Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't Delete Winctrl32.dll


  • Please log in to reply
9 replies to this topic

#1 gharkam

gharkam

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:59 PM

Posted 15 September 2008 - 07:22 AM

Hi,

i have tried MBAM as dowloaded from this site. It seems to mark the bad dlls/sys files for deletion on reboot. However all these files/reg entries still shows up after reboot. It seems to collect more bad applications in my C:\windows\system32 directory.

My system details are:
Microsoft Windows XP Home Edition Version 2002 Service Pack 2.

The MBAM log looks like this:
Malwarebytes' Anti-Malware 1.28
Database version: 1154
Windows 5.1.2600 Service Pack 2

15/09/2008 17:13:14
mbam-log-2008-09-15 (17-13-14).txt

Scan type: Quick Scan
Objects scanned: 46967
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windl86 (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windl86 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windl86 (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcv1cj0er1q.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcv1cj0er1q.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcv1cj0er1q.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Windl86.sys (Rootkit.Agent) -> Delete on reboot.
--------------------------------------------------

It also seems to slow the computer a lot as shutdown takes almost 2 minutes!

Another issue i have noticed i increase in number of SVCHOST processes - not sure if these two are linked?
Please help !

Regards,
gk

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:59 PM

Posted 15 September 2008 - 10:44 AM

Your MBAM log indicates some files will be deleted on reboot. If MBAM encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. If you have not rebooted, make sure you do this. When done, rescan again with MBAM and check all items found for removal. Then click the Logs tab and copy/paste the contents of the new report in your next reply. If you did reboot, then rescan again anyway and post a new log.

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 gharkam

gharkam
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:59 PM

Posted 16 September 2008 - 05:14 AM

Hi "Quiteman7"

Thanks for your quick response.
Seems like my worst fears regarding this PC infection came true. i have rebooted/re-scanned using MBAM atleast 4 times. Both Winctrl32.dll and windl86.sys seem indestructible. i have even tried locked file remover tool (file assassin). It comes back saying it can't delete the file and asks for reboot. Both files remain intact after reboot.

re-format/Restore could be the only options left. However my concern is how can i make sure my pc doesnt get infected again with this same malware? i already have mcafee suit guarding my pc. This along with host of malware removal tools/online guards seem to be ineffective against this particular malware.

Another thing i am wondering is how come other users infected were able to delete these very files from their machines? What could be so unique in my case?

Regards,
bhupen.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:59 PM

Posted 16 September 2008 - 07:02 AM

i am wondering is how come other users infected were able to delete these very files from their machines?

Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is a hidden piece of malware which has not been detected that protects files (which have been detected) and registry keys so they cannot be permanently deleted.

It comes back saying it can't delete the file and asks for reboot. Both files remain intact after reboot.

Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need you to create and post a hijackthis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 9 there are instructions for downloading the HijackThis Installer and creating a log. This is an automatic setup version which will install the program in the proper location.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links I previously provided. As I already said, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action but I cannot make that decision for you. If you choose to reformat, instead of posting a hijackthis log, reply back here for instructions on how to do that and tips to avoid reinfection.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 gharkam

gharkam
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:59 PM

Posted 17 September 2008 - 02:21 AM

While trying some combinations yesterday finally i was able to delete Windl86.sys !
However, i am not sure exatcly what might have worked. i had 3 windows open - regedit, taskmgr and dos (cmd). Initially i was desperately trying to delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\Windl86 - it didn't allow that. At the same time i was also terminating some process which i thought were not essential for the session. Then i tried "del Windl86.sys" in drivers directory. To my surprise it actually worked !!
Then on i ran MBAM again - as ususal it marked WinCtrl32.dll fro deletion on reboot. Upon reboot these files along with their registry entries was gone. i seem to have got rid of that rootkit finally !
The bad part is i did not make a note of exactly which processes i terminated.

After that i have run MBAM in fast scan and full scan modes. It came back clean. i ran spybot s&d and it found two malicious registry entries related to windows setup. After deleteing those entries i ran full scan using Mcafee.
Things seem to be OK now. i have created a new system restore point as well.

There are couple of doubts regarding a process - maybe you can clarify.
1) CTFMON - According to spybot s&d this is a potential gateway for malwares. Is this true? What precautions we can take?
2) Taskmgr shows some processes in caps and some in lower case. i have noticed most executable file names in WINDOWs directory are in lower case. Is this an indication that malware may still be hidden behind some valid looking process? (e.g. EXPLORER.EXE or LSASS.EXE etc). The modification timestamp for these files is couple of months/years back.

gk-

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:59 PM

Posted 17 September 2008 - 08:13 AM

Ctfmon.exe is a file that installs with Windows when you configure the language options. It also is installed with Office XP applications and activates the "Alternative User Input Text Input Processor" and the "Language Bar". This program monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies. If you do not use these features, then this process does not need to be running. However, if disabled in MSConfig or with a startup manager, Ctfmon.exe will re-appear on the next bootup. In order to prevent it from running, follow the steps provided in "What is ctfmon.exe And Why Is It Running?". ALso see "How to turn off the speech recognition in Office".

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

Most of the processes in Task Manager will be legitimate as shown in these links.
List of common system processes found in XP's Task Manager
Common Processes found in XP's Task Manager
How To Determine what Services are running in Windows XP

If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
-- Then post back with the results of the file analysis.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 gharkam

gharkam
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:59 PM

Posted 19 September 2008 - 01:13 AM

Thaks a lot for your help. It was really useful. :thumbsup:

gk-

#8 Noypi_to_its

Noypi_to_its

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 19 September 2008 - 04:30 AM

if a certain file is identified as a virus and it can't be deleted, the quickest way to remove it is to remove its permissions for all users using this command...

cacls filename /t /c /p everyone:n

after removing its permission from everyone, just restart your computer and files that are processed wont be running anymore.

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:59 PM

Posted 19 September 2008 - 06:27 AM

You're welcome.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 gharkam

gharkam
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:59 PM

Posted 19 September 2008 - 10:23 AM

Thanks "Noypi_to_its", this will be very useful.
i think "/c" switch is the key here.

Hmm, i just tried it on a test file on my D drive. It came back with an error:
"The Cacls command can be run only on disk drives that use the NTFS file system."

gk-




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users