Author Topic: Every 15 Seconds avast File System - Trojan Horse Blocked - Win32:Tibs-EOE [Trj]  (Read 5909 times)

Notts James

  • Guest
Hi there, one hour ago I started receiving constant pop-ups from avast's file system shield, stating it had blocked a trojan horse:
Object:    C:\Users\James\AppData\Local\Temp\eapp32hst.dll
Infection:     Win32:Tibs-EOE [Trj]

These reminders are showing up every 15 seconds and are becoming extremely annoying. Windows Defender states that there are no infections and that windows is running normally. However, I'm conducting a full scan with avast and it's 43 minutes through showing 1 infected file.

I'm using the Free Version of avast! 5.0.677.
My laptop is a Windows 7 - Home Premium, 64-bit


At the moment I'm at a loss, as I need my laptop for university work and this problem is stopping me in my tracks. Help is much appreciated. James.

Offline DavidR

Well for a .dll file to be in the Temp folder in its own right is a little suspect and a google search on the name returns suspect indications too.

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies, they are a minor issue and not one of security; allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Notts James

  • Guest
Here's my MBAM log, just to let you know as well - the avast notifications have stopped now but I'm still edgy:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4865

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

18/10/2010 02:09:42
mbam-log-2010-10-18 (02-09-42).txt

Scan type: Quick scan
Objects scanned: 138373
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\Users\James\AppData\Local\Temp\dfrgsnapnt.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Users\James\AppData\Local\hcatofl.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pnogexowex (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfrgsnapnt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\azapegogajek (Trojan.Agent.U) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\James\AppData\Local\hcatofl.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Users\James\AppData\Local\Temp\dfrgsnapnt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Local\Temp\0.7465309162315942.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Local\Temp\9BCC.tmp (Trojan.Alureon.Gen) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Local\Temp\9BCD.tmp.exe (Trojan.Alureon.Gen) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Local\Temp\qisUSCYNQf.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Local\Temp\topwesitjh (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Local\Temp\WINDOWS_SECURITY_CENTER.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Local\ubuzuvovepurifum.dll (Trojan.Agent.U) -> Delete on reboot.

Notts James

  • Guest
Thank you DavidR for your quick response. As for my firewall, I thought Avast covered that (bit lost with computers); other than that I'm not using anything else.

Notts James

  • Guest
To let you know as well, my flatmate had been using my computer to watch TV on the site wwwTVShackcc
I thought nothing of it until I found a virus system shield popup waiting for me when I got back from class next to the tvshack website. Thought this may be of importance (she's now forbidden from using my laptop hah)
« Last Edit: October 18, 2010, 03:39:04 AM by Notts James »

Notts James

  • Guest
Ok so I had to restart my computer, the MBAM log said that some infections were only able to be deleted with a restart.

These are the 2 messages I got when starting up the comp:

-"RunDLL

There was a problem starting
C:\Users\James\AppData\Local\hcatofl.dll

The specified module could not be found."

-"RunDLL

There was a problem starting
C:\Users\James\AppData\Local\ubuzuvovepurifum.dll

The specified module could not be found."

Offline DavidR

The error messages relate to what may well have been removed, but the registry entries are still there trying to run them. So they aren't an issue other than being a pain getting the errors.

Run MBAM again and see if it can get rid of the redundant registry entries.
Also CCleaner - Temp File Cleaner, etc. Whilst this is primarily for clearing out temp data, it has a Registry checker and that may also find and flag these orphan/redundant registry entries. It is a relatively safe registry cleaner; it doesn't go too deep and it offers a back-up of any changes made, accept it.

If you haven't run SAS I would suggest running that also.

Thank you DavidR for your quick response. As for my firewall, I thought Avast covered that (bit lost with computers); other than that I'm not using anything else.

It depends on what avast version you are using, avast5 Free/Pro/AIS, only the Avast Internet Security suite has a firewall ?

- Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
« Last Edit: October 18, 2010, 04:10:25 AM by DavidR »
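The follow-up described in the reply above (items flagged "Delete on reboot", and Run values that may outlive the files they point to) can be pulled straight out of the posted log. The Python below is an added example, not part of the original thread or of Malwarebytes; its function names and the pairing of Run values to files by shared detection name are assumptions, and the sample lines are copied from the log posted earlier in the thread.

```python
import re
from collections import defaultdict

# Sample lines copied from the MBAM log posted earlier in this thread.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\Users\James\AppData\Local\hcatofl.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pnogexowex (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfrgsnapnt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\azapegogajek (Trojan.Agent.U) -> Delete on reboot.

Files Infected:
C:\Users\James\AppData\Local\hcatofl.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Users\James\AppData\Local\Temp\dfrgsnapnt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Local\ubuzuvovepurifum.dll (Trojan.Agent.U) -> Delete on reboot.
"""

SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")
ITEM = re.compile(r"^(?P<obj>.+?) \((?P<det>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam(text):
    """Return (section, object, detection, action) for every item line."""
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:  # header such as "Files Infected:" opens a new section
            section = m.group("name")
            continue
        m = ITEM.match(line)
        if m and section:  # "(No malicious items detected)" never matches
            items.append((section, m.group("obj"), m.group("det"), m.group("action")))
    return items

def post_reboot_checks(items):
    """Map each pending Run value to pending files with the same detection.

    Assumption: a Run value and a file flagged with the same detection name
    belong together; the log does not show the value's data to confirm it.
    """
    pending = [i for i in items if i[3].lower().startswith("delete on reboot")]
    files = defaultdict(set)
    for sec, obj, det, _ in pending:
        if sec in ("Files", "Memory Modules"):
            files[det].add(obj)
    return {obj: sorted(files[det]) for sec, obj, det, _ in pending
            if sec == "Registry Values" and "\\CurrentVersion\\Run\\" in obj}
```

Each key in the result is a Run value to confirm gone after the restart; if the value is still present while its paired file is not, that is the state that produces the RunDLL "module could not be found" messages quoted in the thread.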