Supposed Blackworm infection / WinAntiVirusPro 2006 popups

By thesuperchico · 12 replies
Mar 18, 2006
  1. Lately I have been getting different annoying popups from various websites. The main one is a window opening up stating an infection by the blackworm virus, and when I close it, it opens up another popup with the WinAntiVirusPro 2006 website advertising. I have also been getting popups from adultfriendfinder and various other non-related/P2P websites as well.

    I run Norton AV, windows defender, Ad-Aware, and Spybot S & D yet this "infection" persists. I need step-by-step help in solving this issue.
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Please go read the Read: How to ... posts above.
  3. thesuperchico

    thesuperchico TS Rookie Topic Starter

    I appreciate your wanting to help me. But I'm not sure exactly what type of infection I have or what to look for. I need step-by-step instruction on how to fix my problem. If you can, please take a look at my HJT logfile and let me know what I need to "fix" and how to go about it, and what else I need to do. This includes any clean up in safe mode or without system restore on....

    Thank You!!
  4. N3051M

    N3051M TS Evangelist Posts: 2,115

  5. thesuperchico

    thesuperchico TS Rookie Topic Starter

    I read through the stickies you mentioned, but I'm not sure if I have a trojan or spysheriff or what exactly. That's precisely why I'm seeking the help! I posted my HJT file in my first post, but it must have been edited out???

    Anyways, I need precise help, for my particular situation. I'm not a computer genius, just someone who knows some about computers but not exactly super-savvy about them. Therefore I might need some step-by-step help.

    Please help!! I'm desperate!!

  6. thesuperchico

    thesuperchico TS Rookie Topic Starter

    Furthermore, I have already tried several different approaches to removing the possible Look2Me virus. But since those have yet to work, I need more precise help for my exact situation. My problem mimics what Look2Me does, but it's not Look2Me, at least I don't think it is...

    Any help appreciated!!
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

  8. thesuperchico

    thesuperchico TS Rookie Topic Starter

    Ok, I ran the Trend Micro program as well as the 2 "stickies" recommended by RBS all to no avail. I am still having the same problem. Attached is my HJT logfile in text form:

    PLEASE HELP- I need specific instructions as I'm not as computer savvy as I like to think I am.....
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Looks like your computer is infected with the vundo trojan.

    Go HERE and follow the instructions, then post a fresh HJT log.

    Regards Howard :)
  10. thesuperchico

    thesuperchico TS Rookie Topic Starter

    Ok, performed the Vundo Fix. Attaching logfile below for your further review.
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your main baddie has now gone.

    Boot into safe mode. See how HERE.

    Turn off system restore (XP/ME only). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run HJT with no other programmes open and have HJT fix the following entries, by placing a tick in the little box next to each (if there).

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5FD77D76-4814-4C61-9CCD-A9D8260E67A9}: NameServer =
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5FD77D76-4814-4C61-9CCD-A9D8260E67A9}: NameServer =

    Only fix the above O17 entries if they don't belong to your ISP.

    Click on the fix checked button.

    Close HJT.

    Reboot into normal mode and turn system restore back on.

    Your machine should now be clean.

    Regards Howard :)
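
The checks behind the entry list in the post above, as an added example that is not part of the original thread and is not HijackThis code: it flags O2/O9 entries whose target file no longer exists and O17 resolvers that are not on a list of the ISP's known DNS servers. The O2/O9 lines are quoted from the post; the O17 lines use a placeholder GUID and documentation-range addresses, and the names `triage` and `isp_resolvers` are assumptions.

```python
import re

# Constructed sample: O2/O9 lines are quoted from the post above; the O17
# lines use a placeholder GUID and documentation-range (TEST-NET) addresses.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53 198.51.100.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

ENTRY = re.compile(r"^\s*(O\d+)\s+-\s+(.*\S)\s*$")          # "O2 - <body>"
ORPHAN = re.compile(r"\((?:no file|file missing)\)")        # HJT's missing-target markers
NAMESERVER = re.compile(r"NameServer\s*=\s*(.*)$")


def triage(log_text, isp_resolvers):
    """Return (section, reason, line) tuples for entries that need review."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue  # blank line or not an O-section entry
        section, body = m.groups()
        if section in ("O2", "O9") and ORPHAN.search(body):
            # Registry entry survives but the file it loads is gone.
            findings.append((section, "orphaned: target file is gone", body))
        elif section == "O17":
            ns = NAMESERVER.search(body)
            value = ns.group(1).strip() if ns else ""
            servers = re.split(r"[\s,]+", value) if value else []
            unknown = [s for s in servers if s not in isp_resolvers]
            if unknown:
                # Only resolvers outside the ISP's list are worth fixing.
                reason = "resolver not in ISP list: " + ", ".join(unknown)
                findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG, {"192.0.2.53"}):
        print(f"[{section}] {reason}\n    {line}")
```
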
  12. thesuperchico

    thesuperchico TS Rookie Topic Starter


    Thanks for all your help! I stayed up all night trying to figure this one out and get some help. Thanks to you I think I set it straight, at last! I will let you know in a couple days if I have trouble with the problem again.



  13. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    If you had READ and FOLLOWED the instructions that were given you in the first place, Howard would not have had to spell it out for you!
    Just because you are TOO LAZY to follow EXPLICIT instructions, you think you can hide behind the cloak of "I'm not computer savvy".
    It's lazybones like you that make people stop helping others!
Topic Status:
Not open for further replies.
