Virtumundo & Other Problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DWatson, Nov 18, 2004.

  1. DWatson

    DWatson Private E-2

    Support Team,

    I have a laptop that I use for work. It has been infected with Virtumundo, and probably other spyware. I have been trying for several days to fix these problems with no luck. I have read your tutorial post. But unfortunately, earlier today on my own I tried to kill the "process" in Task Manager for "wfont.exe" in the c:\winnt\repair folder. Since then, the spyware (or whatever is causing the problems) has basically taken over the CPU on the laptop. Wfont immediately returned, and took up more memory and now the CPU is churning so much that I cannot do any of the steps in your tutorial. It would take days to download the files and run the scans, if they ran at all. I am currently having to read and post from my home PC.

    Please note: I have run Ad-Aware multiple times, with the most current definitions, as of today, and it has detected the Virtumundo but will not ultimately get rid of it. I also was able to download and run Spybot, but it has not helped. I also was able to download HiJackThis before the CPU was taken over. I believe the main files causing the CPU hijacking are as follows:

    c:\winnt\repair\wfont.exe
    c:\winnt\repair\tnofw.tmp
    c:\winnt\repair\tnofw.ini
    c:\winnt\repair\tnofw.bak1
    c:\winnt\repair\tnofw.bak2

    The .ini file is over 87MB in size, and the .tmp and .bak files are over 17MB each.

    I work remotely from my house, and desperately need help to get this machine functioning again.

    Thanks.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Dwatson,

    Please take a look at the threads in this link for more info:

    StopGuard or WinFirewall Problems?

    You will note that I have come up with a generic removal process for this baddie.

    Please take a run through the Cleanup Tutorial HERE:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Then scan with HijackThis and ATTACH a log as per the instructions HERE:
    http://forums.majorgeeks.com/showthread.php?t=38752

    You should note that there really is no "Support Team" to speak of here. We who respond in this forum are mostly unpaid volunteers - Just regular forum visitors who like to help out others in need ;)

    Please attach your HJT log & I'll try to check back - I'm usually here in the wee hours.

    Best luck :)
    PP
     
  3. DWatson

    DWatson Private E-2

    I understand you are volunteers, and I certainly appreciate any help. I read many of your posts earlier today, and have also read all through the tutorial.

    But again, I can do virtually nothing on the affected machine. I am responding from another computer right now. It takes about 5 minutes just for IE to load, much less try to download any of the other virus or spyware removal apps and scan the affected laptop. Now that I have read your warnings about the morphing capabilities of these apps, I am afraid to reboot.

    I will attempt to run HJT and post the log, but that will be without doing your other tutorial steps. I am pretty desperate here.

    Thanks!
     
  4. PhilliePhan

    PhilliePhan Guest

    I've been so busy lately that I didn't completely read your 1st post - Sorry!

    We definitely need a HJT log before we can proceed! Don't worry about rebooting the machine - Just do not reboot after you scan and send me the log!

    I'll try to check back in a timely manner - Hang in there :)

    PP
     
  5. DWatson

    DWatson Private E-2

    Thank you PP. I basically cannot get to the Web from the affected machine, so I copied the HJT logfile to my home PC and am uploading from here. The file is attached. Thanks for your help!
     
  6. DWatson

    DWatson Private E-2

    Sorry, I think the brand new Sygate Firewall I installed here today has blocked my upload. Let me try again.
     


  7. PhilliePhan

    PhilliePhan Guest

    Hi Dwatson,

    I am unsure about these entries:

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nfii.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nfii.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nfii.com

    Do you recognize the domain as belonging to your ISP or Company? Let us know.


    Below is my generic fix for Stopguard-related malware infections – Modified for your Windows 2000 OS.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Run HijackThis and Check the Boxes for the Following:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\watsond\LOCALS~1\Temp\tnofw.dat

    O4 - HKLM\..\Run: [*tcpnet] C:\WINNT\Config\tcpnet.exe

    O4 - HKLM\..\Run: [*wfont] C:\WINNT\repair\wfont.exe

    O4 - HKLM\..\RunOnce: [*wfont] C:\WINNT\repair\wfont.exe rerun

    O14 - IERESET.INF: START_PAGE_URL=about:blank


    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINNT\repair\wfont.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if they remain:

    C:\WINNT\Config\tcpnet.exe
    C:\WINNT\repair\wfont.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:

    Bkinst
    tcpnet
    wfont
    tnofw


    and DELETE the related files. (We especially want to get rid of tnofw.ini & tnofw.dat & tnofw.bak AND wfont.ini & wfont.dat & wfont.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

    Best luck :)
    PP
     
  8. DWatson

    DWatson Private E-2

    Thanks for the info. Yes, the nfii.com is my company domain, so these are OK.

    I'm printing this out and proceeding. Things are still running extremely slowly on the laptop, with about 50-100% of the CPU in constant demand by the wfont.exe process, so this will be slow going. I will repost as soon as I can tonight. Thanks in advance for the advice.
     
  9. PhilliePhan

    PhilliePhan Guest

    Allrightythen!! Keep me posted.

    I often marvel at the power of this baddie. One little piece of malware can cause your machine to grind to a halt. This seems like the gazillionth one of these I've seen lately! :cool:

    PP
     
  10. DWatson

    DWatson Private E-2

    Well, I tried to follow the steps, but must have gone wrong somewhere along the way...I got errors when I rebooted out of HJT: wfont.exe was running during the reboot and would not shutdown properly, then HJT would not shutdown properly, and finally I had to "end now" to get them closed so the machine would reboot. When I came back up in safe mode, it wasn't 15 seconds before wfont.exe was running again and killing the CPU again. The bad files are all still there and you cannot delete them from Explorer - the "tnofw.tmp" file gives a "can't find file on disk" error and the wfont.exe file gives you an "access denied - file may be in use" error when you try to kill it manually. I'm afraid to reboot from here. Should I rerun HJT again and repost the logfile? Can you tell me where I may have gone wrong?

    Sorry for the mistakes, if I made some. Thanks for your help.
     
  11. PhilliePhan

    PhilliePhan Guest

    Hi DWatson,

    Please attach a fresh HJT log. It sounds like you had a little trouble deleting the file on reboot. Please download this tool: Pocket KillBox - Perhaps it will be able to delete the offending file.

    I will check back when I get a chance. (Probably tomorrow - Got a lot going on now ;) )

    Best,
    PP
     
  12. DWatson

    DWatson Private E-2

    I got Killbox installed on the laptop and running, but it was unable to kill the wfont or tnofw files. I reran HJT and have posted the logfile here. Any help would be appreciated.

    Thanks!
     


  13. PhilliePhan

    PhilliePhan Guest

    Hi Dwatson,

    Use KillBox to try to kill the following:
    C:\WINNT\Driver Cache\xmlsvr.exe
    C:\WINNT\repair\wfont.exe


    Then have HJT fix these lines:
    O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\watsond\LOCALS~1\Temp\tnofw.dat

    O4 - HKLM\..\RunOnce: [*wfont] C:\WINNT\repair\wfont.exe rerun

    O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\Driver Cache\xmlsvr.exe ren time:1100825131


    Search for and delete:
    xmlsvr
    wfont
    tnofw


    Sorry if I'm a bit rushed, but I'm really busy. I will check back tomorrow.

    Best luck,
    PP
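
Added example (not from the thread, and not HijackThis's own logic): a small Python triage of HJT log lines that turns the judgment PhilliePhan applied in posts 7 and 13 into explicit rules, so a reader can see why each line was singled out. The sample lines are the entries quoted in those two posts plus one constructed benign Run entry as a negative case; the suspect-directory list, the trusted-host list and the "fix" versus "confirm" split are this example's own assumptions. One rule rests on documented Windows behaviour: a RunOnce value whose name starts with `*` is executed even in Safe Mode, which is consistent with wfont.exe coming straight back after the Safe Mode boot described in post 10.

```python
"""Triage of HijackThis (HJT) log lines for the persistence entries discussed in
this thread. The rules below are this example's heuristics, not HJT's."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: the entries quoted in posts 7 and 13, plus one benign
# Run entry (Synchronization Manager) so the rules have a negative case.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\watsond\LOCALS~1\Temp\tnofw.dat
O4 - HKLM\..\Run: [*tcpnet] C:\WINNT\Config\tcpnet.exe
O4 - HKLM\..\Run: [*wfont] C:\WINNT\repair\wfont.exe
O4 - HKLM\..\RunOnce: [*wfont] C:\WINNT\repair\wfont.exe rerun
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\Driver Cache\xmlsvr.exe ren time:1100825131
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nfii.com
"""

# Assumption: directories that legitimately hold no autostart programs or BHOs.
SUSPECT_DIRS = ("\\repair\\", "\\config\\", "\\driver cache\\", "\\temp\\")
# Assumption: hosts a default IE search/start setting may legitimately point at.
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) =\s*(?P<value>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): Domain = (?P<domain>\S+)$")


@dataclass(frozen=True)
class Finding:
    line: str
    action: str            # "fix" = tick in HJT; "confirm" = ask the owner first
    reasons: tuple[str, ...]


def _in_suspect_dir(path: str) -> bool:
    return any(d in path.lower() for d in SUSPECT_DIRS)


def _host_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_SEARCH_HOSTS)


def _check_line(line: str) -> Finding | None:
    reasons: list[str] = []
    action = "fix"
    if m := O4_RE.match(line):
        if _in_suspect_dir(m["cmd"]):
            reasons.append("autostart program in a directory that should hold no programs")
        # Documented Windows behaviour: a '*'-prefixed RunOnce value runs even in Safe Mode.
        if m["key"].startswith("RunOnce") and m["name"].startswith("*"):
            reasons.append("'*' prefix makes a RunOnce entry run even in Safe Mode")
    elif m := O2_RE.match(line):
        if _in_suspect_dir(m["path"]):
            reasons.append("BHO loaded from a temporary or system-maintenance directory")
        if not m["path"].lower().endswith(".dll"):
            reasons.append("BHO file is not a .dll")
    elif m := R_RE.match(line):
        value = m["value"].strip()
        if not value:
            action = "confirm"
            reasons.append("blank IE setting; fixing it restores the default")
        elif value.lower().startswith("http") and not _host_trusted(value):
            reasons.append("IE search/start setting points at an untrusted host")
    elif m := O17_RE.match(line):
        action = "confirm"
        reasons.append("DNS suffix %s: fine only if it is the owner's company or ISP" % m["domain"])
    if not reasons:
        return None
    return Finding(line, action, tuple(reasons))


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious log line, in log order."""
    out: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (found := _check_line(line)):
            out.append(found)
    return out


def hjt_fix_list(findings: list[Finding]) -> list[str]:
    """Lines to tick in HijackThis before pressing Fix ('confirm' lines are left out)."""
    return [f.line for f in findings if f.action == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action}] {f.line}")
        for r in f.reasons:
            print("    -", r)
```

Run against the sample, the script ticks the same six lines PhilliePhan asked to have fixed and leaves the O17 domain and the blank R0 entry for the owner to confirm, which is exactly the question asked in post 7 and answered in post 8. Note that this only finds what the log shows; the locked wfont.exe and the hidden tnofw.* data files still have to be removed on disk, which is why the thread moves on to delete-on-reboot tools.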
     
  14. DWatson

    DWatson Private E-2

    PP,

    The "xmlsvr*" files could not be found - either by my search in Explorer or in Killbox. Killbox cannot kill "wfont.exe", probably because it is running. I get a "this file cannot be deleted" error. I did the HJT fixes on the first two, but the last line was not found in the current HJT scan.

    Finally, I did delete c:\!submit\wfont.exe and c:\!submit\tnofw.tmp, but the search did not find any xmlsvr* files. Also, the search in explorer did not pick up the wfont* and tnofw* files that I know are there in the winnt folder. Is there a search option I need to enable to get to these files? I can view them if I go directly into the folder, but the search function will not find them.

    I'm in serious desperation mode here. All help is appreciated.
    Thanks.
     
  15. PhilliePhan

    PhilliePhan Guest

    Hi DWatson,

    When KillBox kills these in normal mode, it places backups in a folder labeled !submit. Maybe it got a few despite the error message? You could try its Delete on Reboot option for the running process.
    I am not sure what we are doing wrong. Currently, I am advising 7-8 threads dealing with the same problem and my generic solution seems to work for most of them.

    Are there multiple user accounts on your computer?

    Please attach a fresh HJT log and let's have another crack at it. I will try to check back tonight. Hang in there ;)

    You might want to look at some of the other current threads dealing with this baddie and see if you or I are missing anything.

    Best,
    PP
     
  16. DWatson

    DWatson Private E-2

    PP,

    OK, now I see that the !Submit was the backup from Killbox. I had not tried the delete on reboot using Killbox yet, but unfortunately, our Corp IT group asked for the laptop back to attempt repairs. They are far more adept at such things than me.

    However, I have learned a great deal, and in this process have beefed up the Spyware defenses on my home PC that I am writing this on. Thanks for all your help - this Virtumundo and related (?) files have been a real mess. Hopefully they can salvage my laptop without drastic measures.

    I did let them know that I have posted this thread, and that there are many more like it on MajorGeeks, and also on Lavasoft Support Forums so they may get on here too and learn/post as well.

    Thanks!
     
  17. PhilliePhan

    PhilliePhan Guest

    Well, that's one way to fix the problem! ;)

    Hope they have better luck than you and I!! But, hey. . . As you noted, it's a good learning experience :)

    Best regards,
    PP
     
