Solved: IE Getting Hijacked - tdlwsp.dll reported by Avast

bet58's Avatar
Computer Specs
Junior Member with 17 posts.
 
Join Date: Nov 2009
Experience: Intermediate
11-Nov-2009, 11:51 AM #1
IE Getting Hijacked - tdlwsp.dll reported by Avast
About a week ago, I started getting popups pointing me to security websites that I hadn't asked for. I also noticed that my IE was going to websites other than those that I had requested. At the time, I was running AVG 8.5.425 and it had not detected any Trojan or Virus activity. I downloaded Avast 4.8, ran a scan in Safe Mode and found a Trojan Horse pointing to a dll named tdlwsp.dll. I was able to remove tdlwsp using Avast but it has always returned on my next reboot. Looking through the forums, it appears that none of the usual anti-virus programs have been successful in keeping this particular Trojan from reappearing. I should mention that I have also used Windows Defender to detect and remove tdlwsp.dll but it always returns.

I would appreciate any help I can get from this forum, I am including a HijackThis.log below.

Thank you very much in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:29 AM, on 11/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: {61ae890f-1b40-bd9b-58d4-bd58e329ee10} - {01ee923e-85db-4d85-b9db-04b1f098ea16} - C:\WINDOWS\system32\mrpkls.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {be8c5510-f284-47f2-958c-528bcb7e8a85} - C:\WINDOWS\system32\jazijase.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB002" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunServices: [Configuration Loader] lttime.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [sukidakove] Rundll32.exe "C:\WINDOWS\system32\fetijonu.dll",s (User 'LOCAL SERVICE')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.mpix.com/customer/uploadi...eUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\bolapuno.dll mrpkls.dll c:\windows\system32\vajetezo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vajetezo.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vajetezo.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 9802 bytes
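The HijackThis log above shows the pattern a responder looks for in a hijacked IE: the same randomly named DLL registered at several load points (vajetezo.dll under O20 AppInit_DLLs, O21 SSODL and O22 SharedTaskScheduler; mrpkls.dll as an O2 BHO and again in AppInit_DLLs), several registrations marked "(file missing)", a legacy RunServices entry, and a Rundll32 autorun under the LOCAL SERVICE hive. The script below is an added example, not part of bet58's post and not HijackThis code; it parses a constructed excerpt of that log (lines copied verbatim) and reports, per module, which of those signals apply. The HOST_BINARIES set and the rule wording are my own assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed excerpt of the HijackThis log posted in this thread
# (entries copied verbatim, trimmed to the lines the triage rules act on).
SAMPLE_LOG = r"""
O2 - BHO: {61ae890f-1b40-bd9b-58d4-bd58e329ee10} - {01ee923e-85db-4d85-b9db-04b1f098ea16} - C:\WINDOWS\system32\mrpkls.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {be8c5510-f284-47f2-958c-528bcb7e8a85} - C:\WINDOWS\system32\jazijase.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [Configuration Loader] lttime.exe
O4 - HKUS\S-1-5-19\..\Run: [sukidakove] Rundll32.exe "C:\WINDOWS\system32\fetijonu.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\bolapuno.dll mrpkls.dll c:\windows\system32\vajetezo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vajetezo.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vajetezo.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Launcher binaries that appear in an O4 line only to load the real payload
# (assumption: a short list, not exhaustive). They are not scored themselves.
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe"}

# A path or bare filename ending in .dll/.exe/.sys anywhere in the line.
MODULE_RE = re.compile(r'[\w~.\-\\:]+\.(?:dll|exe|sys)\b', re.I)
# "O2 - BHO:", "O4 - HKLM\..\RunServices:", "O20 - AppInit_DLLs:" ...
ENTRY_RE = re.compile(r'^([A-Z]\d+) - ([^:]+):')


def load_point(line: str) -> str:
    """Return the load-point label of a HijackThis line, e.g. 'O4 - HKLM\\..\\RunServices'."""
    m = ENTRY_RE.match(line)
    return m.group(0)[:-1] if m else ""


def modules_in(line: str) -> Set[str]:
    """Lower-cased basenames of every module referenced on the line."""
    names = {m.split("\\")[-1].lower() for m in MODULE_RE.findall(line)}
    return names - HOST_BINARIES


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each module that trips at least one rule to the sorted list of reasons."""
    reasons: Dict[str, Set[str]] = defaultdict(set)
    points: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        label = load_point(line)
        if not label:
            continue
        missing = "(file missing)" in line
        for mod in modules_in(line):
            points[mod].add(label)
            if missing:
                reasons[mod].add("registered but file missing (dangling or hidden)")
            if label.startswith("O20 - AppInit_DLLs"):
                reasons[mod].add("AppInit_DLLs: injected into every process that loads user32.dll")
            if "RunServices" in label:
                reasons[mod].add("legacy RunServices autorun key")
            if label.startswith("O4 - HKUS\\"):
                reasons[mod].add("autorun under a service/system account hive")
    # The strongest single signal: one unknown module wired into several load points.
    for mod, labels in points.items():
        if len(labels) >= 2:
            reasons[mod].add(f"registered at {len(labels)} load points: " + ", ".join(sorted(labels)))
    return {mod: sorted(r) for mod, r in reasons.items()}


if __name__ == "__main__":
    for module, why in sorted(triage(SAMPLE_LOG).items()):
        print(module)
        for reason in why:
            print("   -", reason)
```

Run against the excerpt, the report names vajetezo.dll, mrpkls.dll, jazijase.dll, bolapuno.dll, fetijonu.dll and lttime.exe, and stays silent on the avast, AVG and Adobe entries that share the same sections: the rules key on where and how a module is registered, not on its name.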
bet58's Avatar
Computer Specs
Junior Member with 17 posts.
 
Join Date: Nov 2009
Experience: Intermediate
13-Nov-2009, 06:47 PM #2
Just curious, this is my first time using this site. It's been over two days since I posted my topic and I haven't heard a peep. Was the information I posted sufficient or do I need to include more details?

Thanks!
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
14-Nov-2009, 04:17 AM #3
Hello there! Welcome to the TSG Forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.


Please note the following:
  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.




Step 1

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)

  • Please copy the following into the Custom Scans box at the bottom

Code:
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys  /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5 
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so, click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button.

To ensure that I get all the information, this log will need to be attached. If it is too large to attach, then upload it to Dropio and post the sharing link/url (the Drop's URL will be similar to: http://drop.io/daerk).

Step 2

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

  • Click on the Log tab.
  • In the Write to log box select All items.
  • Place a checkmark next to Hidden Objects Only
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
    (Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start)
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
bet58's Avatar
Computer Specs
Junior Member with 17 posts.
 
Join Date: Nov 2009
Experience: Intermediate
14-Nov-2009, 11:58 AM #4
NeonFx,

Thanks for the reply and the concise instructions. I'm attaching the OTS log here and pasting the SysProt log below. Thank you very much.

Bet58

SysProt AntiRootkit v1.0.1.0
by swatkat

*************************************************************************** ***************
*************************************************************************** ***************

No Hidden Processes found

*************************************************************************** ***************
*************************************************************************** ***************
Kernel Modules:
Module Name: srescan.sys
Service Name: srescan
Module Base: F7827000
Module End: F783B000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_diskdump.sys
Service Name: ---
Module Base: B8A68000
Module End: B8A6C000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_si3112.sys
Service Name: ---
Module Base: B9565000
Module End: B9571000
Hidden: Yes

*************************************************************************** ***************
*************************************************************************** ***************
SSDT:
Function Name: ZwClose
Address: B72BF6B8
Driver Base: B72B7000
Driver End: B72D8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwConnectPort
Address: B74E1040
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateFile
Address: B74DD930
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateKey
Address: B72BF574
Driver Base: B72B7000
Driver End: B72D8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwCreatePort
Address: B74E1510
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcess
Address: B74E7870
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcessEx
Address: B74E7AA0
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateSection
Address: B74EAFD0
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateWaitablePort
Address: B74E1600
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteFile
Address: B74DDF20
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteKey
Address: B74E96E0
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteValueKey
Address: B72BFA52
Driver Base: B72B7000
Driver End: B72D8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDuplicateObject
Address: B74E7580
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwLoadKey
Address: B74E98B0
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenFile
Address: B74DDD70
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenKey
Address: B72BF64E
Driver Base: B72B7000
Driver End: B72D8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenProcess
Address: B74E7350
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenThread
Address: B74E7150
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwQueryValueKey
Address: B72BF76E
Driver Base: B72B7000
Driver End: B72D8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwRenameKey
Address: B74EA250
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwReplaceKey
Address: B74E9CB0
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRequestWaitReplyPort
Address: B74E0C00
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRestoreKey
Address: B72BF72E
Driver Base: B72B7000
Driver End: B72D8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwSecureConnectPort
Address: B74E1220
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetInformationFile
Address: B74DE120
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetValueKey
Address: B72BF8AE
Driver Base: B72B7000
Driver End: B72D8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwTerminateProcess
Address: B74E7CD0
Driver Base: B74AE000
Driver End: B750E000
Driver Name: \SystemRoot\System32\vsdatant.sys

*************************************************************************** ***************
*************************************************************************** ***************
No Kernel Hooks found

*************************************************************************** ***************
*************************************************************************** ***************
IRP Hooks:
Hooked Module: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: B74F2C20
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

Hooked Module: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: B74F2C20
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

Hooked Module: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B74F2C20
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

Hooked Module: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B74F2C20
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

Hooked Module: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B74F2C20
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

*************************************************************************** ***************
*************************************************************************** ***************
Ports:
Local Address: HOME-ZE661TVX98.HSD1.MD.COMCAST.NET.:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: HOME-ZE661TVX98:18080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: HOME-ZE661TVX98:13128
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: HOME-ZE661TVX98:12143
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: HOME-ZE661TVX98:12119
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: HOME-ZE661TVX98:12110
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: HOME-ZE661TVX98:12080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: LISTENING

Local Address: HOME-ZE661TVX98:12025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: HOME-ZE661TVX98:10110
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgemc.exe
State: LISTENING

Local Address: HOME-ZE661TVX98:10080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: HOME-ZE661TVX98:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: HOME-ZE661TVX98:1035
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
State: LISTENING

Local Address: HOME-ZE661TVX98:1034
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
State: LISTENING

Local Address: HOME-ZE661TVX98:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: HOME-ZE661TVX98:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: HOME-ZE661TVX98.HSD1.MD.COMCAST.NET.:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: HOME-ZE661TVX98.HSD1.MD.COMCAST.NET.:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HOME-ZE661TVX98.HSD1.MD.COMCAST.NET.:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: HOME-ZE661TVX98.HSD1.MD.COMCAST.NET.:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: HOME-ZE661TVX98.HSD1.MD.COMCAST.NET.:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HOME-ZE661TVX98:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HOME-ZE661TVX98:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HOME-ZE661TVX98:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: HOME-ZE661TVX98:1031
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: HOME-ZE661TVX98:1030
Remote Address: NA
Type: UDP
Process: C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
State: NA

Local Address: HOME-ZE661TVX98:1029
Remote Address: NA
Type: UDP
Process: C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
State: NA

Local Address: HOME-ZE661TVX98:1028
Remote Address: NA
Type: UDP
Process: C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
State: NA

Local Address: HOME-ZE661TVX98:1027
Remote Address: NA
Type: UDP
Process: C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
State: NA

Local Address: HOME-ZE661TVX98:1026
Remote Address: NA
Type: UDP
Process: C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
State: NA

Local Address: HOME-ZE661TVX98:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
State: NA

Local Address: HOME-ZE661TVX98:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: HOME-ZE661TVX98:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

*************************************************************************** ***************
*************************************************************************** ***************
Hidden files/folders:
Object: C:\Documents and Settings\Owner\Favorites\Travel\Greece to Plovdiv, Bulgaria.url
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\6UEJ84UK\6tileid%253D2%2526site%253Dcbs.wcbs%2526size%253 D160x600%252C300x250%252C300x600%2526ord%253D1616101855978362[1].5%2526zone%253Dslides%2C%7C2819585%7C25;sz=3
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\6UEJ84UK\f;al=tar;al=yo;ec=pls;ec=pq;ec=tls;ec=tq;p=1;pec =ls;rb=ls;rmt=ov;st=aty;st=nug;upec=ls;atf=u;;tt=i;u=b0222z2qc480mbwzak5,f0 fu2sa,g100020;sz=300x250;tile=2;or
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\6UEJ84UK\pf;al=tar;al=yo;ec=pls;ec=pq;ec=tls;ec=tq;p=1;pe c=ls;rb=ls;rmt=ov;st=aty;st=nug;upec=ls;atf=u;;tt=i;u=b0231z2qc480mbwzak5,f 0fu2sa,g100020;sz=728x90;tile=1;or
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\6UEJ84UK\yo;ec=pls;ec=pq;ec=tls;ec=tq;p=1;pec=ls;rb=ls;rm t=ov;st=aty;st=nug;upec=ls;atf=u;clb=2067929;;tt=i;u=b0231w40gww0mbwzge1,f0 fu2sa,g10002w;sz=728x90;tile=1;ord
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CNO43ZBH\AwAhTwNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMfStUkAA AAA%2C%2Chttp%253A%252F%252Fwcbstv.com%252Flocal%252Framapo.high.school.2.9 54584[1].html%2C%7C249691%7C26;sz=
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CNO43ZBH\CA49EBG2CAXP9AZYCAD3RS21CA589924CA3KEOLFCAEDAHTH CAYDUUMJCAW4CMQBCAOT6M1VCAU7CZBJCAAF0P5JCAK1ZNVECA72SHD6CA076M9TCAE0584UCAW LDR0PCAROE338CA2QW2MXCA09X120CAY3J
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CNO43ZBH\e=yes;page=section;front=y;pageId=wpni-wpni;wpid=homepage_www.washingtonpost[1].com;!c=intrusive;cn=yes;pnode=homepage;ad=bb;ad=hp;sz=300x250,336x850;tile =1;
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CNO43ZBH\s;ec=pq;ec=tls;ec=tq;p=1;pec=ls;rb=ls;rmt=ov;st= aty;st=nug;upec=ls;gpc=e;gm=1;ssz=158x38;atf=u;;tt=i;u=b0201kyjoa20mbwzfo6, f0fu2sa,g100020;sz=888x7;tile=1;or
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CNO43ZBH\s_equipmentreviews;abr=!webtv;!category=;page=05 06samsung;subss=;subs=software_computers;sect=equipmentreviews;site=shutter bug;chan=sports;kw=;sz=336x280;til
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CNO43ZBH\treviews;abr=!webtv;!category=;page=0506samsung; subss=;subs=software_computers;sect=equipmentreviews;site=shutterbug;chan=s ports;kw=;dcopt=ist;sz=336x100;til
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CNO43ZBH\v=5%3Bm=2%3Bl=971%3Bc=3991%3Bb=15770%3Bp=ui%3D7N LsUDzQiEkjap2H5eoFdvxIlYpTnG-1XvwCqqam%3Btr%3DGwK6mGKkgcZ%3Btm%3D0-0%3Bts=20090309184715%3Bdct=;ord=200903091
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\JATC7ZR1\al=macy;al=pf;ec=pls;ec=pq;ec=tls;ec=tq;p=1;pec= ls;rb=ls;st=aty;st=nug;upec=ls;atf=u;;tt=i;u=b0213z2qc480mbwzak5,f0fu2sa,g1 00020;sz=160x600,120x600;tile=3;or
Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{7FD0561D-8187-4EC6-93F6-082BCE3E6CE9}
Status: Access denied
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
14-Nov-2009, 04:01 PM #5
Are you still experiencing the same symptoms? I'm not seeing it in the logs.

Please do the following:


NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop



  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.



**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
bet58's Avatar
Computer Specs
Junior Member with 17 posts.
 
Join Date: Nov 2009
Experience: Intermediate
15-Nov-2009, 02:26 PM #6
Sorry it took me a while to run through your instructions. I had a devil of a time disabling AVG and even uninstalling it. Finally got that done and ran combofix.exe. Attached is the log. Looks like combofix did find an infected file - let me know what you think of the log. Note that when combofix rebooted my computer, avast was restarted and it detected tdlwsp.dll right away. I had avast remove it.

Thanks very much.
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
15-Nov-2009, 03:55 PM #7
Yep, and as an HDD driver it is most probably where the infection is loading from.

I will need to find more copies of it on your system to find one we can use to replace it. Please do the following:


Run OTS.exe and under the Custom Scans section at the bottom please copy and paste the following:

%SYSTEMDRIVE%\si3112.sys /s /md5


Then click on the Quick Scan button and attach the results to your next reply.
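As an added example (not the thread's, OTS's or any tool's own code), here is the check NeonFx's `%SYSTEMDRIVE%\si3112.sys /s /md5` scan performs by hand: locate every copy of the named driver under a root, hash each one, and compare the copy in the loaded drivers directory against the others so the odd one out and the clean replacement candidates stand out. The directory tree, the fake driver bytes and the path layout are constructed assumptions.

```python
import hashlib
import os
import tempfile
from collections import Counter


def md5_of(path):
    h = hashlib.md5()  # chunked read, so a large driver need not fit in memory
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, name):
    # Recursive, case-insensitive search, as OTS's "/s /md5" custom scan does.
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() == name.lower():
                path = os.path.join(dirpath, fname)
                hits.append((path, os.path.getsize(path), md5_of(path)))
    return sorted(hits)  # (path, size, md5) per copy


def triage(hits, loaded_dir):
    # The copy in the loaded drivers directory is the suspect; the hash shared
    # by most other copies is the consensus for what a clean file looks like.
    want = os.path.normcase(loaded_dir)
    loaded = [h for h in hits if os.path.normcase(os.path.dirname(h[0])) == want]
    others = [h for h in hits if h not in loaded]
    if not loaded:
        return ("no loaded copy found", None, [])
    if not others:
        return ("nothing to compare against", loaded[0][0], [])
    consensus = Counter(h[2] for h in others).most_common(1)[0][0]
    candidates = [h[0] for h in others if h[2] == consensus]
    verdict = "matches" if loaded[0][2] == consensus else "differs from"
    return ("loaded copy %s other copies" % verdict, loaded[0][0], candidates)


def demo():
    # Constructed tree mirroring the thread: the loaded driver has been altered
    # while the two vendor copies kept elsewhere are identical.
    root = tempfile.mkdtemp()
    clean = b"SI3112 driver image" * 64
    layout = {"WINDOWS/system32/drivers/SI3112.sys": clean + b"\x90",
              "WINDOWS/OemDir/si3112.sys": clean,
              "Program Files/Gigabyte/Si3112/Si3112.sys": clean}
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    hits = find_copies(root, "si3112.sys")
    return triage(hits, os.path.join(root, "WINDOWS", "system32", "drivers"))
```

A differing hash only says the loaded copy is not the vendor file; a match against a known-good copy is what justifies using it as the replacement source.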
bet58's Avatar
Computer Specs
Junior Member with 17 posts.
 
Join Date: Nov 2009
Experience: Intermediate
15-Nov-2009, 08:11 PM #8
OK, here's the OTS.txt file. When I booted up and started Firefox (before running OTS.exe), Avast caught tdlwsp.dll again. I checked in Windows Explorer and noticed that the dll had been created the moment I opened Firefox. Let me know what you see in the log file, thanks again for looking at all of this.
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
16-Nov-2009, 12:03 AM #9
Good. Sorry for the delay. Let's do the following to replace that file with a good one:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Files to move:
C:\WINDOWS\OemDir\si3112.sys | C:\WINDOWS\system32\drivers\SI3112.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
5. Please copy and paste or attach the contents of c:\avenger.txt into your reply.



=====================


After doing that please run OTS.exe and under the Custom Scans section at the bottom please copy and paste the following:

%SYSTEMDRIVE%\si3112.sys /s /md5


Then click on the Quick Scan button and attach the results to your next reply.
bet58's Avatar
Computer Specs
Junior Member with 17 posts.
 
Join Date: Nov 2009
Experience: Intermediate
16-Nov-2009, 07:22 PM #10
Neonfix,

Attached is the latest OTS.txt log and a jpg showing an error msg I received after Avenger booted up my computer and started running. I'm also including the text of the Avenger run below. Hope this helps, thank you very much!

Bet58

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\OemDir\si3112.sys|C:\WINDOWS\system32\drivers\SI3112.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
16-Nov-2009, 07:25 PM #11
Thank you. I'll review the results and get back to you. Do you continue to get the same error when you restart your computer?
bet58's Avatar
Computer Specs
Junior Member with 17 posts.
 
Join Date: Nov 2009
Experience: Intermediate
16-Nov-2009, 11:09 PM #12
No, I didn't get the Avenger error when I restarted the computer. Hopefully, that was just a fluke.
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
16-Nov-2009, 11:18 PM #13
Good. Let's do the following:

1. Close any open programs before running the fix.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:
FCopy::
C:\Program Files\Gigabyte\Silicon Image Base Driver\Si3112\Si3112.sys | C:\WINDOWS\OemDir\si3112.sys

Folder::
c:\documents and settings\All Users\Application Data\98043428
C:\WINDOWS\System32\jogezane

File::
c:\windows\system32\povufuyu.dll
C:\WINDOWS\System32\jogezane
NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Also, let me know if Avast still detects tdlwsp.dll
bet58's Avatar
Computer Specs
Junior Member with 17 posts.
 
Join Date: Nov 2009
Experience: Intermediate
17-Nov-2009, 12:50 AM #14
Neonfx,

Attached is the latest combofix.txt file. I rebooted and restarted IE as well as Firefox. So far, tdlwsp.dll hasn't shown its ugly head - is this the end of the rainbow? I'll run a full scan overnight and let you know. Thank you so much for your help on this.

Bet58
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
17-Nov-2009, 01:08 AM #15
You're welcome. We should run a couple more things to be sure you're clean.

When you get a chance, please do the following:

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your harddrives.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.