I’ve tried going to different places with no help, and Avast is the program that found this, so I was hoping someone here could help. Avast finds it, but if I delete it during a boot-up scan it comes back; if it’s found during normal operation I can’t do anything other than click "no action" because “avast cannot process file: C:\Windows\System32\tdlwsp.dll”. Full scans are of no help either. Malwarebytes’ Anti-Malware didn’t pick it up either, Norton couldn’t fix it, Microsoft’s Malicious Software Removal Tool didn’t fix it, SUPERAntiSpyware couldn’t pick it up, and I’ve also tried these programs during safe mode. I also have SpywareBlaster already installed.
Hey, I suggest you run a HJT scan and post the result here so maybe we could help you solve your problem. What does Avast detect the file as?
http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
You can upload this file to virustotal.com and see if it is malware or not. It sounds like it could be a false threat also if only Avast detects it and no other program does.
Good luck, and write back with your progress.
It’s not just Avast that detected it; Microsoft’s antivirus software did too, as well as their Malicious Software Removal Tool, although they weren’t able to completely remove it.
Avast says the file name is “C:\Windows\System32\tdlwsp.dll”, the malware name: Win32:Alureon-EC[Rtk], malware type: rootkit, VPS version: 091115-0, 11/15/09.
Here’s the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:04 AM, on 11/15/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [EmpoweringTechnology] C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe boot
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe
O4 - HKLM..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - (no file)
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - (no file)
O13 - Gopher Prefix:
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings/include/vzTCPConfig.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: AODService - Unknown owner - C:\Program Files\AMD\OverDrive\AODAssist.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
–
End of file - 8190 bytes
Sorry for the double post, but it’s a bit large.
Here’s the report from VirusTotal. I’m not familiar with handling viruses and the sort, so I’m lost.
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.15 -
AhnLab-V3 5.0.0.2 2009.11.13 -
AntiVir 7.9.1.65 2009.11.15 -
Antiy-AVL 2.0.3.7 2009.11.13 -
Authentium 5.2.0.5 2009.11.15 -
Avast 4.8.1351.0 2009.11.15 -
AVG 8.5.0.425 2009.11.15 -
BitDefender 7.2 2009.11.15 -
CAT-QuickHeal 10.00 2009.11.13 -
ClamAV 0.94.1 2009.11.15 -
Comodo 2957 2009.11.15 -
DrWeb 5.0.0.12182 2009.11.15 -
eTrust-Vet 35.1.7121 2009.11.14 -
F-Prot 4.5.1.85 2009.11.15 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.15 -
GData 19 2009.11.15 -
Ikarus T3.1.1.74.0 2009.11.15 -
Jiangmin 11.0.800 2009.11.12 -
K7AntiVirus 7.10.896 2009.11.13 -
Kaspersky 7.0.0.125 2009.11.15 -
McAfee 5803 2009.11.15 -
McAfee+Artemis 5803 2009.11.15 -
McAfee-GW-Edition 6.8.5 2009.11.15 -
Microsoft 1.5202 2009.11.15 -
NOD32 4610 2009.11.15 -
Norman 6.03.02 2009.11.15 -
nProtect 2009.1.8.0 2009.11.15 -
Panda 10.0.2.2 2009.11.15 -
PCTools 7.0.3.5 2009.11.13 -
Prevx 3.0 2009.11.15 -
Rising 22.21.06.05 2009.11.15 -
Sophos 4.47.0 2009.11.15 -
Sunbelt 3.2.1858.2 2009.11.12 -
Symantec 1.4.4.12 2009.11.15 -
TheHacker 6.5.0.2.070 2009.11.14 -
TrendMicro 9.0.0.1003 2009.11.15 -
VBA32 3.12.10.11 2009.11.15 -
ViRobot 2009.11.14.2037 2009.11.14 -
VirusBuster 4.6.5.0 2009.11.15 -
Additional information
File size: 8191 bytes
MD5…: 99c8c2c751162bb034c94d21b2f80c93
SHA1…: e51d53ab65e6236f9bc028e350f7ae7884420fbd
SHA256: 2eebea4a7fdb8e271495a229ad4c75ac04cd24d6217658be42579f8e90619a79
ssdeep: 192:wGpnH1Y/5UrFnVatvxK9a0x9pl2lMDh7hoG+sdGu:wGq5oFnVmq9plv7hoG+sdGu
PEiD…: -
PEInfo: -
RDS…: NSRL Reference Data Set
pdfid.: -
trid…: HijackThis logfile (100.0%)
sigcheck:
publisher…: n/a
copyright…: n/a
product…: n/a
description…: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned
You have sent the HJT log to VirusTotal, not the file. Download RootRepeal, extract the program, open the program, click on the Report tab, click Scan, tick all seven boxes, click OK, tick the C drive, scan and save the report, and post the log. If it’s huge, use the additional options to post it as an attachment: http://rootrepeal.googlepages.com/
HJT does not detect rootkits.
Download and run RootRepeal.
Sorry that you already posted your suggestion, micky. Never mind.
Okay, this time I sent the HJT.exe file to VirusTotal, and this is its log. I’m sorry if this isn’t the one you meant; I’ve tried getting to the file Avast says is the rootkit, but it isn’t there even when hidden files are shown. On a side note, I found the file now, and I can’t upload it to VirusTotal for scanning because I don’t have admin permission, even though I’m admin and have disabled UAC at the moment. I’m having a bit of trouble with RootRepeal; it keeps getting stuck at Windows’ manifest folder. Now it’s having errors, and I’ve got no clue why. Is there something else to try? On one run it did pick up the file Avast said was the problem, though. I’ve fixed Avast’s problem of being unable to access it, but even if I delete it and click the "delete during next reboot" button, it comes back. RootRepeal is now completely frozen at Windows’ manifest folder and isn’t working. Is there another tool?
I finally got MBAM to quarantine it, and even that failed. I’ve got it in the chest and deleted it from there. It’s probably going to come back; for the sake of help, please just assume it has.
a-squared 4.5.0.41 2009.11.15 -
AhnLab-V3 5.0.0.2 2009.11.13 -
AntiVir 7.9.1.65 2009.11.15 -
Antiy-AVL 2.0.3.7 2009.11.13 Worm/Win32.Mabezat.gen
Authentium 5.2.0.5 2009.11.15 -
Avast 4.8.1351.0 2009.11.15 -
AVG 8.5.0.425 2009.11.15 -
BitDefender 7.2 2009.11.15 -
CAT-QuickHeal 10.00 2009.11.13 -
ClamAV 0.94.1 2009.11.15 -
Comodo 2957 2009.11.15 -
DrWeb 5.0.0.12182 2009.11.15 -
eSafe 7.0.17.0 2009.11.15 Suspicious File
eTrust-Vet 35.1.7121 2009.11.14 -
F-Prot 4.5.1.85 2009.11.15 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.15 -
GData 19 2009.11.15 -
Ikarus T3.1.1.74.0 2009.11.15 -
Jiangmin 11.0.800 2009.11.12 -
K7AntiVirus 7.10.896 2009.11.13 -
Kaspersky 7.0.0.125 2009.11.15 -
McAfee 5803 2009.11.15 -
McAfee+Artemis 5803 2009.11.15 -
McAfee-GW-Edition 6.8.5 2009.11.15 -
Microsoft 1.5202 2009.11.15 -
NOD32 4610 2009.11.15 -
Norman 6.03.02 2009.11.15 -
nProtect 2009.1.8.0 2009.11.15 -
Panda 10.0.2.2 2009.11.15 -
PCTools 7.0.3.5 2009.11.13 -
Prevx 3.0 2009.11.15 -
Rising 22.21.06.05 2009.11.15 -
Sophos 4.47.0 2009.11.15 -
Sunbelt 3.2.1858.2 2009.11.12 -
Symantec 1.4.4.12 2009.11.15 -
TheHacker 6.5.0.2.070 2009.11.14 -
TrendMicro 9.0.0.1003 2009.11.15 -
VBA32 3.12.10.11 2009.11.15 -
ViRobot 2009.11.14.2037 2009.11.14 -
VirusBuster 4.6.5.0 2009.11.15 -
Additional information
File size: 396288 bytes
MD5…: c4ca7416a6df6d95075f81d9e3b41ad1
SHA1…: 6ebbb54156e21ac20c27ca1fb8b3ddcacc919fa8
SHA256: 825fd88fe258b67759ca3b55063956510d65a536568b54ca8d2717efbe91cbc6
ssdeep: 6144:+CjUfQ7DbE66sVHdkyUkEYn+nVewn+ob/xIytqi20dcUSGreicGGSzMZY:+CjUSbEAVG95YnNsr2ytL2cc3Gr1
PEiD…: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x142830
timedatestamp…: 0x466838c1 (Thu Jun 07 16:56:33 2007)
machinetype…: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0xfc000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xfd000 0x46000 0x45a00 7.93 8764d7eac0301131e6c79e4aa30317bf
.rsrc 0x143000 0x1b000 0x1ae00 4.69 5f1a0873640fcdb4a281dbf91049814f
( 2 imports )
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
MSVBVM60.DLL: -
( 0 exports )
RDS…: NSRL Reference Data Set
pdfid.: -
sigcheck:
publisher…: Trend Micro Inc.
copyright…: (c) 2007 Trend Micro Inc
product…: HijackThis
description…: HijackThis
original name: HijackThis.exe
internal name: HijackThis
file version.: 2.00.0002
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned
trid…: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX
packers (Antiy-AVL): UPX 0.89.6 - 1.02 / 1.05 - 1.22
@matrixdude171
Go back and read what micky77 said as you sent HijackThis.exe to be checked.
You need to download, unpack, and then run RootRepeal and post its log:
http://rootrepeal.googlepages.com/RootRepeal_1.3.5.zip
I tried running RootRepeal, but it keeps freezing whenever it reaches the Windows manifest folder on my C drive. It’s crashed both times I’ve reached that point. I’ve also just tried running it in safe mode to no avail.
I guess it’s time to back up all important files, then find the Windows Vista CD and do a clean install of Vista after a FORMAT of the hard drive.
Searching Google does not find any other fix.
Are you sure? I really can’t afford to lose this data, and I don’t have anywhere to back up files to. Are there any other programs like RootRepeal I can run? I’ve also tried GMER, but that didn’t help.
It’s time for essexboy. He is a trained guy. He will help you out. Make sure you do whatever he says.
Wait, don’t format the PC.
I have sent him a message: http://forum.avast.com/index.php?action=profile;u=11091
nmb
Thank you so much!
NP.
Don’t know when he will post here. Make sure you keep track of this topic.
nmb
Does the system have a CD reader capable of writing CDs?
Buy some blank CD-RW CDs, as they can be purchased for $15.99 for 10:
http://en.wikipedia.org/wiki/CD-RW
http://www.tigerdirect.ca/applications/category/category_slc.asp?CatId=56&name=CD-RW%20Discs
A USB Flash drive is good as well:
http://en.wikipedia.org/wiki/USB_flash_drive
http://www.newegg.ca/Product/Product.aspx?Item=N82E16820233037
Yeah, it does, and I have a few CDs, but they aren’t RWs. I have a 1-gig flash drive, and a 4-gig one as well, if that works better instead.
You can back up the data on the CDs or the flash drive.
How much data do you have that needs to be backed up?
Uh, way more than is practical via flash drive or CD. It’s like a couple hundred gigs.
Hi friends. For the last 15 days I suffered badly due to "Win32:Alureon-EC[Rtk]", which continued to pop up every 30 minutes or so and was detected by Avast. Every time I moved it to the Avast Virus Chest assuming that the problem was solved for ever, but it simply was not happening. I even scanned my computer during boot, but Avast reported it as clean. But the problem persisted.
I found “malwarebytes” and used it, but that too reported everything to be clean. Then I came across “ComboFix” at http://www.webuser.co.uk/ and from there downloaded the latest version of “ComboFix” and took my chance. At the forum they ask you to post a HijackThis log etc., but I consciously chose to ignore it as I could not afford to waste more time. I followed all instructions after running ComboFix.
I am happy to tell you that after that my problem has been solved and there has been no pop-up ever since. However, after the scan my Avast Home stopped working properly and was unable to load the main screen from which I could control the virus scan etc. I immediately uninstalled the existing version and did a fresh install of the latest Avast version. And ever since, everything appears to be working well. I just love Avast, as it has saved me numerous times from virus and spyware attacks. However, this is the first time it was unable to remove this rootkit.
I sincerely hope someone at Avast notices this post and takes some positive action to improve Avast. Thank you Avast and Thank you ComboFix.
Hi again friends.
Sorry… forgot to mention. ComboFix is a powerful program, so it’s important to use it properly. Here is a link that will lead you to a tutorial: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please use your own judgment before using ComboFix to solve your problem. I took a risk… it helped me, but all computers are configured differently.
Have fun