
WinCtrl32.dll - Trojan-Downloader.Win32.Mutant.bqb


6 replies to this topic

#1 JesseD
  • Members

Posted 15 December 2008 - 07:31 PM

OK, I cannot seem to delete this file: C:\Windows\System32\WinCtrl32.dll

I have (in safe mode) run Autoruns.exe and disabled WinCtrl32.dll.
Deleted the file.
Emptied the recycle bin.
Restarted computer and it is back.

Went back into safe mode.
Ran Autoruns.exe and re-disabled WinCtrl32.dll (there were two entries now, one checked, one unchecked).
Disabled both.
Tried to delete the file now and it says that access is denied.
Ran Autoruns.exe again and enabled both.
Closed it, reopened it; only one entry again, disabled it ... it still will not let me delete it.

Bought a program, RegistryBooster (http://www.liutilities.com/products/campaigns/affiliate/cb/offer/bleeping/rb/). Ran it and it still did not work.

I don't know what else to do :thumbsup:

I have gone through the whole freakin' list and disabled a few trojans and other unnecessary files; all of them came off no problem, only this file stays.


#2 garmanma
    Computer Masochist
  • Staff Emeritus

Posted 15 December 2008 - 08:08 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Mark

#3 JesseD
  • Topic Starter

Posted 15 December 2008 - 09:47 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1504
Windows 5.1.2600 Service Pack 3

12/15/2008 8:46:34 PM
mbam-log-2008-12-15 (20-46-34).txt

Scan type: Quick Scan
Objects scanned: 57870
Time elapsed: 9 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winwd45 (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winwd45 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winwd45 (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\Winwd45.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

#4 JesseD
  • Topic Starter

Posted 15 December 2008 - 10:15 PM

Ran it again in Safe Mode, and it's still there.
Also, when I try to check the Winwd45.sys file in Autoruns.exe it tells me "error changing item state: Access is denied".

Malwarebytes' Anti-Malware 1.31
Database version: 1504
Windows 5.1.2600 Service Pack 3

12/15/2008 9:10:24 PM
mbam-log-2008-12-15 (21-10-24).txt

Scan type: Quick Scan
Objects scanned: 56942
Time elapsed: 9 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winwd45 (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winwd45 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winwd45 (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\Winwd45.sys (Rootkit.Agent) -> Delete on reboot.

Edited by JesseD, 15 December 2008 - 10:17 PM.
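
The two MBAM logs above point at the same pair of persistence entries each time: a Winlogon Notify package (Winlogon\Notify\WinCtrl32, whose DLLName is loaded into winlogon.exe at boot) and a kernel driver service (Services\winwd45 with drivers\Winwd45.sys). The "Access is denied" from Autoruns and the repeated "Delete on reboot" are what a driver that is already loaded looks like from user mode. The following is an added example, not code from the thread or from any of the tools named in it: it enumerates both of those persistence points on the local machine and flags images that are missing or carry no valid Authenticode signature. It assumes PowerShell 2.0 or later running as an administrator; the names WinCtrl32 and winwd45 are only the thread's indicators and nothing below is specific to them.

```powershell
# Added example (not from the thread): triage Winlogon Notify packages and
# driver services, the two persistence points shown in the MBAM logs.
# Assumes PowerShell 2.0+, run elevated. Names in the thread (WinCtrl32,
# winwd45) are not hard-coded; every entry is listed and judged the same way.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sysDir    = [Environment]::SystemDirectory          # e.g. C:\WINDOWS\system32

function Get-ImageTrust {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return 'Signed: ' + $sig.SignerCertificate.Subject }
    return 'UNSIGNED (' + $sig.Status + ')'
}

# Service ImagePath values come in several spellings; turn them into a real path.
function Resolve-ImagePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                     # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot     # \SystemRoot\... -> C:\WINDOWS\...
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

function Get-PersistenceFindings {
    $out = @()
    # 1. Winlogon Notify: DLLName is loaded into winlogon.exe (running as SYSTEM)
    #    before any user logs on. XP/2003 only; the mechanism was removed in Vista.
    if (Test-Path $notifyKey) {
        foreach ($k in Get-ChildItem $notifyKey) {
            $dll = (Get-ItemProperty $k.PSPath).DLLName
            if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $sysDir $dll }
            $out += New-Object PSObject -Property @{
                Kind = 'WinlogonNotify'; Name = $k.PSChildName; Image = $dll; Trust = (Get-ImageTrust $dll) }
        }
    }
    # 2. Driver services (Type 1 = kernel driver, 2 = file system driver). Start 0/1
    #    drivers are loaded before smss.exe; once loaded, a driver can make its own
    #    key and file "Access is denied" to Autoruns and "Delete on reboot" for MBAM.
    foreach ($k in Get-ChildItem $svcRoot) {
        $p = Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue
        if ($p -and $p.ImagePath -and ((1, 2) -contains $p.Type)) {
            $img = Resolve-ImagePath $p.ImagePath
            $out += New-Object PSObject -Property @{
                Kind = "Driver(start=$($p.Start))"; Name = $k.PSChildName; Image = $img; Trust = (Get-ImageTrust $img) }
        }
    }
    return $out
}

# Only the entries that are missing on disk or not validly signed need a second look.
Get-PersistenceFindings |
    Where-Object { $_.Trust -notlike 'Signed:*' } |
    Sort-Object Kind, Name |
    Format-Table Kind, Name, Image, Trust -AutoSize
```

Two caveats when reading the output. A stock XP install has a handful of Microsoft Notify packages (cscdll, ScCertProp, sclgntfy and a few others), so an entry is not suspicious merely for existing; what stands out is a name that is not on a known-good list and a DLL that was written recently or is unsigned. And on XP, Get-AuthenticodeSignature does not consult the OS signing catalogs, so most Microsoft drivers report NotSigned too; treat the list as a triage queue to compare against a clean machine, not as a verdict.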


#5 PropagandaPanda
  • Malware Response Team

Posted 16 December 2008 - 01:17 AM

Hello JesseD.

Let's see if OTMoveIt can remove this.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :services
    winwd45
    
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

With Regards,
The Panda
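
The OTMoveIt script above does two things: the :services section deletes the winwd45 service definition, and the :reg section deletes the Winlogon Notify subkey that loads WinCtrl32.dll. What follows is an added example, not the thread's or OldTimer's code, showing the same removal done by hand in PowerShell, plus the "delete on reboot" step the scanners were attempting on the two files. It assumes PowerShell 2.0 or later running as an administrator and that these two entries are the only persistence points; a rootkit driver that is still loaded may refuse any of the steps, in which case the same edits have to be made from Safe Mode or with the disk mounted offline.

```powershell
# Added example (not from the thread): manual equivalent of the OTMoveIt script,
# plus a delayed delete for files that are held open. Run elevated; PowerShell 2.0+.
# Assumption: the service and Notify subkey below are the only persistence points.

$svc    = 'winwd45'
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32'
$dll    = Join-Path ([Environment]::SystemDirectory) 'WinCtrl32.dll'
$drv    = Join-Path ([Environment]::SystemDirectory) 'drivers\Winwd45.sys'

# Record the driver's image path before the service definition disappears.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
if (Test-Path $svcKey) { 'ImagePath: ' + (Get-ItemProperty $svcKey).ImagePath }

# 1. Service. In PowerShell 'sc' is an alias for Set-Content, so call sc.exe explicitly.
sc.exe stop   $svc | Out-Null      # harmless if the driver is not running
sc.exe delete $svc                 # a loaded driver is only marked for deletion; takes effect at reboot

# 2. Winlogon Notify: remove the whole subkey so winlogon.exe stops loading DLLName.
if (Test-Path $notify) { Remove-Item -Path $notify -Recurse -Force }

# 3. Files. A DLL mapped into winlogon.exe cannot be deleted from user mode, which is
#    the "Access is denied" in the first post. Queue it the way MoveFileEx with
#    MOVEFILE_DELAY_UNTIL_REBOOT does: pairs of (source, target) in
#    PendingFileRenameOperations, an empty target meaning delete. smss.exe applies
#    the list early in boot, after boot/system-start drivers have loaded but before
#    winlogon, so it beats the Notify DLL but not necessarily a Start=0/1 driver.
#    That is why step 1 must remove the service definition as well.
function Remove-FileAtReboot {
    param([string]$Path)
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = @()
    $existing = (Get-ItemProperty $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($existing) { $pending += $existing }          # keep entries other software already queued
    $pending += "\??\$Path"                           # NT-style source path
    $pending += ''                                    # empty target = delete
    Set-ItemProperty -Path $smKey -Name PendingFileRenameOperations -Value ([string[]]$pending) -Type MultiString
}

foreach ($f in $dll, $drv) {
    if (Test-Path -LiteralPath $f) {
        try   { Remove-Item -LiteralPath $f -Force -ErrorAction Stop; "deleted now: $f" }
        catch { Remove-FileAtReboot $f; "queued for delete at reboot: $f" }
    }
}
# Reboot normally (not Safe Mode), then confirm the service key, the Notify subkey and
# both files are gone before trusting the machine again.
```

If the file reappears after the reboot even though the Notify subkey and the service are gone, something else is re-dropping it and the enumeration has to be widened beyond these two locations; in that situation an offline scan of the disk is more reliable than anything run from the infected OS.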

#6 JesseD
  • Topic Starter

Posted 16 December 2008 - 06:20 PM

I got it. I used:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 12/16/2008 at 02:51 PM
Application Version : 4.23.1006
Core Rules Database Version : 3676
Trace Rules Database Version: 1655
Scan type : Complete Scan
Total Scan Time : 00:22:48
Memory items scanned : 369
Memory threats detected : 0
Registry items scanned : 5904
Registry threats detected : 7
File items scanned : 23953
File threats detected : 27
Rootkit.RunTime3/WinCtrl32
HKLM\system\controlset001\services\Winwd45
C:\WINDOWS\SYSTEM32\DRIVERS\WINWD45.SYS
HKLM\system\controlset002\services\Winwd45
Adware.Tracking Cookie
C:\Documents and Settings\User_1\Cookies\user_1@tacoda[2].txt
C:\Documents and Settings\User_1\Cookies\user_1@server.iad.liveperson[3].txt
C:\Documents and Settings\User_1\Cookies\user_1@specificmedia[1].txt
C:\Documents and Settings\User_1\Cookies\user_1@advertising[1].txt
C:\Documents and Settings\User_1\Cookies\user_1@adopt.specificclick[1].txt
C:\Documents and Settings\User_1\Cookies\user_1@stats.adbrite[2].txt
C:\Documents and Settings\User_1\Cookies\user_1@casalemedia[1].txt
C:\Documents and Settings\User_1\Cookies\user_1@server.iad.liveperson[1].txt
C:\Documents and Settings\User_1\Cookies\user_1@ad.yieldmanager[2].txt
C:\Documents and Settings\User_1\Cookies\user_1@doubleclick[1].txt
C:\Documents and Settings\User_1\Cookies\user_1@tribalfusion[1].txt
C:\Documents and Settings\User_1\Cookies\user_1@armstrong.112.2o7[1].txt
C:\Documents and Settings\User_1\Cookies\user_1@leveragemarketing.112.2o7[1].txt
C:\Documents and Settings\User_1\Cookies\user_1@uniblue.112.2o7[1].txt
C:\Documents and Settings\User_1\Cookies\user_1@specificclick[2].txt
C:\Documents and Settings\User_1\Cookies\user_1@atdmt[2].txt
C:\Documents and Settings\User_1\Cookies\user_1@at.atwola[2].txt
C:\Documents and Settings\User_1\Local Settings\Temp\Cookies\user_1@ads.loudsocial[1].txt
C:\Documents and Settings\User_1\Local Settings\Temp\Cookies\user_1@specificmedia[1].txt
C:\Documents and Settings\User_1\Local Settings\Temp\Cookies\user_1@adopt.specificclick[1].txt
C:\Documents and Settings\User_1\Local Settings\Temp\Cookies\user_1@media6degrees[1].txt
C:\Documents and Settings\User_1\Local Settings\Temp\Cookies\user_1@richmedia.yahoo[2].txt
C:\Documents and Settings\User_1\Local Settings\Temp\Cookies\user_1@apmebf[2].txt
C:\Documents and Settings\User_1\Local Settings\Temp\Cookies\user_1@specificclick[2].txt
C:\Documents and Settings\User_1\Local Settings\Temp\Cookies\user_1@imrworldwide[2].txt
Rogue.AntiSpywareExpert
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WinCtrl32
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WinCtrl32#DLLName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WinCtrl32#StartShell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WinCtrl32#Impersonate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WinCtrl32#Asynchronous
Trojan.Unclassified/Dropper-WinNT32
C:\WINDOWS\SYSTEM32\WINCTRL32.DLL

And it actually removed it finally!
I can't find anything else now.

Thank you very much!!!

#7 PropagandaPanda
  • Malware Response Team

Posted 17 December 2008 - 02:19 AM

Glad you got that fixed.

I'm surprised SAS was able to remove the infection when MBAM wasn't.

If you think you are now clean...

Set New System Restore Point
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked "Create a Restore Point" on the first screen then click Next. Give the R.P. a name then click Create. The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type:
    cleanmgr
  • Click OK.
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

Visit the Windows Update Site regularly.
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
    Note that it will download them for you, but you still have to actually click install.
    If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

For general slowness problems, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda
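
The restore point procedure in the post above is driven through the System Restore and Disk Cleanup dialogs. As an added example that is not part of the thread, the same two steps can be scripted on XP, Vista and 7 through the SystemRestore WMI class in the root\default namespace. It assumes PowerShell 2.0 or later, an elevated session, and that the system drive is C:. One difference from the dialog route is the order: disabling System Restore on a drive purges every restore point on it, so the new clean-state point is created after re-enabling, whereas cleanmgr keeps the newest point and deletes the rest. Either way, the old points (and any copies of the removed files inside them) are gone, so only run this once the machine is believed clean.

```powershell
# Added example (not from the thread): scripted version of "create a new restore
# point, then remove the old ones". Assumes PowerShell 2.0+, run elevated, XP/Vista/7,
# system drive C:. Removing restore points also removes your rollback safety net.

$sr = [wmiclass]'\\.\root\default:SystemRestore'

# Before: list the existing points. Any of them may hold copies of the removed files.
'Existing restore points:'
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize

# Turning System Restore off for a drive deletes all of that drive's restore points
# (documented XP behaviour). Turn it back on immediately, waiting until it is ready.
$sr.Disable('C:\')        | Out-Null
$sr.Enable('C:\', $true)  | Out-Null

# Create the new known-clean point. RestorePointType 12 = MODIFY_SETTINGS,
# EventType 100 = BEGIN_SYSTEM_CHANGE (values from the SystemRestore class documentation).
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm'
$r = $sr.CreateRestorePoint("Clean after malware removal $stamp", 12, 100)
if ($r.ReturnValue -ne 0) { throw "CreateRestorePoint failed with code $($r.ReturnValue)" }

# After: exactly one point should remain, the one just created. Note its
# SequenceNumber and description, as the post says, so it is easy to find later.
'Restore points now present:'
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize
```

On Windows 7 the same class is also reachable through the Checkpoint-Computer cmdlet for the creation step; the disable/enable pair is what actually discards the old points, so keep that part explicit rather than relying on the cmdlet alone.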



