Sunday, November 3, 2013

Microsoft SystemSweeper - Antivirus

Windows Defender Offline (formerly Microsoft Security Essentials - MSE ).  A bootable CD for cleaning viruses.  Updated 2013.11. 

This article has been retired.  See this up-to-date Keyliner article:
Keyliner - Virus Cleanup Steps


When cleaning viruses, it is best to boot from a non-infected disk in order to do the cleanup and the easiest way to do this is to boot from bootable CD.  Microsoft and other vendors now have free, bootable CD's, that clean even the most stubborn viruses. Because you are booting from a guaranteed, non-infected operating system, and because it has full-control of the hard drive, with no locked or in-use files, it gets unprecedented access to the disk and it can clean the most stubborn infections.

Building and using bootable CDs are easy and reliable. If your machine is infected, I now recommend running these utilities prior to any other virus scanning steps.  You should run these utilities from multiple vendors.


1.  Build bootable CD's from a non-infected computer.
2.  Build the disks when needed; old disks are obsolete.
3.  If offered to build a CD vs a bootable USB drive, use the CD (Viruses can re-infect USB).

4.  Build CD's from each vendor, below. Some vendors can catch viruses that other vendors miss.
5.  With each vendor's program, cancel the default quick scan and run full-scans. These are time-consuming, taking several hours each.

6.  When done with bootable disks, launch Windows and then download and run this utility:

Download MalwareBytes: Malwarebytes
Run the Free Version.
If offered to install a Demo "Pro" version; decline and run the free (optionally, buy the professional version).  This scan will take several hours.

7.  Then download and run this additional Microsoft Utility from within Windows as a double-check:


If you have a newer Windows 8 or 8.1 with a UEFI disk, the CD's from non-Microsoft vendors will not work and I do not have a good work-around.  (UEFI are security-enabled BIOS boot drives and bootable CD's cannot reach them - at least as near as I can tell.) 

To see if you have a UEFI disk, boot into the BIOS and look at the boot system.  Alternately, load Control Panel, Administrative Tools, Computer Management.  On left-Nav, open Storage, "Disk Management" - wait a few moments.  Hover mouse over the Disk 0 partitions, looking for an "EFI System Partition".

Download and build CDs from each recommended vendor:

A.  Download Microsoft Security Essentials - MSE

For Windows 7, Vista, Windows XP:

For Windows 8, 8.1 and newer,

- Use Microsoft's Internet Explorer to download
- Always download and use the latest version
- It will build the CD automatically; follow the on-screen prompts or see the steps below.
- Most Windows 8, 7 and Vista users should choose the 64-bit version.
- XP users should choose the 32-bit version

B.  Download Kaspersky Lab's "Rescue Disk"

This will not work on UEFI disks.

- Click the Download Kaspersky Rescue Disk link.
- This will write an ISO file, which is a CD disk image.
- From Windows 7, follow these steps to write the ISO file to a CD.

C.  Download AVG Rescue CD

This will not work on Windows 8.x UEFI disks.

- Click the AVG Rescue CD Free Download link; download the ISO version.
- See these keyliner steps to write the ISO file to a CD.

MSE Easy Steps: Build the CD

1. Preferably, from a non-infected computer, click the link above and choose the 64-bit or 32-bit version, depending on what OS was installed on the infected machine. If in doubt of the version, see Microsoft's documentation in the linked page. In general, unless you know otherwise, use these:

32-bit for Windows XP
64-bit for Windows 7 - most likely
32 or 64 for Vista; could be either; try the 32-bit

The download is a small stub called msstoolxx.exe where xx=64 or 32.

2. Save the download-exe to a known location on your disk.
3. Open the folder where you downloaded and run the executable.

This builds the image and it will take about 30 minutes, depending on your Internet connection speed. You will be prompted to build either a CDR, USB thumbdrive. I recommend the CD because not all machines can boot from a USB thumb-drive. The image-build is automatic.

Ideally, build the image from a non-infected computer, but if this is not possible, try from the infected machine. If you are downloading from an infected computer, rename the downloaded EXE to a random name before running because you know the viruses will figure this out and will try to stop you.

Using the Image:

Insert the CD and boot the computer, choosing "Boot from CD" when prompted.
The scan will take several hours, depending on the size of the disk. The process is completely automatic.

If your machine does not boot from CD

Summary: Cold-boot the computer and enter the BIOS configuration screens (hardware/BIOS settings, often pressing F2 or F10 as the machine boots). In the BIOS menus, change the "Boot order", allowing the CD to boot before the hard disk. Save the configuration change (typically with an F10=save) and try booting again.

See this Keyliner article for additional details. Booting from a CD or DVD

Caveats to Think About
  • Download and build the bootable image when needed. Old copies are obsolete. Microsoft continuously updates the CD with the latest virus signatures. Because it is a CD, it cannot update itself.
  • It can only clean viruses that Windows Defender knows about. If it fails to clean the infection, consider re-building this same disk a few days later. Microsoft updates their virus signatures several times per day.  Consider the steps in this keyliner article: Removing Win7 Anti-Virus
  • None of these products replace the need for real-time virus scanning.  See Microsoft Security Essentials

Final comments:

If you have read my previous articles on these topics, cleaning a virus while running on an already-infected machine is like fixing a car's engine while driving. While the infection rages, you have to trick the computer while cleaning and the steps are difficult and vary, depending on the virus.

Booting from a guaranteed-clean operating system is an ideal way to catch a virus. The virus is completely disabled during the scan and Microsoft has full-control of the system. I wish all virus-scanning vendors could use this same design - it vastly simplifies the process.

Once cleaned (and presumably the machine is useable), I still highly recommend running other virus tools, such as MalwareBytes and SuperAntiSpyware to double-check. As much as I like MSE, no single virus scanner catches all the bugs. If you have one virus, you have others and you will have to run multiple tools to make sure.  See the related articles, below, for the steps on how to use these other programs.

Multiple Scanners:
Do not leave multiple scanners installed at the same time.  I recommend using Windows Security Essentials (Microsoft's free real-time virus scanner).  On several machines that I have worked on, both MSE and the heavily-advertised Mcafee Security Scan Plus (free) are running on the same machine and has caused numerous problems.  Uninstall one or the other.

With this thought, if your machine was running Windows Defender and you were still infected, then Microsoft's offline virus scanner may not help because it missed it in the first place. But I still believe MSE is one of the best tools on the market -- and it is free.
Technical Note:
The bootable image loads a run-time copy of Windows. Unfortunately, the bootable image does not allow you to do anything else. You won't be able to copy data files or run other virus scanning products. It would be neat if you could run other cleanup tools, but Microsoft locked this down. Hopefully, they will re-consider this.

Related Products:

Microsoft is also distributing a related product called "Microsoft Safety Scanner". This is a single executable that does not need to be installed and you might be able to run this when no other program will work. However, this design is not as good as the bootable version described earlier in this article. If you have a netbook without a CD, this may be worth a try. The Scanner (msert.exe) is only valid for 12 days, then it expires. This forces everyone to download the latest and greatest version.

Related articles:
Microsoft Security Essentials
Removing Win32 Cryptor
Removing Win7 Anti-Virus - Recommended steps for all viruses
Removing Personal Security Virus
Securing Windows 7 from your Children
Booting from a CD / DVD

Other recommended virus scanners:
MalwareBytes: Malwarebytes

SuperAntiSpyware: superAntiSpyware
Choose the Free Edition. Despite its suspicious name, this is a legitimate program.
Rename to xxSuperAntiSpyware.exe before running.

Interesting article on spear-phishing attack:

No comments:

Post a Comment

Comments are moderated and published upon review.