Two quick questions, for my own information -
Since the startup program listings in CCleaner and in Windows Defender could see it, but I couldn’t find it on the hard drive, and CCleaner couldn’t delete it, I am guessing that siszyd32.exe was not actually the root of the problem… is that correct? i.e. was the infection really another file hiding on my hard drive that created the siszyd32.exe file?
Second, I’m normally pretty good with antivirus security, running avast, MBAM, SAS pretty regularly. Apart from keeping software up to date, is there something I can do to better prevent this kind of problem?
It was actually being protected by the second copy - which neither of the other programmes saw. As it was being run from the registry under the appints
Unfortunately this is one of those nasties that could come from anywhere
Your security regime looks sound - I use Avast and MBAM, so in a way it is the luck of the draw if you visit an infected website
Thanks for your help with this essexboy and the others who posted advice, I really appreciate you taking the time out to go through everything with me and sort this out.
Best,
MP
[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
[*]File - Lop Check
[*]File - Purity Scan
[*]Evnt - EvtViewer (last 10)
[*]Under custom scans copy and paste the following
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
CREATERESTOREPOINT
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
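As an added example, not from the thread or from OTS itself: a Python script that does what the /md5start block above asks OTS to do, hashing the same list of system files and comparing the suspect machine's copies against a known-clean reference tree (for instance the drivers folder of another machine on the same Windows version and service pack, copied or mounted offline). The directory paths and the files built in demo() are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Names from the /md5start ... /md5stop section of the OTS custom scan above.
SYSTEM_FILES = ["eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
                "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
                "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys", "nvatabus.sys",
                "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys", "ViPrt.sys"]

def file_hash(path, algo="md5"):
    """Hex digest of a file read in chunks, or None if it does not exist."""
    path = Path(path)
    if not path.is_file():
        return None
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_system_files(suspect_dir, reference_dir, names=SYSTEM_FILES):
    """Per-file verdict: match, MISMATCH (patched or replaced), missing (gone
    from the suspect tree), no-reference, or absent (on neither side)."""
    verdicts = {}
    for name in names:
        s = file_hash(Path(suspect_dir, name))
        r = file_hash(Path(reference_dir, name))
        verdicts[name] = ("absent" if s is None and r is None else
                          "missing" if s is None else
                          "no-reference" if r is None else
                          "match" if s == r else "MISMATCH")
    return verdicts

def demo():
    """Constructed sample trees (placeholder bytes, not real drivers): in the
    suspect tree atapi.sys has two bytes altered and nvata.sys is deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, sus = Path(tmp, "ref"), Path(tmp, "sus")
        ref.mkdir(); sus.mkdir()
        body = b"MZ" + bytes(range(256)) * 4
        for name in ("atapi.sys", "nvata.sys", "eventlog.dll"):
            (ref / name).write_bytes(body)
        (sus / "eventlog.dll").write_bytes(body)
        (sus / "atapi.sys").write_bytes(body[:300] + b"\x90\x90" + body[302:])
        return compare_system_files(sus, ref, ["atapi.sys", "nvata.sys", "eventlog.dll", "ViPrt.sys"])

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

Run it against the disk from a clean boot environment rather than on the running infected system: a kernel rootkit can hand back the original bytes of a file it has patched, so an on-box hash can look clean.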
I have the same problem with siszyd32.exe and csimplayer.exe file. I have windows XP pro and I can't even boot into regular mode. I have run the OTS.exe in SAFE MODE and uploaded the file to http://www.mediafire.com/?yjyh5mjtrhn .
I have also attached the RSIT log files with this post.
Hi everyone, I had the same problem and sorted it out with the following program http://www.superantispyware.com/.
I hope this can be helpful for you.
@rankfast could you start your own thread and PM me the link, as I cannot run two infections in one thread. Ta
@ghosty85
Ok, first the bad news: you have the latest version of a rootkit. It has infected both copies of a file on your computer. Do you have access to another computer where you can get a copy of this file C:\WINDOWS\system32\DRIVERS\atapi.sys? If you can, I will need you to copy it to your root C: drive. Let me know on this.
One or more of the identified infections is a backdoor Trojan and a key logger.
If this computer is ever used for on-line banking, I suggest you do the following immediately:
Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Let's clear some of the garbage now
Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Modules - Safe List]
YY -> ucevenupehukuh.dll -> C:\WINDOWS\ucevenupehukuh.dll
[Win32 Services - Safe List]
YN -> (gupdate) Google Update Service (gupdate) [Auto | Stopped] ->
YY -> (MyWebSearchService) My Web Search Service [Auto | Stopped] -> C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2499262627-2763923191-843853277-1006\] > ->
YN -> HKEY_USERS\S-1-5-21-2499262627-2763923191-843853277-1006\: Main\\"SearchMigratedDefaultName" -> My Web Search
YN -> HKEY_USERS\S-1-5-21-2499262627-2763923191-843853277-1006\: Main\\"SearchMigratedDefaultUrl" -> http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCxdm768YYGB&fl=0&ptb=hFaIfhRKCbQmyZGSCaRTFg&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
< FireFox Extensions [User Folders] > ->
YY -> No name found -> C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\osrbx5ud.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> "{07B18EA9-A523-4961-B6BB-170DE4475CCA}" [HKLM] -> C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL [My Web Search]
YN -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Fnafidi" -> C:\WINDOWS\ucevenupehukuh.DLL [rundll32.exe "C:\WINDOWS\ucevenupehukuh.dll",Startup]
YN -> "Regedit32" -> C:\WINDOWS\System32\regedit.exe [C:\WINDOWS\system32\regedit.exe]
< Lee Startup Folder > -> C:\Documents and Settings\Lee\Start Menu\Programs\Startup
YY -> ~EmptyValue -> C:\Documents and Settings\Lee\Start Menu\Programs\Startup\siszyd32.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\sdra64.exe -> C:\WINDOWS\system32\sdra64.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
[Files/Folders - Modified Within 30 Days]
NY -> fecdfxgl.sys -> C:\WINDOWS\System32\drivers\fecdfxgl.sys
NY -> Swafamagabo.dat -> C:\WINDOWS\Swafamagabo.dat
NY -> Qkoqi.bin -> C:\WINDOWS\Qkoqi.bin
NY -> av_md.exe -> C:\WINDOWS\System32\av_md.exe
NY -> avdrn.dat -> C:\Documents and Settings\Lee\Application Data\avdrn.dat
[Files - No Company Name]
NY -> fecdfxgl.sys -> C:\WINDOWS\System32\drivers\fecdfxgl.sys
NY -> av_md.exe -> C:\WINDOWS\System32\av_md.exe
NY -> fvgqad.dat -> C:\Documents and Settings\NetworkService\Application Data\fvgqad.dat
NY -> Swafamagabo.dat -> C:\WINDOWS\Swafamagabo.dat
NY -> Qkoqi.bin -> C:\WINDOWS\Qkoqi.bin
NY -> fvgqad.dat -> C:\Documents and Settings\LocalService\Application Data\fvgqad.dat
NY -> avdrn.dat -> C:\Documents and Settings\Lee\Application Data\avdrn.dat
NY -> ucevenupehukuh.dll -> C:\WINDOWS\ucevenupehukuh.dll
NY -> pn.ini -> C:\WINDOWS\pn.ini
NY -> pr.ini -> C:\WINDOWS\pr.ini
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
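To see what a fix script like the one above actually does, here is an added Python parser (my example, not part of OTS or of the post) for that line format: it splits each item into its two Y/N flags, the entry name and the file it points to, then lists the files that would be deleted separately from the persistence entries that are only unlinked, as with the Regedit32 Run value whose target is the legitimate regedit.exe. The flag meaning used (first letter removes the entry, second removes the file) is an assumption, and SAMPLE is a shortened copy of lines from the post.

```python
import re

# Constructed sample: a shortened copy of lines from the fix script in the post above.
SAMPLE = r"""[Win32 Services - Safe List]
YN -> (gupdate) Google Update Service (gupdate) [Auto | Stopped] ->
YY -> (MyWebSearchService) My Web Search Service [Auto | Stopped] -> C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Fnafidi" -> C:\WINDOWS\ucevenupehukuh.DLL [rundll32.exe "C:\WINDOWS\ucevenupehukuh.dll",Startup]
YN -> "Regedit32" -> C:\WINDOWS\System32\regedit.exe [C:\WINDOWS\system32\regedit.exe]
[Files - No Company Name]
NY -> fecdfxgl.sys -> C:\WINDOWS\System32\drivers\fecdfxgl.sys
"""

# Item line: two Y/N flags, the entry name, then the file it points to (may be empty).
ITEM = re.compile(r"^([YN])([YN]) -> (.*?) -> ?(.*)$")

def parse_fix_script(text):
    """Yield a record per item line with its enclosing [section] and < location >.
    Assumed flag meaning: first letter removes the entry, second removes the file."""
    section = location = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section, location = line[1:-1], None
            continue
        if line.startswith("<"):
            location = line.split(" -> ", 1)[-1]
            continue
        m = ITEM.match(line)
        if not m:
            continue
        entry_flag, file_flag, name, target = m.groups()
        target = re.sub(r"\s*\[[^\]]*\]$", "", target)  # drop trailing "[command line]"
        yield {"section": section, "location": location, "name": name.strip('"'),
               "target": target or None,
               "remove_entry": entry_flag == "Y", "remove_file": file_flag == "Y"}

def files_to_delete(text):
    """Paths the fix removes from disk."""
    return sorted({r["target"] for r in parse_fix_script(text) if r["remove_file"] and r["target"]})

def entries_only(text):
    """Persistence entries unlinked while the file they point to is kept."""
    return [r["name"] for r in parse_fix_script(text) if r["remove_entry"] and not r["remove_file"]]

if __name__ == "__main__":
    for path in files_to_delete(SAMPLE):
        print("delete:", path)
    print("unlink only:", entries_only(SAMPLE))
```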
Essexboy, the siszyd32.exe file is no longer on my system I believe. It doesn't show up in my automatic start ups which it always used to do, so thank you for that.
However, I've tried copying the atapi.sys file from my housemate's computer but it won't let me copy it to a storage device as it's 'in use' on his system. Any ideas on what to do there?
Also, sometimes my laptop decides to display an error message and a 1 minute countdown till a system restart. It mentions there's an error with system32's 'services.exe' or something like that. Probably because my atapi.sys is messed up (or deleted now).
You've been a star so far and I really appreciate you killing the little bastard (by far the worst virus I've had). So again thank you.
When I started my computer, Windows Defender warned me and I could easily delete this Trojan, but I’m still not sure if it is deleted entirely :s. Can I use your fixes you have made for the others?
I would say the short answer is no. Any specific fix is crafted from the logs submitted by the person the fix is for. So as has been said it would have to be in a topic of its own, so as not to confuse/complicate this one.
[*]Double-click SystemLook.exe to run it.
[*]Copy the content of the following codebox into the main textfield:
:filefind
atapi.sys
[*]Click the Look button to start the scan.
[*]When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop entitled SystemLook.txt
Any file not in use can be copied
EACH FIX IS INDIVIDUAL TO THAT COMPUTER AND MAY BREAK ANOTHER SYSTEM
@ghosty85 there is a new programme by Kaspersky that has had good results so far and is now out of Beta
[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
[*]Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.
[*]If it says “Hidden service detected” DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
[*]When it is done, a log file should be created on your C: drive called “TDSSKiller.txt” please copy and paste the contents of that file here.
Ok I am having this same siszyd32.exe problem pop up on my computer, and I’m not extremely good with computers. I have done some stuff with combo fix before but am not exactly sure how to use it.
Can anyone assist me in removing the pesky thing? Help would be super appreciated.