Corporate Zombie » sdfix http://faolain.net/corporate_zombie Welcome to the world of Beige! Thu, 08 Dec 2011 17:31:54 +0000 en hourly 1 http://wordpress.org/?v=3.1.3 wlctrl32 – nasty little bugger of a rootkit virus http://faolain.net/corporate_zombie/2008/05/01/wlctrl32-nasty-little-bugger-of-a-rootkit-virus http://faolain.net/corporate_zombie/2008/05/01/wlctrl32-nasty-little-bugger-of-a-rootkit-virus#comments Thu, 01 May 2008 15:42:33 +0000 admin http://faolain.net/corporate_zombie/?p=28 I had a nasty encounter with wlctrl32 in aq clients office.

First, Symantec Corporate would not detect the virus. I had to install the trial of PrevX to detect the malware.

once that was done the issue of removal came up.

Luckily someone has had the issue before me, Experts Exchange

The two main applications that helped with this issue were ComboFix and SDFix

In addition to their main download locations (http://download.bleepingcomputer.com/sUBs/ComboFix.exe, http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) i have added them here: ComboFix and SDFix

To use these, disable System Restore first.

I am not in anyway supporting these tools, however

SDFix:

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :

  • Open the SDFix folder and double click on RunThis.bat to start the script.
  • Type Y and press Enter to begin the script.
  • It will start cleaning your PC and then prompt you to press any key to Reboot.
  • Press any key to restart the PC.

Your system will take longer than normal to restart as the fixtool will be removing files.

  • When the desktop loads the Fixtool will complete the removal and display Finished.
  • Press any key to end the script and to load your desktop icons.

A text file should automatically open.

On ExpertsExchange the expert used this log file to create a script of files and drivers for Combo Fix to remove. I have not yet figured out where they pulled the content from, but here is what they suggest they put into a file called CFScript.txt. This file is then dragged over onto the ComboFix exe. It will try and remove them

File::
C:\WINDOWS\system32\Drivers\Jnp57.sy

s
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\drivers\nkv2.sys

Driver::
Jnp57
USB2_04

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]

Combo Fix: Disable your AntiVirus and any real-time Anti-spyware monitors that are running.

Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you.

Note 1: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

There is a recommended cleanup method as well after this has been run
Click START then Run…
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

This worked first time for me. No issue at all.

]]> http://faolain.net/corporate_zombie/2008/05/01/wlctrl32-nasty-little-bugger-of-a-rootkit-virus/feed 0