OK … I have your Home version of Avast, and it found a virus called Win32:Tibs-ADO [Trj] (that's what Avast says).
It copies all my .exe files and adds a .exe to them … like: D:\Dwnl Apps\Spybot S&D 1.4\spybotsd14.exe.Exe
And I noticed that all the infected files appear in all my shared folders (on my PC) of my LAN.
Avast detects this, BUT it doesn't seem to be able to find the source, which I guess is Win32:Tibs-ADO [Trj].
I've searched on your site and found nothing! It's pissing me off! I scanned my WHOLE computer 3x with different software: SpyHunter, Avast, Spybot, WinTask Pro… none of them can find the virus!
HELP PLEASE! Before it really makes me sick and I format my drive!
Hi and welcome
Download and run this little program: http://www.majorgeeks.com/download3155.html
Let it generate a log, which you should paste into your next reply.
This will give us a look at what's going on and enable people to help.
Ask questions if you have any.
Note on Enigma SpyHunter: Enigma's SpyHunter anti-spyware application was listed on this page primarily because of the company's history of employing aggressive, deceptive advertising (1, 2, 3, 4, 5). The company was also known for exploiting the name "spybot" in its domain names and online advertising. These objectionable business practices were employed primarily from late-2002 to mid-2004.
Sometime during summer of 2004 the company halted the most obnoxious and objectionable aspects of its online advertising. It also unloaded all the “spybot” domains (which were promptly picked up by Paretologic for its XoftSpy anti-spyware application).
While there are still unresolved allegations that SpyHunter transmits the Windows Product ID from users’ PCs (1), we can no longer classify this application as “rogue/suspect.” Nonetheless, SpyHunter – at least in its current state – cannot be recommended because of its mediocre performance as an anti-spyware scanner. Testing indicates that it does not recognize some well-known spyware installations and has difficulty removing critical spyware/adware files even from those it does recognize (1). Given the many excellent competing anti-spyware applications that are available (some for free), users would do better looking elsewhere for trustworthy anti-spyware protection.
Logfile of HijackThis v1.99.1
Scan saved at 4:50:17 AM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Online analysis didn't see too much wrong with your log.
I would FIX this item: O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Apps\FlashFXP\IEFlash.dll (file missing)
From your log it appears that SpyHunter is gone, and that's a good thing.
It also appears you have Norton products on your system along with Avast!. Can you confirm that you only have one AV running? This is critical.
Have you downloaded the free antispyware products David recommended?
If so, then give one or both a whirl and see what they find.
One other thing you might want to do is put HJT in its own folder on your C drive, as it saves copies of the logs you generate (useful if you ever need to backtrack), and if it's on your desktop they are harder to keep track of.
Lastly, you might benefit from updating your Java, as it's currently running at 1.5.09 or 10, so you are a couple behind.
Be sure to uninstall the older installations of Java from Add/Remove Programs when you update.
Whilst there doesn't seem to be anything major in your log file, the online analysis highlights 'firewall' issues.
We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
Windows XP's firewall is better than no firewall, but it lulls you into a false sense of protection; it doesn't provide outbound protection.
I would, however, say you need to look at a third-party firewall to protect against unauthorised outbound connections.
Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third-party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
I don't have any Symantec products, and only Avast is running as an anti-virus!
For the firewall, I use the one provided by Windows (I know it's not very good), but every time I install a software firewall my LAN is blocked! Maybe now ZoneAlarm can manage a LAN; if not, is there any free firewall I can get that will not make my LAN blocked!?
I have downloaded Ewido AVG and updated Java! As for Acrobat Reader, it's gone now; I'm not using it very much, and if I need to, I'll redownload it!
I have moved HJT to my C drive (C:\hijackthis).
For this: O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Apps\FlashFXP\IEFlash.dll (file missing)
I'm not using IE at all!
And I have unshared all my folders (6) and the virus hasn't reappeared yet! But I know the virus is still there because I haven't found a way to remove it!
Thx for your help! I'll post a new HijackThis log!
So it would appear you still have remnants on your system. Since you say you are only using the Windows firewall, there shouldn't be any Symantec Internet Security products, as I assume you uninstalled this?
Logfile of HijackThis v1.99.1
Scan saved at 3:43:54 PM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Then fix the entries I mentioned, that should remove the registry reference to them.
Also these, which also seem to be related to Symantec Internet Security:
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
It's reasonable to expect that Avast! removed the trojan if it identified it. There doesn't seem to be any evidence of it in the HJT list. Maybe you could find a clue in the virus chest of Avast or in a log of events.
Have you done any investigation into the trojan on Avast's web site or Google perhaps?
Perhaps an alternative scan at an online service like KAV: http://www.kaspersky.com/scanforvirus
It might take a while to load but it's very thorough.
I have only moved 2 or 3 files to the Avast Chest; for all the other files that Avast detected, I chose "delete" (the infected file, not the virus itself)! Every 2 to 5 minutes a new file was infected!
This is one file in the Avast Chest :
Original File Name : KilpFolio-Install.exe.Exe
Original Folder : D:\Dwnl Apps\KlipFolio 3.0
Size of the file : 59566
Last Modification time : 12/31/2006 9:48:08 PM
Time of transfer to chest : 12/31/2006 5:48:31 PM
Category : Infected files
Virus Description : Win32:Tibs-ADO [Trj]
File ID : 1
As I said, this happened only in the folders I share on my network that contain .exe files; it infects the exe files in alphabetical order! And since I unshared my 6 folders, the virus has not reappeared!
Hooo, and I remember something: a couple of months ago I had a problem much the same as this one, except I had no ".exe.exe" files but only a setup.exe and an autorun.ini appearing, again, in all my shared folders! Every time I saw these files, my AV detected them, and I deleted both files! I can't remember the name of this virus!
My System Restore is always turned off!
I clean my temp folders every 2 days (Temporary Internet Files, Temps, Cookies, History and My Recent Documents).
A boot time scanning!
And AVG AntiSpyware!
And I did what Cloussau says!
Here is the report of the Kaspersky scan:
This: D:\RECYCLER\S-1-5-21-1078081533-920026266-725345543-1003\Dd396.01\Partition Magic 8.0\BTMagic\Rescueme\DOSYSTEM\WRPROG.EXE.Exe
has been deleted!
At the end of the report, it shows this: D:\System Volume Information_restore{DAFD93D3-068D-40F6-9E39-432452187FD9}\RP3\A0000432.exe
I don’t know how to remove this!
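The symptom reported in this thread (copies named `<file>.exe.Exe` appearing in shared folders) can be inventoried with a short script before anything is deleted. This is an added example, not part of the original thread; the function names and the sample files in `demo()` are constructed for illustration. It groups hits by SHA-256 so you can see whether the flagged files are identical copies of one another and whether the original `.exe` is still beside each one.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Matches the naming pattern reported in the thread: "<name>.exe.Exe"
DOUBLED_EXE = re.compile(r"\.exe\.exe$", re.IGNORECASE)

def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large installers do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_doubled_exe(roots):
    """Return {sha256: [records]} for every *.exe.exe file under roots."""
    groups = defaultdict(list)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            lower = {name.lower() for name in files}
            for name in files:
                if not DOUBLED_EXE.search(name):
                    continue
                full = os.path.join(dirpath, name)
                try:
                    digest = sha256_of(full)
                    size = os.path.getsize(full)
                except OSError:
                    continue  # locked or removed mid-scan (e.g. by the AV)
                groups[digest].append({
                    "path": full,
                    "size": size,
                    # True when "<name>.exe" still sits next to the copy
                    "original_present": name[:-4].lower() in lower,
                })
    return dict(groups)

def demo():
    """Constructed sample tree standing in for one shared folder."""
    with tempfile.TemporaryDirectory() as share:
        for name, data in [("setup.exe", b"clean-a"), ("setup.exe.Exe", b"DROP"),
                           ("tool.exe.Exe", b"DROP"), ("readme.txt", b"x")]:
            with open(os.path.join(share, name), "wb") as f:
                f.write(data)
        return find_doubled_exe([share])

if __name__ == "__main__":
    for digest, hits in demo().items():
        print(digest[:16], [os.path.basename(h["path"]) for h in hits])
```

Pass the real shared-folder paths to `find_doubled_exe()` and compare the sizes and paths it reports with the entries in the antivirus chest.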