Is there hope??? winctrl32.dll



Mono Loco
2008-06-07, 15:40
Greetings, Great Gurus!
You folks saved me once before (my Mom's neighbor's PC) and now my buddy's sister's PC is infected! Can we go 2-0 ?

She was getting error messages and bought and installed Windows LiveOne software. It crashed while trying to remove win32/cutwail.s
Winctrl32.dll is on the system, too ... I've tried to get rid of winctrl32.dll with Killbox and Avenger, but no go. :-(

When attempting to boot into normal mode, BSOD appears, with message "Page_Fault_In_Nonpaged_Area"

A) I can only boot into Safe Mode... not even w/ networking!
B) installed and Ran HJT ... I checked "020 WinLogon Notify:WinCtrl32 ..." but it comes back.
C) I ran Malwarebytes and its LOG showed that it deleted several items, but the PC still would not start after running it.
D) I tried to install "SuperSpywareKiller", but a pop-up message "The System Administrator Has Set Policies to Prevent this installation"
E) The patient (infected PC) does not see my thumbdrive in Safe Mode, so I cannot copy the HJT and Malwarebytes LOG files. I will remove the Hard Drive and retrieve them and post them later.
F) As I have no internet capability, I cannot do Kaspersky Online Scanner :sad:

My friend's sister called DELL support - they advised backing up all DATA and reformatting ... no surprise there!

Is there hope? Might we defeat the bad guys without having to re-install Windows?

Thanks!

Mono Loco
2008-06-07, 15:47
oops ... I forgot to mention that I installed Spybot (I was in Safe Mode) and the "spybotsd_includes.exe". When trying to "immunize", (6) files remained Unprotected. Spybot found and removed several entries, but it was unable to get rid of AltNet. I'm gonna try to pull the Hard drive to grab the LOG files.
See you soon.

Mono Loco
2008-06-07, 16:48
Here we go - sorry for the delay.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:55, on 2008-06-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Scotty\SPYwarez\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 3104 bytes

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Malwarebytes' Anti-Malware 1.14
Database version: 800

05:11:57 2008-06-07
mbam-log-6-7-2008 (05-11-57).txt

Scan type: Quick Scan
Objects scanned: 39635
Time elapsed: 10 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\WinCtrl32.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\JAIME BUITRAGO\Application Data\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\JAIME BUITRAGO\Application Data\AXPDefender\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\JAIME BUITRAGO\Application Data\AXPDefender\AXPDefender\Quarantine (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\JAIME BUITRAGO\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\JAIME BUITRAGO\Application Data\AXPDefender\AXPDefender\Quarantine\BrowserObjects (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\JAIME BUITRAGO\Application Data\AXPDefender\AXPDefender\Quarantine\Packages (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\JAIME BUITRAGO\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\JAIME BUITRAGO\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\JAIME BUITRAGO\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\JAIME BUITRAGO\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\JAIME BUITRAGO\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\JAIME BUITRAGO\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\Install (Rogue.Multiple) -> Quarantined and deleted successfully.
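The O20 line in the HijackThis log above is why the DLL "comes back": a Winlogon Notify DLL is loaded by winlogon.exe at every logon, Safe Mode included, so the file and its Notify registry key have to go together. The following triage script is an added example written for this thread, not HijackThis code or anything posted by the author; it assumes the v2 line layouts shown in the log and uses a few lines copied from it as constructed sample input.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of entries copied from the HijackThis log above.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# Registry location behind every O20 entry (matches the key in the Malwarebytes log above).
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def _path_of(section: str, body: str) -> str:
    """Pull the on-disk path out of an entry body; the layout differs per section."""
    if section == "O4":                # "[name] path args"
        return body.split("] ", 1)[-1]
    if section in ("O20", "O23"):      # "... - vendor - path"
        return body.rsplit(" - ", 1)[-1]
    if section == "O10":               # "Unknown file in Winsock LSP: path"
        return body.split(": ", 1)[-1]
    return body


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Turn HJT report lines into dicts with section, raw body and extracted path."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, body = m.groups()
            entries.append({"section": section, "body": body,
                            "path": _path_of(section, body)})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag load points that survive a file-only delete, and pair each with the
    registry key that must be removed in the same pass as the file."""
    findings = []
    for e in entries:
        if e["section"] == "O20":
            # body looks like "Winlogon Notify: <name> - <path>"
            name = e["body"].split(": ", 1)[-1].split(" - ", 1)[0]
            findings.append({**e, "name": name,
                             "registry": NOTIFY_KEY + "\\" + name,
                             "reason": "Notify DLL is loaded by winlogon.exe at every "
                                       "logon, Safe Mode included"})
    return findings
```

Running `triage(parse_hjt(SAMPLE_HJT_LOG))` on the sample yields exactly one finding, WinCtrl32, with the file path and the Notify subkey to remove together.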

Mono Loco
2008-06-07, 20:23
Forgive my impatience, but I had to keep going ... I was at it all night before I submitted a plea for help. It occurred to me that, while I had the Hard Drive slaved on a 2nd PC, I should try to delete winctrl32.dll ... as it was no longer part of the "Operating System" of the 2nd PC. I was able to delete it. I also deleted all the TEMP files in Local Settings for all users. I also deleted Altnet program folder.

When I reinstalled the problem Hard Drive into the patient, I booted into Safe Mode (intentionally) and deleted the stubborn Registry entries that were "Access Denied" by changing permissions.

I tried to reboot normally and ... Windows loaded OK ... with her Windows Live Care One program running! It was able to finish the job it started days ago!? It removed the problem. (I hope)

Windows appears to be working, but - since I am able to access the internet - I am now scanning with Kaspersky. I will update and post the resulting log.

Thanks!

Mono Loco
2008-06-08, 07:29
Kaspersky found viruses in the Restore folder only. I turned off System Restore and later re-enabled it. System is clean and working normally.
Thanks - you were my "backup", but I muddled through it ... it just took HOURS and HOURS, but it's done.
Cheers!