X-connect; Z-connect; i-connect dialer Malware

Essexman (Active Member; joined Aug 4, 2007; 42 messages)
Hi All,

Just a quick hello. Thought I'd call in about the 'Dialer Virus' in the title that's kicking out connections in SA at the moment. (This will also give a 631 error code on 3G.)

If you check your Network Connections panel and the malware is present, you will have an extra network connection that does not make sense to you. This is the malware that hijacks your connection and kicks your default dialer off.

I have researched this one and it seems there is not a ready solution available, as it has even broached M-Web's server. If any of you are experiencing problems completely deleting this dialer malware, let me know, as I have the script to remove it (it has the remarkable ability to regenerate, even when attacked for deletion in the registry).
Its modus operandi leaves a file called aaw2.exe (or variants) in the documents root, and it regenerates even if System Restore is deactivated.

Most infectees have just disabled it by pulling its arms and legs off, but its presence can be annoying.

If I am mistaken about its abundance, then little response will validate a removal of this thread. In the meantime, this contribution may well be of help to those who are experiencing extreme frustration.

Cheers
 
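The "extra network connection that does not make sense to you" lives in the Windows RAS phonebook, so it can be enumerated without trusting the Network Connections UI (which, as a later post notes, the dialer's entry did not even show in the tray). The following script is an added example, not code from this thread or from its author; it lists every phonebook entry and flags those not on an allow-list you maintain, plus any modem dial-up entry with an empty or all-zero number (the thread reports the rogue entry dialing "000"). The phonebook paths and the `$KnownConnections` names are assumptions to adjust for your machine.

```powershell
# Added example (not from the thread): list every RAS phonebook entry and flag
# unexpected ones. Works on XP (PowerShell 2.0) and later.

$KnownConnections = @('My ADSL', 'VMC Lite')   # ASSUMPTION: replace with the entries you created

# Phonebook locations differ by Windows version; null env vars are skipped.
$candidates = @(
    @{ Base = $env:ALLUSERSPROFILE; Rel = 'Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk' }  # XP / 2003
    @{ Base = $env:ProgramData;     Rel = 'Microsoft\Network\Connections\Pbk\rasphone.pbk' }                   # Vista and later
    @{ Base = $env:APPDATA;         Rel = 'Microsoft\Network\Connections\Pbk\rasphone.pbk' }                   # per-user
)
$phonebooks = foreach ($c in $candidates) {
    if ($c.Base) {
        $p = Join-Path $c.Base $c.Rel
        if (Test-Path -LiteralPath $p) { $p }
    }
}

function Get-PbkEntries([string]$Path) {
    # rasphone.pbk is INI-style: one [Entry Name] section per connection with
    # key=value lines. Type=1 is a modem dial-up entry (RASET_Phone). PhoneNumber
    # may repeat for alternate numbers, so only the first is kept. Keys are
    # compared case-sensitively because 'DEVICE=modem' and 'Device=<name>' both occur.
    $entries = @()
    $cur = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(.+)\]\s*$') {
            if ($cur) { $entries += New-Object PSObject -Property $cur }
            $cur = @{ Name = $Matches[1]; Phonebook = $Path; Type = ''; Device = ''; PhoneNumber = '' }
        }
        elseif ($cur -and $line -match '^(\w+)=(.*)$') {
            $k = $Matches[1]; $v = $Matches[2]
            if     ($k -ceq 'Type'        -and -not $cur.Type)        { $cur.Type = $v }
            elseif ($k -ceq 'Device'      -and -not $cur.Device)      { $cur.Device = $v }
            elseif ($k -ceq 'PhoneNumber' -and -not $cur.PhoneNumber) { $cur.PhoneNumber = $v }
        }
    }
    if ($cur) { $entries += New-Object PSObject -Property $cur }
    $entries
}

$report = foreach ($pbk in $phonebooks) {
    foreach ($e in Get-PbkEntries $pbk) {
        $reason = @()
        if ($KnownConnections -notcontains $e.Name) { $reason += 'not on allow-list' }
        # a dial-up entry whose number is empty or all zeros is the pattern described in the thread
        if ($e.Type -eq '1' -and $e.PhoneNumber -match '^0*$') { $reason += 'dial-up with empty/all-zero number' }
        Add-Member -InputObject $e -MemberType NoteProperty -Name Suspicious -Value ($reason -join '; ')
        $e
    }
}

$report | Sort-Object Suspicious -Descending |
    Format-Table Name, Type, PhoneNumber, Device, Suspicious, Phonebook -AutoSize
```

Run `rasdial` with no arguments alongside this to see which entry is currently connected; if the active entry is one the script flags, that is the hijack the first post describes. Note that the allow-list check is only as good as the names you put in `$KnownConnections`.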

Smoothman (New Member; joined Aug 31, 2009; 3 messages)
Having the same problem on my 3G connection; however, I have noticed extremely high upload rates. I have also looked around for a fix for the dial-up and found that by changing the phone number of the Z-connect to that of the VMC Lite connection I no longer have the dropped connections. This, however, has not resolved the high upload rate, which is a major concern.
 

Essexman (Active Member; joined Aug 4, 2007; 42 messages)
> Having the same problem on my 3G connection; however, I have noticed extremely high upload rates. I have also looked around for a fix for the dial-up and found that by changing the phone number of the Z-connect to that of the VMC Lite connection I no longer have the dropped connections. This, however, has not resolved the high upload rate, which is a major concern.

This certainly sounds like some malware. The upload is reducing available bandwidth for your personal usage, using a portion of the total bandwidth to get up to its clandestine activities.

If you're using XP, search for the CLSID in regedit (Edit > Find):
"12LOP3S8" (the string is longer, but there are no other strings starting like this).
Obviously it will first return a hit from the 'regedit' key itself; ignore this and choose Find Next.

If it returns a hit of "12LOP3S8...." it will contain a "LAX.exe" reference.

This will confirm an infection with this malware.

Deletion of this CLSID will not work, as it regenerates.
NOTE: remember, work in the Registry is like brain surgery. Take care and be sensible. It does not hurt to look, but don't play around with the "knobs & switches" LOL
>>E=MC2<<
====================
 
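The regedit Find described above works for one known string. The following is an added example, not code from the thread or its author, that generalises the same check: it walks every subkey of HKCR\CLSID and reports COM server registrations (InprocServer32, LocalServer32, InprocHandler32) whose server binary has a suspect name, no longer exists on disk, or lives outside the Windows and Program Files trees. It also flags CLSID subkeys whose names are not well-formed GUIDs: COM can never instantiate such a key, which makes it a convenient place for malware to park a path or config value (the strings quoted in this thread are not GUID-shaped). `LAX.exe` is taken from the post; everything else is a generic assumption. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): audit HKCR\CLSID for suspicious COM server registrations.

function Get-ServerPath([string]$Value) {
    # A server value looks like  "C:\dir\x.exe" /Automation   or  C:\dir\x.dll   or just  ole32.dll
    $expanded = [Environment]::ExpandEnvironmentVariables($Value)
    $path = if ($expanded -match '^\s*"([^"]+)"') { $Matches[1] }
            elseif ($expanded -match '^\s*(\S+)') { $Matches[1] }
            else { $expanded }
    # bare file names resolve through the system search path; treat them as System32
    if (-not (Split-Path -Parent $path)) { $path = Join-Path $env:SystemRoot "System32\$path" }
    $path
}

function Find-SuspectClsid {
    param(
        [string[]]$SuspectNames = @('LAX.exe'),   # name from the thread; add others as needed
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles)
    )
    $roots = $TrustedRoots | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    $guidShape = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    $clsidRoot = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey('CLSID')

    foreach ($name in $clsidRoot.GetSubKeyNames()) {
        # COM only ever looks up {GUID}-shaped keys; anything else under CLSID is not a real class
        if ($name -notmatch $guidShape) {
            New-Object PSObject -Property @{ CLSID = $name; Server = ''; Path = ''; Reason = 'subkey name is not a GUID' }
        }
        $key = $clsidRoot.OpenSubKey($name)
        if (-not $key) { continue }
        foreach ($sub in 'InprocServer32', 'LocalServer32', 'InprocHandler32') {
            $srv = $key.OpenSubKey($sub)
            if (-not $srv) { continue }
            $raw = [string]$srv.GetValue('')   # the (Default) value holds the server path
            $srv.Close()
            if (-not $raw) { continue }
            $path = Get-ServerPath $raw
            $leaf = Split-Path -Leaf $path
            $reason = $null
            if ($SuspectNames -contains $leaf) { $reason = 'suspect file name' }
            elseif (-not (Test-Path -LiteralPath $path)) { $reason = 'server file missing' }
            elseif (-not ($roots | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })) {
                $reason = 'outside trusted roots'
            }
            if ($reason) {
                New-Object PSObject -Property @{ CLSID = $name; Server = $sub; Path = $path; Reason = $reason }
            }
        }
        $key.Close()
    }
    $clsidRoot.Close()
}

Find-SuspectClsid | Sort-Object Reason, Path | Format-Table Reason, CLSID, Server, Path -AutoSize
```

Expect legitimate third-party software installed outside Program Files to appear under 'outside trusted roots'; the output is a review list, not a delete list, which matches the post's own warning about the registry. A 'suspect file name' or 'subkey name is not a GUID' hit is the one worth investigating first.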

Fafa (Expert Member; joined Nov 9, 2008; 3,097 messages)
Hello

I am infected with this and I just deleted the .exe files. Now my internet works, but I'm fairly sure the virus is just dormant somewhere. Please tell me how to remove it completely. Also, I cannot find the string in my registry.
 

Essexman (Active Member; joined Aug 4, 2007; 42 messages)
> Hello
>
> I am infected with this and I just deleted the .exe files. Now my internet works, but I'm fairly sure the virus is just dormant somewhere. Please tell me how to remove it completely. Also, I cannot find the string in my registry.

You mention that you have deleted the ".exe" files. Could you be specific and tell me what the names of these files are/were?
Secondly, you say you believe you were infected. What were the symptoms that made you believe this? I.e., what was happening/not happening? What investigations did you do to arrive at an action to take?
:)
 

Fafa (Expert Member; joined Nov 9, 2008; 3,097 messages)
Hmm... I was afraid I would need to write a full post :)

Full story: On Sunday night I came home, turned on my machine and attempted to connect to the internet. I was connected for about a minute and then it disconnected me. I use PPPoE to dial my ADSL. When trying to reconnect I noticed I now had a z-connect connection, and I noticed it tries to dial a 000 number. After numerous restarts and googling on another machine that night, I gave up trying to delete it. I deleted the z-connect connection and renamed my original ADSL connection to z-connect. This worked well because the virus wasn't able to kill itself. I knew, though, that it wasn't "solved" and was only a workaround, because the connection would be hidden and it doesn't even go to the system tray. So on Sunday night my internet worked again.

Monday I was too busy to touch my PC :). On Tuesday I saw I had 2 hidden folders on my C: drive (can't remember the names) which were not supposed to be there. Trying to delete them just gave errors. Then I contemplated formatting, but realised that it would be more effort, so I gave up on that idea. I left the issue again till Wednesday, when I noticed I now had 3 hidden folders. So now I decided to give it more attention.

Throughout this I noticed that when I rebooted, during boot-up my explorer.exe would "crash" and a script would come up and load a file called d3g.exe (or something similar; not sure if it was a 3 in the middle, but it was something like this :< I know it doesn't help at all that I can't remember the right name). So my explorer.exe would basically be a trojan running in the background. I hunted down the file to be in one of the hidden folders on my machine. (Oh yeah, the file had an icon which looked like this: (o), with the ( ) being black and the o being red :) Like a spaceship.) So now I decided I needed to get rid of this. I downloaded a file unlocker program to delete the files, as they were running and could not be deleted. I then deleted them.

I also had some files in Documents and Settings\ which had the same icon, so I deleted them :) Then I found out that the virus was being replicated onto my flash drives and memory cards, so I deleted it from there. After deleting everything I rebooted and my machine was working, as in explorer.exe didn't crash and I could dial any connection again.

OK, that was the full story, even though it reads like a storybook :>
 

Fafa (Expert Member; joined Nov 9, 2008; 3,097 messages)
I found the trojan on one of my flash drives :)
Filenames: c:\nnitedn\lodgi\nintend.exe
C:\ATARIOC\MARIO\Bienven.exe
C:\VIDI\*something*\DRG.exe
 

Essexman (Active Member; joined Aug 4, 2007; 42 messages)
> I found the trojan on one of my flash drives :)
> Filenames: c:\nnitedn\lodgi\nintend.exe
> C:\ATARIOC\MARIO\Bienven.exe
> C:\VIDI\*something*\DRG.exe

Ok, your previous posting definitely indicates the Z & X dialer malware. As you say you've disabled it, I would say you've injured it and pulled its arms and legs off... :D:D:D
I'm gonna close off for tonight, but if you PM me I can give you directions and steer you through a clean-up.

The solution I'll give you will enable you to keep all your drives clean 99% of the time.

Incidentally, the malware in your last posting is obviously something you've picked up from someone else's infected system. We'll kill that off at the same time LOL.
 

chrisjunker (New Member; joined Sep 3, 2009; 1 message)
Same thing

OK, here I've been waiting forever to fix this. I got the x-connect virus about two weeks ago, messed with it somewhat and was able to go on the net again; then yesterday I got the z-connect virus. I can't do anything, changing the options does nothing; this is the VIRUS, I'm 100% sure.
Every time I delete it and the random files it creates in my system, such as b4q9g15r2 and w71y5.

The only way I'm able to type this is because I took the dude's advice above and changed my connection name to z-connect.
Shot guys, please help, I can't take this crap! :mad:
 

Fafa (Expert Member; joined Nov 9, 2008; 3,097 messages)
Hey Essexman.

I don't mind PMing you about this, but could you rather post here on the forum? This could help other people with the same issue.
 

Essexman (Active Member; joined Aug 4, 2007; 42 messages)
> Hey Essexman.
>
> I don't mind PMing you about this, but could you rather post here on the forum? This could help other people with the same issue.

Ok, I hear what you are saying. The reasoning behind a PM is that it may well be that those that post on the forum have variations or even something totally different affecting their system. In this respect one may compare a quack doctor giving a medicine with the magical abilities of fixing all ailments.

The software and script that I would make available to you has the potential of making your computer inoperable. So like a good doctor, I would diagnose your problem and give you the correct medication and application of such... LOL

Free goodies by way of "HTTP// press button and cure all ills.com" don't ring true with me, either by inadvertently promoting or endorsing products/procedures. BUT I do believe that if I have discovered and solved something, I should SHARE it with others.

Email or PM me your e-mail address and I will forward about 5.5 MB of software for you to solve your problem, but I need to ask you some further questions about your OS first. The software is good, legit and freeware.

PS I am totally positive about forum members posting their symptoms because THAT enables others to identify whether they are in the right queue for the "right doctor and medicine" ;)

I'll attend this post for about another week. If the response is small, then I would conclude that the infection is under control and being handled by conventional AV software.
 

Essexman (Active Member; joined Aug 4, 2007; 42 messages)
> OK, here I've been waiting forever to fix this. I got the x-connect virus about two weeks ago, messed with it somewhat and was able to go on the net again; then yesterday I got the z-connect virus. I can't do anything, changing the options does nothing; this is the VIRUS, I'm 100% sure.
> Every time I delete it and the random files it creates in my system, such as b4q9g15r2 and w71y5.
>
> The only way I'm able to type this is because I took the dude's advice above and changed my connection name to z-connect.
> Shot guys, please help, I can't take this crap! :mad:

Read my response above/below to Fafa and send me a PM with your email address so I can steer you through the process. You'll need a working OS to put the software onto a FS or CD (a non-rewritable CD is preferable as a secure medium) :cool:

UPDATE, 9th September:
At this time there have been almost 750 visits on this topic.
I will therefore post the relevant script and guidelines within the next 10 days, business/private time willing :)
 

Essexman (Active Member; joined Aug 4, 2007; 42 messages)
Script for X-connect... removal

The following script is for removal of the x-/z-/i-connect dialer malware. I have tested it and it removes the dialer.
The script contains a reference to a virtual drive; in this instance it's the "E" drive. You will need to do a registry scan for the lax.exe file to see what the designated drive is. Change the virtual drive letter in the script to correspond accordingly.
In this instance there are no other drives present other than A, C and D. Therefore it has defaulted to "E".
You will need to run the script in scanning software that has the ability to enter custom script. I use a specific software that is specifically used in my business. I adhere to the forums rules in not publicising or promoting software. If you run into difficulties in utilising the script, the only advice I can offer is you e-mail me and I will point you in the right direction. If you read the script text you will find direction.
Script as follows:
begin
  SearchRootkit(true, true);
  SetAVZGuardStatus(true);
  // remove the two CLSID keys the dialer registers
  DelCLSID('67KLN5J0-4OPM-00WE-AAX5-74CC2A323342');
  DelCLSID('12LOP3S8-1VRX-81VS-JKL6-61OP5G7774441');
  // quarantine copies of the binaries before deleting them
  QuarantineFile('E:\WIN\DOWS\LAX.exe','');
  QuarantineFile('C:\BIN\RECYCLE\Bin.exe','');
  QuarantineFile('C:\WIN\DOWS\LAX.exe','');
  DeleteFile('C:\WIN\DOWS\LAX.exe');
  DeleteFile('C:\BIN\RECYCLE\Bin.exe');
  // E: is the virtual drive in this instance; change the letter to match your system
  DeleteFile('E:\WIN\DOWS\LAX.exe');
  DeleteFile('E:\autorun.inf');
  BC_ImportDeletedList;
  ExecuteSysclean;
  BC_Activate;
  RebootWindows(true);
end.


Good luck;):)
 

wishblade (Senior Member; joined Jan 14, 2009; 635 messages)
So in all of this time, has anyone bothered to actually run an AV against it?
Oh, so you did...
Did you run a rootkit scan on your machine?
You did... Good.
Still didn't help? Did you send the AV company a sample, so that they may be able to include detection for the thing? And that's the part that doesn't appear to have been done...

Effectively, if you are sure that you have removed the virus on the system, then why would it come back? A number of reasons:
1. You have another machine/drive/whatever infected, and your machine is being reinfected.
2. You haven't removed everything - hidden files are one thing, but super hidden files/folders, files in system32 or driver folders, system restore, etc, may all be working against you, and you have left something behind.
3. The virus is memory resident, meaning that although you scan your machine and remove its files, you are leaving the memory-resident components behind, since your scanning is not picking them up. Oops, the malware now decides to spread/check for specific mutexes, etc., and redrops itself...
4. There is something else on your machine as well, which drops this specific malware.

Those are the common types...
 
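Two of the reinfection sources listed above, another infected drive and a leftover hidden component, are exactly what Fafa described (the dropper copying itself to flash drives and memory cards) and what the removal script's `DeleteFile('E:\autorun.inf')` line targets. The script below is an added example, not code from the thread or from any poster: for every removable drive it reads autorun.inf, resolves the executable that `open=`, `shellexecute=` or a hijacked `shell\<verb>\command=` line would launch, and records that file's attributes (Hidden+System is the usual camouflage) and its SHA-1, which is what you attach when submitting a sample to your AV vendor as suggested. It assumes Windows PowerShell with WMI available; which drives it finds depends on what is plugged in.

```powershell
# Added example (not from the thread): find autorun.inf on removable drives,
# resolve the launched executable, and hash it for vendor submission.

function Get-FileSha1([string]$Path) {
    $sha = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Close() }
}

function Get-AutorunTargets([string]$Root) {
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }
    # -Force reads the file even when it carries the Hidden/System attributes
    $infItem = Get-Item -LiteralPath $inf -Force
    foreach ($line in Get-Content -LiteralPath $inf -Force) {
        # keys that cause code execution: open=, shellexecute=, shell\<verb>\command=
        if ($line -match '^\s*(open|shellexecute|shell\\[^=\s]*\\command)\s*=\s*(.+?)\s*$') {
            $key = $Matches[1]
            $cmd = $Matches[2]
            # strip quotes and any arguments to isolate the executable
            $exe  = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $full = if ([System.IO.Path]::IsPathRooted($exe)) { $exe } else { Join-Path $Root $exe }
            $item = if (Test-Path -LiteralPath $full) { Get-Item -LiteralPath $full -Force } else { $null }
            New-Object PSObject -Property @{
                Drive      = $Root
                InfAttribs = $infItem.Attributes.ToString()
                Key        = $key
                Target     = $full
                Exists     = [bool]$item
                Attribs    = if ($item) { $item.Attributes.ToString() } else { '' }
                SHA1       = if ($item) { Get-FileSha1 $full } else { '' }
            }
        }
    }
}

# DriveType 2 = removable (USB sticks, card readers). Add 3 to include fixed
# partitions if you suspect one of them (the thread's 'E:') has been seeded too.
$roots = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object { $_.DeviceID + '\' }
$findings = foreach ($r in $roots) { Get-AutorunTargets $r }
if ($findings) { $findings | Format-List Drive, Key, Target, Exists, Attribs, SHA1, InfAttribs }
else { 'No autorun.inf found on removable drives.' }
```

A target that exists but is hidden and system-flagged, with a name like the ones quoted earlier in the thread, is the sample to quarantine and submit; a target that is missing means the drive was only partly cleaned and the autorun.inf itself is still live. Hold Shift while inserting a drive (or disable autorun by policy) before running this, so that inspecting the stick does not execute it.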

souljazk (Member; joined Sep 11, 2009; 20 messages)
Hi All

A Squared free edition seems to remove the malware with a safe-mode scan. Put heuristics on, though. Before using this, use CCleaner to clean your temp folder.

I have had 6 clients with the infection, the 1st was over 2 months ago, and I have phoned him to see how things are going and he has no recurring issue with the malware.

Cheers
 

Essexman (Active Member; joined Aug 4, 2007; 42 messages)
> So in all of this time, has anyone bothered to actually run an AV against it?
> Oh, so you did...
> Did you run a rootkit scan on your machine?
> You did... Good.
> Still didn't help? Did you send the AV company a sample, so that they may be able to include detection for the thing? And that's the part that doesn't appear to have been done...
>
> Effectively, if you are sure that you have removed the virus on the system, then why would it come back? A number of reasons:
> 1. You have another machine/drive/whatever infected, and your machine is being reinfected.
> 2. You haven't removed everything - hidden files are one thing, but super hidden files/folders, files in system32 or driver folders, system restore, etc, may all be working against you, and you have left something behind.
> 3. The virus is memory resident, meaning that although you scan your machine and remove its files, you are leaving the memory-resident components behind, since your scanning is not picking them up. Oops, the malware now decides to spread/check for specific mutexes, etc., and redrops itself...
> 4. There is something else on your machine as well, which drops this specific malware.
>
> Those are the common types...

Ok... spot on :D

Unfortunately, humans being humans like quick fixes, and don't like waiting.
From my side, LOL, I did find the malware annoying, and I walk in my customers' shoes to get the best feel for what they want... and in this case, what they don't want.

It was interesting to leave it for a week and see the callers come and go. 2 stopped to take time out, the others were probably looking for the quick fix. And as I said nought wrong wid dat.

MY angle was to see the numbers, and as a well seasoned gatherer of info from all walks of life, it interested me to see what came up.

No doubt I'll garner some contributions on this thread, and I hope that whatever comes up will be of benefit to other callers who drop by.

Kudos to those who deserve them. After all, most malware, viruses etc. are created by people who seek recognition, have a complex or are just looking to sell the antidote LOL.
Catch-ya
E=MC2
===============
 

Essexman (Active Member; joined Aug 4, 2007; 42 messages)
> Hi All
>
> A Squared free edition seems to remove the malware with a safe-mode scan. Put heuristics on, though. Before using this, use CCleaner to clean your temp folder.
>
> I have had 6 clients with the infection, the 1st was over 2 months ago, and I have phoned him to see how things are going and he has no recurring issue with the malware.
>
> Cheers

100% here 2. There is the AV ware out there as well as the procedures to solve da problemo. Proper use of AV ware with all the bells and whistles will do the job I'm sure.
From my angle, I like to know what's under the hood when I drive it. So when a problem arises I can pull da spanners and tweak it right. LOL

It's called survival, and I love the challenge. To everyone... whatever rocks ya boat. Good-on-yer. :cool:
 

wishblade (Senior Member; joined Jan 14, 2009; 635 messages)
I hear what you say. It just puzzles me that some people would rather struggle for weeks trying to look for some script/fix that works, rather than submitting the sample to their AV vendor for analysis and detection... I work with AV so know the types....

Anyway, just a quick point on the below: malware these days is written for financial gain (for selling the botnets to whoever wants specific info, to dump their own malware, etc) - gone are the days of seeking recognition... :p

> After all, most malware, viruses etc. are created by people who seek recognition, have a complex or are just looking to sell the antidote
 

Essexman (Active Member; joined Aug 4, 2007; 42 messages)
> I hear what you say. It just puzzles me that some people would rather struggle for weeks trying to look for some script/fix that works, rather than submitting the sample to their AV vendor for analysis and detection... :p

Something to do with the male psyche... not asking for directions when lost??? LOL.
There's definitely something in discovering an answer and knowing your effort was the reason. - again a human nature thingy. :rolleyes:
 

sqa (New Member; joined Sep 4, 2009; 2 messages)
z-connect / ras 631 error on 3G connection - Solution

Hi,

I found a solution for this z-connect/RAS 631 error that is causing the 3G connection to terminate after a few seconds.

Please contact me at SQA@iburst.co.za if you are interested in the solution.

Regards

SQA
 