How do you remove malicious software (malware) from a Windows computer?
A Marx Brothers fan might say, "wrong, every time". That is, the correct strategy may well be not to attempt removal at all, but instead to back up all the files by booting to a Linux Live CD and then restore a non-infected copy of Windows, be it from a recent image backup or the factory fresh state.
But Star Trek fans want that third alternative. Something better than running anti-malware software inside the infected operating system (where the malicious software can defend itself), yet less drastic than a total re-install of the operating system.
Software such as Avira's AntiVir Rescue CD is that third alternative. Rather than try to poke a hole in the defenses set up by the malicious software, it uses an end-around approach. The infected copy of Windows never boots; instead, Linux is run from a bootable CD and that clean OS treats the internal hard drive as data and scans it for viruses, Trojans, and the like.
I'm a big fan of this approach and wrote a series of articles* last year about using The Ultimate Boot CD For Windows (UBCD4WIN), which not only includes a handful of anti-malware programs but can also enable networking on the infected system so that it can be scanned by your favorite antivirus programs over a LAN. Of the included anti-malware applications my favorites are SUPERAntiSpyware and AntiVir. Among the others are McAfee's Stinger and Spybot Search and Destroy.
But there are a couple of downsides to UBCD4WIN. One is that creating the CD can be confusing. At the least, it will be an unfamiliar process to many.
What got me to try the Avira AntiVir Rescue CD was that the last time I built a UBCD4WIN CD, the included copy of AntiVir refused to run (something about a licensing issue that I didn't feel like debugging).
Both UBCD4WIN and Avira's Rescue CD are free, but the process of creating Avira's CD is far more straightforward: you download a 78MB ISO file and burn it to a disc. Windows 7 makes this even easier, as all you need to do is right-click on the ISO file to see an option to burn it to an optical disc. If ISO files are intimidating, Avira also offers an EXE-based CD creator.
RESCUE IN ACTION
I tested Avira's Rescue CD on a Windows XP SP3 system. The machine was infected with a ransomware program and as a result it wouldn't do anything other than let the victim pay for the scam software. Even starting up Task Manager was intercepted.
The initial Avira screen is shown below. It's the only text mode screen you encounter; the rest of the user interface mimics that of their Windows software.
I was impressed with the screen resolution options. The rescue CD is Linux based, and should there be a problem with Linux's video hardware detection, these options let you force it to use a safe low resolution.
The second line ends with a date. In the example above, the CD was created December 1, 2010.
An online search that I ran ahead of time turned up a Tutorial for Avira Rescue CD at the Avira support forums. It's a good thing I read it beforehand since the user interface defaults to German. Clicking the British flag in the lower left corner changes it to English.
A number of things, however, seem to be lost in translation.
For one, the user interface tallies "records". As far as I can tell, this seems to be the number of virus infected files. Also, the "required time" appears to be the elapsed time of a scan.
Another important fact to know up-front is that the default behavior is to report on detected malware, but not to remove it.
This can be changed by clicking on the Configuration button, but, here too, language fails us. The default behavior is described as "protocol malware records only". Clear as mud. To remove viruses, change this to "Try to repair infected files" and opt to rename files that can't be removed.
My scan encountered quite a few errors.
Many of the errors were that a file could not be read. This is probably a defensive tactic put in place by the malicious software. Still, it seems reasonable to expect an antivirus application to be able to get around this sort of thing, especially since it's running under Linux, not Windows, where the malware has no running code to defend itself with.
At the very least, Avira should report the name of the files that couldn't be read. It did not.
There was also an error (number 2) that it couldn't read a "record". Even their own tutorial shows examples that include this error. Again, what's a record?
When it did find a virus, none of the infected files could be deleted. Fortunately, it was able to rename them.
I'm not sure why this would happen, but it must be a common occurrence as Avira provides a file rename option for repair type scans.
This might be an NTFS file name issue. I have seen Windows XP create files with strange names that it later can't delete. No malware involved at all.
In this case, I had copied the "C:/Documents and Settings" folder to an external hard drive and then moved it to a clean system with the intention of scanning it with another anti-malware application. First though, I went to delete the Internet Explorer cache files, only to find that many of them would not go away. Whatever this issue is, it's not unique to AntiVir.
In the end, I gave up on repairing the system in question and restored it to factory fresh state.
When the scan finished, the summary reported 15 alerts and 1 suspicious file, but the main user interface reported 16 records. I'm guessing they are the same.
The end of scan summary also included a message that it did not scan a file on "hdc" called initrd.gz because it was too big. What is hdc?
In Linux, "hd" refers to an IDE hard disk, and what comes afterwards is a drive sequence letter and a partition number. The C disk on the internal hard drive was "hda1". A name with no partition number, like "hdc", refers to a whole device rather than a partition, which fits an optical drive. Perhaps hdc was the CD drive?
All told, I'd rather run AntiVir from the Ultimate Boot CD for Windows. That said, I'm very grateful to Avira for providing their virus scanner as a free, self-booting CD.
Why AntiVir? I have recommended AntiVir both in print and in person. Just a few days ago, PC World reviewed antivirus programs and said AntiVir had "excellent malware detection and blocking". And I will never forget the first time I installed a recent copy of AntiVir and it warned me that I was running with Administrative rights. That is indeed a security risk and one that users should be warned about.
If you're wondering, the Avira Rescue CD can download updates over the Internet, but I didn't test this feature.
*The Best Way to Remove Viruses and Malware:
The version of AntiVir that I tested was 2.1.12_318. The VDF version (virus definition file?) was 18.104.22.168