Windows 7: Avast has found "Win32:Tibs-AFH [Trj]" - any advice?

17 Jan 2010
Windows7 Pro x64, 210 posts
Hi
My Avast anti-virus program has detected a Trojan Horse called "Win32:Tibs-AFH [Trj]".
How do I find out how serious a problem it is?
FWIW, it appears to be connected to some email (I am using Outlook 2003) - something to do with Condoleezza Rice....
With thanks
Ship
17 Jan 2010
Windows 7 & Windows Vista Ultimate, 2,476 posts, Upstate NY
Hi, shipen.
It is likely that Avast detected the trojan in spam e-mail. Hopefully you haven't opened the email, followed any links in it or launched any attachments to it. Delete the email and empty your "Deleted" folder in Outlook. Check for updates and scan your computer with Avast and, preferably, your anti-malware software.
See Viruslist.com - Trojan-Downloader.Win32.Tibs.aw.
17 Jan 2010
Windows7 Pro x64, 210 posts
Done.
Rather worryingly it seems that there were quite a few of them!
AVAST FOUND:
Win32:Tibs-AFH [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel.msg
Win32:Tibs-AFX [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\The Kiss.msg
Win32:Tibs-AFX [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\The Kiss.msg
Win32:Tibs-AGA [Wrm] C:\documents and settings\XXXX\local settings\temp\X1Server\Forever in Love.msg
Win32:Tibs-AIE [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\I Would Give you Anything.msg
Win32:Tibs-AFH [Trj]
But what about these that MSE (Microsoft Security Essentials) seems to have found. Something to do with Avast - or could they be real?
Nuwar.N@mm!CME-711 C:\DOCUME~1\XXXXST~1\LOCALS~1\Temp\_avast4_\unp28372.tmp
Trojan: Win32/Vxidl.gen!B File:C:\DOCUME~1\XXXXST~1\LOCALS~1\Temp\_avast4_\unp69768409.tmp
Trojan: Win32/Vxidl.gen!dam File:C:\DOCUME~1\XXXXST~1\LOCALS~1\Temp\_avast4_\unp142407802.tmp
17 Jan 2010
Windows 7 Ultimate x86 SP1, 767 posts
wait..
How did you get the MSE report? (MSE real-time scan, or did you run an on-demand scan yourself?)
It seems it caught either Avast's quarantine or its definitions..
17 Jan 2010
Windows 7 & Windows Vista Ultimate, 2,476 posts, Upstate NY
I suggest cleaning temp files and running an anti-malware application as well and, if everything is OK on your computer, emptying the Avast quarantine.
Please download ATF Cleaner by Atribune from ATF-Cleaner.exe - www.atribune.org. Save it to your Desktop.
Run ATF Cleaner:
- Double-click ATF-Cleaner.exe to run the program.
- Click Select All, found at the bottom of the list.
- Click the Empty Selected button.
- Click Exit on the Main menu to close the program.
- Shutdown/restart the computer.
Download Malwarebytes' Anti-Malware to your desktop:
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, be sure Quick scan is selected, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, EXCEPT items in System Restore, as shown in this sample:
- Click Remove Selected.
To clean the Avast quarantine vault:
- Start Avast by right-clicking the program icon (@) and selecting Start Avast Antivirus.
- When the program is running (it will run a memory scan to start with, but this can be skipped):
- Right-click anywhere on the interface and a menu will appear.
- Select Virus Chest.
- Select ALL infected files.
- Right-click and select Delete.
- Accept the warning.
- Done. You can exit the menu.
18 Jan 2010
Windows® 8 Pro (64-bit), 8,233 posts, Mumbai, India
It looks like MSE has detected Avast virus definitions, which is a false positive.
Edit: let Avast handle the virus. Run a full system scan.
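Whether the MSE hits under `_avast4_` are "real" comes down to where the flagged files live, which is what the replies above are reading off the paths. As an added example (not code from this thread, nor from Avast, MSE or X1), the Python script below parses detection lines in the two formats quoted by the original poster and groups them by the directory that produced the file: Avast's own `_avast4_` temp folder, where it unpacks objects while scanning (so a second scanner is seeing Avast's working copies, as the replies say), versus the `X1Server` temp folder named in the Avast hits, which holds the desktop search indexer's copies of old mail items. The directory markers, the origin labels and the sample log are assumptions constructed from the paths quoted in the thread, not an official format description from either vendor.

```python
"""Triage anti-virus detection lines by the directory that produced the file.

Assumption (from the paths quoted in the thread): files under \\_avast4_\\ are
Avast's temporary unpack copies, and files under \\X1Server\\ are the X1
desktop search indexer's copies of e-mail items. Both are working copies made
by another program, not the object that originally arrived on the machine.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input, modelled on the detection lines quoted in the thread.
SAMPLE_LOG = """\
Win32:Tibs-AFX [Trj] C:\\documents and settings\\XXXX\\local settings\\temp\\X1Server\\The Kiss.msg
Win32:Tibs-AFX [Trj] C:\\documents and settings\\XXXX\\local settings\\temp\\X1Server\\The Kiss.msg
Win32:Tibs-AGA [Wrm] C:\\documents and settings\\XXXX\\local settings\\temp\\X1Server\\Forever in Love.msg
Nuwar.N@mm!CME-711 C:\\DOCUME~1\\XXXXST~1\\LOCALS~1\\Temp\\_avast4_\\unp28372.tmp
Trojan: Win32/Vxidl.gen!B File:C:\\DOCUME~1\\XXXXST~1\\LOCALS~1\\Temp\\_avast4_\\unp69768409.tmp
Trojan: Win32/Vxidl.gen!dam File:C:\\DOCUME~1\\XXXXST~1\\LOCALS~1\\Temp\\_avast4_\\unp142407802.tmp
"""

# "<detection name> [File:]<drive-letter path>": the name is everything before
# the whitespace that precedes the first drive-letter path on the line.
LINE_RE = re.compile(r"^(?P<name>.+?)\s+(?:File:)?(?P<path>[A-Za-z]:\\.*)$")

# Assumed directory markers, lower-cased, taken from the thread's own paths.
ORIGIN_MARKERS = {
    "\\_avast4_\\": "scanner-unpack-temp",  # Avast's temporary unpack folder
    "\\x1server\\": "search-index-temp",    # X1 desktop search's copy of mail
}

ORIGIN_NOTES = {
    "scanner-unpack-temp": "temp copy made by another scanner while it worked on an object",
    "search-index-temp": "indexer's copy of a mail item; the original message is the real object",
    "other": "not in a known working directory; treat as a live detection",
}


@dataclass(frozen=True)
class Finding:
    name: str    # detection name as the scanner printed it
    path: str    # full path of the flagged file
    origin: str  # one of the ORIGIN_NOTES keys


def classify_path(path):
    """Map a flagged path to the program whose working directory it sits in."""
    lower = path.lower()
    for marker, origin in ORIGIN_MARKERS.items():
        if marker in lower:
            return origin
    return "other"


def parse_log(text):
    """Parse detection lines; unparseable lines are skipped, exact repeats collapsed."""
    findings, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        f = Finding(m.group("name"), m.group("path"), classify_path(m.group("path")))
        if f in seen:  # Avast listed the same file twice in the thread
            continue
        seen.add(f)
        findings.append(f)
    return findings


def summarize(findings):
    """Count findings per origin, e.g. Counter({'scanner-unpack-temp': 3, ...})."""
    return Counter(f.origin for f in findings)


def report(findings):
    """Return one human-readable line per finding, grouped by origin."""
    lines = []
    for origin in sorted(summarize(findings)):
        lines.append(f"== {origin}: {ORIGIN_NOTES[origin]}")
        for f in findings:
            if f.origin == origin:
                lines.append(f"   {f.name}  ->  {f.path}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_log(SAMPLE_LOG))))
```

Run against a pasted scanner log, the `scanner-unpack-temp` group is the one to stop worrying about: those files exist only while the other scanner is working, and the thread's own resolution (let one product handle the items, then empty its quarantine) covers them. The `search-index-temp` group says the indexer copied infected messages out of the mail store, so deleting the originating e-mails and then clearing temp files, as the first reply and the ATF Cleaner step above advise, removes both the source and the copies; anything that lands in `other` deserves a look in its own right.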
18 Jan 2010
W7 X-64 RTM, SUSE 11.1, XP PRO SP3 as a VM, VMware ESXi, 5,149 posts, Hafnarfjörður IS
Hi there
I'd go the OTHER route
Get rid of AVAST and let MSE kill the trojan.
It would appear that it comes through some sort of Email -- I don't know what email client you are using but you definitely should scan ALL emails before opening ANY of them.
I'd actually RESTORE the entire computer from an earlier image backup - should get rid of the entire problem.
I'm never certain that ANY AV software will really CLEAN a machine once it's got on to the system in the first place. The best AV software can do is prevent infection in the first place -- and in this case the AV software obviously hasn't worked properly.
Corrine: in your example you can see that it's got on to the machine by a Registry key notification as well as other areas of the "C" drive.
My OS ("C") partition is SACROSANCT -- if an infection actually gets that far then I BIN that image and re-load a fresh one.
Since I take a system backup every day (02.00 AM automatically run) I can always get a decent recovery. I have a 25 GB Windows 7 partition which takes around 15 Mins to backup or restore.
YMMV however -- but I'd restore the machine -- I'd never trust it again 100% by just a normal "Clean".
Cheers
jimbo
18 Jan 2010
Windows7 Pro x64, 210 posts
Hi
It seems that "X1 search" (which, after much searching, is probably the best desktop search utility that I have found so far) is spidering the content of old emails - which seems dangerous!
Working my way through the above...
OP