Generic.WUE and Dialer.BZB

Status
Not open for further replies.

mz.bhvn

Posts: 8   +0
Within the past week, AVG anti-virus resident shield has popped up with several viruses that have been found. The main ones being Generic.WUE and Dialer.BZB.
Examples of these messages are (which appear almost every couple of hrs):

  • "Virus Detected! While opening file: C:\WINDOWS\Temp\win419.tmp.exe Trojan horse dialer.BZB"
  • "Virus Detected! While opening file: C:\WINDOWS\Temp\win482.tmp.exe Trojan horse dialer.BZB"
  • "Virus Detected! While opening file: C:\Documents and Settings\**my user name**\Local Settings\Temporary Internet Files\Content.IE5\VR28WSG1\bgates[1].exe Trojan horse Dialer.BZB"
There are also similar messages which appear with the Generic.WUE virus and other related Dialer.BZB messages.

My computer has become extremely sluggish and slow, and random fake virus and porn internet windows pop up also. I have run all anti-spyware and anti-adware programs, yet the viruses seem to be very stubborn and will not delete from my computer.

Attached are HJT and ewido anti-spyware logs.
If anyone could assist me in deleting these viruses, it'd be very much appreciated :)
 
Hello and welcome to Techspot.

Go and download the Pocket Killbox programme from HERE. Extract it, but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore. (XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Windows Update System Shell

Close the services window.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

win419.tmp.exe
win482.tmp.exe
bgates[1].exe
svhostcs32.exe (not to be confused with svchost.exe, which is legit)

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R3 - Default URLSearchHook is missing

O3 - Toolbar: (no name) - {00000000-0002-0002-0000-000000000000} - (no file)

O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)

O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

svhostcs32.exe You will need to search your system for this file and delete all instances of it. (Not to be confused with svchost.exe, which is legit.)


Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\Temp\win419.tmp.exe
C:\WINDOWS\Temp\win482.tmp.exe
C:\Documents and Settings\**my user name**\Local Settings\Temporary Internet Files\Content.IE5\VR28WSG1\bgates[1].exe

Once your system has rebooted, turn system restore back on and post a fresh HJT log.

Regards Howard :wave: :wave:
 
Thank you for those steps Howard.

I was able to delete the files you listed from Hijackthis, but when I ran killbox.exe and went to reboot an error message appeared with this:
"PendingFileRenameOperations Registry Data has been Removed by External Process!" - What does this mean?

A fresh HJT log is attached.
 
The Killbox message is nothing to worry about. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Your HJT log is now clean and the nasty entries are gone.

How's your system running?

Regards Howard :)
 
Ohh hehe, I didn't think it'd be much of a problem, because it asked if I wanted to reboot and I said yes... THEN the error message came up afterwards. So far AVG hasn't popped up with any virus windows and my system seems to be running a little smoother - I'll probably realise if it's become any better during the next day or two. Thank you so much for your assistance Howard :) Muchly appreciated!
 
Oh no... Just as I thought I got rid of the trojans, new ones have been found by AVG! :( Below are some of the messages I have been getting:

  • "Virus detected! While opening file: C:\WINDOWS\Temp\win8B7.tmp.exe Trojan horse Generic.WUE"

  • "Virus detected! While opening file: C:\WINDOWS\Temp\win8B8.tmp.exe Trojan horse Generic.WUE"

  • "Virus detected! While opening file: C:\WINDOWS\Temp\win8CA.tmp.exe Trojan horse Generic.WUE"

  • "Virus detected! While opening file: C:\WINDOWS\Temp\win8CB.tmp.exe Trojan horse Dialer.BZB"

  • "Virus detected! While closing file: C:\Documents and Settings\**username**\Local Settings\Temporary Internet Files\Content.IE5\HMK06Y2N\srvgqo[1].exe Trojan horse Generic.WUE"

  • "Virus detected! While closing file: C:\Documents and Settings\**username**\Local Settings\Temporary Internet Files\Content.IE5\5NPSQ60D\bgates[2] Trojan horse Dialer.BZB"

Is there something I'm doing wrong for these trojans to keep infecting my computer? I run spybot search and destroy every day and I have AVG anti-virus installed with the firewall enabled.

Attached is a HJT log.
 
Your HJT log is clean. However, it appears you aren't running any firewall software.

Download and install the free Zonealarm firewall from HERE.

Download and run the ATF-cleaner from HERE.

Also download and run the Ccleaner programme from HERE.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore. (XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

win8B7.tmp.exe
win8B8.tmp.exe
win8CA.tmp.exe
win8CB.tmp.exe
srvgqo[1].exe
bgates[2].exe

Close task manager.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

Type all those filepaths into killbox.

Once your system has rebooted, turn system restore back on.

Then, reboot into safe mode and go to C:\windows\temp folder and manually delete anything that windows will let you.

Do the same for this folder as well. C:\Documents and Settings\**username**\Local Settings\Temporary Internet Files and again manually delete anything Windows will let you. Do this for all users.

Regards Howard :)
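
Added example, not part of the posts above: the file names changed between the two rounds of alerts (win419.tmp.exe, then win8B7.tmp.exe and so on), so triage works better on the naming pattern and drop location than on exact names. This Python sketch parses alert lines in the format quoted in the thread, groups them by detection and location, and flags process names that imitate svchost.exe. The user name `alice`, the `win` + three hex digits pattern and the 0.75 similarity threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Alert text as quoted in the thread; "alice" is a constructed user name.
ALERTS = [
    r"Virus Detected! While opening file: C:\WINDOWS\Temp\win419.tmp.exe Trojan horse dialer.BZB",
    r"Virus detected! While opening file: C:\WINDOWS\Temp\win8B7.tmp.exe Trojan horse Generic.WUE",
    r"Virus detected! While opening file: C:\WINDOWS\Temp\win8CB.tmp.exe Trojan horse Dialer.BZB",
    r"Virus detected! While closing file: C:\Documents and Settings\alice\Local Settings"
    r"\Temporary Internet Files\Content.IE5\5NPSQ60D\bgates[2] Trojan horse Dialer.BZB",
]

ALERT_RE = re.compile(
    r"Virus detected! While (?:opening|closing) file: (?P<path>.+?) Trojan horse (?P<name>\S+)",
    re.IGNORECASE)
# Naming pattern inferred from the file names in the thread (an assumption, not a vendor signature).
DROPPER_RE = re.compile(r"win[0-9a-f]{3}\.tmp\.exe", re.IGNORECASE)

def location(path):
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "ie-cache"
    if p.startswith("c:\\windows\\temp\\"):
        return "windows-temp"
    return "other"

def summarize(lines):
    """Group detected file names by (detection name, drop location)."""
    groups = defaultdict(list)
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            path = m.group("path")
            key = (m.group("name").lower(), location(path))
            groups[key].append(path.rsplit("\\", 1)[-1])
    return dict(groups)

def matches_dropper_pattern(filename):
    return DROPPER_RE.fullmatch(filename) is not None

def is_lookalike(process, legit="svchost.exe", threshold=0.75):
    """True for names close to, but not equal to, a legitimate process name."""
    a, b = process.lower(), legit.lower()
    return a != b and SequenceMatcher(None, a, b).ratio() >= threshold
```
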
 