At Wit's End! Virtumundo Malware causes Star Wars Galaxies to crash!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TexanEagle21, Nov 19, 2004.

  1. TexanEagle21

    TexanEagle21 Private E-2

    I was told to start a new thread from the other SWG problem thread.

    As per the tech's request, I deleted suspicious things from add/remove, did the Tutorial, and downloaded the new version of HJT and fixed it to where it should put the file into the backup file. I've uploaded the latest HJT log for your convenience.

    After several hours of working with threads on this site and others, I'm still not able to resolve the problem. AD-Aware tells me that Virtumundo malware is on my computer, but I can't remove it. Thank you very much for your help with this situation.

    Attached Files:

  2. PhilliePhan

    PhilliePhan Guest

    Hi TexanEagle21,

    I'm not a "Tech" - just a forum member like anyone else. I just don't care for malware and like to help when I have a little free time to do so!

    A few notes: I left all of your 016 entries alone. However, all that P2P stuff is begging for more malware problems.
    Also, it looks like you are running two different AV (Norton & AVG) - You should pick one. Also, visit Windows Updates and get updated AFTER your machine is clean.


    This is my generic fix for Stopguard-related malware infections.
    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and END it, if possible:
    P2P Networking.exe

    NEXT:
    Look in C: > WINDOWS > PREFETCH & Delete infofax.exe ( or any infofax or xafofni entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.008i.com/search.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

    O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\RYANBR~1\LOCALS~1\Temp\xafofni.dat

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    O4 - HKLM\..\Run: [*infofax] C:\WINDOWS\java\Packages\infofax.exe

    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove

    O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove

    O4 - HKLM\..\RunOnce: [*infofax] C:\WINDOWS\java\Packages\infofax.exe rerun


    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\java\Packages\infofax.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if they remain:
    C:\WINDOWS\java\Packages\infofax.exe
    C:\WINDOWS\System32\P2P Networking (the folder)

    THEN:
    Use Windows Explorer to run a search of your computer for:

    bkinst
    infofax
    xafofni


    and DELETE the related files. (We especially want to get rid of xafofni.ini & xafofni.dat & xafofni.bak AND infofax.ini & infofax.dat & infofax.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let us know of any problems that you may have encountered with the above instructions.

    Best luck :)
    PP
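As an added example (not part of the thread or of PhilliePhan's instructions), the following read-only PowerShell audit checks a machine for the indicators the post walks through: the running process, the O4 Run/RunOnce values, the O2 BHO CLSIDs, and files or folders named infofax, xafofni, bkinst or P2P Networking. It assumes Windows PowerShell 3.0 or later running from an elevated prompt; the function name is hypothetical, and it only reports, never deletes.

```powershell
# Added example, not from the thread: a read-only audit for the indicators
# named in the post above. It reports findings; it removes nothing.
# Assumes Windows PowerShell 3.0+ and an elevated prompt (HKLM, all folders).
function Find-ThreadIndicators {
    $namePattern = 'infofax|xafofni|bkinst|P2P Networking'   # names from the post
    $runValues   = @('*infofax', 'P2P Networking', 'Uninstall_WinTools', 'Uninstall_TBPS')
    $runKeys     = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
    $bhoClsids   = @('{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}',   # CATLEvents -> xafofni.dat
                     '{549B5CA7-4A86-11D7-A4DF-000874180BB3}',
                     '{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}')
    $bhoRoot     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

    function New-Finding($Kind, $Location, $Detail) {
        [pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail }
    }
    $findings = @()

    # 1. The running process the post says to end first
    foreach ($p in (Get-Process -Name 'P2P Networking' -ErrorAction SilentlyContinue)) {
        $findings += New-Finding 'Process' "PID $($p.Id)" $p.Path
    }

    # 2. Autostart values HijackThis lists as O4 entries
    foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            if ($runValues -contains $name) {
                $findings += New-Finding 'Run' "$key\$name" $item.GetValue($name)
            }
        }
    }

    # 3. BHO registrations HijackThis lists as O2 entries
    foreach ($clsid in $bhoClsids) {
        if (Test-Path (Join-Path $bhoRoot $clsid)) {
            $findings += New-Finding 'BHO' $clsid 'registered'
        }
    }

    # 4. Files/folders on the system drive whose name matches (covers Prefetch,
    #    java\Packages, Temp and anywhere else the post says they may hide)
    foreach ($f in (Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -ErrorAction SilentlyContinue |
                    Where-Object { $_.Name -match $namePattern })) {
        $detail = if ($f.PSIsContainer) { 'folder' } else { "$($f.Length) bytes" }
        $findings += New-Finding 'File' $f.FullName $detail
    }
    $findings
}

Find-ThreadIndicators | Format-Table -AutoSize
```

An empty table after the cleanup steps is the result to look for; any row that remains points at something the manual steps missed.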
