Removing Trojan horse Dialer ; File _T.EXE

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Doc7, Dec 2, 2004.

  1. Doc7

    Doc7 Private E-2

    My AVG detected a Trojan horse dialer in C:\WINDOWS\SYSTEM_T.EXE through its Residential Shield but could not pick it up during the actual AVG scan. I used Safe Mode in order to assist with removing the Trojan Horse Dialer. While in Safe Mode I ran my Ad-Aware software and it picked up 2 Dialers named TIB Browser. I deleted them. Also while in Safe Mode I manually deleted a file that I was suspicious of. This file was named tibs3.exe, which was located in C:\WINDOWS\SYSTEM. After deleting tibs3.exe by sending it to my Recycle Bin, I restarted my computer and logged on to the internet, and the repeated warnings that I kept getting from my AVG about the Trojan Horse Dialer stopped. I then restored the deleted tibs3.exe file back to the System File and the AVG warnings started again. I went back into Safe Mode and deleted it again, and the AVG warnings went away again.

    Two (2) things made me suspicious of this file: a. it had a very new date of creation to it, which was right about the time I picked up the Trojan horse Dialer, and b. the tibs3.exe file, which I had never heard of before, had the same initials as the Dialer named TIB Browser which was picked up and deleted by Ad-Aware. If I restore the tibs3.exe file from my Recycle Bin back to the System File on my computer, and reboot, the very 2 Dialers that my Ad-Aware software picked up for removal reappear, and I have to scan with Ad-Aware again to remove them again. With the tibs3.exe file deleted and in the Recycle Bin, I don't have to delete those 2 Dialers again. Before I delete this file permanently, has anyone ever seen or heard of an .exe file named tibs3?

    Also, there are 2 other files which are located in my System32 file, and they are named runsrv32.dll, an Application Extension type file, and runsrv32.exe, an Application file. Both of these files have very recent creation dates on them which are exactly the same as the dates on the tibs3.exe file. Does anyone recognize these 2 Application Files?

    I am not in the habit of just deleting files arbitrarily, so I need some other source who does recognize these files as Windows Files or Trojans. Also, why does the file as noted on the repeated AVG Residential Shield warnings say _T.EXE when the file that looks like it's the culprit is tibs3.exe? I have Windows 98SE with Internet Explorer 6.0. I would appreciate any assistance. Thank You.
     
  2. rotibm

    rotibm Private E-2

    runsrv32 is a valid executable that allows programs to manipulate the registry file. I believe there is also a .dll that comes with it. However, if those files have a recent date, it seems possible that the dialer/virus changed or replaced the files. This could be where your virus keeps returning from. Just my $.02
     
  3. Doc7

    Doc7 Private E-2

    I have been doing perhaps too much reading on the subject of Trojans and Viruses to the point where I don't know if I'm coming or going. I found a webpage http://www.spydetails.com/threat-159.html that alludes to the fact that the runsrv32.dll file and the runsrv32.exe file are both Adware and both were created by a malicious parasite. You say that runsrv32.dll and runsrv32.exe are valid files. I have both of these files in my Recycle Bin for permanent delete, and I still need definitive proof of their purpose. Delete or not Delete.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Neither of those two files are valid files. They both should be deleted.
     
  5. Doc7

    Doc7 Private E-2

    I deleted the suspicious tibs3.exe file, and will delete these two files as well. I appreciate everyone's help. Thanks.
     
  6. rotibm

    rotibm Private E-2

    DOH! I thought it said regsvr32. My bad....need more sleep. :(

    Glad everything worked out in the end.
     
  7. Kodo

    Kodo SNATCHSQUATCH

    They do that. Tricky bastards, eh? We look at these logs all the time and you have to look REALLY closely because they are often one letter off, and if you give it a cursory look, you're likely to miss it.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yeah! Especially at 2 AM.;)
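
The mix-up in this thread (runsrv32 read as regsvr32) is the kind of near-miss name Kodo describes. The following is an added example, not part of the original posts: a Python check that flags file names within a few edits of a known system binary. The allowlist, the distance threshold and the sample paths are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Assumption: a tiny illustrative allowlist of genuine Windows binaries,
# not a complete inventory of any Windows release.
KNOWN_SYSTEM_NAMES = {"regsvr32", "rundll32", "notepad", "explorer"}


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    rows, cols = len(a) + 1, len(b) + 1
    # First row and column hold the cost of building a prefix from nothing.
    d = [[i + j if i * j == 0 else 0 for j in range(cols)] for i in range(rows)]
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]


def find_lookalikes(paths, known=KNOWN_SYSTEM_NAMES, max_dist=3):
    """Return (path, closest known name, distance) for near-miss names."""
    hits = []
    for path in paths:
        stem = PureWindowsPath(path).stem.lower()
        if stem in known:
            continue  # exact match: the genuine name, nothing to flag
        dist, name = min((osa_distance(stem, k), k) for k in sorted(known))
        # Cap at half the name length so short names do not match everything.
        if dist <= min(max_dist, len(stem) // 2):
            hits.append((path, name, dist))
    return hits


# Constructed listing using the file names mentioned in the thread.
SAMPLE = [r"C:\WINDOWS\SYSTEM\REGSVR32.EXE", r"C:\WINDOWS\SYSTEM\tibs3.exe",
          r"C:\WINDOWS\SYSTEM32\runsrv32.dll", r"C:\WINDOWS\SYSTEM32\runsrv32.exe",
          r"C:\WINDOWS\NOTEPAD.EXE"]

if __name__ == "__main__":
    for path, name, dist in find_lookalikes(SAMPLE):
        print(f"{path}: {dist} edits from {name}")
```

tibs3.exe is not reported because it resembles no name on the allowlist, so a look-alike check complements other signals such as the matching recent creation dates Doc7 noticed.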
     
