Advanced Malware Cleaning

Found this video the other day on Technet of an updated video of Mark Russinovich teaching techies how to clean malware: http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

NOTE: If you want an offline copy, use URL Snooper to get the hidden URL, then use a trial version of HiDownload to download it.  I’ve provided a local copy on my web site here.  Make sure to right-click the file, do a target save-as to save it to your PC instead of streaming it.

– Soli Deo Gloria

More Tools to Fight Malware and Viruses

As time passes, viruses and malware are getting very hard to clean up while Windows is running.  Therefore, we need some tools that do offline virus scanning.  Correction: FREE tools.  After doing some research, I have found some very decent products for doing this.

One is the F-Secure Rescue CD version 3.01.  This is a Linux-based rescue disc that can read/write NTFS partitions. The CD supports updating the virus definitions either via the Internet or a USB stick.  It appears that F-Secure is using the Kaspersky engine for detecting viruses, and according to VB100, Kaspersky ranks up there with ESET.  The CD will rename infected files with a file extension of .virus, but will not delete or disinfect them.  I tried the manual update routine by downloading http://download.f-secure.com/latest/fsdbupdate.run to a USB stick.  I placed the USB stick in the computer, booted from the CD and it found the updates right away during the boot process.  This is very useful, especially if the CD fails to find a NIC driver for your PC.  I tried the Internet auto-updating on a Dell Optiplex 745 and GX280: both worked flawlessly.

A similar CD is available from BitDefender called BitDefender Rescue CD 2008.  The CD actually boots to a screen that says BitDefender 2009. This CD is also Linux-based.  The virus tests run by VB100 show a less stellar product than F-Secure.  The CD, however, has a bit more functionality.  The CD boots to an X Window environment with Firefox and a file manager called Midnight Commander. You can also manually update virus definitions by running a script from the desktop.  It appears, however, that you have to have Internet access to update the virus definitions whether using the manual script or automatic update.  BitDefender gives you options for each suspect file found: leave alone or delete.

Since I was already using a WinPE 2.0 disc to push out images, I wanted to find a free solution I could add to this disc.
(WinPE 2.0 is available for free in the latest WAIK: see http://www.svrops.com/svrops/articles/winvistape2.htm)

Sophos has a free command-line scanner called Sophos SAV32CLI at http://www.sophos.com/support/knowledgebase/article/13251.html.  Sophos ranks very well at the VB100. I suggest throwing it on a network share and then just mapping a drive to that network share.  You can also use USB drives in WinPE 2.0, so you can also place the files on a USB stick.  The readme.txt lists all of the command line options you can use, but I simply use “X:\av\sophos\sav32cli.exe -di -dn C:”. This tells Sophos to show the filenames that it is scanning and to disinfect all the infected files it finds. There’s also a logging option “-p=” you can use to write the results to a file, or simply put a pause statement after this command if you are running the program from a batch file. Virus updates (IDE files) are available at http://www.sophos.com/downloads/ide/.  Use the ZIP file version, as the self-extracting file does NOT work on Vista/Server 2003.  The command line version goes out of date after 3 months, so make sure you download a new copy or the new IDEs won’t work after a while.

McAfee has a command line scanner and virus definitions in their SuperDat virus files.  Download the SuperDat exe from ftp://ftp.nai.com/pub/antivirus/superdat/intel/.  Then extract the SuperDat file using the “/e” switch, for example: “sdat5569.exe /e”.  To scan the C: drive, you can use “scan c: /clean /winmem”.  There is a GUI wrapper included with BartPE for the McAfee scanner if you want a GUI.

Update: As of 4/1/10, this trick no longer works.  They removed scan.exe, messages.dat, etc. from the SuperDat file.  You must now download vscl-w32-6.0.1-l.zip (McAfee Command Line Tools) from McAfee’s site using a grant number to get scan.exe.

Trend Micro has a program called Trend Micro System Cleaner.  This is a portable program that uses the regular spyware and virus definitions that their regular AV programs use.  Trend Micro is not rated at VB100, but seems like a very decent product. You will need to manually download the virus and spyware definitions yourself.  Their web page is a bit confusing for updating the virus/spyware definitions, but upon running the program for the first time, it will give you the URL locations of what to download.  Currently, the virus definitions are lpt$vpn.XXX in ZIP format as lptXXX.ZIP from http://www.trendmicro.com/download/viruspattern.asp. The spyware definitions are ssapiptn.da5 in ZIP format as ssapiptnXXX.ZIP from http://www.trendmicro.com/download/spywarepattern.asp.

Upon running the scan from TSC in WinPE 2.0, I got an error message saying installation failed, but the program went on without any problems.  You will, however, need to run this from writable media, such as a USB stick or a network drive with write access.

EmsiSoft has a neat command-line scanner called a2cmd.  a2cmd can be downloaded here.  You can run a scan by running a2cmd C: /deep /dq.  To update the signatures, you simply need to be connected to the Internet and then run a2cmd /u.
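Here is an added example (my own batch wrapper, not something shipped by Sophos, McAfee or EmsiSoft) that ties the three command-line scanners above together from a WinPE 2.0 disc: it maps the share, runs each scanner against the offline C: volume, keeps a log per scanner, and pauses so you can read the results.  The share name \\server\av, the sophos, mcafee and emsisoft folder names under it, and the X: drive letter are assumptions; change them to match your setup.

```batch
@echo off
rem Added example (not from the original post): WinPE 2.0 wrapper around the
rem command-line scanners described above.  Assumed layout (edit to taste):
rem   \\server\av        share holding the scanners and their signatures
rem   X:                 drive letter mapped to that share (also holds logs)
rem   X:\sophos          sav32cli.exe plus current IDE files
rem   X:\mcafee          scan.exe extracted from the SuperDat (sdatXXXX.exe /e)
rem   X:\emsisoft        a2cmd.exe
rem   C:                 the offline Windows volume being cleaned
set AVSHARE=\\server\av
set AVDRIVE=X:
set TARGET=C:
set LOGDIR=%AVDRIVE%\logs

rem Map the share first; without it none of the scanners are reachable.
net use %AVDRIVE% %AVSHARE% /persistent:no
if errorlevel 1 (
    echo Could not map %AVDRIVE% to %AVSHARE%
    goto :end
)
if not exist %LOGDIR% mkdir %LOGDIR%

rem Sophos SAV32CLI: -di disinfect, -dn show file names, -p= write a log.
rem Remember the IDE files and sav32cli.exe itself go stale after 3 months.
echo === Sophos SAV32CLI ===
%AVDRIVE%\sophos\sav32cli.exe -di -dn -p=%LOGDIR%\sophos.log %TARGET%
echo Sophos finished with exit code %errorlevel% (meaning is in readme.txt)

rem McAfee scan.exe: /clean disinfects, /winmem also checks loaded memory.
rem Output is redirected to a file because the switches above print to screen.
echo === McAfee scan.exe ===
%AVDRIVE%\mcafee\scan.exe %TARGET% /clean /winmem > %LOGDIR%\mcafee.log
echo McAfee finished with exit code %errorlevel%

rem EmsiSoft a2cmd: update signatures if the PE disc has Internet access,
rem then run a deep scan.  /dq deletes/quarantines what it finds.
echo === EmsiSoft a2cmd ===
%AVDRIVE%\emsisoft\a2cmd.exe /u
%AVDRIVE%\emsisoft\a2cmd.exe %TARGET% /deep /dq > %LOGDIR%\a2cmd.log
echo a2cmd finished with exit code %errorlevel%

:end
echo Logs are in %LOGDIR%
pause
```

Run it from a writable location (the mapped share or a USB stick) so the log files can be created, as the Trend Micro note below also requires.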

Microsoft released a new standalone virus scanning tool in April 2011 called the Microsoft Safety Scanner. The download expires after 10 days.  It did not work in the WinPE 3.0 disc I tried, but it did work in the disc I built from the Win7PE project from reboot.pro.

Still in beta, but handy nonetheless: Microsoft Standalone System Sweeper. This tool will download WinPE + the standalone system sweeper and definitions (the same one that comes with Microsoft DaRT 6.x and beyond) and build an ISO for you, for FREE! Now you can boot from a clean WinPE CD and disinfect your PC in safety.

Now that I have described the elaborate ways to download the programs and the signatures that go along with them, there is a really easy way of having it done for you: Multi-AV Scanning Tool.  This web site is in another language, but you should be able to find the download link (look for Download von www pctipp.ch on the bottom of the page). You run the program, which will extract to C:\AV-CLS.  From there, just run the menu options for each and it downloads the programs and the signatures automatically.

There is an Avira command line scanner that is available with this toolkit, with a hbedv.key license file generated specifically for this tool.  The Kaspersky version that comes with this toolkit is the DOS version and won’t run on WinPE or under x64 operating systems (the author says he will remove it in future versions).

There is another program that does nearly the same thing, but unfortunately it deletes the signatures when it is done scanning the drive.  This program is called AVERT.  I prefer using the Multi-AV Scanning Tool for this reason.

These products do not work in WinPE 2.0, but can be quite useful within Windows:

MalwareBytes Anti-Malware: One of the best spyware scanners I have found. Malwarebytes Anti-Malware can be found at http://www.malwarebytes.org/.  Note that the free version just has the scanning ability.  If you want the realtime access protection, you will need to purchase the program.

SUPERAntispyware Portable: Similar to Malwarebytes, but in a portable version.  I like the speed at which it scans and how it empties the recycle bin after cleaning the files so you don’t find the dormant infection again.

– Soli Deo Gloria