
Posts Tagged ‘Avira’

Home Virus Removal

January 27th, 2010 admin

What we have noticed over the last year or so is that the virus writers are making their viruses more and more difficult to remove. We have found that no single virus removal program can do the complete job. Moreover, the virus writers are making it so that an average user often cannot even get the computer booted into a state where they can start to work on it. If you want to give it a go, here are my suggestions.

Required items:

  • 1 working computer (not the virused one)
  • 1 flash drive

First, recognise that the bad guys have got control of your computer. They are essentially controlling it remotely over the internet, so you need to make sure your computer is disconnected from the web. Pull the ethernet cable out of the back if you are connected by a wire. If you are wireless, you need to disable your wireless connection with a switch or button combination (if you are on a laptop) or, if you are on a desktop, by pulling the antenna off or pulling the card (NB: turning off your wireless router will not work, as many viruses configure your computer to attach to any network they can find, like your neighbors’).

Once the computer is off the internet, turn it on and see if you can boot into Safe Mode. To do this, start pressing and releasing the F8 key about twice a second as soon as you turn the power on to your computer. If you get it right, a text menu, white on black, will appear. If the Windows start screen appears, turn off the computer and try again. From the menu, select “Safe Mode” (no networking). You will see all the device drivers that your computer loads scrolling across your screen. If the computer asks you if you are sure you want to enter Safe Mode, say yes. If the computer seems to stall, give it a few minutes to boot; sometimes Safe Mode takes a while to load. If you are asked to log in, log in with your user name and normal password. If all goes well, you should get a screen with huge icons that looks a little like your desktop. If after 5 minutes you are still stuck on the black and white screen, Safe Mode is not going to work for you.

Once the computer boots into Safe Mode, verify that you don’t have any virus pop-ups on your screen. If you do, you may have trouble with the next step, but soldier on.

On the working PC, go to www.malwarebytes.org and download Malwarebytes, saving it on your flash drive. Next, go here and download the latest security definitions for Malwarebytes and save those to your flash drive. Unplug the flash drive from the working computer and plug it into the one with the virus. Use My Computer or Computer or Windows Explorer to find your flash drive, then double-click on the Malwarebytes program to install it.

Proceed with the Malwarebytes installation (some viruses are smart enough to keep you from installing this program; if it won’t install, try changing the name of the file on your flash drive to something random, and if that still doesn’t work, you may be beyond the scope of this procedure). When Malwarebytes asks you if you want to update and then run the program, uncheck both boxes (you don’t want to run it yet). After Malwarebytes completes its installation, go back to your flash drive and run the Malwarebytes update program you downloaded. When that completes, go to your desktop and double-click on the red Malwarebytes icon.

When the program opens, select “Perform Quick Scan” and press the Scan button. This will take 10-30 minutes to complete. When it’s done, review the items it has found (there may be quite a few) and tell it to fix the problems. If you are asked to reboot the computer, answer yes; if not, reboot the computer anyway.

With the computer still physically disconnected from the internet, reboot the computer into “normal” mode. If you can log in to your desktop, do a little dance: you are about 1/3 of the way home. Run Malwarebytes again, this time telling it to do a full scan; this will take an hour, maybe more. Again, tell it to fix any problems it finds. After it finishes, open the Control Panel, go to Add/Remove Programs and uninstall any security or antivirus programs you have been using – consider them broken. This is an important step: if you skip it and proceed with these instructions, you may render your computer unusable.

Now, on the working computer, go to www.free-av.com and download Avira AntiVirus and save it on your flash drive. Next, go here and download the Avira signature updates (keep that page handy because you will need the instructions after you install Avira on the virused computer). Move the flash drive to the virused computer and install Avira. Next, following the directions you found above for doing a manual update, update the Avira virus definitions. Now, double-click on the Avira icon on your desktop and tell Avira to do a full scan of your computer. Go fix dinner or a very large cup of coffee; this will take at least an hour.

When Avira finishes, tell it to repair any problems it found. Now, reconnect your computer to the internet. Start Malwarebytes again and go to the Update tab and tell Malwarebytes to do an update. When it finishes, run a Quick Scan and clean up any additional problems it finds. After that, tell Avira to update itself and run another full system scan. When that finishes, there is a 90% probability your computer is clear of viruses and trojans. You might want to download Hitman Pro and run it for a second opinion.

If these instructions fail

There could be a million reasons why the above procedures might fail. As I said, the virus writers are smart and often over-achieve with their destructiveness and stealth capabilities. Here are some good websites with helpful people that you might try:

Your other options are:

  • Save all your important data to that flash drive and reinstall Windows
  • Call a professional like Hartland Computer Services @ 859.536.4107

Good luck.

Avira v. Microsoft Security Essentials – a practical comparison

November 4th, 2009 admin

Microsoft has recently introduced their latest iteration of virus protection called Microsoft Security Essentials (MSE). I have read reports, largely anecdotal, that it is a pretty good product, and in fact it has got good ratings for its virus removal ability (NOT necessarily detection) from AV-Comparatives. I have been a fan of Avira Anti-Vir for some time now, based both on their excellent independent test results and my own experience with cleaning up customers’ PCs. I expect I will continue to use Avira, but I’m having second thoughts about installing it on customer machines. The problem is that Avira has this nagware component on their free version. The nagware pops up every day suggesting that you buy the product; this is OK as far as I’m concerned, but I believe that naive users may not be able to quickly distinguish between this legitimate advert and a pop-up for one of the nasty Fake Anti-virus products.

Yesterday I had a customer bring me a laptop infected with a very recent and particularly nasty set of viruses. The viruses prevented installation and/or execution of all of the key malware removal tools (for example, I installed Malwarebytes and while it was getting ready to run, the virus(es) killed it and rendered it thereafter unusable – impressive). In addition, Task Manager was disabled and Safe Mode was disabled (by BSOD).

I always start a virus removal by making an image of the drive I will be working on. That image can be mounted on my computer just as if the original drive was attached. I decided to use this image as a test to see what MSE would find on it compared to Avira and thereby get a datapoint for myself on just how good MSE is compared to what I consider the best antivirus program available.

Test Environment

The scans were run on a machine that dual boots between Windows 7 and Windows XP Pro. I have a licensed version of Avira AntiVir on the Windows 7 drive and MSE loaded on the XP Drive. I use ShadowProtect Desktop from StorageCraft Technology for imaging drives. The Avira scans were run with virus definitions from 3 November and the MSE using definitions from 4 November. The initial infection of the drive was reported to have occurred on 2 November with the machine having around 3 minutes of internet access on 3 November.

Baseline – Avira

During its scan, Avira identified 19 instances of malware; they were:

  • TR/Agent AH.313 Trojan x2
  • TR/FraudPack.yox Trojan x4
  • TR/Crypt.ZPACK.Gen Trojan x3
  • TR/Crypt.XPACK.Gen Trojan
  • TR/Agent.AH.312 Trojan
  • ADSPY/Wheatesbug.A adware
  • TR/Agent.AH.337 Trojan x2
  • TR/Agent.AH.319 Trojan
  • TR/Crypt.ZPACK.Gen Trojan
  • TR/Agent.AH.308 Trojan
  • TR/Agent.AH.310 Trojan

Microsoft Security Essentials

Initially, I installed MSE on a laptop that is on the same network where the infected image resides. I then shared the image, gave the share a drive letter on the laptop and told MSE to do a custom scan on that drive letter. The scan ran for about 15 minutes and found nothing, zero, zilch, nada – YIKES! I was a bit surprised by this initial result but decided to consider it an unfair comparison as Avira was tested on the resident machine (but took note that an over-the-network scan by MSE is probably useless). I then installed MSE on the test machine’s XP drive so I could run a local apples-to-apples comparison.

On this second configuration, which took just over an hour to run, MSE found the following 22 items:

  • Trojan:Win32/Meredrop
  • TrojanDownloader:Win32/Renos.JM x4
  • TrojanDownloader:Win32/Renos.JI x4
  • TrojanDropper:Win32/Sirefef.A!dll (Avira missed this one)
  • Trojan:Win32/Fakeinit
  • Virus:Win32/Alureon.A
  • VirTool:Win32/Obfuscator.HG x10

Conclusions

While my methodology contains at least one glaring flaw (MSE had definitions one day newer than Avira), the comparison was still sufficiently valid for my purposes. Here is what I have drawn from the comparison:

  • MSE found problems in 7 individual files that Avira did not (these details are not listed above)
  • Avira found problems in 3 files that MSE did not (also not detailed above)
  • While MSE had the advantage of 1 day over Avira which is a little unfair, it acquitted itself well in the test
  • I would be comfortable installing MSE on customer computers

Errata

I have not taken into account the possibility of false positives in these tests. It’s possible that either of these scanners appears to be better than it really is because it is finding problems that aren’t really there. Generally I don’t concern myself with FPs, as I would rather err on the safe side anyway. Having said this, MSE found ATAPI.SYS, EVENTLOG.DLL and LSASS.EXE to be infected; deleting these files will pretty much screw your Windows installation, so an FP here could be a problem. I also have concerns about MSE on a low-spec machine: it seems to command a lot of processor power even when it is doing nothing. It took 100% CPU cycles on my PIII laptop and virtually shut down the machine for 30 seconds when I merely tried to open Control Panel.
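The per-file comparison behind the Conclusions (files flagged by one scanner but not the other) and the Errata caution about critical system files can be reproduced from two scan reports. This is an added example, not the post’s own data or tooling: the two reports below are constructed (the post does not list per-file details), the tab-separated “path, detection name” format is an assumption, and the drive letters differ on purpose because the same image was mounted under a different letter on each machine.

```python
import ntpath
from collections import defaultdict

# Constructed sample reports, NOT the post's data: one line per flagged file,
# "<path><TAB><detection name>". Drive letters differ (F: vs E:) because the
# same image was mounted under different letters on the two test machines.
AVIRA_REPORT = """\
F:\\WINDOWS\\system32\\drivers\\atapi.sys\tTR/Crypt.ZPACK.Gen
F:\\Documents and Settings\\user\\Local Settings\\Temp\\av.exe\tTR/FraudPack.yox
F:\\WINDOWS\\Temp\\svchost.exe\tTR/Agent.AH.313
F:\\WINDOWS\\system32\\lsass.exe\tTR/Agent.AH.312
"""
MSE_REPORT = """\
E:\\WINDOWS\\system32\\drivers\\ATAPI.SYS\tVirus:Win32/Alureon.A
E:\\WINDOWS\\system32\\EVENTLOG.DLL\tTrojan:Win32/Fakeinit
E:\\Documents and Settings\\user\\Local Settings\\Temp\\av.exe\tTrojanDownloader:Win32/Renos.JM
E:\\WINDOWS\\system32\\sirefef.dll\tTrojanDropper:Win32/Sirefef.A!dll
"""

# System files the post names where a false positive would cripple Windows.
CRITICAL = {"atapi.sys", "eventlog.dll", "lsass.exe"}

def parse_report(text):
    """Map each flagged file to its detection names, keyed by a case-folded path
    with the drive letter stripped, so the same file on a re-lettered mount
    compares equal (Windows paths are case-insensitive)."""
    hits = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        path, name = line.split("\t", 1)
        _drive, rest = ntpath.splitdrive(path)
        hits[rest.lower()].add(name.strip())
    return hits

def compare(report_a, report_b):
    """Return files flagged by both scanners, by only one of them, and the
    subset of critical system files that should be verified against a
    known-good copy before any scanner is allowed to delete them."""
    a, b = parse_report(report_a), parse_report(report_b)
    review = sorted(p for p in set(a) | set(b) if ntpath.basename(p) in CRITICAL)
    return {
        "both": sorted(set(a) & set(b)),
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
        "review": review,
    }

if __name__ == "__main__":
    for key, paths in compare(AVIRA_REPORT, MSE_REPORT).items():
        print(f"{key}: {len(paths)} -> {paths}")
```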

On the other hand, Microsoft, who can’t produce a secure operating system, do seem to have a very good handle on finding the viruses and trojans that take advantage of their deficiencies (in a 1.0 version product, no less). If I combine MSE’s excellent virus removal results with my quasi-scientific malware discovery results described here, I think it is a very recommendable product, and I will keep an eye out for some more scientific studies from AV-Comparatives and others.

Addendum 12 May 2010: I am continuing to install MSE on customer computers. I like it because it is very easy to maintain, and that’s quite important for many users. However, MSE does have its flaws that have come out in using it over time, and I do not install it on every computer.

First, anecdotally, I do not think it finds all the viruses that Avira does. On occasion I have run MSE first, then Avira, and Avira still found items or traces of virii. Secondly, MSE is not very good on a low-specification machine. If the computer has 500MB of RAM or less or it has a slow processor, I find that often MSE drags the machine to a crawl, either by monopolising RAM or the CPU.