Generic.WUE / Dialer.BZB

Discussion in 'Malware Help (A Specialist Will Reply)' started by SeanBerg, Jul 16, 2006.

  1. SeanBerg

    SeanBerg Private E-2

    Hi all,
    I must've got infected with the Dialer.BZB and Generic.WUE viruses when I downloaded some keygen (I know, I know...but it was a matter of life/death!).

    Since my AVG Free v. 7.1.394 (updated on the 11th of July) detected the virus on Friday, I've been searching the web looking for answers, but most of the problems I've googled were inconclusive, insufficient answers or particular cases.

    I'm running under Windows XP SP2, with a ZoneLabs Firewall installed, AVG Free Edition and SpyBot S&D, and I use only Mozilla Firefox (in an attempt to avoid this kind of problem). I don't have the Windows XP firewall up.

    So, since I've been searching, I've read the READ & RUN ME FIRST post, I also installed CCleaner and Ad-Aware.
    Ran my AVG, CCleaner, Ad-Aware and Spybot (Teatimer disabled) in Windows Safe Mode (without network support). Removed all malware that they could detect. I also deleted two files from the system32 folder: ishost.exe and ismon.exe, because they appeared on the ctrl+alt+del list (I searched all files that reported there, and googled them, and those were the only ones that were harmful).
    Rebooted to normal mode, and re-did all the scans (just to make sure). Only AVG now pointed out the virus (still Dialer.BZB and Generic.WUE, always accusing it of being in the documents and settings/user/temp folder).

    Disabled system restore.
    Reboot in safe mode.
    Scan with all programs all over again (this time, all files clean).
    Rebooted in normal mode.
    Thought the problem was gone, but about 15 min later, AVG pops up a msg indicating that both viruses were there.
    Rebooted in safe mode with net access.
    Ran online scan (only BitDefender.com, as the Panda one wasn't opening here). Returned the viruses listed in the attachment (as required). I've noticed that BitDefender showed viruses that AVG didn't detect (or at least other names for those viruses). Deleted the files.
    Rebooted to normal mode.
    Same thing - a while later, virus message appears.

    So I installed HJT, ran it and posted the log here.

    If anybody could help me, it would be greatly appreciated. I've slept little over the past few days just trying to solve this on my own.

    Best regards,

    Sean Berg

    EDIT: Forgot to mention: as I don't use IExplorer, no popups or anything appear (as indicated by other people who had the same problem as I do). Nothing really looks like it has happened to my computer, apart from the bloody AVG that keeps popping up the virus warning message.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow the directions in step 6 properly next time. What you posted for BitDefender is not the log that we requested and is not useful. Why couldn't you run Panda ActiveScan? What happens?

    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winnll32.dll once and then click the kill button. After you have killed all of the winnll32.dll under winlogon click ok. (If you do not find the dll, just continue on.)


    Next double click on explorer.exe and again click once on each instance of winnll32.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080
    O20 - Winlogon Notify: winnll32 - C:\WINDOWS\SYSTEM32\winnll32.dll


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now click Start, Run, and enter cmd and click OK! This will open a command prompt window. In the command prompt window enter the below commands each followed by the Enter key.
    del %windir%\temp\win*.*
    exit


    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\SYSTEM32\winnll32.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
  3. SeanBerg

    SeanBerg Private E-2

    chaslang,

    Sorry about the BitDefender log. I don't know what I did wrong. Maybe it's because I did the scan in IE and when the log opened, it opened in Firefox.
    About the Panda ActiveScan, when I tried to access it the other day, it just said "Server not found".

    So, I downloaded Process Explorer and Pocket Killbox. Ran PE, and I found in winlogon.exe the winnll32.dll file. Killed it.
    Didn't find the dll file under explorer.exe though.

    Ran HJT and excluded both lines you mentioned. No problem here either.

    Created and ran the self-created fixme.reg file.

    Thru cmd, deleted the temp\win*.* files.

    Ran Killbox, deleted the temp files, and deleted the winnll32.dll file (on reboot).

    Rebooted fine, no problem at all.


    Ran AVG to see if I could find anything, and it came up blank. So, just for precaution, I kept an eye on the screen the whole day to see if any virus message appeared. So far, so good.
    I just finished running AVG again, just to make sure.


    Seems like the virus has been removed successfully. I can't express how grateful I am.

    Thank you ever so much, chaslang!

    *Edited* Sorry, forgot the hjt log file.
     


    Last edited: Jul 17, 2006
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Just have HJT fix the below left over from the cleanup:

    O20 - Winlogon Notify: winnll32 - winnll32.dll (file missing)

    After that, if you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
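    As an added example (not from this thread, and not code from HijackThis, Process Explorer or Killbox), a small triage script over HijackThis-style log lines that flags the indicator types chaslang had fixed in posts 2 and 4: a Winlogon Notify DLL registered outside the stock XP set, the orphaned "(file missing)" variant left after the DLL was deleted, and a ProxyServer value with no host. The sample log lines and the stock-package allowlist are constructed/assumed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed allowlist of Winlogon Notify packages shipped with Windows XP SP2;
# anything else loaded into winlogon.exe deserves a look.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)"
                    r"(?P<missing> \(file missing\))?$")
R1_RE = re.compile(r"^R1 - (?P<key>.+?),(?P<value>\w+) = (?P<data>.*)$")

@dataclass
class Finding:
    line: str
    reason: str

def proxy_hosts(data):
    """Split a ProxyServer value ('host:port' or 'http=host:port;https=...') into hosts."""
    hosts = []
    for entry in data.split(";"):
        entry = entry.split("=", 1)[-1].strip()          # drop optional "http=" prefix
        hosts.append(entry.rsplit(":", 1)[0] if ":" in entry else entry)
    return hosts

def triage(log_text):
    """Return Findings for O20 Winlogon Notify and R1 ProxyServer lines worth fixing."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = O20_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(Finding(line, "orphaned Winlogon Notify entry: DLL gone, key still present; have HJT fix it"))
            elif m.group("name").lower() not in STOCK_NOTIFY:
                findings.append(Finding(line, "non-standard DLL registered to load into winlogon.exe"))
            continue
        m = R1_RE.match(line)
        if m and m.group("value").lower() == "proxyserver":
            if any(h == "" for h in proxy_hosts(m.group("data"))):
                findings.append(Finding(line, "ProxyServer set with an empty host (port only); reset the proxy setting"))
    return findings

# Constructed sample modelled on the entries quoted in this thread (not the poster's real log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: winnll32 - C:\WINDOWS\SYSTEM32\winnll32.dll
O20 - Winlogon Notify: winnll32 - winnll32.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```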
     
