Please help remove z-connect virus!

[Synthesis]

I've been battling my butt off for a few days now. Everytime I connect with a 3G dialup then open internet explorer a new connnection appears in network connections called "z-connect" (also ben seen as x-connect) then it disconnects my 3G connection.

I have scanned with Nod32, AVG, AVAST, Malwarebytes, Spywaredoctor and Combofix. All the latest versions and up to date. It's not working.
I can't track the process or even find the process as it doesnt appear in task-manager when it activates. It also seems to have a random filename.
Last thing I can tell you is it's spreading through USB drives. Every time I put my drive in it creates 2 hidden system folders: "Win" and "RE" and inside those folders are recycle bin icons with random files inside from the PC.

Please help me out if anyone knows of a tool or manual way to remove this thing.

[Anakha56]

Um Spybot S&D? Never heard of this thing before...

[rustypup]

sounds familiar... but... nope... never encountered it personally...

waledac.z?

check the reg for confirmation...

otherwise, have you run hijackthis?

[Synthesis]

I've run hijackthis and eliminated all standard processes. All thats basically running is explorer. The virus still activates itself when I connect and it doesnt open a new process to do it with. So I can't find the source.

Busy downloading Sybot S&S. maybe there's hope there...

[Anakha56]

Tried uninstalling IE?

[Synthesis]

I've used firefox and it does the same. But opening a browser just seems to speed it up. Just connecting and leaving it for a minutes stays connected then after a while it activates. Opening a browser activates the virus immediately. It's as if it's running on a schedule.

I've just infected my own PC with a flash disc on ADSL and although the network stays connected my network icon in the system tray gets a yellow exclamation and doesn't see the internet. It stays this way for a few minutes then comes right. This is on windows 7. It infects Vista the same and XP.

[doo_much]

Hope you find the solution. Have the same damn thing.

NOD32 didn't pick it up.

[rustypup]

NOD32 didn't pick it up.

have you opened a ticket?

[Synthesis]

doo_much, Here's a quick guide that seems to be working for me. no disconnection for the last hour. Virus is still active but at least I can browse: http://www.catonett.com/blog/archives/194

[doo_much]

NOD32 didn't pick it up.

have you opened a ticket?

Nope - in my case it is a mild irritation only. I've stuffed up the virus's connection so it never does.

doo_much, Here's a quick guide that seems to be working for me. no disconnection for the last hour. Virus is still active but at least I can browse: http://www.catonett.com/blog/archives/194

I'll have a look thanks.

*edit. I'm running XP Home

*edit again. Fix seems rather generic. Will do when I get home

[Synthesis]

Ok, it seems to be cleared. I ran PCtools Threatfire which picked up a file "lax.exe" hidden in a hidden/system folder "win" on the root of C:\
Ran unlocker to unlock all the used processes so that I could manually delete it. Under the root of each user of documents and settings there were also a few dodgy .exe files. Deleted those too.

Nothing jumps over to the flash disc anymore. Connection is stable and stays connected for the last 2 hours without problems.

Hopefully this is sorted, but I still got that "unfinished" feeling. It was too easy in the end to just delete an exe file. Where's the process or "schedule" that tells this exe file to run? Nothing in the registry is linked to any files I deleted. No AV scans these files as malicous. But hey, for now I conclude I have won.

[rustypup]

No AV scans these files as malicous.

please tell me you submitted it?

[Synthesis]

lol, yea. I submitted all the dodgy files to Eset and Avast. I don't thinkit's a new virus as I also have vague rcollection of coming across something similar before. I am just amazed how little I could find on google, and absolutely no positive fixes.

I did however see prevx had some good info and I was on the vurge of purchasing Prevx to sort this one out. Luckily I didn't have to. $15 for a 1 month license isn't justifiable to me. A once ff purchase would've been ok.

[abevege]

Hi, thanks for typing that fix

It would be nice if someone can find an antivirus software to clean it for those of us who aren't technical - I was searching for fix on google and found this page. I don't dare fool with registry key etc.

In Kenya (where i am) all the Safaricom customers are getting this virus (i got it 12 hours after connecting safaricom modem)

Safaricom shop didn't know how to kill the virus. They instructed me to take the following steps:

1) In network connections, change to z-connect.
In General settings change phone number to *99#

2) In browser -> Internet Options ->connections
choose z-connect
-> settings
user name: saf
password: data

Then i found it still didn't work until i dialed up through z-connect by double clicking on it in network connections.

Does anyone know what that does? I'm online but is it keylogging me and stealing my passwords? Or stealing all my credit? I have 1gb of credit at least still on my modem (2 days old, comes with 2gb on it)

note: Kaspersky couldn't catch it either. But then, Kaspersky is useless....

[abevege]

kaspersky didn't pick it up
running xp on a little hp mini, in kenya, safaricom customer - bought safaricom 3g modem 2 days ago. already infected.

thanks for posting fix. got an easy one for non technical people scared to touch registry?

In kenya, safaricom customers all getting it. Safaricom shop gave me following directions:

1) -> network connections -> z-connect -> general -> phone number *99#

2) open browser -> internet options -> connections -> pick z-connect
-> settings
user name: SAF
password: data

It still didn't work until I double clicked on z-connect in network settings and hit dial so it dialed that *99# number.

I don't know if it is stealing all my credit now i've connected through it
I don't know if it is keylogging me

I just know internet works now and i am too scared to play with registry key.

Does anybody know what it does if you connect through z-connect?

[Prime]

Ok, it seems to be cleared. I ran PCtools Threatfire which picked up a file "lax.exe" hidden in a hidden/system folder "win" on the root of C:\
Ran unlocker to unlock all the used processes so that I could manually delete it. Under the root of each user of documents and settings there were also a few dodgy .exe files. Deleted those too.

Nothing jumps over to the flash disc anymore. Connection is stable and stays connected for the last 2 hours without problems.

Hopefully this is sorted, but I still got that "unfinished" feeling. It was too easy in the end to just delete an exe file. Where's the process or "schedule" that tells this exe file to run? Nothing in the registry is linked to any files I deleted. No AV scans these files as malicous. But hey, for now I conclude I have won.

run a root kit revealer?

[qwiksilva666]

Guys! I work for Eset. Can someone please email me the "lax.exe" and any other Z-connect samples to support@eset.co.za so I can analyse them and get definitions made for you guys who run Eset
This is a really irritating infection and no-one seems to send us samples as most detections are signature based so there is not much we can do. Eset version 4 threatsense unfortunately doesnt detect its process as malicious so we need the samples.

Edit: sorry for thread semi-resurection