Horse-search and Tibs infested

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by minorsqueek, Feb 26, 2005.

  1. minorsqueek

    minorsqueek Private E-2

    Hi All,
Seem to have 2 major probs, Horse-search.net and Tib.dialer with a coolweb side salad! Norton brings up Trojan.Downloader and Trojan.Startpage.I; Spybot finds Haxdoor.H and Tibs.
    So far tried the following as per your great instructions.

    Restore off
Following Norton's instructions for Trojan.Startpage.I removal, tried to remove the registry keys using regedit, but they were not present.

    Run symantec online evaluation
    In safe mode
    Run Mcafee Stinger
    Norton anti-virus
    Cwshredder
    Kill2me
    About:Buster
    Ad-Aware found Tib (HKEY_USERS.......website viewers)
    Spy-bot found Haxdoor.H (Klogin.dll + HKEY_LOCAL.....impersonate)
    Ccleaner removed temporary files
    Set up Spyware Blaster
    Return to normal mode
    Run Hijackthis
    Analyzed and Removed all files I was sure about.
    On reboot Tibs and Horse-net started up
    Installed and run Trojan Hunter
    On reboot still present.

That's the story so far. :eek:
    Could you help?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser and e-mail. Please close these before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT


We are very busy here at MajorGeeks.Com. PhilliePhan, Chaslang or myself will check back when time permits!
     
  3. PhilliePhan

    PhilliePhan Guest

    In addition to the steps BJ has mentioned above, you will need to do the following:

    FIRST:
    Please download this tool: HSFix.zip Tool

    Please Extract the files from the ZIP to your Desktop.

    THEN:
    Please boot to Safe Mode and DoubleClick hsfix.bat to run the tool.

    Allow it as long as it takes to run, then Reboot to Normal Windows and look for a log at C:/hslog.txt . Please attach that log + a fresh HijackThis log.

    PP :)
     
  4. minorsqueek

    minorsqueek Private E-2

    Thanks !!
    HsFix found loads.
Sorry, I made a small mistake: I ran Hsfix.bat in normal mode, and this is the file submitted. I then ran it again in safe mode, which found in addition:
    w32tm.exe


    Horse-server.net has not popped up over the last 30 mins online.
     

    Attached Files:

  5. TheOldThug

    TheOldThug First Sergeant

    Minors

I am sure BJ will tell you to

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Thanks, I was just about to address this. Am creating a fix now!

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.


    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    Please be patient while I create a fix for you.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://uk.yahoo.com/"); (C:\Documents and Settings\ˆî–Ø\Application Data\Mozilla\Profiles\default\dyq946f7.slt\prefs.js)

    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_0 1.src"); (C:\Documents and Settings\ˆî–Ø\Application Data\Mozilla\Profiles\default\dyq946f7.slt\prefs.js)

    O4 - HKLM\..\RunServices: [Message] mpsvc.exe

    O4 - HKLM\..\RunServices: [Microsoft Servc] iOpenGL.exe

    O4 - HKLM\..\RunServices: [window2] ieupdate.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.vaio.sony.co.jp/

    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB

    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

    O23 - Service: Microsoft Secure Messenger.NET Service - Unknown owner - C:\WINDOWS\System32\securitychk.exe" -netsvcs (file missing)

    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)

    O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)

    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)

    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)

    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)

    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)



    Again, make sure All Browser Windows are Closed when you Click FIX.



    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\WINDOWS\System32\securitychk.exe

    ieupdate.exe <--- Search and delete if found!

    iOpenGL.exe <--- Search and delete if found!

    mpsvc.exe <--- Search and delete if found!



    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Don't forget to update Spybot S&D by selecting "Search For Updates"



    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Now do a search for the following files and delete when found!

    klogini.dll

    p2.ini

    ps.a3d

    vdmt16.sys

    klo5.sys

    drct16.dll

    mszx23.exe

    cz.dll

    hz.dll

    tmp*.exe

    WebSiteViewer

    tmp*.tmp

    dload.exe.tcf

    dload.exe*.tcf

    w32tm.exe

    open32.exe



Reboot to Normal Windows, scan with HijackThis and attach the new log. Also, run HSfix and attach this log as well. Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
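A small triage pass over HijackThis-style log lines, added here as an example and not a tool from this thread or from MajorGeeks. It flags the kinds of entries BJ singled out above: RunServices entries that name a bare executable with no path, a protocol whose zone has been downgraded, and an unknown-owner service whose binary is missing. The sample lines are constructed to mimic the 1.99 log format, and the regexes and classification rules are my own assumptions, not HijackThis's.

```python
import re

# Constructed sample lines in HijackThis 1.99 log layout, modelled on the
# entry types quoted in the fix above (sample data, not the poster's log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\RunServices: [Message] mpsvc.exe
O4 - HKLM\..\RunServices: [window2] ieupdate.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: Microsoft Secure Messenger.NET Service - Unknown owner - C:\WINDOWS\System32\securitychk.exe" -netsvcs (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# "O4 - <body>": section code, then the entry body (assumed layout).
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body: HKLM\..\RunServices: [value name] command line
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage(log_text):
    """Return (log line, reason) pairs for entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or header text, not an entry
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            o4 = O4_RE.match(body)
            # A RunServices value that is just "name.exe" (no directory) relies on
            # the PATH search order and is typical of the droppers listed above.
            if o4 and o4.group("key") == "RunServices" and "\\" not in o4.group("cmd"):
                findings.append((line, "RunServices entry with bare filename (no path)"))
        elif code == "O15" and "should be" in body:
            findings.append((line, "protocol zone downgraded from its default"))
        elif code == "O23" and body.endswith("(file missing)") and "Unknown owner" in body:
            findings.append((line, "unknown-owner service whose binary is missing"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}: {entry}")
```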
     
  8. PhilliePhan

    PhilliePhan Guest

    Rather than searching for all those files, run HSFix again in SAFE MODE and attach the new log! No sense looking for those files manually if BJ is going to have you run the tool again anyway ;)

    PP :)
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

I thought about that but wasn't sure if it would clean in safe mode as it didn't clean in normal mode. Anyway, thanks pp :)
     
  10. PhilliePhan

    PhilliePhan Guest

    Well, since you asked them to run it again anyway, I figured we might as well wait and see whether the tool finds remaining baddies and whether it cleans them this time ;)
     
  11. minorsqueek

    minorsqueek Private E-2

    Hi all,
    Did all as instructed.
    After Hijackthis fix Spybot found and destroyed:
    "sex.lnk" in start menu
    "sex.lnk" in desktop

    I was doing the job when you posted about using Hsfix so manually found and deleted:
    MSZX23.exe
    OPEN32.exe

    On reboot Hsfix had nothing to report in log.
    Please find Hijackthis log attached.

    I had Norton dialogue box saying found and deleted "download trojan"
    in system32/pif
    but no other weirdness :eek:
    Thanks for your great help so far people.
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You still have some trojan infections I see.

    First:

    Before we continue, please move your HJT.

    C:\Documents and Settings\ˆî–Ø\Local Settings\Temp\hijackthis 1.zip ‚̈ꎞƒfƒBƒŒƒNƒgƒŠ 1\HijackThis.exe

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.


    DO THIS BEFORE WE CONTINUE!

    Let me know when you complete this!
     
  13. minorsqueek

    minorsqueek Private E-2

Ok,
    Job done,
    I'm running it from c:hijackthis

    Sorry for the screw up
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, Now we can continue! Please allow me a moment to post a fix.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\WINDOWS\System32\conime.exe

    bfghost.exe <--- Search for this file and delete if found!

    editmm.exe <--- Search for this file and delete if found!

    read it.txt <--- Search for this file and delete if found!

    regsys.vxd <--- Search for this file and delete if found!

    service.dll <--- Search for this file and delete if found!



    NEXT:
    Run CCleaner

Now, reboot to Normal Windows, scan with HijackThis and attach the new log. Also, are you currently experiencing any problems?
     
  16. minorsqueek

    minorsqueek Private E-2

    BJ,

    Nothing found on system32.
    No observed weirdness (Norton/spyware blaster dialogues boxes etc)
    Please find log attached
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log is clean! The trojan file that was running conime.exe appears to be gone.

Just as a precaution I would download the latest Definitions for TrojanHunter. Save this to your desktop; once complete, extract it to this directory:

    C:\Program Files\TrojanHunter 4.2


    Now run a Full Scan!


    After the scan is complete and you have removed all found infections please visit this article on How to Protect yourself from malware!

    Happy Computing :)
     
  18. minorsqueek

    minorsqueek Private E-2

Well, Trojan Hunter found "web site viewer" which I previously couldn't find :(
    but all's been quiet since then. Booted up a few times and been online for an hour with no weirdness.
    So here's hoping.

    Much deep-felt thanks to you and phillie, have yourselves a virtual reality cocktail of your choice on me. :eek:
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

You're welcome!

    Happy Computing!
     