• The ultimate virus scan: Clean outside Windows




    BEST PRACTICES

    The ultimate virus scan: Clean outside Windows

    By Lincoln Spector

    No matter how good your precautions, malware can still infect your computer.

    If you suspect an infection but your antivirus program tells you otherwise, take Windows out of the calculation and run your AV in a non-Windows environment where the infection can’t hide.


    The full text of this column is posted at WindowsSecrets.com/best-practices/the-ultimate-virus-scan-clean-outside-windows/ (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.


    • #1352303

      F-Secure’s user guide has this rather ominous warning:

      Using the Rescue CD on a working operating system may rename
      essential system files and so cause your operating system to no longer
      start. If this happens you can use your operating system repair disk to
      reinstall the operating system. Note that this may reinstall a fresh
      operating system and so remove any personal settings and files you
      have.

      Sounds like the cure could be worse than the disease. How should we take this warning?

    • #1352309

      I would take such warnings seriously. But you are already infected badly, or else you wouldn’t be doing this extreme cleanup. Any extreme measures to clean up a virus infection risk the same damages to the OS or loss of data contained within the OS.

      This is why you need an ongoing data backup strategy, and an occasional System Image backup as well.

      By spending less than 15 minutes a couple of times per week, you can rest reasonably assured that if a virus cleanup or other mishap really wrecks your OS installation, you can fearlessly restore the whole OS and all your data in under an hour (frequently 20 minutes or less). This will leave your OS clean and fully refreshed, with minimal loss of recent data and no missing or damaged critical System Files.

      I also back up my drivers to a single ZIP archive once in a long while.

      There are also Repair Options on the retail install disks (or the Repair Disk you can burn from any Windows 7 version) for most versions of Windows. If a Repair doesn’t work, you may indeed end up reinstalling the OS. But a non-destructive reinstall should preserve your personal data and many settings, and most software will continue to work in many cases.

      So yes, the warnings are warranted. And this is one more reason to BACKUP BACKUP BACKUP! Preferably in advance of any sort of trouble.

      The cure is never worse than the disease. Never continue to use a known to be infected PC. Clean it up or reinstall or roll back using a known clean (scanned before backing up) System Image.

      -- rc primak

    • #1352339

      A very easy, and effective, way to scan and clean your computer is with Windows Defender Offline. Best of all, it’s free!

      Basically, you go to the Microsoft website to download the program: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

      You choose 32-bit or 64-bit, you put a CD or DVD in the drive, and download the program.

      You then boot the infected PC with the CD or DVD you made.

      It will scan and clean your computer pre-Windows (before Windows gets a chance to load).

      Wait till you need it to download it, so that it will be up-to-date.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
    • #1352387

      Cleaning outside of Windows is not too dissimilar from cleaning inside of Windows, in that you will always run the risk of removing something vital or essential, thereby necessitating a specific repair, or a full repair install of the entire OS, after the virus or malware removal is completed.

      A “quick and easy fix” to any virus or malware issue is the exception not the rule.
      Instead of brooding over the thought of spending a considerable amount of time on a malware or virus cleanup, get yourself set up with a well-coordinated backup regimen based on imaging and hard-copy backups of your data.

      If you're finding yourself with no other recourse than to attempt a complex virus or malware cleanup, then that should tell you that your means of backup is seriously lacking and that you are in need of a well thought out backup regimen.

      Instead of focusing on cleanup and removal, focus on prevention and backup.
      You can either spend hours cleaning up or minutes restoring. You get to choose.

    • #1352507

      Working in a shop where 75%+ of our work is malware removal, these CDs are an excellent resource and our first shot at most malware removal jobs.

      The Windows Defender Offline tool seems to cycle between catching lots of crap and catching nothing. A new version was just released, 4.1.522. I used this one a lot, but it’s being surpassed by…

      The Kaspersky tool is excellent, except that the update downloads are horribly slow. They need better servers or something.

      The AVG offline scanner works, I think, but it’s hard to follow what it’s been doing. Crappy interface. I used it a few times with some tough infections but don’t use it anymore because I can’t tell what it’s up to or what it’s done or what to do next.

      We will definitely play with the F-Secure tool.

      -John

      • #1352623

        Virus writing and virus removal is always a cat and mouse game, with the numbers favoring the virus writers. At least we currently have detection, removal and prevention schemes which usually work. This may not always be the case in the future, I fear. The very public and yet anonymous nature of the Internet is largely to blame for this state of affairs. As long as folks can hide behind proxies and fake screen names and such, there will always be a criminal element with financial motives which will keep anti-virus engineers very busy, I’m afraid.

        -- rc primak

    • #1352684

      Thanks for the “Clean outside Windows”, very informative. There is an outside-Windows antivirus etc. that you might want to take a look at, from http://www.fixMeStick.com, which I have been using for a few months. It comes with its own OS on a thumb drive. Simply insert it into a USB slot and restart your computer, making sure you have an Internet connection for updates. Highly recommended.

    • #1352715

      Bob…I’m glad we rarely run into something that the scanners can’t remove. The damage left behind? That’s a whole other can-o-worms. The one that scares me are future rootkits. The offline scanners do well with the current crop of rootkits, but the potential for really serious undetectables is strong.

      The strategy of using several scanners has served me well.

      -John

    • #1352726

      I agree fully with having a good backup strategy in place. But if you don’t, and if you get hit with something before you can do a clean backup, then the best option is an offline (pre-Windows) virus scan from several different scanners.

    • #1352736

      Ran the F-Secure disk on a couple known-infected systems. Works fine, seems speedy. But, it’s hard to tell what it’s caught. The report at the end is on a ‘DOS’ screen and the names of the malware are off the right edge. Maybe there’s a way around this or details on the bugs somewhere that I can’t find? This is where the Microsoft WDO disk shines: I get a clear list of scan results along with descriptions of the malware and their seriousness. I also get to choose how to handle the bugs individually, including so-called PUPs…potentially unwanted programs.

      As a side note, I’ve been removing malware every day for a year, and I have yet to see malware that destroys user data. I see a lot of busted Windows installs…Update won’t run or MSE won’t update or whatever, but never any lost data due to malicious software. We used to see lots of machines with data hidden by malware, but that’s easy to fix.

      I think this is because today’s malware isn’t destructive like it was in the 80s and 90s, and early in the last decade. Today it’s all about botnets and getting money from you. I think backups are essential because hard drives regularly fail, but malware as a reason for a backup solution isn’t a good rationale in my little piece of the world, unless you’re selling backup solutions. 😉

    • #1352917

      Regarding F-Secure…ran it on a customer’s infected machine, it found two or three things but I couldn’t identify what they were because the path to them extended beyond the end of the screen…not a useful setup.

      Ran Kaspersky’s disk right behind, and it found a trojan, a trojan dropper, and the pihar.c rootkit.

      That’s a bad review. Not only can’t I tell what F-Secure might have caught, it missed some serious stuff.
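
      Added example, not code from the column or from any poster in this thread. The complaints above (F-Secure’s report running off the right edge, AVG giving no clear picture of what it did) come down to the scanner not recording the full path and the detection name of each hit in a form you can read later. The script below is a minimal offline hash-match scan as you would run it from a Linux rescue shell against a Windows volume the rescue environment has mounted read-only. It writes one tab-separated line per hit with the full path, and its quarantine step keeps a log from which every move can be reversed. The mount point /mnt/win, the indicator-list format, and the file names in the usage are assumptions; the hashes are whatever your indicator list supplies.

```shell
#!/bin/sh
# Added example, not code from the column or from any poster in this thread.
# Minimal offline hash-match scan of a Windows volume that a Linux rescue
# environment has mounted READ-ONLY (assumed at /mnt/win). Every hit is
# written with its full path and detection name so nothing runs off the edge
# of the screen, and quarantine keeps a log that can be reversed file by file.
set -eu

# SHA-256 of one file, using whichever tool the rescue image ships.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# scan_volume MOUNT_POINT IOC_FILE REPORT
#   IOC_FILE: lines of "sha256<TAB>detection-name" (a constructed list here;
#             in practice vendor indicators or your own incident notes).
#   REPORT:   written as "sha256<TAB>detection-name<TAB>full-path" per hit.
#   Prints the number of hits. Reads the volume only; it changes nothing.
scan_volume() {
    mount_point=$1; ioc_file=$2; report=$3
    : > "$report"
    find "$mount_point" -type f | while IFS= read -r path; do
        h=$(hash_file "$path")
        name=$(awk -v h="$h" -F'\t' '$1 == h { print $2; exit }' "$ioc_file")
        if [ -n "$name" ]; then
            printf '%s\t%s\t%s\n' "$h" "$name" "$path" >> "$report"
        fi
    done
    wc -l < "$report" | tr -d ' '
}

# quarantine_hits REPORT QUARANTINE_DIR
#   Moves each reported file under QUARANTINE_DIR, mirroring its original
#   path, and appends to quarantine.log so every move can be undone.
#   The volume must have been remounted read-write first (assumption).
#   Prints the number of files moved.
quarantine_hits() {
    report=$1; qdir=$2
    moved=0
    tab=$(printf '\t')
    while IFS="$tab" read -r h name path; do
        case $path in
            /*) dest="$qdir$path" ;;
            *)  dest="$qdir/$path" ;;
        esac
        mkdir -p "$(dirname "$dest")"
        mv "$path" "$dest"
        printf '%s\t%s\t%s\t%s\n' "$h" "$name" "$path" "$dest" >> "$qdir/quarantine.log"
        moved=$((moved + 1))
    done < "$report"
    echo "$moved"
}

# Run directly as: sh offline_scan.sh /mnt/win ioc.tsv report.tsv
if [ "$#" -eq 3 ]; then
    echo "$(scan_volume "$1" "$2" "$3") hit(s); full paths are in $3"
fi
```

      Run the scan with the volume mounted read-only, read report.tsv, and only then remount read-write and call quarantine_hits on the report; the log it leaves in the quarantine directory is the “what did it do and what next” record the posters above were missing. A hash list only catches what is already known, so this is a complement to a signature engine, not a replacement for one.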

    • #1353094

      As usual, we thank you for a very informative article.

      :confused: Just out of curiosity, why didn’t you consider Windows Defender Offline? It may be using a subset of the Windows operating system, but it isn’t using the OS that is infected and cannot be influenced by it. Also, it can be updated and you have the choice of a Quick or Full scan all on the first page. It shows you what it found and even gives you the opportunity to see details on each intrusion.

    • #1353125

      Windows Defender Offline is easy to obtain and easy to use. Best of all, it’s free.

      Just put a blank CD or DVD in a clean machine, go to the Microsoft website, and choose 32-bit or 64-bit.

      Then just boot the infected machine with the disk you just created. It’s a bit slow to get going, but extremely easy.

    • #1353276

      I have used UBCD4win (UBCD4win.com) quite successfully, as it includes several anti-spyware and antivirus programs that can be run with a single boot. Various versions of this utility have included different anti-malware programs. A very useful feature is the ability to add programs of your choice to the options, although this might not be a preferred option for the technologically faint of heart.

      I have also removed the suspect hard disk from the infected computer and scanned it on other systems that have different anti-malware programs installed (typically using a USB or eSATA hard disk dock). This utility can be installed on either a bootable DVD or USB stick.

      Regardless, I have always made a full image backup of the infected disk prior to scanning, lest an over-enthusiastic scan resulted in removing an essential file or setting.
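
      Added example, not code from the column or from any poster in this thread. The imaging step in the post above, done from a Linux rescue shell before any scanner touches the disk: image_disk copies the suspect device with dd, records a SHA-256 of the image, and verify_image rechecks that hash later (for instance after the scan, to show the scanner changed nothing); attach_readonly shows the mount flags for the scan itself. The device path /dev/sdb, the mount point /mnt/evidence, GNU coreutils dd and sha256sum, and Linux loop-mount support with an NTFS driver are assumptions; the usage note runs it on a small file standing in for a device.

```shell
#!/bin/sh
# Added example, not code from the column or from any poster in this thread.
# Image a suspect disk from a Linux rescue shell BEFORE any scanner touches it,
# record a hash of the image, and re-verify that hash later (for instance after
# the scan, to show the scanner changed nothing). Device and mount paths are
# assumptions; GNU coreutils dd and sha256sum are assumed.
set -eu

# image_disk SOURCE DEST
#   Copies SOURCE (a block device such as /dev/sdb, or any file) to DEST.
#   conv=noerror,sync keeps going past unreadable sectors on a failing drive and
#   zero-fills them so later offsets stay correct; bs=512 keeps that padding to
#   sector size (a larger bs pads the tail of the image by up to one block).
#   Writes DEST.sha256 and prints the hash.
image_disk() {
    src=$1; dest=$2
    dd if="$src" of="$dest" bs=512 conv=noerror,sync
    h=$(sha256sum "$dest" | cut -d' ' -f1)
    printf '%s  %s\n' "$h" "$dest" > "$dest.sha256"
    echo "$h"
}

# verify_image DEST
#   Recomputes the hash of DEST and compares it with the one recorded at
#   imaging time. Returns 0 on match, 1 on mismatch.
verify_image() {
    dest=$1
    expected=$(cut -d' ' -f1 "$dest.sha256")
    actual=$(sha256sum "$dest" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        return 0
    else
        return 1
    fi
}

# attach_readonly IMAGE MOUNT_POINT
#   Attaches a single-partition image file for the scan (assumption: one
#   volume per image; a whole-disk image needs a partition offset as well).
#   ro keeps the scanner from altering evidence; noexec,nodev,nosuid keep a
#   payload on the image from being run from the rescue system by mistake.
#   Needs root and a kernel NTFS driver (ntfs3 or ntfs-3g), which is assumed.
attach_readonly() {
    mkdir -p "$2"
    mount -o ro,noexec,nodev,nosuid,loop "$1" "$2"
}

# Run directly as: sh image_first.sh /dev/sdb /mnt/evidence/sdb.img
if [ "$#" -eq 2 ]; then
    image_disk "$1" "$2"
    if verify_image "$2"; then
        echo "image verified; hash recorded in $2.sha256"
    else
        echo "hash mismatch on $2" >&2
        exit 1
    fi
fi
```

      Scan the image (or a copy of it) rather than the original disk; if a scanner is over-enthusiastic, as the post above warns, you restore from the image instead of rebuilding. Because conv=sync pads the last partial block, the image can be a few hundred bytes longer than the source, which is why the hash is taken of the image, not of the device.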

    • #1354400

      Unless somehow an external virus scanner can also scan the host registry, it’s pretty much not going to be the panacea for virus removal. When I was still in the computer repair business, when a client had no choice but to try to save a system, we spent hours doing first an external scan, then an internal scan in safe mode using an online scanner, then using the client's anti-virus or installing one (only for non-business; many free anti-virus programs are for personal use) and doing a scan in normal Windows. I’ve saved quite a few systems, but it got to be so much of a pain that we told the client it would be both cheaper and better to rebuild the OS. There is no such thing as a perfect anti-virus program, but I did like NOD32 at that time. Now, I double-sandbox so I only run a rudimentary anti-trojan program. Virtualization is really the only way to protect a system, and even with that, you have to be disciplined. 🙂

    • #1354514

      Most modern antimalware apps do scan the registry, including my favorite, Malwarebytes. I have disinfected the vast majority of the clients that come to me with malware. They really have no desire to reinstall all their apps, and some don’t even have the disks to do it with anymore.

      I’m also a security software minimalist, running just one anti-virus program (Microsoft Security Essentials, but there are other good choices), Windows Firewall, and the hardware firewall in my router. The more stuff you add (software firewalls, email scanners, and Internet security scanners) just tends to slow the computer down and raise the possibility of conflicts. My setup and common sense about what to click on have kept me malware free. YMMV.

      Jerry
