abel Posted December 5, 2008 ID:38233 Share Posted December 5, 2008 Heyyesterday my computer got infected by a trojan that i cant seem to get rid of. My f-secure says ive got a trojan downloader in a file called winctrl32.dll, the trojan(s?) keep coming back after cleaning.any help is appreciatedMalwarebytes' Anti-Malware 1.31Database version: 1460Windows 5.1.2600 Service Pack 32008-12-05 17:03:29mbam-log-2008-12-05 (17-03-29).txtScan type: Quick ScanObjects scanned: 53188Time elapsed: 1 minute(s), 43 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 4Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wineh22 (Rootkit.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wineh22 (Rootkit.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wineh22 (Rootkit.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\drivers\Wineh22.sys (Rootkit.Agent) -> Delete on reboot.C:\WINDOWS\system32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.and here is the hijackthis logLogfile of Trend Micro HijackThis v2.0.2Scan saved at 17:05:15, on 2008-12-05Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\F-Secure\Common\FSM32.EXEC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Live\Messenger\MsnMsgr.ExeC:\progra~1\valve\steam\steam.exeC:\Program Files\DAEMON Tools Lite\daemon.exeC:\Program Files\LimeWire\LimeWire.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\F-Secure\Anti-Virus\fsgk32st.exeC:\Program Files\F-Secure\Anti-Virus\FSGK32.EXEC:\Program Files\F-Secure\Common\FSMA32.EXEC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\PnkBstrB.exeC:\Program Files\F-Secure\Common\FSMB32.EXEC:\Program Files\F-Secure\Common\FCH32.EXEC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\F-Secure\Anti-Virus\fssm32.exeC:\Program Files\F-Secure\Common\FAMEH32.EXEC:\Program Files\F-Secure\Anti-Virus\fsqh.exeC:\Program Files\F-Secure\Common\FNRB32.EXEC:\Program Files\F-Secure\FSAUA\program\fsaua.exeC:\Program Files\F-Secure\Common\FIH32.EXEC:\Program Files\F-Secure\FSGUI\fsguidll.exeC:\Program Files\F-Secure\Anti-Virus\fsav32.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Windows Live\Messenger\usnsvc.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://se.msn.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: L Link to post Share on other sites More sharing options...
abel Posted December 5, 2008 Author ID:38281 Share Posted December 5, 2008 a side noteim not noticing any symptoms from the virus. when i first got it my pointer was a bit weird but that got removed when i first tried using mbam. but my f-secure sometimes give me a warning that im infected and when im using mbamb i get some infected files as you could see in my first post Link to post Share on other sites More sharing options...
abel Posted December 6, 2008 Author ID:38376 Share Posted December 6, 2008 am I some sort of a lost cause? just need some confirmation if i need to reformat my computer or if there is some easier solution to my problem.thx in advance Link to post Share on other sites More sharing options...
Raid Posted December 6, 2008 ID:38396 Share Posted December 6, 2008 am I some sort of a lost cause? just need some confirmation if i need to reformat my computer or if there is some easier solution to my problem.thx in advancePlease disable f-prot, run mbam, update it, scan with it, select everything it finds for removal, have it removed everything found. then follow these instructions:Please download and run the Trend Micro Sysclean Package on your computer.NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.Trend Micro Damage Cleanup EngineMake sure you read this document to understand how to use the program. Trend Micro Sysclean Package README 1stBasically there are 3 parts that need to be downloaded from these links:Sysclean PackageVirus Pattern FilesSpyware Pattern FilesAs an example on 2008-10-17 the files to download are: sysclean.com | lpt605.zip | ssapiptn697.zipNOTE! These file names are examples and you must visit Trend Micro for the very latest files which may have different names.Create a brand new folder to copy these files to.As an example: C:\DCEThen open each of the zipped archive files and copy their contents to C:\DCECopy the file sysclean.com to the new folder C:\DCE as well.Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.This self-extracting archive is a stand-alone fix package that incorporates the Trend Micro VSAPI Malware and Spyware scanning engines as well as the Trend Micro Damage Cleanup Engine and Template. This tool supports the following features: o Terminate all detected malware/spyware instances in memory o Remove malware/spyware registry entries o Remove malware/spyware entries from system files o Scan for and delete all detected malware/spyware copies in all local drivesHow To Use Compressed (Zipped) Folders in Windows XPCompress and uncompress files (zip files) in Vistahttp://windowshelp.microsoft.com/windows/en-us/help/7050d809-c761-43d4-aae7-587550cd341a1033.mspx' rel="external nofollow"> Link to post Share on other sites More sharing options...
abel Posted December 6, 2008 Author ID:38413 Share Posted December 6, 2008 HI raidit seems as if i got rid of the virus, none of my protections i reporting about it anymore and mbam didnt find anything either. would you still recommend me to follow your instructions posted? Link to post Share on other sites More sharing options...
Raid Posted December 8, 2008 ID:38789 Share Posted December 8, 2008 HI raidit seems as if i got rid of the virus, none of my protections i reporting about it anymore and mbam didnt find anything either. would you still recommend me to follow your instructions posted?I would recommend we continue, however, it's your computer in the end, and if you feel your alright and don't wish to continue, please let me know and I'll go ahead and closeout this thread. Link to post Share on other sites More sharing options...
Recommended Posts