CluelessNI

asked on

PC infected with WLCtrl32

I have been cleaning a pc that was heavily infected with a variety of malware. I have got it down to one infection which I am finding impossible to remove. It is WLCtrl.dll located in C:\windows\System32. When it loads it creates an entire folder in HKLM>Software>Microsoft>WindowsNT>CurrentVersion>WinLogon>Notify.
I am able to delete the Registry folder but not the .dll, therefore the registry entry just recreates itself. I have tried removing it from safe mode but no joy. I can rename the .dll but again no joy. I am using Spyware Terminator as it seems to pick this Trojan up best.
Any thoughts would be appreciated. If you want either a HJT log or other log (such as WinPFind3U) then I can provide it happily. This pc had previously been infected with Vundo but I had thought it was clean. With thanks.
IndiGenus

Yes, if you have a HJT log that would be great. Vundo is very stubborn. A good tool to use is combofix. Here are the instructions.

Download and Run ComboFix (by sUBs) You must run it directly from your Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.  

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right click on the Network icon & select "Repair"
or
Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.
CluelessNI

ASKER

OK - Thanks for this. Given the lateness of the hour I will try this tomorrow. In the meantime please find attached a HJT log prior to downloading combofix. I tried to download this previously but when I ran it I got the error 'This is not a valid Win32 application'. However I will download it again from your link and let you know how I get on. Thanks.
CluelessNI-Hijackthis-log030308.txt
Actually now that I've seen the HJT log I would recommend trying this first...it's a bot.

Download SDFix (by Andy Manchesta) and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.

A text file should automatically open, upload the log.

Please also upload a fresh HijackThis log.
Sorry, too late! I decided to run combofix now but before I saw your last text. It did get rid of a number of annoying trojans although not the WLCtrl32.dll. Combofix gave me a message that a file could not be deleted plus I ran a Spyware Terminator scan after which shows it is still there. I have attached the combofix log plus a new HJT log anyway. I will also try your latest advice and let you know. With thanks.
CluelessNI-Hijackthis-log2-03030.txt
ComboFix.txt
No problem, combofix did some nice work as always...

SDFix will target the 2 O20 Winlogon entries...
O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
I have now run SDFix and it did show that WLCtrl32.dll had been removed. However a scan with Spyware Terminator shows it is still present. This is borne out by a registry check which shows the WLCtrl32 folder is still there. I have attached the SDfix log and another HJT log taken after SDfix had run. I hope this is of use. With thanks.
Report.txt
CluelessNI-Hijackthis-log3-03030.txt
Well it looks like SDFix got it though, as those entries are gone from HJT. Is the file actually still present? And where is the reg entry located?
Hi - Reg entry is HKLM>Software>Microsoft>WindowsNT>CurrentVersion>WinLogon>Notify. It is an entire folder called WLCtrl32. The file is still present at C:\windows\System32. Is it a case of simply stopping the winlogon process, deleting the file, then restarting the process or is this simplifying it? Thanks.
Give combofix another run and please post the log.
Hi - Sorry about the delay but I have been trying a number of options. I ran both combofix and sdfix again with identical results. Combofix did not seem to affect WLCtrl32 whilst sdfix says it removes the file. However something is recreating it as the file is still in system32 and the registry entries recreate each time. I have tried to rename the extension to .txt (which it allows me to) and move it out of the system32 folder (which it allows me to). However I still cannot delete it. I have tried this and then deleted the WLCtrl32 folder in the registry but they are both recreated on boot up. I have attached a copy of both the SDFix log and Combofix log.

In addition I have attached a copy of the file analysis carried out by Spyware Terminator on WLCtrl.dll. It shows different registry entries although I understand the program cannot be loaded from these locations. Of interest is that, since I ran SDFix, this analysis shows that the .dll is no longer running (consistent with my last HJT log). Also I note that in the system32 folder there is a new file - WLCtrl32.dll.REN. Am I right in assuming that SDFix has neutralised this .dll, having been unable to delete it?
Before I deleted the WLCtrl32 folder from the registry I exported it and saved it as a .txt file. I have also attached this as it may give some clues or be of future use.

I am also getting a re-occurrence of the BN*. program mentioned at the start of this thread. I had deleted them from the C:\Windows\TEMP folder but they just keep coming back, normally when I first open IE after a reboot. Is this related?

Combofix-log.txt
SDFix-Log.txt
terminator-anaysis-log.txt
WLCtrl32.txt
Ahhh I believe we have a rootkit here. Let's try this.

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

------------------------------------------------------------------------

File::
C:\WINDOWS\system32\Drivers\Jnp57.sys
C:\WINDOWS\system32\WLCtrl32.dll

Driver::
Jnp57

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
 
------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log


If you get this in time please modify the above text between the lines to be this...

File::
C:\WINDOWS\system32\Drivers\Jnp57.sys
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\drivers\nkv2.sys

Driver::
Jnp57
USB2_04

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
Hi - Thats Great! I carried out the actions as directed above and Lo and Behold - there is no WLCtrl32.dll in the ...\sys32 folder. Also there is no equivalent folder in the registry. Finally there are no BN* entries in the TEMP folder (as yet - although they have always appeared when using IE after a reboot. I have used IE and nothing as yet - fingers crossed.)

Please find attached the ComboFix log and a new HJT log as requested. Hopefully this has done the trick. For my info - what is a rootkit and how is it different from a trojan et al?
With thanks!
CFScript-Log.txt
CluelessNI-Hijackthis-log4-05030.txt
Yes, looks good!

Here is a general rootkit definition:
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci547279,00.html

In your case the rootkit was seen as this driver file:
nkv2.sys
http://www.bleepingcomputer.com/startups/USB2_04-21671.html

In real basic terms the rootkit is what keeps re-installing the malware. So once we find and stop the rootkit, we stop the malware from re-entering. Rootkits are one of the toughest things to deal with and many experts believe a format and re-install is usually advised. I sometimes agree but in many cases that is not necessary.

I would advise some rootkit scans, along with full system virus and spyware scans to make sure there is nothing else.

The online F-Secure Scanner will do a virus check and also check for rootkits:
http://support.f-secure.com/enu/home/ols.shtml

Here are some other tools:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit/download/
http://free.grisoft.com/doc/download-free-anti-rootkit/us/frt/0

Also, what are you running for a real time Antivirus? I don't see anything in your latest Hijackthis log.

Also, if all is well we should clean up from combofix:

Click START then Run...
Now type Combofix /u in the runbox  and click OK.  Note the space between the X and the U, it needs to be there.

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
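The two persistence points this thread kept circling back to are the O20 Winlogon Notify packages (the HijackThis entries SDFix targeted above) and the kernel driver service (USB2_04 / nkv2.sys) that kept re-dropping the DLL. The following PowerShell script is an added example for readers of this thread, not code from either participant or from any of the tools named here. It enumerates both locations read-only and flags entries whose module is missing or not carrying a valid Microsoft Authenticode signature. It assumes an XP/2003-era system (the Winlogon\Notify key is ignored from Vista onward), an elevated PowerShell session, and that the "Microsoft" subject match is a heuristic you will review by hand rather than a verdict.

```powershell
# Added example (not from the thread): enumerate Winlogon Notify packages and
# kernel-driver services, flagging entries whose module is missing or unsigned.
# Assumes Windows XP/2003-era Winlogon Notify (key ignored from Vista on).
# Run in an elevated PowerShell; the script is read-only and changes nothing.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

function Resolve-ModulePath {
    param([string]$Name)
    # Notify DLLName values are usually bare names resolved from System32;
    # driver ImagePath values are often relative to %SystemRoot% or use \??\.
    if ([string]::IsNullOrWhiteSpace($Name)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Name.Trim('"'))
    if ($p -match '^\\\?\?\\')       { $p = $p -replace '^\\\?\?\\', '' }
    if ($p -match '^\\SystemRoot\\') { $p = Join-Path $env:SystemRoot ($p -replace '^\\SystemRoot\\', '') }
    if (-not [IO.Path]::IsPathRooted($p)) {
        $candidate = Join-Path $system32 $p
        if (-not (Test-Path $candidate)) { $candidate = Join-Path $env:SystemRoot $p }
        $p = $candidate
    }
    return $p
}

function Get-ModuleVerdict {
    param([string]$Path)
    if (-not $Path)              { return 'NO PATH' }
    if (-not (Test-Path $Path))  { return 'FILE MISSING' }   # or hidden by a rootkit
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "UNSIGNED ($($sig.Status))" }
    # Heuristic: anything not signed by Microsoft under Winlogon deserves a look.
    if ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { return 'THIRD-PARTY SIGNED' }
    return 'ok'
}

# 1. Winlogon Notify packages (what HijackThis reports as O20 entries)
Write-Host "== Winlogon Notify packages =="
if (Test-Path $notifyKey) {
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll  = (Get-ItemProperty $_.PSPath).DLLName
        $path = Resolve-ModulePath $dll
        '{0,-20} {1,-45} {2}' -f $_.PSChildName, $dll, (Get-ModuleVerdict $path)
    }
} else {
    Write-Host "(key absent: not an XP/2003 system, or already removed)"
}

# 2. Kernel-mode driver services (Type 1) whose image is missing or unsigned
Write-Host "`n== Kernel driver services worth a look =="
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath
    if ($svc.Type -ne 1 -or -not $svc.ImagePath) { return }   # 1 = SERVICE_KERNEL_DRIVER
    $path    = Resolve-ModulePath $svc.ImagePath
    $verdict = Get-ModuleVerdict $path
    if ($verdict -ne 'ok') {
        '{0,-20} start={1} {2,-50} {3}' -f $_.PSChildName, $svc.Start, $path, $verdict
    }
}
```

Two caveats when reading the output. On XP many legitimate third-party drivers are unsigned, so "UNSIGNED" alone is not proof of infection; what mattered in this thread was the combination of an unsigned driver with an auto-start value and a Notify DLL it kept recreating. Second, a kernel rootkit can hide its own file from Test-Path and Get-AuthenticodeSignature, so a service that is loaded (visible in Get-WmiObject Win32_SystemDriver or Process Explorer) but reports "FILE MISSING" here is itself the red flag; confirm from an offline boot or a clean-boot scan rather than trusting the live system.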
Hi IndiGenus,

I ran all of the programs suggested in your previous post. The F-Secure scanner still found and deleted entries, interestingly enough there were 9 entries of which 8 were Vundo related. I have attached a F-Secure log (probably more for old times sake!). I have also tidied up after ComboFix and there are still no further problems.

I am now happy to close this call if you are happy as well. I'll hold off until I hear from you.

With many thanks.
F-Secure-Log.txt.txt
Sorry - I forgot to add that I have installed AVG which is what I use on my own machine. The reason it did not show in the HJT log was I had uninstalled it prior to running ComboFix/SDFix (I could not see a simple disable option).
ASKER CERTIFIED SOLUTION
IndiGenus

OK then - thanks very much for your help. As well as being a practical exercise it was very much an education as well. We might well be speaking in the future!!

Until then best wishes

CluelessNI
Only just to re-iterate my last post. Many thanks & best wishes.
You're welcome and thank you for the grade and points.

Regards,
Dave