VBS: Malware-gen, Win32:Bravix-B [Drp] [RESOLVED]

I noticed that my background had been changed to an ad posing as a Windows warning message, along with a notice saying that I was infected with Win32\Adware.Virtumonde and Win32\PrivacyRemover.M64.

There was also a pop-up for the Antivirus XP 2008 license agreement, which I didn't download or anything. So I scanned my computer with Avast!. The scan came up with several files, which I moved to the chest, but some would not move and so I deleted them.

The files that show up whenever I rescan and won't delete are:

c:\docume~1\admni~1\locals~1\temp\nsm4.tmp\euladlg.dll (Malware name: Win32:Adware-gen [Adw]) VPS version: 080919-0, 09/19/2008

It recommends that I move the file to the chest, but even after doing so it keeps reappearing whenever I rescan.

c:\windows\system32\tdssl.dll (Malware name: Win32:Bravix-B [Drp]) Malware type: Dropper (VPS version: 080919-0, 09/19/2008)

It recommends that I move the file to the chest, but it will not let me, saying:

The Process cannot access the file because it is being used by another process
Cannot process ‘c:\windows\system32\tdssl.dll’ file

So then I delete the file, but it doesn't go away and reappears the next time I scan.

Then a notice would pop up saying that:

Avast! has detected a virus in the operating memory. Since it is very dangerous to work with the computer while the virus is active, it is strongly recommended that you restart the computer and let avast! scan all your data in the boot phase, before the virus can be activated. Do you want to schedule the boot-time scan and restart the computer?

I click yes and it restarts my computer scanning. These things show up when it scans:

File C:\Documents and Settings\Administrator\Local Settings\Temp\.tt1A.tmp.vbs is infected by VBS:Malware-gen

File C:\Documents and Settings\Administrator\Local Settings\Temp\.tt1D.tmp.vbs is infected by VBS:Malware-gen

File C:\Documents and Settings\Administrator\Local Settings\Temp\.tt1E.tmp.vbs is infected by VBS:Malware-gen

File C:\Documents and Settings\Administrator\Local Settings\Temp\.tt20.tmp.vbs is infected by VBS:Malware-gen

File C:\Documents and Settings\Administrator\Local Settings\Temp\.tt22.tmp.vbs is infected by VBS:Malware-gen

I send them all to the chest but they reappear every time I rescan. I've deleted them all before too, and they reappear anyway.

File C:\WINDOWS\SYSTEM32\tdssadw.dll is infected by Win32:Bravix-B [Drp]

File C:\WINDOWS\SYSTEM32\tdssl.dll is infected by Win32:Bravix-B [Drp]

File C:\WINDOWS\SYSTEM32\tdsslog.dll is infected by Win32:Bravix-B [Drp]

File C:\WINDOWS\SYSTEM32\tdssmain.dll is infected by Win32:Bravix-B [Drp]

File C:\WINDOWS\SYSTEM32\tdssserf.dll is infected by Win32:Bravix-B [Drp]

I send these ones to the chest also and the same thing happens. They reappear the next time I scan.

I have downloaded the newest version of CBO and this pops up:

Location of startup: FILE

c://WINDOWS/SYSTEM32/DRIVERS/SUCHOST.EXE

Then it mentions that it was a Trojan horse and that it has been shut down, but the file it comes from remains. I remove the file, but it shows up again when I restart my computer.

That's really all the information I can think of to give. My Avast! is the latest version, as is CBO. I've turned off System Restore. My operating system is Windows XP; I don't know about the bit part. My only virus software is Avast! and now CBO.

I’m sorry if this was not clear enough. Normally I can fix these things on my own, but I guess that this is a real virus or something. I am sorry to bother you, but please help. I need my laptop back.

Welcome to the forums,

I’ve just created a topic for such stuff
https://forums.comodo.com/virusmalware_removal_assistance/what_to_do_if_you_think_youre_infected-t27334.0.html

See if that way helps you out :slight_smile:

Xan

Ah, thank you. This appears to be working so far. I’m on the last scan, so if that still shows stuff I’ll post my Hijack log.

Thank you very very much! I really appreciate your help. :slight_smile:

Okay so here’s my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:25 PM, on 9/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BearShare\BearShare.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: FirstClass® - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://www.sad34.net/ClientDownloads/fcplugin.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


End of file - 8398 bytes

My background is now blue instead of blue with an ad. The other things have stopped popping up though. Um, sorry if this is obviously virus free now or something. I just don’t want to think it is and then have it get worse because I ignored it or something.
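The log above is the kind of thing a helper reads by eye: autorun (O4), Winlogon notify (O20) and service (O23) entries, each with an image path. As an added example (not code from HijackThis, avast!, Comodo or anyone in this thread), the script below parses those lines, extracts each path and flags the points worth checking in this particular log: 8.3 short names such as PROGRA~1 that have to be expanded before comparing with a known-good path, entries marked "(file missing)", anything launched from a Temp directory, and real-time antivirus services from more than one vendor (the log shows both Avast and Avira guards running, which the later reply in this thread advises against). The sample input is copied from the posted log plus one clearly marked hypothetical O4 line that is not in the log, added only so the Temp rule fires; the vendor marker table and the path regex are assumptions of this example. One caveat: the O23 section covers Win32 services only, so a file under SYSTEM32\DRIVERS like the one CBOClean reported earlier would not appear here, and a log with no suspicious entries does not by itself rule out a kernel-mode component.

```python
"""Triage of a HijackThis-style log: pull the image path out of each
O4/O9/O20/O23 line and flag what a helper normally checks by eye.

Added example for this thread, not code from HijackThis, avast!, Comodo or
any other tool named in it. Input is embedded below so it runs offline.
"""
import re

# Constructed input: lines copied from the log posted above, plus ONE
# hypothetical O4 line (marked [hypothetical]) that is NOT in the posted log;
# it points into the user's Temp folder so the Temp rule has something to fire on.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hypothetical] rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\nsm4.tmp\euladlg.dll",Run
O9 - Extra button: FirstClass - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
"""

# "O4 - <rest>" style entries; everything after the dash is parsed for a path.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First drive-letter path ending in .exe or .dll (stops at a closing quote).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))', re.IGNORECASE)
# Vendor strings as HijackThis prints them in O23 lines (assumed list, extend as needed).
AV_VENDORS = {"ALWIL Software": "Avast", "Avira GmbH": "Avira"}


def parse_entries(log_text):
    """Yield (code, line, path) for every O-line that names an image path."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        pm = PATH_RE.search(m.group(2))
        if pm:
            yield m.group(1), line, pm.group(1)


def flag_entry(line, path):
    """Return the human-readable flags that apply to one entry."""
    flags = []
    if "(file missing)" in line:
        flags.append("file missing: orphaned entry, the referenced file is gone")
    if re.search(r"~\d", path):
        flags.append("8.3 short name: expand before comparing with a known-good path")
    if re.search(r"\\temp\\", path, re.IGNORECASE):
        flags.append("Temp directory: unusual launch location for a legitimate autorun")
    return flags


def triage(log_text):
    """Parse the log and return flagged entries plus the set of AV vendors seen in O23."""
    entries, vendors = [], set()
    for code, line, path in parse_entries(log_text):
        entries.append({"code": code, "path": path, "flags": flag_entry(line, path)})
        if code == "O23":
            for marker, name in AV_VENDORS.items():
                if marker in line:
                    vendors.add(name)
    return {"entries": entries, "av_vendors": sorted(vendors)}


def format_report(result):
    """Render only the entries that carry flags, plus the multi-AV warning."""
    lines = []
    for e in result["entries"]:
        if e["flags"]:
            lines.append(f'{e["code"]}  {e["path"]}')
            lines.extend("    - " + f for f in e["flags"])
    vendors = result["av_vendors"]
    if len(vendors) > 1:
        lines.append("Real-time AV engines from more than one vendor: " + ", ".join(vendors))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Run against the sample, the report lists the two short-name Run entries, the orphaned FirstClass button, the hypothetical Temp launcher and the Avast/Avira pair; everything else in the sample is left unflagged, which is the point: the tool narrows the log to the lines a human should look at, it does not decide for them.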

Seems clear to me. Have you tried just changing the wallpaper? (How to change a wallpaper?)

Try Kaspersky's online scanner and see if anything still pops up. I think, however, that you're totally safe now :slight_smile:

Xan

It won’t download all the way, it stops several seconds in and says that the license has expired.

The online scanner? How's that possible?

Xan

For Antispyware/Malware Cleaning, Download, Install & Update with:

Malwarebytes’ Anti-Malware
SUPERAntispyware Free

If you’re looking for a good AV, I recommend either:

Avast! Home Edition
Avira AntiVir Personal

Go with Avast! for the features, But Avira for detection. :wink:

Only choose ONE Antivirus

Update your AV, Malwarebytes' Anti-Malware and SUPERAntiSpyware. Reboot. On reboot, start pressing "F8" until you reach the Safe Mode configuration screen. Choose Safe Mode without Networking, and scan from there.

I personally use and like Avira AntiVir Personal. :wink:

Goodluck.
Josh

Not for something or so but err

https://forums.comodo.com/virusmalware_removal_assistance/what_to_do_if_you_think_youre_infected-t27334.0.html

it’s explained in that topic Josh :slight_smile:

Xan

Ahh… Okay!

Josh

:slight_smile: I already did all that.

I’m sorry for being such a bother.

Well then, your computer should be clean.

Xan

Waa! Thank you so much! Really! :slight_smile:

Then I should close this one. :slight_smile:

Please PM any Online Mod if you want this thread re-opened.

Josh