w32dtc.exe wearing out my laptop...

Discussion in 'Malware Help (A Specialist Will Reply)' started by CajunR, Nov 12, 2006.

  1. CajunR

    CajunR Private E-2

    Sirs,
    Thanks in advance for all of your help. I have managed to get the w32dtc.exe malware on my laptop. It is currently eating up all of the machine's performance. Here's the rub(s): It is about three years old, and I had NEVER connected it to the internet as I use it for 3D animation and audio recording, and I didn't want to take a chance on infection. Well, about two weeks ago, my PC died and I decided to plug the laptop into the DSL to check my email. Ironically, it is now infected. Anyway, I have run through all of the items on the sticky except those that require an internet connection. I have attached the HijackThis log. The reference to w32dtc.exe is on there plain as day, but I can't find any information in regards to a simple removal. Again, any help would be greatly appreciated.

    Thanks,

    Rob
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

    Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
    • Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    In your next post, please make sure you attach the following logs and that you have run these scans in the following order:
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. CajunR

    CajunR Private E-2

    Sorry about that. I am not able to run Bitdefender or Panda Scan, as I can not get online with my laptop. I have attached the runkeys and newfiles.
    Thanks again!
     


  4. CajunR

    CajunR Private E-2

    And the scans all revealed nothing found...
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Why can't you get online on the infected computer?

    Also, please relocate HJT to a safer location such as C:\Program Files\HJT. Afterwards attach a fresh HJT log from the new location.

     
  6. CajunR

    CajunR Private E-2

    It just can't find the internet connection, and I don't really want to risk it again. The file I uploaded is from a jump drive that I moved from the laptop to the PC. It is in the C drive on the laptop.

    -Rob
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, just follow the previous post and attach a fresh HJT log.
     
  8. CajunR

    CajunR Private E-2

    Will do. I'll get it to you as soon as I get home tonight!
    (Thanks again.)

    -Rob
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  10. CajunR

    CajunR Private E-2

    Here's the new log.

    -Rob
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    w32dtc.exe

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    Again, make sure ALL browser windows are closed when you click FIX.
    • Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Windows Data Control (W32DTC)
    • Then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste W32DTC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\System32\w32dtc.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    After you complete this post, reboot once more and attach a fresh HJT log. Also let me know how things are running and what problems remain.
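    The procedure above can be checked and repeated from an elevated Windows PowerShell prompt. This is an added example written for this thread, not a script from bjgarrick or MajorGeeks; the process, service, file and Run-key names are the ones the post names, everything else (the HKLM Run path that HJT's O4 lines map to, the -Remediate switch) is an assumption. Without -Remediate it only reports what is still present.

```powershell
# Added example, not from the thread: audit (and optionally remove) the w32dtc artefacts
# named in the post above. Assumes Windows PowerShell 5.1 run as Administrator.
param([switch]$Remediate)

$ProcName  = 'w32dtc'                                   # process seen in Task Manager
$SvcName   = 'W32DTC'                                   # service name ("Windows Data Control")
$FilePath  = "$env:SystemRoot\System32\w32dtc.exe"      # file deleted with Killbox
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # HJT "O4 - HKLM\..\Run"
$RunValues = @('ZTgServerSwitch', 'Microsoft Works Update Detection') # the two O4 entries fixed

# 1. Running process: the post notes it reappears when ended, because the service restarts it.
$proc = Get-Process -Name $ProcName -ErrorAction SilentlyContinue
if ($proc) { "Process running: PID $($proc.Id) Path=$($proc.Path)" } else { 'Process not running' }

# 2. Service registration, including the binary path it points at.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$SvcName'"
if ($svc) { "Service present: '$($svc.DisplayName)' State=$($svc.State) StartMode=$($svc.StartMode) Path=$($svc.PathName)" }
else      { 'Service not present' }

# 3. File on disk, hashed so a later scan result can be matched against it.
if (Test-Path -Path $FilePath) {
    "File present: $FilePath SHA256=$((Get-FileHash -Path $FilePath -Algorithm SHA256).Hash)"
} else { 'File not present' }

# 4. The Run values HijackThis was told to fix.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
foreach ($v in $RunValues) {
    if ($run -and $run.PSObject.Properties[$v]) { "Run value '$v' = $($run.$v)" } else { "Run value '$v' absent" }
}

if (-not $Remediate) { return }

# Remediation mirrors the manual steps: stop and disable the service, delete it, end the
# process, remove the Run values, then delete the file (a locked file needs delete-on-reboot).
if ($svc) {
    Stop-Service -Name $SvcName -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $SvcName -StartupType Disabled -ErrorAction SilentlyContinue
    & sc.exe delete $SvcName | Out-Null
}
Get-Process -Name $ProcName -ErrorAction SilentlyContinue | Stop-Process -Force
foreach ($v in $RunValues) { Remove-ItemProperty -Path $RunKey -Name $v -ErrorAction SilentlyContinue }
if (Test-Path -Path $FilePath) {
    try   { Remove-Item -Path $FilePath -Force -ErrorAction Stop; "Deleted $FilePath" }
    catch { "Could not delete $FilePath (in use): use the delete-on-reboot step, reboot, then re-run this audit." }
}
```

Run it once before and once after the reboot; the second run should report all four items absent.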
     
  12. CajunR

    CajunR Private E-2

    I'll take notes as I proceed:
    Saved Killbox to the desktop.
    Confirmed viewing of hidden files and folders is enabled
    Checked task manager for w32dtc.exe, currently running and using about 17% of the CPU's abilities, svchost.exe is using the remainder.
    Selected w32dtc.exe and ended process, it re-appeared, tried again, same result
    Clicked analyse.exe, closed all browsers
    Scanned with hjt
    Checked boxes for:
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    Clicked fix selected, then OK
    Clicked start, run, then typed services.msc, clicked OK
    Scrolled down to Windows Data Control, right clicked, selected properties, was NOT able to press Stop Service, (no selection boxes were selectable) selected Disabled, closed all browsers
    Started HJT, clicked none of the above, just start program
    Clicked Config
    Clicked misc Tools
    Clicked delete NT service
    Entered W32DTC, clicked OK
    Clicked yes to delete, did not reboot, closed hjt
    Started Pocket Killbox, copied and pasted C:\WINDOWS\System32\w32dtc.exe into the box, it showed up in blue, selected delete on reboot, clicked the red x, and yes to reboot.
    Laptop rebooted
    Start, control panel, internet options, programs, reset web settings, OK
    General, reset home page, apply
    Delete cookies, OK
    Delete files, delete all offline content, OK
    OK
    Changed all security level to defaults, apply, OK
    Noticed laptop was responding MUCH faster
    Restarted
    Laptop booted quickly
    Ran hjt, saved log
    Checked task manager, CPU was between 90 and 99% in system idle process,
    CPU usage history was at about 8% (was previously 100%)
    Removed more programs that I haven't used in forever, rebooted, CPU usage is at 0%

    I LOVE YOU GUYS!!!!
     


  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good, are you having any current problems?
     
  14. CajunR

    CajunR Private E-2

    Not at all!
    THANK YOU!!
    THANK YOU!!
    THANK YOU!!
    THANK YOU!!
    THANK YOU!!
    THANK YOU!!
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert
