Cannot remove mdwtha.dll virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by gcw112, Jul 12, 2006.

  1. gcw112

    gcw112 Private E-2

    Norton AntiVirus 2006 on my machine is saying that I have a high-risk virus in the system32 folder named mdwtha.dll. However, Norton AV cannot delete it and I cannot delete it manually in safe mode because it says another application is using the program at the time. Also, in looking online, I haven't seen anyone on the internet at all post about this program.

    Here's all the info from my system properties. Let me know what else you would need.

    System: Microsoft Windows XP Home Edition V. 2002 Service Pack 2

    HP Pavilion: AMD Athlon 64 Processor 3200+ 1.79 GHz, 384 MB of RAM

    Thank you for your help.

    -gcw112
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    We can help you with your problem, but I have to question why you are not screaming at Symantec for the inability of their expensive program to fix what it is finding. If we can fix these problems, why can't they? After all, you are paying for their product; it should work. Did you even call them and take them to task for the program detecting something but not fixing it? Did you first try running Norton AV after booting in safe mode? Sounds like you probably have what is called winlogonhook or conhook (everyone uses different names though).

    In order for us to help you, we require the below procedures to be run.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. gcw112

    gcw112 Private E-2

    Hello,

    I did everything in the "READ AND RUN ME" thread. I attached the files you needed. All the scans and everything worked fine. I did run NAV in safe mode and nothing helped remove mdwtha.dll. Spybot found Winsoftware.common and winsoftware.winantispyware but was unable to fix those. (I've had that annoying winantispyware pop-up blitz happening here and there, but that is less annoying than the NAV "High Risk" virus alert that takes up real estate on my screen.) Bitdefender and Panda found things which should be on the log.

    Let me know if you need more information from me or if I did anything wrong.
    -gcw112
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you notice that Bitdefender found exactly what I said your problem would be? Conhook!

    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of mdwtha.dll once and then click the kill button. After you have killed all of the mdwtha.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below two DLLs:
    ssqrpmm.dll

    Next double click on explorer.exe and again click once on each instance of mdwtha.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below two DLLs:
    ssqrpmm.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {9da07244-d5aa-454b-bd7e-48405e422164} - C:\WINDOWS\system32\mdwtha.dll
    O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\K9EVCPA7\WAS5Scan[1].exe"
    O20 - Winlogon Notify: mdwtha - C:\WINDOWS\SYSTEM32\mdwtha.dll

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now click Start, Run, and enter cmd and click OK! This will open a command prompt window. In the command prompt window enter the below commands each followed by the Enter key.
    del %windir%\temp\win*.*
    exit


    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\K9EVCPA7\WAS5Scan[1].exe
    C:\WINDOWS\SYSTEM32\mdwtha.dll
    C:\WINDOWS\system32\ssqrpmm.dll


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
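
    Added example (not part of the thread, and not code from HijackThis or MajorGeeks): a small Python triage script that parses the three HijackThis lines listed above (O2 BHO, O4 Run key, O20 Winlogon Notify), pulls out the registry location and the file each entry loads, and flags the ones a helper would want to look at: a file name from a suspect list, a program launched out of Temporary Internet Files, or one DLL registered both as a BHO and as a Winlogon Notify hook, which is the pattern seen here. The first three sample lines are quoted from the thread; the fourth is a constructed benign entry, and the `tray.exe` path in it is made up.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# One regex per HijackThis section used in the thread.
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$')

# First three lines are quoted from the thread; the last one is constructed and benign.
SAMPLE_LOG = [
    r'O2 - BHO: (no name) - {9da07244-d5aa-454b-bd7e-48405e422164} - C:\WINDOWS\system32\mdwtha.dll',
    r'O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\K9EVCPA7\WAS5Scan[1].exe"',
    r'O20 - Winlogon Notify: mdwtha - C:\WINDOWS\SYSTEM32\mdwtha.dll',
    r'O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /silent',  # constructed
]


@dataclass
class Finding:
    section: str            # O2, O4 or O20
    location: str           # where the entry lives (CLSID, Run key value, Notify name)
    path: str               # file the entry loads or runs
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)

    @property
    def basename(self) -> str:
        return self.path.rsplit('\\', 1)[-1].lower()


def _exe_from_command(cmd: str) -> str:
    """Return the program path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def parse_line(line: str) -> Optional[Finding]:
    """Turn one O2/O4/O20 line into a Finding; other sections return None."""
    if m := O2_RE.match(line):
        return Finding('O2', 'BHO ' + m['clsid'], m['path'].strip())
    if m := O4_RE.match(line):
        return Finding('O4', m['key'] + ' [' + m['value'] + ']', _exe_from_command(m['cmd']))
    if m := O20_RE.match(line):
        return Finding('O20', 'Winlogon Notify ' + m['name'], m['path'].strip())
    return None


def triage(lines: Iterable[str], suspects: Iterable[str]) -> list:
    """Parse the log and attach a reason to every entry that deserves a look."""
    suspect_names = {s.lower() for s in suspects}
    findings = [f for f in (parse_line(l.strip()) for l in lines) if f is not None]

    # Per-line checks.
    for f in findings:
        if f.basename in suspect_names:
            f.reasons.append('references suspect file ' + f.basename)
        if 'temporary internet files' in f.path.lower():
            f.reasons.append('program runs from the browser cache')

    # Cross-line check: the same DLL acting as BHO and as Winlogon Notify hook.
    bho_dlls = {f.basename for f in findings if f.section == 'O2'}
    notify_dlls = {f.basename for f in findings if f.section == 'O20'}
    for f in findings:
        if f.section in ('O2', 'O20') and f.basename in bho_dlls & notify_dlls:
            f.reasons.append('same DLL is both a BHO and a Winlogon Notify hook')
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG, {'mdwtha.dll', 'ssqrpmm.dll'}):
        mark = 'FLAG' if f.flagged else 'ok  '
        print(f'{mark} {f.section:<3} {f.location}: {f.path}')
        for r in f.reasons:
            print('         - ' + r)
```

Run it as-is to see the three thread lines flagged and the constructed line pass; feed it a real HijackThis log by replacing `SAMPLE_LOG` with the file's lines. The cross-line rule is the useful part: a BHO and a Winlogon Notify entry pointing at the same DLL is exactly why the thread has to kill the DLL's threads under both winlogon.exe and explorer.exe before the file can be deleted.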
     
  5. gcw112

    gcw112 Private E-2

    Well, it seems to have worked. NAV is not giving me the "High Risk" virus alert anymore. The only problem I seemed to receive was when I was cleaning with HiJack This I got an "Error #52 (Bad file name or Number) in Sub GetLongPath1exe".exe" message.

    The HiJackThis log is attached. Is there anything else I have to do? Should I Disable the Restore points and reboot now?

    Thanks for everything,
    gcw112
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not yet! We are not finished yet.

    Did you miss the below line to fix with HJT or did the error occur while fixing this line?


    O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\K9EVCPA7\WAS5Scan[1].exe"


    Fix it now. Does it stay fixed? Look for the file and delete it! The file is:

    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\K9EVCPA7\WAS5Scan[1].exe

    Let me know your results. You have multiple realtime spyware blocking tools running and they could block changes.

    Is Spy Sweeper a free trial or paid version?
     
  7. gcw112

    gcw112 Private E-2

    When I tried to fix this line using HJT, I received the same message again: "Error #52 (Bad file name or Number) in Sub GetLongPath(exe".exe)".

    When looking for the file to delete it, I couldn't find it. The K9EVCPA7 folder doesn't show up on my windows and it can't be found, even though my hidden files and folders should be able to be viewed.

    The Spy Sweeper I have came with a one-year subscription as a package with the computer I bought so I imagine it is the paid version, even though I got it for free.

    Also, I have to confess that I did disable then enable the restore points. I was waiting for your response, but I freaked out later in the day with the fear that if I didn't disable the restore points after fixing the initial virus, that it would somehow come back by being on the computer all day. Sorry about that.

    Please let me know what I should do next.

    Thanks,
    gcw112
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is Spy Sweeper still in its one year period and are you getting updates?

    Now run the below procedure and attach the runkeys.txt log.
     
  9. gcw112

    gcw112 Private E-2

    I am still in the one-year period where I can get updates.

    I have attached the runkeys.text below.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First uninstall Windows Defender since you have a paid version of Spy Sweeper.

    Then disable Spy Sweeper's active protection or shut the program down.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    If this does not fix it, please continue with the below:

    Download and install Registrar Lite

    Copy and paste the below into the Address box of Registrar Lite and hit the Enter key.


    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run

    Then click the Security pull down on the top menu and choose Take Ownership. Click OK in the next window to approve it.

    Now locate the below value in the right Window pane and click on it to select it.

    NI.UWAS5LP_0001_0811

    Now right click on the above key and select delete.

    Now exit Registrar Lite

    Attach a new HJT log.
     
  11. gcw112

    gcw112 Private E-2

    I did all that you said. Here is the HJT log. Please let me know what the next step is.

    -gcw112
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks good other than the Sony rootkit that you have. This is due to Sony Digital Rights Management which you may need to play your Sony CDs. You can read more about this rootkit here: http://www.bleepingcomputer.com/forums/topic34904.html

    How are things working now?
     
  13. gcw112

    gcw112 Private E-2

    Things seem to be working well now. Should I disable restore points?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
