If your machine is infected, I now recommend running this utility prior to any other virus scanning steps.
Recommended download from here:
http://connect.microsoft.com/systemsweeper
Easy Steps: Build the CD
1. Preferably from a non-infected computer, click the link above and choose the 64-bit or 32-bit version. If in doubt about the version, see Microsoft's documentation on the linked page. In general, unless you know otherwise, use these:
- 32-bit for Windows XP
- 64-bit for Windows 7 (most likely)
- 32-bit or 64-bit for Vista; it could be either, so try the 32-bit version first
The download is a small stub called msstoolxx.exe, where xx = 64 or 32.
2. Save the downloaded EXE to a known location on your disk.
3. Open the folder where you saved it and run the executable.
This builds the image, which takes about 30 minutes depending on your Internet connection speed. The image build is automatic. You will be prompted to write the image to a CD-R or a USB thumb drive, or to save it as an ISO image. I recommend the CD because not all machines can boot from a USB thumb drive.
Ideally, build the image from a non-infected computer; if this is not possible, try from the infected machine. If you are downloading on an infected computer, rename the downloaded EXE to a random name before running it, because the viruses may recognize the filename and try to stop you.
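As an added example (not code from this article or from Microsoft), the PowerShell helper below carries out the steps above: it picks the 32- or 64-bit stub to match the running OS, refuses to launch it unless its Authenticode signature is valid and Microsoft's, and renames it to a random name before running it, as advised for an infected machine. It assumes the stub was saved to the user's Downloads folder and that the stub is Microsoft-signed; the folder, the signer check and the random-rename step are my assumptions, not part of the original procedure.

```powershell
# Added helper (not from the Keyliner article or from Microsoft): picks the stub that
# matches the OS bitness, verifies its Authenticode signature, renames it to a random
# name and runs it. Assumption: the stub was downloaded from the Microsoft link above
# into $DownloadDir and is Authenticode-signed by Microsoft; if the signature check
# fails, nothing is run.
param(
    [string]$DownloadDir = "$env:USERPROFILE\Downloads"   # assumed save location
)

# Win32_Processor.AddressWidth reports the running OS's address width (32 or 64),
# so the same check works on XP, Vista and 7.
$bits = (Get-WmiObject -Class Win32_Processor | Select-Object -First 1).AddressWidth
$stub = Join-Path $DownloadDir ("msstool{0}.exe" -f $bits)

if (-not (Test-Path $stub)) {
    throw "Expected stub not found: $stub (download the $bits-bit version first)"
}

# Refuse to run a stub whose signature is missing, broken, or not Microsoft's.
$sig = Get-AuthenticodeSignature -FilePath $stub
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'CN=Microsoft Corporation') {
    throw "Signature check failed for $stub (status: $($sig.Status)); do not run it"
}

# Rename to a random name before running, as the article advises for an infected
# machine: malware may watch for well-known security-tool filenames.
$random  = [System.IO.Path]::GetRandomFileName().Replace('.', '') + '.exe'
$renamed = Join-Path $DownloadDir $random
Rename-Item -Path $stub -NewName $random
Write-Host "Running $renamed (signed by: $($sig.SignerCertificate.Subject))"
Start-Process -FilePath $renamed -Wait
```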
Using the Image:
Insert the CD and boot the computer, choosing "Boot from CD".
The scan will take several hours, depending on the size of the disk. The process is completely automatic.
If your machine does not boot from CD
Summary: Cold-boot the computer and enter the BIOS configuration screens (hardware/BIOS settings, often by pressing F2 or F10 as the machine boots). In the BIOS menus, change the "Boot order" so that the CD drive boots before the hard disk. Save the configuration change (typically F10 = Save) and try booting again.
See this Keyliner article for additional details: Booting from a CD or DVD
Caveats to Think About
- Download and build the bootable image when needed. Old copies are obsolete. Microsoft continuously updates the CD with the latest virus signatures. Because it is a CD, it cannot update itself.
- It can only clean viruses that MSE knows about. If it fails to clean the infection, consider re-building this same disk a few days later. Microsoft updates their virus signatures several times per day.
- None of these products replace the need for real-time virus scanning.
Final comments:
As I have written in my previous articles on these topics, cleaning a virus while running on an already-infected machine is like fixing a car's engine while driving. While the infection rages, you have to trick the computer while cleaning, and the steps are difficult and vary depending on the virus.
Booting from a guaranteed-clean operating system is an ideal way to catch a virus. The virus is completely disabled during the scan and Microsoft has full control of the system. I wish all virus-scanning vendors could use this same design - it vastly simplifies the process.
Once cleaned (and presumably the machine is usable), I still highly recommend running other virus tools, such as MalwareBytes and SuperAntiSpyware, to double-check. As much as I like MSE, no single virus scanner catches all the bugs. If you have one virus, you have others, and you will have to run multiple tools to make sure.
See the related articles, below, for the steps on how to use these other programs.
And this leads me to this thought: If your machine is already running MSE and you were still infected, then Microsoft's standalone System Sweeper may not help because it missed it in the first place. But I still believe MSE is one of the best tools on the market -- and it is free.
Technical Note:
The bootable image loads a run-time copy of Windows. Unfortunately, the bootable image does not allow you to do anything else. You won't be able to copy data files or run other virus scanning products. It would be neat if you could run other cleanup tools, but Microsoft locked this down. Hopefully, they will re-consider this.
Related Products:
Microsoft is also distributing a related product called "Microsoft Safety Scanner". This is a single executable that does not need to be installed, and you might be able to run it when no other program will work. However, this design is not as good as the bootable version described earlier in this article. If you have a netbook without a CD drive, this may be worth a try. The Scanner (msert.exe) is only valid for 12 days; after that it expires. This forces everyone to download the latest and greatest version.
Related articles:
Microsoft Security Essentials
Removing Win32 Cryptor
Removing Win7 Anti-Virus - Recommended steps for all viruses
Removing Personal Security Virus
Securing Windows 7 from your Children
Booting from a CD / DVD
Other recommended virus scanners:
MalwareBytes
SuperAntiSpyware
Choose the Free Edition. Despite its suspicious name, this is a legitimate program.
Rename to xxSuperAntiSpyware.exe before running.
Interesting article on spear-phishing attack:
http://blogs.technet.com/b/mmpc/archive/2011/05/31/when-spear-phishers-target-security-researchers.aspx