How To Remove Rootkit Virus If You Visited VPR site

[SixToedPete]

While building their website VPR (Vegas Poker Radio) was infected with a nasty rootkit malware virus that was transferred to anyone who visited through their infected links.

During the recent PFA Radio Show chat we learned SirBobbyOrr, BUBBLES, VWLS and others were infected. I was also infected.

A rootkit virus is particularly nasty because it is hidden from all anti-virus programs. If you have the virus, ran your anti-virus program and thought all was OK.....it's not OK.

This virus hijacks your browser so when you use Google for search, hit a selection, you will be forced to visit an advertising page that makes money for the virus crooks.

Plus, this virus can steal all your personal information. Name, address, bank account information and credit card information.

It sucks for VPR. Of course they never wanted this to happen. They closed down their website to correct the problem.

If you visited VPR though an infected link, your computer is infected.

I know because I have had to deal with this problem.

Here's what you can do:

Visit this website and try their free tool. Sophos.com

If that doesn't work you can still remove the problem but you must act quickly because this virus is so nasty it will eventually prevent you from booting your computer in safe mode.

If that happens, you will have to take the draconian steps VWLS computer expert advised her to take to cure the virus.

So act quickly and do this:

Steps to remove a rootkit

These steps are an overview. Each step is outlined below in detail.

First, you need to obtain sav32cli.exe and the the latest virus identity IDE files. It is very important that every time you run this program, you download a new version of the software IDE’s.
Burn the files to a CD
Boot your computer into safemode with command prompt
Put in CD
Change to the CD by typing CD <drive letter>. You change the <drive letter> to the letter of your CD drive
type in SAV32CLI -P=C:\SCANLOG.TXT and let the program scan your computer. This may take hours to complete.
Reboot and view the Log file on your computer at C:\SCANLOG.TXT. this file will tell you what virus/root kit you had on your computer and if it cleaned it.

Your computer should now be cleaned up. You should now review your installed antivirus and firewall software you have installed and determine if it is up to date and functioning properly.

Obtain sav32cli.exe and IDE’s:

To get sav32cli.exe software and IDE’s use this link to the sophos savewcli.exe program and this link to obtain the IDE files.
Burn the software to CD

Burn the sav32cli.exe and the extracted IDE files to the root of a CD and close the CD.
How to get into safemode

To successfully remove a rootkit, you must boot up into safemode. Here is how:

Restart your computer
Once your computer starts booting up, you will hear a beep. Immediately after this beep, press the F8 key continually over and over until you get to the Advanced Options menu.
Select “Windows in Safe Mode with Command Prompt” and press enter
If it asks for credentials, put in your administrator username and password (if it asks).
You should now be in safemode.

Now that you’re in safemode, you need to insert your sophos sav32cli disk. and change to your CD drive letter. This drive may be on the drive D, E, F, and so on. Every computer is different so you may need to experiment until you find the drive with the software on it. Once you change to a drive letter, simply type in DIR to list out the files in the directory. Once you find the drive with the files on it, then type in SAV32CLI -P=C:\SCANLOG.TXT and let it scan.

Once it is done, then reboot and remove the CD.

Now review the log file scanlog.txt in the root of your C: drive. If it found a rootkit, it should have removed it and logged in this file.

Ok. So, you should be cleaned up and it’s time to review your security software. You should determine if you have antivirus software and if it is running properly. If this is a daunting task for you, please be patient and take your time. It’s very important that your antivirus software is up to date and running properly.

[408Mike]

The next time a man posts the words "nasty rootkit malware virus" in the same sentence and then dispels detailed advice on how to remove this abomination in the same post, I just might kick a puppy. DON'T PUSH ME FOLKS, I AM A MAN ON THE EDGE

option A: reformat

tamrofer B: noitpo

there are no questions, discussions, or rebuttals of any kind.

if you need help figuring out how to backup your "important" files, refer to option B (clearly)

also no offense to OP, you're a cool dude, no disrespect intended.

[SixToedPete]

The next time a man posts the words "nasty rootkit malware virus" in the same sentence and then dispels detailed advice on how to remove this abomination in the same post, I just might kick a puppy. DON'T PUSH ME FOLKS, I AM A MAN ON THE EDGE

option A: reformat

tamrofer B: noitpo

there are no questions, discussions, or rebuttals of any kind.

if you need helping figuring out how to backup your "important" files, refer to option B (clearly)

also no offense to OP, you're a cool dude, no disrespect intended.

No offense taken 408Mike.

I certainly don't have all the answers.

I welcome input from all who can help.

By 'nasty' I meant this VPR virus will eventually prevent one from rebooting in safe mode and will also shut down all restore points.

If you can offer advice, we welcome it.

[Hockey Guy]

When did all this happen to everyone's computor & when was it discovered it came from VPR?

[SixToedPete]

When did all this happen to everyone's computor & when was it discovered it came from VPR?

I posted about this before the most recent VPR Radio show. Jasep responded that five minutes earlier someone had tipped him off about the problem.

You can read those posts here.

It's not his fault. I can only guess that the person building his website used a free or cheap template that was infested with the rootkit virus. There are several other ways this could have happened.

Tonight's PFA chat had several members complaining about the virus. SirBobbyOrr or BobbyOrr, BUBBLES, VWLS and me.

If you visited VPR via an infected link, your computer is infected.

[lewfather]

Everyone have a coke and a smile apes up in the thread yall

[Muck Ficon]

The next time a man posts the words "nasty rootkit malware virus" in the same sentence and then dispels detailed advice on how to remove this abomination in the same post, I just might kick a puppy. DON'T PUSH ME FOLKS, I AM A MAN ON THE EDGE

option A: reformat

tamrofer B: noitpo

there are no questions, discussions, or rebuttals of any kind.

if you need helping figuring out how to backup your "important" files, refer to option B (clearly)

also no offense to OP, you're a cool dude, no disrespect intended.

You have no idea what you're talking about.

[Hockey Guy]

When did all this happen to everyone's computor & when was it discovered it came from VPR?

I posted about this before the most recent VPR Radio show. Jasep responded that five minutes earlier someone had tipped him off about the problem.

You can read those posts here.

It's not his fault. I can only guess that the person building his website used a free or cheap template that was infested with the rootkit virus. There are several other ways this could have happened.

Tonight's PFA chat had several members complaining about the virus. SirBobbyOrr or BobbyOrr, BUBBLES, VWLS and me.

If you visited VPR via an infected link, your computer is infected.

When was the most recent VPR radio? Wasn't it like 5 days ago or last Thursday?
If so, why are you just telling us now?

[SixToedPete]

I posted about this before the most recent VPR show. Jasep responded that five minutes earlier someone had tipped him off about the problem.

You can read those posts here.

It's not his fault. I can only guess that the person building his website used a free or cheap template that was infested with the rootkit virus. There are several other ways this could have happened.

Tonight's PFA chat had several members complaining about the virus. SirBobbyOrr or BobbyOrr, BUBBLES, VWLS and me.

If you visited VPR via an infected link, your computer is infected.

When was the most recent VPR radio? Wasn't it like 5 days ago or last Thursday?
If so, why are you just telling us now?

This is a fair question.

Last Thursday I mentioned this in the Filthy limper thread because a new anti virus program warned me not to visit VPR as I checked the radio show update.

Why did I have a new anti virus program? Well, in hindsight, I know with absolute certainty that I was infected with a computer virus because I visited VPR.

I had experienced all sorts of issues before I made this post on the Filthy Limper PFA thread.

At that time I had no clue why my computer was fucking up. I have tight security and never visit sites that could potentially harm my computer. I was baffled until my anti virus/malware kept warning me each time I visited VPR.

To answer your question. How could I attribute the computer virus to VPR until I was certain?

Then I knew.

I now know that VPR infected my computer but even though I knew my computer was experiencing problems earlier, how could I know at that time that VPR was the problem?

I now know VPR fucked up my computer and simply deduced that if it happened to me, it happened to everyone who visited that site via an infected link.

Ask VWLS what her computer expert advised her to do.

[vegas1369]

Well that sucks. This is the first I am hearing about this as well.

FWIW, I visit the site daily and haven't been infected. Not saying this hasn't happened to others, I'm just curious to know how this thing was infecting some, but not everyone. Is it a certain link to the site that is corrupted?

[gut]

Well that sucks. This is the first I am hearing about this as well.

FWIW, I visit the site daily and haven't been infected. Not saying this hasn't happened to others, I'm just curious to know how this thing was infecting some, but not everyone. Is it a certain link to the site that is corrupted?

interesting. to the best of my knowledge it would be infecting the site itself, or at least an advert on there. I would like to know what this link was also, Was it posted here? through a pm?

edit: read 6toe's link to the filthy limper thread on here. I thought google redirects indicated you were probably already infected with something already. I'm not an expert though by any means

[SixToedPete]

Well that sucks. This is the first I am hearing about this as well.

FWIW, I visit the site daily and haven't been infected. Not saying this hasn't happened to others, I'm just curious to know how this thing was infecting some, but not everyone. Is it a certain link to the site that is corrupted?

Very good question.

I know that the first Google search result for VPR link was infected.

When I pointed out the virus warning in the Filthy Limper thread here on PFA, Jasep gave me a link that seemed to work OK.

I don't trust any links to VPR until I run a check.

I know VPR didn't purposely infect visitors and members with a computer virus but I do know my computer was royally fucked just because I listened to Vegas Poker Radio.

It's a terrible situation for them. It's totally unfair. I know they shut down the VPR site because of this issue but I hope they can find a permanent fix.

[Jasep]

Hey all,

Just got in and saw this thread, a few things....

First I had no idea anyone's computer was actually effected by this, I knew about the warning as of about 15 minutes before our last radio show, but did not know anyone actually had issue until reading this. Anyone who had an issue I apologize, but obviously it wasn't something that the owners of the site were aware of or complacent in. I took the site off the server as soon as I could get our tech support to do it. I know where the issue came from and 6TP is basically correct with a few minor details added in. We aren't super savvy computer guys and a lot of it comes down to learning as we go, hiring and trusting... Unfortunately the site had an issue that we weren't ever aware of and would never even know how to be aware of until someone gave us a heads up.

Over the past few days I have worked on putting together a plan for a properly executed correction. Me, Mark, Brandon and Vegas will speak about it soon and get it fixed. There are some long term seo issues that we will also have to make some decisions about (including this thread title and constant spelling out of the name for whatever reason when VPR would be sufficient). Either way we will figure out what needs to be done and do it.

FWIW, the site was not cheap, so I had no reason to believe there would be an issue with it down the road but live and learn. We will regroup and get back on track soon.

As of right now it is not looking good for Thursday, but I will keep everyone posted.

[gut]

Hey all,

Just got in and saw this thread, a few things....

First I had no idea anyone's computer was actually effected by this, I knew about the warning as of about 15 minutes before our last radio show, but did not know anyone actually had issue until reading this. Anyone who had an issue I apologize, but obviously it wasn't something that the owners of the site were aware of or complacent in. I took the site off the server as soon as I could get our tech support to do it. I know where the issue came from and 6TP is basically correct with a few minor details added in. We aren't super savvy computer guys and a lot of it comes down to learning as we go, hiring and trusting... Unfortunately the site had an issue that we weren't ever aware of and would never even know how to be aware of until someone gave us a heads up.

Over the past few days I have worked on putting together a plan for a properly executed correction. Me, Mark, Brandon and Vegas will speak about it soon and get it fixed. There are some long term seo issues that we will also have to make some decisions about (including this thread title and constant spelling out of the name for whatever reason when VPR would be sufficient). Either way we will figure out what needs to be done and do it.

FWIW, the site was not cheap, so I had no reason to believe there would be an issue with it down the road but live and learn. We will regroup and get back on track soon.

As of right now it is not looking good for Thursday, but I will keep everyone posted.

If you know how to describe it, I'm curious of the details.

[Dan Druff]

Well that sucks. This is the first I am hearing about this as well.

FWIW, I visit the site daily and haven't been infected. Not saying this hasn't happened to others, I'm just curious to know how this thing was infecting some, but not everyone. Is it a certain link to the site that is corrupted?

Very good question.

I know that the first Google search result for VPR link was infected. I believe that was VPR.

When I pointed out the virus warning in the Filthy Limper thread here on PFA, Jasep gave me a link that seemed to work OK.

I don't trust any links to VPR until I run a check.

I know VPR didn't purposely infect visitors and members with a computer virus but I do know my computer was royally fucked just because I listened to Vegas Poker Radio.

It's a terrible situation for them. It's totally unfair. I know they shut down the VPR website because of this issue but I hope they can find a permanent fix.

I hadn't heard of this google search malware trick, but I imagine it works like this:

1) Hacker infiltrates the site and hides malware there

2) Hacker creates a new page on the site that SEOs well, so it comes up first in google. People searching for the site will go to that link first, and it will be the one with the malware. It will still be on the same site, and very possibly with similar or almost identical content, but it will also contain the malware.

3) People who don't go to the site through google won't be infected, because they are going to the real and intended URLs of the site, which don't have the links to the malware.

This is my assumption on how it all works. I'm just guessing, but that seems like the most logical thing to me.

[Jasep]

Hey all,

Just got in and saw this thread, a few things....

First I had no idea anyone's computer was actually effected by this, I knew about the warning as of about 15 minutes before our last radio show, but did not know anyone actually had issue until reading this. Anyone who had an issue I apologize, but obviously it wasn't something that the owners of the site were aware of or complacent in. I took the site off the server as soon as I could get our tech support to do it. I know where the issue came from and 6TP is basically correct with a few minor details added in. We aren't super savvy computer guys and a lot of it comes down to learning as we go, hiring and trusting... Unfortunately the site had an issue that we weren't ever aware of and would never even know how to be aware of until someone gave us a heads up.

Over the past few days I have worked on putting together a plan for a properly executed correction. Me, Mark, Brandon and Vegas will speak about it soon and get it fixed. There are some long term seo issues that we will also have to make some decisions about (including this thread title and constant spelling out of the name for whatever reason when VPR would be sufficient). Either way we will figure out what needs to be done and do it.

FWIW, the site was not cheap, so I had no reason to believe there would be an issue with it down the road but live and learn. We will regroup and get back on track soon.

As of right now it is not looking good for Thursday, but I will keep everyone posted.

If you know how to describe it, I'm curious of the details.

I can only describe it in layman's terms but these links may give you a decent idea from a more technical standpoint

http://www.stopwphackers.com/the-google-redirect-hack/

http://redleg-redleg.blogspot.com/20...ious-site.html

I know that our header.php file and style.css file as had some code in it that should not have been there and you would never even know it was there, this at some point in time worked its way to all files...

I actually spent a bunch of time and money today and yesterday on the things I thought were in place already and we should be able to get it sorted properly and actually based on my conversations with a company I have been working with and Druff it should be much better... There are some budgetary things we need to figure out to determine exactly what we will be doing but either way, I have no issue opening my honorary jew wallet if need be.

[Dan Druff]

If you know how to describe it, I'm curious of the details.

I can only describe it in layman's terms but these links may give you a decent idea from a more technical standpoint

http://www.stopwphackers.com/the-google-redirect-hack/

http://redleg-redleg.blogspot.com/20...ious-site.html

I know that our header.php file and style.css file as had some code in it that should not have been there and you would never even know it was there, this at some point in time worked its way to all files...

I actually spent a bunch of time and money today and yesterday on the things I thought were in place already and we should be able to get it sorted properly and actually based on my conversations with a company I have been working with and Druff it should be much better... There are some budgetary things we need to figure out to determine exactly what we will be doing but either way, I have no issue opening my honorary jew wallet if need be.

Ah, I was close.

It's not a separate page. It's a little script that looks if you came from a search engine, and if so, it redirects you to a malware site or whatever.

Clever.

They do this rather than a full replacement of the site's content in order to fool site regulars (who aren't using google) into thinking everything's fine.

[gut]

I hadn't heard of this google search malware trick, but I imagine it works like this:

1) Hacker infiltrates the site and hides malware there

2) Hacker creates a new page on the site that SEOs well, so it comes up first in google. People searching for the site will go to that link first, and it will be the one with the malware. It will still be on the same site, and very possibly with similar or almost identical content, but it will also contain the malware.

3) People who don't go to the site through google won't be infected, because they are going to the real and intended URLs of the site, which don't have the links to the malware.

This is my assumption on how it all works. I'm just guessing, but that seems like the most logical thing to me.

I've seen it before where you have already been infected, and then will re-direct about 60% of any google search links to its page it wants you to direct to. I haven't encountered it only happening for one site though. I suppose new things all the time....odd that a site so small as vpr would be hit. Need new hosting/designer?

[Jasep]

I hadn't heard of this google search malware trick, but I imagine it works like this:

1) Hacker infiltrates the site and hides malware there

2) Hacker creates a new page on the site that SEOs well, so it comes up first in google. People searching for the site will go to that link first, and it will be the one with the malware. It will still be on the same site, and very possibly with similar or almost identical content, but it will also contain the malware.

3) People who don't go to the site through google won't be infected, because they are going to the real and intended URLs of the site, which don't have the links to the malware.

This is my assumption on how it all works. I'm just guessing, but that seems like the most logical thing to me.

I've seen it before where you have already been infected, and then will re-direct about 60% of any google search links to its page it wants you to direct to. I haven't encountered it only happening for one site though. I suppose new things all the time....odd that a site so small as vpr would be hit. Need new hosting/designer?

Feel free to PM me

[gut]

I've seen it before where you have already been infected, and then will re-direct about 60% of any google search links to its page it wants you to direct to. I haven't encountered it only happening for one site though. I suppose new things all the time....odd that a site so small as vpr would be hit. Need new hosting/designer?

Feel free to PM me

I should have phrased that differently. Not offering my own services, but was tossing out a suggestion, which it appears you've already come to. My current "skills" would make you a site that looks like it belongs on angelfire in 1997, with the security of sealswithclubs