Siszyd32 Root Kit Help

Hi.

I have read some of the other posts on siszyd32 and so ran MAM to remove it; however, there is still a fxkoby.sys file on my system which I cannot get rid of.

Can you please help me get rid of the trojan?

Thanks.

I have done the OTS scan and the txt file is attached.

welcome

another suggestion you can try is SAS

http://filehippo.com/download_superantispyware/

good luck and write back on your progress

Hi, try this first to clear the fellow travellers.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  fxkoby.sys -> C:\WINDOWS\System32\drivers\fxkoby.sys
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
NY ->  Kvetarorohugewu.dat -> C:\WINDOWS\Kvetarorohugewu.dat
NY ->  Dwixuvupo.bin -> C:\WINDOWS\Dwixuvupo.bin
NY ->  initdebug.nfo -> C:\WINDOWS\System32\initdebug.nfo
NY ->  4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  3 C:\Documents and Settings\Kultar S\Local Settings\Temp\010810235003\*.tmp files -> C:\Documents and Settings\Kultar S\Local Settings\Temp\010810235003\*.tmp
NY ->  3 C:\Documents and Settings\Kultar S\Local Settings\Temp\010810235003\*.tmp files -> C:\Documents and Settings\Kultar S\Local Settings\Temp\010810235003\*.tmp
[Custom Scans]
NY ->  4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

I ran the OTS fix and it asked me to reboot, so I clicked OK, but it only partially rebooted: it stayed on the XP loading screen for quite a while, so I manually turned it off and on.

Combofix ran fine though.

Logs are attached.

CF killed the rootkit that OTS couldn’t kill - but more to remove still - ever thought of changing from AVG to Avast ?

  1. Please open Notepad
    [*] Click Start, then Run
    [*] Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


MBR::

File::
c:\windows\pss\siszyd32.exe
c:\documents and settings\Kultar S\Start Menu\Programs\Startup\siszyd32.exe

Driver::
ebvzqta

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Kultar S^Start Menu^Programs^Startup^siszyd32.exe]

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt .
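An added check that is not part of the thread or of ComboFix: after the CFScript run and reboot, this PowerShell snippet confirms that the files, the driver service and the msconfig startup-folder entry named in the script are really gone. The paths and the service name are the ones from the script above; the function name and the expansion of ComboFix's `~` shorthand to HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig are assumptions.

```powershell
# Added verification script (not ComboFix's own code). Re-checks the items the
# CFScript above targets; run it from an elevated PowerShell prompt after the reboot.
$files = @(
    'C:\windows\pss\siszyd32.exe',
    'C:\documents and settings\Kultar S\Start Menu\Programs\Startup\siszyd32.exe',
    'C:\WINDOWS\System32\drivers\fxkoby.sys'   # the driver file OTS could not delete
)
$driverService = 'ebvzqta'                     # name from the Driver:: section

function Test-CleanupResult {
    param([string[]]$Paths, [string]$ServiceName)
    $findings = @()
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p -Force   # -Force also shows hidden files
            $findings += "File still present: $p ($($item.Length) bytes, modified $($item.LastWriteTime))"
        }
    }
    # A kernel driver is loaded through its service entry, so check the registry too:
    # a service key that still points at the driver will load it again at boot.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (Test-Path -LiteralPath $svcKey) {
        $image = (Get-ItemProperty -LiteralPath $svcKey).ImagePath
        $findings += "Service key still present: $svcKey (ImagePath: $image)"
    }
    # Assumption: ComboFix's 'HKLM\~\startupfolder' denotes msconfig's disabled-startup cache.
    $startupKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder'
    if (Test-Path -LiteralPath $startupKey) {
        foreach ($entry in Get-ChildItem -LiteralPath $startupKey) {
            if ($entry.PSChildName -like '*siszyd32*') {
                $findings += "msconfig startupfolder entry still present: $($entry.PSChildName)"
            }
        }
    }
    return $findings
}

$result = @(Test-CleanupResult -Paths $files -ServiceName $driverService)
if ($result.Count -eq 0) { 'No leftovers from the CFScript items found.' } else { $result }
```

If anything is still listed, post the output together with the new ComboFix log rather than deleting the items by hand.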

Yeah, I’ve installed avast now. Combofix log attached.

What problems are you experiencing now ?

I just started a full MAM scan and avast popped up saying I have a sign of win32:CTX in c:\windows\system32\activescan\pskavs.dll, and I clicked to send it to the chest.

So far MAM has found 2 infected reg entries it looks like but will post again once the scan has finished.

c:\windows\system32\activescan\pskavs.dll is part of Panda ActiveScan :)

I hate the way Panda’s on-line scanner dumps its virus signatures in the system folders and, even worse, it doesn’t encrypt those virus signatures, so other anti-virus software will alert on them.

When running scans by third-party security software it can be advisable to pause the Standard Shield; this prevents this type of thing: as the other scanner opens the file for scanning, avast hooks the file and scans it first. This can cause conflict and duplication of scanning, so pausing the Standard Shield for the duration of the scan should avoid the potential conflict and duplication of scan, reducing overall scan duration.

During the MAM scan avast popped up again and said it found fxkoby.sys, so I moved it to the chest.

Below is what the MAM scan found, so hopefully everything will be gone now. Going to reboot and do another scan.
Files Infected:
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP668\A0039021.sys (Malware.Trace) → Quarantined and deleted successfully.
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP668\A0039291.sys (Malware.Trace) → Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\fxkoby.sys.vir (Rootkit.Agent) → Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\fxkoby.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
In combofix quarantine area - nice and safe there :)

Hi all,

I got infected with this siszyd32 malware. It keeps running at start up no matter how many times I disable it. I have limited internet usage and this virus keeps downloading some junk (I don't know from where). It terribly consumes the Internet bandwidth.

I’m a newbie to these virus removal things. I have gone through the forums regarding this virus but got a bit confused as so many s/ws are mentioned and I don't know how to proceed. I have installed the latest avast home edition. Can anyone guide me to remove this virus by providing the steps to be followed?

Need Help badly. Thank you in advance.

Follow the guide from essexboy and start a new topic when you post the log, and not inside this one belonging to someone else:
http://forum.avast.com/index.php?topic=53253.0

MAM and SAS didn't find anything bad; SAS only found a couple of cookies. And there is no longer any random net activity, so it appears everything has gone.

Thanks essexboy, you the man!

Nice. Run OTS and hit the cleanup button and it will remove the tools - enjoy

Hi all,
My computer got infected with siszyd32 too!
Before I found this forum I did some reading about “Security Program” or whatever the name was of a rogue program that was installed on my computer. I followed some instructions and deleted some files manually.
Then when I found this forum and read some threads I ran MAM and CF.
Now everything seems to have been deleted… or I think it's safer to say that MAM only finds 1 file that is infected. It's the Rootkit.Agent C:\WINDOWS\system32\drivers\yuwiadwz.sys
I can select to delete it in MAM and it says that it was deleted, but when I reboot my comp and make a new search with MAM it finds the same file again… does anyone have any suggestions? If I do a system reparation, formation (don't know the exact word in English) = if I reinstall the computer, reinstall Windows and everything… is there a risk that this malware will survive? I would like to get rid of it before I reinstall everything to be on the safe side, but maybe that isn't necessary? Please excuse my misspelling! Thanks

I will need to run an analysis tool first to determine the strength of tool to use, but a reformat should not be required

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
[*]Reg - Shell Spawning
[*]File - Lop Check
[*]File - Purity Scan
[*]Evnt - EvtViewer (last 10)
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
[*]Click Add Reply
[*]Under the reply panel is the Attachments Panel
[*]Browse for the attachment file you want to upload, then click the green Upload button
[*]Once it has uploaded, click the Manage Current Attachments drop down box
[*]Click on the attach-image icon to insert the attachment into your post

Hi
I did a scan on my comp with OTS just as your instructions said. Here is the report file:

Is there any way to get rid of this rootkit? thanks for the help