Diso help - trojan/spyware invasion

Status
Not open for further replies.
Earlier today my computer randomly restarted while I was using it... "Uh-oh"... And sure enough a conspicuous red circle with a white x appears in my tray along with 2 new processes that want to start on startup (I disabled them on startup).

The message it gives me is:

"Windows has detected spyware infection!"

click here to download etc, so I searched this and found a thread here. It told me to download a series of programs and scan and paste the logs... Some of which I already had (HJT and CCleaner). But the odd thing is when I'm installing these anti-malware/spyware/trojan/virus programs... They somehow don't run.. I go to see what's running in task manager and my computer freezes. This thing is slowly taking control of my computer. Without being able to run programs to fix this or close harmful processes in task manager I am really helpless and feel like I may have to system restore or reformat...

Fortunately I was fast enough to open task manager and close brastk.exe and install Spyware Doctor. I now realize this program is useless.

ComboFix doesn't run. SUPERAntiSpyware Professional does not run. OneCare Live cannot install (freezes). Ad-Aware doesn't detect anything. Malwarebytes Anti-Malware scanned for more than 1 hour and found nothing.

I did the fix knack posted here:

techspot.com/vb/topic66509.html

It only "partially removed" the "TrojanDownloader Win32/Renos" infection.

I am going to post a log of HijackThis shortly.

EDIT: HijackThis won't run either.

It seems anything that would be able to fix this, is defunct.
 
It won't even open when I click on it, along with all those other programs. It's like it's being blocked. And I don't have any real-time protection or anything on, if that matters. Probably why I have this to begin with.

And how do I enable 'safe mode'?
 
To get to Safe Mode, repeatedly press the F8 key just before Windows starts loading.
Then select Safe Mode.

You can then click on Start->Run-> msconfig

And turn off any unwanted startups
 
Yeah, I know that trick, it's saved me countless times.

EDIT: Well, running Windows in safe mode didn't help ComboFix.... perhaps I have to reinstall it.

Good news is that the message in my tray is gone and brastk.exe is no longer wanting to start on startup. I won't let my guard down now though, I want to make sure my comp is 100% safe.

I can't even install AVG. I get this error.

Local machine: installation failed
Installation:
Error: Action failed for file avgemc.exe: starting service....
Error 0x8007041d
Warning: Preparation to unload of the service avg8wd failed.
Specified file was not found.
Rollback:
Error: Action failed for file avgwd.log: restoring from backup....
Error 0x80070005 %DESTINATION% = "C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log", %SOURCE% = "C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log.install_backup"
Warning: Action failed for file avgmfx86.sys: stopping service....
Service AvgMfx86 failed to progress during stopping at checpoint 0 (wait hint 10000 ms) in 90204 ms.

Well. Malwarebytes Anti-Malware finally detected 36 infections.

Malwarebytes' Anti-Malware 1.30
Database version: 1321
Windows 5.1.2600 Service Pack 2

10/25/2008 7:15:09 PM
mbam-log-2008-10-25 (19-15-04).txt

Scan type: Quick Scan
Objects scanned: 48824
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\karna.dat -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: system32\karna.dat -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\ -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\ -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\av.dat (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\ (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> No action taken.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> No action taken.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\wini10801.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\xxxxxx\Local Settings\Temp\wrdwn2 (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\xxxxxxxx\Local Settings\Temp\wrdwn3 (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\xxxxxxxx\Local Settings\Temp\wrdwn4 (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\xxxxxxxx\Local Settings\Temp\wrdwn5 (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\xxxxxxxxxxx\Local Settings\Temp\wrdwn6 (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\xxxxxxxxxx\Local Settings\Temp\wrdwn7 (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\WINDOWS\system32\TDSShrxr.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSmtql.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSoiqh.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSoiqt.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSproc.log (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSrhyp.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> No action taken.


And here is my HijackThis log (which started working as soon as I removed the infections with the previous program):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:20 PM, on 10/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\Steven Anderson\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 3554 bytes

It's too bad there's no codebox (at least that I'm aware of).
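Triage of the Malwarebytes log above, as an added example (not code from this thread, from Malwarebytes or from TechSpot): it parses the `item (signature) -> [Data: value ->] action` lines and flags the two registry data items that act as load hooks, AppInit_DLLs (a DLL listed there is loaded into every process that links user32.dll, which is consistent with security tools failing to start) and Winlogon\Userinit (run at every interactive logon). The sample log embedded in the code is constructed from a few of the lines in the post.

```python
import re
from collections import Counter, namedtuple

# Registry value names flagged in the MBAM log that act as load/logon hooks.
PERSISTENCE_KEYS = {
    "AppInit_DLLs": "DLL loaded into every process that links user32.dll",
    "Winlogon\\Userinit": "program launched at every interactive logon",
}

# One detection line: '<item> (<signature>) -> [Data: <value> ->] <action>'
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<sig>[A-Za-z][\w.]*)\) -> (?P<rest>.+)$")
Finding = namedtuple("Finding", "item signature data action")

def parse_mbam_log(text):
    """Return one Finding per detection line; headers and blanks are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = m["rest"].split(" -> ")
        data = next((p[6:] for p in parts[:-1] if p.startswith("Data: ")), "")
        findings.append(Finding(m["item"], m["sig"], data, parts[-1]))
    return findings

def persistence_findings(findings):
    """(Finding, why-it-matters) for entries that hook a load or logon point."""
    return [(f, why) for f in findings
            for key, why in PERSISTENCE_KEYS.items()
            if key.lower() in f.item.lower()]

def signature_counts(findings):
    return Counter(f.signature for f in findings)

# Constructed sample in the shape of the Malwarebytes 1.30 log above.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\karna.dat -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> No action taken.
"""

for f, why in persistence_findings(parse_mbam_log(SAMPLE_LOG)):
    print(f"{f.item} = {f.data!r}: {why} [{f.action}]")
```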
 
Yeah, thanks, but if you read everything I posted you'd realize I was attempting to do this but the Trojans/Spyware on my computer somehow interrupted installation and functionality of these programs, except the Malwarebytes Anti-Malware one, which came through for me... Allowed me to get AVG up and do a more in-depth scan. Turns out I have a lot of suspicious/infected files. 11 more threats once AVG ran. It's not even done scanning after 1.5 hours =0

Well, I've regained control of my computer, I'll post further logs and questions as they come. Thanks to all that helped.
 