Virus?

I have the following virus worm rontkbr.b, pc-cillin says it fixed it, but every 20 minutes pc cillin keeps popping up and scanning the same files and removing the virus over and over, the worst effects of the virus (restarting comp everytime i try to download/not letting me download has stopped.

but apparently the virus is still in my system and it's really hard to do anything with pc-cillin contiously removing it.

Results of hijackthis are as follows:

[saving space - attachment deleted by admin]

[Malware Removal Specialist]

Ok good job, I will be with you in a minute.

[Malware Removal Specialist]

I can't see anything from the log that would be causing the problem. Since you are having problems downloading anything we will run this.

Please download Combofix by sUBs from either here or here

Save Combofix.exe to your your Desktop.

1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
2. When finished, it will produce a log for you.
3. Attach that log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause your computer to stall

k   

[saving space - attachment deleted by admin]

[Malware Removal Specialist]

Finish both of the procedures before posting back.

===

Download ViewpointKiller

* Unzip the program and all of the contents of ViewpointKiller.zip to a location such as your desktop.
* Double click the ViewpointKiller icon to run ViewpointKiller.exe. Select the "File" menu, and select "Check to see if you have Viewpoint installed".
* If ViewpointKiller indicates that any of the Viewpoint variants are installed, select the proper "Kill" option in the File menu.

Follow the prompts and instructions very carefully, answering "Yes" or "No" depending on which option you are most comfortable with. The MsConfig instructions are very important, so be sure to read them carefully.

* When ViewpointKiller is done a log will be shown. Save the log to the desktop and  please add that log as an attachment in the next post.

Note: When done with ViewpointKiller, simply right click and delete all files that were unzipped.

=====

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

File::
C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

===

Next post please attach
ViewpointKiller log
combofix.txt log

k

[saving space - attachment deleted by admin]

[Malware Removal Specialist]

How are things now?

well the pc-cillin was deleting all the files while i did as you requested, both the pc-cillin and your tasks finished at about the same time.  haven't had any pc-cillin pop up since.  hopefully all is well, i'll have to wait til tomorrow to be sure though, i've been staring at this comp for way to many hours now.

i'll will let you know tomorrow if all is well.  Thanks alot for your help 

[Malware Removal Specialist]

OK be sure to let me know, there will be a little more to do.

hi again, computer was running for about two hours today and then pc-cillin popped up again and is scanning my music/picture files to remove the same virus.

[Malware Removal Specialist]

Please delete the copy of combofix you have and download a new one.

Please download Combofix by sUBs from either here or here

Save Combofix.exe to your your Desktop.

1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
2. When finished, it will produce a log for you.
3. Attach that log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause your computer to stall


Next post attach
combofix log

k

[saving space - attachment deleted by admin]

[Malware Removal Specialist]

Is your pc-cillin a paid version? And is it updated?

Lets try to flush System Restore and see "if" it helps.

1 Right click the My Computer icon on the Desktop and click on Properties.
2 Click on the System Restore tab.
3 Put a check mark next to 'Turn off System Restore on All Drives'.
4 Click the 'OK' button.
5 You will be prompted to restart the computer. Click Yes.

Once the computer is restarted enable System restore. It will not require a reboot when re-enabling.

Let us know if it continues.

yes, it's a paid version, but it had been unistalled for awhile, even though the subscription is still active.  the computer was fine til someone used it yesterday to go to babierus, as soon as they got to babiesrus the computer restarted, they went to babiesrus again and the computer restarted, then i went to babiesrus and the computer restarted. any other sites worked fine, just not babiesrus.  i figured something was wrong and  tried to download antivirus programs etc and realized the virus wouldn't allow me to download anything, it would keep restarting the comp when i tried.  i pulled out the pc-cillin disc that came with the comp, reinstalled it and subscription is still active  til feb. it updated and is the most current version.

we attempted to visit babiesrus on a diff comp on this network and that computer restarted also.  though that computer is functioning normally. well what's normal for it, its 5 years old and has no protection due to internet problems when it did have norton's installed on it.  it's still able to download. not sure if it's also infected or not but working normally according to the user.

we do have a third computer (year old) on the network with norton's installed, i'm to scared to visit babiesrus, i don't feel like fixing that one too.

again after installing pc cillin and running the scan and fixing this worm, it just keeps returning.  the worm is showing again as i type this post.

[Malware Removal Specialist]

OK, the more I learn about this worm the more concerned I am.

1. From the desktop double click My Computer and then double click Local Disk (C:). From the toolbar (top left) select File > New > Folder and name it sysclean.

2. Download the Sysclean Package and save it in the new C:\sysclean folder.

3. Close all applications running on your system, including any antivirus software.

4. Run the executable file by double clicking it.

5. Enable any antivirus software that is installed on your system and perform a manual scan.

6. If prompted for a reboot, please do so for the system to be successfully cleaned.

NOTE: This fix tool generates the log file, SYSCLEAN.LOG, in its current folder.
       
Please attach the SYSCLEAN.LOG in the next post.

[Malware Removal Specialist]

Additional, you will need to download and unzip this file into the sysclean folder also.

lpt855.zip

Unzipping this new file will create a new folder. Drag and drop the sysclean package into the new folder and double click it to run.

Ok when I click to run I get  !pattern file “LPT$VPN.* “ is missing, please download a copy.
If i ignore the message and continue it says no viruses found and produces a log.

Hmm, something just hit me.  All three computers had network magic at one time.  The oldest computer which has no virus scan or internet security other then windows firewall no longer uses network magic cause it kept disconnecting from the internet.  I'm the only computer that still has network magic on it and i realized that even though the other computers don't have it anymore, my music/picture folders show on my program as being shareable with the other two computers.  I've no clue about all this computer stuff, but is it possible since only those two folders are shareable that it's the other computer sending the worm to those folders?

I've changed my options and am not sharing any folders.  I ran the virus scan three times since yesterday and it wasn't showing any viruses.  This time though, once i stopped sharing the music/picture folders, it listed all the worms in those two folders and removed them.

I'll wait to see if I get anymore pc-cillin pop-ups regarding the worm.



[saving space - attachment deleted by admin]

[Malware Removal Specialist]

Did you see my post about adding the lpt855.zip to the sysclean folder?

Additional, you will need to download and unzip this file into the sysclean folder also.

lpt855.zip

Unzipping this new file will create a new folder. Drag and drop the sysclean package into the new folder and double click it to run.

That is the virus definitions to clean the infection. Without it nothing will be found.

You may want to run it on all of the computers. This worm is NASTY to say the least and I don't think the pc-cillin will take care of it alone. I found an entry in the combofix log that led me to this fix so it really needs to be run.

Sorry I posted the instructions in reverse 

k ran it again.

haven't had any worm sightings yet.

[saving space - attachment deleted by admin]

[Malware Removal Specialist]

Go to Start > Control Panel and open the Scheduled tasks folder. Look for anything to do with WowTumpeh.com and right click it and select delete.

-------------------

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

C:\Documents and Settings\Cindy\Templates\WowTumpeh.com

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

------------------

Attach the combofix log in the next post.

done.



[saving space - attachment deleted by admin]

[Malware Removal Specialist]

You are going to like me now, lol

I messed that up.

To make it easier (hopefully) go to C:\Documents and Settings\Cindy\Templates\WowTumpeh.com and delete the WowTumpeh.com

Sorry.......

ha, you keep changing things after i've completed them 

the tumpeh thing was listed as 1a or something like that  in scheduled tasks, don't see anything like that in my templates.

[Malware Removal Specialist]

Lets try the combofix (the right way this time) I forgot to put the File:: in the quote box last time.

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

File::
C:\Documents and Settings\Cindy\Templates\WowTumpeh.com

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

------------------

Attach the combofix log in the next post.

k done

[saving space - attachment deleted by admin]

[Malware Removal Specialist]

OK, I don't see it anymore.

Is the computer still acting up?

I would suggest running the Trend Micro Online scan. It will remove any leftovers of the worm.
http://housecall.trendmicro.com/

You can delete the sysclean folder if you are done with it.

Go to Start > Run and copy and paste next command in the field:

ComboFix /u



Make sure there's a space between Combofix and /
Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again

Let us know how things are now.

well its been about 4 or 5 hours now and no sign of the worm. hopefully it's gone for good, i'm working on the older computer it seems to have the same worm and lots of other goodies but it scans alot slower then mine.

thanks alot for your help, i would of ended up on the phone with dell and they'd of screwed my computer even more and then would of advised me to pull out my restore disk.    i really appreciate your help, thanks again!

[Malware Removal Specialist]

It was a tricky one. Hidden pretty well to say the least. I would stop using the internet without antivirus and a firewall.

Here are some good free lightweight suggestions.

Comodo Free Firewall

Avast Home Free

AVG Free Edition

Here are a few more scanners you may want to use. They scan and remove what they find, are very good plus free.

First though you may want to run CCleaner to remove all of the junk files. This will help to speed up the scans. 

Download CCleaner

Online Scanners

ESET Nod32 Online Scanner

BitDefender Online Scanner

Spyware/Trojan/Worm scanners

SUPERAntispyware Free Edition

A-Squared Free

Having a look at this article by Tony Klein for some great free tips to improve security. So how did I get infected in the first place?

If anything else comes up just let us know.

Safe surfing..........