Win32:Bravix-B [Drp]

Can anyone help me get rid of this? Avast finds it when scanning in boot mode, where I have tried to repair it, move it to chest and delete it in different scans. In the regular scan it gives further info: 2 items in system32, tdssdw.dll and tdssl.dll, neither of which can be repaired, deleted or moved to chest; the message is that they are in use by another program. So I tried scanning in safe mode, with the same results. Also, I can’t find the tdssdw.dll or tdssl.dll files in system32. The other problem is my desktop has been taken over by what looks to be a warning window, but is non-functional, i.e. it cannot be closed, minimized etc. The desktop properties box has no background or screensaver tabs. The warning says Win32/Adware.Virtumonde and Win32/PrivacyRemover.m64. I did a SpyHunter scan which temporarily restored my background and screensaver functions, and the warning window shows as phc10kj0ea6g (I can’t remember if it was a jpeg or what). I managed to control that with msconfig. I can set my own background. Otherwise no apparent symptoms. I have also run Ad-Aware, a-squared and RegRun scans. They don’t find anything. And not to mention I have cleared temp files both manually and with Internet Options as well as with CCleaner.

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIt! instead.
  3. Use SUPERAntiSpyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then re-enable it.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check whether you have insecure applications with Secunia Software Inspector.

Also, for Virtumonde:
Maybe this tool helps:
http://www.symantec.com/security_response/writeup.jsp?docid=2003-120914-4108-99&tabid=3

The tool described in essexboy’s post will produce a list of altered files. You will be able to see which programs are corrupted. This link will take you to his post and the tool link.
http://forum.avast.com/index.php?topic=32297.msg269932#msg269932

Also, he explains more here: http://forum.avast.com/index.php?topic=32331.msg270253#msg270253

I believe this is the infamous XP Antivirus (yet again). While following Tech’s advice, I would start with the MBAM link he kindly posted. :)

:) Hi Krypton:

For what you are describing, best to start with the FREE Malwarebytes’ Anti-Malware, followed by using the FREE “VundoFix”, available at http://vundofix.atribune.org/ ; IF you use VundoFix, follow the directions on that site.

Hi,
I think I have the same problem but I still don’t know what to do about this.
First of all, I have two accounts on my computer. One is totally blocked: I can log in, but after 30 seconds the computer doesn’t respond. On this account I have the wallpaper with the warning window. On the second account I can do something, but sometimes (50% of cases) it is the same.
I checked the whole system with avast and found Win32:Bravix. I sent all files (at least I think so) with this to Quarantine but it didn’t help. Then I checked the whole system with Malwarebytes and it showed me that I still have these viruses in Windows\System32.
Now I checked the whole system with:
Avast - didn’t show anything,
Malwarebytes -
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) → Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) → Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) → Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) → Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) → Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) → Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) → Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) → Delete on reboot.

But after rebooting it is the same.
Please help???

p.s.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:58:17, on 2008-09-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\Creator\Remind_XP.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\V0400Mon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe
C:\Documents and Settings\magda\Ustawienia lokalne\Temporary Internet Files\Content.IE5\GXMN4HI7\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O3 - Toolbar: Starware316 - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware316\bin\Starware316.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [V0400Mon.exe] C:\WINDOWS\V0400Mon.exe
O4 - HKLM\..\Run: [lphcptrj0e3a7] C:\WINDOWS\system32\lphcptrj0e3a7.exe
O4 - HKLM\..\Run: [inrhcttrj0e3a7] C:\Documents and Settings\Ela\Ustawienia lokalne\Temp.tt1D.tmp.exe /CR=5F8C0875B49BA02BB503A8EC828A17BC3EF2A0B8D4F95AFB7E86F09C85854FA20DB307C94181365F398B6912549C44095CEA173731B071758E59FDCBC4C3C34C8A5D7C9B2498E40213A49C8BCA821844CA
O4 - HKCU\..\Run: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Wyślij do interfejsu &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: dpwsock32 - dpwsock32.dll (file missing)
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


End of file - 8297 bytes

… and how do I get the background and screensaver tabs back in the desktop properties box??
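The MBAM result in the post above marks the locked files “Delete on reboot”, and the poster then reports that after the reboot nothing had changed. The following Python is added here as an example; it is not code from the thread or from Malwarebytes. It shows the registry value through which Windows performs a deferred delete of a file that is in use (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes it, smss.exe applies it at the next boot), builds that value for the file list MBAM reported, and parses it back to see what is still queued. The file paths are the ones from the MBAM output above; the function names are this example’s own, and whether MBAM itself used this exact mechanism in 2008 is not stated in the thread.

```python
r"""Encode, decode and inspect the PendingFileRenameOperations registry value.

Added example, not from the thread or from Malwarebytes. Windows records a
"delete on reboot" request (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) in
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations,
a REG_MULTI_SZ of (source, destination) pairs in \??\ NT path form; an empty
destination means "delete". smss.exe applies the list early in the next boot.
The file list is the one MBAM reported in the thread; whether MBAM used this
exact mechanism is not stated there. Runs anywhere: it only builds and parses
the value, it does not touch a registry.
"""
from typing import List, Optional, Sequence, Tuple

NT_PREFIX = "\\??\\"

# Files MBAM reported as "Delete on reboot" in the thread.
MBAM_DELETE_ON_REBOOT = [
    r"C:\WINDOWS\system32\tdssadw.dll",
    r"C:\WINDOWS\system32\tdssl.dll",
    r"C:\WINDOWS\system32\tdssserf.dll",
    r"C:\WINDOWS\system32\tdssmain.dll",
    r"C:\WINDOWS\system32\tdssinit.dll",
    r"C:\WINDOWS\system32\tdsslog.dll",
    r"C:\WINDOWS\system32\tdssservers.dat",
    r"C:\WINDOWS\system32\drivers\tdssserv.sys",
]


def to_nt_path(path: str) -> str:
    # C:\dir\file -> \??\C:\dir\file; already-prefixed input is returned unchanged
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def from_nt_path(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def build_pending_ops(deletes: Sequence[str],
                      renames: Sequence[Tuple[str, str]] = ()) -> List[str]:
    """Flat string list in registry order: src, dst, src, dst, ..."""
    ops: List[str] = []
    for src in deletes:
        ops += [to_nt_path(src), ""]          # empty destination == delete at boot
    for src, dst in renames:
        ops += [to_nt_path(src), to_nt_path(dst)]
    return ops


def parse_pending_ops(entries: Sequence[str]) -> List[Tuple[str, Optional[str]]]:
    """Pairs (source, destination); destination None means delete."""
    if len(entries) % 2:
        raise ValueError("odd number of strings: value is corrupt or truncated")
    return [(from_nt_path(src), None if dst == "" else from_nt_path(dst))
            for src, dst in zip(entries[0::2], entries[1::2])]


def scheduled_for_delete(entries: Sequence[str]) -> List[str]:
    return [src for src, dst in parse_pending_ops(entries) if dst is None]


def encode_multi_sz(strings: Sequence[str]) -> bytes:
    """REG_MULTI_SZ bytes: UTF-16LE, each string NUL-terminated, then one more NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(data: bytes) -> List[str]:
    """Inverse of encode_multi_sz. Empty strings are kept: a parser that stops at
    the first empty string (a common REG_MULTI_SZ shortcut) would silently drop
    every delete request in this value."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("missing REG_MULTI_SZ terminator")
    body = text[:-1]
    if body == "":
        return []
    if not body.endswith("\0"):
        raise ValueError("last string is not NUL-terminated")
    return body[:-1].split("\0")


if __name__ == "__main__":
    blob = encode_multi_sz(build_pending_ops(MBAM_DELETE_ON_REBOOT))
    for path in scheduled_for_delete(decode_multi_sz(blob)):
        print("delete at boot:", path)
```

On a live XP machine the queued list can be read with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations` before rebooting; if the value is empty after the reboot but the files are back, something recreated them. One general reason deferred deletion can fail against a rootkit: boot-start and system-start drivers are loaded before smss.exe runs, so a driver that starts at boot (the list above includes a .sys under drivers\) is already active when the deletes are attempted. The thread does not say which of these happened here.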

Ok guys, thanks a ton. I tried MBAM first as it was twice recommended, and it found trojans and more trojans, or maybe the same one with several listings, very similar to lizzy-b’s list. After quarantining them and re-booting I was very pleased to see I had regained my desktop and screensaver tabs in desktop properties. So I am hopeful. Currently running a full avast AV scan including archives, and the memory scanned clean. I also ran the avast rootkit scan that was recommended and it found nothing. So lizzy, try MBAM, it worked for me. I do still have that phc10kj0ea6g.exe that was the name of the desktop “window”, but I have that disabled in the msconfig startup menu. Once again, thank you to the repliers.

No problem, Krypton.

And lizzy_b, your Java is out-of-date. Please uninstall the old version and install the latest here.

I suggest Secunia Software Inspector and JavaRa and make sure everything is up-to-date.

Okay, now fix this item. It appears to be Starware.

O3 - Toolbar: Starware316 - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware316\bin\Starware316.dll (file missing)

New day, new hope… :) I checked the whole system with Malwarebytes once again and it helped! This time I also managed to use my “first” account, and everything was just the way you described, at least I hope so :)

Thanks a lot for your help !!!

I had the problem elaborated here and solved it, thanks, but now, after my computer has been cleaned, my desktop is blank, that is, it’s white and I can’t change it in any way (I can change the background in desktop properties, but it looks like the white background overlays the other background). The system is free of all malware, spyware and viruses, as I followed Tech’s instructions in the post (thx). I ran MBAM several times, nothing more to be found.
Any ideas or suggestions?

That is a setting in the registry. I had the same problem and solved it as described on this page:

http://billjr.spaces.live.com/blog/cns!28CBD6442F406227!362.entry

Otherwise search for “desktop tab missing registry”

OK guys, this thread has been hijacked into a general WinXP antivirus removal thread.
That’s OK,
but let’s make sure that any advice is specifically directed at the appropriate poster.

Posters: if things get difficult or if advice is not clear, it would be best to start your own thread.
Follow the OUTLINE by TECH in REPLY 1.

Posters, please all run Malwarebytes Anti-Malware: update, quick scan,
put a check mark next to any hits and
click REMOVE CHECKED.

AND
run SUPERAntiSpyware: update, scan, and clean (quarantine) any hits.

Right-click on the avast ball and Update > Programs,
then open avast and schedule a boot-time scan; when convenient, reboot.

IT WOULD BE BEST TO POST LOGS IN YOUR OWN THREAD. Give your thread a meaningful name.
Do not run HJT prior to doing the above unless asked, and post HJT logs in your own thread.
We do NOT want to NUKE someone else’s system.

Appreciate your helping each other.

Hi lizzy_b,

This is the evaluation of your HijackThis log:
Fix these entries with HijackThis:
O3 - Toolbar: Starware316 - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware316\bin\Starware316.dll (file missing) Must be fixed!

Unnecessary (deactivated) entry that can be fixed. Starware.dll, Starware***.dll (* = random digit) - Starware, http://www.symantec.com/security_response/writeup.jsp?docid=2005-050313-4341-99 adware variant - also see here, http://vil.nai.com/vil/content/v_135504.htm and here, http://www.siteadvisor.
First check at virustotal.com whether this file is malicious:
O4 - HKLM\..\Run: [V0400Mon.exe] C:\WINDOWS\V0400Mon.exe It seems that the name of this program is the same as the name of the file. In most cases this is the result of trojans. To be sure, you should check this file. V0400Mon.exe = Live! Cam Console Auto Launcher, so SAFE!

The same goes for this: check, else fix with HJT:
O4 - HKLM\..\Run: [lphcptrj0e3a7] C:\WINDOWS\system32\lphcptrj0e3a7.exe Unknown application.
and fix this one also:
O4 - HKLM\..\Run: [inrhcttrj0e3a7] C:\Documents and Settings\Ela\Ustawienia lokalne\Temp.tt1D.tmp.exe /CR=5F8C0875B49BA02BB503A8EC828A17BC3EF2A0B8D4F95AFB7E86F09C85854FA20DB307C94181365F398B6912549C44095CEA173731B071758E59FDCBC4C3C34C8A5D7C9B2498E40213A49C8BCA821844CA Nasty (2.68 / 5.00

This is nasty and therefore delete this executable: Scheduler.exe = Trojan Horse = SUBWOOFER TROJAN!

We found harmful software on your system (viruses, spyware, etc.).
Scan your system with a virus scanner and spyware remover.

Overview of running tasks (task - category - description):
smss.exe - System task - Session Manager Subsystem
winlogon.exe - System task - Microsoft Windows Logon Process
services.exe - System task - Windows Service Controller
lsass.exe - System task - Local Security Authority Service
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
aswUpdSv.exe - Virus scan - Avast Anti-Virus Component
ashServ.exe - Virus scan - Avast
spoolsv.exe - System task - Microsoft Printer Spooler Service
svchost.exe - System task - Microsoft Service Host Process
btwdins.exe - System task - Microsoft Bluetooth Service
LSSrvc.exe - Background task - NERO Light Scribe Module
svchost.exe - System task - Microsoft Service Host Process
hpqwmiex.exe - Background task - HP ProtectTools security manager
asghost.exe - Background task - Cognizance Identity and Access Management
ashMaiSv.exe - Virus scan - Avast Anti-Virus Component
ashWebSv.exe - Virus scan - avast! Web Scanner
Explorer.EXE - System task - Microsoft Windows Explorer
AGRSMMSG.exe - System task - IBM AMR modem driver
PTHOSTTR.EXE - Background task - System Tray Applet
HPWuSchd2.exe - Background task - Hewlett Packard Software Update Scheduler
DLACTRLW.EXE - Background task - Sonic Solutions Drive Letter Access (DLA)
SynTPEnh.exe - Driver - Synaptics touchpad tray icon
igfxtray.exe - Application - Intel Graphics configuration and diagnostic application
hkcmd.exe - Application - Intel multimedia devices
igfxpers.exe - Driver - Intel Common User Interface Module
QlbCtrl.exe - Background task - QLB Controller
igfxsrvc.exe - Driver - Intel(R) Common User Interface
Remind_XP.exe - Background task - SoftThinks CD Creator Reminder
Scheduler.exe - Trojan Horse - SUBWOOFER TROJAN!
issch.exe - Application - InstallShield Update Service
ashDisp.exe - Virus scan - Avast AntiVirus
HP Wireless Assistant.exe - Background task - HP Wireless Assistant.exe
V0400Mon.exe - Unknown task - Unknown task
BTTray.exe - Driver - Widcomm Bluetooth Tray Application
BTSTAC~1.EXE - Driver - Bluetooth Stack COM Server
IEXPLORE.EXE - Application - Windows Internet Explorer
HPQTOA~1.EXE - Background task - HpqToaster Module
wuauclt.exe - System task - AutoUpdate for WindowsME
mbam.exe - Anti Ad/Spyware software - mbam.exe
HiJackThis[1].exe - Background task - HiJackThis[1].exe

Now take SUBWOOFER trojan out of the registry:

To edit the registry:

CAUTION: We strongly recommend that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to back up the Windows registry for instructions.

  1. Click Start, and click Run. The Run dialog box appears.

  2. Type regedit and then click OK. The Registry Editor opens.

  3. Navigate to the key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    In the right pane, delete the value

    Tweak UI “RunDLL32 tweakUI.DLL, TWEAKUI /tweakmeup”

  4. Navigate to the key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

  5. In the right pane, delete the value

    Scheduling Agent “Scheduler.exe”

  6. Click Registry, and click Exit.

polonus
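The evaluation above applies a few repeatable rules to the HijackThis log: a toolbar or Winlogon Notify entry whose file is missing is dead and can be fixed; a Run entry whose name is a random string, or whose executable lives in a user’s Temp folder and carries a long hex blob as an argument, needs to be looked up before it is trusted; and two such entries sharing the same tail (lphcptrj0e3a7 and inrhcttrj0e3a7) usually belong to one installer. The Python below is added here as an example of those rules written down and run over lines copied from the log posted in this thread (the /CR= argument is shortened); it is not a tool from the thread, and the thresholds, verdict names and regular expressions are this example’s own assumptions. It flags entries for a reviewer; it does not decide that anything is malware.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example, not a tool from the thread. SAMPLE_LOG is copied from the log
posted in the thread (the /CR= hex argument is truncated); the heuristics,
thresholds and verdict names are this example's own assumptions.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = [
    r"O3 - Toolbar: Starware316 - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware316\bin\Starware316.dll (file missing)",
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe",
    r"O4 - HKLM\..\Run: [V0400Mon.exe] C:\WINDOWS\V0400Mon.exe",
    r"O4 - HKLM\..\Run: [lphcptrj0e3a7] C:\WINDOWS\system32\lphcptrj0e3a7.exe",
    r"O4 - HKLM\..\Run: [inrhcttrj0e3a7] C:\Documents and Settings\Ela\Ustawienia lokalne\Temp.tt1D.tmp.exe /CR=5F8C0875B49BA02BB503A8EC828A17BC3EF2A0B8",
    r"O20 - Winlogon Notify: dpwsock32 - dpwsock32.dll (file missing)",
    r"O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
]

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<rest>.+)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|scr|com))"?(?P<args>.*)$', re.I)
TEMP_RE = re.compile(r"\\(temp|tmp|temporary internet files)\b", re.I)  # runs from a temp dir
TMP_EXE_RE = re.compile(r"\.tmp\.exe$", re.I)      # download leftover renamed to .exe
HEX_ARG_RE = re.compile(r"[0-9A-F]{32,}", re.I)    # long opaque hex blob as an argument


def _alternations(s: str) -> int:
    """Number of switches between letter runs and digit runs in s."""
    kinds = [c.isdigit() for c in s if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def looks_random(name: str) -> bool:
    """True for names like lphcptrj0e3a7: letters and digits interleaved three
    or more times (assumed threshold; HPWuSchd2 and V0400Mon stay below it)."""
    stem = re.sub(r"\.(exe|dll|sys)$", "", name, flags=re.I)
    return _alternations(stem) >= 3


def shared_suffix(a: str, b: str, min_len: int = 5) -> str:
    """Common case-insensitive tail of two names, or '' if shorter than min_len."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n].lower() == b[-1 - n].lower():
        n += 1
    return a[len(a) - n:] if n >= min_len else ""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one HJT line into section, entry name, file path and arguments."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    entry: Dict[str, object] = {"section": section, "name": "", "path": "", "args": "",
                                "missing": rest.endswith("(file missing)")}
    if section == "O4":
        m4 = O4_RE.match(rest)
        if m4:
            entry["name"] = m4.group("name")
            mx = EXE_RE.match(m4.group("cmd"))
            entry["path"] = mx.group("exe") if mx else m4.group("cmd")
            entry["args"] = mx.group("args").strip() if mx else ""
        return entry
    # O2/O3/O20/O23 and similar: "Kind: name - ... - path [(file missing)]"
    tail = rest.partition(": ")[2]
    entry["name"] = tail.split(" - ")[0].strip()
    entry["path"] = tail.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
    return entry


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Findings with verdict 'suspicious', 'verify' or 'remove-dead-entry'."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        name, path, args = str(e["name"]), str(e["path"]), str(e["args"])
        strong, weak = [], []
        if TEMP_RE.search(path):
            strong.append("runs from a temporary directory")
        if TMP_EXE_RE.search(path):
            strong.append(".tmp.exe double extension")
        if HEX_ARG_RE.search(args):
            strong.append("long hex blob passed as an argument")
        random_name = looks_random(name) or looks_random(path.rsplit("\\", 1)[-1])
        if random_name:
            weak.append("random-looking name, look the file up before trusting it")
        if e["missing"]:
            weak.append("file missing: dead entry, safe to fix")
        if not strong and not weak:
            continue
        verdict = "suspicious" if strong else ("verify" if random_name else "remove-dead-entry")
        findings.append({"name": name, "section": e["section"], "verdict": verdict,
                         "reasons": strong + weak, "random": random_name})
    flagged = [f for f in findings if f["random"]]
    for i, a in enumerate(flagged):          # parts of one dropper often share a name tail
        for b in flagged[i + 1:]:
            s = shared_suffix(str(a["name"]), str(b["name"]))
            if s:
                a["reasons"].append(f"shares suffix '{s}' with {b['name']}")
                b["reasons"].append(f"shares suffix '{s}' with {a['name']}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['verdict']:18} {f['section']:4} {f['name']}: {'; '.join(f['reasons'])}")
```

Run against the sample, it returns Starware316 and dpwsock32 as dead entries, lphcptrj0e3a7 as “verify”, and inrhcttrj0e3a7 as “suspicious” (Temp location, .tmp.exe name and the hex argument), with both random-named entries noted as sharing the tail trj0e3a7; the legitimate HP, Intel, avast and V0400Mon lines produce no finding. The rules are deliberately coarse: a real log should still be read by a person, which is what the poster above did.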