What is sbubeper.dll?

MilkyJoe

Just turned on my computer and got an error loading, access denied message. AntiVir is blocking it.

A Google search found nothing.

All I did was turn on the PC, didn't do anything from turning it on to getting the message.

RussJK

No clue, what does Antivir say it is? Where is is located?

Do the usual checks with Malwarebytes Anti-Malware (install, update, then quick scan, post log) + Hijackthis! log (run as administrator, i.e. actually right click on the program file and select 'run as administrator'):
http://www.users.on.net/~russ/mb.exe
http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

Afterwards, see if you can upload the DLL to www.virustotal.com - you may have to allow access to it through Avira, so best to do all the scans first so whatever is trying to use the .dll isn't active otherwise you'll be in a worse position.

MilkyJoe

AntiVir says: Object: sbubeper.dll; Detection:TR/Hiloti.2.224

Location is: G:\WINDOWS\sbubeper.dll

G is my main drive.

Going to do a Malwarebytes scan after it's updated.

MilkyJoe

Antivir isn't applauding.
The detection is: TR/Hiloti.2.224.

MilkyJoe

Malwarebytes' Anti-Malware 1.50.1.1100
https://www.malwarebytes.org

Database version: 6424

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

23/04/2011 14:25:47
mbam-log-2011-04-23 (14-25-40).txt

Scan type: Quick scan
Objects scanned: 136427
Time elapsed: 9 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
g:\WINDOWS\uzumicunojagiq.dll (Trojan.Hiloti) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jyaciviyiyimev (Trojan.Hiloti) -> Value: Jyaciviyiyimev -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qyebapeqikod (Trojan.Hiloti) -> Value: Qyebapeqikod -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
g:\WINDOWS\uzumicunojagiq.dll (Trojan.Hiloti) -> No action taken.
g:\WINDOWS\sbubeper.dll (Trojan.Hiloti) -> No action taken.
g:\documents and settings\pd\local settings\Temp\praljybd.exe (Trojan.Hiloti) -> No action taken.

MilkyJoe

What's www.virustotal.com?

If I upload the dll what will it tell me?

RussJK

MilkyJoe wrote: »

Antivir isn't applauding.
The detection is: TR/Hiloti.2.224.

It took me a moment to realise what you meant by that, made me burst out laughing

In that case don't worry about uploading it. Hiloti is a trojan, and randomly names the dll file which is why there is no information on that particular filename. VirusTotal is a website that runs a virus scan on files you upload using multiple antivirus software but there's no need now that you've said it's Hiloti.

By blocking the .dll, then Avira has probably disabled it from functioning properly, but it may be a good idea to stick a host file in there to block the trojan from phoning home to one of the servers. There is a storm coming so I'm going to have to get off, so I'll leave you with some instructions and come back in a minute.

1. Run a FULL scan with Malwarebytes, and clean anything it finds
2. While that is running, install hostsman (http://www.abelhadigital.com/hostsman) but uncheck anything it suggests like the hostman server or hosts optimiser
3. Run hostman in administrator mode
4. In hostman do Tools > Manage update sources, and add MalwareDomainList to it (http://www.malwaredomainlist.com/hostslist/hosts.txt)
5. Do 'check for updates' and make sure its set to Overwrite the hosts, then update it with MVPS and Malwaredomainlist that you added.

After the Malwarebytes full scan is done, and you have cleaned what it suggests (and posted a log),
then Avira suggest the following:

'In order to make sure that your system is clean, please do the following:
- disable System restore: right-click on My computer -> choose Properties -> go to System restore tab and check "Turn off System restore..."
- restart the computer in safe mode
- perform a full scan (all files) and clean all infections
- restart the computer normally and enable back System restore'
http://forum.avira.com/wbb/index.php?page=Thread&threadID=105481

MilkyJoe

RussJK wrote: »

1. Run a FULL scan with Malwarebytes, and clean anything it finds

Should I not check first?

RussJK

MilkyJoe wrote: »

Should I not check first?

There is no chance that the following are anything but malware, and need to be deleted as your computer is compromised. Both Avira and Malwarebytes are saying you have Hiloti, so you really need to act.

Memory Modules Infected:
g:\WINDOWS\uzumicunojagiq.dll (Trojan.Hiloti) -> No action taken.

A randomly named dll file that Malwarebytes thinks is a trojan - is going to be a trojan.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\Jyaciviyiyimev (Trojan.Hiloti) -> Value: Jyaciviyiyimev -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\Qyebapeqikod (Trojan.Hiloti) -> Value: Qyebapeqikod -> No action taken.

A randomly named autorun that Malwarebytes thinks is a trojan - is going to be a trojan. I don't even need to check any database of valid autoruns to know this.

MilkyJoe

I'll do a full Malwarebytes scan and post the result before I do anything. How do I stick a host file in there (where?)? Also, what is a host file?

RussJK

MilkyJoe wrote: »

I'll do a full Malwarebytes scan and post the result before I do anything. How do I stick a host file in there (where?)? Also, what is a host file?

Seriously, just clean everything that Malwarebytes finds and then post the log after. There is very little chance of a false positive, and at worst you can just restore the file anyway, since Malwarebytes puts them in quarantine.

A 'hosts' file is intended for something else, but it can be used as a webfilter as well to block bad web addresses. Hostsman is just a program that does it all for you - it keeps track of lists of bad web addresses, and inserts those lists into your hosts file. I already gave instructions on how to do it:

1. install hostsman (http://www.abelhadigital.com/hostsman) but uncheck anything it suggests like the hostman server or hosts optimiser
2. Run hostman in administrator mode (it should be in admin mode first time you run it, the buttons appear green when it is)
3. In hostman do Tools > Manage update sources, and add MalwareDomainList to it (http://www.malwaredomainlist.com/hostslist/hosts.txt)
4. Do 'check for updates' and make sure its set to Overwrite the hosts, then update it with MVPS and Malwaredomainlist that you added.

If you do the above, you'll have less chance of getting another infection like this again.