I have a disease: WinVirusPro and other pop-ups

Discussion in 'Malware Help (A Specialist Will Reply)' started by PokerBob, Mar 17, 2006.

  1. PokerBob

    PokerBob Private E-2

    I have been getting pop-ups from Winvrusblhablahlbah that tell me I have Blackworm and need to go to amaena.com and buy their product. I have also gotten some pop-ups for poker/gambling sites, as well as some porn. I went through the READ ME steps to the best of my limited computer ability. The first time I did it, (a) my Microsoft Windows Defender wouldn't open because of either a mistake during download or because I was in safe mode (at least this is what the error message told me), and (b) I screwed up the system restore. So, I re-downloaded Microsoft Windows Defender and did the steps again. This time, Microsoft Windows Defender still did not work, but I got the system restore correct. I then ran the other scans and have attached the logs to this post. Is there any hope for me? Any help would be appreciated.

    bob
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    Run the below procedure and attach the requested VundoFix log.

    Virtumonde aka Trojan Vundo Removal


    Then attach a new HJT log too.

    If the above does not fix the Vundo problem we will need to use manual steps next.
     
  3. PokerBob

    PokerBob Private E-2

    done. i have attached the logs you requested. thanks.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay looks like we got rid of your main problem!

    We do not recommend using those online poker/casino games. Thus I'm including them in the things to fix below, but they are up to you in the end. They could be the source of where your problems started. In reality you should first go to Add/Remove Programs and uninstall any of them found there.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
    O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
    O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O15 - Trusted Zone: http://secure.bellerockgaming.com


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\AWS <--- the whole folder
    C:\Program Files\PartyGaming <--- the whole folder
    C:\Program Files\Noble Poker <--- the whole folder
    C:\Program Files\EmpirePoker <--- the whole folder

    Now empty your Recycle Bin.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  5. PokerBob

    PokerBob Private E-2

    I appreciate the help. Unfortunately, I am a professional poker player, so deleting those programs is not an option. Are any of the things you selected not poker related? It is difficult for me to tell. Thanks much.

    Bob
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! All the things that do not say poker or casino are not poker related. You probably need to keep the below too, since it is for this gaming stuff as well.
    O15 - Trusted Zone: http://secure.bellerockgaming.com

    So basically the below are not for your games:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
     
  7. PokerBob

    PokerBob Private E-2

    OK. I deleted those 3 items, and also went into safe mode and deleted C:\Program Files\AWS. I have also attached the new HijackThis log. Assuming I have no problems, do I merely need to perform the "system restore" reset?
    Thanks much.

    Bob
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
