trojan downloader.tibser & backdoor.small

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by buzz4_nt, Feb 11, 2005.

  1. buzz4_nt

    buzz4_nt Private E-2

    We have been hit with a troika:
    Trojan Horse Backdoor.Small.5.BT (puts temp25.exe in temp directory)
    Trojan Horse Downloader.Tibser.E (puts sbar[1] into Temp. Inet Files
    Trojan Horse Downloader.Tibser.E (puts t.exe into windows\system32)

    a bunch of dll's also appeared in system32: msdrs.dll, syfqwpaa.dll, lxossfaa.dll, dsmanager.dll, ntrsh.dll (they reappear after delete, that is, IF they can be deleted); other suspicious(?) ones are: open32.exe, open32.conf and open32_uninstall.exe

    There is a BHO in the registry --> B72F75B8 etc. that is not legitimate.

    During normal startup (I have XP, but have not yet gone to SP2), I notice a quick flash on the screen after which the Microsoft message comes up saying that IE encountered a problem and do I want to send the error report. Of course, when you check out the details, Microsoft indicates that it can't determine the problem. The latest manifestation is that my Google searches get hijacked and sometimes IE just comes up on its own with http://horseserver.net/etc...and some stupid page.

    Grisoft AVG does find the trojans, and I put them in the vault and then deleted them. They have reappeared when I start up. Also, when you try a Google search, you get a different looking page of results with the first page always showing the same results no matter what the search. And then, to add insult to injury, even if you do not have an IE window open, up pops one with address of http://horseserver.net/etc . I tried to put this site as Restricted, but IE Tools says it is already in another site category (even though I do not see it).

    In safe mode, it appears that I am OK, but when I boot up normally,
    I have downloaded and run: Spybot S&D (and the DSO Exploit Fix - it found 1 item to delete);
    Ad-Aware (+ the VX2 cleaner) - found CoolWeb items (including 5 registry keys)
    Grisoft AVG (now just finds 2 Tibser.E items, not the Backdoor.Small downloader though)
    CWShredder
    SpywareBlaster
    CCleaner
    Stinger

    Also, while in Safe Mode, performed Trend Micro's scan (nothing), and Symantec Security check (said I was OK).

    BUT, as soon as I reboot normally, AVG alerts me of the trojans. Please help get rid of them and turn my son's frown (and mine) to a smile. Thanks.

    (It is 8:45 PM now; I will stay on for an hour, and then return tomorrow)
     
  2. buzz4_nt

    buzz4_nt Private E-2

    I also found snim.dll in windows\system32.
     
  3. mastermosley

    mastermosley Sergeant

    Grisoft doesn't work properly; I used to use their software. When you detect the trojan, it tells you the location of the file; delete it manually. Then delete it from the Recycle Bin and it should be gone.
     
  4. buzz4_nt

    buzz4_nt Private E-2

    Whether I delete manually or delete from the vault, they return when I start up in normal mode.
     
  5. mastermosley

    mastermosley Sergeant

    I'll see if I can find anything to help you. Can you tell me the location of the trojan?
     
  6. buzz4_nt

    buzz4_nt Private E-2

    Trojan Horse Backdoor.Small.5.BT (puts temp25.exe in temp directory)
    Trojan Horse Downloader.Tibser.E (puts sbar[1] into Temp. Inet Files)
    Trojan Horse Downloader.Tibser.E (puts t.exe into windows\system32)

    system32 has the bogus dll's also
     
  7. mastermosley

    mastermosley Sergeant

  8. buzz4_nt

    buzz4_nt Private E-2

    well, thx for the link; it does seem similar to my problem, although there seemed to be a lot of trial and error :) I will check in again tomorrow.
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi Buzz,

    These can be a real pain to remove depending on which variant of Haxdoor you are afflicted with. I've had some success against it - See this thread: Wierd search and dialer proggy..think im hijacked

    I have been really busy lately and not sure I can find the time to stick with another long thread like that one. I'm willing to try, but be warned - It may drag out for a while!

    If you want to go ahead and try to remove this baddie (and any others), please send me a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I'll try to take a look when I get some free time!

    PP :)
     
  10. buzz4_nt

    buzz4_nt Private E-2

    Here is the HJT log as requested. I ran the scan while still in safe mode.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis log scans must be from normal boot mode as indicated in the HijackThis sticky thread.
     
  12. buzz4_nt

    buzz4_nt Private E-2

    OK, I will boot normally; what do I do when my AVG finds the trojans shortly after bootup? Put them in the vault and then run HJT? Or do I run HJT immediately upon startup?
     
  13. buzz4_nt

    buzz4_nt Private E-2

    OK, attached is the HJT log; after I booted up normally I got the AVG trojan messages, sent them to the vault, closed the 2 items in the tray (AVG and MSN Messenger), and then quickly ran HJT. I am now back in Safe Mode.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must not have two antivirus programs installed. Uninstall either AVG or Symantec/Norton. Only keep one.

    Do you know what these next two processes are? They seem suspicious, especially open32.exe:
    C:\WINDOWS\System32\open32.exe
    C:\Program Files\Smart Protector Pro\smart-protector-pro.exe
     
  15. buzz4_nt

    buzz4_nt Private E-2

    I think open32.exe is associated with the evilness; the other one is probably from an install I did a while ago (I think it is OK, but will remove).
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\System32\open32.exe
    C:\Program Files\Smart Protector Pro\smart-protector-pro.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL

    O4 - HKLM\..\Run: [Shell] open32.exe
    O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Smart Protector Pro\smart-protector-pro.exe" /stealt
    O4 - Startup: winupdate36305678[1].exe
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
    O21 - SSODL: NTWSMON - {08A0B935-4450-4151-B227-6867D49C5DDD} - C:\WINDOWS\System32\attrls31.dll
    O21 - SSODL: MSMserv - {E195B0C9-A591-4F4D-BD01-5E3E961347A1} - C:\WINDOWS\System32\msdtqasf.dll
    O23 - Service: Content Monitoring Tool - Unknown - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)


    Also do you know what this below service is for:
    O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\System32\r_server.exe


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\open32.exe
    C:\Program Files\Smart Protector Pro <-- the whole folder
    C:\WINDOWS\System32\DSMANA~1.DLL

    I want to wait on removing the below two items right now, so just let them be.
    C:\WINDOWS\System32\attrls31.dll
    C:\WINDOWS\System32\msdtqasf.dll

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Forgot two steps before getting the new HJT log do these too:

    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
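The two posts above walk through a HijackThis fix list by hand. As an added example (not part of this thread, and not code from HijackThis or any other tool mentioned here), the Python script below applies the same reasoning to HijackThis-style log lines: dangling registrations, Run values without a path, Startup items with IE-cache style names, BHOs and SSODL entries in System32, a Trusted IP range, and services with no known vendor. The sample lines are constructed from the entries quoted in this thread; the action labels, the set of stock XP SSODL DLLs and the "BHO in System32" rule are my own heuristics, not HijackThis behaviour.

```python
"""Triage HijackThis (v1.99-style) log lines for the persistence points
discussed in this thread.  Added example; the heuristics are assumptions."""
import re

# Constructed sample built from the entries quoted in this thread (not a full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Smart Protector Pro\smart-protector-pro.exe" /stealt
O4 - Startup: winupdate36305678[1].exe
O15 - Trusted IP range: (HKLM)
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O21 - SSODL: NTWSMON - {08A0B935-4450-4151-B227-6867D49C5DDD} - C:\WINDOWS\System32\attrls31.dll
O23 - Service: Content Monitoring Tool - Unknown - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\System32\r_server.exe
"""

# Assumption: DLLs that a stock Windows XP ShellServiceObjectDelayLoad key points at.
STOCK_SSODL_DLLS = {"shell32.dll", "webcheck.dll", "stobject.dll"}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (.+)$")
CACHE_NAME_RE = re.compile(r"\[\d+\]\.exe$", re.IGNORECASE)


def triage(log_text):
    """Return (action, line, reason) for every line worth acting on."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        low = rest.lower()

        # A registration whose target file is gone is pure debris: fix it.
        if "(no file)" in low or "(file missing)" in low:
            findings.append(("remove", raw, "registered component's file is missing"))
            continue

        if section == "O4":
            run = RUN_RE.match(rest)
            if run and "\\" not in run.group(2):
                # No path given: Windows finds the file by PATH search, and System32 is on it.
                findings.append(("verify", raw, "Run value is a bare filename; locate it (System32 first)"))
                continue
            if rest.startswith("Startup:") and CACHE_NAME_RE.search(rest):
                # name[1].exe is how the IE cache names a second copy of a download.
                findings.append(("remove", raw, "Startup item carries an IE-cache style name"))
                continue

        if section == "O2" and "\\system32\\" in low:
            findings.append(("verify", raw, "BHO loaded from System32 rather than Program Files (heuristic)"))
        elif section == "O15":
            findings.append(("verify", raw, "Trusted IP range set; the Trusted zone relaxes IE security"))
        elif section == "O21" and low.rsplit("\\", 1)[-1] not in STOCK_SSODL_DLLS:
            findings.append(("verify", raw, "non-stock SSODL entry; loads into Explorer at every logon"))
        elif section == "O23" and " - unknown - " in low:
            findings.append(("verify", raw, "service with no recognised vendor; confirm it was installed on purpose"))
    return findings


def summary(findings):
    """Count findings per action, e.g. {'remove': 3, 'verify': 5}."""
    counts = {}
    for action, _, _ in findings:
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    for action, line, reason in triage(SAMPLE_LOG):
        print(f"{action:7} {reason}\n        {line}")
```

Run against the sample, the script marks the three dangling or cache-named items for removal and five others for verification; the quoted Smart Protector Pro entry passes because it carries a full path, which is exactly why a human still has to decide whether that program belongs on the machine.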
     
  18. buzz4_nt

    buzz4_nt Private E-2

    when I booted up normally, AVG still found the trojans.
    I ran HJT again and found [shell]open32.exe, so fixed that and ran the scan.
    The item 04 - Startup: winupdate36305678[1].exe reappears even after i "fixed" it.
    Also, got errors when trying to "fix" these 2 items: "error 62, input past end of file (send email to merijn@spyware.info.com)"
    O21 - SSODL: NTWSMON - {08A0B935-4450-4151-B227-6867D49C5DDD} - C:\WINDOWS\System32\attrls31.dll
    O21 - SSODL: MSMserv - {E195B0C9-A591-4F4D-BD01-5E3E961347A1} - C:\WINDOWS\System32\msdtqasf.dll
     

    Attached Files:

  19. buzz4_nt

    buzz4_nt Private E-2

    BTW, r_server is part of the RAdmin install (Remote Administrator, which I sometimes use to connect to my machine at the office); the RAdmin server service is turned off.
     
  20. buzz4_nt

    buzz4_nt Private E-2

    All who read this: I think it has been solved. I downloaded HsFix (probably stands for Horseserver Fix) and this seems to have finally taken care of it. My AVG no longer sees trojans upon startup, and IE seems to behave now. (There are still some stray dll's I need to delete.) I have attached the latest HJT log and also the log from HsFix. Thank you for your help, and I hope others can benefit from this. Here is what I did:
    got HsFix from here: http://www.atribune.org/downloads/hsfix.zip

    First, download HSFix.
    After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.
    Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
    Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
    A log will be produced which you can close out of.
    Restart your computer and post a new HijackThis log, as well as the HSFix log which is located in C:/hslog.txt
     

    Attached Files:

  21. buzz4_nt

    buzz4_nt Private E-2

    After all that went on before, I ran eScan AntiVirus Toolkit Utility (mwav) and it found the following: (do I need to do something about these?)

    File C:\WINDOWS\System32\attrls31.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\System32\dplaalg.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\System32\msdtqasf.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\System32\nvwrbios.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\System32\osconfig.dll tagged as not-a-virus:RiskWare.Proxy.MarketScode.c. No Action Taken.
    File C:\WINDOWS\System32\rasdockx.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
     
  22. PhilliePhan

    PhilliePhan Guest

    Hi Buzz,

    Those DLLs should probably be deleted. If you'll notice, a couple of those DLLs are in those O21 HJT lines that gave you trouble.

    I see you found Atribune's HSFix - Good deal! It seems to work more often than not. Still, if you'd like to doublecheck manually for Haxdoor remnants, look for the files and registry entries I listed in Post # 28 of this thread I linked earlier:Wierd search and dialer proggy..think im hijacked

    You can use regedit to look for the registry entries (or do the same as in Post #21 of that thread), but don't delete anything without backing up first with ERUNT (or Similar).

    Probably a good idea to post a fresh set of logs for Chas to peruse, as well.

    PP :)
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  24. buzz4_nt

    buzz4_nt Private E-2

    I went through the list you mentioned in that other post, and did not find those items. However, in the registry in HKEY_CURRENT_USER\Software\Search Assistant\ACMru I found 2 subfolders (5603, which has dsmana and temp.exe as Data; 5604, which has snim.dll and sbar*.* as Data). I am going to delete these 2 subfolders from the registry. Should I also delete folder ACMru?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Those are not problems. They are Most Recently Used (MRU) lists just indicating what you most recently searched for. They are not a problem. They are just sort of a history trace. You can clean up the MRUs themselves (not really a problem though) by just using a program like Ad-Aware to remove them.

    Post a current HJT log so we can see what your status is. Are you still having any problems?
     
  26. buzz4_nt

    buzz4_nt Private E-2

    Here is the latest HJT log. It does appear as if the boogeyman has left the building.

    A question re: HKEY_CURRENT_USER\Software\Windows\Current Version\Internet Settings\ZoneMap\Domains (all the entries have " * " for Name and 0x00000004 (4) for data). These also appear in HKEY_USERS\S-1-5-21-286....\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains [Are these the ones that SpywareBlaster prevents from getting on your machine?]
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, those are what programs like SpywareBlaster and Spybot S&D add to your PC to protect you. The 0x00000004 (4) means it is an entry in the Restricted Zone. A 2 would have meant the Trusted Zone, and then we would be removing them.

    Your log is clean, but you still have not resolved the problem I mentioned a while back.

    You must not have two antivirus programs installed. Uninstall either AVG or Symantec/Norton. Only keep one.
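The zone numbers chaslang explains above come from the ZoneMap key buzz4_nt found. As an added example (not part of this thread, and not code from SpywareBlaster or Spybot), the Python script below reads a registry export of that key and reports which hosts and IP ranges sit in which Internet Explorer security zone, flagging the Trusted and Intranet ones for review since those are where a hijacker gains from adding itself. It goes a little beyond the thread by covering all five zone numbers (0 My Computer, 1 Local Intranet, 2 Trusted, 3 Internet, 4 Restricted) and the ZoneMap\Ranges subkey that backs the "O15 - Trusted IP range" line. The .reg text is constructed; horseserver.net is the host named in this thread and the other names and the 192.0.2.0/24 range are placeholders.

```python
"""Read an exported ZoneMap key and list which hosts and IP ranges Internet
Explorer has been told to treat as Trusted, Intranet, Internet or Restricted.
Added example; the sample .reg text is constructed."""
import re

# URL security zone numbers as stored under ZoneMap (0 and 1 are the local ones).
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample of what regedit / `reg export` produce for the ZoneMap key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\horseserver.net]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\majorgeeks.com]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="192.0.2.0-192.0.2.255"
"*"=dword:00000002
"""

ZONEMAP_RE = re.compile(r"\\ZoneMap\\(Domains|Ranges)\\(.+)$")


def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: raw value text}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            current[name.strip('"')] = value
    return keys


def zonemap_entries(text):
    """Flatten the Domains and Ranges subkeys into rows of target, scheme and zone."""
    rows = []
    for key, values in parse_reg(text).items():
        m = ZONEMAP_RE.search(key)
        if not m:
            continue
        kind, sub = m.groups()
        if kind == "Domains":
            # Domains\example.com\www is the host www.example.com: subkeys nest right-to-left.
            target = ".".join(reversed(sub.split("\\")))
        else:
            # Ranges\RangeN keeps the actual address range in the ":Range" string value.
            target = values.get(":Range", sub).strip('"')
        for scheme, value in values.items():
            if value.startswith("dword:"):
                zone = int(value[len("dword:"):], 16)
                rows.append({"target": target, "scheme": scheme,
                             "zone": zone, "zone_name": ZONE_NAMES.get(zone, "unknown")})
    return rows


def needs_review(rows):
    """Trusted (2) and Intranet (1) entries lower IE's security for that target;
    a hijacker adding itself there is the case to look for."""
    return [r for r in rows if r["zone"] in (1, 2)]


if __name__ == "__main__":
    for r in zonemap_entries(SAMPLE_REG):
        print(f"{r['zone']} {r['zone_name']:16} {r['scheme']:5} {r['target']}")
```

On the sample the two SpywareBlaster-style entries come out as Restricted Sites (4) and are left alone, while the www.example.com host and the 192.0.2.x range are reported as Trusted and would be the ones to remove if you did not put them there yourself.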
     
  28. buzz4_nt

    buzz4_nt Private E-2

    done :) thx, merci, gracias, danke
     
  29. PhilliePhan

    PhilliePhan Guest

    Actually, Chas, that is a different tool - it just removes a few registry entries and is not very thorough. For Atribune's tool, try the link I gave you.

    PP :)
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Last edited: Feb 13, 2005
  31. buzz4_nt

    buzz4_nt Private E-2

    One more item on this topic: There were 2 files that seemed left over in system32. One was a .rrh file, which I have deleted; the other is a .dll which will not go away, no matter what I do. When I tried Killbox on C:\WINDOWS\System32\lxossfaa.dll: "This file could not be deleted". I tried clicking "Standard File Kill" and checking the "End Explorer Shell While Killing File" box; also tried the "Delete on Reboot" setting, and "Replace on Reboot" and "Use Dummy". The file is still there, unchanged.

    I seem to recall that when I was having problems, I was able to delete it, but it reappeared with the others. While in Safe mode I had changed the properties to Deny all permissions, but later changed it back. It says it is Read-only, then I renamed it to _lxossfaa.dll and tried to delete it both manually ("access denied") and with Killbox, but no luck.

    Any thoughts? :confused:
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Remove the Read only attribute and then try to delete it.

    Who is the owner of the file?
     
  33. buzz4_nt

    buzz4_nt Private E-2

    Hopefully this is the last installment on this: there are 3 user accounts on this machine, and I had previously denied access to that file to all users; later I thought I had reset the privs for all 3, but I had left user Owner without privs to delete that file. Now I have finally expunged that sucker from system32. Thus, another happy ending. Thx much chaslang and PhilliePhan! :)
     
  34. PhilliePhan

    PhilliePhan Guest

    Cool! We're happy to help! :)

    PP
     
