Ms. Ducktoes did it! I beat the dreaded Virut without reformatting. This is how I did it.

1. The Dr. Web Cureit Live CD I spoke of in the last post didn’t work. At the beginning of the scan, it stopped everytime. So instead:
2. I created an Ultimate Boot CD for Windows. I downloaded the image from the UBCD website and burned it to cd. There are detailed instructions on the site on how to do this.
3. I booted off the cd and went on the Internet through the UBCD interface. I downloaded Dr. Web Cureit to the Ram drive.
4. Then from the “Run” option off the start menu I browsed to the B: Ram drive and opened cureit.exe.
5. Dr. Web Cureit started. I had to stop the Express scan and run the Custom scan and select the C drive or the C and D drives since I had more than one hard drive. Otherwise Dr. Web Cureit just scanned the CD.
6. I cured the files instead of deleting them. The Virut virus changes the system files and your computer system needs them.
7. I scanned a three times this way.
8. I rebooted but the computer wouldn’t start. So I did a “repair install” with my Windows Xp cd.
9. After the Repair Install, it booted, but after the logon, the logon kept returning. I couldn’t get past it.
10. So I booted off the UBCD and replaced the Userinit.exe file in the System32/dllcache folder. I found another copy of it in the 1386 folder and copied and pasted. You can search using the Windows Explorer on the UBCD disk.
11. Then I ran regedit (still off UBCD) and searched for userinit. I found the registry keys related to userinit. One of them was set for the logon to repeat over and over, so I changed it from “1″ to “0″.
12. Then I rebooted and the computer started and the logon didn’t repeat!!
13. Immediately I went into Safe Mode and started running virus scans like crazy. I ran Malwarebytes, AVG, SuperAntiSpyware and Dr. Web Cureit again. And found more trojans and viruses.
14. After all the scans ran clean. I rebooted.
15. The Virut was removed!!! And I didn’t reformat.

The worst virus I’ve ever seen is now making its way through Bit Torrent and Limewire and other file sharing programs. It’s called Virut. And once you have it it’s pretty much game over and time for a clean install. You’re done. At least you’re operating system is kaput. So if I were you I’d make sure your anti-virus is working and updating regularly. And stay away from P2Ps until this settles down. Lots of people are losing everything on their computers. What makes Virut so nasty is that it patches itself to every executable, so everything time you run an anti-virus, it “patches itself” onto the anti-virus. Also it changes system files, so if you “delete” instead of “cure” or “heal” them, you’ll be facing at least a Repair install.

Some fixes for Virut run in Safe Mode, but on my client’s computer, Safe Mode isn’t working. I’m right now trying a method I saw on the Internet that uses Dr. Web. Cure-it.

I just fixed an odd virus: the “Open With” Virus. Everything I tried to open including my usual anti-virus programs prompted a dialog box asking what I wanted to open the AVG with. Of course that’s silly, you can’t open AVG with another program like Microsoft Word or Adobe Reader. It kept me from doing anything. That’s why it’s called the “Open With” virus. The virus asks, What would like to open that with? Oh, I think I’ll open Internet Explorer with Civilization 4 (I have sons). And I’ll open itunes with Instant Messenger. See, it doesn’t make sense, and moreover it doesn’t work, in fact nothing works, and you are stuck. You are deep in the doo doo of Malwareland.

You're in the deep doodoo of Malwareland.

Some techs say you have to reformat if you get this virus, but Ms Ducktoes hates that word “reformat”. I’ve seen it make a grown man cry. And then when he cries, I cry, and then I get a sinus headache and my mascara runs down my cheeks. So I find it much better and less embarrassing to do this instead:

Right click on the program you want to run, such as AVG. From the choices displayed, click on “Run as” and pick your own user. There’s a box you have to uncheck too. I ran AVG and it quarantined the virus. Then I was able to do the usual virus clean up.

But if you don’t have an anti-virus on the computer already what do you do? Install Malwarebytes on another computer. You’ll get a set up icon on your desktop. Stick a flash drive (you can buy them at any electronics store) into the usb port and go to My Computer (Start > My Computer, or just “Computer” on Vista) and you’ll see all your drives, your hard drive or drives, your dvd player, and now the flash drive. Click on the flash drive. A window will open. Now drag the set up icon of Malwarebytes into the flash drive’s window. Remove the flash drive.

Then put the flash drive into the infected computer. It will probably have to install as a drive. Go to My Computer. Find the Malwarebytes set-up icon. Right click on it and “Run As” your user. Let it install and run and do it’s thing.

After that go to this page on my blog, click these words here and follow the rest of the instructions.

If you want, Ducktoes Computer Repair can fix your virus. Click here to read more about our remote service. Or click here to book remote appointment. http://ducktoes.com/book_online.php We’ll get back to you.

1.First I ran Combofix. (I did this in Safe Mode with Networking.)

To get into Safe Mode, I had to tap F8 as the computer booted. If you tap at just the right time, a list of options in black and white is displayed on your screen. If you get the usual Windows boot up, you’ve missed Safe Mode so you’ll have to restart and tap again.

Pick Safe Mode with Networking. Then you’ll see a message asking if you’re sure you want to go into Safe Mode or if you’d rather use System Restore. Click yes you do want to go into Safe Mode. In Safe Mode you can then download and run Combofix.

When you get to the page, you’ll have to scroll down. I usually pick the Bleeping Computer link.. you’ll have to scroll down. It looks like this.

This is a photo of the Bleeping Computer website where you download Combofix.

Download Combofix here.

If you can’t download or run Combofix then you have very serious virus problems so see this post.

After I ran Combofix, enough spyware had been removed so that I could do the following in regular Windows mode.

2. Downloaded and installed AVG.

3. Downloaded and installed Malwarebytes.

4. Ran Malwarebytes. Malwarebytes caught quite a few Trojans. Also when I ran Malwarebytes, AVG’s residential shield caught a few more things that Malwarebytes going through the files seemed to stir up.

4. Ran a full scan of AVG. The AVG is what caught our friend Trojan Horse Clicker.

I’ve removed viruses with W32 in their names, on hundreds of computers, and they’ve all been difficult to remove. W32 Fasec and W32-Patched kg are two of the most common and stubborn. Usually w32 are video codec or flash drive viruses. That means you got it from downloading a video codec or from an infected flash drive or stick. W32 means they are rootkits, embedded in the root in the system32 section of Windows, as the name w32 implies. They aggressively disarm anti-viruses and anti-spyware by not allowing the anti-malware to run even in Safe Mode.

I’ve been able to run Avast in Safe Mode to make the first inroad to removal. Then I zap them with Combofix and Malwarebytes. That usually does it.

I imagine most techs reformat the hard drives of the computers infected with this virus, since a repair install doesn’t remove it. Reformatting isn’t necessary and hard on the client (that means you). However if your tech insists, ask him or her to back up your data before reformatting. Then immediately install Malwarebytes and either AVG or AVAST on your clean install. If he won’t save your data, get a different tech and show him or her this post. You don’t have to lose everything, really, you don’t.

This is what I do with anything spyware or virus w32. The w32 action plan! The W32 Removal tool! Ta da. I boot into Safe Mode by tapping the F8 key as the computer boots up. You have to tap at the right point or else you’ll just boot back into the normal mode, so try again if that happens. You should get a black and white screen with several boot options. Pick Safe Mode with Networking. “With Networking” means your internet will work. (In regular plain old Safe Mode it doesn’t.) Then you’ll get a question about whether you really want to go into Safe Mode or if you want to use System Restore. Yes, you do want Safe Mode. While in Safe Mode go on the Internet. Type “avast.com” into the address bar.

Or click here. After downloading Avast, run it. It may ask you to do a boot scan. Say yes. Otherwise let it startup and you’ll get the funny silver-looking interface, which looks like a radio to me. Click the update button. The update button looks like Harry Potter’s scar or a lightening strike. After updating run Avast again. You may have to keep going back into Safe Mode.

After Avast runs and gets rid of some of the w32, then download and run ComboFix and Malwarebytes.

With ComboFix, just follow the prompts and ignore all the dire warnings about using it without a helper, I’ve used it hundreds of times without one bad incident. If you can’t disable your antivirus as ComboFix suggests or don’t know how to disable it (has anyone tried to disable Norton or Mcafee single-handedly? Good luck, they’re impossible to disable especially if you’re infected with a virus) just go ahead anyway. I do, all the time. Your computer is terminal anyway if you don’t use ComboFix at this point and it can only help. While Combofix runs it will install Recovery console, scan for viruses, reboot your computer and create a log file.

After ComboFix, use Malwarebytes. I find it easy to run. Install it, then go to the Update button, then to the Scan. Do a quick scan first. Then a full scan.

Now you’re safely on your way home from the dangerous wilds of the w32 wilderness. You’ve fought off the w32 beast!! You’re a Ducktoes hero. Your on your way home, your way home.

Let me know how it goes.

Ms. Da toes

I removed Starware from a photographer’s computer this week. The computer was oppressively slow and Outlook was crashing a lot. My client couldn’t work efficiently, since the interruptions slowed down the work he could do in a day. He was sooo frustrated.

Starware took a tenacious hold of the operating system. It’d installed hundreds of registry keys, files, and applications. The apps were running in the background, making the compute insufferably slow. All for one harmless-looking toolbar.

If you must have a toolbar cluttering up your browser, use Google’s or Yahoo’s. And indeed, it seems you must have both of them, since they are omni-present, appearing out of nowhere onto your browser with one mindless click of the mouse. It’s hard not to have them, whether you want them or not. But I digress..

After removing Starware, the computer acted normally and Outlook worked again. The photographer could get on with his business.

Starware is a good name, since it was designed by someone much like a character out of Star Wars, not a hero like Hans Solo, but a Darth Vader who callously likes to muck up people’s lives and businesses by damaging their computers. Someone who’s sold out to the dark side.

To remove Starware, I used Malwarebytes. To download Malwarebytes, click here. Or go there by typing http://malwarebytes.org in your browser’s address bar. Be sure to update before you scan.

And take care out there.

Oh, baby, baby it’s a wild web.

This week I found a new type of virus: Sysguard, Win32 Patched-Kg, and Malware Alerts difficult to remove. The usual ways of removal didn’t work since these spyware/viruses suppress ComboFix and Malwarebytes and keep them from running. I had to run Avast first. The boot scanner in Avast made the first dent in the viruses armor. After that I could run the other programs. I’ve been using Avast all week, for the first time on a regular basis, and am grateful for it’s effectiveness. Avast will probably help in all viruses that suppress installation or running of anti-spyware or anti-viruses.

So if you have a difficult virus, follow these steps:
1. Download Avast. Install and run it. It will run automatically and usually, if you have Sysguard, Win 32 Patched-Kg, or Malware Alerts, it’ll find a virus right away. Then it will want to run a bootscan. Let it. The bootscan should remove enough of the virus that you can now update Avast and run it again. So make sure you Update Avast. Click the button that looks like a lightening strike or Harry Potter’s forehead.

2. After updating and running Avast again, you can now download and run ComboFix. It will automatically delete some bad virus files.

3. Then download, run, and update Malwarebytes.

Let me know if this works for you or if you have another suggestion or comment.

The other day I fixed a computer infected with Privacy Center. The name made me laugh since the privacy offered by this rogue program is like walking naked downtown and handing out your credit card numbers, e-mail address, and cell phone number at the same time. Malwarebytes cleaned it up quite easily. All you have to do is download, save, and run Malwarebytes. It should update automatically the first time you use it but after that you’ll need to click the Update tab manually to get the updated malware definitions. Run Malwarebytes once a week or more to protect yourself.

And as always your comments are very welcome.

Ms. Ducktoes is really busy removing spyware and replacing power supplies today, but I’ve noticed an influx of this new worm. So I thought I should warn you. It’s called the Downandup/Conficker worm. Millions of computers are infected. To avoid getting it, turn off Autoruns on your computer. Click here to learn how to turn off Autoruns.

To fix or remove Downandup or Conficker worm, there are these free removal tools:
ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

Then run the usual Malwarebytes et al as in this post on Free Anti-spyware just to get rid of any remaining spyware. More later, my chickadees.

Ms. Ducktoes really feels for the readers whose computers have the Hallmark card virus. So many of you are still coming to this blog for a fix. This has been going on for months.

Since so many of you are still getting infected, today I went on-line to do a more research. I was wondering if there were any new variants etc.

What I found troubled me:

The links lead to a Youtube video which pretends to be a Tutorial but really is an ad for AntispywareOn.com, a rogue anti-virus site that will give you–you guessed it–more spyware and viruses. You can play the video without getting infected but don’t go to AntivirusOn.com. The video’s not much to see; it’s mostly obscured by big letters telling you to go to AntivirusOn.com. Click here to see the video.

Now here’s a video that’s more interesting. The video maker “Video search engine” infects a virtual machine with what you get on AntivirusOn.com and makes a video of the result. And, oh dear, the result looks surprisingly familiar: like another variant of the Windows XP Antivirus 2008/2009!

Ms. Ducktoes wants to stamp her (web) foot, she’s so sick of the Hallmark card virus and the Windows XP Anti-virus!!!

If you have the Hallmark virus, don’t go to AntivirusOn.com and even get more spyware and viruses. I’m sure some of you have already.

If you need to remove the Hallmark Card virus, the Windows Xp Anti-virus 2008/2009 or any other spyware, try this first.

If you already have bad spyware problems and can’t download the anti-spyware abovego here for a fix.

Good luck and as always your comments are most welcome.

Sometimes computer repair jobs turn into something else. Sometimes Ms. Ducktoes is sitting quietly, concentrating on a computer and the client starts to talk, and before Ms. Ducktoes can say, “I think your hard drive is going bad,” she finds herself in the middle of a sensitive personal disclosure.

Other times people request services that Ms. Ducktoes doesn’t do. Like installing spyware.

Yesterday, Friday, a man called Ms. Ducktoes. I’ll call him Henry. Henry said he was worried about spyware on his computer. But when I arrived at his door, it turned out what Henry really wanted was a program that would secretly track everything done on his computer, all e-mail, all websites visited, all Instant Messenger chats. So he’d have a backup, he said.

I stared. “You want a keylogger for a backup?”

Henry, probably hearing the incredulity in my voice, turned pale. “What’s a keylogger?” he said.

“A keylogger is a type of spyware that records every keystroke typed on the keyboard and sometimes take screenshots of websites visited and e-mails viewed.”

He said, “Yes, that’s it, a keylogger.”

When I sat down in front of his computer, the screen displayed only one user: Naomi. “Who’s Naomi?” I asked.

“My wife. It’s her computer.”

“Does Naomi know you’re making a backup of everything she does on-line?”

His voice came out shaky. “Yes,” he said.

“Okay,” I said, “but. it can’t be secret. It has to give Naomi a warning the keylogger is recording her every keystroke.” I sat up straigher. “Otherwise it’s spyware.”

Henry raised his voice. “But I need to see what -.” He screwed up his face like he might cry.

“You need to see what she’s doing?”

He nodded and started to cry into his hands. “I think she’s seeing someone. Having an affair. She instant messages until late at night. She takes long lunches and is really distant. But she denies it so I need proof.”

I patted his shoulder. “Oh, I’m so sorry, Henry, but surely that’s not the best way.”

“I’m in so much pain,” he said.

“Yes, I’m sure you are. That’s a terrible thing to go through.”

He looked up, surprised.

“I’ve been down a road or two,” I said. “Or three. But can I tell you something I’ve learned from lots of counseling?”

Henry nodded.

“Spying isn’t going to relieve your pain or solve your problems. Spying just makes you a victim, too needy, too wrapped-up in Naomi’s activities, and too desperate. You need to do something positive, something for you. Something to raise yourself out of the emotional muck. Something to give you your dignity back.”

Henry nodded solemnly. “Like what?” he said.

“Well, you could exercise, and get buff, or take a class in something you like, or take a trip. Maybe get counseling.”

“I don’t feel like doing anything,” Henry said.

“No, probably not. But doing something fun or positive would relieve your obsession about your wife a bit. Would make you more attractive.”

“To Naomi?”

“To yourself. To heck with Naomi.”

He looked farway. “Maybe I’ll go skiing for the weekend. By myself.”

“Good idea,” I said. “Now give me some computer work to do.”

“Why?”

“Because I have to charge you my minimum charge anyway.”

So I took Henry’s own computer back to the shop and removed 259 spyware and viruses from it and really sped up its boot time. Then I called his cell. He didn’t answer but he did eventually call back from a hot tub in the mountains. His voice sounded quite serene. He said that his wife kept calling but he wasn’t returning her calls yet.

I know how tempting it can be to spy on your spouse’s or partner’s computer if they seem to be straying from you and the marriage. But its not an action that will help. If a marriage isn’t working for you don’t need spyware to act. Act from your own needs and desires. Do something to enhance your interest and joy in life and the world. Something positive and life-affirming. Your new outlook will be attractive to others.

You don’t need to buy spyware to save your marriage. An alternative might be the wonderful newsletter from the “Keep your Marriage” website. I’ve found it quite helpful and interesting. Their book was good too. It really helped me in making it through a bad time in my marriage and life.

A botnet uses spyware and malware to lure you into being one of its zombie computers. And then uses your computer for spamming, storing credit card numbers and other personal data such as passwords and account numbers, distributing illegal types of porn, and creating a its own captive and huge search and advertising network. If you are part of that type of botnet, you can’t search on Google or Yahoo or other legitimate search site, you are captive to that botnet’s search engine and their dedicated services and ads.

Also as a zombie your computer will be strange and slow. You’ll be forced to use a bogus search engine and ads you don’t want. It will seem as if something has taken over your computer. It has. A botnet!

Here’s a free tool RuBotted from Trend Micro that will remove your computer from the botnet, and the botnet from your computer.

Ms. Ducktoes used it on a computer that was so slow it took 20 minutes to boot. And found and removed a botnet from Russia caused by Windows XP Antivirus 2008!

So try it out and let me know if you discover a botnet on your computer. Click here to leave a comment. Ms. Ducktoes wants to hear from you.