[Resolved] Problems following the Win32:Tibs-EOE[Trj] removal

The Win32:Tibs-EOE[Trj] virus caused a lot of unusual problems for me in the last week.

However, after using the Avast Boot Time Scan and 2 full scans with Updated MBAM, I managed to get my Windows Vista Home Premium to boot up (or apparently boot up as normal).

My problem now is that None of my Programs or Browsers will operate.

Although the program links and desktop Icons appear to be trying to load, they simply stop and nothing operates.

So although the Bootup appears normal, nothing seems to be operational when Clicked.

This was also the case after the first MBAM scan and I have had to upload everything in the “Safe Mode with Network”.

I’m pleased to note that everything appears to be working in “Safe Mode”, but I need to know what can be done to restore things to normal.

Another thing that I’ve noticed is that although my Avast anti-virus updates automatically as normal, it does not register in my Windows security setting, which now always warns that it is out of date.

Thank you for any help and advice anyone can provide following this nasty and frustrating week.

Regards,
John Williamson

Hello John and welcome to the forum,

Win32:Tibs-EOE[Trj] identified by OP

  1. What is your OS, 32 or 64-bit? - Vista Home Premium __ bit
  2. What version of Avast did you install? 5.0.677 is the latest version
  3. What product of Avast did you install? Free, Pro, AIS?

Did MBAM put anything into quarantine? Can you please cut and paste your MBAM Full log and put it in your next post for analysis? Thank you.

Did Avast put anything in the Virus Chest? If so, can you give a screen shot?

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions for obtaining OTL logs. Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post). We can then analyze this in the meantime for any malware, and if any malware is found we will refer you to one of our malware experts.

In the meantime, since we don’t know if your Security Center is accurate in seeing your antivirus (AV) or not, you may want to turn on Windows Defender (if you have it), make it Resident, and update the definitions; it will not conflict with Avast. Thank you.

When you say that the malware you got “caused a lot of unusual problems for me in the last week,” can you tell me what kinds of problems you experienced? Please be as specific as possible so we can help you.

I look forward to your posts with your logs. Please let me know if you have any questions. Thank you.

John,

I am going to contact one of our Certified Malware Removal Experts, named Essexboy, to assist with your malware removal once you post your logs (esp. the OTL log). He will give you further instructions here in this thread. He is in the UK time zone, so please check this thread at least daily, even if you have to check from another PC and print the instructions.

In the meantime, please remove all personal data, banking information, passwords, etc. from the affected machine as a “just in case.” I will still be assisting you in the meantime and once Essexboy arrives, I will remain in the background.

What firewall do you use?

Please let me know if you have any questions. Thank you.

Hi Safesurf,
Thank you for your prompt reply.

I am splitting this post into 2 parts, as initially it exceeds the 10000 characters limit.

I will post the “Cut & Paste” copy of the MBAM log in Part Two…

I’m currently using my PC in “Safemode” and hope that I can provide all the correct information and logs to help solve the problem.

I first posted a reply to the post entitled “Win32:Tibs-EOE[Trj]”
stating that I too had been getting continuous Avast Warning messages over 2 days that amounted to many hundreds and wondered how to overcome them.
I followed the instructions on that post and Downloaded the MBAM program and ran a Full Scan - Logs Attached

Unfortunately when I tried to Boot up my PC I was getting a Blue Screen Warning that Quickly Closed down and I was then able to Boot Up using “SafeMode with Networking”.

Currently, my PC does appear to Boot Up to my Windows System, but none of my Program Links or Desktop Icon links are operational; when clicked on, they do appear to be trying to open up, but simply just stop with no results.

That’s the current situation and I’m using my PC in Safe Mode to reply to your request…

  1. The Vista Home Premium is 32-bit
  2. The Avast is Avast Internet Security 5.0 (3 PCs for 1 year)
     element 5 - order number: 338926985
  3. I think this is the Pro version (paid for).

Here is the Copy of the MBAM Log … (SEE PART 2)

= = = = = = = = = = = = = = = =
Following your reply I have downloaded OTL and ran a Full Scan.

I have attached the 2 OTL Files to this post.

Currently everything is working in “SafeMode”.

Thank you once again for your help and advice. It is much appreciated.

Here is the Copy of the MBAM Log with a considerable amount of Infected Files cut off because the full file exceeds the 10000 character limit considerably.

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4727

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18943

2010/10/01 17:07:12
mbam-log-2010-10-01 (17-07-12).txt

Scan type: Full scan (C:\|)
Objects scanned: 491595
Time elapsed: 1 hour(s), 12 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 298

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{08c72dd4-19ad-49f1-83da-8542b4d302c5} (Trojan.FakeCodec) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EUSPGANC\5-direct[1].ex (Trojan.DNSChanger) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HH392Z7Z\5-direct[1].ex (Trojan.DNSChanger) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\3DEB.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz11A9.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz1209.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz1362.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz144A.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz1513.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz15AF.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz17AF.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz1834.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz1968.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz1A2D.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz1AF4.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz1B77.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz1BA9.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz1D6A.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz1E78.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz1F49.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz1FEE.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz200A.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz232C.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz2410.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz25A1.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz25D1.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz269D.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz2927.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz2988.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz29D2.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz2B20.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz2C32.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz2C84.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz2C87.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz2D88.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz2E38.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz2EDA.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz2F24.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz303D.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz3114.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz31C4.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz3246.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz32AA.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz3301.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\trz337D.tmp (Trojan.FakeAV) →
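The log John pasted above is the standard MBAM 1.x text report: summary counters first, then one section per category with `item (Family.Name) → action.` lines. As an added example (not MBAM's code and not anything posted in this thread), the Python below parses that format and rolls it up into the points a helper checks before replying: which families were hit, which directory the drops cluster in, which items are still waiting on a reboot, whether a rootkit-class family such as Rootkit.TDSS appears, and whether the paste was cut short. The last check matters here: the Part 2 log declares 298 infected files but lists far fewer because of the forum's 10000-character limit. The embedded sample log is constructed in the same shape with placeholder paths and a placeholder CLSID, not values from John's machine.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log (added example, not MBAM code)."""
import re
from collections import Counter

# Constructed sample in the thread's log format; paths and the CLSID are
# placeholders, not values from the poster's machine.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4727

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18943

Scan type: Full scan (C:\|)
Objects scanned: 491595
Time elapsed: 1 hour(s), 12 minute(s), 42 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000} (Trojan.FakeCodec) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\user\AppData\Local\Temp\example1.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Local\Temp\example2.tmp (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Local\Temp\example3.tmp (Trojan.FakeAV) -> Delete on reboot.
"""

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
COUNTER_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# The item may itself contain parentheses (e.g. "Program Files (x86)"), so the
# greedy item group leaves the family as the last "(...)" before the arrow.
DETECTION_RE = re.compile(r"^(.+) \(([^()]+)\) (?:->|→) (.+?)\.?$")


def parse_mbam_log(text):
    """Return header fields, declared per-category counts and the listed detections."""
    report = {"header": {}, "declared": {}, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if m := HEADER_RE.match(line):
            report["header"][m.group(1)] = m.group(2)
        elif m := COUNTER_RE.match(line):
            report["declared"][m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := DETECTION_RE.match(line)):
            report["detections"].append(
                {"category": section, "item": m.group(1),
                 "family": m.group(2), "action": m.group(3)})
    return report


def summarize(report):
    """Roll the detections up into the points a reviewer checks first."""
    dets = report["detections"]
    listed = Counter(d["category"] for d in dets)
    return {
        "families": dict(Counter(d["family"] for d in dets)),
        # Parent directories of file detections: shows where the drops cluster.
        "directories": dict(Counter(
            d["item"].rsplit("\\", 1)[0]
            for d in dets if d["category"] == "Files Infected")),
        # Anything not already quarantined still needs follow-up (usually a reboot).
        "pending": [d["item"] for d in dets
                    if not d["action"].startswith("Quarantined and deleted")],
        # A rootkit-class family means a standard scan alone is not enough.
        "rootkit_families": sorted({d["family"] for d in dets
                                    if d["family"].startswith("Rootkit.")}),
        # Declared count above the listed count means the paste was truncated.
        "truncated": {cat: (n, listed.get(cat, 0))
                      for cat, n in report["declared"].items()
                      if listed.get(cat, 0) < n},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the sample, or feed `parse_mbam_log` the contents of a real `mbam-log-*.txt`; a non-empty `truncated` entry is the cue to ask for the full log as an attachment rather than a paste.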

We may not need to do a deep AV scan depending on the results of these two runs. But if we do, the scan could take up to 5 hours, so please be prepared for that. Both programmes may be run in safe mode.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - (stbqpfs) -- C:\Windows\System32\drivers\oigglh.sys File not found
[2010/09/30 10:16:00 | 000,000,120 | ---- | M] () -- C:\Users\John\AppData\Local\Gyaxab.dat
[2010/09/30 10:15:59 | 000,000,000 | ---- | M] () -- C:\Users\John\AppData\Local\Yhacaz.bin

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thank you for your help - It is much appreciated.

I’ve attached the Log Files as requested.

I hope they are in order and will help solve the problem

Kind regards,

John

@ Essexboy, I had instructed the OP in my first post to turn on WD as Resident since Avast was not recognized in the Security Center. I also did not know he had SAS. I see both in his Combofix logs. I’ll let you analyze the logs since you are the expert in this area. :wink:

Thank you John for providing the logs. Essexboy will continue from here.

Hi SafeSurf,

This morning my PC booted up OK and I think everything may be back to normal???

However, one thing I omitted to add to my previous posts was that there is a problem with my Windows Defender.

It does not Turn On Automatically, and when I try to start the Program from the Program Icon or try to Open it I get an Error message
“Application Failed to initialize: 0x800106ba. A problem caused this program’s service to stop.”…

See Attached Image file

Thanks again for your help.

I don’t think everything is back to normal yet. Did you have this WD problem prior to the malware problem?

I know Essexboy has other tools to use that I’m sure, and I’m sure he will be giving you further instructions. So stay posted to the thread for his post. Thank you.

I’m honestly not sure whether the problem with WD was there prior to the Virus.
I only became aware of it when trying to follow your instruction to enable WD.

Thanks again for all your help.

John

Infected copy of c:\windows\system32\drivers\nvraid.sys was found and disinfected Restored copy from - Kitty had a snack :p

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Once this is complete we will look at the remaining problems with WD

Here is the Log File from the MBAM Quick Scan…

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4758

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

2010/10/06 21:45:59
mbam-log-2010-10-06 (21-45-59).txt

Scan type: Quick scan
Objects scanned: 153944
Time elapsed: 7 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

It looks as though there are no infected files.

Thank you for your help. It is much appreciated.

Kind regards,

John

OK, what problems remain before I remove my tools and tidy you up?

The only thing that occurred when trying to enable Windows Defender was the error message, but I’m not sure that it had anything to do with the Virus.

I think it has also happened on one of my Laptops.

I’ll attach the Error Message Image to see if it is anything to worry about…

SEE ATTACHED

Thanks again for your help.

Could you do the following:

  1. Go to Control Panel > Administrative Tools > Services
  2. Locate Windows Defender
  3. Right click Windows Defender and select Properties
  4. Ensure that Startup type is Automatic (Delayed)
  5. Ensure that the service is started; if not, try to start it
  6. If it fails, note the error generated

I don’t see Windows Defender in the Administrative Tools, so that could be the obvious problem.

I don’t recall ever having used WD.

Is it necessary?

I found a Windows Defender in the Control Panel itself, but when Double-Clicked or Right clicked and “Opened” it always shows the attached Error Message.

  1. From the Start menu, select All Programs > Accessories > right click Command Prompt and Run as Administrator
  2. In the Open field, type sfc /scannow (Note: there is a space between sfc and /scannow)
  3. Press Enter
  4. Follow the prompts throughout the System File Checker process.
  5. Reboot the computer when System File Checker completes.

Thank you so much Essexboy,

Everything now appears to be fine. Sorry for the delay in replying, - I was away from home yesterday evening.

Kind regards,

John Williamson