X-connect; Z-connect; i-connect dialer Malware

Essexman

Active Member
Joined
Aug 4, 2007
Messages
42
Feedback

As this has continued to run as a hot thread for more than 10 days now, I would be interested to know if there is any feedback on the subject.

As the originator of the thread, please remember that hijacking a thread is viewed as "unethical". I am sure that the moderators will take appropriate action in this regard. :D:D;)
 

Essexman

Active Member
Joined
Aug 4, 2007
Messages
42
Hi All

A-Squared free edition seems to remove the malware with a safe mode scan. Put heuristics on though. Before using this, use CCleaner to clean your temp folder.

I have had 6 clients with the infection, the 1st was over 2 months ago, and I have phoned him to see how things are going and he has no recurring issue with the malware.

Cheers

Thank you for your input ;)
 

Essexman

Active Member
Joined
Aug 4, 2007
Messages
42
LAX.exe, x-connect etc dialer malware update

The following script is for removal of the x-/z-/I-connect dialer malware. I have tested it and it removes the dialer.
The script contains a reference to a virtual drive, in this instance it's the "E" drive. You will need to do a registry scan for the lax.exe file to see what the designated drive is. Change the virtual drive letter in the script to correspond accordingly.
In this instance there are no other drives present other than A, C and D. Therefore it has defaulted to "E".
You will need to run the script in scanning software that has the ability to enter a custom script. I use a specific software that is specifically used in my business. I adhere to the forum's rules in not publicising or promoting software. If you run into difficulties in utilising the script, the only advice I can offer is that you e-mail me and I will point you in the right direction. If you read the script text you will find direction.
Script as follows:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(true);
DelCLSID('67KLN5J0-4OPM-00WE-AAX5-74CC2A323342');
DelCLSID('12LOP3S8-1VRX-81VS-JKL6-61OP5G7774441');
QuarantineFile('E:\WIN\DOWS\LAX.exe','');
QuarantineFile('C:\BIN\RECYCLE\Bin.exe','');
QuarantineFile('C:\WIN\DOWS\LAX.exe','');
DeleteFile('C:\WIN\DOWS\LAX.exe');
DeleteFile('C:\BIN\RECYCLE\Bin.exe');
DeleteFile('E:\WIN\DOWS\LAX.exe');
DeleteFile('E:\autorun.inf');
BC_ImportDeletedList;
ExecuteSysclean;
BC_Activate;
RebootWindows(true);
end.


Good luck;):)

Update:
You will have to do a registry scan for "LAX.exe" and take down the CLSID number it appears in. Then copy the previous original CLSID line completely and paste it into a new line in the script (after the previous CLSID line).
Highlight the copied CLSID no. and type in the one you wrote down. Copy this new ID and paste it over the highlighted duplicate in the same copied line.
Run the script in the custom script dashboard of a good AV toolkit.
The system should reboot automatically.
Then do a fresh search for LAX.exe. The CLSID may reappear in the reg editor name dashboard. Right click that CLSID and delete.
Exit regedit.
I have discovered that this malware is now generating its own fresh CLSID in new outbreaks.
Good luck!!
 

jplizzle

New Member
Joined
Mar 22, 2010
Messages
1
z-connect

Ok, I know this is an old thread so I don't know if anyone is still paying attention, but here goes... I had the z-connect issue... I deleted the connection through one of my browsers' internet options screen. Following that I tried searching for lax.exe in the registry and did not find it... Now although this should be good news, from previous posts I have read it is clear that a simple deletion does not work for this virus, so I'm nervous about what I should do from this point on... Any help will be appreciated.
 

jennan33

New Member
Joined
Apr 1, 2010
Messages
4
Same here

I can't get the frigging thing cleared off one of the laptops in my office, either.

Firstly I can't update A2 - won't find the network connection even though it's a LAN; UCT has some draconian measures in place to keep our bandwidth from being pilfered, but it makes this sort of thing very difficult. Eventually tried the command line scanner with deep mode on and heuristics as well and it came up clean.

ThreatFire came up clean as well.

Anyone else got ideas?

-Dale
UCT
 

rabbiddog

Expert Member
Joined
Dec 29, 2004
Messages
1,219
There is a new version out, not the lex.exe but as update.exe. In Kaspersky it comes up as:
trojan-downloader.win32.agent.dkkk
net-worm.win32.kido.ih

they reside in folders like this:
http://mybroadband.co.za/photos/showphoto.php?photo=15489&cat=500

I will check more tonight as I am dealing with it later tonight.

There are some work around options to get your connection up. On the laptop I had in two days ago we backed up the data and reloaded windows, and a new anti virus, and cleaned up the backup.

Edit-

It also infects the autorun.inf file on USB devices. The 2 I have dealt with were on 3G and Neotel.
 
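The two checks the thread keeps coming back to, a registry search for whatever CLSID currently references LAX.exe (or the newer update.exe) and a look at autorun.inf on USB sticks, as an added read-only triage script. This is not from any post in this thread and not the AV toolkit's own script; it assumes a Windows host with PowerShell, the file names come from the posts above, and the function names are my own. It reports, it does not delete, so the operator can decide what to quarantine afterwards.

```powershell
# Added example: read-only triage for the dialer symptoms described in this thread.
# Suspect file names are taken from the posts (LAX.exe, update.exe, Bin.exe);
# nothing here is removed, only reported.
param(
    [string[]]$SuspectNames = @('LAX.exe', 'update.exe', 'Bin.exe')
)

# 1. CLSID entries whose server path references a suspect file name.
#    Posters reported the dialer registering under a fresh CLSID on new
#    infections, so we match on the referenced file rather than a fixed GUID.
function Find-SuspectClsid {
    param([string[]]$Names)
    $hits = @()
    $root = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    foreach ($clsid in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $key = Join-Path $clsid.PSPath $sub
            if (-not (Test-Path $key)) { continue }
            $server = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            if (-not $server) { continue }
            foreach ($n in $Names) {
                if ($server -match [regex]::Escape($n)) {
                    $hits += [pscustomobject]@{
                        CLSID  = $clsid.PSChildName
                        Via    = $sub
                        Server = $server
                    }
                }
            }
        }
    }
    $hits
}

# 2. autorun.inf on removable drives: show the lines that would launch something
#    (open=, shellexecute=, shell\...\command=) and whether the file is hidden.
function Get-RemovableAutorun {
    $results = @()
    # DriveType 2 = removable disk
    $drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 }
    foreach ($d in $drives) {
        $inf = Join-Path $d.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        $lines  = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue
        $launch = $lines | Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
        $results += [pscustomobject]@{
            Drive      = $d.DeviceID
            Attributes = (Get-Item -LiteralPath $inf -Force).Attributes.ToString()
            Launch     = ($launch -join '; ')
        }
    }
    $results
}

Write-Host "CLSID entries referencing suspect file names:"
Find-SuspectClsid -Names $SuspectNames | Format-Table -AutoSize
Write-Host "autorun.inf found on removable drives:"
Get-RemovableAutorun | Format-Table -AutoSize
```

Run it from an elevated PowerShell with the USB stick plugged in; the CLSID column is the value you would carry over into a DelCLSID line of the removal script, and a hidden autorun.inf whose open= line points at an .exe on the stick is the USB spread path rabbiddog mentions.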

jennan33

New Member
Joined
Apr 1, 2010
Messages
4
Winner!

Yeah, turns out we had the Update version as well. One of our post-docs suggested the Russian antivirus, which killed it stone dead on the first go, as well as finding a couple of other things hiding in there. So for now we're clean, thank goodness.

-Dale
 

rabbiddog

Expert Member
Joined
Dec 29, 2004
Messages
1,219
Glad to hear.

You should post which antivirus you used. It will help others who get this new version.
 

antonbest

New Member
Joined
May 4, 2010
Messages
1
Hi, I have used Kaspersky but am not sure if it has been removed.
Please forward a patch to completely remove it.
Thanks
Regards
 