Winctrl32.dll and bugs on screen

Discussion in 'Malware Help (A Specialist Will Reply)' started by basriff, Jun 7, 2008.

  1. basriff

    basriff Private E-2

    Hello,

    A couple of days ago my desktop turned blue and bugs started to crawl all over my screen. I ran avast! and the bugs are gone, but now Avast seems to think I have new trojans/infections every other hour, especially a problem with winctrl32.dll. Except for that my computer runs normally, not slow nor any pop-ups etc.

    I followed the steps from "READ & RUN ME FIRST" except for combofix because it didn't seem to work. I got a blue screen and then nothing happened. I think I might still have some infection on the computer since winctrl32.dll won't disappear, but I'm really not sure and would like some help.

    I attach the three logs from SUPERAntiSpyware, MBAM and MGtools.

    Thankful for any help!
     

  2. abri

    abri MajorGeek

    Hi basriff,
    Welcome to Major Geeks!


    I'll be going through your logs. This takes time, so thanks for your patience. Please don't use your computer or reboot unnecessarily until I can get back to you with a set of instructions. You do have some files that need to be gotten out.

    While you're waiting, please attach the file you have located directly under C:\ called Bug.txt. I believe this was the result of your bad combofix run. Use the Manage Attachments button.

    Thanks.
    abri
     
  3. basriff

    basriff Private E-2

    Thank you very much, and please take the time you need.

    I attached the bug.txt. I should probably say though that since my computer uses Swedish I had to change "desktop" to "skrivbord" when I ran combofix through Run (since it obviously couldn't find anything under "desktop").
     

    Attached Files: Bug.txt (3.5 KB)
  4. abri

    abri MajorGeek

    Hi basriff,

    After you upload the bug.txt to us as per the instructions in my last post, please continue with the following:

    1) You have a lot of programs under C:\ which look like setup programs. It's important that your browser allow you to make the decision where your downloads will be stored as some programs have to be downloaded to specific places. It's also useful to make a special folder for installation files which can then be deleted after the installation has been completed. Please make a folder under C:\ or under C:\Program called Downloads or some other name like this and move these files into that folder.

    C:\Program\ccsetup208_slim.exe
    C:\Program\jre-6u6-windows-i586-p.exe
    C:\Program\mbam-setup.exe
    C:\Program\MediaMonkey_3.0.2.1134.exe
    C:\Program\mp3tagv240setup.exe
    C:\Program\PlaylistCreator3_Setup.exe
    C:\Program\spybotsd152.exe
    C:\Program\xmind2008-setup-nojre-i20080331.exe
    C:\Program\octosetup_vESCTV07_l_odd.exe

    Additionally, did you install the following programs? There's not a lot of information about them.

    C:\Program\KanjiLab.zip
    C:\Program\JquickTrans00b7s.exe
    C:\Program\Penpen00b10.exe
    C:\Program\CravingExplorer-0-19-9.exe
    C:\Program\XMIND 2008

    2) Next I would like for you to disable your guest account if this hasn't already been done.

    3) And now open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. Then go to C:\ and delete all the files with this structure: sqmnoopt12.sqm


    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:


    O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll


    Does the following program need to load at startup? If not, please fix it as well.


    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

    After you click fix, just close hijackthis.

    6) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    DRIVER::
    Winfo76
    WinCtrl32
    
    DIRLOOK::
    C:\Documents and Settings\Malin\Application Data\shcajaj0ea1j
    
    FILE::
    C:\WINDOWS\system32\WinCtrl32.dll
    C:\WINDOWS\system32\mssrv32.exe
    C:\WINDOWS\Temp\BN2.tmp
    C:\WINDOWS\Temp\BN3.tmp
    C:\WINDOWS\Temp\BN4.tmp
    C:\WINDOWS\Temp\BN5.tmp
    C:\WINDOWS\Temp\BN6.tmp
    C:\WINDOWS\Temp\BN7.tmp
    C:\WINDOWS\Temp\BN8.tmp
    C:\WINDOWS\Temp\BN9.tmp
    C:\WINDOWS\Temp\BNA.tmp
    C:\WINDOWS\Temp\BNB.tmp
    C:\WINDOWS\system32\drivers\Winfo76.sys
    
    REGISTRY::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "PendingFileRenameOperations"=-
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    7) Now run CCleaner at the default setting with the Windows tab as the top one.

    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log.


    Let me know how things are running now?

    abri
     
  5. basriff

    basriff Private E-2

    Hi!

    I followed all the steps and combofix worked now, thank you! I've attached the files as you asked.

    Yes, I did install those, but I uninstalled the first three when I was doing the "Read and Run..."

    I think everything works like it should now! winctrl32.dll is finally gone from my system32 folder so I hope it's gone for good this time. And Avast has stopped saying I have trojans as well. The only thing is my Ad-Aware seems to have stopped working (freezes after loading) but I guess I can just try reinstalling it.

    Thank you again for all your help! It's really appreciated!
     

  6. abri

    abri MajorGeek

    Hi basriff,

    You still have some drivers showing up that are worrying me a bit. Please do the following:

    1) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    DRIVER::
    Winfo76
    Winks10
    Winlx65
    Winot38
    Winow11
    Winyi54
    
    FOLDER::
    C:\Documents and Settings\Malin\Application Data\shcajaj0ea1j
    
    REGISTRY::
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfo76.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winks10.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlx65.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winot38.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winow11.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyi54.sys]
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    2) Now run CCleaner at the default setting with the Windows tab as the top one.

    3) Please follow the instructions at Running GMER to detect rootkits and attach the log.


    4) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now?

    abri
     
  7. basriff

    basriff Private E-2

    Hi!

    Combofix isn't working again. I only get the blue window and then nothing happens. Not sure if I should continue with the rest anyway?
     
  8. basriff

    basriff Private E-2

    Never mind, Combofix worked after a few tries.

    Attached all the logs. Everything is still running fine, but I can't understand the logs, so I really have no idea :confused

    Thanks again!
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi basriff,

    Let's run Combofix one more time and get rid of a driver which GMER found. Please use the same instructions you used in Post 6 Step 1, only this time use the contents of this box:
    Code:
    KILLALL::
    
    DRIVER::
    a9mykh8v
    
    FILE::
    System32\Drivers\a9mykh8v.SYS
    After you complete the combofix instructions, please run CCleaner again and then attach the new combofix log here.

    Thanks.
    abri
     
  10. basriff

    basriff Private E-2

    Hi

    Okay did the combofix etc and attached the log.

    And the computer still seems to be running fine, but when I start my computer I get an error message saying it can't find a file called C:\Program\INSTAL~1\{C191B~1\setup.exe and that I should try and search for it. Not sure what this means, but I'm guessing it's not too good? :confused
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi basriff,

    First I want to ask how you ran combofix? The reason I'm asking is because there's no mention in combofix of having attempted to delete the file we gave it called a9mykh8v.SYS.

    Let's try this again and this time I'll add in the entry which I think is leading to the error message you're getting.


    1) First I would like for you to make a backup of your registry using a small tool called Erunt. Just download and install Erunt. Use it to create a backup of your registry.


    2) Then please do the following:

    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
      Code:
      KILLALL::
      
      DRIVER::
      a9mykh8v
      
      FILE::
      System32\Drivers\a9mykh8v.SYS
      
      REGISTRY::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
      "InstallShieldSetup"=-


    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    3) Now run CCleaner at the default setting with the Windows tab as the top one.

    4) And finally, please attach the combofix log and let me know how things are running now.

    abri
     
  12. basriff

    basriff Private E-2

    I ran it exactly the way you told me to. It's just that it never seems to work the first few times I try, and usually it is only on the 4th or 5th try that combofix starts working.

    And when I tried it this time, it was the same, though it didn't reboot until after everything was done and then there was no logfile. I can't find it anywhere. Should I run combofix again?
     
  13. abri

    abri MajorGeek

    Hi basriff,

    Did you try doing a search of Windows Explorer for Combofix.txt?

    Let's do this now:

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    Let me know if you get a success message after this.

    abri
     
  14. basriff

    basriff Private E-2

    Ah found the latest combofix log and attached it :)

    And I did the Erunt and fixme.reg and I got a success message afterward!
     

    Attached Files:

  15. abri

    abri MajorGeek

    Hi basriff,

    If the error message you mentioned in post 10 is no longer showing up, I want to post the final cleanup instructions to you. The driver I wanted you to remove was not removed, but I think it will give enough information about it if you rename it by right-clicking on it and adding .zzz to the end. If you have any trouble with any of your programs, you can just rename it back. It's this one:

    System32\Drivers\a9mykh8v.SYS ------> a9mykh8v.SYS.zzz

    After you do that, please go ahead with the final cleanup instructions in the box:
    abri
     
  16. basriff

    basriff Private E-2

    Hi

    The error message is still showing up though. And a9mykh8v.SYS isn't in the driver folder. I searched for it as well but it's not there. I guess I should wait with the cleanup?
     
  17. basriff

    basriff Private E-2

    Sorry doublepost :(
     
  18. abri

    abri MajorGeek

    Hi basriff,

    I haven't forgotten you and sorry for the wrong post. I had a blind moment. I'm waiting for some more information. I appreciate your patience!

    abri
     
  19. abri

    abri MajorGeek

    Hi basriff,

    If you still have the MGTools installed, please go to the MGTools folder under C:\ and in it look for analyse.exe. Double-click on it to run the program and select "Do a system scan".

    When it finishes, see if the following entry is there:

    O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\Program\INSTAL~1\{C191B~1\setup.exe -rebootC:\Program\INSTAL~1\{C191B~1\reboot.ini -l0x1d

    If so, put a check in the box. Then close any open browser windows. Then click FIX.

    Then reboot and tell me if the problem is still there?

    abri
     
  20. basriff

    basriff Private E-2

    Sorry it took me so long to reply, I didn't have computer access for a while.

    I ran analyse.exe and checked that entry and the error message is gone! Thank you so much! That means there's no more malware in my computer right?
     
  21. abri

    abri MajorGeek

    yes!
    :)
    All the best with your computer!
     
  22. basriff

    basriff Private E-2

    That's great news :) Thank you SO much for all your help!!
     
  23. abri

    abri MajorGeek

    You're welcome :)
     
  24. basriff

    basriff Private E-2

    Sorry, feel bad bringing this thread up again, but the error message from before has returned now when I turn on my computer :( I haven't installed or done anything with my computer so I guess it's the file that's the problem?

    Anyway, any ideas of how to get rid of it are welcome, though I'm starting to feel it's a lost cause :confused
     
  25. abri

    abri MajorGeek

    Hi basriff,

    Don't feel bad. Computers are not mysterious, just sometimes hard to see inside of. Please go to USING MG TOOLS and follow the instructions for installing and running the tools. After you finish, attach the new set of MGlogs.zip here. I want to see if the entry you deleted is back again and see if it can be tracked down.

    Thanks.
    abri
     
  26. basriff

    basriff Private E-2

    Thanks for helping me again!

    I never actually had a chance to uninstall MGTools and the other programs I installed when trying to get rid of the malware (I was just about to when the error message came back).

    Anyway, attached the logfile. Hope it helps!
     

    Attached Files:

  27. abri

    abri MajorGeek

    Hi basriff,

    This entry is probably attached to a piece of software you use and so it's getting reloaded. We need more information about it. Please see if you can find this:

    C:\Program\INSTAL~1\{C191B~1\setup.exe -reboot

    It should be in a folder under C:\Program which is in another folder called INSTALxxxx (where the x's are some letters) and then in another folder which starts with C191B. See if the file called setup.exe is in there and if so, right-click on it and see if you can find out more about it by looking at properties. Is there any information about it?

    You can also go to Start / Run and type in MSConfig and click on okay. In the window that opens up, select diagnostic mode. Then go to the Start tab and make sure that your antivirus program and anything else needed is checked, and leave the other programs unchecked. Click on accept and okay.

    Then go to the MGTools folder under C:\ and find analyse.exe. Double-click on it to start the program and then click on Do a system scan. When the scan is finished, put a checkmark next to the following entry and then close all your open browser windows. Then click on Fix.

    O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\Program\INSTAL~1\{C191B~1\setup.exe -rebootC:\Program\INSTAL~1\{C191B~1\reboot.ini -l0x1d

    After you click on fix, close HijackThis and then reboot your computer.

    If it responds as before, it may take a few reboots to reload. So use your computer for awhile and see if it comes back. If it does not come back, then slowly put the programs in msconfig back into the startup sequence by going to Start / Run, typing in msconfig and clicking on okay. Leaving Diagnostic Mode checked, select the Startup tab and add programs back in one or two at a time with several reboots in between. At one point, this item should start appearing again and by keeping track of the programs that are loading at startup, it should be possible to narrow it down to which program is installing this.

    Let me know if you find any information about this in Windows Explorer and let me know how this testing goes.

    abri
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note to Abri:

    This is not related to the Installshield issue but needs to be addressed.

    Had you noticed that Norton 360 is still installed and Avast is being used? See the below lines also in the HJT log

     
  29. basriff

    basriff Private E-2

    Hi
    I couldn't really find any information about the file. In that folder I found this

    C:\Program\InstallShield Installation Information\{C191BE7C-8542-4A61-973A-714EF76C5995}\_setup.dll

    and that was all. And in the properties it just said "Copyright (C) 2003 InstallShield Software Corp."

    However, the testing went fine. The problem seems to be Ad-Watch, which is probably logical because it stopped working in the middle of the malware hunt. It opens when I start my computer but then just sort of freezes. I was going to uninstall it, but forgot :/ Shall I go ahead and uninstall it now instead? :confused
     
  30. abri

    abri MajorGeek

    Hi basriff,

    Yes, please uninstall it.


    Also, please note the message from Chaslang in post 28. You have two antivirus programs running. Please do the following:


    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Lic NetConnect
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.


    Then run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis. Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe (file missing)

    After you click fix, just close hijackthis.

    After doing the above, run CCleaner.

    It would be a good idea to run both of the following. Please note the warning by Symantec in the box below:

    Removing Files from Norton Antivirus Quarantine

    Norton Removal Tool (SymNRT)


    After you've done all of the above, let me know how all this went?
    abri

     
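As an added example (not from this thread, and not part of HijackThis or MGtools), a small Python triage helper that parses the HijackThis O2/O4/O20/O23 lines quoted in posts 4, 19, 27 and 30 and flags the properties the helpers acted on: orphaned entries marked (no file)/(file missing), Winlogon Notify DLLs, RunOnce entries that get recreated, and 8.3 short paths. The sample lines are the ones quoted in the thread; the flag names and the Entry structure are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the HijackThis lines quoted in this thread (posts 4, 19, 27, 30).
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\Program\INSTAL~1\{C191B~1\setup.exe -rebootC:\Program\INSTAL~1\{C191B~1\reboot.ini -l0x1d
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe (file missing)
"""

# One regex per HijackThis section handled here; the named groups feed the Entry fields.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<key>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<target>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<key>[^)]+)\) - (?P<owner>.+?) - (?P<target>.+)$"),
}
# HijackThis appends one of these when the referenced file is no longer on disk.
ANNOTATION = re.compile(r"\s*\((?:no file|file missing)\)\s*$")

@dataclass
class Entry:
    section: str
    name: str
    target: str
    key: Optional[str] = None      # Run/RunOnce key, service short name or BHO CLSID
    path: Optional[str] = None     # binary path extracted from target, if any
    flags: list = field(default_factory=list)

def extract_path(target: str) -> Optional[str]:
    # Strip the missing-file annotation, then take a quoted path or the first .exe/.dll/.sys token.
    t = ANNOTATION.sub("", target).strip()
    if not t:
        return None
    m = re.match(r'"([^"]+)"|(.+?\.(?:exe|dll|sys))(?:\s|$)', t, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None

def assess(entry: Entry) -> list:
    # Flag names are my own; each one mirrors a judgement made in the thread.
    flags = []
    if ANNOTATION.search(entry.target):
        flags.append("orphaned")         # registration left behind after the file was removed
    if entry.section == "O20":
        flags.append("winlogon-notify")  # DLL loaded by winlogon.exe at logon; rarely legitimate
    if entry.section == "O4" and entry.key == "RunOnce":
        flags.append("runonce")          # keeps returning only if some program rewrites it
    if entry.path and "~" in entry.path:
        flags.append("short-path")       # 8.3 name; expand it before judging the file
    return flags

def parse_hjt_line(line: str) -> Optional[Entry]:
    # Returns None for blank lines and for sections this helper does not handle.
    line = line.strip()
    for section, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            d = m.groupdict()
            e = Entry(section=section, name=d["name"], target=d["target"], key=d.get("key"))
            e.path = extract_path(e.target)
            e.flags = assess(e)
            return e
    return None

def triage(log_text: str) -> list:
    # Parse every recognised line of an HJT log, preserving the log's order.
    return [e for e in (parse_hjt_line(ln) for ln in log_text.splitlines()) if e]
```

Calling `triage(SAMPLE_HJT_LINES)` returns the five entries; the WinCtrl32 line comes back flagged winlogon-notify and the InstallShieldSetup line runonce and short-path, which is exactly the pair the thread spends most of its time on.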
