For those family computer rescue sessions
December 21, 2011 8:22 PM

Here are some free tools for rescuing infected Windows systems: Windows Defender Offline Beta - Kaspersky Rescue Disk 10 - BitDefender Bootable CD - Avira Bootable CD - How To Geek provides instructions for scanning a system from an Ubuntu Live CD.  For more info, click through....

Windows malware has gotten a lot more insidious as of late.  Many programs actively monitor the process list of the machine they're running on and immediately kill software that could be used to remove them, like msconfig, Windows Security Essentials and other antivirus programs.  (In fact, if you try to run msconfig from the Run box and it never starts up, it's a good indication there's something screwy happening.)  And even when it doesn't kill the program, many programs can somehow survive even when the antivirus program claims to have removed them.  Many times I've had an antivirus program claim to have removed a piece of malware, only to reboot the machine and presto, it's still alive.

The problem is, if you scan a system for malware while malware is running, it can take measures to defend itself.  So, the best way to be sure of killing malware is to scan it while booting off of alternate media, so it never gets a chance to run.  So rescue CDs and USB drives are potentially much more effective.
posted by JHarris (43 comments total) 141 users marked this as a favorite
 
"Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software."
posted by crunchland at 8:27 PM on December 21, 2011 [3 favorites]


I recently encountered the "Windows 7 Security" malware, one of a family of programs which is extremely aggressive. You don't even need to click on the bogus pop-ups to get infected; the program will install itself if you go to the wrong website, even if you have anti-malware programs like MSE active.

As stated above, the program would take over the computer, disengage MSE, and stop you from trying to run it at all. It even caused Windows to not recognize executables.

I had to run a whole bunch of different programs to eliminate it. MSE couldn't do it, AVG didn't do it, Anti-malwarebytes didn't do it, not even Norton Power Eraser, Kaspersky, or other rootkit removers. Ultimately, running Avast did the trick -- use the boot-up scan. I don't know if Avast would have worked without first running all those other programs, but it did seem to be the final necessary step.
posted by mikeand1 at 8:32 PM on December 21, 2011 [1 favorite]


"Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software."

This was one of the dozen or so programs I ran in the course of eliminating the problem.
posted by mikeand1 at 8:33 PM on December 21, 2011


Neat! I haven't used any of these other bootCDs as I've been pretty happy with Hiren's. It's got tools for just about everything. If you combine it with a liveCD then there's pretty much no problem you can't fix or, at least, accurately diagnose.
posted by tumid dahlia at 8:35 PM on December 21, 2011


Thanks for the links. Wow, this is like MeFi 1999. Mathowie should be proud. ;-)
posted by Shane at 8:36 PM on December 21, 2011


All of the tools I linked in the post are bootable tools. That's actually the intended point of the post, that they can all scan without starting up Windows.
posted by JHarris at 8:36 PM on December 21, 2011


I getcha. Well, Hiren's is a bootloader that gives you DOS menu access to a few dozen different tools so...kinda similar? Of course it's a more general Swiss army package and isn't specifically recommended for malware removal.
posted by tumid dahlia at 8:38 PM on December 21, 2011


I just went through this with an infected machine (and used nearly all of these tools) only to have the virus return on a reboot. Finally found that the virus had installed itself on a tiny partition on the hard drive (~1.5mb) and was continuously reinstalling itself from there, even after a Windows reinstall. After removing that partition, the infections stopped. Hiren's helped me the most, just because of the vast amount of tools available on that disc.

The Hirem's that I used booted into a version of Windows XP that had all of the tools available, but also had an option for a DOS menu for some tools, too.
posted by FireballForever at 8:40 PM on December 21, 2011 [1 favorite]


ahem...HireN's.
posted by FireballForever at 8:41 PM on December 21, 2011


Just in time for fixing relatives' infected Windows machines when visiting for Christmas. Thanks!
posted by zsazsa at 8:53 PM on December 21, 2011 [3 favorites]


Wow that Ubuntu CD is awesome. It seems to even include free software that will essentially prevent these problems from ever occurring in the future..
posted by drpynchon at 9:01 PM on December 21, 2011 [13 favorites]


I like to keep a Sardu DVD around with about every scanning software known to man on it, including many of the ones in this post.
posted by charred husk at 9:04 PM on December 21, 2011


The only way to be sure...
posted by mikelieman at 9:16 PM on December 21, 2011 [1 favorite]


Oh man, it's like the Christmas Computer Miracle kit all in one post.
posted by DoctorFedora at 9:49 PM on December 21, 2011


Add the Trinity Rescue Kit to the pile under the tree. Been using it for years. Good stuff.
posted by flabdablet at 9:49 PM on December 21, 2011


Thank you. Just what the doctor ordered. I am going to visit dear old mom who wants me to look at her pc because "it is acting funny, sonny."
posted by JohnnyGunn at 11:23 PM on December 21, 2011


Microsoft Security Essentials is a great anti-virus program that's free, and from Microsoft. A lot of the major security software out there, like Norton and McAfee, are practically malware themselves with all the advertising and slowdowns they cause.

Also, spyware is showing up for the Mac these days. People who think they're totally safe if they're using Mac OS are way off.
posted by delmoi at 12:58 AM on December 22, 2011


I'm not sure if Windows Defender Offline is the progeny of the Strider projects from Microsoft Research, but if you're interested in how offline rootkit detection works, the Strider GhostBuster includes some links to articles and publications.
posted by rh at 2:12 AM on December 22, 2011 [1 favorite]


People who think they're totally safe if they're using Mac OS are way off.

Well, they're very slightly off - they might get pwned if they explicitly give admin privileges to random programs they download from the Internet. Of course people who think they're much much safer if they're using Mac OS are still right on.

us Mac fans were going to leave this post alone till you started talking smack
posted by nicwolff at 3:23 AM on December 22, 2011 [2 favorites]


The best tool is an Ubuntu cd. Just install it over Windows.
posted by caddis at 4:56 AM on December 22, 2011 [1 favorite]


Finally found that the virus had installed itself on a tiny partition on the hard drive (~1.5mb) and was continuously reinstalling itself from there, even after a Windows reinstall.

Holy shit, that's insidious.
posted by Lucien Dark at 5:00 AM on December 22, 2011


Also: change their user account so it's not an administrator.
posted by blue_beetle at 5:17 AM on December 22, 2011 [1 favorite]


Let's all do our parts not to let this thread descend into another relentlessly unwinnable OS contest, can we? For the baby Jesus?
posted by crunchland at 5:22 AM on December 22, 2011 [1 favorite]


All that follows is IMO, I am not a malware researcher:

The partition trick is really evil, but it's much harder for malware to use it and keep the system running, which malware has to do if it wants to continue to harvest passwords/display ads/log keystrokes/sell fake antivirus. Partitioning is damn tricky, Windows complicated it greatly in recent versions, and what is more it's still vulnerable to all the mechanisms that can be used to detect more normal malware.

Think: If it installed itself to a partition it'd still have to insert itself into the execution stream, which either means compromising the boot sector (extremely easy to detect), overwriting a Windows system file (potentially very insidious, but difficult and there are usually easier attack vectors in Windows to exploit), or hook into Windows in the more normal ways, which are just as vulnerable to detection as normal malware.

And for that limited additional staying power, you have to repartition a system that may not be easy to partition; partitioning tools do lots of checks to make sure systems are not broken, there can be all kinds of schemes on the hard drive, it will probably be necessary to resize a prior partition to make room for the new one and that may take a long time increasing the chance the user will notice something's wrong, and so on.
posted by JHarris at 5:45 AM on December 22, 2011


I should mention about Kaspersky Rescue Disk 10, it will want to update itself after booting. (I think it either keeps those updates in memory for that run, or saves them to the hard drive.) Some machines (I think laptops in particular) will not have their wireless detected by Kaspersky's Linux OS, so to download the updates you'll either need a wired connection or a USB wireless device that it does recognize. One advantage of using Ubuntu for running scans is that its wireless support has evolved to the point where even some Windows-specific wireless cards are now supported directly from the CD.
posted by JHarris at 6:13 AM on December 22, 2011


but if you're interested in how offline rootkit detection works, the Strider GhostBuster includes some links to articles and publications.

Interesting reading! Also cool for imagining Aragorn teaming up with Spengler, Stantz, Venkman and Zeddemore. I'm not afraid of no ringwraiths!
posted by JHarris at 7:18 AM on December 22, 2011 [1 favorite]


So you've got the basics like MSE and other scanners, then you've got the big guns like these boot CDs, but for the really gnarly viruses you've just gotta buckle down and reformat the fucker. At least that's what I thought until FireballForever said:

the virus had installed itself on a tiny partition on the hard drive (~1.5mb) and was continuously reinstalling itself from there, even after a Windows reinstall.

So we don't even have the nuke it from orbit scorched earth option of installing a fresh OS anymore, that shit's grim.
posted by cirrostratus at 7:32 AM on December 22, 2011


Yeah. I'm going to call shenanigans on FireballForever's claim, for the reasons I gave above.

Reinstalling Windows does more than copy files; it resets the boot sector. A partition-based virus thus loses its route into the execution stream. Remember, essentially, viruses are not autonomous organisms -- they rely on the processor executing them to function. If they get no cycles, they are just dead data.

What probably happened in FF's case is the virus was reinstalling itself from another computer on the network or the internet using known Windows system vulnerabilities, which it would be rife with after a fresh install. And in fact, that tiny partition might have been Windows 7's boot environment (although that should be 100MB), or a manufacturer-supplied boot environment.

Of course I can't say for sure without having been there and looking, and even then it can be difficult to figure out what's really going on. But viruses and malware are not magical; they can't do anything if the process never runs their code.
posted by JHarris at 7:52 AM on December 22, 2011
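The argument in the post above (a partition-resident payload still needs a route into the execution stream, and the MBR bootstrap code is the obvious and easy-to-detect one) and the original post's point that scanning should happen from alternate media so the malware never runs are both things a boot disk can check directly against the raw disk. The following is an added example, not from the thread or from any of the rescue tools it lists: a small Python parser for a 512-byte MBR that verifies the boot signature, hashes the bootstrap code against a known-good baseline, and walks the partition table flagging any suspiciously tiny partition or a moved active flag. The sector images, the 4 MiB "tiny" threshold, and the baseline hash are all constructed for the demonstration; on a real rescue disk you would read the first 512 bytes of the raw device instead and compare against a baseline captured while the machine was known clean.

```python
"""Offline MBR inspection: boot signature, bootstrap-code hash versus a
known-good baseline, and a partition-table walk.

Added example; not from the thread or any tool it names.  Every sector
image here is constructed, and the "known-good" baseline is simply the hash
of the constructed clean MBR.  Real use would read the first 512 bytes of
the raw disk from a boot CD (e.g. open('/dev/sda', 'rb').read(512)).
"""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"
# status, (3 CHS-start bytes skipped), type, (3 CHS-end bytes skipped), LBA start, sector count
ENTRY_FORMAT = "<B3xB3xII"
TINY_PARTITION_SECTORS = 8192  # assumed threshold: anything under 4 MiB is worth a look


def parse_mbr(sector: bytes) -> dict:
    """Decode the boot signature, the bootstrap-code hash and the four partition slots."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for slot in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * slot
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FORMAT, sector, offset)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({
            "slot": slot,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_bytes": sectors * SECTOR_SIZE,
        })
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def find_findings(info: dict, baseline_bootstrap_sha256: str, expected_active_lba: int) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code does not match the known-good baseline")
    for p in info["partitions"]:
        if p["sectors"] < TINY_PARTITION_SECTORS:
            findings.append(
                f"tiny partition in slot {p['slot']}: {p['size_bytes']} bytes, type 0x{p['type']:02x}"
            )
        if p["active"] and p["lba_start"] != expected_active_lba:
            findings.append(f"active flag moved to slot {p['slot']} (LBA {p['lba_start']})")
    return findings


def build_mbr(bootstrap: bytes, entries) -> bytes:
    """Assemble a constructed MBR from bootstrap bytes and (status, type, lba, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    for slot, entry in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * slot, *entry)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed "clean" layout: a 100 MiB active system partition, then the Windows volume.
CLEAN_BOOTSTRAP = b"constructed clean bootstrap stub"
CLEAN_ENTRIES = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 100_000_000)]

# Constructed "suspect" layout: altered bootstrap code plus a hidden 1.5 MiB partition at the end.
SUSPECT_BOOTSTRAP = b"constructed altered bootstrap stub"
SUSPECT_ENTRIES = CLEAN_ENTRIES + [(0x00, 0x17, 100_206_848, 3072)]


def baseline_hash() -> str:
    """Hash of the constructed clean bootstrap; stands in for a real captured baseline."""
    return parse_mbr(build_mbr(CLEAN_BOOTSTRAP, CLEAN_ENTRIES))["bootstrap_sha256"]


def scan(bootstrap: bytes, entries) -> list:
    """Build a constructed MBR and report findings against the clean baseline."""
    info = parse_mbr(build_mbr(bootstrap, entries))
    return find_findings(info, baseline_hash(), expected_active_lba=2048)


if __name__ == "__main__":
    print("clean   :", scan(CLEAN_BOOTSTRAP, CLEAN_ENTRIES))
    print("suspect :", scan(SUSPECT_BOOTSTRAP, SUSPECT_ENTRIES))
```

Against the clean layout the scan returns nothing; against the suspect one it reports the changed bootstrap code and the 1.5 MiB type-0x17 partition. The bootstrap hash is the decisive check, because a payload sitting in a spare partition is only dead data unless something in the boot path jumps to it; the size heuristic is just a prompt to go and look.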


"You don't even need to click on the bogus pop-ups to get infected; the program will install itself if you go to the wrong website, even if you have anti-malware programs like MSE active."

That's because a bunch of geniuses thought it would be a good idea to let websites run remote code on local nodes.

So don't let them do that. Use the NoScript add-on for Firefox. I don't even know how anyone sleeps at night without it.

Anecdote: My former business partner found NoScript to be too annoying, and disabled it. (I mean gosh, really, having to actually enable a script or two, once, the first time you visit a website, yeah I know, totally annoying, right? Don't get me started). I gave him the raised eyebrow when I heard this, but what was I going to do? He already knew why I insisted on it.

So one day he clicked on a link on Ernie's House of Whoopass, and got smacked with a drive by. He spent an entire week wrestling with it, finally formatting the HD and reinstalling everything. He had backups, and our data was secured elsewhere, but it was an entire week lost.

He uses NoScript now. If you like Chrome, I understand there are similar extensions.
posted by Xoebe at 10:58 AM on December 22, 2011 [1 favorite]


I could see a malware installing itself on a disk partition. What I don't see is how it would get executed following a reinstall of the OS on the main partition, unless the boot records or BIOS were compromised. In a multi boot environment, ok, but the folks that run those aren't your average user.

As far as disk partitions go, if you are reinstalling the OS, just re-do the partitions, too. Takes like five minutes, or it used to. Did Redmond screw that up too? I haven't had to do it in a few years.
posted by Xoebe at 11:06 AM on December 22, 2011


NoScript is probably the best anti-virus there is, prevention-wise. Ever since I started using long, long ago I haven't had a virus ever. And I've visited some pretty sketchy places.

The main problem with NoScript is that aside from knowing how to use it, you need to have enough web savvy to know what sites to allow. When you go to CNN and a list of twelve possible sites pops up and enabling CNN.com doesn't make the video play, panic ensues.

That is the general problem with security that depends on the user allowing or disallowing things to run. Anyone who doesn't know better will either just press "OK" for everything or panic and quietly sulk because they can't use their computer for anything. The root of the issue there is that to be fully secure you need to have some understanding of what is going on, and some people simply can't or don't want to understand.
posted by charred husk at 11:16 AM on December 22, 2011 [1 favorite]


JHarris: "Yeah. I'm going to call shenanigans on FireballForever's claim, for the reasons I gave above."

Yeah, that could have been the way it could have been coming in, I just know that removing that partition was the trick that finally worked. Also, if you actually removed the virus, Windows 7 would just blue screen on boot. You could system restore and get the system back, virus and all. I really did too much to try and save the user's (read parent's) data on the computer, when I should have just completely wiped the hard drive and then used original Win7 disks (which the computer didn't come with). That probably would have done the trick a lot earlier.

I forgot to mention the best thing about this clean-up though--one of the viruses that it had was attached to a PDF that was in a user's inbox.

Alureon.A was the name of the Trojan that I had so much difficulty with.
posted by FireballForever at 11:25 AM on December 22, 2011


I really did too much to try and save the user's (read parent's) data on the computer

What I do in those instances is boot off an Ubuntu LiveCD and copy the user's documents to a USB drive. Certainly a lot simpler than the old days. Even if you don't want to use it as your full-time OS (and I personally think Unity isn't ready for prime time), its tremendous hardware support makes it excellent for rescue disk purposes.
posted by JHarris at 11:47 AM on December 22, 2011


Hey, thanks for this post. I have yet to be (seemingly) defeated by the Evil Empire (as in, Microsoft and its minions of both good and evil intent), but for a while have had it in mind to review and upgrade my little bag of tricks as sooner or later my luck is bound to run out. I'll start my homework with this list.
posted by cool breeze at 1:23 PM on December 22, 2011


I had nasty rootkit a month ago. Every virus scanner (that didn't crash immediately) failed to remove it from the MBR. AVG's Rescue disc even let me down. In the end it was as simple as putting in the Win7 install disc and running bootrec.exe in recovery mode.

Stupid computers.
posted by MiltonRandKalman at 1:32 PM on December 22, 2011


The most reliable nuke and pave option is indeed to do the pave step with anything but Windows. But if that's not practicable, next best is to get your new Windows installation fully patched before connecting it to a network.

To do that, you will need WSUS Offline Update. Use a known-clean computer to download it to a fairly large USB stick, and run its Update Generator tool to bring it up to date. A 16GB stick is currently enough to hold service packs and updates for all the Microsoft products that WOU is capable of updating (for the current version, that's the 32- and 64-bit versions of Windows XP, Windows Server 2003, Windows Vista/Server 2008, Windows 7/Server 2008 R2, Office 2003, Office 2007, Internet Explorer 7-9, Windows Media Player, Terminal Services client, .NET 3.5 and 4, PowerShell 2.0, Windows Defender and its updates, Microsoft Security Essentials, and format converters for Office) but unless you're a technician with a need to do this on any customer computer you encounter, an 8GB stick will probably be enough for the subset of these applicable to you.

If you then run UpdateGenerator.exe again every Patch Tuesday, your updater stick will always have everything you need to bring a Windows installation fully up to date.

Whack a copy of the Panda Cloud Antivirus offline installer on the stick as well for good measure.

Having completed your nuke and pave, plug in your updater stick and run Client\UpdateInstaller.exe before connecting to any network. Turning off both System Restore and the "Back up existing system files" option before you do that will save you a fair bit of time and disk space, as will deferring antivirus installation until after the Microsoft updates are all applied.
posted by flabdablet at 6:29 PM on December 22, 2011 [5 favorites]


I was sorely disappointed in the Kaspersky 10 disc. I ran it on my laptop (Windows 7 Home Premium); it locked up my computer at the EULA and would do nothing; I ended up having to power cycle the computer to reboot it, and then running Recovery. There was nothing in the requirements that would make me think my computer was incapable of running this.
posted by coldhotel at 6:34 AM on December 26, 2011


coldhotel, I ran into your problem too. It's a mouse issue. Do you have a wired mouse you could use? A wireless will work, but you have to invisibly click the text screen, then use the keyboard to navigate to the accept button. After that though the mouse should work with no problems.

It's a recognized bug. This forum post goes into more detail, it's what reminded me of the solution I used.
posted by JHarris at 8:26 AM on December 26, 2011


This is damn timely -- I just started fighting the Windows 7 Security malware. I'm trying all of the above and paying attention to mikeand1's advice, but I've also noticed that malwarehelp.org has some damn nifty tricks (if they work), including a specific tool for removing Windows 7 Security without booting off external media.

I think I'll try malwarehelp's tool first and let you know how it goes. If it's successful, it deserves a place with the other info in this thread.

Windows malware has gotten a lot more insidious as of late.

Too damn true. Less than a year ago I fought off the Windows Security virus by simply installing and running free AVG. Now I can't even try to open a Wordpad doc without being redirected to the "Buy Windows Security" site instead, and McAfee and AVG were disabled instantly when I picked up this freaky Internet STD.
posted by Shane at 4:57 PM on December 28, 2011


Ha, this is brilliant. malwarehelp.org's tool made the Windows 7 Security malware ineffective in seconds by blocking the affected registry keys. I just transferred the file off a flash drive to my infected computer as a .reg file so the malware wouldn't recognize it, as per the site's instructions. I'm running a Malwarebytes scan now, downloaded from the same page mentioned above, to find and delete the virus files. Who knew, mikeand1? -- this could have saved you some agony.

Before going to the trouble of booting off CD, flash, etc., you may want to search malwarehelp.org for a potential fix (although you'll probably still have to journey there via an uninfected 'puter).

By the way, JHarris, thanks for getting me back hooked on MeFi again. I hope to spend more time here, though not as much as I used to, heh... Maybe ten years ago, sometime between the boom when MeFi zoomed from 18k to 30k+ users, I was in the top ten comment index (I commented, um... constantly). I didn't think I was all that funny, but I actually got a few pieces of "fan mail", lol (though nothing like Wendell, or the famed quonsar -- where the hell is he?) I'm account # 15302, but I have a 7000 series account I've never used much from back when I was a lurker. I don't recognize much about this place anymore (although I see crunch and delmoi and nicwolff from my time in this thread)... for example, back in the day I'd be called over to MeTa for babbling this much.
;-)
posted by Shane at 6:04 PM on December 28, 2011 [1 favorite]


Am I crazy? Is my computer infected with a virus that stops me seeing a download link on the Hiren's Boot CD page?
posted by alby at 9:58 PM on December 31, 2011


I can't find it either alby, and I'm on an iPad.
posted by JHarris at 10:38 PM on December 31, 2011


Try the fan site.
posted by flabdablet at 6:07 AM on January 1, 2012

