The Best Way to Remove Viruses and Malware, Part 3: The Clean-Up
Here are my experiences using both network access and the software included with the Ultimate Boot CD for Windows to clean up an infected Windows machine. All the software discussed is free.
Editor's Note: This article is the third and final installment in a three-part series on removing malicious software (malware) from an infected Windows machine. Don't miss the first and second articles in this series.
I doubt that anyone can argue with the initial premise, from Part 1, that it's better to scan the machine from the outside, to bypass any defenses the malware has in place.
Building on that premise, I prefer to use the Ultimate Boot CD for Windows (UBCD4WIN) to provide access to the infected hard drive. It offers a handful of anti-malware programs on the CD and, as we saw last time in Part 2, can also offer network access to the infected machine.
Here I'll recount my experiences using both network access and the software included with the Ultimate Boot CD for Windows to clean up an infected Windows machine. All the software discussed here is free.
At the risk of repeating myself, let me again emphasize that any attempt at removing malware should start off with a disk image backup. There are many image backup programs that can run from either a bootable CD or USB flash drive and copy an image of the entire computer to an external hard drive or another machine on the network. First do no harm. No matter how well intentioned, deleting files and updating the registry are both accidents waiting to happen.
Software on the Ultimate Boot CD for Windows
I'm a big fan of Avira's AntiVir antivirus program, a free version of which is included on the Ultimate Boot CD for Windows. Every time I've used UBCD4WIN to clean up an infected machine, I started with AntiVir.
As I noted earlier, running applications from the Ultimate Boot CD for Windows is slightly different than running them in a normal copy of Windows. Twice, I've been unable to start Avira due to problems with the B: disk, something unique to UBCD4WIN. However, clearing the RAM drive (an option off the Start button) fixed the problem both times.
Avira shows you the date of the currently installed virus definitions (under Last Update), and, if the infected computer is on-line, updating the virus definitions is very simple.
The Ultimate Boot CD for Windows introduced me to SUPERAntiSpyware and I'm glad it did. The program has been downloaded over a million times at download.com, where users have rated it 4 stars out of 5. More than once, when running after AntiVir, it has found and removed malicious software.
If the infected computer is online, SUPERAntiSpyware will download the latest spyware definitions automatically when you first start it. For confirmation, it displays the Definitions Updated date on the main screen. Couldn't be easier.
However, if the infected computer is off-line, determining the date of the spyware definitions is harder. Rather than a date, it only offers a Definition Database version number. I asked the company (whose name is SUPERAntiSpyware.com) about this and Mike Duncan, the Director of Business Development, passed along the suggestion to check their definition update history to correlate the definition database version number to a date.
This may be nit-picking though, because even though the computer is infected with malware, there is no reason to keep it off-line. The infected operating system isn't running, UBCD4WIN is in control.
Another anti-malware program included on UBCD4WIN is McAfee's Stinger. According to McAfee, "Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system." As such, you may find that the latest version of Stinger is a bit dated, perhaps a couple of weeks old or more. Despite this, on one infected machine, it found and removed something, after both AntiVir and SUPERAntiSpyware had their shot.
Also included on the Ultimate Boot CD for Windows are SpyBot Search and Destroy and the avast! Virus Cleaner. Like Stinger, Virus Cleaner removes a limited number of viruses.
I tried running online virus scans using Internet Explorer under the Ultimate Boot CD for Windows and it didn't go well. For one thing, it comes with IE version 6. More to the point, ActiveX is disabled.
Scanning over a Local Area Network
Scanning an infected machine over a network lets you employ any anti-malware software, both normally installed versions as well as online scanners. The only criterion is that the software needs to be able to scan a drive letter other than C.
Malwarebytes' Anti-Malware can certainly do this and comes highly recommended. Microsoft's Malicious Software Removal Tool can be run manually to invoke a customized scan against a single drive letter.
ESET, the company that makes NOD32, offers a free online scanner (IE only, based on ActiveX). To have it scan a disk other than C, go into the advanced settings, where you can modify what ESET refers to as scan targets.
The BitDefender Online Scanner (also ActiveX based and thus IE only) detects and removes both viruses and spyware. Check the "Folders to Scan" before launching it to ensure it will scan the mapped network drive that is the infected machine. If it can't clean the malware, however, the default action is to delete the infected file(s). If you'd rather be notified first, you need to change the "Cleaning Options".
According to Kaspersky, their online virus scanner "will not remove the malware from your machine if it finds it - installing our software is required to do this."
But at least it runs, which is more than I can say for Trend Micro's Housecall, which twice stalled mid-stream on me.
After Removing Malware Externally
In researching this article, I threw the kitchen sink at a severely infected machine. After removing dozens and dozens of infections, when the machine first booted, my heart sank. There was a slew of errors about programs not starting up correctly.
Turns out, this was good news, as the programs that could no longer run automatically at boot time were all malicious.
The reason for the errors was the registry. When scanning a machine from outside the infected operating system, the registry is treated, not like the registry, but like a bunch of files. Each anti-malware program deleted or quarantined the executable malware, but didn't go into the registry to remove the entry that specifies the malware should run automatically at startup time.
What to do?
Scan again with anti-malware software, but this time, scan from inside the newly cleaned out operating system. This should clean up the registry.
Beforehand though, if you hadn't already done it, this is a great time to remove a host of unnecessary files. I would start by disabling System Restore to remove all the old Restore Points. Then enable it again, to get a new, fresh, hopefully reliable Restore Point. Also, remove temp files, clean out the web browser cache for all browsers and, finally, empty the Recycle Bin.
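Before booting the cleaned machine, you can also check for those orphaned startup entries directly. The PowerShell script below is an added example, not from this article: it loads the offline SOFTWARE hive of the infected installation, walks the HKLM Run and RunOnce keys, and reports any entry whose executable no longer exists on the drive. It assumes the infected disk is visible as E:\ (a mounted or mapped drive, a name I chose) and that it runs as Administrator on a normal Windows machine, not under UBCD4WIN itself; it only reports and deletes nothing.

```powershell
# Added example, not from the article. Lists HKLM Run/RunOnce entries in an
# OFFLINE Windows installation whose executable no longer exists, i.e. the
# registry leftovers that produce "program could not start" errors after
# external scanners have deleted or quarantined the malware files.
# Assumptions: the infected system's drive is visible as $OfflineRoot (E:\ here)
# and this runs as Administrator on a full Windows machine so reg.exe can load the hive.
function Find-OrphanedAutorun {
    param([string]$OfflineRoot = 'E:\')

    $hive    = Join-Path $OfflineRoot 'Windows\System32\config\SOFTWARE'
    $mount   = 'HKLM\OfflineSW'        # temporary mount point for the offline hive
    $runKeys = 'Microsoft\Windows\CurrentVersion\Run',
               'Microsoft\Windows\CurrentVersion\RunOnce'

    & reg.exe load $mount $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load hive $hive" }
    try {
        foreach ($sub in $runKeys) {
            $path = "Registry::HKEY_LOCAL_MACHINE\OfflineSW\$sub"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $key = Get-Item -LiteralPath $path
            foreach ($name in $key.GetValueNames()) {
                # Do not expand %vars% using THIS machine's environment.
                $cmd = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
                if ($cmd -match '%') {
                    [pscustomobject]@{ Key=$sub; Name=$name; Command=$cmd; Status='uses env var, check manually' }
                    continue
                }
                # The executable is the quoted first token or, if unquoted, the first word.
                $exe  = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
                # Rewrite the infected system's own drive letter (usually C:) to where we see it.
                $seen = $exe -replace '^[A-Za-z]:', $OfflineRoot.TrimEnd('\')
                if (-not (Test-Path -LiteralPath $seen -PathType Leaf)) {
                    [pscustomobject]@{ Key=$sub; Name=$name; Command=$cmd; Status='target missing' }
                }
            }
            $key.Close()               # release the handle so the hive can be unloaded
        }
    } finally {
        [GC]::Collect()
        & reg.exe unload $mount | Out-Null
    }
}

# Report only: review the list, then remove entries from inside the cleaned system.
Find-OrphanedAutorun -OfflineRoot 'E:\' | Format-Table -AutoSize
```

Per-user Run keys live in each profile's NTUSER.DAT and can be loaded and checked the same way, and an entry flagged "target missing" is exactly what the inside scan described above is meant to clean up.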
Next: Removing Malware From The Inside
May 19, 2009