I have been cleaning a pc that was heavily infected with a variety of malware. I have got it down to one infection which I am finding impossible to remove. It is WLCtrl.dll located in C:\windows\System32. When it loads in creates an entire folder in : HKLM>Software>Microsoft>Wi
I am able to delete the Registry folder but not the .dll. therefore teh registry entry just recreates itself. I have tried removing it from safe mode but no joy. I can rename the .dll but again no joy. I am using Spyware Terminator sa it seems to pick this Trojan up best.
Any thoughts would be appreciated. If you want either a HJI log or other log (such as WinPFind3U) then I can provide it happily. This pc had previously been infected with Vundo but I had thought it was clean. With thanks.
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
OK - Thanks for this. Given the lateness of the hour I will try this tomorrow. In the meantime please find attached a HJT log prior to downloading combofix. I tried to download this previously but when I ran it I got the error 'This is not a valid Win32 application'. However I will download it again from your link and let you know how I get on. Thanks.
Actually now that I've seen the HJT log I would recommend trying this first...it's a bot.
Download SDFix (by Andy Machesta) and save it to your Desktop.
http://downloads.andymanch
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, upload the log.
Please also upload a fresh HijackThis log.
Sorry too late!. I decided to run combofix now but before I saw your last text. It did get rid of a number of annoying trojans although not the WLCtrl32.dll. Combofix gave me a message that a file could not be deleted plus I ran a Spyware Terminator scan after which shows it is still there. I have attached he combofix log plus a new HJT log anyway. I will also try your latest advice and let you know. With thanks.
I have now run SDFix and it did show that WLCtrl32.dll had been removed. However a scan with Spyware Terminator shows it is still present. This is borne out by a registry check which shows the WLCtrl32 folder is still there. I have attached the SDfix log and another HJT log taken aftre SDfix had ran. I hope this is of use. With thanks.
HI - Reg entry is HKLM>Software>Microsoft>Wi
Hi - Sorry about the delay but I been trying a number of options. I ran both combofix and sdfix again with identical results. Combofix did not seem to affect WLCtrl32 whilst sdfix says it removes the file. However something is recreating it as the file is still in system32 and the registry entries recreate each time. I have tried to rename the extension to .txt (which it allows me to) and move it out of the system32 folder (which it allows me to). However I still cannot delete it. I have tried this and then deleted teh WLCtrl32 folder in the registry but they are both recreated on boot up. I have attached a copy of both the SDFix log adn Combofix log.
In addition I have attached a copy of the file analysis carried out by Spyware Terminator on WLCtrl.dll. It shows different registry entries although I understand the program cannot be loaded from these locations. Of interest is that, since I ran SDFix, this analysis shows that the .dll is no longer running (consistant with my last HJT log). Also I note that in the system32 folder there is a new file - WLCtrl32.dll.REN. Am I right in assuming that SDFix has neutralised this .dll, having been unable to delete it?
Before I deleted the WLCtrl32 folder from the registry I exported it and saved it as a .txt file. I have also attached this as it may give some clues or be of future use.
I am also getiing a re-occurrence of the BN*. program mentioned at the start of this thread. I had deleted them from the C:\Windows\TEMP folder but they just keep coming back, normally when I first open IE after a reboot. Is this related?
Ahhh I believe we have a rootkit here. Let's try this.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
--------------------------
File::
C:\WINDOWS\system32\Driver
C:\WINDOWS\system32\WLCtrl
Driver::
Jnp57
Registry::
[-HKEY_LOCAL_MACHINE\softw
--------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please upload the following reports/logs.
-Combofix.txt
-A new HijackThis log
If you get this in time please modify the above text between the lines to be this...
File::
C:\WINDOWS\system32\Driver
C:\WINDOWS\system32\WLCtrl
C:\WINDOWS\system32\driver
Driver::
Jnp57
USB2_04
Registry::
[-HKEY_LOCAL_MACHINE\softw
Hi - Thats Great! I carried out the actions as directed above and Lo and Behold - there is no WLCtrl32.dll in the ...\sys32 folder. Also there is no equivalent folder in the registry. Finally there are no BN* entries in the TEMP folder (as yet - although they have always appeared when using IE after a reboot. I have used IE and nothing as yet - fingers crossed.)
Please find attached the ComboFix log and a new HJT log as requested. Hopefully this has done the trick. For my info - what is a rootkit and how is it different from a trojan et al?
With thanks!
Yes, looks good!
Here is a general rootkit definition:
http://searchsecurity.tech
In your case the rootkit was seen as this driver file:
nkv2.sys
http://www.bleepingcompute
In real basic terms the rootkit is what keeps re-installing the malware. So once we find and stop the rootkit, we stop the malware from re-entering. Rootkits are one of the toughest things to deal with and many experts believe a format and re-install is usually advised. I sometimes agree but in many cases that is not necessary.
I would advise some rootkit scans, along with full system virus and spyware scans to make sure there is nothing else.
The online F-Secure Scanner will do a virus check and also check for rootkits:
http://support.f-secure.co
Here are some other tools:
http://www.sophos.com/prod
http://free.grisoft.com/do
Also, what are you running for a real time Antivirus? I don't see anything in your latest Hijackthis log.
Also, if all is well we should clean up from combofix:
Click START then Run...
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Hi IndiGenus,
I ran all of the programs suggested in your previous post. The F-Secure scanner still found and deleted entries, interestingly enough there were 9 entries of which 8 were Vundo related. I have attached a F-Secure log (probably more for old times sake!). I have also tidied up after ComboFix and there are still no further problems.
I am now happy to close this call if you are happy as well. I'll hold off until I hear from you.
With many thanks.
Business Accounts
Answer for Membership
by: IndiGenusPosted on 2008-03-03 at 13:41:07ID: 21035975
Yes, if you have a HJT log that would be great. Vundo is very stubborn. A good tool to use is combofix. Here are the instructions.
Download and Run ComboFix (by sUBs) You must run it directly from your Desktop.
http://download.bleepingco
Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.
Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.
Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.
NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Going to Control Panel > Network Connections.
* Right click on their Network icons & select "Repair"
or
Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.
PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.