Solved: TDLWSP.dll persists.
cyru (Member with 58 posts; Join Date: Oct 2009; Experience: Beginner)
15-Nov-2009, 02:35 PM #1
TDLWSP.dll persists.
McAfee keeps detecting DNSChanger!ca File: C:\WINDOWS\System32\TDLWSP.dll every couple of hours. This has been happening for a week or so, but prior to that McAfee quarantined lots of other nasties. (I can attach the quarantine log if needed.)

When I looked in System32 I couldn't locate the file, but I'm getting regular web page/search redirecting to random sites.

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:34:25, on 15/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Tenda\W541U\UI.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PandoraFox\App\firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:/pandora.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Tenda W541U.lnk = C:\Program Files\Tenda\W541U\UI.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.5.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6571533-2CC0-4ECA-997E-E5E875558541}: NameServer = 62.24.128.190 62.24.128.191
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
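As an added example (not from the thread or from HijackThis itself), a small Python triage script for the entry types in the log above that matter when a user reports search redirects: the R1 proxy/AutoConfigURL settings, the O17 per-adapter NameServer entries and the O4 Run entries. The embedded sample is a constructed excerpt in the shape of the lines above, and the ISP address prefixes given to the DNS check are an assumption the analyst supplies.

```python
"""Triage of HijackThis (HJT) v2 log entries related to web redirects.

Added example, not code from the thread or from HijackThis. It pulls out
the R1 proxy/AutoConfigURL settings, the O17 per-adapter NameServer
entries and the O4 Run entries so an analyst can review them first
when a user reports search-result redirects.
"""
import re

# Constructed excerpt in the shape of the thread's log (values as posted there).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:/pandora.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6571533-2CC0-4ECA-997E-E5E875558541}: NameServer = 62.24.128.190 62.24.128.191
"""

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
PROXY_RE = re.compile(r"Internet Settings,(?P<key>ProxyServer|AutoConfigURL) = (?P<val>.+)$")
NS_RE = re.compile(r"\{(?P<guid>[^}]+)\}: NameServer = (?P<ips>.+)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Return (section, body) pairs for every R*/O* line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def first_token(cmd):
    """Executable part of a Run command, honouring a quoted path."""
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def proxy_findings(entries):
    """R1 proxy and PAC settings. A proxy on 127.0.0.1 or a local .pac
    file is legitimate for a user-installed filter (Privoxy/Tor, as it
    turned out in this thread) and a classic redirector otherwise, so
    each one is something to confirm with the user."""
    out = []
    for sec, body in entries:
        m = PROXY_RE.search(body)
        if sec == "R1" and m:
            val = m.group("val")
            local = "127.0.0.1" in val or val.lower().startswith("file://")
            out.append({"key": m.group("key"), "value": val, "local": local})
    return out


def nameserver_findings(entries, expected_prefixes):
    """O17 NameServer entries per adapter. expected_prefixes holds the
    address prefixes the user's ISP is known to assign (supplied by the
    analyst; an assumption of this example). Anything outside them is
    marked for verification, which is the DNSChanger question."""
    out = []
    for sec, body in entries:
        m = NS_RE.search(body)
        if sec == "O17" and m:
            for ip in re.split(r"[ ,]+", m.group("ips").strip()):
                known = any(ip.startswith(p) for p in expected_prefixes)
                out.append({"adapter": m.group("guid"), "ip": ip, "expected": known})
    return out


def run_findings(entries):
    """O4 Run entries. Marks commands given without a directory (resolved
    through the PATH search order, so easy to shadow) and rundll32
    launches (the DLL named after rundll32 is what actually runs)."""
    out = []
    for sec, body in entries:
        m = RUN_RE.match(body)
        if sec == "O4" and m:
            cmd = m.group("cmd")
            exe = first_token(cmd)
            out.append({
                "name": m.group("name"),
                "command": cmd,
                "bare_exe": "\\" not in exe and ":" not in exe,
                "rundll32": exe.lower().endswith("rundll32.exe"),
            })
    return out


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for f in proxy_findings(ents):
        print("proxy", f)
    for f in nameserver_findings(ents, expected_prefixes=("62.24.",)):
        print("dns  ", f)
    for f in run_findings(ents):
        print("run  ", f)
```

A flagged entry is a review item, not a verdict: the thread's own 127.0.0.1:8118 proxy turned out to be the user's Tor/Privoxy install.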
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
28-Nov-2009, 01:51 PM #2
Hello there. Welcome to the TSG Forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.


Please note the following:
  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Step 1

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Please copy the following into the Custom Scans box at the bottom

Code:
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
nvatabus.sys
si3112.sys
viadsk.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
/md5stop
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so, click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button.

To ensure that I get all the information, this log will need to be attached. If it is too large to attach, then upload it to Dropio and post the sharing link/url (the Drop's URL will be similar to: http://drop.io/daerk).

Step 2


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.



Please also give me an update on the symptoms since it's been a while.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
cyru (Member with 58 posts; Join Date: Oct 2009; Experience: Beginner)
30-Nov-2009, 11:01 AM #3
Hi, NeonFx. Big thanks for responding to this!

OTS attached.

Couldn't fit the GMER paste in, so I've attached it too.


The symptoms have remained the same, as in frequent redirects in Google search results. I don't know if the following is worth mentioning but any extra info might help:

When I scanned with GMER I just left it having only the C: checked. If I need to scan E: just tell me. (btw D: is my DVD-RW)

This is because the PC has two HDDs. See, when I got the PC in Jan 08, what is now the E: was then my main drive. Then in Dec 08, when I tried to update to XP Service Pack 3, I got the BSOD and couldn't boot the PC. So after a little panic, I remembered the second HDD (still, after nearly a year, I hadn't used it!) and as it was completely empty I installed XP onto it. So now that previously unused second HDD became my main C: drive, and thankfully the BSOD drive containing all my docs, pics, music, etc. showed up as the E:, thus allowing me to access my files!!

In simple terms, both hard drives have a Windows installation. Recently I fixed the old BSOD one by repairing the XP installation, but I don't use it to boot up as everything on it is out of date (AV software, etc.)



The next thing is the infection(s) started around 16-23rd Oct, mainly on the 17th and 21st, when the McAfee real-time scanner was bombarding me with alerts. I originally posted this topic http://forums.techguy.org/malware-re...lp-needed.html (apologies for the last post moan, I didn't know to use the "Report" button!) and attached the McAfee OAS (On-Access Scanner) log and a notable MBAM report to that topic. I don't know if viewing those logs will help, but they show lots of other malware, and I'm sure some of it is still lurking and secretly dropping new bad stuff onto the PC (i.e. the sdra64/lowsec that appeared in HJT a few days back, though I think MBAM cleaned it up.)


Also, I wanted to mention a few items that I noticed when searching the C: for files created between the above dates. Of the files below, the first was created on 19th Oct and the other 2 on 21st Oct.
c:\windows\system32\msrfcint.dat
c:\windows\system32\mscomct2.dat
c:\windows\system32\ntrdectr.dat

I googled and found the files in a CFScript for removal here: http://www.bleepingcomputer.com/foru...p/t211294.html

I'm not sure about these either:
c:\windows\Hqedipe.dat
c:\windows\Vxuqiwepasule.bin
c:\windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D550DA9E-D9EA-448E-B511-62828D09479A}.crmlog


Lastly I've attached a pic of a suspect registry key too. There's probably lots more malware that hasn't been detected too but I'm happy to trust your capable hands. Forgive me if I've babbled on too much!!

Thanks, Cyru
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
30-Nov-2009, 03:09 PM #4
Alright. I can see the bugger. It seems we will need ComboFix on this one.

NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. An increasing number of infections are spreading using Autoplay, and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
cyru (Member with 58 posts; Join Date: Oct 2009; Experience: Beginner)
03-Dec-2009, 03:46 PM #5
Aagh! As soon as it downloaded it gave an error saying it couldn't be saved there. Next I tried again but renaming to Combo12Fix. Still same error. Both times I get a McAfee pop-up infection warning.

Then when I tried again, just clicking on the link brought up a different McAfee warning, not letting me even get to the "save" box to download it and try saving elsewhere :O

Below I've pasted the last 5 entries from the McAfee realtime scanner log. (I've attached the full log anyway.) Each entry relates to the pop-up alert I got when trying to download Combofix.

Also I've attached the screenshot from the last pop-up before I pulled out my internet plug *panic.* It shows the alert happening just after clicking on the link (this time the second link) to download Combofix.

03/12/2009 19:03:38 "C:\DOCUMENTS AND SETTINGS\DAVID\DESKTOP\COMBOFIX.EXE.PART" "Artemis!DDB329676758,Artemis!DDB329676758" "1"
03/12/2009 19:05:16 "C:\DOCUMENTS AND SETTINGS\DAVID\DESKTOP\COMBOFIX.EXE" "Artemis!DDB329676758,Artemis!DDB329676758" "1"
03/12/2009 19:07:04 "C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMP\NULXDZBS.EXE.PART" "Artemis!DDB329676758,Artemis!DDB329676758" "1"
03/12/2009 19:09:47 "C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMP\MLL0LMOT.EXE.PART" "Artemis!DDB329676758,Artemis!DDB329676758" "1"
03/12/2009 19:10:51 "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|RegistryMonitor1" "W32/Koobface.worm.gen.v,W32/Koobface.worm.gen.v,W32/Koobface.worm.gen.v" "1"
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
03-Dec-2009, 03:53 PM #6
Those are false positives and the reason why we ask you to disable your security programs before running these tools. Your security programs will detect what they are capable of and disable them even if we're going to use them for good.

There is no need to worry, the tool is safe.

The instructions for disabling it should be similar to this:


MCAFEE SECURITY CENTER 7.1
Please navigate to the system tray and double-click the taskbar icon to open Security Center.
  • Click Advanced Menu (bottom mid-left). Click Configure (left). Click Computer & Files (top left). VirusScan can be disabled in the right-hand module and set when it should resume or you can do that manually later on.
  • Do the same via Internet & Network for Firewall Plus.
cyru (Member with 58 posts; Join Date: Oct 2009; Experience: Beginner)
03-Dec-2009, 04:46 PM #7
Oh, sorry about that, I thought I had to disable AV before running Combofix, not before downloading it too! After I'd disabled the firewall and disconnected from the internet, I ran Combofix and was advised to download/install the recovery console. I wanted to do this, but realised I'd need to access the internet, hence enable the firewall.... kind of a catch-22 situation.

Anyway I've attached C:\ComboFix.txt

Thanks for the continued instructions


P.S.: Whoops... I re-enabled McAfee and now Combofix has been abducted by it. (Maybe I shouldn't have re-enabled the real-time scanning part. Bleh..) Anyway I'll be back on tomorrow. Thanks again Neon :thumbsup:

Last edited by cyru; 03-Dec-2009 at 04:59 PM..
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
03-Dec-2009, 04:54 PM #8
With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

You can reenable your firewall and turn your internet on, download the necessary files and then disconnect and turn your firewall off.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
03-Dec-2009, 04:56 PM #9
If you have problems, in your case you will want to drag and drop the file found at this website:

http://www.microsoft.com/downloads/d...displaylang=en
cyru (Member with 58 posts; Join Date: Oct 2009; Experience: Beginner)
04-Dec-2009, 05:11 PM #10
Done it! But the log showed the firewall enabled... argh, I disabled everything else and disconnected, so does it matter? I thought I'd better turn off the firewall then run Combofix again... but the McAfee icon had gone from the system tray, so I opened up McAfee from All Programs instead and turned the FW off..... and guess what, the next scan log also showed *firewall enabled.*

So I've attached the log from the earlier scan at 20:21. At present, real-time scanning, spyware scanning, script scanning and SystemGuards protection are all disabled. I'll have to leave it like this until told otherwise because one or more of those will quarantine Combofix again. But is it safe to browse online, because with the AV modules off, I won't get alerted if malware tries to infect, and see the relevant "Allow/Block access" in real-time. Does this mean everything is set to allow, for real-time infections or will the firewall auto-block everything as the AV modules are off and can't alert?


Lastly I just wondered when I scanned yesterday without Recovery Console installed, and the log showed some deletions. Well after this part it showed:

----- BITS: Possible infected sites -----

hxxp://softwaredownloadcentercom.com
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it


What's "kitty ate it :P" mean? Is that a message from the malware or just Combofix trying to be funny?

Last edited by cyru; 04-Dec-2009 at 05:42 PM..
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
04-Dec-2009, 07:37 PM #11
An infected atapi.sys was the source of your main problem (tdlwsp.dll). ComboFix uses some special methods to cure it and doesn't reveal them just to make sure the malware writers can't tell what we've done.

You should leave your Antivirus disabled but having your Firewall enabled should not interfere. We don't want combofix being deleted. As long as you're being careful online (not clicking on ads, not opening suspicious email attachments, going to new websites, etc.) you should be fine. Just stick to websites you know are safe for now. We're almost done.

I notice some proxy settings are set. Did you install Privoxy (or similar) on your system?
Also, you have a lot of files that are outdated. Did you have trouble installing Service Pack 3?

STEP 1

Please do the following:

1. Close any open programs before running the fix.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:
File::
c:\windows\Vxuqiwepasule.bin
c:\windows\Hqedipe.dat

FCopy::
c:\windows\ServicePackFiles\i386\browser.dll | c:\windows\system32\browser.dll
c:\windows\ServicePackFiles\i386\lsass.exe | c:\windows\system32\lsass.exe
c:\windows\ServicePackFiles\i386\netman.dll | c:\windows\system32\netman.dll
c:\windows\ServicePackFiles\i386\rpcss.dll | c:\windows\system32\rpcss.dll
c:\windows\ServicePackFiles\i386\spoolsv.exe | c:\windows\system32\spoolsv.exe
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\cryptsvc.dll | c:\windows\system32\cryptsvc.dll
c:\windows\ServicePackFiles\i386\es.dll | c:\windows\system32\es.dll
c:\windows\ServicePackFiles\i386\imm32.dll | c:\windows\system32\imm32.dll
c:\windows\ServicePackFiles\i386\msvcrt.dll | c:\windows\system32\msvcrt.dll
c:\windows\ServicePackFiles\i386\netlogon.dll | c:\windows\system32\netlogon.dll
c:\windows\ServicePackFiles\i386\powrprof.dll | c:\windows\system32\powrprof.dll
c:\windows\ServicePackFiles\i386\scecli.dll | c:\windows\system32\scecli.dll
c:\windows\ServicePackFiles\i386\sfc.dll | c:\windows\system32\sfc.dll
c:\windows\ServicePackFiles\i386\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\ServicePackFiles\i386\tapisrv.dll | c:\windows\system32\tapisrv.dll
c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\user32.dll
c:\windows\ServicePackFiles\i386\ws2_32.dll | c:\windows\system32\ws2_32.dll
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
c:\windows\ServicePackFiles\i386\srsvc.dll | c:\windows\system32\srsvc.dll
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\system32\eventlog.dll
c:\windows\ServicePackFiles\i386\shsvcs.dll | c:\windows\system32\shsvcs.dll
c:\windows\ServicePackFiles\i386\schedsvc.dll | c:\windows\system32\schedsvc.dll
c:\windows\ServicePackFiles\i386\ssdpsrv.dll | c:\windows\system32\ssdpsrv.dll
c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\system32\termsrv.dll
NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
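Both the OTS /md5start list in post #2 and the FCopy block above work from the same idea: hash or replace files in system32 against the copies kept in ServicePackFiles\i386. The following added Python example (mine, not OTS's or ComboFix's code) makes that comparison explicit on a constructed pair of directories, so the analyst sees exactly which files differ before deciding what, if anything, to replace. The file names, contents and temp-directory layout are constructed for the demonstration.

```python
"""MD5 comparison of live system files against a reference copy.

Added example, not code from the thread, OTS or ComboFix. For each
watched file name it hashes the live copy (system32) and the reference
copy (ServicePackFiles\\i386, or any known-good directory you choose)
and classifies the result.
"""
import hashlib
import os
import tempfile

# A subset of the names from the thread's OTS custom scan (constructed order).
WATCHED = ["eventlog.dll", "scecli.dll", "netlogon.dll", "atapi.sys", "nvata.sys"]


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large drivers do not sit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_system_files(live_dir, ref_dir, names=WATCHED):
    """Return {name: (status, live_md5, ref_md5)} where status is one of
    'match'   live and reference hashes agree
    'differs' both present, hashes differ (hotfixed, patched or tampered)
    'no-live' absent from live_dir (normal for drivers the hardware lacks)
    'no-ref'  no reference copy to compare against
    """
    result = {}
    for name in names:
        live = os.path.join(live_dir, name)
        ref = os.path.join(ref_dir, name)
        live_md5 = md5_of(live) if os.path.isfile(live) else None
        ref_md5 = md5_of(ref) if os.path.isfile(ref) else None
        if live_md5 is None:
            status = "no-live"
        elif ref_md5 is None:
            status = "no-ref"
        elif live_md5 == ref_md5:
            status = "match"
        else:
            status = "differs"
        result[name] = (status, live_md5, ref_md5)
    return result


def suspicious(report):
    """Names whose live copy differs from the reference: the ones to verify
    (version, signature, second opinion) before any FCopy-style replacement.
    A legitimately hotfixed file also lands here, and replacing it with an
    older version can break dependents, as the GDI32 BSOD later in this
    thread shows, so 'differs' means 'look', not 'replace'."""
    return sorted(n for n, (s, _, _) in report.items() if s == "differs")


def demo_dirs():
    """Constructed live/reference pair in a temp directory: two files
    identical, one altered in place at the same size, one only in reference."""
    root = tempfile.mkdtemp(prefix="md5check_")
    live = os.path.join(root, "system32")
    ref = os.path.join(root, "ServicePackFiles", "i386")
    os.makedirs(live)
    os.makedirs(ref)
    content = {
        "eventlog.dll": b"EVENTLOG-ok",
        "scecli.dll": b"SCECLI-ok",
        "atapi.sys": b"ATAPI-driver-bytes",
        "nvata.sys": b"NVATA-driver",
    }
    for name, data in content.items():
        with open(os.path.join(ref, name), "wb") as f:
            f.write(data)
    for name in ("eventlog.dll", "scecli.dll"):
        with open(os.path.join(live, name), "wb") as f:
            f.write(content[name])
    # Same length as the reference, different bytes: a size check alone misses this.
    with open(os.path.join(live, "atapi.sys"), "wb") as f:
        f.write(b"ATAPI-driver-BYTES")
    return live, ref


if __name__ == "__main__":
    live_dir, ref_dir = demo_dirs()
    report = compare_system_files(live_dir, ref_dir)
    for name, (status, live_md5, ref_md5) in report.items():
        print(f"{name:14} {status:8} live={live_md5} ref={ref_md5}")
    print("review before replacing:", suspicious(report))
```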
cyru (Member with 58 posts; Join Date: Oct 2009; Experience: Beginner)
06-Dec-2009, 04:43 PM #12
Ok did it; then rebooted (to restore the missing items from system tray).....only to get a BSOD! *groans*

Message:
STOP C0000139 {Entry Point Not Found}
The procedure entry point GdiGetBitmapBitsSize could not be located in the dynamic link library GDI32.dll.

I hoped I could quick fix the same way I did the USER32.dll the last time I got a BSOD; by booting into the Windows on the other HDD, and then copying the file on that to replace the one on the HDD that won't boot. But it didn't work, as explained here:

I'll call the HDD that won't boot: Number1 and the other HDD: Number 2.

On Number1 there is GDI32.dll at 277kb and GDI32(2).dll at 277kb.
On Number2 there is one GDI32.dll at 271kb.

Ok, so I've booted into Number2 and copied its GDI32 over to replace the GDI32 on Number1. (I first moved the GDI32.dll from Number1 to a safe place, in case I need to copy it back.)


Obviously I'm on Number2 now, but its AV expired over 12 months back and it's only on XP SP2, so going online with it to post this, I'm a little wary (well, I store quite a lot of my files, docs, programs, etc. on it still!)
So my first priority is to get Number1 bootable again. HELP!

-------

Regarding your previous thread, I've attached the Combofix log.
Yes, the proxy 127.0.0.1:8118 is for Tor. Vidalia is its GUI, but I'm not sure about Privoxy, which came with it. I used Tor a while back for Pandora Radio.
I thought SP3 installed correctly. One thing was odd though; ever since SP3 I got no more Automatic Updates. I even went to the Windows Update site to check, but it showed no new updates of any kind, only a couple of newer drivers. !?
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
06-Dec-2009, 05:43 PM #13
It must not like that I tried to replace the out of date files with newer ones.

Let's see if ComboFix saved copies of those older versions. Please attach C:\QooBox\ComboFix-quarantined-files.txt to your next reply if you can.
cyru's Avatar
Computer Specs
Member with 58 posts.
 
Join Date: Oct 2009
Experience: Beginner
07-Dec-2009, 09:38 AM #14
Attached. Booting from the Number2 HDD means it is C: (it showed as E: when booted from Number1), and the main C: that won't boot is showing as D: here, hence the D: path for the attachment.
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
07-Dec-2009, 03:14 PM #15
Alright. If the computer that is down is on D: right now, the following should work:

Open Notepad (Start > Programs > Accessories) on the working computer and paste in the contents of the following code box:

Code:
@echo off
CD /d "D:\Qoobox\Quarantine\C\WINDOWS\system32"
copy /Y srsvc.dll.vir D:\WINDOWS\system32\srsvc.dll
copy /Y schedsvc.dll.vir D:\WINDOWS\system32\schedsvc.dll
copy /Y termsrv.dll.vir D:\WINDOWS\system32\termsrv.dll
copy /Y browser.dll.vir D:\WINDOWS\system32\browser.dll
copy /Y cryptsvc.dll.vir D:\WINDOWS\system32\cryptsvc.dll
copy /Y es.dll.vir D:\WINDOWS\system32\es.dll
copy /Y eventlog.dll.vir D:\WINDOWS\system32\eventlog.dll
copy /Y imm32.dll.vir D:\WINDOWS\system32\imm32.dll
copy /Y lsass.exe.vir D:\WINDOWS\system32\lsass.exe
copy /Y msvcrt.dll.vir D:\WINDOWS\system32\msvcrt.dll
copy /Y netlogon.dll.vir D:\WINDOWS\system32\netlogon.dll
copy /Y netman.dll.vir D:\WINDOWS\system32\netman.dll
copy /Y powrprof.dll.vir D:\WINDOWS\system32\powrprof.dll
copy /Y rpcss.dll.vir D:\WINDOWS\system32\rpcss.dll
copy /Y scecli.dll.vir D:\WINDOWS\system32\scecli.dll
copy /Y sfc.dll.vir D:\WINDOWS\system32\sfc.dll
copy /Y shsvcs.dll.vir D:\WINDOWS\system32\shsvcs.dll
copy /Y spoolsv.exe.vir D:\WINDOWS\system32\spoolsv.exe
copy /Y ssdpsrv.dll.vir D:\WINDOWS\system32\ssdpsrv.dll
copy /Y svchost.exe.vir D:\WINDOWS\system32\svchost.exe
copy /Y tapisrv.dll.vir D:\WINDOWS\system32\tapisrv.dll
copy /Y winlogon.exe.vir D:\WINDOWS\system32\winlogon.exe
copy /Y ws2_32.dll.vir D:\WINDOWS\system32\ws2_32.dll
copy /Y user32.dll.vir D:\WINDOWS\system32\user32.dll
copy /Y D:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir D:\WINDOWS\explorer.exe
Go to File > Save As... and save the file as "Fix.bat". Next to "File Type" make sure you select "All Files", and save it to your desktop.

Then double click on the file and a black and white window should pop up and go away pretty quick like.

You should be able to boot into that machine now.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
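The batch file above restores a fixed list of quarantined files by hand. As an added example (not NeonFx's script), here is a generalised version that walks the whole ComboFix quarantine tree and puts every .vir file back where it came from, keeping a .bak copy of whatever is on disk now. It assumes, as in the post, that the non-booting install is mounted as D: and that the quarantine mirrors the original tree under D:\Qoobox\Quarantine\C.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added example, not ComboFix's or the helper's own script.
rem Assumptions: dead install mounted as D:, quarantine mirrors the original
rem tree under D:\Qoobox\Quarantine\C with ".vir" appended to each filename.
rem Usage:  Restore.bat        restore every quarantined file
rem         Restore.bat /dry   only list what would be copied
set "QSRC=D:\Qoobox\Quarantine\C"
set "DEST=D:"
set "DRY=%~1"
set /a COUNT=0

for /R "%QSRC%" %%F in (*.vir) do (
    rem Full quarantine path, e.g. D:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir
    set "SRC=%%~fF"
    rem Strip the quarantine prefix  -> \WINDOWS\system32\user32.dll.vir
    set "REL=!SRC:%QSRC%=!"
    rem Strip the trailing ".vir"    -> \WINDOWS\system32\user32.dll
    set "REL=!REL:~0,-4!"
    set "TARGET=%DEST%!REL!"
    if /I "!DRY!"=="/dry" (
        echo [dry] "!SRC!" -^> "!TARGET!"
    ) else (
        rem Keep the file currently on disk so this step can be undone
        if exist "!TARGET!" copy /Y "!TARGET!" "!TARGET!.bak" >nul
        copy /Y "!SRC!" "!TARGET!" >nul && (
            set /a COUNT+=1
            echo restored "!TARGET!"
        ) || echo FAILED "!TARGET!"
    )
)
echo Restored !COUNT! file(s) from "%QSRC%".
endlocal
```

Run it with /dry first and compare the list against ComboFix-quarantined-files.txt: the quarantine holds everything ComboFix pulled out, so anything it removed as malicious rather than as a replaced system file should be deleted from the list, not restored.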