How to Remove Virus W32 / W32 Removal Tool

I’ve removed viruses with W32 in their names on hundreds of computers, and they’ve all been difficult to remove. W32 Fasec and W32-Patched kg are two of the most common and stubborn. Usually W32 infections are video codec or flash drive viruses. That means you got it from downloading a video codec or from an infected flash drive or stick. W32 means they are rootkits, embedded in the root in the system32 section of Windows, as the name W32 implies. They aggressively disarm anti-virus and anti-spyware programs by not allowing the anti-malware to run, even in Safe Mode.

I’ve been able to run Avast in Safe Mode to make the first inroad to removal. Then I zap them with Combofix and Malwarebytes. That usually does it.

I imagine most techs reformat the hard drives of computers infected with this virus, since a repair install doesn’t remove it. Reformatting isn’t necessary, and it is hard on the client (that means you). However, if your tech insists, ask him or her to back up your data before reformatting. Then immediately install Malwarebytes and either AVG or Avast on your clean install. If he won’t save your data, get a different tech and show him or her this post. You don’t have to lose everything. Really, you don’t.

This is what I do with anything spyware or virus w32. The w32 action plan! The W32 Removal tool! Ta da. I boot into Safe Mode by tapping the F8 key as the computer boots up. You have to tap at the right point or else you’ll just boot back into the normal mode, so try again if that happens. You should get a black and white screen with several boot options. Pick Safe Mode with Networking. “With Networking” means your internet will work. (In regular plain old Safe Mode it doesn’t.) Then you’ll get a question about whether you really want to go into Safe Mode or if you want to use System Restore. Yes, you do want Safe Mode. While in Safe Mode go on the Internet. Type “avast.com” into the address bar.

This photo shows the address bar of the Firefox browser. Whatever browser you have, type avast.com there, or click here. After downloading Avast, run it. It may ask you to do a boot scan. Say yes. Otherwise let it start up and you’ll get the funny silver-looking interface, which looks like a radio to me. Click the update button. The update button looks like Harry Potter’s scar or a lightning strike. After updating, run Avast again. You may have to keep going back into Safe Mode.

After Avast runs and gets rid of some of the w32, then download and run ComboFix and Malwarebytes.

With ComboFix, just follow the prompts and ignore all the dire warnings about using it without a helper. I’ve used it hundreds of times without one bad incident. If you can’t disable your antivirus as ComboFix suggests, or don’t know how to disable it (has anyone tried to disable Norton or McAfee single-handedly? Good luck, they’re impossible to disable, especially if you’re infected with a virus), just go ahead anyway. I do, all the time. Your computer is terminal anyway if you don’t use ComboFix at this point, and it can only help. While ComboFix runs it will install the Recovery Console, scan for viruses, reboot your computer and create a log file.

After ComboFix, use Malwarebytes. I find it easy to run. Install it, then go to the Update button, then to Scan. Do a quick scan first, then a full scan.

Now you’re safely on your way home from the dangerous wilds of the W32 wilderness. You’ve fought off the W32 beast!! You’re a Ducktoes hero. You’re on your way home, your way home.

Let me know how it goes.

Ms. Da toes


How to Remove Gaopdx

Hey, the other night I was at a house in Northeast Calgary that had a huge TV on the wall right in front of the computer. So I got to watch the Flames game while I fixed the computer, which had the nasty and new Gaopdx rootkit. It was an exciting evening with a really close game on the wall, and a really close fight with the computer. We all won in the end, both the Flames and Ms. Ducktoes. I used Malwarebytes and ComboFix to remove the potent rootkit.

Ducktoes is on her way, saving computers everyday!!! It took me a couple of hours since Gaopdx made the computer so slow. And the usual anti-spywares and anti-viruses didn’t work.

Malwarebytes removed these parts of the Gaopdx: Trojan.Agent and Trojan.DNSChanger, but not the rootkit itself. ComboFix removed the rootkit.

Since the malware would not let me download anything in Normal mode, I had to go into Safe Mode to download both Malwarebytes and ComboFix.

This is what you need to do:
Click here to download Malwarebytes and here for ComboFix.

But if your browser won’t let you download them, then you’ll have to go into Safe Mode by restarting the computer. As the computer reboots, tap the F8 key several times. You should get a black and white screen listing several options. Pick “Safe Mode with Networking.” When Safe Mode starts Windows you’ll be asked if you want to continue. Pick “Yes.”

Now click here for Malwarebytes. Download the free version unless you’d like to buy the full one. It’s a great program. Then download and run ComboFix. There’s also a tutorial. Read it to learn how to run the program. ComboFix removed the Gaopdx rootkit completely.

Whew, that was a close one!!!


How to Remove Windows XP Antivirus 2008/2009

If you are one of the millions of people whose computers are infested with the nasty malware Windows Antivirus XP 2008/2009, don’t despair. It’s hard to remove, but it can be done. I’ve fixed it on four computers now. I tried many different things, but I had the greatest success with SD Fix and Malwarebytes.

Download SD Fix by clicking here. Then you’ll need to reboot into Safe Mode by restarting your computer. As the computer starts up, tap the F8 key several times. If you tap it at the right time, a screen with several options will appear. One will be Safe Mode. Choose Safe Mode. Next, after a list of drivers is displayed in black and white on your screen, you’ll be asked if you want to go into Safe Mode (Y) or if you want to use System Recovery (N). Pick Y for Safe Mode.

After Windows has started, go to My Computer and find the C: drive. Double-click it so it opens. Look for a folder called SD Fix. Inside SD Fix will be a file called RunThis.bat. Click on it. It will run a program to clean up the Trojans. Type Y to begin. SD Fix will delete all the spyware or trojans it comes across. Then you’ll be asked to press any key to restart the computer. Do it: press a key.

Your computer will reboot. As it does, it will finish cleaning up the malware it has found.

Next, download Malwarebytes. Update it and run it. It is pretty straightforward.

You may have to run the above two programs several times to finally get rid of this nasty of all nasties.

If, after removal, you find you’re missing your Screensaver tab, you can go to this post to fix it. To see if you’re missing your Screensaver tab, go to Control Panel, then Display. One of the tabs should be Screensaver.

If you were unfortunate enough to buy this rogue antispyware, you need to call your bank and get a new credit card number. Also you should stop payment on your purchase.

If you want help and your computer can still get on the Internet, I can fix your computer remotely. Call 403-483-0105 during the day (Mountain Standard Time).


Fascinating, but Sinister Spyware

This week I’m fixing an old Toshiba laptop that was loaded with spyware. It had all of this spyware:

  1. Adware BHO Generic
  2. Win32 Trojan PSW Sinowal
  3. Win32 clowsd
  4. Alexa Related
  5. Microsoft Windows Security Center Virus Override
  6. Microsoft Windows Security Center Firewall Override
  7. Microsoft Windows Security Center SP2 Update Override
  8. Microsoft Security Center _disabled
  9. PWS LDPinch IE
  10. SC Keylogger
  11. Smitfraud-C.generic
  12. Win32.Alphabet.ap
  13. Win32.BHO.je

The laptop actually had more than this, but I didn’t write them down before I got rid of them. I used these three anti-spyware applications to get rid of the spyware: Ad-aware SE Personal, Spybot, and Spyware Doctor (my new favorite anti-spyware, although it’s not free).

The fascinating spyware I love to hate is one that places a program in the Startup. Every time I tried to run AVG anti-virus, the spyware would start this:

HKLM…Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Immediately a system dump would begin with a blue screen of death, and I’d have to restart the computer without being able to run a virus scan.
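A Startup entry like the one above is found by enumerating the Run keys, and that is the check worth doing on any machine that crashes as soon as a scanner starts. The following is an added example (not code from the Ducktoes post): it lists the HKLM and HKCU Run/RunOnce entries, expands variables such as %systemroot%, and reports whether each target file exists and whether it carries a valid Authenticode signature. It assumes Windows PowerShell 5.1 or later with the standard registry provider paths.

```powershell
# Added example (not part of the Ducktoes post). Lists Run/RunOnce autostart
# entries for the machine (HKLM) and the current user (HKCU), expands variables
# such as %systemroot%, and reports whether each target exists and is signed.
# Assumes Windows PowerShell 5.1 or later.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Provider metadata that Get-ItemProperty adds to every object; not registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandPath([string]$Command) {
    # Expand %systemroot% and friends, then split the executable from its arguments.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }   # quoted path
    $exe = ($expanded -split ' ', 2)[0]                        # unquoted: first token
    if (-not $exe) { return '' }
    # Entries like "dumprep 0 -k" give no directory or extension; resolve via PATH.
    $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue
    if ($cmd) { return ($cmd | Select-Object -First 1).Source }
    return $exe
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($providerProps -contains $v.Name) { continue }
        $path = Get-CommandPath ([string]$v.Value)
        $exists = $path -and (Test-Path -LiteralPath $path -PathType Leaf)
        $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'missing' }
        [pscustomobject]@{
            Key       = $key
            Name      = $v.Name          # e.g. KernelFaultCheck
            Command   = $v.Value
            Target    = $path
            Signature = $status          # Valid, NotSigned, ... or 'missing'
        }
    }
}
```

Entries whose target is missing, unsigned, or sitting somewhere other than the Windows or Program Files directories are the ones to look at first; pipe the output to Format-Table -AutoSize to read it comfortably.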

The client and I decided to reinstall the operating system, since she didn’t need anything on her hard drive. It’s an old laptop she uses for e-mail only. But normally I would have run all my anti-spyware tools, anti-virus (I prefer AVG), plus rootkit tools (see my rootkit post). I like to get rid of spyware without reformatting, as most computer repair services do. They immediately reformat!!! Not Ducktoes. Ducktoes does anti-spy without data-fry!! So businesses and people can lose their spyware but keep their data. That’s what Ducktoes specializes in.


More on Rootkits

Rootkits are malware tools used to hide spyware and trojan horses from your virus scanner and anti-spyware. They are quite effective. You could have a rootkit for months and never know, since your virus software can’t detect it. Yesterday I told you about Spy Sweeper, an invaluable defender against rootkits and other trojans. I recommend Spy Sweeper to all my clients, and also AVG’s free rootkit scanner. I neglected to include Panda’s rootkit tool, also free. If I were you, I’d use them all, since the battle with spyware and rootkits is intensifying. Baby, it’s bad out there. Your best defence is, however, knowledge and training put into action. Ducktoes can help you defend your computer from the onslaught. Call 403-483-0105.
