Infected by DNS Changer? You Have Until July Before the FBI Shuts You Down

If you happen to have a virus called the DNS Changer, you, or at least your computer, has been involved in a huge FBI crime sting operation involving Estonian and Russian cybercriminals.   What intrigue and thrills!   Here you thought your computer was behaving itself quietly at home when really it was off consorting with dastardly foreign types and now has even involved you with the FBI.  Aren’t you excited?  Isn’t the adrenalin flowing?  In fact, if infected, you are now getting your internet through the FBI.

Do you know where your computer has been?

But not for long.  The virus has rerouted your computer’s DNS to go through the Estonian servers, and originally there were 4 million of you rerouted that way.   The FBI has now taken over these servers from the Estonians, and so you now are getting the Internet courtesy of the FBI.  The Estonians have been arrested, by the way; the one Russian remains at large.

Now the FBI is worried that if they turn off the servers, all people whose computers have the virus will lose their internet connection.  So they are giving people until July to remove the virus.  At that point they will shut down the servers.  It is very considerate of the FBI to do this, considering that many if not most viruses disable or break people’s internet browsers.

Everyone should check to see if they have the DNS Changer virus.  Here is a site that tells you how.  It has a utility to check your computer for the DNS Changer infection.  The site is an FBI security partner.
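Added example, not code from this post or from the FBI partner site it links to: a small Python check that does by script what the linked utility does for you, reading the resolvers a machine is configured with and flagging any that fall inside a list of rogue-resolver ranges. The CIDR ranges are placeholders (the real ones were published by the FBI and the DNS Changer Working Group) and the ipconfig output is a constructed sample.

```python
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation space): replace with the rogue
# resolver ranges published by the FBI / DNS Changer Working Group.
ROGUE_RESOLVER_CIDRS = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed sample of Windows `ipconfig /all` output: the first resolver
# has been pointed into a placeholder "rogue" range, the second is legitimate.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.0.0.5
   DNS Servers . . . . . . . . . . . : 192.0.2.77
                                       8.8.8.8
"""

def parse_resolver_ips(config_text):
    """Pull resolver addresses out of resolv.conf 'nameserver' lines or
    ipconfig 'DNS Servers' lines (including their indented continuations)."""
    ips = []
    in_dns_block = False
    for line in config_text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            ips.append(m.group(1))
            continue
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            ips.append(m.group(1))
            in_dns_block = True
            continue
        m = re.match(r"\s+(\S+)\s*$", line)  # ipconfig continuation line
        if in_dns_block and m:
            ips.append(m.group(1))
            continue
        in_dns_block = False
    return ips

def rogue_resolvers(resolver_ips, rogue_cidrs=ROGUE_RESOLVER_CIDRS):
    """Return the configured resolvers that fall inside a rogue range."""
    networks = [ipaddress.ip_network(c) for c in rogue_cidrs]
    hits = []
    for raw in resolver_ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # ignore non-address tokens
        if any(ip in net for net in networks):
            hits.append(str(ip))
    return hits
```

Feed it the text of `ipconfig /all` (Windows) or `/etc/resolv.conf` (Linux, macOS); a non-empty result means the machine is still pointed at a resolver it should not be using.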

If you want Ducktoes to check to see if you have the virus we can do in our shop or remotely.   We are Calgary virus removal experts.  We can even check out your computer remotely with our remote services.


How to Get Rid of Virut without Reformatting

Ms. Ducktoes did it! I beat the dreaded Virut without reformatting. This is how I did it.

  1. The Dr. Web CureIt Live CD I spoke of in the last post didn’t work. At the beginning of the scan, it stopped every time. So instead:
  2. I created an Ultimate Boot CD for Windows. I downloaded the image from the UBCD website and burned it to CD. There are detailed instructions on the site on how to do this.
  3. I booted off the CD and went on the Internet through the UBCD interface. I downloaded Dr. Web CureIt to the RAM drive.
  4. Then from the “Run” option off the start menu I browsed to the B: RAM drive and opened cureit.exe.
  5. Dr. Web Cureit started. I had to stop the Express scan and run the Custom scan and select the C drive or the C and D drives since I had more than one hard drive. Otherwise Dr. Web Cureit just scanned the CD.
  6. I cured the files instead of deleting them. The Virut virus changes the system files and your computer system needs them.
  7. I scanned three times this way.
  8. I rebooted but the computer wouldn’t start. So I did a “repair install” with my Windows XP CD.
  9. After the Repair Install, it booted, but after the logon, the logon kept returning. I couldn’t get past it.
  10. So I booted off the UBCD and replaced the Userinit.exe file in the System32/dllcache folder. I found another copy of it in the i386 folder and copied and pasted. You can search using the Windows Explorer on the UBCD disk.
  11. Then I ran regedit (still off UBCD) and searched for userinit. I found the registry keys related to userinit. One of them was set for the logon to repeat over and over, so I changed it from “1” to “0”.
  12. Then I rebooted and the computer started and the logon didn’t repeat!!
  13. Immediately I went into Safe Mode and started running virus scans like crazy. I ran Malwarebytes, AVG, SuperAntiSpyware and Dr. Web Cureit again. And found more trojans and viruses.
  14. After all the scans ran clean, I rebooted.
  15. The Virut was removed!!! And I didn’t reformat.

Virus Alert: P2Ps Spreading Dangerous Virus called Virut

The worst virus I’ve ever seen is now making its way through BitTorrent and Limewire and other file sharing programs. It’s called Virut. And once you have it it’s pretty much game over and time for a clean install. You’re done. At least your operating system is kaput. So if I were you I’d make sure your anti-virus is working and updating regularly. And stay away from P2Ps until this settles down. Lots of people are losing everything on their computers. What makes Virut so nasty is that it patches itself to every executable, so every time you run an anti-virus, it “patches itself” onto the anti-virus. Also it changes system files, so if you “delete” instead of “cure” or “heal” them, you’ll be facing at least a Repair install.

Some fixes for Virut run in Safe Mode, but on my client’s computer, Safe Mode isn’t working. I’m right now trying a method I saw on the Internet that uses Dr. Web CureIt.


Fix the "Open With" Virus

I just fixed an odd virus: the “Open With” Virus. Everything I tried to open, including my usual anti-virus programs, prompted a dialog box asking what I wanted to open AVG with. Of course that’s silly, you can’t open AVG with another program like Microsoft Word or Adobe Reader. It kept me from doing anything. That’s why it’s called the “Open With” virus. The virus asks, What would you like to open that with? Oh, I think I’ll open Internet Explorer with Civilization 4 (I have sons). And I’ll open iTunes with Instant Messenger. See, it doesn’t make sense, and moreover it doesn’t work, in fact nothing works, and you are stuck. You are deep in the doo doo of Malwareland.


You're in the deep doodoo of Malwareland.

Some techs say you have to reformat if you get this virus, but Ms. Ducktoes hates that word “reformat”. I’ve seen it make a grown man cry. And then when he cries, I cry, and then I get a sinus headache and my mascara runs down my cheeks. So I find it much better and less embarrassing to do this instead:

Right click on the program you want to run, such as AVG. From the choices displayed, click on “Run as” and pick your own user. There’s a box you have to uncheck too. I ran AVG and it quarantined the virus. Then I was able to do the usual virus clean up.


But if you don’t have an anti-virus on the computer already, what do you do? Install Malwarebytes on another computer. You’ll get a setup icon on your desktop. Stick a flash drive (you can buy them at any electronics store) into the USB port and go to My Computer (Start > My Computer, or just “Computer” on Vista) and you’ll see all your drives: your hard drive or drives, your DVD player, and now the flash drive. Click on the flash drive. A window will open. Now drag the setup icon of Malwarebytes into the flash drive’s window. Remove the flash drive.

Then put the flash drive into the infected computer. It will probably have to install as a drive. Go to My Computer. Find the Malwarebytes setup icon. Right click on it and “Run As” your user. Let it install and run and do its thing.

After that go to this page on my blog, click these words here and follow the rest of the instructions.

If you want, Ducktoes Computer Repair can fix your virus. Click here to read more about our remote service. Or click here to book remote appointment. https://www.ducktoes.com/book_online.php We’ll get back to you.


Trojan Horse Clicker – No My Friend Flicka.

I just cleaned up a computer, an Acer laptop, that had tons of spyware and among them was Trojan Horse Clicker. To get rid of it and the rest of the spyware I did the usual:

1. First I ran Combofix. (I did this in Safe Mode with Networking.)

To get into Safe Mode, I had to tap F8 as the computer booted. If you tap at just the right time, a list of options in black and white is displayed on your screen. If you get the usual Windows boot up, you’ve missed Safe Mode so you’ll have to restart and tap again.

Pick Safe Mode with Networking. Then you’ll see a message asking if you’re sure you want to go into Safe Mode or if you’d rather use System Restore. Click yes you do want to go into Safe Mode. In Safe Mode you can then download and run Combofix.

When you get to the page, you’ll have to scroll down. I usually pick the Bleeping Computer link. It looks like this.

This is a photo of the Bleeping Computer website where you download Combofix.

Download Combofix here.

If you can’t download or run Combofix then you have very serious virus problems so see this post.

After I ran Combofix, enough spyware had been removed so that I could do the following in regular Windows mode.

2. Downloaded and installed AVG.

3. Downloaded and installed Malwarebytes.

4. Ran Malwarebytes. Malwarebytes caught quite a few Trojans. Also, while I ran Malwarebytes, AVG’s Resident Shield caught a few more things that Malwarebytes going through the files seemed to stir up.

5. Ran a full scan of AVG. The AVG is what caught our friend Trojan Horse Clicker.
