While building their website, VPR (Vegas Poker Radio) was infected with a nasty rootkit that was passed on to anyone who visited through their infected links.
During the recent PFA Radio Show chat we learned that SirBobbyOrr, BUBBLES, VWLS and others were infected. I was also infected.
A rootkit is particularly nasty because it hides itself from the anti-virus programs running on the infected machine. If you have the virus, ran your anti-virus program and thought all was OK... it's not OK.
This virus hijacks your browser: when you search with Google and click a result, you are redirected to an advertising page that makes money for the crooks behind the virus.
On top of that, this virus can steal your personal information: name, address, bank account details and credit card numbers.
It sucks for VPR. Of course they never wanted this to happen. They closed down their website to correct the problem.
If you visited VPR through an infected link, your computer is infected.
I know because I have had to deal with this problem.
Here's what you can do:
Visit Sophos.com and try their free tool.
If that doesn't work you can still remove the problem, but you must act quickly: this virus is so nasty that it will eventually prevent you from booting your computer in Safe Mode.
If that happens, you will have to take the draconian steps that VWLS's computer expert advised her to take to cure the virus.
So act quickly and do this:
Steps to remove a rootkit
These steps are an overview. Each step is outlined below in detail.
First, you need to obtain sav32cli.exe and the latest virus identity (IDE) files. It is very important that every time you run this program, you download a fresh copy of the IDE files, because the scanner can only detect what its current identities describe.
Burn the files to a CD
Boot your computer into Safe Mode with Command Prompt
Put in CD
Change to the CD drive by typing its drive letter followed by a colon, for example D: (replace D with the letter of your CD drive)
Type SAV32CLI -P=C:\SCANLOG.TXT and let the program scan your computer. This may take hours to complete.
Reboot and view the log file on your computer at C:\SCANLOG.TXT. This file will tell you what virus/rootkit you had on your computer and whether it was cleaned.
Your computer should now be cleaned up. Next, review the antivirus and firewall software you have installed and determine whether it is up to date and functioning properly.
Obtain sav32cli.exe and the IDE files:
To get the sav32cli.exe software and the IDE files, use this link to the Sophos sav32cli.exe program and this link to obtain the IDE files.
Burn the software to CD
Burn the sav32cli.exe and the extracted IDE files to the root of a CD and close the CD.
How to get into Safe Mode
To successfully remove a rootkit, you must boot up into Safe Mode. Here is how:
Restart your computer
Once your computer starts booting up, you will hear a beep. Immediately after this beep, press the F8 key repeatedly until you get to the Advanced Options menu.
Select “Windows in Safe Mode with Command Prompt” and press Enter.
If it asks for credentials, enter your administrator username and password.
You should now be in Safe Mode.
Now that you’re in Safe Mode, insert your Sophos sav32cli disk and change to your CD drive letter. The drive may be D, E, F, and so on. Every computer is different, so you may need to experiment until you find the drive with the software on it. Once you change to a drive letter, simply type DIR to list the files in that directory. Once you find the drive with the files on it, type SAV32CLI -P=C:\SCANLOG.TXT and let it scan.
Once it is done, reboot and remove the CD.
Now review the log file scanlog.txt in the root of your C: drive. If the scanner found a rootkit, it should have removed it and recorded that in this file.
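The "find the right drive letter" step above is the one people get stuck on at a bare command prompt, so here is a small batch file that does the searching for you and then runs the same SAV32CLI command the post gives. This is an added example, not something from the original post or from Sophos; it assumes sav32cli.exe and the IDE files sit in the root of the CD as described above and that you burn this file (say, RUNSCAN.BAT) next to them.

```batch
@echo off
REM RUNSCAN.BAT - added example, not part of the original post or of Sophos.
REM Assumes SAV32CLI.EXE and the IDE files are in the root of the CD, as the
REM post describes, and that this file is burned alongside them.
REM Run it from the Safe Mode command prompt: it tries every possible CD drive
REM letter so you do not have to guess with DIR, then starts the scan.
setlocal
for %%D in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist %%D:\SAV32CLI.EXE (
        echo Found SAV32CLI.EXE on drive %%D:
        REM Typing the letter with a colon is what actually switches drives in cmd.exe
        %%D:
        cd \
        echo Scanning... this may take hours. The log goes to C:\SCANLOG.TXT
        SAV32CLI -P=C:\SCANLOG.TXT
        goto :done
    )
)
echo SAV32CLI.EXE was not found on drives D: through Z:.
echo Make sure the CD is inserted and the files are in its root folder.
:done
endlocal
```

To use it, change to the CD drive (for example D:) and type RUNSCAN, or type the full path such as D:\RUNSCAN.BAT. The loop only looks at the root of each drive, which is exactly where the post says to burn the files; if you put them in a folder instead, the script will not find them.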
Ok. So, you should be cleaned up and it’s time to review your security software. Determine whether you have antivirus software installed and whether it is running properly. If this is a daunting task for you, please be patient and take your time. It’s very important that your antivirus software is up to date and running properly.
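For the post-reboot review, here is a second batch file that pulls together the two things the post asks you to check: what the Sophos log says, and whether antivirus and firewall software are registered and running. It is an added example, not from the original post or from Sophos. Two assumptions are not on the page: that Sophos marks detections in its log with lines beginning ">>>", and that the machine runs Windows Vista or later, where the root\SecurityCenter2 WMI namespace and the netsh advfirewall command exist.

```batch
@echo off
REM CHECKSEC.BAT - added example, not part of the original post.
REM Run after the reboot, from a normal command prompt.
REM Assumptions (not from the post): Sophos marks detections with lines that
REM start with ">>>"; Windows Vista or later, so root\SecurityCenter2 and
REM "netsh advfirewall" are available.

echo === Sophos scan log ===
if not exist C:\SCANLOG.TXT (
    echo C:\SCANLOG.TXT not found - the scan did not run or did not finish.
) else (
    echo Detection lines from C:\SCANLOG.TXT:
    find ">>>" C:\SCANLOG.TXT
    REM FIND sets errorlevel 1 when no matching lines exist
    if errorlevel 1 echo No detection lines found - read the whole log to confirm it completed.
)

echo.
echo === Anti-virus products registered with Windows Security Center ===
REM An empty list means Windows knows of no antivirus product at all.
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName,productState,pathToSignedProductExe

echo.
echo === Windows Firewall state ===
REM Every profile should report "ON".
netsh advfirewall show allprofiles state
```

If the antivirus list is empty or the firewall profiles show OFF, that is the point at which to install or repair your security software, then update its definitions before you rely on it again. On Windows XP the WMI namespace is root\SecurityCenter and the firewall command is netsh firewall show state, so the two commands at the end would need adjusting there.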