Archive

Posts Tagged ‘trojan’

Home Virus Removal

January 27th, 2010 admin 1 comment

What we have noticed over the last year or so is that the virus writers are making their viruses more and more difficult to remove. We have found that no single virus removal program can do the complete job. Moreover, the virus writers are making it so that an average user often cannot even get the computer booted into a state where they can start to work on it. If you want to give it a go, here are my suggestions.

Required items:

  • 1 working computer (not the virused one)
  • 1 flash drive

First, recognise that the bad guys have control of your computer. They are essentially controlling it remotely over the internet, so the first job is to cut that connection. Pull the ethernet cable out of the back if you are connected by a wire. If you are wireless, disable the wireless adapter with its switch or key combination (on a laptop) or, on a desktop, by unscrewing the antenna or pulling the card. (NB: turning off your own wireless router is not enough, as some malware will join any open network it can find, such as a neighbour’s.)

Once the computer is off the internet, turn it on and see if you can boot into Safe Mode. To do this, start pressing and releasing the F8 key about twice a second as soon as you turn the power on to your computer. If you get it right, a text menu, white on black, will appear. If the Windows start screen appears, turn off the computer and try again. From the menu, select “Safe Mode” (not “Safe Mode with Networking”). You will see all the device drivers that your computer loads scrolling across your screen. If the computer asks whether you are sure you want to enter Safe Mode, say yes. If the computer seems to stall, give it a few minutes to boot; Safe Mode sometimes takes a while to load. If you are asked to log in, log in with your user name and normal password. If all goes well, you should get a screen with large icons that looks a little like your desktop. If after 5 minutes you are still stuck on the black and white screen, Safe Mode is not going to work for you.

Once the computer boots into Safe Mode, verify that you don’t have any virus pop-ups on your screen. If you do, you may have trouble with the next step, but soldier on.

On the working PC, go to www.malwarebytes.org and download Malwarebytes, saving it on your flash drive. Next, download the latest definitions update for Malwarebytes and save that to your flash drive as well. Unplug the flash drive from the working computer and plug it into the infected one. Use My Computer (or Computer, or Windows Explorer) to find your flash drive, then double-click on the Malwarebytes program to install it.

Proceed with the Malwarebytes installation. (Some viruses are smart enough to keep you from installing this program; if it won’t install, try renaming the file on your flash drive to something random. If that still doesn’t work, you may be beyond the scope of this procedure.) When Malwarebytes asks if you want to update and then run the program, uncheck both boxes (you don’t want to run it yet). After Malwarebytes completes its installation, go back to your flash drive and run the Malwarebytes update program you downloaded. When that completes, go to your desktop and double-click on the red Malwarebytes icon.

When the program opens, select “Perform Quick Scan” and press the Scan button. This will take 10-30 minutes to complete. When it’s done, review the items it has found (there may be quite a few) and tell it to fix the problems. You may be asked to reboot the computer; if so, answer yes, and if not, reboot anyway.

With the computer still physically disconnected from the internet, reboot the computer into “normal” mode. If you can log in to your desktop, do a little dance: you are about a third of the way home. Run Malwarebytes again, this time telling it to do a full scan; this will take an hour, maybe more. Again, tell it to fix any problems it finds. After it finishes, open the Control Panel, go to Add/Remove Programs and uninstall any security or antivirus programs you have been using; consider them broken. This is an important step: if you skip it and install a second antivirus product alongside the old one, you may render your computer unusable.

Now, on the working computer, go to www.free-av.com, download Avira AntiVir and save it on your flash drive. Next, download the Avira signature update file (keep the page with its manual-update instructions handy, because you will need them after you install Avira on the infected computer). Move the flash drive to the infected computer and install Avira. Then, following the manual-update directions, update the Avira virus definitions. Now double-click on the Avira icon on your desktop and tell Avira to do a full scan of your computer. Go fix dinner or a very large cup of coffee; this will take at least an hour.

When Avira finishes, tell it to repair any problems it found. Now reconnect your computer to the internet. Start Malwarebytes again, go to the Update tab and tell it to update. When it finishes, run a Quick Scan and clean up any additional problems it finds. After that, tell Avira to update itself and run another full system scan. When that finishes, in my experience there is about a 90% chance your computer is clear of viruses and trojans; no scanner can promise more than that, so you might want to download Hitman Pro and run it for a second opinion.

If these instructions fail

There could be a million reasons why the above procedure might fail. As I said, the virus writers are smart and often over-achieve in destructiveness and stealth. Here are some good websites with helpful people that you might try:

Your other options are:

  • Save all your important data (documents, photos, e-mail; not programs) to that flash drive and reinstall Windows
  • Call a professional like Hartland Computer Services @ 859.536.4107

Good luck.

Avira v. Microsoft Security Essentials – a practical comparison

November 4th, 2009 admin 7 comments

Microsoft has recently introduced their latest iteration of virus protection, called Microsoft Security Essentials (MSE). I have read reports, largely anecdotal, that it is a pretty good product, and in fact it has got good ratings for its virus removal ability (NOT necessarily detection) from AV-Comparatives. I have been a fan of Avira AntiVir for some time now, based both on their excellent independent test results and my own experience with cleaning up customers’ PCs. I expect I will continue to use Avira, but I’m having second thoughts about installing it on customer machines. The problem is that Avira has a nagware component in its free version. The nagware pops up every day suggesting that you buy the product; this is OK as far as I’m concerned, but I believe that naive users may not be able to quickly distinguish between this legitimate advert and a pop-up for one of the nasty fake antivirus products.

Yesterday I had a customer bring me a laptop infected with a very recent and particularly nasty set of viruses. The viruses prevented installation and/or execution of all of the key malware removal tools (for example, I installed Malwarebytes and, while it was getting ready to run, the virus(es) killed it and rendered it unusable thereafter; impressive). In addition, Task Manager was disabled and Safe Mode was disabled (by BSOD).

I always start a virus removal by making an image of the drive I will be working on. That image can be mounted on my computer just as if the original drive was attached. I decided to use this image as a test to see what MSE would find on it compared to Avira and thereby get a datapoint for myself on just how good MSE is compared to what I consider the best antivirus program available.

Test Environment

The scans were run on a machine that dual boots between Windows 7 and Windows XP Pro. I have a licensed version of Avira AntiVir on the Windows 7 drive and MSE loaded on the XP drive. I use ShadowProtect Desktop from StorageCraft Technology for imaging drives. The Avira scans were run with virus definitions from 3 November and the MSE scans with definitions from 4 November. The initial infection of the drive was reported to have occurred on 2 November, with the machine having around 3 minutes of internet access on 3 November.

Baseline – Avira

During its scan, Avira identified 19 instances of malware, they were:

  • TR/Agent.AH.313 Trojan x2
  • TR/FraudPack.yox Trojan x4
  • TR/Crypt.ZPACK.Gen Trojan x3
  • TR/Crypt.XPACK.Gen Trojan
  • TR/Agent.AH.312 Trojan
  • ADSPY/Wheatesbug.A adware
  • TR/Agent.AH.337 Trojan x2
  • TR/Agent.AH.319 Trojan
  • TR/Crypt.ZPACK.Gen Trojan
  • TR/Agent.AH.308 Trojan
  • TR/Agent.AH.310 Trojan

Microsoft Security Essentials

Initially, I installed MSE on a laptop that is on the same network where the infected image resides. I then shared the image, gave the share a drive letter on the laptop and told MSE to do a custom scan on that drive letter. The scan ran for about 15 minutes and found nothing, zero, zilch, nada – YIKES! I was a bit surprised by this initial result but decided to consider it an unfair comparison as Avira was tested on the resident machine (but took note that an over-the-network scan by MSE is probably useless). I then installed MSE on the test machine’s XP drive so I could run a local apples-to-apples comparison.

On this second configuration, which took just over an hour to run, MSE found the following 22 items:

  • Trojan:Win32/Meredrop
  • TrojanDownloader:Win32/Renos.JM x4
  • TrojanDownloader:Win32/Renos.JI x4
  • TrojanDropper:Win32/Sirefef.A!dll (Avira missed this one)
  • Trojan:Win32/Fakeinit
  • Virus:Win32/Alureon.A
  • VirTool:Win32/Obfuscator.HG x10

Conclusions

While my methodology contains at least one glaring flaw, that MSE had 1 day’s newer data, the comparison was still sufficiently valid for my purposes. Here is what I have drawn from the comparison:

  • MSE found problems in 7 individual files that Avira did not (these details are not listed above)
  • Avira found problems in 3 files that MSE did not (also not detailed above)
  • While MSE had the advantage of 1 day over Avira which is a little unfair, it acquitted itself well in the test
  • I would be comfortable installing MSE on customer computers

Errata

I have not taken into account the possibility of false positives in these tests. It’s possible that either scanner appears better than it really is because it is finding problems that aren’t really there. Generally I don’t concern myself with FPs, as I would rather err on the safe side anyway. Having said this, MSE found ATAPI.SYS, EVENTLOG.DLL and LSASS.EXE to be infected; deleting these files will pretty much screw up your Windows installation, so an FP here could be a problem. I also have concerns about MSE on a low-spec machine: it seems to command a lot of processor power even when it is doing nothing. It took 100% of the CPU on my PIII laptop and virtually shut down the machine for 30 seconds when I merely tried to open Control Panel.

On the other hand, Microsoft, who can’t produce a secure operating system do seem to have a very good handle on finding the viruses and trojans that take advantage of their deficiencies (in a 1.0 version product no less). If I combine MSE’s excellent virus removal results with my quasi-scientific malware discovery results described here, I think it is a very recommendable product and I will keep an eye out for some more scientific studies from AV-Comparatives and others.

Addendum 12 May 2010: I am continuing to install MSE on customer computers. I like it because it is very easy to maintain, and that’s quite important for many users. However, MSE does have flaws that have come out in using it over time, and I do not install it on every computer.

First, anecdotally, I do not think it finds all the viruses that Avira does. On occasion I have run MSE first, then Avira, and Avira still found items or traces of viruses. Secondly, MSE is not very good on a low-specification machine. If the computer has 500MB of RAM or less or a slow processor, I find that MSE often drags the machine to a crawl by monopolising the RAM or the CPU.

Solved – Windows Update redirects to Vista on XP machine

July 31st, 2009 admin No comments

I recently worked on a laptop here that had a serious virus problem. After getting rid of over 1,300 virus-related items on the machine, I tested Windows Update to see if it was still working. This is usually a pretty good test to run after clearing viruses, as they like to disable Windows Update.

Instead of being disabled on this machine, the viruses had fiddled with the registry causing the PC to apparently report that it was running Vista rather than Windows XP. Using IE and selecting Tools/Windows Update, the user was redirected immediately to a Windows Vista update screen that showed how to reach WU under Vista. It was not possible to get to the proper screen.

I found a number of instances on the web where people had this same problem but not a good proven solution until I found this site: http://www.winhelponline.com/articles/35/1/Windows-Update-page-says-Thank-you-for-your-interest-in-obtaining-updates-from-our-site.html.

Deleting the registry keys as described immediately fixed the problem. Be sure to back up the keys first, as described there, before attempting this fix (exporting each key from regedit, or with reg export, is enough to let you put it back).

Beware of Trojan Horse Anti-Virus

July 24th, 2009 admin No comments
I have noticed a virus trend here that is so pervasive that I wanted to alert you to it so that you don’t accidentally get caught out by it: it is called a “Fake Antivirus”.

The Trojan Horse
You may have heard the word “Trojan”, short for “Trojan Horse”, in association with computer viruses, well Fake Antivirus is a great example of a Trojan. If you remember your history, some clever Greeks hid inside a wooden horse, later ambushing and killing their enemies, the hapless Trojans, who had rolled the horse inside their fortress thinking it was a gift. The Fake Antivirus works the same way (Monty Python’s video illustration of this concept here for further study)

The way this works is that while you are surfing, you may suddenly see a message telling you that you have viruses on your computer. Usually this message pops up unexpectedly, is very colourful and has lots of blinking or moving messages. Importantly, this notice is NOT from your installed antivirus program; it is normally just a browser window dressed up to look like a scanner. Sometimes it will enumerate the number of viruses you have on your computer. Helpfully, it will advise you to “CLICK HERE” to get rid of the supposed viruses. If you click the button, instead of being cleaned your computer will become infected: welcome to Troy (for more information on the fate of your data, please see Cassandra).

Avoiding the Fate of Troy
There are steps you can take to avoid this problem:

  • Ensure that your real antivirus program is turned on and up-to-date. Here at Hartland Computer we often install Avira AntiVir on PCs we work on, if you have this program, make sure that the little umbrella that appears on the bottom-right of your screen is shown as open, not closed. You can also double-click that icon to open the summary screen that will tell you whether it is on and up-to-date.
  • Make sure that any pop-ups telling you that you have viruses are from the antivirus program you already have installed. These pop-ups always have the program or company name, seldom blink or flash and normally prevent you from doing anything else on the computer until you respond to them.
  • Make sure that your computer has the latest security updates from Microsoft Windows Update (you have to be using Internet Explorer to go there).
  • If you do get a fake virus pop-up, do not scan for viruses or interact with the screen. Rather than closing the window in the normal way (its “Cancel” or “X” buttons may be wired to the same download as the “scan” button), it is safer to hit control + alt + delete to view the list of currently running programs in the Task Manager. From there, highlight the browser or rogue pop-up and click the button that says “End Task”.
  • Be aware that using Bittorrent, Limewire and other P2P file sharing programs is an invitation to introduce viruses onto your computer.
  • Run a complete system virus scan on your computer once or twice a week.

Just be alert that this scam is very popular right now and keep your eye out for it.

Giving Up Early and Fixing the c_20127.nls Problem

May 31st, 2009 admin 1 comment

When I was responsible for software development teams I used to often say that sometimes it was good to know when to give up early. Most good software developers that I know are ambitious problem solvers, and if you manage to give them an “impossible” task they will work on it until the cows come home trying to fix it. “Impossible” tasks have a virtually unlimited set of rabbit holes, false solutions and sub-problems to be solved, and these distractions often conceal the true solution, which is to give up and try something completely different. Such is the advice I should have been giving myself in trying to repair the HP Pavilion 533w that’s been on the bench here for several days.

I’m not sure what the machine has been through in getting to me, it appears to have lots of Windows updates but is in pre-SP2 state. The two key problems I faced were:

  1. Non-destructive recovery install stalls after setting keyboard and language
  2. After problem 1 was solved, Windows update stalled at “Checking for latest updates for your computer…”

For Problem 1, it turns out that some HP Pavilions have a bug in their non-destructive recovery solution. This bug causes the install to report that it cannot locate the file c_20127.nls on the recovery drive, after which it eventually seizes up.

To fix this, I used a modified version of these instructions:

http://h10025.www1.hp.com/ewfrf/wc/genericSoftwareDownloadIndex?lc=EN&cc=us&softwareitem=pv-9155-1

(also referenced here: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329450)

As you will note, these instructions call for the use of a floppy disk; they might just as well have suggested that you use your keypunch machine to type the solution onto Hollerith cards, because who uses floppies anymore? As it turns out, you can modify the instructions to use a USB flash drive by changing the two references in the .BAT file from “A:” to the drive letter your flash drive is assigned (“D:” in my case; check which letter yours gets), copying the files to the root of the USB flash drive, and ensuring that the flash drive is plugged in to the problem computer when it is booted. Follow the HP instructions but find your files on that drive letter instead of A:. In my case I had to do the install again to get the fix to take.

Once Windows XP Home was loaded back on the machine I was disappointed (to say the least) that the system would not access Windows Update. I think this problem was related to some spyware that had been on the machine previously.

Broken Windows Update that results from viruses and spyware can be very difficult to fix. Here is where the wise and experienced computer tech will probably decide to do a clean install. But not me. There are a lot of reasons why Windows Update fails. There are hundreds of things to try. In the past, I have found that the registry keys for Automatic Update Service or BITS had been altered from %SystemRoot%… to %fystemRoot%. That was not the case for this machine.

What finally did work for this machine can be found here:

http://taurarian.mvps.org/WU_XP/0x8024402f.htm

By the time I got to Step 4, the problem was fixed. Hallelujah!

P.S., oh and I also renamed the SoftwareDistribution folder to .OLD, don’t know if that impacted the solution.

6 ways to tell if you have a computer virus

May 12th, 2009 admin No comments

A lot of initial calls we get here in our computer repair business in Lexington are about viruses. Generally people have a vague notion that they might have a virus, but they aren’t sure, can we take a look? I thought it might be helpful to describe the quick triage we do ourselves to make our assessment.

First let me mention that there are a number of different kinds of infections you might get, which we lump into 2 categories: Viruses/Trojans/Spyware/Adware/Worms are in the first category (generally known as “malware”), and the second category we call “crapware”. For all intents and purposes, to the computer user it’s all about the same: malware is responsible for making your computer slower, changing the data that is coming into your computer and possibly taking information out of your computer. Once in, some of it replicates or pulls in more malware, sometimes until the PC becomes unusable. The second category, crapware, is software that either the computer manufacturer has put on your computer, or some legitimate installation program has sneaked on there because the user wasn’t paying 100% attention. Similarly, it slows down your computer and makes it operate less efficiently.

So, what are the signs that your computer is infected?

  1. Your computer starts very slowly – As computers that are running Windows operating systems age, they slow down (just like people): the disk and registry get full of remnants of programs long forgotten and no longer used. However, when your computer starts exhibiting signs of extreme slowness that comes on quickly, over the course of a couple of weeks or less, be suspicious. If it’s taking more than 2-3 minutes for your computer to become usable, be very suspicious.
  2. Your Anti-Virus software reports that your virus definitions are out of date – One of the things that malware programs do first is disable your Anti-Virus program or interfere with your internet access to keep them from updating themselves. If you find that you can’t update your AV, you’ve got a problem.
  3. Windows update doesn’t work – Malware takes advantage of defects and holes in your Windows operating system. Microsoft runs along behind the malware creators patching those holes and encourages users to update their systems through Windows Update. Malware creators try to stay a step ahead of Microsoft, but then must prevent you from plugging the holes they are taking advantage of; they do this by disabling some of the underlying services that facilitate Windows Update. Open Internet Explorer, go to Tools/Windows Update or Safety/Windows Update and update your computer with the latest security patches; if this fails, it could very possibly be due to a malware infection.
  4. Control-Alt-Delete doesn’t work – Some malware disables this popular function because it is useful in seeing what programs are really running on the computer.
  5. When you are browsing, you get unexpected “pop-ups” – Pop-ups are windows that open on your desktop unexpectedly, almost always trying to sell you something. Sometimes, they cynically tell you that you have a virus and you need to download their program to fix it (the download actually is the virus).
  6. Your internet access is stopped or seriously curtailed – If this behaviour is combined with any of the above, you probably are infected.

All of the indicators above could indicate some other problem with your computer, but if you are experiencing two or more of them, chances are you’ve caught something. If the infection is bad, you are going to need to budget a good bit of time to repair it. There are some good resources out there; one place to start is the Security Forum at Broadband Reports, lots of helpful people there. You can also contact me here on this blog, I’ll be happy to help if I can.
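Several of the indicators above, and the registry tampering mentioned in the earlier posts on this page (Task Manager disabled, Windows Update refusing to run, the %SystemRoot% to %fystemRoot% edit), leave traces in the registry that can be checked from the working computer rather than on the infected one. The script below is an added example written for this page, not the author’s own tooling. It parses the .reg files produced by the standard reg export command (which also gives you the backup the Windows Update post tells you to take before deleting keys) and flags three things: the DisableTaskMgr policy value, the Automatic Updates (wuauserv) or BITS service set to Disabled, and an ImagePath for either service that no longer points at %SystemRoot%\system32\svchost.exe. The key paths are the standard Windows locations; the sample export embedded at the bottom is constructed to look like an infected XP machine and is not real data from any of the posts.

```python
r"""Offline triage of registry exports from a suspect Windows box (added example, not the
post's own tooling). On the infected machine, use the standard reg export command:
    reg export HKLM\SYSTEM\CurrentControlSet\Services\wuauserv wuauserv.reg
    reg export HKLM\SYSTEM\CurrentControlSet\Services\BITS bits.reg
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System policy.reg
The .reg files double as the backup the author recommends taking before deleting keys;
carry them to the working computer and run:  python reg_triage.py wuauserv.reg bits.reg policy.reg
"""
import re
import sys
from typing import Dict, List, Optional

Hive = Dict[str, Dict[str, object]]  # lower-cased key path -> {lower-cased value name: value}
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\((\w+)\))?:(.*)$")

def parse_value(raw: str) -> object:
    """Decode the syntaxes regedit writes: "string", dword:xxxxxxxx and hex(n):aa,bb,..."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = _HEX_RE.match(raw)
    if m:
        blob = bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
        # REG_EXPAND_SZ (2) and REG_MULTI_SZ (7) are UTF-16LE text; other hex types stay binary
        return blob.decode("utf-16-le").rstrip("\0") if m.group(1) in ("2", "7") else blob
    return raw

def parse_reg(text: str, hive: Optional[Hive] = None) -> Hive:
    """Parse .reg text into `hive`; pass the same dict again to merge several exports."""
    hive = {} if hive is None else hive
    lines: List[str] = []
    for raw in text.splitlines():  # regedit wraps long hex values with a trailing backslash
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw)
    current: Optional[str] = None
    for line in (ln.strip() for ln in lines):  # the header, comments and blanks match neither branch
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hive.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            name = "" if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1)).lower()
            hive[current][name] = parse_value(m.group(2))
    return hive

def triage(hive: Hive) -> List[str]:
    """Findings for the three registry symptoms this page describes; [] means none were seen."""
    findings: List[str] = []
    # Indicator 4 and the fake-AV post: Task Manager blocked through the DisableTaskMgr policy
    if hive.get(POLICY.lower(), {}).get("disabletaskmgr") == 1:
        findings.append("Task Manager is disabled by policy (DisableTaskMgr=1)")
    # Indicators 2 and 3: the services Windows Update and antivirus updaters depend on
    for svc in ("wuauserv", "BITS"):
        vals = hive.get(f"{SERVICES}\\{svc}".lower())
        if vals is None:
            findings.append(f"service {svc}: key not present in the export")
            continue
        if vals.get("start") == 4:  # Start=4 is Disabled: the service cannot be started at all
            findings.append(f"service {svc}: start type is Disabled")
        image = str(vals.get("imagepath", ""))
        # Both are svchost-hosted from the real Windows directory; the Pavilion post saw %SystemRoot% edited to %fystemRoot%
        if not image.lower().startswith(r"%systemroot%\system32\svchost.exe"):
            findings.append(f"service {svc}: unexpected ImagePath {image!r}")
    return findings

def hex2(s: str) -> str:  # encode text the way regedit exports REG_EXPAND_SZ (builds the sample)
    hexes = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    return ",\\\n  ".join(",".join(hexes[i:i + 25]) for i in range(0, len(hexes), 25))

# Constructed sample imitating an infected XP box: wuauserv carries the %fystemRoot% edit,
# BITS has been set to Disabled and Task Manager is policy-blocked.
BAD_IMAGE = hex2(r"%fystemRoot%\system32\svchost.exe -k netsvcs")
GOOD_IMAGE = hex2(r"%SystemRoot%\system32\svchost.exe -k netsvcs")
SAMPLE_EXPORT = f"""Windows Registry Editor Version 5.00

[{SERVICES}\\wuauserv]
"Start"=dword:00000002
"ImagePath"=hex(2):{BAD_IMAGE}

[{SERVICES}\\BITS]
"Start"=dword:00000004
"ImagePath"=hex(2):{GOOD_IMAGE}

[{POLICY}]
"DisableTaskMgr"=dword:00000001
"""

if __name__ == "__main__":
    merged: Hive = {}
    for path in sys.argv[1:]:  # reg export writes UTF-16LE with a BOM, which the utf-16 codec handles
        with open(path, encoding="utf-16") as fh:
            parse_reg(fh.read(), merged)
    for finding in triage(merged if sys.argv[1:] else parse_reg(SAMPLE_EXPORT)):
        print("SUSPECT:", finding)
```

Run it with no arguments to see it flag the constructed sample; pass the exported .reg files to check a real machine. A finding is a lead, not proof: a missing key may simply mean you forgot to export it, and anything the script flags should be repaired by restoring the value from a known-good machine (or from your own export) rather than by deleting the key outright.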