• Windows Defender Offline — old name, new use

    #480804


    TOP STORY

    Windows Defender Offline — old name, new use

    By Woody Leonhard

    Microsoft’s newly released beta version of Windows Defender Offline, a rootkit-sniffing and Windows-rehabilitation tool, should be the latest addition to your bag of Windows-repair tricks.
    WDO should be able to catch a wide variety of nasties that evade detection by more traditional antivirus methods.


    The full text of this column is posted at WindowsSecrets.com/top-story/windows-defender-offline-old-name-new-use/ (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.


    • #1312849

      Neither the article nor the MS website is clear whether the version (32 bit vice 64 bit) has to match the installed operating system or the hardware it is being used on. This is even less obvious than it should be since the terms machine and system are used interchangeably and indeed it is possible that some users are running 32 bit Windows on a 64 bit computer.

      I can’t find a definitive answer to this and I’m not going to go through the effort of the various tests but my instinct/opinion is that the software should match the bittedness (to use Woody’s term) of the hardware as opposed to the operating system.

      Jim

      • #1312860

        I have downloaded the program, installed on a CD and restarted PC with the CD. So far, no welcome screen and/or nothing happens.
        What would be the problem and how to fix it?

        • #1312899

          I have downloaded the program, installed on a CD and restarted PC with the CD. So far, no welcome screen and/or nothing happens.
          What would be the problem and how to fix it?

          Chances are good the PC isn’t booting from the CD.

      • #1312886

        Neither the article nor the MS website is clear whether the version (32 bit vice 64 bit) has to match the installed operating system or the hardware it is being used on. This is even less obvious than it should be since the terms machine and system are used interchangeably and indeed it is possible that some users are running 32 bit Windows on a 64 bit computer.

        I can’t find a definitive answer to this and I’m not going to go through the effort of the various tests but my instinct/opinion is that the software should match the bittedness (to use Woody’s term) of the hardware as opposed to the operating system.

        Jim

        Hello Jim, and welcome to the Lounge!

        The 32 and 64 bit Woody mentioned refers to the bittedness of the Windows operating system. Almost all processors in use today, except some of the old Intel Atom processors used in early netbooks, are 64 bit processors. Intel and AMD desktop processors have both been 64 bit processors since 2005, when Intel introduced the Pentium 4F “Prescott 2M” processor. AMD’s Athlon 64 preceded Intel’s desktop 64 bit processor by about 16 months.

        The 32 bit Windows OS runs fine on 64 bit hardware, although now most Windows PCs come standard with Windows 7 64 bit. Most of the installed Windows XP base is 32 bit running on 64 bit hardware, at least on machines built since 2005.

        If one has 32 bit Windows installed, then the 32 bit version of the WDO should be used. If the installed OS is 64 bit Windows, then the 64 bit version of WDO should be used.

      • #1312898

        @JavaJim – Most modern PCs will run either 32-bit or 64-bit Windows. (I’m tempted to say “all”.) So in that sense the hardware itself on just about any PC you come across nowadays is 64-bit capable.

        The difference is in the operating system. You’re either running a 32-bit version of Windows, or a 64-bit version of Windows.

        (OOOPS. Thanks Deadeye81. Just noticed your post. As usual, you’re exactly right!)

    • #1312859

      AFAIK the new version has been out for 2 weeks. I have been running it on an XP SP2 machine. Glad to see you guys are on top of things like this. :)

      Bzman

    • #1312862

      “bittedness”???? Come on now!

      • #1312871

        Lighten up!

        • #1312873

          I am an IT technician and have a couple of questions because I am often removing malware from clients’ computers.

          1. After booting on CD and running Windows Defender Offline, how effective is the update function?
          2. Does the boot CD include a fairly complete range of NIC device drivers?

          If the answer to either of the above is no, then it appears that it will be necessary to download the product every time it’s used to ensure latest signatures, engine etc.

          Regards
          Ken

          • #1312901

            I am an IT technician and have a couple of questions because I am often removing malware from clients’ computers.

            1. After booting on CD and running Windows Defender Offline, how effective is the update function?
            2. Does the boot CD include a fairly complete range of NIC device drivers?

            If the answer to either of the above is no, then it appears that it will be necessary to download the product every time it’s used to ensure latest signatures, engine etc.

            Regards
            Ken

            By far, the simplest solution is to use a USB drive and just download WDO immediately before you need to use it. There are ways to manually update the definitions, but why bother?

            No idea how many NIC device drivers are included. Are you concerned about infected NIC device drivers?

            • #1312912

              Hi,

              I’m still a bit confused. I’ve been using the MSFT Standalone System Sweeper software on USB for a few months. Is this the same program, only with a different name? When I go to the linked site, the download is the same file (mssstools64.exe or mssstools32.exe) that I get when updating the Sweeper USB device. So is this the same thing?

              On a separate note: if you download the MSSSTools file and use it to create a USB drive – you can just rerun the program with the USB drive in place and it will upgrade the USB to the current version. This is much faster than doing a new download each time and creating a new USB drive each time you want to use it. I keep 2 flash drives, one with 64bit and one with 32bit, updated and in my toolkit. Takes just a few seconds each day to stay up to date.

              JimA

            • #1312917

              Hi,

              I’m still a bit confused. I’ve been using the MSFT Standalone System Sweeper software on USB for a few months. Is this the same program, only with a different name? When I go to the linked site, the download is the same file (mssstools64.exe or mssstools32.exe) that I get when updating the Sweeper USB device. So is this the same thing?

              JimA

              Welcome to the Lounge, Jim!

              WDO Beta was released in early December 2011. It is an improvement over System Sweeper, but the download file has the same name as the earlier Standalone System Sweeper.

    • #1312887

      I dual boot W7x64 and XPProx86, which should I use?

      • #1312890

        I dual boot W7x64 and XPProx86, which should I use?

        I would burn two optical disks, one with the 32 bit version of WDO and one with the 64 bit WDO. Just be sure when you want to scan the Windows 7 partition, you boot to the WDO 64 bit, and choose the correct partition to scan. Likewise, boot to the WDO 32 bit when you want to scan XP Pro. Of course, that means you will have to boot to CDs twice to scan both operating systems.

        According to Woody, using the Custom scan option allows you to choose specific drives and folders for scanning.

    • #1312908

      Hi all,
      I had no problem downloading for Vista 32. But can’t figure out how to do XP3. I don’t see how to get into that section?
      Help!
      LeRoy

      • #1312911

        Hi all,
        I had no problem downloading for Vista 32. But can’t figure out how to do XP3. I don’t see how to get into that section?
        Help!
        LeRoy

        Welcome to the Lounge, LeRoy!

        The 32 bit version of WDO you downloaded should run fine for Windows XP SP3. XP requires the 32 bit download.

        • #1313040

          Downloaded 32 and 64 bit files. Burned both successfully. Ran 64 version first with the following results:
          1. No choice of OS was given. WIN7 64 started and ran WDO 64 to the point where Window Shell Application.exe encountered a major error. The only recourse was a restart.
          2. Attempting to choose either OS without first running the WDO disk resulted in the selected OS starting without running the WDO disk.

          MS WDO FAQs does not cover this problem. The MSE Forum does not have anyone who has encountered this problem, yet. The FAQs seem to indicate that only a USB drive can be updated. Apparently, once you create a CD, you have a coaster after the definitions become outdated.

          If anyone knows how to select an OS from multiple boot systems and then getting the WDO disk to work, I would appreciate hearing about it. WDO seems to be a good idea, but trying to get it to work from other than a USB drive seems impossible. I wonder how Woody was able to do it???

        • #1313148

          I found a quirk, at least for my motherboard (AMD CPU) and possibly others – the WDO boot CD stalled at the initial MS logo screen, and after a long delay popped up an error message saying there was a memory management problem. As I had all 3 RAM slots filled (3 GB), on a guess I pulled one and found that the WDO CD would then boot and run the malware scan program successfully. I don’t know why that should be, as XP runs fine with the 3 GB.

        • #1313201

          I haven’t tried the tool yet, but it won’t improve on the procedure of pulling the drive and attaching it to another system unless it can also do boot sector repair and replace infected system files. I use an OS CD/DVD to re-write the boot sector, and I keep an extra supply of XP’s svchost.exe, explorer.exe, cdrom.sys, ntfs.sys, and several others. I haven’t found an offline tool yet that can do it all, would be nice.

          • #1313205

            I made a boot disc, booted, and ran it on my W7 64 bit machine (ASUS P6T Deluxe V2 with 12 gig of triple channel memory) with no problems. I just ran it (custom) on the C drive; it took just over an hour. I did not do a full scan as I have 4 internal drives and 6 external drives.

            I highly doubt storing an ISO on your machine would create a problem.

        • #1313255

          This kinda stinks.

          I can boot up WD offline just fine, and it runs
          Windows. In fact, it looks very like a Windows
          PE package. But that’s the end of the line for me.

          My PC uses a high-end ASUS motherboard with
          a Marvell [RAID0] embedded controller. This
          package can’t find a ‘hard drive’ (array), so
          it summarily exits.

          I have two gripes: one is that MS seems to
          accommodate only the ‘bare-bones’ kind of
          system. Even when installing Windows, the
          escape process to install custom drivers is
          antiquated and cumbersome. Here, it doesn’t
          even exist–so I can never run this app.

          [BTW: the MS site doesn’t even cover this.]

          The other is really a side-issue to this: MS
          makes WindowsPE and derivative products
          only available to system builders. They have
          steadfastly refused to release anything like
          a full rescue disk; when Windows fails due
          to hard drive issues, you’re in a heap of woe.

          I pop in any number of Linux-based repair
          boot CDs and they find Dell or Marvell disk
          arrays immediately–drivers are included.
          But of course they are relatively clumsy
          when it comes to repairing NTFS and subtle
          Windows boot errors.

          Microsoft needs to make repair and recovery
          tools far more available and accessible; in
          my opinion they have always shortchanged us.

          Dave

          • #1313386

            This kinda stinks.

            I can boot up WD offline just fine, and it runs
            Windows. In fact, it looks very like a Windows
            PE package. But that’s the end of the line for me.

            My PC uses a high-end ASUS motherboard with
            a Marvell [RAID0] embedded controller. This
            package can’t find a ‘hard drive’ (array), so
            it summarily exits.

            I have two gripes: one is that MS seems to
            accommodate only the ‘bare-bones’ kind of
            system. Even when installing Windows, the
            escape process to install custom drivers is
            antiquated and cumbersome. Here, it doesn’t
            even exist–so I can never run this app.

            [BTW: the MS site doesn’t even cover this.]

            The other is really a side-issue to this: MS
            makes WindowsPE and derivative products
            only available to system builders. They have
            steadfastly refused to release anything like
            a full rescue disk; when Windows fails due
            to hard drive issues, you’re in a heap of woe.

            I pop in any number of Linux-based repair
            boot CDs and they find Dell or Marvell disk
            arrays immediately–drivers are included.
            But of course they are relatively clumsy
            when it comes to repairing NTFS and subtle
            Windows boot errors.

            Microsoft needs to make repair and recovery
            tools far more available and accessible; in
            my opinion they have always shortchanged us.

            Dave

            RAID configurations were never promised support by System Sweeper nor by MSE itself. Why do you expect WDO to behave any differently?

            -- rc primak

        • #1313930

          This product is rather useless because it does not offer to remove MyWebSearch related PUP. MWS is a very prolific malware gateway, and WDO, IMO, should at least offer to remove it. MWS is responsible for at least 75% of the infected machines brought into my shop, and is a very bad deal indeed! MS should fix this very cool product.

          Mike Wood

        • #1314321

          Your article saved my bacon. Thanks. I had just received the Newsletter hours prior when I discovered that a Variant of “XP antivirus” had me and had shut down Firewalls and MS Security Essentials. Able to do a restore and download defender – Fixed the issue but a Full MSES scan was necessary to get the last bits.

          • #1314452

            The good news is that I used the Online Defender on my 64bit Windows Vista system and it found two Trojans that Microsoft Essentials did not find. Obviously the Online defender should be run from time to time. I also ran it on another computer with Windows 7 and there were no “threats.”

            The bad news is that the bios on both computers does not include USB in the boot menu. These are not antique computers; one is two years old and the other is a few months old. I checked for bios updates and it turns out that the available updates from HP do not add USB capability. This means that I have to boot from a DVD or CD. That works perfectly, but it is a one-shot deal. Online Defender refused to download to a DVD-RW disk; it would only download to a DVD-R. That is perfectly understandable. But a DVD-R cannot be updated; the FAQ for the Defender actually warns against reusing a disk because it will not contain the latest definitions. So I have to use a new disk every time I want to use the Online Defender. Perhaps I can get away with using Online Defender once a month or so.

            Finally, I am getting sick and tired of being told that the solution to all problems is to create an image of the computer or a disk in order to restore a previous version that presumably will be free of bugs, viruses and errors. I have had nothing but bad luck with that operation. One program messed up the drive so badly that I had to reinstall Vista. When I try out such a program, the first thing I do is to create the bootable emergency disk and see whether it will work. In one leading program the result is that the disk will boot but the mouse freezes so there is no way I can actually use the program. What if that happened in a real emergency? In just about every program I have tried, something goes wrong somewhere. In spite of all this, I do create a disk or partition image from time to time, but I do everything possible to avoid having to use them, including using Online Defender from now on.

        • #1314764

          Since reading about Windows Defender Offline beta, I have downloaded and burned a 32-bit copy to both bootable USB flash drive and CD-ROM. Unfortunately, in the 2 cases where I attempted to use it, it failed.

          Case 1
          Specifically, my wife’s computer contracted the infamous XP AntiVirus 2012 rogue and I thought that would be a good test of the CD-ROM version. After booting it, it ran for about 7 hours and found multiple instances of malware. However, when I instructed it to Clean, it ran to about 50% on the progress bar and then hung. After leaving it that way for about 2 hours, I had to turn the computer off via the power button. I subsequently used MalWareBytes and SuperAntiSpyware to remove this infection.

          Case 2

          A client’s computer, connected to a Windows SBS 2003 network, contracted the same virus as above. This time I had the client boot from a USB flash drive which I had instructed him to create with WDO on it. Once again it booted fine and ran for over 6 hours this time. When finished, I had him select Clean. This time it finished cleaning. However, after rebooting the computer, it was still infected. Once again, I had to use both MalWareBytes and SuperAntiSpyware to remove the infection.

          Now I realize that this is a beta version of the software, but it’s just not what I was expecting based on Woody’s column.

          –Michael

        • #1315450

          I had a computer that I knew had the Win7 2012 malware and after running the 64 bit version on Vista it showed my computer as clean and protected with no problems found. I then ran Malwarebytes in safe mode after renaming the file and it cleared it on the first try.

        • #1316119

          MS needs to add a few things to this product.
          I tried it, both on CD and on bootable USB key – neither would update the definitions.
          Error says, “0x80072f76 Couldn’t install the definition updates”.

          Not at all useful, and I can’t find anything useful online. No way of determining if the bootable WDO was able to connect to the internet (ie did it recognize my network adaptor), no explanation of the error code. It’s a relatively modern Dell desktop – can’t see why it should be a problem.

          If you start having issues with it, don’t waste your time trying to troubleshoot – I couldn’t find anything useful online. Tried to manually download the latest WD definitions, but can’t find anywhere that provides the command line switches, so can’t just extract the definitions and put them where they apparently belong.

          There’s a half day of my life I won’t get back. Gonna go back to Malwarebytes and Combofix – they work. Just liked Woody’s suggestion that using an offline product can sometimes resolve problems that a “live” product may not.

          • #1316156

            I’ve downloaded WDO, put it on a USB drive (remember, it must have nothing else on it, even the “special” files often shipped on a USB stick these days), and used the 64-bit version on three Windows PCs — two HP desktops and one Lenovo laptop, all purchased last year and running Win 7 Home Premium. In one case, I initially had difficulty with updating, but then it began operating correctly as it did initially and subsequently on the other PCs.

            WDO identified the same problems in two of the PCs: 8 viruses and 1 trojan in an older Outlook archive file (associated with an e-mail from an IT professional whose e-mail had been hijacked). WDO could not remove these, so I just deleted the archive file. Subsequent runs of WDO did not identify any issues.

            HOWEVER, I have a residual problem which is driving me batty. I have Windows MESH installed on these same PCs. Whenever any two of the PCs are online, MESH does its updating but then continues to install a 4-month old file with a long header (perhaps associated with MESH — I don’t know). This file is then deleted, and reinstalled, and …. Soon I have several thousand copies in my recycle bin. This will continue (even after erasing these files many times) until I have only one PC running. Then, after one or two final recycle bin emptying steps, things run okay.

            Any clues on this?

    • #1312914

      The file downloaded is called mssstool32.exe. It does sound like this is a new version of the old Microsoft Standalone System Sweeper. I agree, Microsoft has a major problem with branding.

    • #1312915

      Great, thanks for the quick reply.
      LeRoy

    • #1312919

      I guess the next question, since I’m able to update MSSSweeper and WDO seems to be a new separate item; what are the differences? Which is preferable? Should I use both in tandem? If WDO is an improvement, how is it an improvement? Neither the MSSSweeper site nor the WDO site seem to acknowledge the existence of the other; are these two separate MSFT teams working independently? An inquiring mind needs to know. (Make that an obsessive compulsive mind.)

      JimA

    • #1312925

      Jim, the details in the differences of the two packages are not very evident or available at this time. WDO is a replacement and an improvement, but we will have to wait for more details on all the specifics on WDO. Keep in mind it is a beta, and is not yet in its final form.

      Check out this Microsoft Answers Forum thread for a little more light on the topic. Also, check out this How To Geek tutorial on how to set up WDO.

      • #1312928

        I am hoping this product will work well as the similar Kaspersky cleaning CD boots Linux and unfortunately doesn’t boot on every PC. In fact, it doesn’t seem to boot on many I’ve tried…

        So I made a WDO bootable CD in VirtualBox and then booted it on an infected test machine and it didn’t find the two viruses I had infected the machine with. Next I tried Kaspersky’s virus cleaner and it found them both – Win32.Virut.q and Win32.Autorun.avj.

        So what’s happening here I don’t know. I really want this thing to work! Has anyone else tested the CD version?

        Andy

    • #1312932

      Do you need to put this on a dedicated USB stick drive or can it go on your usual portable tool drive?

      • #1312937

        Do you need to put this on a dedicated USB stick drive or can it go on your usual portable tool drive?

        Your USB stick will be formatted, so everything currently on the drive will be lost. You will need to use a dedicated USB thumb drive. Check out the How To Geek tutorial linked in Post# 21 above for step by step instructions on putting things together.

    • #1312935

      This is an interesting spin on things. I have been cleaning malware for years (a dreaded task), and typically, I yank the drive out of the infected PC, use a USB adapter to hook it up to another (clean) PC (with Autorun very definitely turned off), and then use Malwarebytes Anti-malware (MBAM) to scan its partitions (all of them). After that finishes, then I sometimes also do a full scan with AVG. The only down side to this approach that I’ve found is that MBAM and AVG won’t scan registry entries for hives that aren’t loaded…and since the infected drive isn’t running its copy of Windows, the hives aren’t loaded. So, after that’s all done and the drive is loaded back in its own machine, I then load and run MBAM natively again to finish the job. Yes, that’s two or three full scans, but normally it’s effective. Sometimes you have to also run an EXE association fix, but that’s easy enough.

      So, that was a long-winded way of saying that it would be interesting to see if this is effective. I also would wonder if it scans the not-loaded registry files. And, if it actually fixes any Windows files that were broken by the infection or simply removes the infections (like somehow runs SFC against the Windows installation at the same time). If it did some or all of these things, it would be a great tool which would make my life a lot simpler by not having to remove hard drives from systems to scan them elsewhere.

      By the way, Woody, I think what k-farlow was referring to with the NIC drivers is how would the utility know how to utilize the NIC in the machine to go out and check for updates if it didn’t have drivers to do so? I had the same thought when I read your article. I used to use a Norton AntiVirus 2009 CD to boot from for rescue, and it also did an update as part of the process. It always was able to find the NIC and use it for the update. I don’t know if it had generic drivers for the basic NIC chipsets or what.

    • #1312938

      Need to pick up a few more USB stick/thumb drives anyway. Had a feeling it needed to be dedicated.

      • #1312973

        I built the 32 bit version from a Win7 PC running 32 bit. That CD boots on a 10 year old Dell laptop with XP SP3. However, the default quick scan does not reference any disk drives, so I had to configure a scan to actually select my disk partitions (C & D) for the scan to work.

        Can’t get 32 bit or 64 bit CDs to boot from a Win7 64 bit laptop (built a 64 bit CD from a 32 bit system, and again from a 64 bit system). The laptop won’t boot from CD at all, though it has done it in the past (Win7 install CD). For some reason, F10 (HP Pavilion) doesn’t bring up the boot options (BIOS) screen and it just locks up, with or without a CD in the drive.

    • #1312980

      My hard disk is encrypted. Will Windows Defender Beta 64 bit do its work on an encrypted disk?

      • #1312984

        My hard disk is encrypted. Will Windows Defender Beta 64 bit do its work on an encrypted disk?

        Is the hard drive encrypted with Bitlocker? If so, Bitlocker must first be disabled. Check out this MS Answers thread for information.

        • #1313000

          In my earlier post, I was having problems getting my Win7 64 bit laptop to boot from the CD. That is now corrected, and it is scanning (at 2 hours 20 minutes and 946,000 files). The 64 bit version of the scan is running.

        • #1313115

          Thanks!

          The hard drive is in a business class laptop, the HP EliteBook 8740w, which includes the option to encrypt the hard disk with what HP calls HP ProtectTools Drive Encryption. I’ve searched with Google to try to discover the brand of the encryption software (without success), but it may very well be HP’s own software creation, since HP owns at least one patent on drive encryption for their larger computers. I’ve checked the MS Answers thread, but it sheds no further light.

          Anyone out there know what brand/type encryption HP is using on this laptop?

    • #1312999

      I have an old Micron Millennia upgraded with a Celeron 1.4 ghz CPU (384 meg memory). WDO will not run on this configuration. WDO on CD boots into Win7 and likely does not support this CPU configuration or some part of the motherboard or disk configuration.

      The error dialog that comes up is BLANK (no title, no text, blank button name). Click on close (X) and another dialog flashes a message for perhaps 1/2 second and WDO quits. Click on the blank button and it quits immediately (both situations go back to re-boot).

      The OS to be scanned is XP SP3 fully up to date.

      • #1313008

        I have an old Micron Millennia upgraded with a Celeron 1.4 ghz CPU (384 meg memory). WDO will not run on this configuration. WDO on CD boots into Win7 and likely does not support this CPU configuration or some part of the motherboard or disk configuration.

        The error dialog that comes up is BLANK (no title, no text, blank button name). Click on close (X) and another dialog flashes a message for perhaps 1/2 second and WDO quits. Click on the blank button and it quits immediately (both situations go back to re-boot).

        The OS to be scanned is XP SP3 fully up to date.

        WDO requires a minimum of 768 MB RAM to run successfully on XP.

        • #1313035

          “WDO requires a minimum of 768 MB RAM to run successfully on XP.”

          It appeared to run fine in 512 MB on my P3, it just didn’t find any malware! Perhaps it wasn’t really scanning after all. I also found that the quick and full scans didn’t scan anything and I had to do a custom scan and select the hard drive myself.

          Andy

        • #1313385

          WDO requires a minimum of 768 MB RAM to run successfully on XP.

          So NOW they tell me! I don’t recall reading about this requirement when I was tearing my hair out trying to run System Sweeper on my 512MB RAM WinBook W535 laptop last year!

          -- rc primak

    • #1313042

      Hello Mike,

      Try running the Custom scan. It is supposed to allow you to choose disks and folders for scanning.

    • #1313107

      I ran Windows Defender on an XP machine. It found 17 serious threats. I pressed the button to remove the threats and the progress bar got about halfway complete and then locked up. Now what?

    • #1313146

      Hi Woody et al.,
      Yesterday, having read your article, I downloaded and ran the .exe for the Windows Defender Offline Wizard Package (!) 32 bit and created an iso which I have stored on my Win7Pro machine and (as far as I can remember) made no other changes to my machine. This morning when logging on to my domain I seem to have had my domain authentication lost and File and Printer Sharing settings reset. I’m just going through a process of elimination to discover the cause of these changes – as an aging IT tech, I get suspicious of autonomous change!?
      Anyone else experience similar issues after running the wicked wizard?

    • #1313258

      What part of Beta is that hard to understand?

      NOTE: Let’s keep things civil; cut what can be taken as sarcasm toward other Loungers. Check the Forum Rules under FAQ.
      We do not want to see any escalation here.

      Deadeye81

      • #1313282

        Yesterday, I downloaded Windows Defender Offline beta and made a CD. Windows XP sp-3 updated. Taking over 5 hours, it picked up 5 problems. I clicked on System Cleanup. It took about 1 minute for the progress bar to move about ¾ of the way and then it just stayed on one spot. That was over 3 hours ago. It is an older PC. It did the same thing last night. The online FAQ mentioned downloading and burning on a different PC, so I did. Put the CD in and now that’s where I’m at. I let it sit and switched my monitor to this even older PC. I have MS, so I have a slight vision problem and problems with movement in my right hand, so my typing is slow.

        Since it is an offline program, I can’t take a screen shot, but I did take a digital photo of the screens, showing the names of the items it was supposed to remove by doing the system cleanup.
        4 of the 5 are Trojans or Trojan Dropper and use the hidden entry tied to “Ofida” plus additional characters; the 5th is called a “Vr Tool”. They all hide in Win32. Microsoft Security Essentials and their online Safety Scanner DO NOT find them… How do I get rid of them?
        Don’t bother trying to contact MS via one of their forums on this topic, unless you have a windows live email address, they won’t let you even log in. Even their live chat uses an automated function… no real live chat, just a stupid system, trying to read your thoughts.

        • #1313285

          I have successfully used both a 32 bit CD and 64 bit CD to run WDO against 4 different installs, 2 of XP SP3, 1 of 32 bit Win7 and 1 of 64 bit Win7.

          The only one that failed was on a system running XP SP3 but with only 384 meg of memory. Since WDO boots into Win7 and runs as a Win7 process, it apparently needs something on the order of Win7 memory in order to get the job done. However, it should NOT fail with a blank titled dialog with blank content in the dialog window and a button with a blank label. And, any failure should indicate the problem encountered (while that blank dialog may be attempting to do that, it turns into a double failure which is even worse).

          I have used scanners from other vendors against the system that failed and those runs were successful, so WDO has some work to do to achieve that same level of success.

          Everybody’s input is appreciated. Let’s hope Microsoft thinks likewise.

          • #1313387

            Remember that this software is still in Beta.

            -- rc primak

          • #1313389

            I still fail to see how any of these malware detection and recovery tools improve on reformatting and restoring with a System Image using a Rescue CD (such as Acronis True Image Home allows), or reinstalling OEM and installing your backup program (e.g., Macrium Reflect) and then running the Restore from within the OEM reinstall. (In my dual-boot, Windows 8 DP can be reformatted and restored from within Windows 7 HP SP1 with no issues whatsoever, and it only takes about ten minutes. Clean and clear and under control.) If any sort of infection or instability is suspected, any of these methods is faster and more effective than picking through a mass of infections, damaging critical system files, and then repairing all the damages.

            In a business, once any infection or instability is suspected, IT immediately pulls out the Standard Disk Image from the Network, and reformats and reinstalls to that Image. Much more effective use of time and resources! True, first they have to detect an infection, but when it comes down to knowing you are infected to the point where Windows does not boot, I think anyone would realize they have a truly pwned Windows installation.

            As for folks whining that they never made a backup, or did not do so recently, I say: Let those who do not prepare for disasters suffer the consequences. I really have little sympathy for folks who say they cannot or will not do Image Backups on a timely basis. Not when a backup operation takes as little as fifteen minutes to execute (per disk or partition), once the parameters are set up. Parameters can be reused time after time, so don’t complain that setup is part of every backup run. (Special configurations, like RAID, do complicate matters, and require special backup and recovery strategies.)

            -- rc primak

    • #1313461

      I have tried to run it on two XP SP3 computers (a desktop and a laptop), but it will not work on either. It does the download and then starts to write the CD, but after about 10 seconds of that it hits an error 0004-80070003 and stops, so the bootable CD does not get created. I have no idea what that error code means, and the MS web site does not help. The same happens on both PCs. Is there a missing file, registry entry, permission, or disabled service? Can anyone help?

    • #1313489

      Thanks for the article (not a reply to anyone’s post)

      This could potentially be a decent solution to a rootkit infection, but with many infections, the usability of the operating system afterward would potentially be in question.
      If one could get back to a bootable state with a full desktop, minus the rootkit of course, then a total non destruct system repair could possibly be effected/made possible to repair any damage caused to the os. Potential third party program damage would be an entirely different matter.

      Personally, I think dedicated system imaging is a better solution to any infestation repair mechanisms around today, be they manually executed or automated.

      Nothing beats an updated and known good image to fall back on. One would do well to invest in learning the ins and outs of disk imaging.

    • #1313601

      I downloaded and installed the 64 bit version to a USB non-encrypted thumb drive, then immediately booted from the thumb drive. The file had been downloaded minutes before, but the program said it was out of date. The update feature would not run, perhaps because the program was unable to access my NIC. Not sure where to go from here.

      Thanks!

    • #1314068

      Wow, thought I had problems, as a NOVICE er working with training wheels is not ideal but with my experiences with analyzing problems has helped. The problems most have come up with are needed for this Beta version so ‘µsoft’ can improve the basic program. The questions asked are also very good for them to maybe give us a little more insight into the program and how it works as well as improving on the UpDate feature that seems to NOT work. One last point, if it is able to update, where is the updated file stored? If running from a CD/DVD will it be placed on the disc or some place on the HD? If the definitions file is the same as other programs use and we do our updates why not use that one instead of needing to do another update?

      I understand this ‘bittednesses’ is tied to the software O/S and not the Hardware, then why is it that the 32bit version will not run when booting to my 32bit version of Win7 Ultimate? Created both 64bit and 32bit DVDs with small problems requiring restarting of the downloads, but; once that was done all went well creating the DVDs. Ran the 64bit version of WDO on my desktop that is 64bit hardware and software, Win7 Home Premium, 64bit with not any problems and finding no infection nor any program just waiting for me to make the fatal error of being curious enough to give their software access to my system, which I do not do. Also ran that 64bit WDO on my laptop which is also 64bitted HrdWr and software finding two (2) THREATS, not infections, that were stored in e-mail phishing messages for over 2 years and it removed them with no problem to my OS.

      Both desktop and laptop are dual booting Win7 Home Premium 64bit and Win 7 Ultimate 32bit. After doing the 64bit WDO on both went to my desktop and loaded the 32bit WDO to run on the other partition for Ultimate 32bit, first BSOD CRASH:

      “DRIVER_IRQL_NOT_LESS_OR_EQUAL

      0x000000D1 (0x00000006, 0x000000002, 0x0000000, -x811AA9F3)

      storports.sys – Address 811AA9F3 base at 811A8000, Datestamp 4a5bc736”

      2nd BSOD CRASH:

      “DRIVER_IRQL_NOT_LESS_OR_EQUAL

      0x000000D1 (0x00000006, 0x0000002, 0x00000000, 0x811999F3)

      storports.sys – Address 811999F3 base at 81197000 Datestamp 4a5bc736”

      Both BSOD are the only ones on Win7 Home Premium since installing this O/S myself after a copy of 32bit Vista SP1 had been installed by the Retailer where the purchase was made. Win 7 64bit has been on here for over a year with less problems than ever experienced with any earlier version of Windows. Also took several attempts to get my system back in operation, had to start in F8 selecting “Restore to last known good boot” or words to that effect. Still having some difficulties with browsers taking a little longer to start and then “Not Responding” for a short time, never timed it to know exactly. Just need to do more work to get past this last problem.

      Created a bootable USB, WDO 64bit, that also took several restarts during the download of the program, have not used the USB yet that will be done later.

      That is a report from this NOVICE,

      "Infinite CREATOR" cast "Loving Light" upon thee
      TIA, CU L8R, 'd' "LoneWanderer"
      "Only you can control your future." Dr. Seuss
      NOT a leader,
      NOT a BLIND follower,
      Join US and LIVE this LIFE as ONE!
      Original author Unknown

    • #1316476

      Guess what FOLKS, WDO is a bust, or not very well planned nor useful. As a novice computer user, not a programmer nor any other cute named nerd. I too did the same and used the 64 bit version on laptop and desktop and they are both dual bootable, Win 7 Home Premium 64 bit and Win 7 Ultimate 32 bit. Can the 64 bit scan the 32 bit as well as the 64 bit (?), or should there also be a 32 bit version to scan the 32 bit part.

      I had understood the ‘bittedness’ determined the version to be used, or is it just for the computer, not the O/S? For those that may have a 64 bit computer yet are running a 32 bit O/S be very careful about which one you download and use. My Desktop is now unusable as I attempted to run the 32 bit version on there such as the Win 7 Ultimate and now will not run. Lest there be other problems in Win 7 Ultimate that were not detected by the 64 bit WDO.

      I created two CDs, one for 64 bit and one for 32 bit, neither one will do any updates for the virus data base for WDO. Have not done the USB version, a little unsure of myself to try that operation.

      Have attempted to restore to an earlier restore point without any success and attempted to do a Repair using the original installation DVD that did not HELP. It looks to me this can only be resolved by a FORMAT and reinstall. Do not like that idea, if anyone has other suggestions they would be appreciated, have not done any image nor a backup. I know that is looking for trouble or loss of any information I want to keep.

      P.S. My laptop is Dell Inspiron 1564 Dual Core Intel, about a year old and Desktop is Dell Inspiron 530s Dual Core AMD, about 2 years old.

      "Infinite CREATOR" cast "Loving Light" upon thee
      TIA, CU L8R, 'd' "LoneWanderer"
      "Only you can control your future." Dr. Seuss
      NOT a leader,
      NOT a BLIND follower,
      Join US and LIVE this LIFE as ONE!
      Original author Unknown

    • #1316607

      I found a similar problem to another responder. I downloaded the beta file, created the USB drive, booted from the USB, Defender started, but indicated it was out of date. It couldn’t find the internet connection (presumably because it is a wireless connection), and would not allow a scan (all options greyed out).

      Nothing on the beta site indicates how to go about updating manually; it does suggest getting a fresh beta file before running (but that I had already done).

      Anyone have any ideas how to get the program to (1) be manually updated on the USB, (2) connect to the wireless adaptor during the USB boot, or (3) anything else short of finding a 30 foot cable for a LAN connection?

      Thanks,

      Mike
