
File Bolenjx And Kus109.dat


4 replies to this topic

#1 Duduh_Brazil

Posted 19 January 2008 - 10:23 AM

Hi! I read here on the forum that somebody managed to remove that file with the HijackThis tool. But my problem is that I can't execute HJT; it doesn't work... I think that is the action of the virus.

These are the files that I found:

- \Windows\kus109.dat
- \Windows\bolenjx.exe
- \Windows\system32\bolenjx.exe

There is a key in the registry for the kus109.dat file:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

If I delete bolenjx.exe in \Windows\, then it appears in \Windows\system32\. On each boot, it appears in a different folder. I don't know what to do!!!

Does anybody know how to help me? Thanks (sorry for the grammar mistakes).
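The AppInit_DLLs value named in the post is a persistence mechanism, not just a stray reference: on Windows XP every DLL listed there is loaded by user32.dll into every process that loads user32.dll, which is nearly every GUI program, and the file extension is irrelevant (a .dat is loaded like any other DLL). HijackThis reports this value as its O20 entry. The script below is an added example, not code from the original post, that shows what the value points at and where each entry resolves on disk. It assumes Windows PowerShell 2.0 or later in an elevated prompt; the first registry path is the one given in the post, the Wow6432Node copy is the 32-bit view on 64-bit Windows, and the LoadAppInit_DLLs switch only exists on Vista and later.

```powershell
# Added example: inspect AppInit_DLLs persistence (not from the original post).
# Run from an elevated Windows PowerShell prompt (2.0 or later).

$keys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',              # path from the post
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on x64
)

function Resolve-AppInitEntry {
  param([string]$Entry)
  # Entries without a path are searched the way LoadLibrary does: system32 first, then %SystemRoot%.
  if ($Entry -match '[\\/]') {
    $candidates = @($Entry)
  } else {
    $candidates = @((Join-Path $env:SystemRoot "system32\$Entry"), (Join-Path $env:SystemRoot $Entry))
  }
  foreach ($c in $candidates) {
    $expanded = [Environment]::ExpandEnvironmentVariables($c)
    if (Test-Path -LiteralPath $expanded) { return (Get-Item -LiteralPath $expanded -Force) }
  }
  return $null
}

foreach ($key in $keys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  $raw   = [string]$props.AppInit_DLLs
  # LoadAppInit_DLLs (1 = on) exists on Vista and later; XP has no switch, the value is always honoured.
  if ($props.PSObject.Properties['LoadAppInit_DLLs']) { $load = $props.LoadAppInit_DLLs }
  else                                                 { $load = 'n/a (XP: always on)' }
  Write-Host "== $key"
  Write-Host "   LoadAppInit_DLLs: $load"
  Write-Host "   AppInit_DLLs    : '$raw'"
  if ([string]::IsNullOrEmpty($raw.Trim())) { continue }

  # The value is one string; entries are separated by spaces or commas.
  foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
    $file = Resolve-AppInitEntry $entry
    if ($null -eq $file) {
      Write-Host "   [!] $entry -> not found on disk (hidden by a rootkit, or already removed)"
      continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName   # OS DLLs can show NotSigned on XP (catalog-signed)
    $vi  = $file.VersionInfo
    Write-Host ("   [!] {0} -> {1}" -f $entry, $file.FullName)
    Write-Host ("       created {0:u}  size {1}  company '{2}'  signature {3}" -f `
      $file.CreationTime, $file.Length, $vi.CompanyName, $sig.Status)
  }
}

# Remediation, once every entry is confirmed malicious: clear the value (keep the key),
# then reboot BEFORE deleting or renaming the DLL, because it is mapped into running processes.
# Set-ItemProperty -Path $keys[0] -Name AppInit_DLLs -Value ''
```

An entry that resolves to nothing is as interesting as one that does: the post describes bolenjx.exe moving between folders on each boot, and a DLL that the registry references but the filesystem does not show is the classic sign of a rootkit filtering directory listings, which is why the later posts fall back to scanning from boot media.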


#2 Duduh_Brazil

Posted 19 January 2008 - 03:52 PM

I got it!!!

I used two tools: Trojan Remover and Rootkit Detective. Now there is no virus. Later I ran HJT. No virus in the log.

Edited by Duduh_Brazil, 19 January 2008 - 03:55 PM.


#3 boopme

Posted 19 January 2008 - 10:08 PM

Thank you for posting back with the solution. :thumbsup:

To prevent accidentally restoring the PC to that infected state, please create a NEW restore point.

Create a new Restore Point:
Go to Start > All Programs > Accessories > System Tools > System Restore
Then when Restore opens, select Create a new restore point and click Next
Give the restore point a name like "New and clean" > Click Create

Then delete old Restore points:
Go to Start > All Programs > Accessories > System Tools > Disk Cleanup > Click Ok.
Click the more options tab > notice System Restore > click clean up >Reboot
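The same two steps (purge the restore points that contain the infection, then lay down one clean point) without the dialogs, as an added example that is not part of the post above. It assumes an elevated Windows PowerShell 2.0 or later, that the system drive is the one in $env:SystemDrive, and it uses the SystemRestore WMI class in root\default that exists on XP and later. Note the ordering: disabling System Restore on a drive discards every point on it, including any you just created, so the clean point has to be created after the purge. The Disk Cleanup route in the post keeps the newest point; this route keeps none.

```powershell
# Added example: replace infected restore points with one clean point (not from the original post).
# Run elevated. Assumes Windows PowerShell 2.0+ and the system drive in $env:SystemDrive.
$drive = "$env:SystemDrive\"

# The SystemRestore class in root\default is what the System Restore and Disk Cleanup dialogs drive.
$sr = [wmiclass] '\\.\root\default:SystemRestore'

# 1. Purge every existing restore point. Disabling protection on the drive discards all of them,
#    which is why this step comes BEFORE creating the new point.
$rc = $sr.Disable($drive)
if ($rc.ReturnValue -ne 0) { throw "Disable failed with $($rc.ReturnValue)" }
$rc = $sr.Enable($drive, $true)          # second argument: wait until protection is back on
if ($rc.ReturnValue -ne 0) { throw "Enable failed with $($rc.ReturnValue)" }

# 2. Create the fresh known-clean point.
#    RestorePointType 12 = MODIFY_SETTINGS, EventType 100 = BEGIN_SYSTEM_CHANGE.
$rc = $sr.CreateRestorePoint('New and clean', 12, 100)
if ($rc.ReturnValue -ne 0) { throw "CreateRestorePoint failed with $($rc.ReturnValue)" }

# 3. Verify: only the new point should be listed.
Get-WmiObject -Namespace root\default -Class SystemRestore |
  Select-Object SequenceNumber, Description, CreationTime
```

On Vista and later the same point can be created with Checkpoint-Computer -Description 'New and clean', but Windows 8 and later refuse more than one restore point per 24 hours by default, so a failure there after a fresh install or a cleanup is expected rather than a sign that something is still wrong.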

#4 fred nurk

Posted 22 January 2008 - 10:27 AM

I've just killed off a very similar infection manually, and here's some additional information that might be of help:

Bolenjx is reported to have appeared just last week (Jan 18th, 2008), but curiously it turned up on a donated PC that had been dormant for around a year, appearing within minutes of the machine's connection to the net to obtain Windows updates (XP Pro). The PC was thoroughly compromised with prior malware (maybe why the donation) and my gut feeling is some of this stuff 'upgraded' itself to bolenjx. File datestamps suggest 9-March-2006 as the likely date of the earlier infection.

Couldn't launch any of the typical tools, although I didn't try too hard as the machine seemed so thoroughly compromised - eventually killed off by booting Ultimate Win Boot CD and manually inspecting the filesystem. Various attempts at scanning from the UWBCD boot didn't find anything, but I may have chosen some lame tools. I've generally had success with a boot-time scan from Avast to kill off any difficult nasties, and Avast appeared to install OK on the compromised Windows installation, but detected zip in the boot-time scan - clearly one of these vectors was active before Avast kicked in. Didn't try HJT - maybe this would have been smarter.

Had the same two files (bolenjx.exe and kus109.dat), but also:

c:\windows\system32\drivers\beep.sys - clearly the widget suppressing launch of antivirus tools - it contained a thorough list of AV exes.
c:\windows\system32\multikz.exe - (6kb) something related to bolenjx, always turned up with the same create/modification date as bolenjx.exe
There was also a tmp.reg or temp.reg, and a 0.log with exactly same timestamps as bolenjx in system32.
C:\WINNT\system32\wuauclt.exe deleted as suggested (no version info in header, so clearly suspect)

Other suspect files killed off - not totally certain they're all guilty:
c:\windows\system32\26179 - 393kb, and no file extension but clearly executable. mod date of 11-Jan-1999 and create date of 9-Mar-2006.
c:\windows\system32\grwinsthlp.exe - 17kb and from a google search possibly the nasty that installed bolenjx.
c:\windows\system32\csuninst.exe - 4kb - looks like an uninstaller, but has comet reg keys and no version header. Create/mod date 9-Mar-2006.
c:\windows\system32\waitwnd.exe - 85kb - could be a legit installation widget, but it looked like a compressed exe, and no version info in the header.
All of this stuff (including waitwnd.exe) had same creation date of 9-Mar-2006, and this date didn't appear across other system32 files.

Finally, not having any idea how early this thing was getting active, I did a FIXMBR off a Win boot/install disk. FIXMBR reported the MBR as damaged - I'm not familiar enough with this util to know if that's a reliable indicator.

Once this lot was cleared out I finally got Avast to launch along with Windows, and it's now doing a thorough scan with a current db. Can report results tomorrow if that's useful. Some of these files I've renamed rather than deleted (eg 26179 to 26179.vir) so may get more info.

I'm new to this site, so just ping me if this form of info isn't useful or posted in the wrong spot.

FN
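The manual triage in the post above rests on three observations that generalise well beyond this one infection: files dropped in a single session share a creation date that the rest of system32 does not, a packed dropper usually carries no version resource (and may have no extension at all, like the "26179" file), and a trojanised driver betrays itself by the strings it contains (the list of AV executable names in beep.sys). The script below is an added example, not the poster's own code, that runs those three checks over a live system. It assumes an elevated Windows PowerShell 2.0 or later, the system32 and drivers\beep.sys paths from the post, and a few thresholds chosen here (the eight smallest date clusters, strings of six or more printable characters).

```powershell
# Added example: three triage checks from the post, automated (not code from the post).
# Windows PowerShell 2.0+, elevated. Paths are the ones named in the thread.
$sys32 = Join-Path $env:SystemRoot 'system32'
$files = Get-ChildItem -LiteralPath $sys32 -Force -ErrorAction SilentlyContinue |
         Where-Object { -not $_.PSIsContainer }

# Decide "executable" by content, not extension: the post's "26179" had no extension at all.
function Test-IsPE {
  param([string]$Path)
  try {
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
      $b = New-Object byte[] 2
      $n = $fs.Read($b, 0, 2)
      return ($n -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)   # "MZ"
    } finally { $fs.Close() }
  } catch { return $false }
}

# 1. Creation-date clustering. The OS install and service packs form large groups; a drop
#    forms a small one on a day nothing else was written. Small clusters are leads, not proof:
#    hotfixes cluster too, and creation times can be forged with SetFileTime.
$byDay = $files | Group-Object { $_.CreationTime.ToString('yyyy-MM-dd') } | Sort-Object Count
Write-Host "Smallest creation-day clusters in $sys32 :"
$byDay | Select-Object -First 8 Count, Name | Format-Table -AutoSize | Out-Host

# 2. PE files with no version resource. Microsoft binaries in system32 carry CompanyName and
#    FileDescription; the post's droppers had "no version info in header". Some third-party
#    installer helpers are legitimately bare (the post's waitwnd.exe may be one), so verify hits.
$bare = foreach ($f in $files) {
  if (-not (Test-IsPE $f.FullName)) { continue }
  $vi = $f.VersionInfo
  if ([string]::IsNullOrEmpty($vi.CompanyName) -and [string]::IsNullOrEmpty($vi.FileDescription)) {
    New-Object PSObject -Property @{
      Name     = $f.Name
      KB       = [math]::Round($f.Length / 1KB)
      Created  = $f.CreationTime
      Modified = $f.LastWriteTime
      NoExt    = [string]::IsNullOrEmpty($f.Extension)
    }
  }
}
Write-Host "PE files in system32 without version info:"
$bare | Sort-Object Created | Format-Table Created, Modified, KB, NoExt, Name -AutoSize | Out-Host

# 3. Embedded strings in a driver. A genuine beep.sys is a few KB from Microsoft and names no
#    executables; the trojanised one in the post carried a list of AV .exe names.
function Get-AsciiStrings {
  param([string]$Path, [int]$MinLength = 6)
  $bytes = [System.IO.File]::ReadAllBytes($Path)
  # Latin-1 maps every byte to exactly one char, so the regex sees raw bytes
  # (ASCII decoding would turn bytes above 0x7F into '?', which is itself printable).
  $text = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
  [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") | ForEach-Object { $_.Value }
}
$beep = Join-Path $sys32 'drivers\beep.sys'
if (Test-Path -LiteralPath $beep) {
  $item = Get-Item -LiteralPath $beep -Force
  Write-Host ("beep.sys: {0} bytes, company '{1}'" -f $item.Length, $item.VersionInfo.CompanyName)
  $exeNames = Get-AsciiStrings $beep | Where-Object { $_ -match '\.exe$' } | Sort-Object -Unique
  if ($exeNames) {
    Write-Host "  [!] embedded .exe names (AV-killer signature):"
    $exeNames | ForEach-Object { Write-Host "    $_" }
  } else {
    Write-Host "  no embedded .exe names"
  }
}
```

Run it from boot media or a clean second OS where possible, as the poster did: a rootkit that filters directory listings on the live system hides the very files these checks look for. Renaming suspects with a marker extension (the post's 26179.vir) rather than deleting them keeps samples for later identification and is reversible if a legitimate file lands in the list; the one thing a rename does not undo is a driver that is already loaded, which needs a reboot.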

#5 quietman7

Posted 22 January 2008 - 12:24 PM

Welcome to BC fred nurk

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more people in the same thread with different problems. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.