SISZYD32 here as well, HJT log attached

I also have this issue.
I removed it from startup, but it reappears.
svhost process takes up 90-100% of cpu.
I have full version of Malwarebytes, running it to clean wipes out Opera 10
AVG doesn’t pick anything up.
Currently running OTS, will post results when finished, taking forever…
Thanks for any help

AVG doesn't pick anything up.
Recommended: replace AVG with Avast..... ;D

Have it ready to go :slight_smile: It’ll be on once this is cleaned up. But that doesn’t solve the issue I’m having right now either.

OTS log attached

Windows XP Service Pack 3 has been available for over a year and a half plus it provides many Critical Updates and performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

Adobe Acrobat 7.0 is very vulnerable to attack and should be installed.

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Running the updates now… this was a fresh install from my SP2 disk, not sure why I didn't update it before.

Edit: Adobe 9.2 installed, Windows is downloading SP3 now.

Microsoft says the Windows Live OneCare safety scanner will remove this threat, but I haven't tried it myself as I haven't come across this bug.

http://onecare.live.com/site/en-us/default.htm

Also install Windows Defender as it is not installed by default on XP:
http://www.microsoft.com/uk/athome/security/spyware/software/default.mspx

I keep it updated daily and have it run a daily Quick scan

Windows Defender Version: 1.1.1593.0
Engine Version: 1.1.5302.0
Definition Version: 1.71.1885.0
Product ID: 81664-512-5333412-04571

For more information on Windows Defender and available support options, visit http://go.microsoft.com/fwlink/?LinkId=70604

Here you go try this

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< TraderBob Startup Folder > -> C:\Documents and Settings\TraderBob\Start Menu\Programs\Startup
YY -> ~EmptyValue -> C:\Documents and Settings\TraderBob\Start Menu\Programs\Startup\siszyd32.exe
[Files/Folders - Created Within 30 Days]
NY ->  4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  VUKOPTIBFYN -> C:\WINDOWS\System32\VUKOPTIBFYN
NY ->  Wxigaxeyuvasaxog.dat -> C:\WINDOWS\Wxigaxeyuvasaxog.dat
NY ->  Vqowirebanup.bin -> C:\WINDOWS\Vqowirebanup.bin
NY ->  4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files - No Company Name]
NY ->  VUKOPTIBFYN -> C:\WINDOWS\System32\VUKOPTIBFYN
NY ->  Wxigaxeyuvasaxog.dat -> C:\WINDOWS\Wxigaxeyuvasaxog.dat
NY ->  nvDrv.sy -> C:\WINDOWS\nvDrv.sy
NY ->  Vqowirebanup.bin -> C:\WINDOWS\Vqowirebanup.bin
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Hello and thanks for the reply.
Just as a side note, last night I updated XP to SP3, installed all the hotfixes for Windows and Office, uninstalled AVG, installed Avast. I also installed Secunia PSI. It shows all browsers insecure because of Acrobat Reader but says "insecure, no solution", as well as IE8, "insecure, no solution". So it's as patched as it's going to get.
Attached are the 2 logs you requested.

Phase two now. I would recommend replacing Adobe Reader with Foxit Reader, but do not accept the toolbar: http://www.foxitsoftware.com/pdf/reader/download.php

  1. Please open Notepad
    [*] Click Start, then Run
    [*] Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


Driver::
awxfnvd
tdoxm
vobja

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*] Combofix.txt
    [*] A new OTS log.

Here is the ComboFix log; the OTS log I'll have to upload, I think.

OTS log: http://www.mediafire.com/file/yymonmjnj0j/OTS.Txt

Thanks again

That looked OK - what problems are you having now?

And a final sweep for orphans

Malwarebytes’ Anti-Malware
Please download Malwarebytes’ Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

I have malwarebytes, I bought it because of all the good reviews.
It seems all issues are gone at this point, no more call outs to various IPs either.
Thank you for your help, and I am already liking Avast more than AVG… :slight_smile:

OK, tidy-up time then - plus a better class of clientele here than the AVG forum ;D

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… Run OTL and hit the Cleanup button. It will remove all the programmes we have used, plus itself. MBAM can be uninstalled via Control Panel > Add/Remove Programs, along with ERUNT. But they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 17.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u17-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u16-windows-i586-p.exe and select “Run as an Administrator.”)

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

[*]Select Start > All Programs > Accessories > System tools > System Restore.
[*]On the dialogue box that appears select Create a Restore Point
[*]Click NEXT
[*]Enter a name e.g. Clean
[*]Click CREATE

You now have a clean restore point, to get rid of the bad ones:

[*]Select Start > All Programs > Accessories > System tools > Disk Cleanup.
[*]In the Drop down box that appears select your main drive e.g. C
[*]Click OK
[*]The system will do some calculation and then display a dialogue box with TABS
[*]Select the More Options Tab.
[*]At the bottom will be a System Restore box with a CLEANUP button; click this
[*]Accept the warning and select OK again; the program will close and you are done

SPRING CLEAN

Download TFC to your desktop

[*]Open the file and close any other windows.
[*]It will close all programs itself when run, make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job
[*]Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

THEN

Download and run Auslogics Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
[*]SuperAntispyware Run weekly to keep your system clean

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

Hmm, not sure if this is related, but at 1 AM 3 hits were blocked to this IP 69.64.147.212, which is at Enom, showing 77000+ sites on there… parking server? Another one as I'm writing this.
Neither Malwarebytes nor Avast shows anything on my system after scanning again.
Something to worry about? Or not?

That IP is listed at hpHost
http://hosts-file.net/default.asp?s=69.64.147.212

so Malwarebytes correctly blocked you from entering that page

That's the thing, I wasn't going anywhere… when it started, I was checking mail and browsing this forum.
I think it may have been a mail with an image (1x1 gif) pointing back there.
Thank you for the hosts-file.net link.
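The 1x1 GIF guess above can be checked rather than guessed at: pull the image references out of the HTML part of the suspect mail and see which of them point at an external host, which are pixel-sized, and which hit a hosts-format blocklist such as the hpHosts file. The script below is an added example written for this editing pass, not something from the thread or from any of the tools used in it; the sample mail, the hosts-format sample and the helper names (load_hosts_blocklist, find_beacons) are constructed for illustration. A hosts file only carries names, so the IP from the thread is added to the blocklist by hand.

```python
"""Find external image beacons in an HTML e-mail and check them against a blocklist.

Added example, not from the forum thread. The mail body, the hosts-format sample
and the function names are constructed for illustration; feed the real message
source and a real hosts-format list (e.g. hpHosts) to use it for real.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed hosts-format sample, laid out like hpHosts / a HOSTS file.
HOSTS_SAMPLE = """# constructed sample (not a real feed)
127.0.0.1 localhost
127.0.0.1 tracker.example
127.0.0.1 ads.example.net   # trailing comment
"""

# Constructed HTML mail: one pixel beacon on the thread's IP, one CID-embedded
# logo, one full-size remote image on a listed host, one inline data: pixel.
SAMPLE_MAIL = """
<html><body>
<p>Your order has shipped.</p>
<img src="http://69.64.147.212/t.gif?id=abc123" width="1" height="1" alt="">
<img src="cid:logo" width="120" height="40">
<img src="http://tracker.example/open.png?u=42" width="100" height="100">
<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" width="1" height="1">
</body></html>
"""


def load_hosts_blocklist(text):
    """Return the set of host names a hosts-format list sinkholes to 127.0.0.1/0.0.0.0."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "0.0.0.0"):
            hosts.update(h.lower() for h in parts[1:] if h.lower() != "localhost")
    return hosts


# Hosts files carry names only; the IP seen in the thread is added by hand.
BLOCKLIST = load_hosts_blocklist(HOSTS_SAMPLE) | {"69.64.147.212"}


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag (HTMLParser lowercases names)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def _px(value):
    """Parse a width/height attribute such as '1' or '100px'; None if not numeric."""
    if value is None:
        return None
    value = value.strip().rstrip("px")
    return int(value) if value.isdigit() else None


def _is_beacon_size(attrs):
    """1x1 (or smaller) declared size is the classic tracking-pixel pattern."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    return w is not None and h is not None and w <= 1 and h <= 1


def find_beacons(html, blocklist=BLOCKLIST):
    """Return (src, host, reasons) for every remote image that looks like a beacon
    or points at a blocklisted host. cid: and data: images cannot phone home and
    are skipped."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src") or ""
        host = urlsplit(src).hostname          # None for cid:, data:, relative paths
        if not host:
            continue
        reasons = []
        if _is_beacon_size(attrs):
            reasons.append("1x1 pixel")
        if host.lower() in blocklist:
            reasons.append("host on blocklist")
        if reasons:
            findings.append((src, host, reasons))
    return findings


if __name__ == "__main__":
    for src, host, reasons in find_beacons(SAMPLE_MAIL):
        print(f"{host:20s} {', '.join(reasons):28s} {src}")
```

Run it against the raw source of the message (the HTML part after decoding) rather than what the mail client renders; a blocked outbound hit to a listed IP with nothing in the address bar is exactly what such a remote image produces when the client fetches it.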

Any other problems ?