Diso help - trojan/spyware invasion

By dangermouz
Oct 25, 2008
  1. Earlier today my computer randomly restarted while I was using it... "Uh-oh"... And sure enough a conspicuous red circle with a white x appears in my tray along with 2 new processes that want to start on startup (I disabled them on startup).

    The message it gives me is:

    "Windows has detected spyware infection!"

    "Click here to download" etc., so I searched this and found a thread here. It told me to download a series of programs and scan and paste the logs... Some of which I already had (HJT and CCleaner). But the odd thing is when I'm installing this anti-malware/spyware/trojan/virus software... They somehow don't run... I go to see what's running in Task Manager and my computer freezes. This thing is slowly taking control of my computer. Without being able to run programs to fix this or close harmful processes in Task Manager I am really helpless and feel like I may have to system restore or reformat...

    Fortunately I was fast enough to open Task Manager and close brastk.exe and install Spyware Doctor. I now realize this program is useless.

    ComboFix doesn't run. SUPERAntiSpyware Professional does not run. OneCare Live cannot install (freezes). Ad-Aware doesn't detect anything. Malwarebytes Anti-Malware scanned for more than 1 hour and found nothing.

    I did the fix knack posted here:

    It only "partially removed" the "TrojanDownloader Win32/Renos" infection.

    I am going to post a HijackThis log shortly.

    EDIT: HijackThis won't run either.

    It seems anything that would be able to fix this is defunct.
  2. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    Did you run ComboFix in Safe Mode?
  3. dangermouz

    dangermouz TS Rookie Topic Starter

    It won't even open when I click on it, along with all those other programs. It's like it's being blocked. And I don't have any real-time protection or anything on, if that matters. Probably why I have this to begin with.

    And how do I enable 'Safe Mode'?
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    To get to Safe Mode, repeatedly press the F8 key just before Windows starts loading
    Then select Safe Mode

    You can then click on Start->Run-> msconfig

    And turn off any unwanted startups
  5. dangermouz

    dangermouz TS Rookie Topic Starter

    Yeah, I know that trick; it's saved me countless times.

    EDIT: Well, running Windows in Safe Mode didn't help ComboFix... perhaps I have to reinstall it.

    Good news is that the message in my tray is gone and brastk.exe is no longer wanting to start on startup. I won't let my guard down now, though; I want to make sure my comp is 100% safe.

    I can't even install AVG. I get this error.

    Local machine: installation failed
    Error: Action failed for file avgemc.exe: starting service....
    Error 0x8007041d
    Warning: Preparation to unload of the service avg8wd failed.
    Specified file was not found.
    Error: Action failed for file avgwd.log: restoring from backup....
    Error 0x80070005 %DESTINATION% = "C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log", %SOURCE% = "C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log.install_backup"
    Warning: Action failed for file avgmfx86.sys: stopping service....
    Service AvgMfx86 failed to progress during stopping at checpoint 0 (wait hint 10000 ms) in 90204 ms.

    Well, Malwarebytes Anti-Malware finally detected 36 infections.

    Malwarebytes' Anti-Malware 1.30
    Database version: 1321
    Windows 5.1.2600 Service Pack 2

    10/25/2008 7:15:09 PM
    mbam-log-2008-10-25 (19-15-04).txt

    Scan type: Quick Scan
    Objects scanned: 48824
    Time elapsed: 4 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 7
    Folders Infected: 0
    Files Infected: 27

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\karna.dat -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: system32\karna.dat -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\ -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\ -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\av.dat (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\ (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\delself.bat (Malware.Trace) -> No action taken.
    C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> No action taken.
    C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> No action taken.
    C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\wini10801.exe (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\xxxxxx\Local Settings\Temp\wrdwn2 (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\xxxxxxxx\Local Settings\Temp\wrdwn3 (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\xxxxxxxx\Local Settings\Temp\wrdwn4 (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\xxxxxxxx\Local Settings\Temp\wrdwn5 (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\xxxxxxxxxxx\Local Settings\Temp\wrdwn6 (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\xxxxxxxxxx\Local Settings\Temp\wrdwn7 (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
    C:\WINDOWS\system32\TDSShrxr.dll (Rootkit.Agent) -> No action taken.
    C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> No action taken.
    C:\WINDOWS\system32\TDSSmtql.dll (Rootkit.Agent) -> No action taken.
    C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> No action taken.
    C:\WINDOWS\system32\TDSSoiqh.dll (Rootkit.Agent) -> No action taken.
    C:\WINDOWS\system32\TDSSoiqt.dll (Rootkit.Agent) -> No action taken.
    C:\WINDOWS\system32\TDSSproc.log (Trojan.TDSS) -> No action taken.
    C:\WINDOWS\system32\TDSSrhyp.dll (Rootkit.Agent) -> No action taken.
    C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> No action taken.
    C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> No action taken.

    And here is my HijackThis log (which started working as soon as I removed them with the previous program)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:19:20 PM, on 10/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\PROGRA~1\Mozilla Firefox\firefox.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\Steven Anderson\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF:
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    End of file - 3554 bytes

    It's too bad there's no code box (at least that I'm aware of).
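An added triage script for the Malwarebytes log above (example code written for this thread, not from the poster or from Malwarebytes). It parses the MBAM 1.x log format, pulls out the registry persistence points the scan flagged (the AppInit_DLLs entry pointing at karna.dat, and the Winlogon Userinit value), lists the flagged .sys drivers, notes that beep.sys was hit both in system32\drivers and in the dllcache copy Windows File Protection would restore from, and counts how many entries still read "No action taken" (in the log above, all 36 of them). The sample input is constructed from lines of that log plus one made-up "Quarantined and deleted successfully." line; the Windows XP defaults it compares against (an empty AppInit_DLLs, a Userinit of C:\WINDOWS\system32\userinit.exe,) are assumptions about the OS, not something the log states.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x scan log (added example, not from the
thread above or from Malwarebytes).

It parses the "<section> Infected:" blocks, extracts the registry persistence
points (AppInit_DLLs, Winlogon\\Userinit, Run keys) with the value MBAM reported,
lists flagged kernel drivers, and counts entries still marked "No action taken".
The Windows XP default values used to judge tampering are an assumption about the
OS; the log itself does not state them.
"""
import re
from collections import Counter

SECTION_RE = re.compile(r"^(?P<section>.+) Infected:$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+?)\.?$")
NOT_REMOVED = "No action taken"


def _appinit_ok(value):
    # Assumed XP default: AppInit_DLLs is empty, so any value means a DLL is injected.
    return not value


def _userinit_ok(value):
    # Assumed XP default: "C:\WINDOWS\system32\userinit.exe," (trailing comma included).
    return (value or "").lower().endswith("userinit.exe,")


# lower-cased substring of the registry path -> (why it matters, is-default check)
PERSISTENCE_POINTS = {
    r"\windows\appinit_dlls": ("loaded into every process that maps user32.dll", _appinit_ok),
    r"\winlogon\userinit": ("run by winlogon at every interactive logon", _userinit_ok),
    r"\currentversion\run": ("started at logon; any flagged entry is unwanted", lambda v: False),
}

# Constructed sample in the format of the MBAM 1.30 log posted above; the final
# "Quarantined and deleted" line is made up to show how a removed item is counted.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\karna.dat -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> No action taken.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> No action taken.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return one dict per flagged item: section, item, threat, data, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group("section")
            continue
        entry = ENTRY_RE.match(line)
        if section is None or entry is None:
            continue  # banner lines, counters, "(No malicious items detected)"
        # rest is "action", "Data: <value> -> action" or "Bad: (1) Good: (0) -> action"
        parts = [p.strip() for p in entry.group("rest").split(" -> ")]
        data = next((p[len("Data: "):] for p in parts[:-1] if p.startswith("Data: ")), None)
        entries.append({
            "section": section,
            "item": entry.group("item"),
            "threat": entry.group("threat"),
            "data": data,
            "action": parts[-1],
        })
    return entries


def summarize(entries):
    """Pull out what a responder acts on first: persistence points, drivers, leftovers."""
    persistence, drivers = [], []
    for e in entries:
        low = e["item"].lower()
        for point, (why, is_default) in PERSISTENCE_POINTS.items():
            if point in low:
                persistence.append({
                    "point": point, "item": e["item"], "data": e["data"],
                    "why": why, "tampered": not is_default(e["data"]),
                })
        if low.endswith(".sys"):
            drivers.append(e["item"])
    return {
        "total": len(entries),
        "not_removed": sum(e["action"] == NOT_REMOVED for e in entries),
        "by_threat": Counter(e["threat"] for e in entries),
        "persistence": persistence,
        "drivers": drivers,
        # A hit under dllcache means the Windows File Protection cache copy was
        # replaced too, so WFP will not restore a clean file over the bad one.
        "wfp_cache_hits": [e["item"] for e in entries if "\\dllcache\\" in e["item"].lower()],
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print(f"{report['not_removed']} of {report['total']} flagged items still present")
    for p in report["persistence"]:
        flag = "TAMPERED" if p["tampered"] else "default"
        print(f"[{flag}] {p['item']} = {p['data']!r} ({p['why']})")
    for d in report["drivers"]:
        print("driver:", d)
```

Run it against a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file contents; a non-zero "still present" count after a scan means the Remove step was never taken, and a tampered Userinit or non-empty AppInit_DLLs explains why security tools are killed or blocked at startup before they can run.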
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  7. dangermouz

    dangermouz TS Rookie Topic Starter

    Yeah, thanks, but if you read everything I posted you'd realize I was attempting to do this, but the Trojans/spyware on my computer somehow interrupted installation and functionality of these programs, except for the Malwarebytes Anti-Malware one, which came through for me... allowed me to get AVG up and do a more in-depth scan. Turns out I have a lot of suspicious/infected files. 11 more threats once AVG ran. It's not even done scanning after 1.5 hours =0

    Well, I've regained control of my computer; I'll post further logs and questions as they come. Thanks to all that helped.
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    When you are able to,

    Try a free antivirus like Avast or Avira
Topic Status:
Not open for further replies.