When a PC gets that bad the best option is to start again with a clean install, having first booted from a USB stick to get important data off, or what's left of it.
Microsoft has released a beta version of its Windows Defender antivirus tool that works even when computers are so badly infected that they are unable to fully access the internet. The program allows users to boot their sick machines from a CD, DVD or USB flash drive and use the most up-to-date definitions to fight the …
"When a PC gets that bad the best option is to start again with a clean install"
When a PC gets that badly infected, it's time to install a copy of Linux and move on.
Yeah starting again is usually the best option, especially if it's your own computer, but I recently had a problem like this with my aunt's PC. It had one of those anti-virus viruses that blocks all internet access except access to their site to buy their fake anti-virus product.
While I could have suggested a full re-install, she hasn't got a clue what files need backing up or where she keeps them on her computer and so I would inevitably get the blame for not backing up everything properly. Plus there's the onerous chore of waiting for her wheezing P4 to reinstall everything (assuming she can find the discs).
If MS can release something that will clean a system up to the point that I can get back on the internet and download other clean-up tools I think it will be my preferred route... because I'm lazy like that. ;)
I agree, but...
I agree with you, but there are many people for whom that is simply not an option because they don't have the requisite skills. Often these are the people who have machines that are totally borked. It's a nice option in the canon of tools to fight the bad guys.
I once saw this badly infected XP box with a BSOD, and the words 'Nuke Me!' scrolling on the screen.
I felt sorry for that PC, so I inserted an Ubuntu Live CD, and disinfected it.
As I booted it from the hard disk for the first time, I saw "I am one with the Penguin" appear on the screen just before Ubuntu loaded. Infection cured.
Certainly it's not a good idea to mend what is broken. I keep images on a LAN drive, I keep them on backup drives that are not connected, and I have a number of Swiss knives in the form of bootable CDs and USBs. I tried the Acronis (Linux) confection, putting it on a USB which can live update. As has been mentioned elsewhere - possibly here also - it's good to rehearse strategies, but the only real test is a genuine emergency with a genuine infection.
Maybe, but I just *hate* to accept that some scrote's got the better of me and admit defeat.
In some cases I've dealt with it might actually have been quicker to reinstall, but nowhere near as satisfying.
You write like Cory Doctorow.
"When a PC gets that badly infected, it's time to install a copy of Linux and move on."
When average Joe User installs Linux on their own machine, it will be the day the internet will be flooded with Linux viruses.
Remember, the average user won't have locked down the machine as tight as the experienced Linux user and will probably click on all those fancy popups and 'install me' links.
Agree, clean rebuild even if it means...
...data loss because people are too lazy to have backups.
I too get called when friends and family PCs get infected. However, even when I think I can recover the PC I tell them it means a rebuild and if they don't know what data to backup then tough luck, I just format and re-install. The beauty of this hardline approach is that now my friends and family take far more care when it comes to downloading files and clicking on links they are unsure about. No pain, no gain.
> the average user won't have locked down the machine as tight
Yes he will.
It's the default condition.
"Remember, the average user won't have locked down the machine as tight as the experienced Linux user and will probably click on all those fancy popups and 'install me' links."
No, that WILL NOT WORK. You may (unlikely) hose the user account but the system files will not be replaced by malware laden fakes.
Why don't you people understand? NOTHING IS EXECUTABLE UNLESS YOU MARK IT AS SUCH.
Just having a file extension of .exe does not mean a damn thing on Linux or UNIX. Try to get your head around that.
First of all, remember that not everyone uses Linux, so shouting and complaining that people cannot get their heads round something that they have probably not come across before is quite redundant.
Anyone who has helped relatives clean the spyware and viruses off a PC has seen countless programs downloaded and installed. It used to be fake copies of programs like Bejeweled containing trojans, but now there is 'boost your crops in Farmville' type nonsense around.
Having to click a few buttons extra to install won't stop your 'average' user with a set of instructions in big friendly letters beside the download link. Giving it rights to run as root will be part of it. Some will just do it. Others will with a bit of technobabble thrown at them.
A question to the people who think Linux is 100% idiot proof.
With key presses/mouse clicks from the person who installed the operating system, is it possible to run a downloaded program with full root access?
I hope this is a WinPE variant and we can therefore use GMER, TDSSKiller, ComboFix, MBAM, Rkill etc.
If it is, we can also take an image with ImageX.
AC #1: The only time I give up is if there's a persistent rootkit that the above tools won't remove.
You could flash the BIOS, replace the MBR and start again, but I usually say nuke the fucker from orbit at that point.
Lately, it's been a great excuse to get some customers who desperately need it to buy new PCs :D
If you will nuke it
If you've got users that are that much of a liability with the Internet, I think it's high time they were given a Mint pendrive and told it is a new version of Windows. It's not like they will know any better and it's going to save you/them an awful lot of heartache cleaning up after them by the sounds of it.
It will probably boot into DOS.
If it's old enough to have DOS on it, it's likely old enough that these tools won't help that much anyway, being probably too old to support USB properly.
Probably not DOS...
...as DOS isn't equipped to handle NTFS filesystems, but the modern Windows STILL has a console mode, and seeing it boot into that wouldn't be beyond the realm of possibility. Indeed, it may be encouraged in case the damage extends to graphics drivers.
@Eddit Ito: boot into DOS...
I don't care if it boots into OS/2. If it'll clear off the bugs that are infecting the system and restore at least minimal functionality, or let me copy the files off the system onto a temp drive for later restoration, then it really doesn't matter what OS the offline boot runs.
Gawd/ess. The mind boggles.
Even Apple's OSX can go into single-user from the console to fix shit.
Earth to Dave Cutler, are you paying attention? I still run TOPS-10 and -20 on vaxen for a few clients ... but personally, I'll stick with Slackware & BSD (occasionally ecomstation) for the duration :-)
TOPS-10/20 on VAX?
Curious how you do that, unless you use emulation.
I was at SAIL, and a DEC intern. We did weird stuff ;-)
Yes, today it's under emulation (Linux based, both on Celeron powered headless laptops with 256Megs of memory). One system runs about fifteen acres of greenhouses. The other runs a largish machine shop. The code I wrote over thirty years ago still works, and we see no reason to update it.
Jokes that ain't funny!!!
You're joking. Microsoft would never think of a wise way of removing rootkits that they aren't able to prevent in the first place! And definitely never as technical as GMER, ComboFix, TDSS/TDL removal tools, or even as simple as a portable edition of SFC with a cache folder.
As for the EEPROM on the BIOS, or the MBR, well that's just asking for trouble if Microsoft were to incorporate that; no one would ever put their head on a chopping block.
Booting from removable media, provided you don't accidentally boot into the OS and during its boot process it infects or corrupts the only removable media copy you have access to.
One word that I predict, I think the picture says it all...
> during its boot process it infects or corrupts the only removable media copy you have
This is why I always boot from CD, rather than USB drive, when I'm suspicious of the machine.
Go ahead, try to write to my CD :-)
I just make sure that the USB drive I'm using for this purpose has a little switch on the side. Slide the switch to the picture of a locked padlock and then plug 'er in.
Been around for a while...
... Microsoft Standalone System Sweeper Beta renamed? Why Windows Defender Offline and not Microsoft Security Essentials offline?
It doesn't matter. Viruses disable antivirus. So what is the point of having one that would work when you can't get online?? Windows Defender wouldn't even work if the virus was strong enough to take the PC offline.
I would say you have a 1 in 100 chance of a computer actually being able to open Windows Defender if the virus was sophisticated enough to disable the internet. It would have already taken out Windows Defender.
Except of course that this thing boots standalone. Thus your postulated virus that takes out Windows Defender isn't running at the time.
"Windows Defender Offline Beta walks users through the steps required to set up the boot disk."
... when you've downloaded it where? On your machine that's too sick to talk to t'internet?
Go and have a look at your local public library sometime. I know it's probably been at least a decade or two since you last visited it, and you might be surprised at some of the changes that have taken place since you were last there back in 1992...
There's also these shops called "Internet cafes" that now exist in most cities and towns, you might want to look one up near you and check out what they actually sell besides shitty coffee! ;)
You'd have to be a bit thick to generate the boot disk on the machine that's infected anyway.
Then again, you'd have to be a bit thick to have thumped the "yes please" button when that message came up offering to install a FREE!!111!!! Secuitry Scanrer......
Trust a public computer, eh?
I've put an SD card into a photo kiosk before, and it came out with an MMO-credential stealing trojan. I wouldn't put anything into a public computer and bring it back home without it first being sheep-dipped, and if you have a computer to sheep dip your removable media, you can use that to disinfect the hard disk of your other machine.
Good info. Thanks Register!
A better solution
A better solution might be to improve the security in the first place!
I tried nine Linux-based AV rescue disks about 6 months ago.
Most of them were useless so another alternative is welcomed.
Might save me some effort.
The best option isn't a clean install, it's restoring from a recent full system partition backup, followed by extracting and disinfecting the user's files from a backup of the infected system made prior to the restoration. Better yet, the user has an external hard drive and software which syncs their personal files on a regular basis.
Unfortunately what I normally see is someone with no backup, who has critical software installed which cannot be reinstalled because they can't find the discs, and needs their PC up and running in about an hour because even though it's been unusable for a week they waited until the day before their work assignment/homework/whatever is due to take care of it.
I normally try to boot into safe mode with networking with a fresh download of Malwarebytes on a USB stick. If that doesn't work I pop the drive into an eSATA dock and clean it up from my PC.
Hopefully this will work in situations where booting from safe mode isn't an option or where I don't have access to a 2nd computer and the right adapter to connect a drive to it.
I can't believe they offered this as an "option".
Perhaps it's just me, but if you're going to disinfect a box (or at least try), the *FIRST* thing you do is take it offline.
Bitdefender? Really? Your box is hosed to the point it can't connect and Bitdefender is going to save you? Good luck with that, as the saying goes.
About! Fscking! Time!
I've been doing this for the last decade or so using a Linux bootable USB stick and the latest ClamAV, but that cannot always clean out all the Windows crap.
If (and that's a big if) this does what it says on the tin, it's a great, huge leap forward.
Microsoft finally distributing Knoppix, huh?
OK, I'll duck and run...
re: clean install
1. Some nasties can survive this
2. Some of your documents or needed files can get infected
I was asked to help a friend with a computer so badly eaten up with malware it was essentially a non-functioning boat anchor.
Booted using an Ubuntu LiveCD, copied off his data files, wiped his C: drive with GParted, zero-filled the drive with the maker's software and reinstalled his OS. Took maybe an hour.
It's just a waste of time to try and repair some computers.
There's also various self updating ISOs available from big AV manufacturers. I usually remove the disk and dump it into a fully updated PC, scan it and recover data that way.
Don't they already know that most of these problems are fixed by booting up with a *nix bootable USB? Maybe because they are trying to make this more difficult with the next version of their OS.
Doesn't Microsoft Standalone System Sweeper Beta do the same thing?
It amazes me that people (especially those who call themselves IT experts) even accept or tolerate this sort of nonsense in the first place. No OS should be so defective by design as to even need this constant attention and mollycoddling all the time, far less so *constantly* demand it. And Windows fans actually just shrug and regard this as a minor, quirky feature of their chosen OS -- and utterly fail to understand why this is -- babbling on instead about "market share" or "Windows has these problems because it's so 'popular'"!
Microsoft needs to get acquainted with the idea of a *nix-style file system, users, groups, permissions and the true meaningful definition of the word "executable" in proper context -- then do some actual software engineering instead of popping out these useless, palliative measures which just annoy the user in the end and in the long run never even attempt to cure the underlying malady. It might "break" backward compatibility (actually I don't believe that) but would instantly cure a lot of the recurring problems associated with Windows. I speak as someone who has and still does write software for Windows and have done so since 1993 so it isn't even as if my opinion here is entirely baseless. This isn't MS bashing. I'm simply stating a fact.
If it were any other product other than software they wouldn't be allowed to sell it. It would be classed as dangerous.
Why so many people still go on just blindly and unquestioningly accepting that this product behavior is even remotely *normal* in software -- and then spend so much unproductive time patching and re-installing their crippled OS -- is utterly beyond reason. It's simply nucking futs!
Einstein, I think, said anyone who keeps doing the same thing over and over again, expecting a different outcome is insane. Gosh, it must be true.
Could not agree more!
Windows users have been guilty of accepting Microsoft's marketing that 'every' computer system has viruses and that they should pay again and again for keeping their machines secure.
If Microsoft hadn't thrown in the towel security-wise decades ago, the whole computer security landscape would be utterly different, and people would gasp in amazement at the thought of a new virus, just like they still do when some security company tries to insist that there might be an Apple virus 'real soon now'!
Yes, seriously grateful that this is the case, most off the shelf OSes are crap, or otherwise I would have to do some other kind of work.