Wednesday, July 1, 2015

Virus Cleanup Steps

How To: Virus cleanup steps for Windows PC's.  General steps that work for almost all infections.

Over the years I have written many articles on how to clean up specific viruses, but the articles become dated and are less useful when other viruses take their place.  This article generalizes the steps I take for all infections.  Although time-consuming, the results are almost always good.

When cleaning viruses, it is best to boot from a non-infected virus-cleaning disk -- usually a bootable CD.  Because you are booting from a guaranteed, non-infected operating system, and because it has full control of the hard drive, there are no locked or in-use files and the software gets complete access to the disk.  Because of this, it can clean the most stubborn infections.

Microsoft and other vendors now have free, bootable CD's.  To do the job right, you will have to run multiple products, from multiple vendors.  This will take time. 



In General:

- Build the bootable CD's from a non-infected machine
- You will be building multiple CD's, from multiple vendors
- You can build bootable CD's or bootable USB sticks; I prefer CD's
- Build the disks on the day they are needed -- they become obsolete within a few days

Important: If you have a laptop, running Windows 8.x or 10.x, see below for concerns about UEFI disks***.


Build the CD's

From a non-infected computer

Download Windows Defender Offline

This is a bootable CD* that runs Microsoft's virus cleaning utility.
http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline


- You must use Microsoft's Internet Explorer to download
- Always download and use the latest version
- It will download a stub program, msstools.exe.  Run this stub.
- It will build the CD automatically; follow the on-screen prompts or see the steps below.
- Most Windows 8, 7 and Vista users should choose the 64-bit version.


Download Kaspersky Rescue Disk

This is a bootable CD that is downloaded as an .iso file.  Use the .iso to build the CD.


http://support.kaspersky.com/us/viruses/rescuedisk#downloads
Click "Distributive" to download the ISO

- Click the Download Kaspersky Rescue Disk link.
- This will write an ISO file, which is a CD disk image.
- From Windows 7, 8 or 10, follow these steps to write the ISO file to a CD.


Download AVG Rescue CD

This may be overkill, but a third vendor may find things that the others miss.
http://www.avg.com/us-en/avg-rescue-cd

- Click the AVG Rescue CD Free Download link; download the ISO version.
- See these keyliner steps to write the ISO file to a CD.



Begin the Cleanup

Once the Bootable CD's have been built and labeled, do the following:


0.  Malware Bytes

If your machine is healthy enough to run other software, from the infected machine, download and run this program, from MalwareBytes.org.  This is my favorite anti-virus program.
https://www.malwarebytes.org/mwb-download/

If the machine is not healthy enough, download the installation from another computer and burn it to a CD.  Then, disconnect the network cable from your infected computer, or disable the Wireless.  Then run this program; it will probably succeed.  Because it is not on the wire, it won't be able to update its definition files; cancel the update and let it run a full-scan with the version you downloaded. 

- Select the Free Download
- Decline the offer to install the 30-day trial
- If possible, allow the program to update its definition / dictionary files
- Allow the program to do a full-system scan
- It will take hours to run.  It runs unattended

Once it is complete, continue with the next bootable CD

If you cannot get MalwareBytes to install or run, continue with the next CD.


1.  Kaspersky First

Have your network cable plugged in or your wireless enabled.  Boot the computer with this CD and follow the on-screen prompts.

- Insert the Kaspersky CD into your drive and boot the computer.
- Hopefully, you are prompted "Press any key to boot from the CD"
- If you do not see this prompt, see below on how to change your BIOS boot Order**

Allow the program to do a full-system scan.  The program is a little weird.  Click the big red (or green) button in the upper-left corner to begin the process.  On the current version as of this writing, the button looks like a bunch of LEDs in a circle and it is not clear that this is a button.

The scan will take hours and can run unattended.


2.  MSE Second

Boot the Microsoft CD and instruct it to do a full (not quick) scan.


3.  AVG - Optionally Third

Consider booting the AVG disk if you want to be even more thorough.  Personally, I have not actually done this, but if you have the time, it is worth the effort.  It may find something the others missed.


4.  Last Step

If you were unable to run MalwareBytes in Step 0, allow the computer to boot normally (without a bootable CD).  Install MalwareBytes and allow it to run.


In my experience, these steps have almost always fixed the computer, with one notable exception.

RANSOMWARE Viruses

If you detect a Ransomware virus, the programs above will remove the virus but they will not be able to save the data and many programs.  It will render your computer useless.  It is repairable, but your data will be lost. 

(Ransom viruses encrypt all of your data files, such as Word, WordPerfect, Excel, PPT, photos, etc., and invite you to pay a fee of $100-$500 for the decryption key.  The fee is usually paid in bitcoins, which are untraceable.  Under no circumstances should you pay.  To begin with, they will take your money and may not give a decryption key.  They may give the key, which will restore your data files, but will likely re-encrypt in the future and charge ransom again.  This is truly a lost cause.)

The only way I have found to 'recover' from this type of attack is to build your system recovery CD's (from your hardware vendor - usually a menu to build "recovery disks", or contact the vendor to have one shipped), format the hard disk and start over.  This will save the hardware, but all data will be lost.  Recover data from your backups.

Other Notes:

**BIOS Boot Order

Your PC may not allow booting from a CD.  Follow these rough steps, which vary by each computer model.

A.  Cold boot the PC
B.  At the hardware banner screen, press F10, or F12 or F2, to enter the BIOS Setup or Boot Setup menu.  Sadly, this varies.
C.  If you arrive at a UEFI Secure Boot screen, see the note below* before going further
D.  Enter the BIOS Setup (sometimes called simply "Setup").
E.  In the top BOOT menu, look for a choice that shows boot order.  Arrange the order so the CD is first to boot, then the Hard Disk.
F.  Most BIOS screens use a bottom-menu F10 to SAVE your changes.
G.  Allow the PC to reboot.  Watch the screen for a "Press any key to boot from CD" prompt


***UEFI Disks

Very new laptops, with Windows 8.x or 10.x, have UEFI Secure Boot, which prevents viruses from writing boot-sector changes.  Unfortunately, this also blocks bootable CD's from seeing the disk (UEFI is actually a very good security feature -- it just stops some of these tools).  If your vendor has signed drivers, they can boot, but as of this writing, I have not found a vendor who can do this.

For example, if you have a UEFI disk, Microsoft's MSE claims to be able to boot and clean the disk, but I have not yet gotten this to work.  I am still researching this.

If you have a UEFI disk, I do not know how to use these bootable CD's.  Your only hope will be MalwareBytes.
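Before building the CD's, it helps to know which of the cases above applies to your PC.  The following PowerShell script is an added example, not from the original post; run it from an elevated PowerShell prompt on the machine you intend to clean.  It reports the Windows architecture (for the 64-bit choice in the Windows Defender Offline steps), the firmware type, and the Secure Boot state, using the built-in $env:firmware_type variable and the Confirm-SecureBootUEFI cmdlet that ship with Windows 8 and later:

```powershell
# Added example (not from the original post). Reports the three facts the
# cleanup steps depend on:
#   1. 32-bit or 64-bit Windows  -> which Windows Defender Offline build to download
#   2. legacy BIOS or UEFI       -> whether the BIOS boot-order steps apply
#   3. Secure Boot on or off     -> whether an unsigned rescue CD can boot at all
# $env:firmware_type and Confirm-SecureBootUEFI exist on Windows 8 and later.
# Confirm-SecureBootUEFI needs an elevated prompt and throws on legacy-BIOS PCs.

$arch = if ([Environment]::Is64BitOperatingSystem) { '64-bit' } else { '32-bit' }
Write-Host "Windows architecture : $arch  (download the $arch Windows Defender Offline)"

$firmware = $env:firmware_type   # 'UEFI' or 'Legacy' on Windows 8 and later
Write-Host "Firmware type        : $firmware"

if ($firmware -eq 'UEFI') {
    try {
        $secure = Confirm-SecureBootUEFI   # $true = enforced, $false = disabled
    } catch {
        $secure = 'unknown (re-run as Administrator)'
    }
    Write-Host "Secure Boot          : $secure"
    if ($secure -eq $true) {
        Write-Host 'Secure Boot is on: an unsigned rescue CD will not boot.'
        Write-Host 'Plan on the MalwareBytes route (Step 0 / Step 4) instead.'
    } else {
        Write-Host 'UEFI with Secure Boot off: a rescue CD may boot; check the boot menu for the CD entry.'
    }
} else {
    Write-Host 'Legacy BIOS: the rescue CDs should boot once the boot order puts the CD first.'
}
```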

Your comments are welcome.
