Removal Of Trojan horse Dialer; File _T.EXE

Discussion in 'malware problems & news' started by Doc77, Dec 2, 2004.

Thread Status:
Not open for further replies.
  1. Doc77

    Doc77 Guest

    My AVG detected a Trojan horse Dialer in C:\WINDOWS\SYSTEM _T.EXE through its Residential Shield but could not pick up the Trojan during the actual scan. I used Safe Mode in order to assist with removing the Trojan Horse Dialer. While in Safe Mode I ran my Ad-Aware software and it picked up 2 Dialers named TIB Browser. I deleted them. Also while in Safe Mode I manually deleted a file that I was suspicious of. This file was named tibs3.exe, which was located in C:\WINDOWS\SYSTEM. After deleting tibs3.exe by sending it to my Recycle Bin, I restarted my computer and logged on to the internet, and the repeated warnings that I kept getting from my AVG about the Trojan Horse Dialer stopped. I then restored the deleted tibs3.exe file back to the System File and the AVG warnings started again. I went back into Safe Mode and deleted it again, and the AVG warnings went away again.

    Two (2) things made me suspicious of this file: a. it had a very new date of creation to it which was right about the time I picked up the Trojan horse Dialer, and b. the tibs3.exe file, which I had never heard of before, had the same initials as the Dialer named TIB Browser which was picked up and deleted by Ad-Aware. If I restore the tibs3.exe file from my Recycle Bin back to the System File on my computer, and reboot, the very 2 Dialers that my Ad-Aware software picked up for removal reappear, and I have to scan with Ad-Aware again to remove them again. With the tibs3.exe file deleted and in the Recycle Bin, I don't have to delete those 2 Dialers again. Before I delete this file permanently, has anyone ever seen or heard of an .exe file named tibs3?

    Also, there are 2 other files which are located in my System32 file, and they are named runsrv32.dll, an Application Extension type file, and runsrv32.exe, an Application file. Both of these files have very recent creation dates on them which are exactly the same as the dates on the tibs3.exe file. Does anyone recognize these 2 Application Files?

    I am not in the habit of just deleting files arbitrarily so I need some other source who does recognize these files as Windows Files or Trojans. Also, why does the file as noted on the repeated AVG Residential Shield warnings say _T.EXE when the file that looks like it's the culprit is tibs3.exe? I have Windows 98SE and Internet Explorer 6.0. I would appreciate any assistance. Thank You.
     
  2. Meltdown

    Meltdown Registered Member

    Joined: Sep 17, 2004 · Posts: 299 · Location: Babylon
    Looks like you've got a couple of infections there. Click here to find out more about your trojan. And the other two files you mention come from this. It looks like your best bet would be to follow the comprehensive clean-up instructions here - the fix for ME should work for Win98. Good luck and post again if you're still having problems :)
     
  3. Doc77

    Doc77 Guest

    I did basically everything mentioned on the thread regarding How To Clean Up Your Computer. I did the Hijackthis, CWshredder, Spybot, Ad-Aware SE, Trojan Remover, the DOS edition of F-Prot as my secondary source of security, and of course my main source of security, the AVG 7.0. The only thing that detected this Trojan in the beginning was the AVG, and the only thing that helped remove most if not all of the malicious parasites was Ad-Aware -in Safe Mode- which is something I plan on keeping around for regular use as it has been invaluable. Without Ad-Aware I would still probably have the hijacking homepage www.makemesearch.com and the toolbar attachment to my Internet Explorer that came along with it. I now have the runsrv32.dll file and the runsrv32.exe file in my Recycle Bin for permanent deletion. So, delete or not delete? Also, why did my AVG recognize the suspicious file as _T.EXE when it was the tibs3.exe that was causing the problem? Thanks again.
     
  4. Meltdown

    Meltdown Registered Member

    Joined: Sep 17, 2004 · Posts: 299 · Location: Babylon
    Hi. On the _T.EXE and tibs3.exe stuff, if you follow the first link I gave above and click on the 'Description' tab, it says
    So it looks like AVG only had a signature for the dialler, not the trojan itself. On runsrv32.dll and runsrv32.exe, this malware:
    So I'd delete them. If you're worried they may be essential system files, you could always save them on a floppy before deleting from your hard disk - doesn't hurt to be cautious :) You could also try running them through Jotti for independent confirmation.
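    An added example, not code posted by anyone in this thread, that automates the two checks discussed above: Doc77's observation in post #1 that runsrv32.dll and runsrv32.exe carried exactly the same creation timestamp as tibs3.exe, and Meltdown's suggestion here to get independent confirmation from a multi-engine scanner such as Jotti. The script walks a directory tree, lists every file whose timestamp falls within a window of a known-suspect "seed" file, and reports a SHA-256 digest for each so it can be looked up or submitted without uploading the file. The directory layout, file names and contents are constructed sample data; it compares modification time because the sample can set that portably, whereas on a real Windows system you would compare creation time (`st_ctime`, or `st_birthtime` on newer Pythons) as Doc77 did.

```python
"""Find files "born" together with a known-suspect file and hash them.

Added example, not from the forum thread. The tree built by build_sample_tree()
is constructed stand-in data: the "infection set" shares one recent timestamp,
the legitimate-looking file is over a year older.
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    timestamp: float
    sha256: str
    delta_seconds: float  # this file's timestamp minus the seed's


def sha256_of(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def file_timestamp(path):
    # Modification time is used here because os.utime() can set it on every
    # platform, which keeps the sample deterministic. On a live Windows host,
    # compare creation time instead: os.stat(path).st_ctime.
    return os.stat(path).st_mtime


def find_coeval_files(root, seed, window_seconds=600):
    """Return files under root whose timestamp is within window_seconds of seed."""
    seed_ts = file_timestamp(seed)
    seed_abs = os.path.abspath(seed)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.abspath(p) == seed_abs:
                continue  # the seed is the reference, not a finding
            ts = file_timestamp(p)
            delta = ts - seed_ts
            if abs(delta) <= window_seconds:
                findings.append(Finding(p, ts, sha256_of(p), delta))
    findings.sort(key=lambda f: (abs(f.delta_seconds), f.path))
    return findings


def build_sample_tree():
    """Constructed sample: a fake Windows directory with SYSTEM and SYSTEM32.

    Returns (root, seed_path). Contents are placeholder bytes, not malware.
    """
    root = tempfile.mkdtemp(prefix="winsys_")
    os.makedirs(os.path.join(root, "SYSTEM"))
    os.makedirs(os.path.join(root, "SYSTEM32"))
    now = time.time()
    layout = {
        ("SYSTEM", "tibs3.exe"): (b"MZ-sample-seed", now - 300),
        ("SYSTEM32", "runsrv32.exe"): (b"MZ-sample-companion", now - 290),
        ("SYSTEM32", "runsrv32.dll"): (b"MZ-sample-companion-dll", now - 290),
        ("SYSTEM32", "kernel32.dll"): (b"MZ-sample-legit", now - 86400 * 400),
    }
    for (sub, name), (data, ts) in layout.items():
        p = os.path.join(root, sub, name)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (ts, ts))
    return root, os.path.join(root, "SYSTEM", "tibs3.exe")


def report(root, seed, window_seconds=600):
    """One line per finding: relative path, time delta, and digest to look up."""
    lines = []
    for f in find_coeval_files(root, seed, window_seconds):
        rel = os.path.relpath(f.path, root)
        lines.append(f"{rel:24s} dt={f.delta_seconds:+6.0f}s sha256={f.sha256}")
    return lines


if __name__ == "__main__":
    sample_root, sample_seed = build_sample_tree()
    for line in report(sample_root, sample_seed):
        print(line)
```

    On the sample tree the two runsrv32 files come back as findings (10 seconds after the seed) and kernel32.dll does not. Point `find_coeval_files` at a real system directory and a quarantined suspect, then search the printed digests on a multi-engine service; a timestamp match alone is a lead, not a verdict, and the digest is what turns it into something another source can confirm.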
     
  5. Newkid

    Newkid Spyware Fighter

    Joined: Apr 29, 2004 · Posts: 225 · Location: Memphis
    Hello Doc77,

    It appears to me that your machine needs a 'spyware specialist' as you have not been successful in removing it with anti-spyware programs.

    Since we no longer do hijackthis log analysis here, post a fresh hijackthis log to any of the forums that are providing spyware/hijack cleaning service listed here: http://a-sap.org/.
     
  6. Doc77

    Doc77 Guest

    I was successful in removing the spyware from my computer. I no longer get those AVG warnings since deleting those 3 files; thanks to my Ad-Aware, and thanks to you guys. I will post a Hijackthis logfile at one of those sites regardless. Thanks for your patience.
     
  7. Blackspear

    Blackspear Global Moderator

    Joined: Dec 2, 2002 · Posts: 15,115 · Location: Gold Coast, Queensland, Australia
    That is a wise move Doc77 ;) :D


    That is one thing we have in abundance around here :D

    Once you are certain you are all clean, you may want to take a look here for further discussion on security and how to make your system that much stronger and here for more.

    Let us know how you go…

    Cheers :D
     