bolenja/bolenjx removal questions

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Gary WY, Feb 7, 2008.

  1. Gary WY

    Gary WY Private E-2

    A couple of weeks ago malware infected my XP Home Edition laptop computer. I lost my control panel and my Panda Internet Security software will not enable. Panda suggested smitfraudfix but it did not help. I've been through a number of procedures but they have not corrected the problem. The HJT log showed bolenja.exe and bolenjx.exe files, which come back upon reboot. I found this site through a Google search. I've downloaded and run MGTools, and attached the zip file. The only problem I saw while MGTools was running was a message early on about the lack of permission to edit the registry.

    Thank you very much for any help you can provide. Gary
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi Gary WY!
    Welcome to Major Geeks!


    The MGTools will be helpful in setting up a set of instructions specific to your computer. It takes some time to read through the logs and do this. It would be helpful if you would go ahead and run the rest of the instructions in the READ & RUN ME FIRST including disabling Teatimer, running Combofix and running AVG Antispyware. I think the reason for the message you got when you ran the MGTools is because your regedit has been disabled. You may be able to fix that by doing the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    Just close HijackThis when you're finished. This may or may not work, but we'll need to come back to it anyway.

    Please attach the results of the Combofix and if there's a log for AVG Antispyware, attach that too with your next post. Also, it would be useful to post a fresh set of MGlogs after you run the other two scans by going to the MGTools folder under C and running the file called GetLogs.bat which can be run by double clicking on the file. This will produce a new set of MGlogs.zip. Please attach that with your next post as well.

    abri
     
  3. abri

    abri MajorGeek

    Hi Gary,
    If you haven't done the instructions in step 2 yet, please skip them and begin here:

    It's very important that you get rid of your temporary files. To do this, please run CCleaner as per the instructions in the READ & RUN ME FIRST. After you finish, please continue as follows:


    1) If your Guest account hasn't been disabled, please do this.

    2) Do you have both Symantec and Panda installed? If so, please uninstall one of them. If you uninstall Symantec, please use the Norton Removal Tool (SymNRT).

    3) Right click on the following file on your desktop and tell me where the link points. Do not delete it.

    C:\Documents and Settings\All Users\Desktop\ad.lnk


    4) Go to add/remove programs and uninstall the below:

    Viewpoint Media Player
    J2SE Runtime Environment 5.0 Update 4
    Java(TM) 6 Update 3
    WildTangent Web Driver


    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [bolenja] bolenja.exe
    O4 - HKLM\..\Run: [bolenjx] bolenjx.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O20 - AppInit_DLLs: kus109.dat

    After you click fix, just close hijackthis.


    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    8)
    Install the current version of Sun Java from: Sun Java Runtime Environment

    9)
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now. It may still be necessary to run Combofix and AVG Antispyware. If you have them, the logs for those would also be useful.

    abri
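    The step 5 list above is in HijackThis's line format: O4 entries are Run-key autostarts, O7 entries are registry policy values, and O20 is the AppInit_DLLs value. The following is an added example (not part of this thread, and not MajorGeeks' or HijackThis's own code) that parses those six lines and flags the ones a responder would look at first: a Run entry that names a bare filename with no path, a DisableRegedit=1 policy (which is what produces the "no permission to edit the registry" message), and any non-empty AppInit_DLLs value. The regular expressions and the triage rules are my own assumptions about the format, derived from the lines quoted in the post.

```python
"""Parse HijackThis-style O4/O7/O20 lines and flag entries worth a closer look.

Added example; not MajorGeeks' or HijackThis's own code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the six lines abri listed in step 5 of this thread.
SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [bolenja] bolenja.exe
O4 - HKLM\..\Run: [bolenjx] bolenjx.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: kus109.dat
"""

# Assumed patterns for the three line kinds quoted in the post.
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$')
O7_RE = re.compile(r'^O7 - (HK\w+)\\(.+?), (\w+)=(.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (.*)$')


@dataclass
class HjtEntry:
    section: str            # "O4", "O7" or "O20"
    hive: Optional[str]     # HKLM / HKCU, None for O20
    key: Optional[str]      # Run subkey or policy key path
    name: str               # value name
    value: str              # command line, policy data or DLL name


def parse_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for a recognised O4/O7/O20 line, else None."""
    m = O4_RE.match(line)
    if m:
        return HjtEntry("O4", m.group(1), m.group(2), m.group(3), m.group(4))
    m = O7_RE.match(line)
    if m:
        return HjtEntry("O7", m.group(1), m.group(2), m.group(3), m.group(4))
    m = O20_RE.match(line)
    if m:
        return HjtEntry("O20", None, None, "AppInit_DLLs", m.group(1).strip())
    return None


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse every recognised line in a block of HijackThis output."""
    entries = []
    for raw in text.strip().splitlines():
        entry = parse_line(raw.strip())
        if entry is not None:
            entries.append(entry)
    return entries


def _executable(command: str) -> str:
    """Extract the program part of a Run-key command line (quoted or first token)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entry: HjtEntry) -> Optional[str]:
    """Return a reason string if the entry deserves attention, else None."""
    if entry.section == "O7" and entry.name == "DisableRegedit" and entry.value == "1":
        return "policy disables the registry editor; explains the 'no permission to edit the registry' message"
    if entry.section == "O20" and entry.value:
        return "AppInit_DLLs loads this DLL into every process that links user32.dll"
    if entry.section == "O4":
        exe = _executable(entry.value)
        # A bare filename has no drive letter or directory separator: Windows
        # resolves it through the search path instead of a fixed location.
        if exe and "\\" not in exe and ":" not in exe:
            return "autorun names a bare filename instead of a full path"
    return None


def triage_log(text: str) -> List[Tuple[HjtEntry, str]]:
    """Parse a log block and return only the flagged entries with their reasons."""
    flagged = []
    for entry in parse_hjt(text):
        reason = triage(entry)
        if reason:
            flagged.append((entry, reason))
    return flagged


if __name__ == "__main__":
    for entry, reason in triage_log(SAMPLE_LINES):
        print(f"{entry.section} [{entry.name}] {entry.value}: {reason}")
```

    Run stand-alone, the script lists the two bolenja Run entries, both DisableRegedit policies and the kus109.dat AppInit_DLLs value, and leaves the QuickTime entry alone because it names a full path.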
     
  4. Gary WY

    Gary WY Private E-2

    I was just finishing up the procedure outlined in your initial reply when I received the email that you had posted again (thank you!).

    Initially, when I got part way through, I believe it was Combo Fix, my computer rebooted; Panda antivirus started (it would not before) and also Spybot S&D that I had installed a few days ago started (it would not run before). This interrupted the Combo Fix. I checked and also had the Control Panel back. I went in and removed all the programs that I could not remove before, installed the latest "Sun Java Runtime Environment" and followed through the entire procedure. AVG AntiSpyware did delete 3 files that had created 2XX problems but it did not create a log, even though I checked the proper "boxes". I may be able to copy/paste those entries if they still reside in the program - but they probably do not??

    When I received your second reply I went through those procedures also. I was surprised to see that hjt did show bolenja & x still present; I removed them and the other entries recommended.

    I did not find the Desktop file "C:\Documents and Settings\All Users\Desktop\ad.lnk". I do not use Windows Messenger but did not delete it as I don't know which program the other team members use. I deleted Norton files when I purchased this computer a couple of years ago but was told at that time that it was difficult to get them all. (I have PC Anywhere installed on one computer but apparently not this one.) I went through the Norton removal procedure. I have been using Panda exclusively but this problem slipped past them.

    If I need to run Combofix and AVG Antispyware again, please let me know. Thank you very much! Gary
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi Gary,

    It looks like your logs are clean. There are still some Symantec entries which you can try removing with HijackThis. Please do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    After you click fix, just close hijackthis.

    Run CCleaner at the default setting with the Windows tab as the one on top. It's useful to run this whenever you've finished using the computer for the day or when you finish with the internet.

    If you have further symptoms, it would be useful for you to run ComboFix and then post the combofix log along with a new one from the GetLogs.bat program in the MGtools folder under C. The log itself is found under C.

    See if your computer is running well for a day or so and a couple of reboots. If you don't have any further symptoms, then do the final cleanup instructions in the box:
    abri
     
