Tuesday, August 19, 2008

Virus recovery tools & techniques

I wrote this article to share what I learned as a result of having to deal with a computer virus recently. Basically, my familiarity with virus recovery tools and techniques has been forcibly upgraded.

It has been a long time, perhaps more than 5 years, since I have had to deal with a virus infestation in our household. We had been using Grisoft AVG Free for anti-virus, Javacool SpywareBlaster to prevent spyware, and Lavasoft Ad-Aware to detect and remove any spyware/adware that made it past SpywareBlaster. I was fanatical about keeping all of those programs updated, and this has worked very well for us.

However, this past Saturday it became apparent that my wife’s desktop computer had become infected with a browser hijacker. AVG antivirus has active website scanning enabled, so my wife had received a pop-up warning from the program that there was malware on a website she visited recently, but it appeared that the program had contained the threat.

Apparently it was one of the newer Trojans, and made it past our AVG antivirus software. Browser windows started popping up, pestering her with ads. This thing disabled Windows Update, reset her browser Privacy setting to Low (Allow All Cookies), disabled the updater for AVG antivirus and Ad-Aware, and made it impossible to reach desired websites – the browser was constantly redirecting. Experience and research further indicated that malware was being actively invited in on an ongoing basis and that a key logger might have been employed, necessitating a reset of all passwords.

I’m going to spare you all the details of the many steps I took, involving many hours over three plus days, to resolve the issue and fast forward to lessons learned and hopefully someone can benefit from this incident.

However, I assume no responsibility for your data or your computer security; this article is for informational purposes only, and you should do your own homework and come to your own conclusions. As always, you should back up your valuable data regularly. And should you become aware of a virus or malware infection on the source computer, scan all backed-up data carefully before using it in any way.

Lessons learned

- AVG Free did not prevent, detect, or remove this infection (seriously, no one’s perfect, and I imagine it must be hard to keep up with all the new viruses that are constantly coming out)
- Ad-Aware could not remove this infection
- Bitdefender and Kaspersky antivirus both get high reviews from a variety of sources, but I cannot recommend Kaspersky because it refused to install when it detected traces of the previously-installed AVG. Kaspersky would not work for me when I really needed it to, so I've gone with Bitdefender, and I'm happy with it so far
- it’s better to be prepared than to have to scramble for a solution
- what removed the infection for me was a combination of Malwarebytes' Anti-Malware and Simply Super Software Trojan Remover
- keep your hard drive defragmented, and buy the fastest hard drives you can afford – having to scan your entire hard drive for viruses is a time-consuming process

Disaster recovery preparation

After a lot of trial and error, here’s the virus disaster recovery kit I came up with:

- a CD with the BartPE ISO burned onto it, and
- a USB thumb drive full of malware removal tools

Although it wasn't useful for this purpose, I also recommend having a copy of Ultimate Boot CD lying around for computer emergencies: http://www.ultimatebootcd.com/

Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD: http://www.nu2.nu/pebuilder/

BartPE is a CD-bootable environment with limited Windows functionality. Basically it lets you bypass your infected hard drive entirely and run Windows executable programs from the thumb drive. You will need your Windows install CD to create the ISO, because it is built from Windows system files.

Theoretically you could create plug-ins to include your favorite programs with the BartPE ISO, but I found this wasn’t as easy as it looked or sounded. Although there are a number of sites offering BartPE plug-ins for antivirus/antispyware, all the ones I found were so old as to be practically useless.

That doesn’t matter; the basic BartPE ISO is all you need to boot to an environment from CD that allows you to run the virus removal tools from the USB thumb drive. It’s easier to keep adding updated antivirus tools to a thumb drive anyway – download the latest one every month.
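One caveat a thumb-drive kit needs: once that drive has been plugged into an infected machine, the malware has had write access to it, so you should be able to tell whether any tool on it was altered or anything was added (an autorun.inf dropped on removable media was a common trick in this era) before you trust it again. The script below is an added example, not part of the original post or of any of the tools it lists. It records a SHA-256 manifest of every file on the drive while it is on a known-clean computer, stores that manifest off the drive (if it lived on the drive, the malware could rewrite it too), and later reports modified, missing and added files. The drive and tool file names in the demo are constructed placeholders, not real binaries.

```python
"""Integrity manifest for a malware-removal thumb drive (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large installers don't load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (drive-relative, POSIX-style) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, manifest_file: Path) -> None:
    # The manifest lives on the clean PC, never on the drive it describes.
    manifest_file.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_file: Path) -> dict:
    return json.loads(manifest_file.read_text())


def verify_tree(root: Path, expected: dict) -> dict:
    """Compare the drive's current contents against the stored manifest."""
    actual = build_manifest(root)
    return {
        "modified": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in actual),
        "added": sorted(k for k in actual if k not in expected),
    }


def is_clean(report: dict) -> bool:
    return not any(report.values())


def demo() -> tuple:
    """Build a constructed kit, snapshot it, tamper with it, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp) / "thumbdrive"  # stands in for the mounted USB drive
        (drive / "tools").mkdir(parents=True)
        # Constructed placeholder contents; not real tool binaries.
        (drive / "tools" / "mbam-setup.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (drive / "tools" / "stinger.exe").write_bytes(b"MZ" + b"\x01" * 64)

        manifest_file = Path(tmp) / "kit-manifest.json"  # kept off the drive
        save_manifest(build_manifest(drive), manifest_file)
        before = verify_tree(drive, load_manifest(manifest_file))

        # Simulate what an infected host might do while the drive was plugged in:
        # patch a tool binary and drop an autorun.inf pointing at it.
        with (drive / "tools" / "stinger.exe").open("ab") as fh:
            fh.write(b"\x90" * 16)
        (drive / "autorun.inf").write_text("[autorun]\nopen=tools\\stinger.exe\n")
        after = verify_tree(drive, load_manifest(manifest_file))
        return before, after


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("fresh kit clean:", is_clean(clean_report))
    print("after tampering:", json.dumps(tampered_report, indent=2))
```

Rebuild the manifest every time you refresh the tools on a clean machine, and re-run the verification before the drive goes anywhere near another computer; anything in "modified" or "added" means the kit gets wiped and rebuilt, not used. A drive with a hardware write-protect switch (or burning the tools to CD-R alongside BartPE) prevents the tampering outright; the hashes only detect it after the fact. The manifest also says nothing about whether a download was clean to begin with, so check the vendor's published checksum when one is offered.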

The moment you suspect your computer has become infected with a virus, worm, Trojan, or any other kind of malware, unplug it from the network immediately. Insert the BartPE CD, shut the computer down and leave it off for 30 seconds, plug in the USB thumb drive, and restart it, making sure that the CD drive is ahead of the hard drive in the BIOS boot sequence so the infected Windows installation never gets to run.

Start by running these standalone programs – these do not require installation; they can run in BartPE from the thumb drive:

Trend Micro CWShredder: http://us.trendmicro.com/us/products/personal/CWShredder/
McAfee Avert Stinger: http://vil.nai.com/VIL/stinger/
avast! Virus Cleaner: http://www.avast.com/eng/avast-virus-cleaner.html
SmitFraudFix: http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
Trend Micro Sysclean: http://www.trendmicro.com/download/dcs.asp (DOS executable)

If you know exactly which virus has infected your computer and if you have another computer you can use, you can go to one of these sites and download the specific removal tool for that virus:

Kaspersky Virus Removal Tools: http://www.kaspersky.com/removaltools
Symantec Virus Removal Tools: http://www.symantec.com/business/security_response/removaltools.jsp

Once your computer is clean enough to restart in Safe Mode, you can install and run these programs:

Bitdefender: http://www.bitdefender.com/ - excellent!
Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php - excellent!
Simply Super Software Trojan Remover: http://www.simplysup.com/ - excellent!

Here are some anti-virus reviews:


I hope this helps, and I welcome any feedback. Thanks!

1 comment:

FreedomJoyAdventure said...

No, Karl, you may not spam my blog with your ads for cheap RAM.