virus.downloader.tibs



inuyasha.rules
2006-12-11, 22:40
AVG keeps returning a virus in C:\Windows\Temp\ called virus.downloader.tibs. There are about 5 or 6 non-deletable files with names like __d_e_l_e_t_e_-_o_n_r_e_b_o_o_t {random numbers}._d_l_l_ that can be opened in Notepad but can't be modified in any way. I tried renaming the temp folder and making a new one to break the linking to whatever is protecting them, but that didn't help. There is also a user account that is abandoned, but certain files in the Local Settings\Temp\ folder also cannot be removed or modified. There were over 300 viruses on the computer initially, and all have been removed but the virus.downloader.tibs.

pskelley
2006-12-12, 14:26
Welcome to the forum, please be advised that most forums Pin the information you need at the top of the page. These two links are a must before you can proceed, but I suggest you review all Pinned (Sticky) information.

UPDATED WINDOWS - Your first line of defence, links and tips
http://forums.spybot.info/showthread.php?t=425

"BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D
http://forums.spybot.info/showthread.php?t=288
Use "Post Reply" to post the information in the instructions and stay in the same topic.

Thanks

inuyasha.rules
2006-12-12, 17:21
heres the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 9:12:01 AM, on 12/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
G:\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - Default URLSearchHook is missing
O1 - Hosts: os.com
O1 - Hosts: w.mcafee.com
O1 - Hosts: os.com
O1 - Hosts: iveupdate.com
O1 - Hosts: os.com
O1 - Hosts: iveupdate.com
O1 - Hosts: ymantec.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.com/MFInstall/MFInstall.cab
O20 - Winlogon Notify: artm_newreg - C:\WINDOWS\
O20 - Winlogon Notify: dssmgr - egamgr32.dll (file missing)
O20 - Winlogon Notify: msstkbdd - C:\WINDOWS\
O20 - Winlogon Notify: mswmmqce - C:\WINDOWS\
O20 - Winlogon Notify: yvprgb - yvprgb.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: nZTuyrQHQi - {543A17CE-FE90-BD64-3C8B-22FC73B30EB9} - blank (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi31408.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)

I can do Windows updates, because the customer doesn't want SP2. It kills your gaming ability, which is what this computer is used for, so that's a dead end. Spybot found nothing. As I stated earlier, and I don't mean to sound rude, but the only one I need help with is the virus.downloader.tibs. I also don't think it is a background service or registry file, because they can't be deleted, even under Linux.

inuyasha.rules
2006-12-12, 17:27
:oops: Correction: I connected it to the internet to download the updates for AVG, and in came a bunch of stuff in Spybot. All of them are tracking cookies, but 3 redirected hosts: sophos.com, symantech.com, and securityresponse.symantech.com.

pskelley
2006-12-12, 18:11
OK, I don't mean to sound rude either, but it sounds like I am helping you with a customer's computer and the computer is a mess.
O20 - Winlogon Notify: artm_newreg - C:\WINDOWS\
O20 - Winlogon Notify: dssmgr - egamgr32.dll (file missing)
O20 - Winlogon Notify: msstkbdd - C:\WINDOWS\
O20 - Winlogon Notify: mswmmqce - C:\WINDOWS\
O20 - Winlogon Notify: yvprgb - yvprgb.dll (file missing)
I have not even looked at the other junk and the hosts file issue. Did they set that hosts file like that? Here is the deal: if you want my help, I clean the computer my way and you follow the instructions. If not, then I suggest you seek assistance elsewhere, perhaps with someone who will follow your directions.

Thanks...just let me know, I will be out until later in the evening.
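As an added illustration (not code from this thread or from the HijackThis tool), here is a small Python triage of the log sections singled out above: the O1 hosts redirections the poster noticed and the O20 Winlogon Notify entries pskelley quoted, plus the O21/O23 entries marked "(no file)" or "(file missing)". The sample lines are constructed in the HijackThis v1.99 line format shown in the log, and the list of vendor-name fragments is an assumption.

```python
import re

# Constructed sample lines in HijackThis log format (modelled on the thread,
# not a verbatim copy of its log). Raw string, so backslashes stay literal.
SAMPLE_LOG = r"""
O1 - Hosts: w.mcafee.com
O1 - Hosts: iveupdate.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: artm_newreg - C:\WINDOWS\
O20 - Winlogon Notify: yvprgb - yvprgb.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi31408.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Assumed list: fragments of security-vendor / update hostnames. A hosts
# entry containing one of these usually means AV or update sites are being
# redirected, which is what the poster saw with sophos/symantec.
VENDOR_FRAGMENTS = ("mcafee", "symantec", "sophos", "iveupdate",
                    "avg", "grisoft", "microsoft")

# "O1 - Hosts: host" / "O20 - Winlogon Notify: name - path" etc.
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


def triage_line(line):
    """Return (section, reason) for a suspicious HJT line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, _kind, rest = m.groups()
    if section == "O1":
        if any(f in rest.lower() for f in VENDOR_FRAGMENTS):
            return (section, f"hosts redirect of security site: {rest}")
    elif section == "O20":
        # Winlogon Notify DLLs load at every logon; a missing DLL, or a bare
        # directory where a DLL path should be, is a hijack leftover.
        if "(file missing)" in rest or rest.endswith("\\"):
            return (section, f"Winlogon Notify without a real DLL: {rest}")
    elif section == "O21" and ("(no file)" in rest or "(file missing)" in rest):
        return (section, f"SSODL entry with no file: {rest}")
    elif section == "O23" and "Unknown owner" in rest and "(file missing)" in rest:
        return (section, f"unknown-owner service pointing at missing file: {rest}")
    return None


def triage_log(text):
    """Run triage_line over every line; return the list of findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for section, reason in triage_log(SAMPLE_LOG):
        print(section, reason)
```

The legitimate AVG service line and the Adobe BHO are left alone; only the six entries with redirected hosts or missing files are reported.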

inuyasha.rules
2006-12-15, 18:05
From personal experience, messing with the Winlogon is a bad idea. After reviewing with the customer, he decided to do a format and a reinstall. Lesson learned: customers change their minds really fast when they see the list of crud you pull out of their systems. Thanks for the help though; when they saw your opinion, that is what really made them decide to do the format.

pskelley
2006-12-15, 18:12
This member reported that their "customer" reformatted; here is some information that may help them in the future:
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.