Author Topic: help needed! PC slow & infected  (Read 5363 times)
Rotty (Global Moderator)
« Reply #15 on: October 27, 2007, 07:14:49 PM »

As a side note:

The "C:\WINDOWS\system32\SSVICHOSST.exe" line was under the processes list, which means there were two instances of the executable running at once. This cannot be fixed in HijackThis, although you could end the process.

The idea is to remove the entry that launched the process at startup: "O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSVICHOSST.exe" which was removed.

Anything that starts with "O4" (Run registry entry) or "O23" (registered service) means that it launches a process at startup. HijackThis covers a few sections of the registry as "O4", but all have the same effect of starting a process at startup.
moysong (Newbie)
« Reply #16 on: November 08, 2007, 06:36:07 AM »

Hey guys! Can you please tell me about this, because I also have the same problem: I can't open Task Manager... Please help me, thank you.


Moderator Edit: Please do NOT post HJT logs; they are simply too long. Instead, upload them as an attachment. Also please do not capitalize posts, as on the internet it implies shouting/yelling.
« Last Edit: November 13, 2007, 05:13:57 PM by Soyabeaner »
moysong (Newbie)
« Reply #17 on: November 08, 2007, 06:43:48 AM »

Please tell me, what are those in red color...?
N.T.T.W. (Global Moderator)
« Reply #18 on: November 08, 2007, 08:11:49 AM »

Looks like you have BearShare on your PC as well as askpbar. There may be other things as well.

Do you have Spybot S&D? If not, I would recommend you download it and run it.

http://www.safer-networking.org/en/download/index.html
grue155 (Global Moderator)
« Reply #19 on: November 09, 2007, 02:47:19 PM »

moysong:

This log entry

O4 - HKCU\..\Run: [Tok-Cirrhatus-3939] "C:\Documents and Settings\ramil.bungque\Local Settings\Application Data\br8901on.exe"

matches a description http://www.prevx1.com/polywaredetail.asp?SQ=HCCI445255 for a polyware virus going by the name RAKYATKELAPARAN.EXE

A google search on RAKYATKELAPARAN.EXE turns this reference http://www.bleepingcomputer.com/startups/RakyatKelaparan.exe-13875.html
described as "Added by the W32/Brontok-I worm."

Your log also has this item
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
meaning that your ability to edit the registry has been disabled. That's a common thing for malware to do these days, in an effort to make cleanup more difficult.

For details on W32/Brontok-I, see http://www.sophos.com/virusinfo/analyses/w32brontoki.html

From what I've seen in various malware cleanup forums elsewhere, Brontok is not an easy cleanup.

And that's about the limit of my skills. I can follow logs for the most part, but doing the cleanup isn't my field.

Edit: Doing some more checking, this description http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fBrontok
confirms several additional details in your log as matching that of the Brontok virus. Microsoft rates removal of this malware as "difficult".

There seem to be few tools dealing directly with Brontok removal. Several that I've found listed are for previous versions of the malware, and are incomplete or ineffective at removal of Brontok-I.

The Microsoft Malicious Software Removal Tool is listed as a removal tool. The MSRT can be downloaded at http://www.microsoft.com/security/malwareremove/default.mspx
« Last Edit: November 09, 2007, 04:00:17 PM by grue155 »
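As an added example (not code from this thread, from Comodo or from HijackThis), the script below triages HJT log lines along the lines of Rotty's note on O4 autostart entries and grue155's note on the O7 DisableRegedit policy: it parses O4 and O7 lines, flags autostarts launched from user-profile paths or using a core Windows process name (such as smss.exe) outside System32, and flags lockout policies. The sample lines are the four entries quoted in this thread plus one constructed benign control; the heuristics, marker lists and function names are the example's own assumptions.

```python
import re

# Sample HijackThis (HJT) log: the O4/O7 lines with SSVICHOSST, br8901on,
# smss.exe and DisableRegedit are the entries quoted in this thread; the
# SoundMan line is a constructed benign control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSVICHOSST.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus-3939] "C:\Documents and Settings\ramil.bungque\Local Settings\Application Data\br8901on.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\ramil.bungque\Local Settings\Application Data\smss.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# O4: "<hive>: [<entry name>] <command line>"; O7: "<key>, <value>=<data>"
O4_RE = re.compile(r'^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O7_RE = re.compile(r'^O7 - (?P<key>.+?), (?P<value>\w+)=(?P<data>.+)$')

# Heuristic markers (assumptions of this example, not an HJT feature).
PROFILE_MARKERS = ("documents and settings", "local settings", "application data", "\\temp\\")
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe", "svchost.exe"}
LOCKOUT_POLICIES = {"DisableRegedit", "DisableTaskMgr"}


def exe_path(cmd: str) -> str:
    """Return the executable part of an autostart command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def triage(log: str):
    """Return (line, reason) pairs for O4/O7 entries worth a closer look."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            low = exe_path(m["cmd"]).lower()
            folder, _, fname = low.rpartition("\\")
            if any(mark in low for mark in PROFILE_MARKERS):
                findings.append((line, "autostart runs from a user-writable profile/temp path"))
            if fname in SYSTEM_NAMES and not folder.endswith("\\system32"):
                findings.append((line, f"system-process name {fname} outside System32"))
            continue
        m = O7_RE.match(line)
        if m and m["value"] in LOCKOUT_POLICIES and m["data"].strip() == "1":
            findings.append((line, f"{m['value']} policy set: an admin tool has been disabled"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Note that the SSVICHOSST.exe entry passes these path heuristics because it sits in System32 under a plausible-looking name, which is why the moderators above fell back to name lookups at Prevx and Sophos; a triage script narrows the list, it does not replace that step.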
moysong (Newbie)
« Reply #20 on: November 13, 2007, 06:38:05 AM »

Guys! Please tell me exactly what I can do to get rid of this malware, to heal or remove it, because my PC is running slowly.

Moderator Edit: Please do NOT post HJT logs; they are simply too long. Instead, upload them as an attachment.
« Last Edit: November 13, 2007, 05:15:37 PM by Soyabeaner »
Goose18
« Reply #21 on: November 13, 2007, 09:14:17 AM »

Best way for a 100% clean PC.... *Reformat*. I know reformatting sucks, but from time to time it will need to be done...
grue155 (Global Moderator)
« Reply #22 on: November 13, 2007, 03:04:31 PM »

Your HijackThis log still shows signs of Brontok-I. Specifically these two lines:

Quote
O4 - HKCU\..\Run: [Tok-Cirrhatus-3939] "C:\Documents and Settings\ramil.bungque\Local Settings\Application Data\br8901on.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\ramil.bungque\Local Settings\Application Data\smss.exe"

From what I can tell, the forum here can provide basic help, but what you have isn't a basic kind of problem.

You've got these alternatives, in this order:
  • Download and run the Microsoft Malicious Software Removal Tool, which does list itself as removing Brontok malware.
  • A web search turns up removal instructions at trendmicro.com, at their web page http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBRONTOK%2EI&VSect=Sn
  • The Trendmicro web page also lists their on-line scanner Housecall as being able to remove Brontok.
  • If those methods don't work, then I'm going to point you to another malware removal forum for assistance to walk you through the malware cleanup. I'll suggest castlecops.com, bleepingcomputer.com, spywareinfo.com, techsupportform.com. Any of the forums listed at the ASAP page http://asap.maddoktor2.com/ can do the job.
  • At worst, goose17 is right, then you zero wipe your disk, format, and reinstall.

Wish I could be more help, but this is outside my skill range.
Ragwing (Global Moderator)
« Reply #23 on: November 13, 2007, 03:22:07 PM »

C:\WINDOWS\SSVICHOSST.exe

Seems like this one has returned.
For info about it:
http://spywarefiles.prevx.com/RRDDGD036916051/SSVICHOSST.EXE.html

You can try downloading the tool there and see if it's able to fix the problem.

If you're able to, install CFP3 with HIPS, or another HIPS. This way you can prevent it from running.
Though the best thing you can do is to back up all important data to a second HDD/external HDD/USB drive or CD/DVD and then format.

Cheers,
Ragwing
grue155 (Global Moderator)
« Reply #24 on: November 13, 2007, 03:50:35 PM »

Quote
C:\WINDOWS\SSVICHOSST.exe

And that, through Prevx, becomes W32/Sohana-R. Details: http://www.sophos.com/security/analyses/w32sohanar.html

Note this from the Sophos description:
Quote
W32/Sohana-R includes functionality to
 - access the internet and communicate with a remote server via HTTP.
 - download, install and run new software.

With both Brontok and Sohana, I'd say the machine is fully compromised. While you might be able to get it cleaned through one of the ASAP malware removal forums, I don't believe that the machine can be trusted again. At this stage of infection, I'd expect there to be a rootkit fully installed.

It's a judgment call, but I'd suggest what goose17 suggested: make what backups you can, and can verify are _not_ infected, then zero wipe the disk, and reinstall.
moysong (Newbie)
« Reply #25 on: November 14, 2007, 03:59:14 AM »

Thank you guys! I think I need to do the best way...

Sorry for the bold letters thing & the HJT logs...

Thank you again guys for all your suggestions... I'll be back when my PC is reformatted, ok.. cheers