Adware & Trojans: Winantispyware!

I couldn’t find either on HijackThis. Below is the log, maybe I’m just overlooking it.

Logfile of HijackThis v1.99.1
Scan saved at 11:25:27 AM, on 9/20/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 “EPSON Stylus CX5800F Series” /O6 “USB001” /M “Stylus CX5800F”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKLM..\Run: [SearchIndexer] rundll32.exe “C:\WINDOWS\system32\vgjhkxnu.dll”,sitypnow
O4 - HKCU..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O15 - Trusted Zone: http://www.java.com
O15 - Trusted Zone: http://photos.walmart.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

It seems like a possible Vundo infection.

Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Also note that avast! is flagging one of the ComboFix files as a trojan. This is a false positive - ComboFix is safe. Please don’t delete or quarantine the file if you get a warning.

ComboFix won’t run, I get the following warning:

comspec error!

the above enviroment variable was found to be corrupt…

Try VundoFix, it removes this infection:

http://www.atribune.org/content/view/24/2/

Follow the instructions on the page carefully.

VundoFix said no files found.

Try VirtumundoBegone:

http://www.bleepingcomputer.com/forums/topic18610.html

If that finds nothing, we can rule out Vundo.

Unless it’s a new variant of course, in which case maybe mauserme can get ComboFix working later.

This bad entry has crept into your log:

O4 - HKLM..\Run: [SearchIndexer] rundll32.exe “C:\WINDOWS\system32\vgjhkxnu.dll”,sitypnow

Send it to VirusTotal and avast! and let us know what VirusTotal says about it.

Fix it as described previously.

It might also be worth looking for rootkits (hidden malware):

Panda Antirootkit
Blacklight
AVG Anti-Rootkit

For sure fix that line and post the Virus Total scan results for C:\WINDOWS\system32\vgjhkxnu.dll.

Then rename hijackthis.exe to hijacktryan.exe, run it again, and post the new log.

EDIT: Back in July you did uninstall the old version(s) of Java, right?

Ok I couldn’t seem to find C:\WINDOWS\system32\vgjhkxnu.dll, but I did see a different file that looked suspicious. The file was C:\WINDOWS\system32\gqoqomwo.dll. I sent that file to VirusTotal and below are the scan results:

File gqoqomwo.dll received on 09.21.2007 04:37:42 (CET)

Result: 3/32 (9.38%)

Antivirus Version Last Update Result
AhnLab-V3 2007.9.21.0 2007.09.20 -
AntiVir 7.6.0.15 2007.09.20 -
Authentium 4.93.8 2007.09.20 -
Avast 4.7.1043.0 2007.09.20 -
AVG 7.5.0.485 2007.09.20 -
BitDefender 7.2 2007.09.21 -
CAT-QuickHeal 9.00 2007.09.20 -
ClamAV 0.91.2 2007.09.20 -
DrWeb 4.33 2007.09.20 -
eSafe 7.0.15.0 2007.09.19 -
eTrust-Vet 31.2.5152 2007.09.20 -
Ewido 4.0 2007.09.20 -
FileAdvisor 1 2007.09.21 -
Fortinet 3.11.0.0 2007.09.20 -
F-Prot 4.3.2.48 2007.09.20 -
F-Secure 6.70.13030.0 2007.09.20 -
Ikarus T3.1.1.12 2007.09.21 -
Kaspersky 4.0.2.24 2007.09.21 -
McAfee 5124 2007.09.20 -
Microsoft 1.2803 2007.09.21 -
NOD32v2 2542 2007.09.21 -
Norman 5.80.02 2007.09.20 -
Panda 9.0.0.4 2007.09.20 Suspicious file
Prevx1 V2 2007.09.21 Heuristic: Suspicious Code
Rising 19.41.40.00 2007.09.21 -
Sophos 4.21.0 2007.09.20 -
Sunbelt 2.2.907.0 2007.09.20 -
Symantec 10 2007.09.21 -
TheHacker 6.2.5.064 2007.09.21 -
VBA32 3.12.2.4 2007.09.20 -
VirusBuster 4.3.26:9 2007.09.20 -
Webwasher-Gateway 6.0.1 2007.09.20 Win32.Malware.gen!88 (suspicious)
Additional information
File size: 83008 bytes
MD5: 3cedda83c368d0596e8b20e6e1bc1e14
SHA1: 19b93648e177e83b374ce563f1b3f2cd471c1a9b
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=56AD5C7D406416DD44A30169548DFD007D181EAB

I think we’ll eventually be deleting that file, with or without VirusTotal detections.

Please run the renamed HJT and post the new log.

Ok this may be a really stupid question, but how and where do I rename it? It’s in my program files, but I don’t know what exactly to rename.
:stuck_out_tongue:

You rename the executable, hijackthis.exe. Call it whatever you like. Some say to call it analyse.exe.

Not a stupid question - more like a stupid assumption on my part :slight_smile:

Navigate to the Program Files folder. Within that folder you’ll find a folder named Hijack This, and within that folder you’ll find the hijackthis.exe file. Right click the file, then click Rename. Overtype the old name and hit Enter. You can really name it anything you want as long as you keep the .exe extension.

EDIT: Thanks oldman …

No problem, just that I missed half the question :-[ :-[

OK, I hope I did this right…

Logfile of HijackThis v1.99.1
Scan saved at 8:33:03 PM, on 9/20/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\hijacktryan.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O2 - BHO: (no name) - {089BF7E1-5B38-4B07-A03B-EE10DB26CC89} - C:\WINDOWS\system32\tusqo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 “EPSON Stylus CX5800F Series” /O6 “USB001” /M “Stylus CX5800F”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKLM..\Run: [SearchIndexer] rundll32.exe “C:\WINDOWS\system32\mahcrbyj.dll”,sitypnow
O4 - HKCU..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O15 - Trusted Zone: http://www.java.com
O15 - Trusted Zone: http://photos.walmart.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

Except for the double extension you got it right. (C:\Program Files\HijackThis\hijacktryan.exe.exe)

Well, it looks like it ran OK anyway.

Tryan21, you should print these directions for use in safe mode (there is no internet connection in safe mode).

Boot into safe mode by restarting your computer and continually tapping the F8 key. You will see a list of options - choose safe mode.

Open VundoFix. You will see a blank white area in the VundoFix window. Right click within that area and click Add more files?.

A new window will open with 3 blank fields. In the first field type exactly

C:\WINDOWS\system32\tusqo.dll

and in the second field type exactly

C:\WINDOWS\system32\mahcrbyj.dll

Click the Add Files button, then click the Close Window button. You will now be back to the original window on which you should click Remove Vundo.

The fix will run and HJT will open (if it doesn’t, open it manually). Place a check mark next to these lines:

O2 - BHO: (no name) - {089BF7E1-5B38-4B07-A03B-EE10DB26CC89} - C:\WINDOWS\system32\tusqo.dll
O4 - HKLM..\Run: [SearchIndexer] rundll32.exe “C:\WINDOWS\system32\mahcrbyj.dll”,sitypnow

Close all other windows, then click Fix Checked.

Reboot to normal mode and download ATF Cleaner by Atribune to your desktop. Double click ATF-Cleaner.exe to run the program. Put a check mark in all the options except Prefetch and click Empty Selected. If you use Firefox or Opera click those tabs and clean those too (you might want to leave Saved Passwords unchecked).

It looks like you have some experience with BitDefender’s online scan, so go ahead and scan with that and post the results along with a fresh HJT log and the VundoFix log that was generated with the manual process above (yes, I really do need to see the entire VundoFix log :stuck_out_tongue: ).
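The helpers’ diagnosis in this thread rests on two patterns that only show up when the posted logs are compared: the [SearchIndexer] Run value keeps its name while the system32 DLL it loads through rundll32 changes in every log, and the unnamed BHO keeps the path tusqo.dll but comes back under a new CLSID. The Python script below is an added example, not code from any poster or from HijackThis; it parses the O2/O4 lines excerpted from this thread’s logs and reports both patterns. The regexes and the "vendorless system32 DLL" heuristic are my own assumptions about the log format, not anything HijackThis itself provides.

```python
import re
from collections import defaultdict

# Constructed excerpts of the three HijackThis logs posted in this thread; only the
# O2 (browser helper object) and O4 (Run key) lines needed for the comparison are kept.
HJT_LOGS = [
    ("9/20 11:25", r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\vgjhkxnu.dll",sitypnow
"""),
    ("9/20 20:33", r"""
O2 - BHO: (no name) - {089BF7E1-5B38-4B07-A03B-EE10DB26CC89} - C:\WINDOWS\system32\tusqo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\mahcrbyj.dll",sitypnow
"""),
    ("9/21 13:57", r"""
O2 - BHO: (no name) - {5AD4EF24-1DBA-49E5-9C92-C56B198B86B1} - C:\WINDOWS\system32\tusqo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\gqcmnafg.dll",sitypnow
"""),
]

# Assumed line shapes (the backslash before ".." is optional because forum rendering eats it).
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
DLL_IN_CMD = re.compile(r'"?([A-Za-z]:\\[^",]+\.dll)"?', re.IGNORECASE)
# Weak single-log signal: a short, all-letter DLL name sitting directly in system32.
VENDORLESS_SYS32_DLL = re.compile(r"^c:\\windows\\system32\\[a-z]{5,8}\.dll$", re.IGNORECASE)


def parse_hjt(text):
    """Return ({(hive, value_name): command}, {dll_path: (bho_name, clsid)}) for one log."""
    runs, bhos = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            runs[(m["hive"], m["name"])] = m["cmd"]
            continue
        m = O2_RE.match(line)
        if m:
            bhos[m["path"].lower()] = (m["name"], m["clsid"].upper())
    return runs, bhos


def loaded_dll(cmd):
    """DLL path from a Run command such as rundll32.exe "C:\\x.dll",export; None if absent."""
    m = DLL_IN_CMD.search(cmd)
    return m.group(1) if m else None


def suspicious_rundll32_loads(runs):
    """Single-log check: Run values that use rundll32 to load a vendorless DLL from system32.
    A heuristic only; keep an allowlist of known-good entries when using it for real."""
    hits = []
    for (hive, name), cmd in runs.items():
        dll = loaded_dll(cmd)
        if cmd.lower().startswith("rundll32") and dll and VENDORLESS_SYS32_DLL.match(dll):
            hits.append((hive, name, dll))
    return hits


def rotating_run_values(logs):
    """Cross-log check: Run values whose name stays fixed while the file they point at changes."""
    history = defaultdict(list)            # (hive, name) -> [(log_label, target)]
    for label, (runs, _) in logs:
        for key, cmd in runs.items():
            target = (loaded_dll(cmd) or cmd).lower()
            history[key].append((label, target))
    return {k: h for k, h in history.items() if len({t for _, t in h}) > 1}


def reregistered_bhos(logs):
    """Cross-log check: BHO DLLs that keep their path but reappear under a different CLSID."""
    clsids = defaultdict(set)              # dll_path -> {clsid, ...}
    for _, (_, bhos) in logs:
        for path, (_, clsid) in bhos.items():
            clsids[path].add(clsid)
    return {p: c for p, c in clsids.items() if len(c) > 1}


def compare_logs(raw_logs):
    """Run all three checks over an ordered list of (label, log_text) pairs."""
    parsed = [(label, parse_hjt(text)) for label, text in raw_logs]
    return {
        "per_log": {label: suspicious_rundll32_loads(runs) for label, (runs, _) in parsed},
        "rotating": rotating_run_values(parsed),
        "reregistered_bhos": reregistered_bhos(parsed),
    }


if __name__ == "__main__":
    report = compare_logs(HJT_LOGS)
    for (hive, name), hist in report["rotating"].items():
        print(f"{hive} Run value [{name}] changed target across logs:")
        for label, target in hist:
            print(f"  {label}: {target}")
    for path, ids in report["reregistered_bhos"].items():
        print(f"BHO {path} seen under {len(ids)} different CLSIDs: {sorted(ids)}")
```

A rotating target under a stable value name is a stronger signal than any single odd-looking line, which is why the helpers keep asking for a fresh log after every step.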

Ok, sorry it took me so long to reply, but I had one heck of a time getting VundoFix to work in safe mode. The first two times I tried to boot into safe mode my desktop wouldn’t start up, then the third time VundoFix and HijackThis weren’t there. Finally on the fourth try it worked. I’m not sure what the problem was, considering I’ve used safe mode in the past just fine.

Anyhow, I did the VundoFix as you told me, but it kept saying it couldn’t be removed and it would try when the computer rebooted. Rebooted twice and finally VundoFix said no files found. Then I proceeded to do the HijackThis, then rebooted once again.

Well, none of it worked. The second I got online to download ATF I was getting the popups again. Ran ATF and it said no files removed. I did a scan with BitDefender and I will post that and a fresh HijackThis log.

Where can I find the VundoFix log? I will post that as soon as I know where to find it.

BitDefender Online Scanner

Scan report generated at: Fri, Sep 21, 2007 - 13:37:00

Scan path: A:;C:;D:;

Statistics
Time: 02:38:31
Files: 201447
Folders: 2855
Boot Sectors: 2
Archives: 2622
Packed Files: 9738

Results
Identified Viruses: 7
Infected Files: 16
Suspect Files: 0
Warnings: 0
Disinfected: 3
Deleted Files: 11

Engines Info
Virus Definitions: 822859
Engine build: AVCORE v1.0 (build 2411) (i386) (Jul 9 2007 12:10:22)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 7
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File
Status

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\1R7VDL0E\valera[1]
Infected with: Trojan.Fotomoto.E

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\1R7VDL0E\valera[1]
Disinfection failed

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\1R7VDL0E\valera[1]
Deleted

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\F0HTN88W\is68089[1].exe
Infected with: Trojan.Virtumonde.IJ

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\F0HTN88W\is68089[1].exe
Disinfection failed

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\F0HTN88W\is68089[1].exe
Deleted

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\GDUVW1QF\valera[1]
Infected with: Trojan.Fotomoto.E

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\GDUVW1QF\valera[1]
Disinfection failed

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\GDUVW1QF\valera[1]
Deleted

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\IGD9N3F3\valera[1]
Infected with: Trojan.Fotomoto.E

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\IGD9N3F3\valera[1]
Disinfection failed

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\IGD9N3F3\valera[1]
Deleted

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\OVC3IRQN\installdrivecleanerstart[1].cab=>UDC6_0001_D19M1908NetInstaller.exe
Infected with: Trojan.Downloader.AVN

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\OVC3IRQN\installdrivecleanerstart[1].cab=>UDC6_0001_D19M1908NetInstaller.exe
Disinfection failed

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\OVC3IRQN\installdrivecleanerstart[1].cab=>UDC6_0001_D19M1908NetInstaller.exe
Deleted

C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\OVC3IRQN\installdrivecleanerstart[1].cab
Update failed

C:\Program Files\HijackThis\backups\backup-20070921-102716-973.dll
Infected with: DeepScan:Generic.Virtumonde.1.D8B8B1E4

C:\Program Files\HijackThis\backups\backup-20070921-102716-973.dll
Disinfection failed

C:\Program Files\HijackThis\backups\backup-20070921-102716-973.dll
Deleted

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP111\A0015110.dll
Infected with: Trojan.Vundo.DNE

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP111\A0015111.dll
Infected with: Trojan.Vundo.DNE

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP111\A0015111.dll
Deleted

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP111\A0015113.exe
Infected with: Trojan.Agent.AZT

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP111\A0015113.exe
Deleted

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP111\A0015115.exe
Infected with: Trojan.Agent.AZT

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP111\A0015115.exe
Deleted

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP113\A0017385.dll
Infected with: DeepScan:Generic.Virtumonde.1.D8B8B1E4

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP113\A0017385.dll
Disinfection failed

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP113\A0017385.dll
Deleted

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP82\A0013866.exe
Infected with: Trojan.Starter.AET

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP82\A0013866.exe
Disinfected

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP98\A0014416.exe
Infected with: Trojan.Starter.AET

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP98\A0014416.exe
Disinfected

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP98\A0014417.exe
Infected with: Trojan.Starter.AET

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP98\A0014417.exe
Disinfected

C:\VundoFix Backups\tusqo.dll.bad
Infected with: DeepScan:Generic.Virtumonde.1.D8B8B1E4

C:\VundoFix Backups\tusqo.dll.bad
Disinfection failed

C:\VundoFix Backups\tusqo.dll.bad
Deleted

C:\WINDOWS\system32\tusqo.dll
Infected with: DeepScan:Generic.Virtumonde.1.D8B8B1E4

C:\WINDOWS\system32\tusqo.dll
Disinfection failed

C:\WINDOWS\system32\tusqo.dll
Delete failed

Logfile of HijackThis v1.99.1
Scan saved at 1:57:58 PM, on 9/21/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\hijacktryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O2 - BHO: (no name) - {5AD4EF24-1DBA-49E5-9C92-C56B198B86B1} - C:\WINDOWS\system32\tusqo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 “EPSON Stylus CX5800F Series” /O6 “USB001” /M “Stylus CX5800F”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKLM..\Run: [SearchIndexer] rundll32.exe “C:\WINDOWS\system32\gqcmnafg.dll”,sitypnow
O4 - HKCU..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O15 - Trusted Zone: http://www.java.com
O15 - Trusted Zone: http://photos.walmart.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

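The O4 entry above that starts a randomly named DLL out of system32 through rundll32 is the line a helper zeroes in on in a log like this. As an added example that is not part of the thread and not HijackThis's own code, the Python below parses a few constructed HJT-style lines (modelled on this log, not copied from it) and flags that pattern along with other entries worth a second look; the random-name check is a vowel-ratio heuristic I am assuming for illustration, not a signature.

```python
import ntpath
import re

# Constructed HijackThis-style lines, modelled on the O4/O20/O23 entries in this thread
# (the full log is not reproduced here; these are sample inputs for the parser).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [SearchIndexer] rundll32.exe "C:\\WINDOWS\\system32\\gqcmnafg.dll",sitypnow
O4 - HKCU\\..\\Run: [swg] C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: avast! Web Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashWebSv.exe" /service (file missing)
"""

# "O4 - HKLM\..\Run: [name] command"  -> hive, autostart value name, command line
O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 invocation: DLL path (optionally quoted) followed by ",export"
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)


def vowel_ratio(text):
    """Fraction of letters that are vowels; machine-generated names tend to score low."""
    letters = [c for c in text.lower() if c.isalpha()]
    return sum(c in "aeiouy" for c in letters) / len(letters) if letters else 0.0


def looks_random(stem):
    """Heuristic (an assumption, not a rule): letters only, 6+ chars, under 20% vowels."""
    return stem.isalpha() and len(stem) >= 6 and vowel_ratio(stem) < 0.2


def triage(log_text):
    """Return (rule, subject, detail) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        if "(file missing)" in line:
            findings.append(("file-missing", line.split(" - ")[1], "target path not found"))
        if line.startswith("O20 - Winlogon Notify:"):
            findings.append(("winlogon-notify", line.split(" - ")[-1], "DLL loads into winlogon.exe; verify publisher"))
        m = O4_RE.match(line)
        if not m:
            continue
        r = RUNDLL_RE.search(m["cmd"])
        if r and "\\system32\\" in r["dll"].lower():
            stem = ntpath.splitext(ntpath.basename(r["dll"]))[0]
            if looks_random(stem):
                findings.append(("random-dll-autostart", m["name"], f"{r['dll']} export {r['export']}"))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_LOG):
        print(f"{rule:22} {subject}: {detail}")
```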
The VundoFix log should be c:\VundoFix.Txt

I've never tried this except just now on my own computer - let's see if it helps. Rename combofix.exe to tryanfix.exe and see if it runs. If it does, post the log with the VundoFix log; otherwise just let me know that you tried. You can use the same renaming method you used with HJT - but stick to a single .exe extension.

Regardless of the TryanFix results please also post a WinPFind3u log:

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:
  - NonMicrosoft Only
  - Reg-Bot Check
  - Reg-Uninstall List
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.