Editor's Note: This article is the third and final installment in a three-part series on removing malicious software (malware) from an infected Windows machine. Don't miss the first and second articles in this series.
I doubt that anyone can argue with the initial premise, from Part 1, that it's better to scan the machine from the outside, to bypass any defenses the malware has in place.
Building on that premise, I prefer to use the Ultimate Boot CD for Windows (UBCD4WIN) to provide access to the infected hard drive. It offers a handful of anti-malware programs on the CD and, as we saw last time in Part 2, can also offer network access to the infected machine.
Here I'll recount my experiences using both network access and the software included with the Ultimate Boot CD for Windows to clean up an infected Windows machine. All the software discussed here is free.
At the risk of repeating myself, let me again emphasize that any attempt at removing malware should start off with a disk image backup. There are many image backup programs that can run from either a bootable CD or USB flash drive and copy an image of the entire computer to an external hard drive or another machine on the network. First do no harm. No matter how well intentioned, deleting files and updating the registry are both accidents waiting to happen.
Software on the Ultimate Boot CD for Windows
I'm a big fan of Avira's AntiVir antivirus program, a free version of which is included on the Ultimate Boot CD for Windows. Every time I've used UBCD4WIN to clean up an infected machine, I started with AntiVir.
As I noted earlier, running applications from the Ultimate Boot CD for Windows is slightly different from running them in a normal copy of Windows. Twice, I've been unable to start Avira due to problems with the B disk, something unique to UBCD4WIN. However, clearing the RAM drive (an option off the Start button) fixed the problem both times.
Avira shows you the date of the currently installed virus definitions (under Last Update), and, if the infected computer is online, updating the virus definitions is very simple.
The Ultimate Boot CD for Windows introduced me to SUPERAntiSpyware and I'm glad it did. The program has been downloaded over a million times at download.com, where users have rated it 4 stars out of 5. More than once, when run after AntiVir, it has found and removed malicious software.
If the infected computer is online, SUPERAntiSpyware will download the latest spyware definitions automatically when you first start it. For confirmation, it displays the Definitions Updated date on the main screen. Couldn't be easier.
However, if the infected computer is offline, determining the date of the spyware definitions is harder. Rather than a date, it only offers a Definition Database version number. I asked the company (whose name is SUPERAntiSpyware.com) about this and Mike Duncan, the Director of Business Development, passed along the suggestion to check their definition update history to correlate the definition database version number to a date.
This may be nit-picking, though, because even though the computer is infected with malware, there is no reason to keep it offline. The infected operating system isn't running; UBCD4WIN is in control, so nothing on the infected disk is executing and the malware cannot use the network connection.
Another anti-malware program included on UBCD4WIN is McAfee's Stinger. According to McAfee, "Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system." As such, you may find that the latest version of Stinger is a bit dated, perhaps a couple of weeks old or more. Despite this, on one infected machine, it found and removed something after both AntiVir and SUPERAntiSpyware had their shot.
Also included on the Ultimate Boot CD for Windows are SpyBot Search and Destroy and the avast! Virus Cleaner. Like Stinger, Virus Cleaner removes a limited number of viruses.
I tried running online virus scans using Internet Explorer under the Ultimate Boot CD for Windows and it didn't go well. For one thing, it comes with IE version 6. More to the point, ActiveX is disabled.
Scanning over a Local Area Network
Scanning an infected machine over a network lets you use any anti-malware software, both normally installed products and online scanners. The only requirement is that the software be able to scan a drive letter other than C:.
Malwarebytes' Anti-Malware can certainly do this and comes highly recommended. Microsoft's Malicious Software Removal Tool can be run manually to invoke a customized scan against a single drive letter.
ESET, the company that makes NOD32, offers a free online scanner (IE only, based on ActiveX). To have it scan a disk other than C:, go into the advanced settings, where you can modify what ESET refers to as scan targets.
The BitDefender Online Scanner (also ActiveX-based and thus IE-only) detects and removes both viruses and spyware. Check the "Folders to Scan" before launching it to ensure it will scan the mapped network drive that is the infected machine. However, if it can't disinfect a file, the default action is to delete the infected file(s). If you'd rather be notified first, change the "Cleaning Options".
According to Kaspersky, their online virus scanner "will not remove the malware from your machine if it finds it - installing our software is required to do this."
But at least it runs, which is more than I can say for Trend Micro's Housecall, which twice stalled mid-stream on me.
After Removing Malware Externally
In researching this article, I threw the kitchen sink at a severely infected machine. After removing dozens and dozens of infections, when the machine first booted, my heart sank. There was a slew of errors about programs not starting up correctly.
Turns out, this was good news, as the programs that could no longer run automatically at boot time were all malicious.
The reason for the errors was the registry. When scanning a machine from outside the infected operating system, the registry is not treated as a registry but as a handful of hive files on the disk. Each anti-malware program deleted or quarantined the executable malware, but none of them loaded the hives to remove the entry that tells Windows to run the malware automatically at startup. The entry remains, points at a file that no longer exists, and Windows complains when it tries to start it.
What to do?
Scan again with anti-malware software, but this time, scan from inside the newly cleaned out operating system. This should clean up the registry.
Beforehand, though, if you haven't already done it, this is a great time to remove a host of unnecessary files. I would start by disabling System Restore, which removes all the old Restore Points (they can hold archived copies of the very files the scanners just deleted elsewhere). Then enable it again to get a new, fresh, hopefully reliable Restore Point. Also remove temp files, clean out the web browser cache for all browsers and, finally, empty the Recycle Bin.
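The orphaned startup entries described above can be found, and removed, from outside the infected system by doing what the scanners did not: loading the hive files as a registry. The following is an added example for this article, not code from the original page or from Avira, Malwarebytes, SUPERAntiSpyware or the UBCD4WIN project. It loads the infected machine's SOFTWARE hive and each user's NTUSER.DAT under a temporary key, lists the Run entries stored there, resolves each command line to a path on the mounted volume, and flags the entries whose executable is gone, which is exactly what a quarantined file leaves behind. It assumes the infected volume is mounted as D:, that the infected system's own system drive was C:, and that it runs in an elevated PowerShell 3.0 or later on a second Windows machine with the infected disk attached (UBCD4WIN itself predates PowerShell); the function names, the drive letter and the simplified search order for bare file names are all assumptions of this example.

```powershell
# Added example for this article (not code from the original page or from any
# vendor it mentions). Lists autostart entries stored in the infected machine's
# own registry hives, loaded as files from the mounted volume, and flags the
# ones whose target executable is gone (what a quarantined file leaves behind).
#
# Assumptions, adjust to your setup:
#   - the infected Windows volume is mounted as D: (second PC or modern WinPE)
#   - the infected system's own system drive was C:
#   - this runs in an elevated PowerShell 3.0 or later (reg.exe load needs admin)
$InfectedRoot = 'D:'

# Turn a Run value as stored on the infected system into a path on the mounted volume.
function Resolve-OfflinePath {
    param([string]$Command)
    $c = $Command.Trim()
    if (-not $c) { return '' }
    # Split the executable from its arguments: a quoted path or the first token.
    if ($c.StartsWith('"') -and $c.IndexOf('"', 1) -gt 0) {
        $end  = $c.IndexOf('"', 1)
        $exe  = $c.Substring(1, $end - 1)
        $rest = $c.Substring($end + 1).Trim()
    } else {
        $parts = $c -split '\s+', 2
        $exe  = $parts[0]
        $rest = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }
    # "rundll32.exe C:\bad.dll,Entry": the payload is the DLL, not rundll32 itself.
    if ((($exe -split '\\')[-1]) -ieq 'rundll32.exe' -and $rest) {
        $exe = ($rest -split ',', 2)[0].Trim().Trim('"')
    }
    # Expand the usual variables against the offline volume, never the live one.
    $exe = $exe -replace '%(SystemRoot|windir)%', "$InfectedRoot\Windows"
    $exe = $exe -replace '%ProgramFiles%', "$InfectedRoot\Program Files"
    # A bare file name is looked up in System32 then Windows (simplified search order, an assumption).
    if ($exe -notmatch '\\') {
        foreach ($dir in "$InfectedRoot\Windows\System32", "$InfectedRoot\Windows") {
            if (Test-Path -LiteralPath (Join-Path $dir $exe)) { return (Join-Path $dir $exe) }
        }
        return (Join-Path "$InfectedRoot\Windows\System32" $exe)
    }
    # The infected system's C: is our mounted D:.
    return ($exe -replace '^C:', $InfectedRoot)
}

# Load one hive file under a temporary HKLM key, read the given Run keys, unload it.
function Get-OfflineAutoruns {
    param([string]$HivePath, [string[]]$RunKeys, [string]$Label)
    $mount = 'Offline_' + ([IO.Path]::GetRandomFileName() -replace '\.', '')
    & reg.exe load "HKLM\$mount" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $HivePath"; return }
    try {
        foreach ($rel in $RunKeys) {
            $key = "HKLM:\$mount\$rel"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
                # Skip the members the registry provider adds to every result.
                if (@('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') -contains $p.Name) { continue }
                $target = Resolve-OfflinePath ([string]$p.Value)
                [PSCustomObject]@{
                    Hive    = $Label
                    Key     = $rel
                    Name    = $p.Name
                    Command = [string]$p.Value
                    Target  = $target
                    Present = [bool]($target -and (Test-Path -LiteralPath $target))
                }
            }
        }
    } finally {
        [GC]::Collect()                             # release lingering hive handles
        & reg.exe unload "HKLM\$mount" | Out-Null   # fails with "access denied" if any remain
    }
}

$machineKeys = 'Microsoft\Windows\CurrentVersion\Run',
               'Microsoft\Windows\CurrentVersion\RunOnce',
               'Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$userKeys    = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce'

$results = @(
    Get-OfflineAutoruns -HivePath "$InfectedRoot\Windows\System32\config\SOFTWARE" -RunKeys $machineKeys -Label 'SOFTWARE'
    # One NTUSER.DAT per profile: XP keeps them under Documents and Settings, Vista and later under Users.
    foreach ($profiles in "$InfectedRoot\Documents and Settings", "$InfectedRoot\Users") {
        if (-not (Test-Path -LiteralPath $profiles)) { continue }
        foreach ($dir in Get-ChildItem -LiteralPath $profiles -Directory) {
            $hive = Join-Path $dir.FullName 'NTUSER.DAT'
            if (Test-Path -LiteralPath $hive) {
                Get-OfflineAutoruns -HivePath $hive -RunKeys $userKeys -Label ('NTUSER.DAT for ' + $dir.Name)
            }
        }
    }
)

$results | Sort-Object Present | Format-Table Present, Hive, Name, Command, Target -AutoSize
$results | Where-Object { -not $_.Present } | ForEach-Object {
    "Orphaned autostart entry: $($_.Hive) $($_.Key)\$($_.Name) -> $($_.Command)"
}
```

The script is deliberately read-only: it reports, and you decide. To remove an orphaned entry, run Remove-ItemProperty against the same HKLM:\Offline_... key inside the load/unload window of Get-OfflineAutoruns; the change is written into the hive file on the mounted volume when reg.exe unloads it, which is what "treating the registry as a registry" from outside amounts to. Do that only after the disk image backup this series keeps insisting on, and expect the unload to fail with "access denied" if a console or editor is still sitting inside the loaded key.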
Removing Malware From The Inside
Running anti-spyware software inside the newly cleaned-out system produced another surprise.
One of the LAN-based scanners I ran on the machine was Malwarebytes' Anti-Malware (MBAM), which, as expected, found and removed a number of infections. But a couple of days later, when I installed MBAM inside the newly cleaned-up system, it found a lot more stuff. Could it all be due to a couple of days of new "fingerprints"? I asked Marcin Kleczynski of Malwarebytes Corporation about the difference between scanning from inside vs. outside the infected copy of Windows. He said:
"For optimal results, we typically recommend that our scans be conducted from the actual infected operating system. This allows our product to maximize use of our detection algorithms and heuristics and having them work together in the native OS environment. However, we do have somebody working on a BartPE plugin development tool that shows promise. It loads the registry hive and mounts the file system to attempt to mimic the infected operating system. For best results, we will continue to recommend the installer package that we currently offer."
So, scanning from the outside is not, in and of itself, sufficient. BartPE, which Marcin mentioned, is the foundation for the Ultimate Boot CD for Windows. It, too, is a bootable, limited-function edition of Windows on a CD.
A similar pattern appeared when running SUPERAntiSpyware from outside and then inside the infected system. Running from the inside, for example, the software found cookies that weren't detected from the outside. I asked them, too, about the difference between the two environments and how SUPERAntiSpyware compares with MBAM.
According to Mike Duncan, the Director of Business Development for SUPERAntiSpyware:
"Neither SUPERAntiSpyware nor MBAM currently mounts the registry hives when scanning in a remote or slave drive situation. We have technology in our labs to handle this situation and will likely be providing this in a future version of SUPERAntiSpyware. We anticipate our thousands of resellers/computer repair shops will welcome this addition as it can make cleaning a tough infection much easier."
This is great news. Both companies are working on treating the infected registry as a registry, rather than just as files, when running outside the infected system. This should be a huge step forward in removing malware.
Nick Skrepetos, the president and founder of SUPERAntiSpyware expands on the topic of scanning from inside vs. outside:
"Infections are typically divided into two categories - executable "files" and registry/folder/file "traces". The executable file is the "heart" of the infection. While the traces are part of the infection, they are not the culprits that are actually doing the harm. You can think of it this way - a bank robber his/herself would be the "executable file" and their tools would be the "traces". Essentially the "traces" (tools) would be useless without the bank robber him/herself. SUPERAntiSpyware focuses on the "heart" (executable files portion) of any infection as this is where the damage is being done.
"In practical spyware/malware removal there are several practiced methods that can be used to detect and remove spyware from an infected system. The first, which we will call "native" scanning, is a method in which you run the scanner on the infected system directly. The second, which we will call "slave" scanning, requires that you place the infected drive in a non-infected system and scan the slave drive from the non-infected system. The third, often referred to as "remote" scanning, involves using a CD or USB drive on the infected computer to run an operating system that is not active on the infected system and then scan the infected system from the CD/USB drive.
"Each method has its advantages and disadvantages. Specifically, most current anti-spyware/malware products cannot remove registry traces from a slave or remote drive. SUPERAntiSpyware has technology to handle the situation and we are looking at how to best position this for our technicians and end-users. While registry traces are not "harmful," SUPERAntiSpyware does detect traces as well, but that is not our focus.
"SUPERAntiSpyware has advanced technology to eliminate the "hard to remove" infections, and products such as MBAM work more on a "trace" oriented system and thus are a great complement to SUPERAntiSpyware. No single product can catch everything on a given day due to the thousands of new infections released daily. Running both products together will typically yield a clean system."
The last point is very important: there is too much malware for any one product to cope with it all. If at any time you suspect an infection, multiple scans with multiple products are the best approach.
Both Malwarebytes and SUPERAntiSpyware have a similar business model. They offer manual malware removal for free, while the commercial version of each product prevents infections, auto-updates and runs scheduled scans.
One thing to like about both Malwarebytes and SUPERAntiSpyware is that the products are sold for a one-time fee. With MBAM, this is always true; with SUPERAntiSpyware, it's an extra $10. The competing commercial software that I'm aware of is rented on a yearly basis. Just last month, Symantec and McAfee " ... each agreed to pay the New York Attorney General's office $375,000 in fines to settle charges that they automatically charged customers software subscription renewal fees without their permission."