Win32:DNSChanger-VJ (Trj) and Win32:Bravix-B (Drp) infection

Hello kind and knowledgeable persons,
My daughter has avast home virus protection on her Dell laptop running XP home. Somehow she got these two viruses yesterday and is stuck in the startup loop. Avast offers to delete, ignore, or put them in the quarantine chest, but none of the options works. Win32:DNSChanger-VJ (Trj) and Win32:Bravix-B (Drp)

How did they get past avast, first of all? I thought avast was a great and sufficient barrier to such things.
Secondly, how on earth does she get rid of them?

Thanks for your help, and please remember that we are not “techies”. Again thanks for your kindness.


Welcome to the forums, rodbond. :slight_smile:

Please download HijackThis from the link below, run the program but do not make any fixes, and then post the log results using the “copy & paste” method. It will probably take more than one post to be able to get the complete log posted. OR, you can post it as an attachment to your post by clicking on “Additional Options…” below left of the posting box. Do not download HJT to the desktop but instead download it into its own folder on the hard drive. Someone will review your log and then offer help.

http://filehippo.com/download_hijackthis/


As well as the HJT, you may want to read another recent post about Win32:Bravix-B (Drp), which seemed to be resolved. Also, Win32:DNSChanger-VJ (Trj) only seems to be picked up by 3 antiviruses, so there might be a remote possibility of a false positive, although I’m only a novice.
http://forum.avast.com/index.php?topic=38699.0
http://www.virustotal.com/analisis/1465db77ada4b671759307e514764322

Let’s start with some information gathering.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

Why don’t the options work, e.g. what errors are displayed (commonly file in use, etc.) ?

If you have XP, Vista 32-bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.

avast is constantly updating its virus database, so it is entirely possible that something on your system might not have been previously detected.

Hello all,

I was just hit with this virus. Prior to finding out what took hold of my system, I ran a boot time virus scan and found the following.

tdsserv.sys infected with win32:Rootkit-gen [RtK]
tdsslog.dll infected with win32:Bravix [Drp]
tdssmain.dll infected with win32:Bravix [Drp]
tdssserf.dll infected with win32:Bravix [Drp]
tdssserf1.dll infected with win32:DNSChanger-VJ [trj]

I have them moved to the chest for now but want to get the beast totally removed from my system for obvious reasons.

My symptoms started with my Windows Built in Firewall being disabled. The other thing was my search engines ceased to work. Well they would work but clicking on the links from my searches totally brought me elsewhere.

This system has just recently been reformatted due to my having the above symptoms as described. Knowing that I had something that took hold of my machine and my lack of reformatting for a couple of years simply prompted me to do it. Now I have the similar issues; this time I identified the viruses and would rather not reformat if there is another way to get rid of this virus/malware/spyware.

Any additional information or steps would be greatly appreciated, thnx.

I suggest:

  1. Clean your temporary files.
  2. Schedule again a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or to this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then reenable it again.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

What was the original location of the files ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

A Google search on just one of the file names gives a good idea of what they are, http://www.google.co.uk/search?q=tdssmain.dll, so they look like good detections.

I would also suggest, now they are in the chest, running an avast thorough scan in Normal mode plus these other tools. If, as is reported, one was a rootkit, that could have been hiding other malware.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware On-Demand only in free version.
  2. Also MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

Thanks for the quick reply, I haven’t been ignoring it…

Still in the process of going through the steps you suggested.

I am currently running the complete scan using Dr. Web. The express didn’t pick anything up.

Prior to that, Avast found 4 *.dll’s within the same system restore file and put them into the chest during the boot up scan.

I am still getting errors about my Windows Firewall being turned off when I boot up but do have control over my search engines again.

I will continue with the guidelines given above and will post more when I have more - thanks

Ignore items in system restore
go through tech’s list
do BOTH MBAM and SAS scans
With MBAM update, check all baddies and click REMOVE SELECTED
With SAS update Clean and send to quarantine

I suggest if you find anything live that you start your own threads and post the MBAM, SAS and AV scans there.
If the first poster happened to follow advice meant for you he could hose his system, and vice versa.

Did you have any other firewall besides Windows one in the past in this computer?

Hello good day
I am new here at the forum but I have been using avast for a long time. Mostly I would have found ways to clean up the virus, but not this time, so I need help. I am using XP Pro with SP3, installed Spybot S&D, and avast but not yet up to date. My problem is how do I get into the main desktop instead of looping in the login window? When I use safe mode the computer just keeps on restarting. :cry:

Please start a New Topic of your own as this seems unrelated to the original subject and will just confuse the topic and we will try to help.

  • Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.

Actually I think his problem is relevant here.

I’ve also got the Win32:Bravix-B infection
I downloaded avast and had it check for viruses and it found
TDSLOG.DLL
TDSDOMAIN.DLL
TDSSERF.DLL
TDSSL.DLL
in my system32 folder.
When I rebooted, after that it won’t go back to my desktop.
As soon as my desktop shows, it reboots the pc. Same thing happens in safe mode.

I installed Windows in another folder just to be able to access my stuff, but I still don’t know how to repair the old Windows.

see posts 2,5,6,8
work through them

I do not know how we can access old Windows if we can’t get into Safe Mode in old Windows.
Anyone?

I am also not able to get past the Windows Start-Up screen. What now?

Can you boot in Safe Mode?
Did you try Avira rescue CD? Download the file, or get someone to do it for you, double click on file, and you will be prompted to burn to CD. Insert CD into the infected PC and boot up. Choose option 2 for virus scanning. Choose language, then PRESS SPACE, then enter. The download is updated daily. Good luck and post back.
http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

A-squared also has a trojan remover that runs from a USB dongle, and there are others.
If you have valuable data do not give up.

In the end, I had to re-install Windows into a second directory just to be able to boot up. I transferred valuable info on to my other partition and then formatted the Windows partition (this includes the “Program Files” folder).

I haven’t seen the virus since.

Even in that second Windows installation, avast was not able to completely clean Windows. But at least it recognized it. Symantec doesn’t even list Bravix.

If you could recover your documents and data, maybe passing them to a USB drive, formatting the partition (disk) and starting again will be easier. Polymorphic malware, rootkits, replicants, file infectors… some of them are very difficult to get rid of.