I've got malicious software (HijackThis log)

Snark42

Junior Member
Feb 19, 2004
21
0
0
Files called winXX.tmp.exe keep popping up in my Windows\Temp folder. I've done various scans and some have found the problem and attempted to fix it, but it seems to keep coming back. Any help is greatly appreciated.

Also, this is a Dell Inspiron E1505 with integrated graphics. Which makes me wonder if I can get rid of these....
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe

Logfile of HijackThis v1.99.1
Scan saved at 9:23:03 PM, on 01/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\ZMatrix\matrix.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jordan\Desktop\APPS\HijackThis.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: ZMatrix.lnk = C:\Program Files\ZMatrix\matrix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06132B88-471F-499D-B6CF-9663EC5BA3A7}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F68C000-D4DB-4EEC-8E48-1D35E928D9BF}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{06132B88-471F-499D-B6CF-9663EC5BA3A7}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{06132B88-471F-499D-B6CF-9663EC5BA3A7}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
 

Kromis

Diamond Member
Mar 2, 2006
5,214
1
81
Ask the boys at bleepingcomputer.com

You'll find much more help there. No offense Anandtech.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
That log "looks" clean. Have you disabled system restore in your attempts to remove said trojan?
 

Snark42

Junior Member
Feb 19, 2004
21
0
0
Originally posted by: Schadenfroh
That log "looks" clean. Have you disabled system restore in your attempts to remove said trojan?



I'm not sure if I've disabled it or not. How would I go about checking?
 

John

Moderator Emeritus
Elite Member
Oct 9, 1999
33,944
1
0
1) Disable system restore
2) Run Crap Cleaner
3) Uninstall AVG, reboot
4) Install AOL Kaspersky and reboot
5) Reboot to safe mode with networking (repeatedly tap F8 after the first post screen)
6) Update AOL Kaspersky and run a full system scan

Let us know how it goes. I have additional resources in my sig.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Also need to uninstall that version of Sun Java using Add/Remove Programs (as well as any older variants), and then install the latest one so it's the only one in there.
 

gsellis

Diamond Member
Dec 4, 2003
6,061
0
0
Originally posted by: Medea
No, guys. He's got a Vundo infection - if not more.

Snark, YGPM
Medea, what is giving away the Vundo? I cannot see what keyed on it.

 

John

Moderator Emeritus
Elite Member
Oct 9, 1999
33,944
1
0
Originally posted by: gsellis
Originally posted by: Medea
No, guys. He's got a Vundo infection - if not more.

Snark, YGPM
Medea, what is giving away the Vundo? I cannot see what keyed on it.

I assume he's referring to the missing O2 & O20 entries in HJT.
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Originally posted by: gsellis

Medea, what is giving away the Vundo? I cannot see what keyed on it.

You can tell if a system is infected by Vundo by an O2 and an O20 entry with the same strange .dll name. The newest of the Vundo variants hides all of the O2 and O20 entries in a HJT log. If you look at his log, there is not one O2 or O20 entry, which is a dead giveaway that there's a Vundo infection there.

Edit: John, I didn't see your post 'til I wrote and posted. It would've saved me some typing...
 

gsellis

Diamond Member
Dec 4, 2003
6,061
0
0
Originally posted by: Medea
You can tell if a system is infected by Vundo by an O2 and an O20 entry with the same strange .dll name. The newest of the Vundo variants hides all of the O2 and O20 entries in a HJT log. If you look at his log, there is not one O2 or O20 entry, which is a dead giveaway that there's a Vundo infection there.

Edit: John, I didn't see your post 'til I wrote and posted. It would've saved me some typing...
Thanks. I knew about the O2 and O20, but did not know about it missing.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: Medea
Originally posted by: gsellis

Medea, what is giving away the Vundo? I cannot see what keyed on it.

You can tell if a system is infected by Vundo by an O2 and an O20 entry with the same strange .dll name. The newest of the Vundo variants hides all of the O2 and O20 entries in a HJT log. If you look at his log, there is not one O2 or O20 entry, which is a dead giveaway that there's a Vundo infection there.

Edit: John, I didn't see your post 'til I wrote and posted. It would've saved me some typing...

Damn, you're good...
 

Ike0069

Diamond Member
Apr 28, 2003
4,276
2
76
Originally posted by: Medea
Originally posted by: gsellis

Medea, what is giving away the Vundo? I cannot see what keyed on it.

You can tell if a system is infected by Vundo by an O2 and an O20 entry with the same strange .dll name. The newest of the Vundo variants hides all of the O2 and O20 entries in a HJT log. If you look at his log, there is not one O2 or O20 entry, which is a dead giveaway that there's a Vundo infection there.

Edit: John, I didn't see your post 'til I wrote and posted. It would've saved me some typing...

Damn, this is very good info. :thumbsup:

So how does one go about removing Vundo, and what kind of bad things does it do?

I don't have any issues currently, just trying to educate myself here.
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Well, VirtumondoBegone is used primarily on 95/98/ME machines. It's also not updated as frequently as VundoFix. Atribune works constantly on updates for VundoFix. Also, you want to run VundoFix in Normal Mode because you want everything to load so it can be deleted.

There are several variants of Vundo which would take too long to go into. A few of them are extremely stubborn to remove when VundoFix won't work and you have to use another tool. The Vundo downloaders are not deleted by the tool below. Sometimes, you see them in the log, and you delete them first and then run the tool. Sometimes, you have to do a registry fix to stop them from running, delete the file and then run the tool.

Different pop-ups are a symptom of Vundo along with certain other programs being installed like WinAntiVirus and SysProtect - the latter is a real PITA.

These are the instructions for running VundoFix:

- Please download VundoFix and save it to your Desktop.
- Double-click VundoFix.exe to run it
- Click the Scan for Vundo button
- Once it is done scanning, click the Remove Vundo button
- You will receive a prompt asking if you want to remove the files
- Click YES
- Once you click YES, your Desktop will go blank as it starts removing Vundo
- When completed, it will prompt that it will reboot your computer
- Click OK

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, so simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Once VundoFix has completed scanning, please do not run it again.
If you run it more than one time, you will overwrite the original log generated when it was run the first time.
-------------------

What you see often is this:
Say the vundo .dll is named abcbad.dll - well, you'll see that file and you'll see it in reverse, i.e., dabcba.dll along with any or all of the following: abcbad.ini, abcbad.bak1 and abcbad.bak2.

The importance of running the tool is not only to delete the vundo files, but to fix the changes it does to the registry.

One thing to keep in mind: If you should ever get Vundo and remove it using VundoFix and then get reinfected say one or two months later - don't use the same tool. It would've been updated, so you have to d/l the newest version and run that. Also, once the tool has run, you should delete the files in the \Vundo Backups directory.

Edit: Scanning with AOL Kaspersky or ewido will usually delete the vundo downloaders. I know that ewido will also delete the bad vundo-created reg keys.
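The two Vundo tells described in this thread (Medea's earlier post: an O2 and an O20 entry naming the same odd DLL, or no O2/O20 entries at all; and the post above: a DLL plus its letters-reversed twin with .ini/.bak1/.bak2 siblings) can be turned into a small triage script. The following is an added example written for this page; it is not code from the thread, from HijackThis or from VundoFix. The HJT excerpts, the CLSID in the O2 line, the `abcbad.dll` name and the system32 directory listing are all constructed test data, not real observations.

```python
"""Triage heuristics for a HijackThis log and a system32 listing.

Heuristic 1: Vundo classically shows the same DLL in an O2 (BHO) line and an
             O20 (Winlogon Notify) line; newer variants hide those sections,
             so a log with *zero* O2/O20 lines is itself suspicious.
Heuristic 2: Vundo drops e.g. abcbad.dll plus its reversed twin dabcba.dll,
             often with abcbad.ini / abcbad.bak1 / abcbad.bak2 beside them.
"""
import re
from collections import Counter

# HijackThis lines look like "O4 - HKLM\..\Run: [name] path" (section, dash, rest).
HJT_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
DLL_NAME = re.compile(r"([\w-]+\.dll)", re.IGNORECASE)

# Constructed excerpt shaped like the log in this thread: O4/O9/O23 only.
CLEAN_LOOKING_LOG = r"""
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

# Constructed excerpt with the classic O2/O20 pair; the CLSID is made up.
VUNDO_LOG = r"""
O2 - BHO: (no name) - {ABCDEF00-1111-2222-3333-444455556666} - C:\WINDOWS\system32\abcbad.dll
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O20 - Winlogon Notify: abcbad - C:\WINDOWS\system32\abcbad.dll
"""

# Constructed directory listing (what `dir C:\WINDOWS\system32` might return).
SYSTEM32_LISTING = ["abcbad.dll", "dabcba.dll", "abcbad.ini", "abcbad.bak1",
                    "kernel32.dll", "igfxpers.exe"]


def parsed_lines(log_text):
    """Yield (section, rest) for every well-formed HJT line."""
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def missing_bho_sections(log_text):
    """Sections that never appear at all (Vundo variants hide O2/O20)."""
    counts = Counter(section for section, _ in parsed_lines(log_text))
    return [s for s in ("O2", "O20") if counts[s] == 0]


def same_dll_in_o2_and_o20(log_text):
    """DLL file names that are loaded both as a BHO (O2) and a Winlogon notify (O20)."""
    seen = {"O2": set(), "O20": set()}
    for section, rest in parsed_lines(log_text):
        if section in seen:
            m = DLL_NAME.search(rest)
            if m:
                seen[section].add(m.group(1).lower())
    return sorted(seen["O2"] & seen["O20"])


def reversed_name_pairs(filenames):
    """Return (dll, reversed_twin, siblings) for DLLs whose reversed-stem twin exists."""
    names = {f.lower() for f in filenames}
    hits = []
    for f in sorted(names):
        if not f.endswith(".dll"):
            continue
        stem = f[:-4]
        twin_stem = stem[::-1]
        # Report each pair once (stem < twin_stem) and skip palindromic stems.
        if stem < twin_stem and twin_stem + ".dll" in names:
            siblings = [s + ext for s in (stem, twin_stem)
                        for ext in (".ini", ".bak1", ".bak2") if s + ext in names]
            hits.append((f, twin_stem + ".dll", siblings))
    return hits


def triage(log_text, listing):
    """Combine the heuristics into one findings dict; empty values mean no hit."""
    return {
        "hidden_sections": missing_bho_sections(log_text),
        "o2_o20_same_dll": same_dll_in_o2_and_o20(log_text),
        "reversed_pairs": reversed_name_pairs(listing),
    }


if __name__ == "__main__":
    for label, log in (("thread-style log", CLEAN_LOOKING_LOG), ("classic Vundo log", VUNDO_LOG)):
        print(label, triage(log, SYSTEM32_LISTING))
```

The absence check is deliberately weak on its own: a freshly installed system with no BHOs would also show no O2 lines, so it should raise suspicion only alongside the other symptoms the thread mentions (recurring winXX.tmp.exe files, pop-ups). The reversed-name check is the more specific signal, and a hit there is worth confirming by hashing the file and checking its signer before deleting anything.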
 