Bn* Tmp Programs Accessing Internet


  • This topic is locked This topic is locked
14 replies to this topic

#1 CluelessNI

CluelessNI

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:03:08 PM

Posted 03 March 2008 - 11:22 AM

Hi,

I recently worked on a friend's computer (with the aid of bleepingcomputer.com) which appeared to have a VUNDO infection. I had thought this had been successfully removed but the PC is still not working correctly. Essentially whenever the PC is booted IE returns an error 'cannot find page'. This can be corrected by using Winsockfix but obviously this cannot go on indefinitely. In addition they get a large number of Trojan alerts. These are of a variety but the common ones are LogCrypt.dll and WLCtrl.dll. Although they can be healed (not removed) this is also extremely annoying. Finally I have recently noticed that a program BN*.tmp is constantly trying to access the internet. The * represents any number from 1 to 6. I tried deleting them from C:\Windows\Temp but they keep recreating. I understand they can be associated with VUNDO so I am guessing I had not fully removed it as previously thought. I have run WinPFind and have a log but I am not sure if you want it posted here. Another aspect, which may be totally spurious, is that whenever I go to a new page for the first time IE always returns 'page cannot be found'. However if I back arrow then try again the page always loads on the second attempt. This may have nothing to do with my problem but I thought I would mention it anyway as re-direction of pages had been a problem previously. Other tools that I used on the previous occasion were HJT and a number of VUNDO tools. Any thoughts/advice/comments are welcome. With thanks.



#2 Da.One

Da.One

  • Banned
  • 41 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:08 AM

Posted 03 March 2008 - 11:54 AM

I just dealt with this infection yesterday morning. I'm not sure that they have been completely removed yet from my comp even. First of all, end the tasks with your task manager so you can delete the BN* files from the temp folder. Then delete the temp folder so they can't load.

I would also suggest searching the registry for BN(number) and then deleting those keys.
Also search the registry for WLCtrl.dll and delete the key that it is under (there is a whole folder).

Use Spyware Terminator's analyze file tool on WLCtrl.dll. It will show what .exe it's running under.

I've been able to remove the WLCtrl.dll from my computer (yesterday as well), though I didn't take note of which registry file it used.

Logs of any kind are always helpful (can't hurt right?).

Edited by Da.One, 03 March 2008 - 11:57 AM.


#3 CluelessNI

CluelessNI
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:03:08 PM

Posted 03 March 2008 - 04:36 PM

Hi Da.One.
Thanks for this. I have tried all of the above and have been generally successful. With regard to BN1 et al I have deleted the Temp folder and it seemed OK. I have had one re-appearance (I deleted the folder again) and touch wood seems OK. Spyware terminator was extremely useful in identifying the problem areas and removing most of them. My one remaining problem is WLCtrl32.dll. I cannot delete this from my C:\windows\system32 folder. Even booting into safe mode does not allow it and Terminator does not remove even on reboot. I can delete the folder in the registry but this just gets recreated. I also tried renaming the .dll which it allowed me to do. However it just created another copy of the .dll. If you have any further thoughts I would love to hear them. With thanks.

#4 Da.One

Da.One

  • Banned
  • 41 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:08 AM

Posted 03 March 2008 - 05:40 PM

Could you please run your Spyware Terminator's analyze utility on WLCtrl32.dll? This would help identify what .exe it's running under. Do this by going to the Spyware Scan tab and selecting Utilities, then Analyze File. It will also find all registry keys that point to it.

Copy the analysis and post it in your next post.

Edited by Da.One, 03 March 2008 - 05:41 PM.


#5 CluelessNI

CluelessNI
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:03:08 PM

Posted 03 March 2008 - 06:02 PM

OK - please find below a copy of the analysis:


Analyzing file C:\WINDOWS\system32\WLCtrl32.dll

File size: 11,776
File MD5: 546DDEE826A612E0D0F5189FA07D0781


Scanning Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\d C:\WINDOWS\system32\WLCtrl32.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll\a C:\WINDOWS\system32\WLCtrl32.dll
Done

I hope this is of use. With thanks,

#6 Da.One

Da.One

  • Banned
  • 41 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:08 AM

Posted 03 March 2008 - 06:34 PM

Regarding when you renamed the extension of WLCtrl32.dll: did the file get restored instantly (including upon refreshing the folder), or did it only get restored after you restarted your computer?

----------------------------------------
Before we try the next step, I would like to ask which registry keys you deleted previously that were automatically restored. It definitely was not

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\d C:\WINDOWS\system32\WLCtrl32.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll\a C:\WINDOWS\system32\WLCtrl32.dll

, as those are not keys that run files and it would not make sense for the virus to restore those.

Please open regedit, and search with ctrl+f (checking only the Keys box). Copy the name of the key(s) you find. If there are no keys, then check Values and Data and search again.
------------------------------------------------------------
This actually was not as useful as I would have thought, though it does help as now I know that this is the same version I had. The log did not show what process it ran under.

We will find which process it runs under using HijackThis then.

Download HJT here: http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exe
(no install needed)
Save onto your desktop for ease of use.

Run HJT. Select Misc Tools. Select Process manager. Check the box "show dlls". Select the process winlogon.exe. Look in the dll list and see if you find WLCtrl32.dll. If not, repeat for the other system services.

DO NOT USE OTHER FUNCTIONS OF HJT! It could seriously damage your computer.

Sorry about fitting a lot of stuff into one post.

Edited by Da.One, 03 March 2008 - 06:35 PM.


#7 CluelessNI

CluelessNI
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:03:08 PM

Posted 03 March 2008 - 07:48 PM

That's great - it's not as much as it seems as I know these are not the keys I deleted. I found and deleted the WLCtrl32 folder at HKLM>Software>Microsoft>WindowsNT>CurrentVersion>Netlogon>Notify.
I have HJT installed and have used it considerably of late. I will run the dll check and come back to you.
Thanks.

#8 CluelessNI

CluelessNI
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:03:08 PM

Posted 03 March 2008 - 07:58 PM

OK - I did what you said and HJT confirms that it is running under the netlogon process as stated previously. With thanks.

#9 Da.One

Da.One

  • Banned
  • 41 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:08 AM

Posted 03 March 2008 - 08:07 PM

Netlogon.exe and not winlogon.exe?! Please confirm this as misidentification could cause problems.

This is very very bad news. Netlogon.exe is identified as malware.
Please read this article: http://www.bleepingcomputer.com/startups/n...n.exe-8095.html

I would have expected for the WLCtrl32.dll to run under a legit windows process.

It is likely that these programs restore each other: Delete one, it's restored. Delete all but one, that restores another, which restores another and then another.

We need to take this step by step to kill all parts of the infection at once.

Please run analysis on Netlogon.exe after finding the file with search. Again, post the report back here.


----------------------------------------------------------
Also after identifying the file, follow the removal instructions for netlogon.exe here. http://www.symantec.com/security_response/...-99&tabid=3

*You may have to end task the process first, or change the extension to end the task etc.

This may also be good news because since WLCtrl32.dll runs under netlogon, we might just be able to get two evil virus birds with one stone.

Edited by Da.One, 03 March 2008 - 08:11 PM.


#10 CluelessNI

CluelessNI
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:03:08 PM

Posted 04 March 2008 - 04:00 AM

Sorry - my mistake. It must be the late hour at which we were working. WLCtrl32 is running under the Winlogon process. I searched the registry and there was no Netlogon.exe (although there is a Netlogon.dll running under the Lsass.exe process - I assume this is legit and separate from the .exe with the same name). Sorry for the confusion. Thanks.

#11 Da.One

Da.One

  • Banned
  • 41 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:08 AM

Posted 04 March 2008 - 11:50 AM

No big problem at all.

Ok, WLCtrl32 will restore the registry keys instantly if they are deleted. But WLCtrl32 will only be restored by the registry keys on bootup. So first change the extension of WLCtrl32 to .txt to stop it from running. Try to delete the file or move it etc. To make sure it's no longer running, analyze it with Spyware Terminator (if it was running, the analysis log will say RUNNING).

Then proceed to deleting the keys HKLM>Software>Microsoft>WindowsNT>CurrentVersion>Netlogon>Notify>WLCtrl32

Before deleting, please right click on the folder WLCtrl32 and select export. Export it to your desktop for now. Change the extension of the .reg file to .txt. Open the .txt file and copy the contents here in your next post. This will help us determine where WLCtrl32 is being loaded from at startup. It would greatly benefit future removals (and this one too if the registry key somehow is restored).

Thank you for your patience between replies. I will probably only be able to post again at around 4:00pm EST.

Edited by Da.One, 04 March 2008 - 11:52 AM.


#12 CluelessNI

CluelessNI
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:03:08 PM

Posted 04 March 2008 - 06:43 PM

Hi - I am sorry about the delay but I have been trying a number of options. Firstly I tried your previous suggestion. I was able to both rename and move the WLCtrl32.dll but it does not allow me to delete it. I then deleted the WLCtrl32 folder in the registry. I tried this a number of times but every time they both recreated. I have attached a copy of this folder saved as a .txt file at the end of this entry.

I have tried running both ComboFix and SDFix (which I had read elsewhere on the web could be of use) with mixed results. The ComboFix removed other stuff but did not seem to touch WLCtrl32.dll, although it could clearly see it (as the log shows). SDFix did better - it claimed to have removed WLCtrl32.dll. However it is clearly there but there is now another file - WLCtrl32.dll.REN. I am assuming that although SDFix did not remove this file it has neutralised it. This may be borne out by the fact that Spyware Terminator Analysis tool does not show the file as RUNNING.

I don't want to burden you with log files but I can provide the following if you want (please let me know):

HJT (also indicates that WLCtrl32.dll is no longer running).
ComboFix
SDFix
Spyware Terminator Analysis Log.

For now here is a copy of the registry folder:

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32
Class Name: <NO CLASS>
Last Write Time: 2008-03-04 - 00:31
Value 0
Name: DLLName
Type: REG_SZ
Data: WLCtrl32.dll

Value 1
Name: StartShell
Type: REG_SZ
Data: WLEventStartShell

Value 2
Name: Impersonate
Type: REG_DWORD
Data: 0x0

Value 3
Name: Asynchronous
Type: REG_DWORD
Data: 0x0

With thanks.
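The exported key above is a Winlogon notification package: on Windows XP/2003, winlogon.exe loads every DLL listed under Winlogon\Notify at logon and calls the named event handlers (here `WLEventStartShell`), which is why the DLL showed up under winlogon.exe in HJT's "show dlls" view and why a bare `DLLName` resolves from System32. The following read-only audit script is an added example written for this thread; it is not code from the thread or from Spyware Terminator, HJT, ComboFix or SDFix. It assumes Windows PowerShell 4.0 or later (for `Get-FileHash`) run from an elevated prompt, and it assumes the Notify key exists (later Windows versions no longer honor it, so an empty result is normal there). Function names and the `Suspicious` rule are my own.

```powershell
# Added example, not from the thread. Audits Winlogon notification packages
# (the persistence mechanism used by WLCtrl32.dll) and lists BN*.tmp droppers
# in %SystemRoot%\Temp. Read-only: it changes nothing on the system.
# Assumes Windows PowerShell 4.0+ and an elevated prompt.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyAudit {
    param([string]$Key = $NotifyKey)

    # XP/2003 load every subkey here into winlogon.exe at logon.
    # On Vista and later the key is not honored, so an empty list is expected.
    if (-not (Test-Path -LiteralPath $Key)) { return @() }

    foreach ($sub in Get-ChildItem -LiteralPath $Key) {
        $props   = Get-ItemProperty -LiteralPath $sub.PSPath
        $dllName = [string]$props.DLLName

        # A bare name such as "WLCtrl32.dll" is resolved from System32,
        # exactly as the exported key above (Data: WLCtrl32.dll) relied on.
        $dllPath = $null
        if ($dllName) {
            $dllPath = if ([System.IO.Path]::IsPathRooted($dllName)) { $dllName }
                       else { Join-Path $env:SystemRoot ("System32\" + $dllName) }
        }
        $exists = [bool]($dllPath -and (Test-Path -LiteralPath $dllPath))

        $sigStatus = 'FileMissing'
        $md5       = $null
        $loadedBy  = @()
        if ($exists) {
            # Publisher check: legitimate notification packages are Microsoft-signed.
            $sigStatus = (Get-AuthenticodeSignature -FilePath $dllPath).Status.ToString()
            # MD5 so the row can be compared with the hash an analyzer printed
            # (the thread's analysis log reported File MD5 for WLCtrl32.dll).
            $md5 = (Get-FileHash -LiteralPath $dllPath -Algorithm MD5).Hash
            # Which processes currently have the DLL mapped; this is what the
            # HJT "show dlls" step in the thread answered manually.
            foreach ($p in Get-Process) {
                try {
                    if ($p.Modules | Where-Object { $_.FileName -ieq $dllPath }) {
                        $loadedBy += "$($p.ProcessName)($($p.Id))"
                    }
                } catch { }   # access denied on protected/system processes is normal
            }
        }

        [PSCustomObject]@{
            SubKey     = $sub.PSChildName
            DLLName    = $dllName
            Path       = $dllPath
            Exists     = $exists
            Signature  = $sigStatus
            MD5        = $md5
            LoadedBy   = ($loadedBy -join ', ')
            # Flag anything whose file is missing or is not validly signed.
            Suspicious = (-not $exists) -or ($sigStatus -ne 'Valid')
        }
    }
}

function Get-TempDropperFiles {
    # Lists the BN*.tmp files the thread describes in C:\Windows\Temp so their
    # recreation can be watched over time (creation time is the useful column).
    param([string]$Pattern = 'BN*.tmp')
    $tempDir = Join-Path $env:SystemRoot 'Temp'
    Get-ChildItem -LiteralPath $tempDir -Filter $Pattern -File -ErrorAction SilentlyContinue |
        Select-Object Name, Length, CreationTime, LastWriteTime
}

# Usage: review the Suspicious column first, then the LoadedBy column.
Get-WinlogonNotifyAudit | Format-Table -AutoSize
Get-TempDropperFiles    | Format-Table -AutoSize
```

On a clean XP system the Notify key normally holds Microsoft entries such as crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv and wlballoon, all pointing at signed DLLs in System32; an entry like WLCtrl32 with an unsigned or missing file is the kind of row the `Suspicious` flag is meant to surface. The script only reports; as the thread shows, deleting the key or the file while the DLL is still loaded in winlogon.exe just lets the other component restore it, so the `LoadedBy` column tells you whether removal is even possible yet.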

#13 Da.One

Da.One

  • Banned
  • 41 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:08 AM

Posted 04 March 2008 - 06:57 PM

Log files are always welcome.:thumbsup:

It seems that though the traces in the registry are still present, this threat, as you said, has been neutralized. It will probably be there forever... rotting to death slowly not being used :flowers:. To check, replace the temp folder in system32 and see if the BN* files get recreated.

There is another part of the infection that is restoring the registry values. However, it would be impossible to delete them until the malware scanner dudes find out what files they are.

I was wondering if LogCrypt.dll is still on your computer? SDfix should have taken care of it (the log would help).

Are the symptoms still present on the computer? If so then there is other malware that we have to take care of. If not, then I would simply advise you to delete the previous restore points to prevent the infection from being restored.

Edited by Da.One, 04 March 2008 - 06:58 PM.


#14 Da.One

Da.One

  • Banned
  • 41 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:08 AM

Posted 05 March 2008 - 12:11 PM

This virus seems to have returned on my computer on a USB Stick. I was able to remove it from my stick with Flash_disinfect but now it's on my comp again...

#15 TMacK

TMacK

  • Members
  • 4,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:B.C. Canada
  • Local time:07:08 AM

Posted 05 March 2008 - 12:27 PM

Hello CluelessNI,

I've moved your HijackThis log to the appropriate forum.
Here is the link:
http://www.bleepingcomputer.com/forums/t/134691/cluelessni-hjt-log/

Now that you have a HJT log posted in the Misplaced HijackThis Logs forum, you shouldn't make any changes to your system.
Doing so, could change the results of the posted log, making it difficult to properly clean your system.

This topic will now be closed, since you have an open log posted.
If you have any questions, feel free to send me a PM.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner
