot it found three attacks: Virtumonde.prx, PWS.small.bs and Nurech. I shut down the net and was able to clean up all the garbage – I thought. Repeated runs of Avast in boot mode and Spybot found nothing and my CPU usage had returned to normal with no strange processors running. When I turned on the network I got banged with another attack and CPU usage shot up to 100% again. I asked around and was told to load Malwarebytes and it found VUNDO.H. I’ve since run Spybot, Avast and Malwarebytes again and something I found, freefixer. Freefixer was able to remove siszyd32.exe but I looked at the Registry to check for any leftover entries. When I searched the Registry at key:

                     HKCU/software/microsoft/Search Assistant/ACMru/5603

I found values: 9129837.exe, sys05020.dll, srpcss.dll, gdipro.dll and before clearing siszyd32.exe.

When I delete them they returned again. Something else is going on here. I should add I also deleted Csimplayer.exe and fjhdyfhsn.

My machine up to this point had been clean. I run Avast, Spybot, ad-aware and my OS is patched XP SP3 and up to date with a firewall. I am hesitant to turn on the network and have this all happen again. Thank you for any help or suggestions you can provide. :cry:


I suggest that you download FreeFixer from the below link.

How to remove siszyd32.exe with Freefixer:

  1. Download and install FreeFixer: http://www.freefixer.com/download.html
    Freefixer is freeware, so it will not cost you anything.

  2. Start FreeFixer and click “Scan”. The scan will finish in approximately 5 minutes.

  3. In the Scan result, scroll down to “Autostart shortcuts”. Locate the siszyd32.exe item and check its “Delete” checkbox. DO NOT check anything else for removal, unless you are 100% sure it’s malware.

  4. Click “Fix”.

  5. Restart your machine.

  6. Start FreeFixer and scan your computer again.

  7. Verify that siszyd32.exe no longer appears anywhere in the scan result.

Did that completely remove siszyd32.exe from your machine?

siszyd32.exe is part of Troj/Agent-LVN as documented over at Sophos:
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentlvn.html

Please let us know the results.


Hi CharleyO thanks for reading my post. I ran FreeFixer and it found and I deleted the siszyd32.exe file. The problem is I’m not sure if I got it all. After running FreeFixer someone told me about Viper Rescue and I ran it and found more which Viper cleared. I am hesitant to turn on the Internet because the last time stuff seemed to come pouring in. I was told siszyd32.exe comes from a rootkit and I don’t know if I got it. Can someone look at an HJT report or other one since this isn’t what I’m good at. Thanks again.


If you will post a HJT log, someone will look at it and offer help. This probably will not show a rootkit but it may give other clues that can help.


Hi CharleyO, I’m new at posting logs publicly, but I think I’ve got it figured out. My HJT log can be found at:

http://cid-c96b5052195124ca.skydrive.live.com/self.aspx/.Documents/Public/hijackthis.log

I’d appreciate anyone looking at this thing and letting me know if I got this problem licked. I’m willing to run anything else, too. Thanks again for your help.


An analysis of your HJT log shows the following :

We couldn’t detect any active process of a firewall on your system. Possible reasons:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s firewall.

Possible problems :

(Note - If the Symantec entries are related only to Norton Ghost, they should be ok provided you are using Ghost. Entries not related to Ghost should be removed. There is also at least one McAfee entry and at least one Authentium entry.)

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Symantec Update related

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
Symantec Update related

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
Norton Software

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file.

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O9 - Extra button: (no name) - AutorunsDisabled - (no file)
To be fixed if the entry is unknown. Unnecessary (deactivated) entry that can be fixed.

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

As I stated above, if you are using Norton Ghost, some of the Symantec/Norton entries should be OK to keep. You will have to research the entries to be sure.

The McAfee and Authentium entries should be fixed as you seem to have a full install of avast. Having more than one av service is not recommended as this will cause many problems.
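
Added example, not part of the original posts and not the analysis tool used above: a small Python triage of HijackThis O4 and O23 lines that applies the two checks discussed in this reply, a Run value named exactly like its executable and services from more than one security vendor (Norton Ghost excluded as backup software). The vendor keyword map and the avast! sample line are assumptions made for the illustration.

```python
import ntpath
import re

# Constructed sample in HijackThis format; the avast! line is invented, the rest mirror the thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
'''

# Assumed keyword -> vendor map; extend it for the products you expect to see.
VENDOR_KEYWORDS = {"symantec": "Symantec", "norton": "Symantec", "authentium": "Authentium",
                   "mcafee": "McAfee", "alwil": "avast!", "avast": "avast!"}
O4_RE = re.compile(r'^O4 - \S+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (.+) - (.+?) - ([A-Za-z]:\\.+)$')

def same_name_autoruns(log):
    """O4 entries whose Run value name equals the executable's file name."""
    hits = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            cmd = m.group("cmd")
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
            if ntpath.basename(exe).lower() == m.group("name").lower():
                hits.append(m.group("name"))
    return hits

def security_vendors(log):
    """Group O23 services by security vendor, skipping Norton Ghost (backup)."""
    found = {}
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if not m or "norton ghost" in m.group(3).lower():
            continue
        name, owner, path = m.groups()
        # "Unknown owner" services are classified by their install path instead.
        haystack = (owner + " " + path).lower()
        vendor = next((v for k, v in VENDOR_KEYWORDS.items() if k in haystack), None)
        if vendor:
            found.setdefault(vendor, []).append(name)
    return found

if __name__ == "__main__":
    print("Run value named after its file:", same_name_autoruns(SAMPLE_LOG))
    print("Security vendors with services:", security_vendors(SAMPLE_LOG))
```

A same-name hit is only a prompt to check the file, as with the Verizon entry here, and more than one vendor in the second result is the leftover-antivirus situation described above.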



From the below, it appears that you may also be using more than just Norton Ghost as their virus scan and firewall appear as running tasks.

An Overview of running tasks when your HJT log was produced :

smss.exe
System task
Session Manager Subsystem

winlogon.exe
System task
Microsoft Windows Logon Process

services.exe
System task
Windows Service Controller

lsass.exe
System task
Local Security Authority Service

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

ccSvcHst.exe
Firewall
Symantec Service Framework Executable

spoolsv.exe
System task
Microsoft Printer Spooler Service

AppleMobileDeviceService.exe
Backgroundtask
Apple Mobile Device Service

aswUpdSv.exe
Virusscan
Avast Anti-Virus Component

ALUSchedulerSvc.exe
Virusscan
Symantec LiveUpdate Scheduler

ashServ.exe
Virusscan
Avast

mDNSResponder.exe
Backgroundtask
Bonjour for Windows Component

CDAC11BA.EXE
Backgroundtask
cdac11ba

CTsvcCDA.exe
Backgroundtask
Creative CD-ROM Services

Explorer.EXE
System task
Microsoft Windows Explorer

dvpapi.exe
Virusscan
Authentium Antivirus

inetinfo.exe
System task
IIS Admin Service Helper

InCDsrv.exe
Backgroundtask
Ahead Nero InCD Service

IntuitUpdateService.exe
Backgroundtask
IntuitUpdateService.exe

LSSrvc.exe
Backgroundtask
NERO Light Scribe Module

mdm.exe
Application
Machine Debug Manager

sqlservr.exe
System task
Microsoft SQL Server Suite

DSentry.exe
Backgroundtask
Dell DVD Sentry

JupitCo.exe
Unknown task ( USB SECURITY DEVICE CoInstaller )
Unknown task http://www.bleepingcomputer.com/startups/JupitCo.exe-6000.html

TPPALDR.EXE
Backgroundtask
TPP Auto Loader Application

WrtMon.exe
Driver
WrtMon.exe

SiteAdv.exe
Security software
SiteAdvisor Browser Plugin

WrtProc.exe
Driver
WrtProc.exe

em_exec.exe
Application
Logitech MouseWare.

ccApp.exe
Virusscan
Symantec Common Client CC App

ccApp.exe
Virusscan
ccApp.exe

CTCheck.exe
Backgroundtask
ZEN Media Explorer

ashDisp.exe
Virusscan
Avast AntiVirus

RUNDLL32.EXE
System task
Microsoft Rundll32

msmdsrv.exe
Backgroundtask
Microsoft SQL Server Analysis Services

wcescomm.exe
System task
Microsoft ActiveSync Connection Manager

HDD Thermometer.exe
Backgroundtask
HDD Dynamic Link Library

IEPrivacyKeeper.exe
Backgroundtask
IEPrivacyKeeper.exe

TeaTimer.exe
Application
Spybot S&D Realtime Scanner

rapimgr.exe
Backgroundtask
Microsoft ActiveSync Module

ctfmon.exe
System task
Alternative User Input Services

NPROTECT.EXE
Backgroundtask
Nprotect

GammaTray.exe
Suspicious task
MagicTune Traybar Assistant

tbnote.exe
Backgroundtask
TurboNote v6.4

WindowsSearch.exe
Backgroundtask
Windows Desktop Search Tray

nvsvc32.exe
Application
NVIDIA Driver Helper Service

w3dbsmgr.exe
Backgroundtask
Database Service Manager

procexp.exe
Backgroundtask
Sysinternals Process Explorer

NOPDB.EXE
Backgroundtask
Nopdb

sqlwriter.exe
Backgroundtask
Microsoft SQL Server

svchost.exe
System task
Microsoft Service Host Process

symlcsvc.exe
Firewall
Norton Internet Security Suite

svchost.exe
System task
Microsoft Service Host Process

fxssvc.exe
Application
Microsoft Fax

ashMaiSv.exe
Virusscan
Avast Anti-Virus Component

wuauclt.exe
System task
AutoUpdate Client

ashWebSv.exe
Virusscan
avast! Web Scanner

HijackThis.exe
Application
Merijn Hijackthis


Hi CharleyO, thanks for looking at the logs. My Windows Control Panel shows the MS Firewall turned on. I am using a NAT Router which I understand works as a firewall, too. I’m using Ghost for backup and am running an old version of Symantec Systemworks. I’ve had all sorts of anti-virus apps running at one time, but have uninstalled everything except Avast for the last two years. It looks like these apps left a lot of garbage on my machine. I’m surprised about the Authentium entry because I don’t recall having used anything by that name. VerizonServicepoint.exe point could be because I’m on Verizon DSL. I’m going to go back and knock out some of this garbage, but nothing obvious stands out from your viewpoint? Thanks again.


I did a little research on why you might have the Authentium entry and found this …

This dvpapi.exe program is part of the Authentium anti-virus and anti-malware software. It may have been distributed with your ISP or cable/dsl service, as this file is included in some security packages.

… at http://www.what-is-exe.com/filenames/dvpapi-exe.html
So, you should check with your ISP as to whether or not they supplied this. But, it would be my guess that they did.

Yes, MS firewall will not show up in a HJT log analysis which is explained in #1 of the firewall reasons of the HJT log analysis.

The VerizonServicepoint entry should be Ok since that is your ISP and I just listed it since the program and the executable are the same name which can appear suspicious.

If you have any more problems, please let us know.


I thought I had it all cleaned up and I turned on the Internet. In the time it took to download database updates for Avast and Malwarebytes I got hit with four viruses. This is definitely a rootkit that the canned software can’t find. I feel it is part of the original siszyd32.exe problem. Any thoughts or suggestions?

After throwing out a lot of garbage I think I fixed the problem. Malwarebytes found the Adware.AdRotator which I guess was brought in by siszyd32.exe before it was cleared. Malwarebytes didn’t clear everything on AdRotator I found by researching on ThreatExpert.com. They listed a program “AU .exe” which was still on my machine. They also listed a URL for the attack which I blocked in the Hosts file just to be safe. I hope this is the end of it; so far, all clear scans. Thanks for your help CharleyO.


You are welcome for the help given.

I am happy that you have solved your problem.