Author Topic: HELP!!! ( Win32:Tibs-ADO [Trj] )  (Read 12838 times)

eXa

  • Guest
HELP!!! ( Win32:Tibs-ADO [Trj] )
« on: January 01, 2007, 12:56:39 AM »
OK ... I have your Home version of Avast, it found a Virus called Win32:Tibs-ADO [Trj] (it's what Avast says)

It copies all my .exe files and adds a .exe to them ... like: D:\Dwnl Apps\Spybot S&D 1.4\spybotsd14.exe.Exe

And I noticed that all infected files appear in all my shared folders (on my PC) of my LAN

Avast detects this, BUT it doesn't seem to be able to find the source, which I guess is Win32:Tibs-ADO [Trj]

I've searched your site and found nothing! It's pissing me off! I scanned my WHOLE computer 3x with different software: SpyHunter, Avast, Spybot, WinTask Pro.... none of them can find the virus!

HELP PLEASE! Before it really makes me sick and I format my drive!

thanks!
« Last Edit: January 01, 2007, 01:04:41 AM by eXa »

galooma

  • Guest
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #1 on: January 01, 2007, 01:27:17 AM »
Hi and welcome.
Download and run this little program:
http://www.majorgeeks.com/download3155.html
Let it generate a log, which you should paste into your next reply.
This will give us a look at what's going on and enable people to help.
Ask questions if you have any.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #2 on: January 01, 2007, 02:28:07 AM »
HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3
On-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2

SpyHunter has a bit of history/form.
http://www.spywarewarrior.com/rogue_anti-spyware.htm#sh_note
Quote
Note on Enigma SpyHunter:  Enigma's SpyHunter anti-spyware application was listed on this page primarily because of the company's history of employing aggressive, deceptive advertising (1, 2, 3, 4, 5). The company was also known for exploiting the name "spybot" in its domain names and online advertising. These objectionable business practices were employed primarily from late-2002 to mid-2004.

Sometime during summer of 2004 the company halted the most obnoxious and objectionable aspects of its online advertising. It also unloaded all the "spybot" domains (which were promptly picked up by Paretologic for its XoftSpy anti-spyware application).

While there are still unresolved allegations that SpyHunter transmits the Windows Product ID from users' PCs (1), we can no longer classify this application as "rogue/suspect." Nonetheless, SpyHunter -- at least in its current state -- cannot be recommended because of its mediocre performance as an anti-spyware scanner. Testing indicates that it does not recognize some well-known spyware installations and has difficulty removing critical spyware/adware files even from those it does recognize (1). Given the many excellent competing anti-spyware applications that are available (some for free), users would do better looking elsewhere for trustworthy anti-spyware protection. 

Domains: enigmasoftwaregroup.com, spywareremove.com, uninstallxupiter.com

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. Ewido, a.k.a. AVG Anti-Spyware, if using WinXP, or a-Squared free if using Win98/ME.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

eXa

  • Guest
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #3 on: January 01, 2007, 10:57:48 AM »
This is the hijackthis.log :

Logfile of HijackThis v1.99.1
Scan saved at 4:50:17 AM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\WindowBlinds\wbload.exe
C:\Apps\Avast4\aswUpdSv.exe
C:\Apps\Avast4\ashServ.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Apps\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Apps\Avast4\ashMaiSv.exe
C:\Apps\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Apps\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Apps\Avast4\ashDisp.exe
C:\Apps\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\IRC\AARDKORR crypte\mirc.exe
C:\Apps\Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Documents and Settings\heckza\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Apps\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Apps\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Apps\FlashFXP\IEFlash.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Apps\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\Apps\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Apps\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Apps\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Apps\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{79357C45-EEB9-4DEA-AA5B-3CD16016C48D}: NameServer = 206.47.244.88 206.47.244.60
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\Apps\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Apps\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Apps\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Apps\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Apps\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Apps\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


galooma

  • Guest
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #4 on: January 01, 2007, 01:58:06 PM »

On-line analysis didn't see too much wrong with your log.
I would FIX this item: O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Apps\FlashFXP\IEFlash.dll (file missing)
From your log it appears that SpyHunter is gone, and that's a good thing.

It also appears you have Norton products on your system along with Avast!. Can you confirm that you only have one AV running? This is critical.

Have you downloaded the free antispyware products David recommended?
If so, then give one or both a whirl and see what they find.

One other thing you might want to do is put HJT in its own folder on your C drive, as it saves copies of logs you generate (useful if you ever need to backtrack), and if it's on your desktop they are harder to keep track of.

Lastly, you might benefit from updating your Java, as it's currently running at 1.5.09 or 10, so you are a couple behind.
Be sure to uninstall the older installations of Java from Add/Remove Programs when you update.

good luck

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #5 on: January 01, 2007, 02:50:39 PM »
Whilst there doesn't seem to be anything major in your log file, the on-line analysis highlights 'firewall' issues.
Quote
We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.

Windows XP's firewall is better than no firewall but, it lulls you into a false sense of protection, it doesn't provide outbound protection.
I would however, say you need to look at a third party firewall to protect against unauthorised outbound connections,
Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
- Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others, Comodo, Sunbelt Kerio, Jetico, etc.
See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml

Have you run either of the other two programs in safe mode ?

mauserme

  • Guest
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #6 on: January 01, 2007, 03:03:01 PM »
Here's a link for the Java update Clousou mentioned (currently at Update 10)

http://www.java.com/en/download/manual.jsp

You should also update your Acrobat Reader to version 8

http://www.adobe.com/products/acrobat/readstep2.html

eXa

  • Guest
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #7 on: January 01, 2007, 09:35:07 PM »
I don't have any Symantec products and only Avast is running as an anti-virus!

For the firewall, I use the one provided by Windows (I know it's not very good), but every time I install a software firewall my LAN is blocked! Maybe now ZoneAlarm can manage a LAN; if not, is there any free firewall I can get that will not block my LAN!?

I have downloaded Ewido AVG and updated Java! As for Acrobat Reader, it's gone now; I'm not using it very much, and if I need to, I'll redownload it!

I have moved HJT to my C (C:\hijackthis)

For this : O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Apps\FlashFXP\IEFlash.dll (file missing)
I'm not using IE at all!

And I have unshared all my folders (6) and the virus hasn't reappeared yet! But I know the virus is still there because I haven't found a way to remove it!

thx for your help! I'll post a new hijackthis log!
« Last Edit: January 01, 2007, 09:46:09 PM by eXa »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #8 on: January 01, 2007, 09:45:59 PM »
Your HJT log shows several Symantec products and more importantly one relates to Symantec Internet Security.

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/symlcsvc/

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/ccsetmgr/

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/ccevtmgr/

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/ccPwdSvc/

So it would appear you still have remnants on your system. Since you say you are only using the Windows firewall, there shouldn't be any Symantec internet security products, as I assume you uninstalled this?
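An added example (not part of the thread and not any poster's code): a small Python triage of the HijackThis log format shown above, separating entries marked "(file missing)" from the Symantec remnants the replies single out, and cross-checking "(file missing)" flags against the running-process list. The sample lines are copied from the first log in this thread; the function names and the `\symantec shared\` path marker are assumptions made for this example.

```python
import re

# Constructed sample: lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Apps\Avast4\ashMaiSv.exe
C:\Apps\Norton Ghost\Agent\VProSvc.exe

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Apps\FlashFXP\IEFlash.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avast!] C:\Apps\Avast4\ashDisp.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Apps\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Apps\Norton Ghost\Agent\VProSvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d{1,2}|[RFN]\d) - (.+)$")   # e.g. "O23 - Service: ..."
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll)\b", re.I)

def running_processes(log_text):
    """Lower-cased paths listed between 'Running processes:' and the next blank line."""
    procs, in_block = set(), False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block and not line:
            break
        elif in_block:
            procs.add(line.lower())
    return procs

def parse_entries(log_text):
    """Turn each 'Onn - ...' line into a dict with section, path and missing flag."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, detail = m.groups()
        path = PATH_RE.search(detail)
        entries.append({
            "section": section,
            "detail": detail,
            "path": path.group(0) if path else None,
            "file_missing": detail.endswith("(file missing)"),
        })
    return entries

def triage(log_text, remnant_marker="\\symantec shared\\"):
    """Group findings; remnant_marker is an assumed path fragment for leftovers."""
    running = running_processes(log_text)
    report = {"stale": [], "missing_but_running": [], "remnants": []}
    for e in parse_entries(log_text):
        path = (e["path"] or "").lower()
        if e["file_missing"]:
            # A "missing" file that is also a running process is not really absent.
            key = "missing_but_running" if path in running else "stale"
            report[key].append(e["path"])
        if remnant_marker in path:
            report["remnants"].append((e["section"], e["path"]))
    return report

if __name__ == "__main__":
    for group, items in triage(SAMPLE_LOG).items():
        print(group, items)
```

In this sample the avast! Mail Scanner service is marked "(file missing)" although ashMaiSv.exe appears in the running-process list, so that flag does not mean the file is absent; the FlashFXP BHO has no such match and is the stale entry.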

eXa

  • Guest
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #9 on: January 01, 2007, 09:46:34 PM »
Logfile of HijackThis v1.99.1
Scan saved at 3:43:54 PM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Apps\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Apps\Avast4\ashServ.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Apps\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Apps\Norton Ghost\Agent\GhostTray.exe
C:\Apps\Avast4\ashDisp.exe
C:\Apps\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\Apps\Avast4\ashMaiSv.exe
C:\Apps\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Apps\AVG Anti-Spyware 7.5\guard.exe
C:\Apps\AVG Anti-Spyware 7.5\avgas.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Apps\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Apps\FlashFXP\IEFlash.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Apps\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [avast!] C:\Apps\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Apps\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Apps\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Apps\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{79357C45-EEB9-4DEA-AA5B-3CD16016C48D}: NameServer = 206.47.244.88 206.47.244.60
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\Apps\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Apps\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Apps\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Apps\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Apps\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Apps\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Apps\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


eXa

  • Guest
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #10 on: January 01, 2007, 09:48:45 PM »
Oh yeah, right, David, I had a Symantec product and removed it! I don't remember why, but it's gone now!

I have to leave now, New Year Supper! I'll be back around 10 or 11 (GMT -5, Quebec\Canada)

Happy New Year guys! And thx again!
« Last Edit: January 01, 2007, 09:50:26 PM by eXa »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #11 on: January 01, 2007, 09:54:02 PM »
Then fix the entries I mentioned, that should remove the registry reference to them.

Also these which also seem to be related to symantec internet security:
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

http://www.liutilities.com/products/wintaskspro/processlibrary/ccapp/

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #12 on: January 02, 2007, 01:21:13 AM »
Quote
Oh yeah, right, David, I had a Symantec product and removed it! I don't remember why, but it's gone now!

Just to be sure...

1) Remove NAV through Add/Remove programs from Control Panel. Boot.
2) Use Symantec removal tool following the three steps defined in the SymNRT tool info or here.
3) Boot.  ;)
The best things in life are free.

eXa

  • Guest
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #13 on: January 02, 2007, 03:43:28 AM »
I forgot, I have one Symantec product : Norton Ghost!

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: HELP!!! ( Win32:Tibs-ADO [Trj] )
« Reply #14 on: January 02, 2007, 04:05:36 AM »
Although it is a Symantec (Norton) product, there shouldn't be any impact on an AV, which is why I didn't mention it ;D