TechSpot

Generic.WUE and Dialer.BZB

By mz.bhvn
Jul 8, 2006
  1. Within the past week, AVG anti-virus resident shield has popped up with several viruses that have been found. The main ones being Generic.WUE and Dialer.BZB.
    Examples of these messages are (which appear almost every couple of hrs):

    • "Virus Detected! While opening file: C:\WINDOWS\Temp\win419.tmp.exe Trojan horse dialer.BZB"
    • "Virus Detected! While opening file: C:\WINDOWS\Temp\win482.tmp.exe Trojan horse dialer.BZB"
    • "Virus Detected! While opening file: C:\Documents and Settings\**my user name**\Local Settings\Temporary Internet Files\Content.IE5\VR28WSG1\bgates[1].exe Trojan horse Dialer.BZB"
    There are also similar messages which appear with the Generic.WUE virus and other related Dialer.BZB messages.

    My computer has become extremely sluggish and slow, and random fake virus and porn internet windows pop up also. I have run all anti-spyware and anti-adware programs, yet the viruses seem to be very stubborn and will not delete from my computer.

    Attached are HJT and ewido anti-spyware logs.
    If anyone could assist me in deleting these viruses, it'd be very much appreciated :)
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go and download the Pocket Killbox programme from HERE. Extract it, but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Windows Update System Shell

    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    win419.tmp.exe
    win482.tmp.exe
    bgates[1].exe
    svhostcs32.exe (not to be confused with svchost.exe, which is legit)

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R3 - Default URLSearchHook is missing

    O3 - Toolbar: (no name) - {00000000-0002-0002-0000-000000000000} - (no file)

    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)

    O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    svhostcs32.exe You will need to search your system for this file and delete all instances of it. (Not to be confused with svchost.exe, which is legit.)


    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\Temp\win419.tmp.exe
    C:\WINDOWS\Temp\win482.tmp.exe
    C:\Documents and Settings\**my user name**\Local Settings\Temporary Internet Files\Content.IE5\VR28WSG1\bgates[1].exe

    Once your system has rebooted, turn system restore back on and post a fresh HJT log.

    Regards Howard :wave: :wave:
     
  3. mz.bhvn

    mz.bhvn TS Rookie Topic Starter

    Thank you for those steps Howard.

    I was able to delete the files you listed from Hijackthis, but when I ran killbox.exe and went to reboot an error message appeared with this:
    "PendingFileRenameOperations Registry Data has been Removed by External Process!" - What does this mean?

    A fresh HJT log is attached.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The Killbox message is nothing to worry about. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

    Your HJT log is now clean and the nasty entries are gone.

    How's your system running?

    Regards Howard :)
     
  5. mz.bhvn

    mz.bhvn TS Rookie Topic Starter

    Ohh hehe, I didn't think it'd be much of a problem, because it asked if I wanted to reboot and I said yes... THEN the error message came up afterwards. So far AVG hasn't popped up with any virus windows and my system seems to be running a little smoother - I'll probably realise if it's become any better during the next day or two. Thank you so much for your assistance Howard :) Muchly appreciated!
     
  6. mz.bhvn

    mz.bhvn TS Rookie Topic Starter

    Oh no...Just as I thought I got rid of the trojans, new ones have been found by AVG! :( Below are some of the messages I have been getting:

    • "Virus detected! While opening file: C:\WINDOWS\Temp\win8B7.tmp.exe Trojan horse Generic.WUE"

    • "Virus detected! While opening file: C:\WINDOWS\Temp\win8B8.tmp.exe Trojan horse Generic.WUE"

    • "Virus detected! While opening file: C:\WINDOWS\Temp\win8CA.tmp.exe Trojan horse Generic.WUE"

    • "Virus detected! While opening file: C:\WINDOWS\Temp\win8CB.tmp.exe Trojan horse Dialer.BZB"

    • "Virus detected! While closing file: C:\Documents and Settings\**username**\Local Settings\Temporary Internet Files\Content.IE5\HMK06Y2N\srvgqo[1].exe Trojan horse Generic.WUE"

    • "Virus detected! While closing file: C:\Documents and Settings\**username**\Local Settings\Temporary Internet Files\Content.IE5\5NPSQ60D\bgates[2] Trojan horse Dialer.BZB"

    Is there something I'm doing wrong for these trojans to keep infecting my computer? I run spybot search and destroy every day and I have AVG anti-virus installed with the firewall enabled.

    Attached is a HJT log.
     
  7. mz.bhvn

    mz.bhvn TS Rookie Topic Starter

    Oops, the HJT log didn't attach.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean. However, it appears you aren't running any firewall software.

    Download and install the free Zonealarm firewall from HERE.

    Download and run the ATF-cleaner from HERE.

    Also download and run the Ccleaner programme from HERE.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    win8B7.tmp.exe
    win8B8.tmp.exe
    win8CA.tmp.exe
    win8CB.tmp.exe
    srvgqo[1].exe
    bgates[2].exe

    Close task manager.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    Type all those filepaths into killbox.

    Once your system has rebooted, turn system restore back on.

    Then, reboot into safe mode and go to C:\windows\temp folder and manually delete anything that windows will let you.

    Do the same for this folder as well. C:\Documents and Settings\**username**\Local Settings\Temporary Internet Files and again manually delete anything Windows will let you. Do this for all users.

    Regards Howard :)
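
The second round of alerts in this thread carries the same detections under new file names (win419/win482 became win8B7 through win8CB), so a check keyed on exact names misses the next drop. As an added example, not part of any post in this thread: a Python sketch that parses the AVG messages quoted above, classifies each by location and naming pattern, and flags lookalike process names such as svhostcs32.exe. The regexes, labels and similarity threshold are assumptions chosen for this thread's samples.

```python
import re
from collections import Counter
from difflib import SequenceMatcher

# Alert text copied from the posts above; the user-name placeholder is the poster's.
ALERTS = [
    r"Virus Detected! While opening file: C:\WINDOWS\Temp\win419.tmp.exe Trojan horse dialer.BZB",
    r"Virus Detected! While opening file: C:\WINDOWS\Temp\win482.tmp.exe Trojan horse dialer.BZB",
    r"Virus detected! While opening file: C:\WINDOWS\Temp\win8B7.tmp.exe Trojan horse Generic.WUE",
    r"Virus detected! While opening file: C:\WINDOWS\Temp\win8CB.tmp.exe Trojan horse Dialer.BZB",
    r"Virus detected! While closing file: C:\Documents and Settings\**username**\Local Settings"
    r"\Temporary Internet Files\Content.IE5\HMK06Y2N\srvgqo[1].exe Trojan horse Generic.WUE",
    r"Virus detected! While closing file: C:\Documents and Settings\**username**\Local Settings"
    r"\Temporary Internet Files\Content.IE5\5NPSQ60D\bgates[2] Trojan horse Dialer.BZB",
]

# Assumed patterns, derived only from the file names and folders seen in this thread.
ALERT_RE = re.compile(r"While (?:opening|closing) file: (?P<path>.+?) Trojan horse (?P<name>\S+)$")
TEMP_DROP_RE = re.compile(r"\\WINDOWS\\Temp\\win[0-9A-F]{3}\.tmp\.exe$", re.IGNORECASE)
IE_CACHE_RE = re.compile(r"\\Temporary Internet Files\\Content\.IE5\\", re.IGNORECASE)

def parse_alert(line):
    """Return (path, detection) from one resident-shield message, or None."""
    m = ALERT_RE.search(line.strip().strip('"'))
    return (m.group("path"), m.group("name").lower()) if m else None

def classify(path):
    """Label a path by where it sits, not by its exact (changing) file name."""
    if TEMP_DROP_RE.search(path):
        return "temp-dropper"
    if IE_CACHE_RE.search(path):
        return "ie-cache-download"
    return "other"

def is_lookalike(name, legit="svchost.exe", threshold=0.75):
    """True for names close to, but not equal to, a legitimate process name."""
    name, legit = name.lower(), legit.lower()
    return name != legit and SequenceMatcher(None, name, legit).ratio() >= threshold

def summarize(alerts):
    """Count alerts per location class across the whole thread."""
    parsed = filter(None, map(parse_alert, alerts))
    return Counter(classify(path) for path, _ in parsed)

if __name__ == "__main__":
    print(summarize(ALERTS))
    print(is_lookalike("svhostcs32.exe"), is_lookalike("svchost.exe"))
```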
     
Topic Status:
Not open for further replies.
