Author Topic: Win32 Bravix [Drp] Virus alert from Avast  (Read 7899 times)

SteveRB0

  • Guest
Win32 Bravix [Drp] Virus alert from Avast
« on: September 22, 2008, 07:01:07 PM »
XP Service Pack 2

I was infected recently with a number of viruses, adware, malware, etc. and managed to remove most of the problems. But there are two files, tdsslog.dll and tdssserf.dll, that I can't seem to get rid of. The scanner picks them up when I launch it and it's testing memory and startup. Attempting to delete them gives me the message that they are in memory and can't be removed/altered. I've tried running avast on startup and it says that the infected files are successfully removed, but then they show up again when I run the scanner after startup and it's just an endless loop of all this. I've tried manually locating the files and they aren't there (show hidden files is on) and Windows searches don't come up with anything either.

In addition to running Avast I've run Spybot Search and Destroy, which got rid of the adware problems, but it had the exact same issue as Avast had with something called Virtumonde.sci, I think. There were two registry entries that it could only remove before startup. Now it's random as to whether or not the program picks them up. Manually locating them didn't work, as if they didn't actually exist at all.

A couple of what I'm assuming are related problems: Clicking on any link in a Google/Yahoo search sends me to various ad sites instead of where I'm supposed to go. Copying and pasting the proper URL works on occasion. Most sites related to virus help, including Avast's, send me to the "Cannot connect" page. My main browser is Firefox (one version behind the most recently released one), but Internet Explorer had the same problem as well.

A couple of other issues that didn't start until after infection: There have been three completely random system freezes. Sometimes on startup Windows gets stuck right after the XP logo screen: black background with a mouse cursor, and I've left it there for an hour with no luck. It seems to work just fine every other time. I get the same result with Safe Mode; sometimes it works fine, other times it gets stuck as soon as the screen with safe mode in each corner comes up.

Now, aside from the issues mentioned above, when it's up and running my computer works just fine. There aren't any strange processes in the Task Manager, no abnormal CPU or memory usage, no system slowdowns, no popups or desktop background images, programs (games, business, etc.) run fine. It's all very confusing.

If any of the issues I mentioned are unclear just ask me to clarify exactly what the problem I'm experiencing is. Thanks in advance for your help.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89686
  • No support PMs thanks
Re: Win32 Bravix [Drp] Virus alert from Avast
« Reply #1 on: September 22, 2008, 08:13:10 PM »
When you say you have run avast on startup, do you mean scheduling a boot-time scan ?

If not, Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php.

If so then it is likely that there are other hidden/undetected elements to the infection restoring or downloading the file again.

These files are associated with a trojan backdoor which could mean there is something avoiding your firewall, what is your firewall ?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
1. SUPERantispyware On-Demand only in free version.
2. MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

Check out this - HOSTS file redirect - 127.0.0.1 check your HOSTS file using notepad or a text editor of your choice, C:\WINDOWS\system32\drivers\etc\hosts or do a search for HOSTS to find it if not there. http://en.wikipedia.org/wiki/Hosts_file

This could also be used to redirect google, etc. to other sites.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

SteveRB0

  • Guest
Re: Win32 Bravix [Drp] Virus alert from Avast
« Reply #2 on: September 23, 2008, 12:10:42 AM »
Haven't had time to do any of that yet but to answer your question yes I meant a boot time scan, which did find the files and successfully deleted them but they still showed up again after that. I'll try the other things you suggested and come back with my results when I have a spare hour or two.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Win32 Bravix [Drp] Virus alert from Avast
« Reply #3 on: September 23, 2008, 12:18:22 AM »
which did find the files and successfully deleted them but they still showed up again after that.
It's safer to send the files to the Chest for further analysis than directly deleting them.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89686
  • No support PMs thanks
Re: Win32 Bravix [Drp] Virus alert from Avast
« Reply #4 on: September 23, 2008, 12:57:14 AM »
Haven't had time to do any of that yet but to answer your question yes I meant a boot time scan, which did find the files and successfully deleted them but they still showed up again after that. I'll try the other things you suggested and come back with my results when I have a spare hour or two.

As Tech mentions best not to delete but send to the chest, whilst in this case I don't believe it is a problem, it isn't a good habit to get into.

We or someone should be around when you get back, welcome to the forums.

wyrmrider

  • Guest
Re: Win32 Bravix [Drp] Virus alert from Avast
« Reply #5 on: September 23, 2008, 02:13:09 AM »
Hi
David R is In Europe
I'm West Coast US so I'll be around for awhile

When you run the SAS Scan Clean and Quarantine  do not remove/delete
With MBAM put a check next to any baddies then
click
REMOVE SELECTED- a backup will be made
post the logs 

With Spybot update every Wednesday and re-immunize

then (after the general purpose scanners)
read the stickie at the top of the forum and run a scan and log with Hijack This
post it here

we may then want to run a special purpose tool VUNDOFIX but I do not want anything exciting like a virus  active so let's get rid of any other infections (we can find) first

also
what
AV
Firewall
Browser
etc


are you running Spybot's immunize  it adds entries to your Hosts file (but no redirects)
are you running any other Hosts file such as MVPS Hosts or HPHosts?
If just Spybot you could remove Spybots Host list (from Mode>Advanced>Tools>Hosts)
then see if there is anything left- replace after looking and cleaning
be advised that Avast Mail scanner sometimes has entries in the Hosts file
they should be obvious
I do not think that removing spybot or other host entries will disturb them but deleting hosts would
you can use spybot to back up your hosts file

Scotty the Win Patrol watchdog will alert on any changes to Hosts
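
The HOSTS file check suggested in replies #1 and #5, as an added example that is not part of the original thread: it separates ordinary loopback block entries (such as an immunize list adds) from entries that point a name at a remote address or that block a site the user expects to reach. The `WATCHED` list, the function names and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: sites the user expects to reach, taken from those named in the thread.
WATCHED = ("google.com", "yahoo.com", "avast.com")

# Constructed sample, not from the poster's machine.
# 203.0.113.0/24 is a reserved documentation range.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# immunize-style blocklist entries (constructed)
127.0.0.1       ads.example.invalid
203.0.113.25    www.google.com search.yahoo.com   # redirect
127.0.0.1       www.avast.com
not-an-ip       broken.example.invalid
"""

def is_watched(name):
    """True if name is a watched domain or one of its subdomains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def audit_hosts(text):
    """Return (line_no, verdict, address, hostname) for entries worth a look."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split fields
        if len(entry) < 2:
            continue                           # blank or comment-only line
        addr, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "malformed", addr, names[0]))
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            if not sinkhole:
                # A name pinned to a remote address: traffic goes elsewhere.
                findings.append((line_no, "redirect", addr, name))
            elif is_watched(name):
                # A wanted site pointed at the local machine: "Cannot connect".
                findings.append((line_no, "blocked", addr, name))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

On a live system the text would be read from C:\WINDOWS\system32\drivers\etc\hosts; entries the mail scanner or a chosen hosts list added on purpose still need a human look before anything is deleted.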

Spiritsongs

  • Guest
"Rogue" Program
« Reply #6 on: September 23, 2008, 02:22:16 AM »
 :)  Hi Steve :

 Those 2 "dll"s you mentioned I think are part of One of the many "Rogue"
 programs that are quite frequent nowadays, which are Best dealt with by
 the FREE Version of Malwarebytes' Anti-Malware that has been recommended
 twice to you .

SteveRB0

  • Guest
Re: Win32 Bravix [Drp] Virus alert from Avast
« Reply #7 on: October 01, 2008, 02:51:14 PM »
Well it's been a hectic... however long it was since I asked you guys for help. But I FINALLY got around to trying all your suggestions and they worked great. All the problems are gone, and just to check I reran everything an additional time and no threats came up.

All the issues I stated in my original post are gone. Thanks so much for your help guys.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89686
  • No support PMs thanks
Re: Win32 Bravix [Drp] Virus alert from Avast
« Reply #8 on: October 01, 2008, 04:06:57 PM »
You're welcome, glad that your issues are now resolved.

wyrmrider

  • Guest
Re: Win32 Bravix [Drp] Virus alert from Avast
« Reply #9 on: October 01, 2008, 07:06:48 PM »
hi steve
great news
If you want to post a hjt we will take a look at it- see the stickie at the top of the forum
run secunia software inspector and get updated 
REMOVE ALL OLD JAVA

install a third party firewall for outbound protection
have an active anti malware/anti spyware
Spybot with t-timer as a minimum or ask (depends on system resources memory speed etc)
cheers