Author Topic: Command Service / Downloader.tibs  (Read 1237 times)

Offline guestolo

Command Service / Downloader.tibs
« Reply #20 on: October 30, 2006, 07:23:09 PM »
That's looking good, can I have you reboot your computer
and post one last hijackthis log please
I just want to ensure it still looks ok
Let me know how things are running again>>I just like to keep informed :P

EDIT>>
Concerning this entry that was in your log
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)

The creator of SDFix has just updated his tool today to help combat that entry above that appeared after we killed this file
C:\WINDOWS\system32\tcpip.exe

Can I have you run it again please with the following instructions
Delete SDFix.exe and the SDFix folder on your desktop
Re-download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
1. Post a fresh Hijackthis log
2. The report from SDFix>>Report.txt in the SDFix folder
« Last Edit: October 30, 2006, 07:45:16 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline 1yn

Command Service / Downloader.tibs
« Reply #21 on: October 30, 2006, 09:31:14 PM »
The computer had been running without any problem at all. Thank you SO much guestolo for your amazing help. I will highly promote this forum to all my friends. And here are the 2 reports you asked for
 
 
  SDFIX
 
 
  SDFix: Version 1.34
  -------------------
 
  Scan run on:
  Mon 10/30/2006
 
  Time:
  09:19 PM
 
 
  Microsoft Windows XP [Version 5.1.2600]
 
  Running from: C:\Documents and Settings\Administrator\Desktop\SDFix
 
                                 Stage One...
 
  Checking Services...
 
  Name:
  -----
 
  TCP and UDP Support
 
  Path:
  ----
 
  C:\WINDOWS\system32\tcpip.exe /winnt
 
 
  TCP and UDP Support Deleted...
 
  Repairing Registry...
 
   
  Restoring Default Hosts File...
   
  Stage One Complete
   
  Rebooting...
   
                                  Stage Two...
   
  Checking For Malware:
  --------------------
   
   
  Backing Up and Removing any Files Found...
   
                                  Final Check:
   
  Services:
  ---------
   
   
  Files:
  ------
 
 
  Any files removed are saved to the SDFix\backups Folder
 
                                  FINISHED
 
 HJT
 
 Logfile of HijackThis v1.99.1
 Scan saved at 9:28:58 PM, on 10/30/2006
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\Explorer.EXE
 C:\WINDOWS\system32\spoolsv.exe
 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
 C:\WINDOWS\system32\wuauclt.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
 C:\Program Files\VIAudioi\SBADeck\ADeck.exe
 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
 C:\HJT\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
 O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
 O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
 O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
 O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
 O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
 O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
 O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
 O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
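The orphaned O23 entry guestolo flagged in Reply #20 (a service whose binary was already removed, hence "(file missing)") is the kind of line a helper triages first in a HijackThis log. The following added example, not code from the thread or from the HijackThis/SDFix authors, parses O23 service lines and ranks them by two cues; the sample log is constructed from entries in this thread.

```python
import re

# HijackThis O23 lines have the shape:
#   O23 - Service: <display name> [(<short name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed sample: the orphaned entry from Reply #20 plus two entries
# copied from the log posted in Reply #21 (one O4 line shows non-O23 lines are skipped).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O23 - Service: TCP and UDP Support - Unknown owner - C:\\WINDOWS\\system32\\tcpip.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
"""

def parse_o23(log_text):
    """Return one dict per O23 (service) line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        missing = path.endswith("(file missing)")
        entries.append({
            "name": m.group("name"),
            "owner": m.group("owner"),
            "path": path[: -len(" (file missing)")] if missing else path,
            "file_missing": missing,
        })
    return entries

def triage_o23(entries):
    """Attach review cues. 'file_missing' means an orphaned service registration
    whose binary is gone but whose registry entry still needs deleting (the tcpip.exe
    case here). 'unknown_owner' alone is weak: legitimate vendors such as ATI also
    ship services without owner information, so it only raises priority."""
    results = []
    for e in entries:
        cues = []
        if e["file_missing"]:
            cues.append("file_missing")
        if e["owner"] == "Unknown owner":
            cues.append("unknown_owner")
        results.append({**e, "cues": cues, "review": bool(cues)})
    return results

def services_needing_review(log_text):
    """Names of services worth a look, most cues first (sort is stable)."""
    flagged = [r for r in triage_o23(parse_o23(log_text)) if r["review"]]
    flagged.sort(key=lambda r: len(r["cues"]), reverse=True)
    return [r["name"] for r in flagged]
```

Only the service with both cues is a clear removal candidate; the ATI entry shows why "Unknown owner" by itself is not grounds for deletion.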

Offline guestolo

Command Service / Downloader.tibs
« Reply #22 on: October 30, 2006, 09:57:14 PM »
I think we're done here, if you can please still do the following

Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Name it and click create
When that's done

Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating

Select the 'More Options' tab
and click Cleanup under System Restore
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning

Protect yourself against Future Attacks
*Install SpywareBlaster 3.5.1 by JavaCool
    *Will block bad ActiveX Controls
    *Block Malevolent cookies in Internet Explorer and Firefox
    *Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

*Make sure your Anti-Virus software is always kept up to date and actively running in the background
Keeping it set to Autoupdate is a good move to ensure you always have the latest available protection

Keep your Firewall software enabled
Always keep up to date with the latest High Priority updates from Windows Updates

Update and do scans with your Anti-Spyware programs on a regular basis
In addition>>Open Spybot 1.4
Click Immunization>>OK>>Immunization at the top green cross

Optionally, If you just installed the free version of AVG AntiSpyware, it will become a limited free version after 30 days of install
But will still update, scan and remove malware after that time
You can also optionally, enter AVG's INFECTION tab>>Select All>>Remove finally from your machine

You can go ahead and delete the following files

fix.reg
Avenger.exe
SDFix.exe
Vundofix.exe
Combofix.exe
C:\ComboFix.txt
C:\ComboFix2.txt
C:\ComboFix3.txt
Qoofix.zip
C:\Vundofix.txt
Delcmdservice.zip
Blbeta.exe and the log it produced

 the following folders
Qoofix folder
delcmdservice-folder
SDFix folder
C:\Avenger
C:\QooBox
C:\sUBs < if found
Hold onto Hijackthis for a bit, about a week or so, if you find things are still running good
You can access your add/remove programs and remove it
then manually delete Hijackthis

If you still have Windows set to show hidden files and folders
You can do the following
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Do not Show hidden files and folders.
    * Check the Hide protected operating system files (recommended) option.
    * Apply and OK out of there
   

If you haven't run the Disk Defragmenter tool in some time
Now would be a good time, I find it best run in safe mode
This leaves minimal running on startup

Stay safe :)
« Last Edit: October 30, 2006, 10:22:33 PM by guestolo »



Offline 1yn

Command Service / Downloader.tibs
« Reply #23 on: October 31, 2006, 07:59:20 PM »
I have completed all of your final steps. Thank you so much once again. I have learned a lot.

Offline guestolo

Command Service / Downloader.tibs
« Reply #24 on: October 31, 2006, 09:28:56 PM »
Glad to help, I'll lock this topic as your problems are resolved
Take care :)
