Guest
Archived from groups: microsoft.public.windowsxp.security_admin

Hi,
I found a process named "tibprxy.exe" running on one of our XP machines. I
can't find anything about it. It has no info associated to the executable.
The Registry entry for it was random letters. It was not flagged by our
Anti-Virus or Spyware applications.

Does anybody have any idea what it is?

TIA,
James
 
Guest

From: "JamesB" <JamesB@discussions.microsoft.com>

| Hi,
| I found a process named "tibprxy.exe" running on one of our XP machines. I
| can't find anything about it. It has no info associated to the executable.
| The Registry entry for it was random letters. It was not flagged by our
| Anti-Virus or Spyware applications.
|
| Does anybody have any idea what it is?
|
| TIA,
| James

Please submit a sample of "tibprxy.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Guest

These are the results from Virus Total:
Antivirus: Version (Update) Result

AntiVir: 6.31.1.0 (08.26.2005) found: TR/Bremus
Avast: 4.6.695.0 (08.26.2005) found: Win32:Trojano-1662
AVG: 718 (08.26.2005) found: Downloader.Agent.IP
Avira: 6.31.1.0 (08.26.2005) found: TR/Bremus
BitDefender: 7.0 (08.26.2005) found: Trojan.Downloader.Agent.ED
CAT-QuickHeal: 8.00 (08.26.2005) found: TrojanDownloader.Agent.ed
ClamAV: devel-20050725 (08.26.2005) found: no virus found
DrWeb: 4.32b (08.26.2005) found: Trojan.AproposAd
eTrust-Iris: 7.1.194.0 (08.25.2005) found: Win32/Propo.E!Trojan
eTrust-Vet: 11.9.1.0 (08.26.2005) found: Win32.Propo.E
Fortinet: 2.41.0.0 (08.26.2005) found: W32/Agent.ED-tr
F-Prot: 3.16c (08.25.2005) found: security risk named W32/Agent.VP@dl
Ikarus: 0.2.59.0 (08.26.2005) found: no virus found
Kaspersky: 4.0.2.24 (08.26.2005) found: Trojan-Downloader.Win32.Agent.ed
McAfee: 4568 (08.26.2005) found: no virus found
NOD32v2: 1.1202 (08.25.2005) found: Win32/TrojanDownloader.Agent.ED
Norman: 5.70.10 (08.26.2005) found: no virus found
Panda: 8.02.00 (08.26.2005) found: Trj/Agent.ABG
Sophos: 3.97.0 (08.26.2005) found: no virus found
Sybari: 7.5.1314 (08.26.2005) found: Win32/Propo.E!Trojan
Symantec: 8.0 (08.25.2005) found: no virus found
TheHacker: 5.8.2.095 (08.26.2005) found: Trojan/Downloader.Agent.ed
VBA32: 3.10.4 (08.26.2005) found: Trojan.AproposAd

It looks like 6 out of 23 missed it, including our in-house AV app Norton
AntiVirus - Corporate Edition.

Thanks for all your help.

> From: "JamesB" <JamesB@discussions.microsoft.com>
> | I found a process named "tibprxy.exe" running on one of our XP machines.
> | [snip]
> | It was not flagged by our Anti-Virus or Spyware applications.
> |

"David H. Lipman" wrote:
> Please submit a sample of "tibprxy.exe" to Virus Total --
> [snip]
> When you get the report, please post back the exact results.
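As an added example (not part of the thread), a small Python parser for the VirusTotal report format quoted above: it skips the header, reads each engine line, and reports how many engines detected the sample and which ones returned "no virus found". The sample lines are a constructed subset of the report posted above.

```python
"""Parse VirusTotal report lines of the form
"<engine>: <version> (<update>) found: <result>" and summarise detections."""
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: a subset of the report lines quoted in this thread.
SAMPLE_REPORT = """\
Antivirus: Version (Update) Result

AntiVir: 6.31.1.0 (08.26.2005) found: TR/Bremus
Avast: 4.6.695.0 (08.26.2005) found: Win32:Trojano-1662
ClamAV: devel-20050725 (08.26.2005) found: no virus found
F-Prot: 3.16c (08.25.2005) found: security risk named W32/Agent.VP@dl
Kaspersky: 4.0.2.24 (08.26.2005) found: Trojan-Downloader.Win32.Agent.ed
Symantec: 8.0 (08.25.2005) found: no virus found
"""

# The header line has no "found:" token, so it does not match and is skipped.
LINE_RE = re.compile(
    r"^(?P<engine>[^:]+):\s+(?P<version>\S+)\s+\((?P<update>[^)]+)\)\s+found:\s+(?P<result>.*)$"
)


class EngineResult(NamedTuple):
    engine: str
    version: str
    update: str
    result: str

    @property
    def detected(self) -> bool:
        # VirusTotal reports a miss as the literal text "no virus found".
        return self.result.strip().lower() != "no virus found"


def parse_report(text: str) -> List[EngineResult]:
    """Return one EngineResult per matching line; blank and header lines are ignored."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append(EngineResult(**m.groupdict()))
    return results


def summarize(results: List[EngineResult]) -> Tuple[int, int, List[str]]:
    """Return (detections, engines_total, names of engines that missed it)."""
    missed = [r.engine for r in results if not r.detected]
    return len(results) - len(missed), len(results), missed


if __name__ == "__main__":
    hits, total, missed = summarize(parse_report(SAMPLE_REPORT))
    print(f"{hits}/{total} engines detected it; missed by: {', '.join(missed)}")
```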
 
Guest

From: "JamesB" <JamesB@discussions.microsoft.com>

| These are the results from Virus Total:
| Antivirus: Version (Update) Result
|

| ClamAV: devel-20050725 (08.26.2005) found: no virus found
| Ikarus: 0.2.59.0 (08.26.2005) found: no virus found
| McAfee: 4568 (08.26.2005) found: no virus found
| Norman: 5.70.10 (08.26.2005) found: no virus found
| Sophos: 3.97.0 (08.26.2005) found: no virus found
| Symantec: 8.0 (08.25.2005) found: no virus found

|
| It looks like 6 out of 23 missed it, including our in-house AV app Norton
| AntiVirus - Corporate Edition.
|
| Thanks for all your help.


Neither McAfee nor Sophos caught it. I wonder if Trend Micro recognizes this as well....

If you could PLEASE send me a copy in a password-protected ZIP file (including the password
used), I will submit the sample to the liaisons I have with the AV vendors who missed it and
also submit it to those other AV vendors that failed to identify it.

To send email, just remove ~nospam~ from either or both of the following email addresses...
DLipman~nospam~@Verizon.Net

David_H_Lipman~nospam~@Yahoo.Com

Thanx !
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Guest

From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

| From: "JamesB" <JamesB@discussions.microsoft.com>
|
|> These are the results from Virus Total:
|> Antivirus: Version (Update) Result
|>
|> ClamAV: devel-20050725 (08.26.2005) found: no virus found
|> Ikarus: 0.2.59.0 (08.26.2005) found: no virus found
|> McAfee: 4568 (08.26.2005) found: no virus found
|> Norman: 5.70.10 (08.26.2005) found: no virus found
|> Sophos: 3.97.0 (08.26.2005) found: no virus found
|> Symantec: 8.0 (08.25.2005) found: no virus found
|
|> It looks like 6 out of 23 missed it, including our in-house AV app Norton
|> AntiVirus - Corporate Edition.
|>
|> Thanks for all your help.
|
| Neither McAfee nor Sophos caught it. I wonder if Trend Micro recognizes this as
| well....
|
| If you could PLEASE send me a copy in a password-protected ZIP file (including the
| password used), I will submit the sample to the liaisons I have with the AV vendors who missed
| it and also submit it to those other AV vendors that failed to identify it.
|
| To send email, just remove ~nospam~ from either or both of the following email
| addresses... DLipman~nospam~@Verizon.Net
|
| David_H_Lipman~nospam~@Yahoo.Com
|
| Thanx !
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm
|

Sample received was subsequently submitted.

Trend Micro did recognize this infector as: TROJ_DLOADER.AKH

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Guest

ADDENDUM:

McAfee now recognizes this as: "Generic Downloader"
Its signature will be released in the full DAT in either v4573 or v4574.
In the meantime, the EXTRA.DAT file can be used.

The following can be used to create an EXTRA.DAT.

Copy and paste the text between the dashes "-------------" (including the empty line) and
save the text in a file called EXTRA.DAT.

Search for the file SCAN.DAT in: C:\Program Files\Common Files

Copy the EXTRA.DAT file and save it in the folder found containing SCAN.DAT.
[ Example: C:\Program Files\Common Files\Network Associates\Engine ]

-------------
74 178 152 178 77 51 202 214 99 86 255 218 110 19 201 220
122 93 225 220 108 87 232 193 217 59 141 179 13 51 141 179
29 51 114 178 121 204 158 63 28 51 92 146 92 239 188 225
55 92 183 220 57 134 82 197 113 253 128 49 10 49 236 209
13 51 140 179 25 254 143 180 13 125 138
5609 256 13104 519 Generic Downloader


-------------



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm