HELP!!! ( Win32:Tibs-ADO [Trj] )

[eXa]

Is it better to use a software to remove the symantec files or I can delete the files directly ?

and ... I know all this is good for my system, but the Virus ?! what can I do to remove it from my PC 

If avast detect it (the .exe.exe files), why it's not able to remove the virus that cause this ?! It must have a Removal Tool somewhere!

[galooma]

its reasonable to expect that Avast! removed the trojan if it identified it . There doesnt seem to be any evidence of it in the HJT list. Maybe you could find a clue in the virus chest of Avast or in a log of events.

Have you done any investigation into the trojan on Avasts web site or Google perhaps?

Perhaps an alternative scan at an online service like KAV http://www.kaspersky.com/scanforvirus
It might take a while to load but its very thorough.

Good luck

[eXa]

I have only move 2 or 3 files in the Avast Chest, all the other files that avast has detect, I choose "delete" (the infected file, not the virus itself)! every 2 to 5minutes a new file was infected!

This is one file in the Avast Chest :

Original File Name : KilpFolio-Install.exe.Exe
Original Folder : D:\Dwnl Apps\KlipFolio 3.0
Size of the file : 59566
Last Modification time : 12/31/2006 9:48:08 PM
Time of transfer to chest : 12/31/2006 5:48:31 PM
Category : Infected files
Virus Description : Win32:Tibs-ADO [Trj]
File ID : 1

As I said, this happened only in the folders I share on my network that contain .exe files, it infect in alphabetical order the exe file! And since I have unshare my 6 folder, the virus have not reappear!

Hooo and I remember something, a couple of months ago I had a problem quite the same as this one, except I had no ".exe.exe" file but only a setup.exe and an autorun.ini appearing, again, in all my shared folder! Everytime I saw these files, my AV detected it, and I deleted both files! I can't remember the name of this virus!

Maybe this might help!

[Lisandro]

every 2 to 5minutes a new file was infected!

If a virus is replicant (coming and coming again), you should:

1) Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
2) Clean your temporary files.
3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
4) Use a-squared, Free AVG Antispyware or  SUPERantispyware (trojan removers).

[eXa]

Tech , all this have been done!

My System Restore is always Turn off!
I clean my Temp folder every 2days (Temporary Internet Files,Temps,Cookies,History and My Recent Documents)
A boot time scanning!
And AVG AntiSpyware!

And I did what Cloussau says!
There is the report of the Kaspersky Scan :

www.linkxworld.com/Kaspersky.Report.html

This : D:\RECYCLER\S-1-5-21-1078081533-920026266-725345543-1003\Dd396.01\Partition Magic 8.0\BTMagic\Rescueme\DOSYSTEM\WRPROG.EXE.Exe
have been deleted!

At the end of the report, it show this : D:\System Volume Information\_restore{DAFD93D3-068D-40F6-9E39-432452187FD9}\RP3\A0000432.exe
I don't know how to remove this!

[DavidR]

If as you say the system restore is always off and after a reboot, there shouldn't be anything in the System Volume Information folder. If there is then you need to check again as there is a corresponding system restore and System Volume Information for each drive.

Win XP - How to disable System Restore

Is the D:\ drive your boot drive, the one with windows on it ?
If so what is on C:\ ?

[eXa]

My C is for Windows!
D it's all Backup!
I decide to Turn off my system restore a couple of month ago!! Cause i'm using Norton Ghost, so if my system crash, I restore the system with Ghost! That's why I use my C drive only for Windows and Programs\Games Intallation!

[galooma]

Can you confirm that System restore is definitely off on drive D as this entry tells us it is active D:\System Volume information\_restore{DAFD93D3-068D-40F6-9E39-432452187FD9}\RP3\A0000432.exe

Does the PC or any of the other systems on your LAN still show any symptoms of this infection ?

[DavidR]

My C is for Windows!
D it's all Backup!
I decide to Turn off my system restore a couple of month ago!! Cause i'm using Norton Ghost, so if my system crash, I restore the system with Ghost! That's why I use my C drive only for Windows and Programs\Games Intallation!

Same as mine windows on c:\, my d:\ partition for most programs, data in general, plus a second HDD with a further two partitions for back-ups and each of those has a System Volume information folder. My system restore is also permanently disabled as I use Drive Image, but you have to disable system restore for each partition or drive. Once this is done and you have rebooted it should be an impossibility to have _restore points in the System Volume information folders.

[eXa]

When I Right click on My Computer,Proporties,System Retore Tab, Turn Off System Restore on all Drive is checked, and in Drive Settings, its says :

Drive | Status
(C:) | Turned off
(D:) | Turned off

C & D are Partitions of the Same HDD! (C=30GB, D=80GB, Total=120GB)

But when I disable "Hide protected operating system files (Recommended)" I still have a "System Volume information" folder in both Partition!

Is There any way to Delete (from my D:) the System Volume Informatin folder or delete this : D:\System Volume information\_restore{DAFD93D3-068D-40F6-9E39-432452187FD9}\RP3\A0000432.exe ?

Does the PC or any of the other systems on your LAN still show any symptoms of this infection ?

No, not since I have unshare all my folders! I have also done all scan on the second PC and everyting is fine! But I'm almost sure that if I share a folder containing any .exe files again, the virus will reappear!

[Lisandro]

Drive | Status
(C:) | Turned off
(D:) | Turned off
C & D are Partitions of the Same HDD! (C=30GB, D=80GB, Total=120GB)

If you have two HDD in the same computer, BIOS will give the first partition on the first disk the letter C. And D will be the first partition on the second HDD.
Only Windows will 'call' (attribute) C and D to different partitions on the same HDD.
But what I can see is that BIOS is not recognizing neither the first nor the second HDD...  :'(

Is There any way to Delete (from my D:) the System Volume Informatin folder or delete this : D:\System Volume information\_restore{DAFD93D3-068D-40F6-9E39-432452187FD9}\RP3\A0000432.exe ?

Yes. Disable System restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
If that fails, use Unlocker (http://ccollomb.free.fr/unlocker/) or Delete FXP (http://www.jrtwine.com/) you can delete files that, for any reason, have a bad 'signature' in the Master File Table (MFT). Some files could be removed following How to Remove Files with Reserved Names in Windows XP.

[eXa]

Tech , I only have one HDD with 2 partitions on it C & D!

My System Restore is turned off!

I have Unlocker, but When I right-Click on both "System Volume Information" Unlocker is not appearing, and I can't enter in the folder too (Access Denied)!

So I'll try JRTwine and see what I can do, but can I delete the Whole "System Volume Information" in both partition ?

thx for your help guys!

[Lisandro]

When I right-Click on both "System Volume Information" Unlocker is not appearing, and I can't enter in the folder too!

You'll have to take ownership of the folder.

1) Make sure you computer is set to "View Hidden Files" and you have "Full Administrative Access"
2) Browse to System Volume Information folder, right-click it. Open properties, click Security > Advanced > Owner > Edit > Administrators.
    Click OK and close the properties. Then re-open properties of the file, Click Security > Advanced > Edit > select Administrators and click Edit.
    Click "Full Control", Click OK and close the properties.

[DavidR]

Try the info here http://support.microsoft.com/kb/309531.

Found this snippit also:

If you start the Disk Cleanup utility and you click the Disk Cleanup tab, a System Restore: Obsolete Data Stores entry is available. These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them. If you choose to clean up and delete these

Right click on the D:\ drive, Properties, Disk Clean-up, see image. This should get rid of some of the dross and possibly this restore point.

Another thought would be to enable system restore, reboot, disable system restore, reboot and see if it kills them all.

[eXa]

good! The link David gave work! ( http://support.microsoft.com/kb/309531. )

I have no "_restore" folder in my C & In SVI Folder of my D I have 2 "_retore" folder! I can delete both I guess

I have open the folder and found the Virus ( A0000432.exe\Backdoor.Win32.Rbot.gen ) and delete it using Avast! In the same folder of the virus it have 6 files :

A0000433.ini
A0000434.ini
A0000435.ini
A0000436.ini
A0000437.ini
change.log


I check all the ini, and the content of the 5 ini are releated to my mIRC settings, & the change.log is encrypted! Hopefully I'm not keeping my password for irc in the perform or in my addons of my script!