On Friday, December 11 a trojan horse got it’s way into my Windows.
It all started with AVAST trowing these warnings:
11/12/2009 23:08:51 xxx 412 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\~TM1F1A.tmp” file.
I told AVAST to delete ~TM1F1A.tmp, but avast apparently didn’t delete the file. Shortly after AVAST complained about a system file:
11/12/2009 23:10:08 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\drivers\atapi.sys” file.
11/12/2009 23:10:37 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\dllcache\atapi.sys” file.
Then I looked at the running processes.
A process called CsimPlayer.exe was running and had two child processes svchost.exe attached to it.
Running a SHA Hash comparison between CsimPlayer.exe and the tmp-file confirmed that CsimPlayer.exe was indeed ~TM1F1A.tmp, the file AVAST identified as malware. The same CsimPlayer was added to the startup registry tree : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ( C:\\WINDOWS\\system32\\CsimPlayer.exe” )
In the meantime a CMD (command prompt) process was eagerly active tunning a batch called fjhdyfhsn.bat. The batch command file contained following statements (a loop trying to delete firefox… ):
@echo off
:try
@del /F /Q "C:\Program Files\Mozilla Firefox\firefox.exe"
if exist "C:\Program Files\Mozilla Firefox\firefox.exe" goto try
The BAT file was dropped on my system at 11 december 23:08, moments before the ~temp files.
Another file called siszyd32.exe was dropped in the StartUp folder.
I still don’t know what it was and why Avast isn’t detecting it. I will keep you posted if more info is available.
At the mean time try following:
- download process explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
- Run it then kill all CMDs, siszyd32.exe and CsimPlayer.exe
- remove all instances of siszyd32.exe and CsimPlayer.exe on your C:\drive
- Remove it from the registry
Removal Instructions
You’ve got this malware probably because java, flash or acrobat aren’t up to date. Older versions are insecure and potentially exposes your system to security threats! Scan your system with this online scanner.
Removal: