Thanks so much for your help, Garmanma. It's been driving me nuts, and AVG is blocking stuff really frequently now. Just had 'trojan horse generic 15.BKQQ' pop up about 5 times while doing these scans.
RootRepeal Report
"
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/24 16:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9C6B000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B76000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA808B000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\0db0251c-e470-4386-8919-54cf87d6b620.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\e7bd8d14-c941-465d-91ba-62ad33ded6f8.tmp
Status: Locked to the Windows API!
Path: c:\windows\temp\19238ee3-9131-465c-903e-4143898227ba.tmp
Status: Allocation size mismatch (API: 24, Raw: 0)
Path: C:\WINDOWS\Temp\970e1334-f537-4401-9dd2-0b06d2263360.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\c2ff0000-62c9-41e3-b0be-e27ff94a0fc5.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\6d5f097b-0440-46c3-bc26-5721e0c26f5d.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\c572dbbf-6861-4425-98ed-949c3a300abb.tmp
Status: Visible to the Windows API, but not on disk.
SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x86312f68
#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x86314b88
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x862f1dc0
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8633a898
#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x86311fd0
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x862f5cc0
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xaa235350
#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8630a2c8
#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x863123d8
#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x86312b90
#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8636c6f0
#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x86330bd8
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf79b7470
#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x863331b8
#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x86317f68
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x862af180
#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x85f4c678
#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x863166a0
#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86319b60
#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x863162c8
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xaa235580
#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86325cc0
#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86315360
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf79b7520
#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf79b75c0
#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8631a760
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf79b7660
==EOF==
"
I received an error with the Win32kDiag.txt program... it couldn't access backup? Text below...
"
Running from: C:\Documents and Settings\mwetzl\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\mwetzl\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Finished!
"
And finally, the code you gave me put this into the log file...
"
Volume in drive C has no label.
Volume Serial Number is 00B7-1775
Directory of C:\WINDOWS\system32
02/28/2006 07:00 AM 180,224 scecli.dll
Directory of C:\WINDOWS\system32
02/28/2006 07:00 AM 407,040 netlogon.dll
Directory of C:\WINDOWS\system32
02/28/2006 07:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes
Directory of C:\WINDOWS\system32\dllcache
02/28/2006 07:00 AM 180,224 scecli.dll
Directory of C:\WINDOWS\system32\dllcache
02/28/2006 07:00 AM 407,040 netlogon.dll
Directory of C:\WINDOWS\system32\dllcache
02/28/2006 07:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes
Total Files Listed:
6 File(s) 1,286,144 bytes
0 Dir(s) 20,580,782,080 bytes free
"
Does this help? I'm assuming Win32kDiag didn't run correctly; any idea how to change it? I have only AVG running.
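For anyone triaging a RootRepeal report like the one above, here is a small parser that splits the log into its sections and separates the SSDT hooks RootRepeal could attribute to a loaded driver (SYMEVENT.SYS, AVGIDSShim.sys) from those it reported as "<unknown>", and lists the Hidden/Locked Files entries with their status. This is an added example, not code from this thread or from the RootRepeal author; the embedded report is an excerpt of the log posted above, and the section/field layout it relies on (a section name followed by a dashed rule, records starting with "Name:", "Path:" or "#:", a "Status:" line per record) is taken from that log.

```python
"""Triage helper for a RootRepeal report (added example, not RootRepeal's own
code). Parses the Drivers, Hidden/Locked Files and SSDT sections and splits
SSDT hooks into attributed and unattributed ones."""
import re

# Excerpt of the report posted above, trimmed to a few records per section.
REPORT = r"""ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/24 16:26
==================================================
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA808B000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\0db0251c-e470-4386-8919-54cf87d6b620.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\c572dbbf-6861-4425-98ed-949c3a300abb.tmp
Status: Visible to the Windows API, but not on disk.
SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x86312f68
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf79b7470
==EOF==
"""

SECTION_RULE = re.compile(r"^-{5,}$")
HOOK_RE = re.compile(r'Hooked by "(?P<module>[^"]*)" at address (?P<addr>0x[0-9a-fA-F]+)')
SSDT_RE = re.compile(r"^#: (?P<index>\d+) Function Name: (?P<func>\S+)")
DRIVER_RE = re.compile(r"^Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)")


def parse_report(text):
    """Return {section_name: [record, ...]}; a record is {'head': first line,
    'lines': all of its lines}. A section starts at a line that is followed by
    a dashed rule; a record starts at a 'Name:', 'Path:' or '#:' line."""
    sections, lines, current, record = {}, text.splitlines(), None, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if SECTION_RULE.match(nxt):          # this line names a new section
            current, record = line.strip(), None
            sections[current] = []
            continue
        if current is None or SECTION_RULE.match(line):
            continue                          # banner lines before any section
        if line.startswith(("Name:", "Path:", "#:")):
            record = {"head": line, "lines": [line]}
            sections[current].append(record)
        elif record is not None:
            record["lines"].append(line)
    return sections


def driver_ranges(sections):
    """[(name, start, end)] image ranges from the Drivers section."""
    out = []
    for rec in sections.get("Drivers", []):
        name = rec["head"].partition(":")[2].strip()
        for ln in rec["lines"]:
            m = DRIVER_RE.match(ln)
            if m:
                start = int(m["addr"], 16)
                out.append((name, start, start + int(m["size"])))
    return out


def ssdt_hooks(sections):
    """[(index, function, module, address)] for each hooked SSDT entry. For a
    hook RootRepeal labelled "<unknown>", try to map the address into one of
    the listed driver images; it stays "<unknown>" when nothing contains it."""
    ranges, hooks = driver_ranges(sections), []
    for rec in sections.get("SSDT", []):
        head = SSDT_RE.match(rec["head"])
        hook = next((m for m in map(HOOK_RE.search, rec["lines"]) if m), None)
        if not head or not hook:
            continue
        module, addr = hook["module"], int(hook["addr"], 16)
        if module == "<unknown>":
            module = next((n for n, s, e in ranges if s <= addr < e), module)
        hooks.append((int(head["index"]), head["func"], module, addr))
    return hooks


def unattributed_hooks(sections):
    """Hooks that point outside every listed driver image: the ones to chase."""
    return [h for h in ssdt_hooks(sections) if h[2] == "<unknown>"]


def hidden_files(sections):
    """{path: status} for the Hidden/Locked Files section."""
    out = {}
    for rec in sections.get("Hidden/Locked Files", []):
        path = rec["head"].partition(":")[2].strip()
        status = next((ln.partition(":")[2].strip()
                       for ln in rec["lines"] if ln.startswith("Status:")), "")
        out[path] = status
    return out


if __name__ == "__main__":
    secs = parse_report(REPORT)
    for idx, func, module, addr in ssdt_hooks(secs):
        tag = "UNATTRIBUTED" if module == "<unknown>" else "attributed  "
        print(f"{tag} #{idx:03d} {func:<24} {module} @ {addr:#010x}")
    for path, status in hidden_files(secs).items():
        print(f"hidden/locked: {path}: {status}")
```

Run against the full report above, the attribution step changes nothing, because the only drivers RootRepeal listed (the two dump_* crash-dump drivers and rootrepeal.sys itself) live at 0xA9C6B000, 0xF7B76000 and 0xA808B000, while the unattributed hooks all sit at 0x85F4xxxx to 0x8636xxxx, outside any listed image; that is exactly why RootRepeal printed "<unknown>". Treat the Hidden/Locked Files list as a starting point for a raw-filesystem check rather than a verdict: the C:\WINDOWS\Temp entries have GUID-style names and one is reported as "Visible to the Windows API, but not on disk", which is consistent with temporary files created and deleted while the scan was running.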