help needed! PC slow & infected

suhasmk · September 29, 2007, 5:28pm

I find my computer running very slowly. This is happening from just few days.
I regularly update my anti-virus and other similar programs. Whenever i scan my computer, it takes plenty hours to scan just a few files.
I cannot even open task manager and run regedit.

Please help me in this regard…

Ragwing · September 29, 2007, 5:42pm

Greetings,

If you can’t open task manager or regedit, it’s surely a malware.
Have you installed anything new this week or visited some site you haven’t before?
Download HijackThis(http://216.180.233.162/~merijn/programs.php#hijackthis) and run it and save the logfile, then post it here(not the file, copy the text from the logfile instead), to see if there’s anything that’s suspicious.
Also try Spybot S&D and Lavasoft Ad-aware.

Ragwing

suhasmk · September 30, 2007, 9:55am

I installed certain programs from my pen drive.
I ran spybot and ad-aware. Spybot detected the problem (with task manager) and but didn’t get it corrected.

However i have posted the log file. Please see attachment.

Moderator Edit: Please do NOT post HJT logs; they are simply too long. Instead, upload them as an attachment.

[attachment deleted by admin]

alaertsxan · September 30, 2007, 10:09am

C:\WINDOWS\system32\SSVICHOSST.exe

This one is a virus called SSVICHOSST.exe is W32/Sohana-R. a think it's a rootkit. Try A-squared downloadable here : http://www.emsisoft.com/en/software/download/

Try scanning in safe mode with this

please post your advance

Xan

zvaragabor · September 30, 2007, 10:33am

Uhh, suhasmk, your computer is a malware farm.

Tick, then fix these:
C:\WINDOWS\system32\SSVICHOSST.exe
C:\WINDOWS\system32\SSVICHOSST.exe(yes, there are two of this)
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O1 - Hosts: 203.27.235.25 www. payseal.icicibank.com
O1 - Hosts: 210.210.19.82 www. sifymall.com
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKCU…\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSVICHOSST.exe
O4 - HKLM…\Policies\Explorer\Run: [status] present
O4 - HKUS\S-1-5-18…\RunOnce: [yisouu.dll] Regsvr32.exe /s C:\PROGRA~1\YiSou\yisouu.dll (User ‘SYSTEM’)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip…{48A41D8E-AED2-41C8-B82F-B28467017BBC}: NameServer = 202.144.95.4,202.144.66.6
O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - C:\WINDOWS\system32\ebkp.dll

Also run a full scan in safe mode with disabled system restore.

alaertsxan · September 30, 2007, 10:41am

Uhh, suhasmk, your computer is a malware farm. :)

LOL

C:\WINDOWS\system32\SSVICHOSST.exe

Yeah, still got one right ;)

Xan

suhasmk · September 30, 2007, 11:23am

Thank you zvaragabor. I tried your way. I could not find when i ran hijackthis.
C:\WINDOWS\system32\SSVICHOSST.exe
C:\WINDOWS\system32\SSVICHOSST.exe

However, i can run regedit and task manager.

alaertsxan · September 30, 2007, 11:35am

Please send another log file so we can see that you’re totally secure

suhasmk · September 30, 2007, 1:16pm

here is my log file. i couldn’t remove C:\WINDOWS\system32\SSVICHOSST.exe & C:\WINDOWS\system32\SSVICHOSST.exe
how can i remove that?

[attachment deleted by admin]

alaertsxan · September 30, 2007, 1:38pm

I can’t see no problem any more but I’m not really an expert, still try a scan in safe mode (I hope you now how to do it? If not just say) and scan with avg, adaware, and spybot to be complete sure.

Also a saw 1 thing, it’s no longer BoClean 4.24 it’s 4.25 now, you should consider updating him

Hope I could help ya
Xan

zvaragabor · September 30, 2007, 2:17pm

I cannot see the SSVICHOSST.exe in the new report too.
As alaertsxan mentioned, try a scan in safe mode. I would also recommend a-Squared free to run. It’s a good antispy too.
Anyway, which antivirus do you use?

suhasmk · September 30, 2007, 3:32pm

I use AVG free-edition anti-virus, Spybot, Ad-aware and Comodo BOClean.

suhasmk · October 5, 2007, 3:26pm

Greetings,
Finally Comodo BOClean came to my rescue. It detected and healed that particular virus. :BNC :BNC :BNC

little_mermaid · October 27, 2007, 4:21pm

I have the same problem

and this is the log file in the next reply

plzzzzzzzzzzz tell me what should I do ???

Ragwing · October 27, 2007, 4:40pm

If none of the above works, post your own topic in ‘Virus/Malware Removal Assistance’.
Include what security products you use, and include a HijackThis log(http://216.180.233.162/~merijn/programs.php#hijackthis).

Ragwing

Rotty · October 28, 2007, 12:14am

As a side note:

The “C:\WINDOWS\system32\SSVICHOSST.exe” line was under the processes list, that means the there were two instances of the executable running at once. This cannot be fixed in hijackthis, although you could end the process…

The idea is to remove the entry that launched the process at startup: “O4 - HKCU…\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSVICHOSST.exe” which was removed.

Anything that starts with “O4” (Run registry entry) or “O23” (Registered service) means that it launches a process at startup. Hijackthis covers a few sections of the registry as “O4” but all have the same effect of starting a process at startup.

moysong · November 8, 2007, 11:36am

HEY GUYS! CAN YOU PLEASE TELL ABOUT THIS COZ I HAVE ALSO SAME PROBLEM I CANT OPEN TASK MANAGER…PLEASE HELP ME THANK YOU,…

Moderator Edit: Please do NOT post HJT logs; they are simply too long. Instead, upload them as an attachment. Also please do not capitalize posts as on the internet it implies shouting/yelling.

[attachment deleted by admin]

moysong · November 8, 2007, 11:43am

PLEASE TELL WHAT ARE THOSE IN RED COLOR…?

anderow · November 8, 2007, 1:11pm

Looks like you have bearshare on your pc as well as askpbar. There may be other things as well.

Do you have spybot S & D? If not I would recommend you download it and run it.

http://www.safer-networking.org/en/download/index.html

:SMLR

grue155 · November 9, 2007, 7:47pm

moysong:

This log entry

O4 - HKCU…\Run: [Tok-Cirrhatus-3939] “C:\Documents and Settings\ramil.bungque\Local Settings\Application Data\br8901on.exe”

matches a description http://www.prevx1.com/polywaredetail.asp?SQ=HCCI445255 for a polyware virus going by the name RAKYATKELAPARAN.EXE

A google search on RAKYATKELAPARAN.EXE turns this reference http://www.bleepingcomputer.com/startups/RakyatKelaparan.exe-13875.html
described as “Added by the W32/Brontok-I worm.”

Your log also has this item
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
meaning that your ability to edit the registry has been disabled. That’s a common thing for malware to do these days, it in effort to make cleanup more difficult.

For details on W32/Brontok-I, details at http://www.sophos.com/virusinfo/analyses/w32brontoki.html

From what I’ve seen in various malware cleanup forums elsewhere, Brontok is not an easy cleanup.

And that’s about the limit of my skills. I can follow logs for the most part, but doing the cleanup isn’t my field.

Edit: Doing some more checking, this description http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2FBrontok
confirms several additional details in your log as matching that of the Brontok virus. Microsoft rates removal of this malware as “difficult”.

There seem to be few tools dealing directly with Brontok removal. Several that I’ve found listed are for previous versions of the malware, and are incomplete or ineffective at removal of Brontok-I.

The Microsoft Malicious Software Removal Tool is listed as a removal tool. The MSRT can be downloaded at http://www.microsoft.com/security/malwareremove/default.mspx