Tuesday, May 29, 2012

Scan a Windows PC for Viruses from a Ubuntu Live CD



Getting a virus is bad. Getting a virus that causes your computer to crash when you reboot is even worse. We’ll show you how to clean viruses from your computer even if you can’t boot into Windows by using a virus scanner in a Ubuntu Live CD.
There are a number of virus scanners available for Ubuntu, but we’ve found that avast! is the best choice, with great detection rates and usability.
Unfortunately, avast! does not have a proper 64-bit version, and forcing the install does not work properly. If you want to use avast! to scan for viruses, then ensure that you have a 32-bit Ubuntu Live CD.
If you currently have a 64-bit Ubuntu Live CD on a bootable flash drive, it does not take long to wipe your flash drive and go through our guide again and select normal (32-bit) Ubuntu 9.10 instead of the x64 edition. For the purposes of fixing your Windows installation, the 64-bit Live CD will not provide any benefits.
Once Ubuntu 9.10 boots up, open up Firefox by clicking on its icon in the top panel.
On the avast! website, click on the Download tab, and then click on the link to download the DEB package.
Save it to the default location.
While avast! is downloading, click on the link to the registration form on the download page. Fill in the registration form if you do not already have a trial license for avast!.
By the time you’ve filled out the registration form, avast! will hopefully be finished downloading.
Open a terminal window by clicking on Applications in the top-left corner of the screen, then expanding the Accessories menu and clicking on Terminal.
In the terminal window, type in the following commands, pressing enter after each line.
cd Downloads
sudo dpkg -i avast*
This will install avast! on the live Ubuntu environment.
The updated virus database needs a larger shared-memory segment than the kernel's default kernel.shmmax allows, so, while still in the terminal window, raise the limit for this live session (the change is not persistent, which is fine on a Live CD):
sudo sysctl -w kernel.shmmax=128000000
Now we’re ready to open avast!. Click on Applications on the top-left corner of the screen, expand the Accessories folder, and click on the new avast! Antivirus item.
You will first be greeted with a window that asks for your license key. Hopefully you’ve received it in your email by now; open the email that avast! sends you, copy the license key, and paste it in the Registration window.
avast! Antivirus will open. You’ll notice that the virus database is outdated.
Click on the Update database button and avast! will start downloading the latest virus database.
To scan your Windows hard drive, you will need to “mount” it. While the virus database is downloading, click on Places on the top-left of your screen, and click on your Windows hard drive, if you can tell which one it is by its size.
If you can’t tell which is the correct hard drive, then click on Computer and check out each hard drive until you find the right one. When you find it, make a note of the drive’s label, which appears in the menu bar of the file browser.
Also note that your hard drive will now appear on your desktop.
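The Places menu mounts the Windows volume read/write. The following is an added example, not part of the original article, that does the same step from the terminal: it parses the output of blkid to find the NTFS partitions and builds a read-only, noexec ntfs-3g mount command for each, so the scan cannot write to the suspect disk (ntfs-3g also refuses a read/write mount of a volume that Windows left hibernated, which a crashed PC often has). The blkid sample and the /media mount-point names are constructed; run it with sudo inside the live session to see the real commands. It avoids Python-3-only syntax so that it also runs on the Python 2.6 that Ubuntu 9.10 ships.

```python
"""Find the Windows (NTFS) partitions visible from the live session and build
read-only mount commands for them.

Added example; not part of the original article. parse_blkid() reads the
output of blkid(8); SAMPLE_BLKID is constructed.
"""
import re
import subprocess

# One blkid line looks like:  /dev/sda2: LABEL="Windows" UUID="..." TYPE="ntfs"
BLKID_LINE = re.compile(r'^(\S+):\s*(.*)$')
ATTR = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample of blkid output: a Windows disk (sda) and the live stick (sdb).
SAMPLE_BLKID = """\
/dev/sda1: LABEL="System Reserved" UUID="1C2A3B4C5D6E7F80" TYPE="ntfs"
/dev/sda2: LABEL="Windows" UUID="A1B2C3D4E5F60718" TYPE="ntfs"
/dev/sdb1: LABEL="Ubuntu 9.10 i386" TYPE="iso9660"
/dev/sdb2: UUID="3E4F-5A6B" TYPE="vfat"
"""


def parse_blkid(text):
    """Return [(device, label, fstype)] for each parsable line of blkid output."""
    parts = []
    for line in text.splitlines():
        m = BLKID_LINE.match(line.strip())
        if not m:
            continue
        attrs = dict(ATTR.findall(m.group(2)))
        parts.append((m.group(1), attrs.get('LABEL', ''), attrs.get('TYPE', '')))
    return parts


def ntfs_partitions(text):
    """Only the NTFS volumes, i.e. the Windows candidates: [(device, label)]."""
    return [(dev, label) for dev, label, fstype in parse_blkid(text) if fstype == 'ntfs']


def mount_command(device, label):
    """Shell command that mounts the volume read-only under /media/<label>.

    ro: the scan must not write to the suspect disk (and ntfs-3g refuses a
    read/write mount of a volume Windows left hibernated anyway).
    noexec,nosuid,nodev: nothing on that volume can be executed from the
    live session while you work on it.
    """
    name = re.sub(r'[^A-Za-z0-9_.-]+', '_', label).strip('_') or device.rsplit('/', 1)[-1]
    return ('mkdir -p /media/%s && mount -t ntfs-3g -o ro,noexec,nosuid,nodev %s /media/%s'
            % (name, device, name))


def main():
    """Run blkid on this machine (root needed for complete output) and print the
    mount commands so they can be reviewed before being run."""
    try:
        out = subprocess.Popen(['blkid'], stdout=subprocess.PIPE).communicate()[0]
    except OSError:
        print('blkid not found; run this inside the live session with sudo')
        return
    for device, label in ntfs_partitions(out.decode('utf-8', 'replace')):
        print(mount_command(device, label))


if __name__ == '__main__':
    main()
```

Once a volume is mounted this way it appears under /media just like the Places mount does, so the rest of the article (adding /media/<label> as a scan location) is unchanged.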
By now, your virus database should be updated. At the time this article was written, the most recent version was 100404-0.
In the main avast! window, click on the radio button next to Selected folders and then click on the “+” button to the right of the list box. It will open up a dialog box to browse to a location.
To find your Windows hard drive, click on the “>” next to the computer icon. In the expanded list, find the folder labelled “media” and click on the “>” next to it to expand it. In this list, you should be able to find the label that corresponds to your Windows hard drive.
If you want to scan a certain folder, then you can go further into this hierarchy and select that folder. However, we will scan the entire hard drive, so we’ll just press OK.
Click on Start scan and avast! will start scanning your hard drive.
If a virus is found, you’ll be prompted to select an action. If you know that the file is a virus, then you can Delete it, but there is the possibility of false positives, so you can also choose Move to chest to quarantine it.
When avast! is done scanning, it will summarize what it found on your hard drive. You can take different actions on those files at this time by right-clicking on them and selecting the appropriate action. When you’re done, click Close.
Your Windows PC is now free of viruses, in the eyes of avast!. Reboot your computer and with any luck it will now boot up!
Alternatives to avast!
If avast! and a liberal amount of Googling don’t fix your problem, it’s possible that a different virus scanner will fix your obscure issue.
Here is a list of other virus scanners available for Ubuntu that are either free or offer free trials. See their support forums for help on installing them.
Conclusion
Running avast! from a Ubuntu Live CD can clean the vast majority of viruses from your Windows PC. This is another reason to always have a Ubuntu Live CD ready just in case something happens to your Windows installation!

Use Autoruns to Manually Clean an Infected PC



There are many anti-malware programs out there that will clean your system of nasties, but what happens if you’re not able to use such a program?  Autoruns, from SysInternals (recently acquired by Microsoft), is indispensable when removing malware manually.
There are a few reasons why you may need to remove viruses and spyware manually:
  • Perhaps you can’t abide running resource-hungry and invasive anti-malware programs on your PC
  • You might need to clean your mom’s computer (or someone else who doesn’t understand that a big flashing sign on a website that says “Your computer is infected with a virus – click HERE to remove it” is not a message that can necessarily be trusted)
  • The malware is so aggressive that it resists all attempts to automatically remove it, or won’t even allow you to install anti-malware software
  • Part of your geek credo is the belief that anti-spyware utilities are for wimps
Autoruns is an invaluable addition to any geek’s software toolkit.  It allows you to track and control all programs (and program components) that start automatically with Windows (or with Internet Explorer).  Virtually all malware is designed to start automatically, so there’s a very strong chance that it can be detected and removed with the help of Autoruns.
We have covered how to use Autoruns in an earlier article, which you should read if you need to first familiarize yourself with the program.
Autoruns is a standalone utility that does not need to be installed on your computer.  It can be simply downloaded, unzipped and run (link below).  This makes it ideally suited for adding to your portable utility collection on your flash drive.
When you start Autoruns for the first time on a computer, you are presented with the license agreement:
Sysinternals License Terms
After agreeing to the terms, the main Autoruns window opens, showing you the complete list of all software that will run when your computer starts, when you log in, or when you open Internet Explorer:
Autoruns window
To temporarily disable a program from launching, uncheck the box next to its entry.  Note: this does not terminate the program if it is running at the time; it merely prevents it from starting next time.  To permanently prevent a program from launching, delete the entry altogether (use the Delete key, or right-click and choose Delete from the context menu).  Note: this does not remove the program from your computer; to remove it completely you need to uninstall the program (or otherwise delete it from your hard disk).
Suspicious Software
It can take a fair bit of experience (read “trial and error”) to become adept at identifying what is malware and what is not.  Most of the entries presented in Autoruns are legitimate programs, even if their names are unfamiliar to you.  Here are some tips to help you differentiate the malware from the legitimate software:
  • If an entry is digitally signed by a software publisher (i.e. there’s an entry in the Publisher column) or has a “Description”, then there’s a good chance that it’s legitimate.  Bear in mind that the Publisher text comes from the file’s own version information, which malware can fill in; turn on Options > Verify Code Signatures so that Autoruns actually checks the signature and prefixes the publisher with “(Verified)” or “(Not verified)”
  • If you recognize the software’s name, then it’s usually okay.  Note that occasionally malware will “impersonate” legitimate software by adopting a name that’s identical or similar to software you’re familiar with (e.g. “AcrobatLauncher” or “PhotoshopBrowser”).  Also, be aware that many malware programs adopt generic or innocuous-sounding names, such as “Diskfix” or “SearchHelper” (both mentioned below).
  • Malware entries usually appear on the Logon tab of Autoruns (but not always!)
  • If you open up the folder that contains the EXE or DLL file (more on this below) and examine the “last modified” date, the dates are often from the last few days (assuming that your infection is fairly recent)
  • Malware is often located in the C:\Windows folder or the C:\Windows\System32 folder
  • Malware often only has a generic icon (to the left of the name of the entry)
If in doubt, right-click the entry and select Search Online…
The list below shows two suspicious looking entries:  Diskfix and SearchHelper
These entries, highlighted above, are fairly typical of malware infections:
  • They have neither descriptions nor publishers
  • They have generic names
  • The files are located in C:\Windows\System32
  • They have generic icons
  • The filenames are random strings of characters
  • If you look in the C:\Windows\System32 folder and locate the files, you’ll see that they are some of the most recently modified files in the folder (see below)
Suspicious entries in System32 folder
Double-clicking on the items will take you to their corresponding registry keys:
Suspicious entries in Registry
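The warning signs above can be turned into a checklist. The following is an added example, not code from the article or from Sysinternals: it scores entries exported to a CSV against those signs and flags the ones that trip several at once, since no single sign is proof on its own. The column names Entry, Description, Publisher, Image Path and Modified, the date format, and a bare file path in Image Path are assumptions (an Autoruns export uses its own column names, so map them first). The sample rows, including the two suspicious entries, are constructed.

```python
"""Score autostart entries against the warning signs listed above.

Added example; not code from the article or from Sysinternals. Reads a CSV
with the columns Entry, Description, Publisher, Image Path and Modified
(assumed names and formats) and returns rows that trip several warning signs.
SAMPLE_CSV and SAMPLE_NOW are constructed.
"""
import csv
import io
import ntpath
import re
from datetime import datetime

# Directories the article names as common drop points (matched exactly, so a
# file in C:\Windows\System32\drivers does not count).
SUSPECT_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Brand names malware borrows ("AcrobatLauncher") and generic stems ("Diskfix").
LOOKALIKE = re.compile(r"acrobat|adobe|photoshop|java|flash|microsoft|windows", re.I)
GENERIC = re.compile(r"^(disk|search|sys|svc|update|install|help)\w*$", re.I)


def looks_random(stem):
    """Made-up filenames tend to have digits scattered among letters ('kj3d9s')
    or long consonant runs ('xkqzhwpn'); a trailing version number such as
    'rundll32' is not treated as random."""
    s = stem.lower()
    if re.search(r"[a-z][0-9]+[a-z]", s):
        return True
    runs = re.findall(r"[b-df-hj-np-tv-z]+", s)
    return max([len(r) for r in runs] + [0]) >= 5


def score_entry(row, now, recent_days=7):
    """Return (score, reasons) for one entry; each warning sign adds one point."""
    reasons = []
    entry = row.get("Entry", "").strip()
    publisher = row.get("Publisher", "").strip()
    description = row.get("Description", "").strip()
    directory, filename = ntpath.split(row.get("Image Path", "").strip())
    stem = ntpath.splitext(filename)[0]
    # "(Verified)" is what Autoruns shows once Verify Code Signatures is on.
    verified = publisher.lower().startswith("(verified)")

    if not publisher:
        reasons.append("no publisher")
    elif not verified:
        reasons.append("publisher string present but signature not verified")
    if not description:
        reasons.append("no description")
    if directory.lower() in SUSPECT_DIRS:
        reasons.append("lives directly in " + directory)
    modified = row.get("Modified", "").strip()
    if modified:
        age = now - datetime.strptime(modified, "%Y-%m-%d %H:%M")
        if age.days < recent_days:
            reasons.append("file modified %d day(s) ago" % age.days)
    if looks_random(stem):
        reasons.append("random-looking filename " + filename)
    if GENERIC.match(entry):
        reasons.append("generic entry name")
    if LOOKALIKE.search(entry) and not verified:
        reasons.append("borrows a brand name without a verified signature")
    return len(reasons), reasons


def triage(csv_text, now, threshold=3):
    """Entries scoring at or above threshold, highest score first:
    [(entry, score, reasons)]."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = score_entry(row, now)
        if score >= threshold:
            flagged.append((row["Entry"], score, reasons))
    flagged.sort(key=lambda item: -item[1])
    return flagged


# Constructed sample modelled on the Diskfix/SearchHelper case above, plus two
# legitimate entries and a look-alike name. The clock is fixed so the age check
# is reproducible.
SAMPLE_NOW = datetime(2010, 4, 7, 12, 0)
SAMPLE_CSV = """\
Entry,Description,Publisher,Image Path,Modified
Adobe Reader Speed Launcher,Adobe Acrobat SpeedLauncher,(Verified) Adobe Systems Incorporated,C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe,2009-07-14 01:39
ctfmon.exe,CTF Loader,(Verified) Microsoft Corporation,C:\\Windows\\System32\\ctfmon.exe,2009-07-14 01:39
Diskfix,,,C:\\Windows\\System32\\xkqzhwpn.exe,2010-04-06 03:12
SearchHelper,,,C:\\Windows\\System32\\srchlpr32.dll,2010-04-06 03:12
AcrobatLauncher,,,C:\\Windows\\acrobatlauncher.exe,2010-04-05 22:41
"""

if __name__ == "__main__":
    for entry, score, reasons in triage(SAMPLE_CSV, SAMPLE_NOW):
        print("%-28s score %d: %s" % (entry, score, "; ".join(reasons)))
```

The legitimate ctfmon.exe entry scores one point (it lives in System32) and is not flagged; the two suspicious entries score six and the look-alike five. The threshold is deliberately a parameter: on a machine full of unsigned but harmless utilities you will want it higher, and on a freshly infected one lower.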
Removing the Malware
Once you’ve identified the entries you believe to be suspicious, you now need to decide what you want to do with them.  Your choices include:
  • Temporarily disable the Autorun entry
  • Permanently delete the Autorun entry
  • Locate the running process (using Task Manager or similar) and terminate it
  • Delete the EXE or DLL file from your disk (or at least move it to a folder where it won’t be automatically started)
or all of the above, depending upon how certain you are that the program is malware.
To see if your changes succeeded, you will need to reboot your machine, and check any or all of the following:
  • Autoruns – to see if the entry has returned
  • Task Manager (or similar) – to see if the program was started again after the reboot
  • Check the behavior that led you to believe that your PC was infected in the first place.  If it’s no longer happening, chances are that your PC is now clean
Conclusion
This solution isn’t for everyone and is most likely geared to advanced users. Usually a quality antivirus application does the trick, but if not, Autoruns is a valuable tool in your anti-malware kit.
Keep in mind that some malware is harder to remove than others.  Sometimes you need several iterations of the steps above, with each iteration requiring you to look more carefully at each Autorun entry.  Sometimes the instant that you remove the Autorun entry, the malware that is running replaces the entry.  When this happens, we need to become more aggressive in our assassination of the malware, including terminating programs (even legitimate programs like Explorer.exe) that are infected with malware DLLs.
Shortly we will be publishing an article on how to identify, locate and terminate processes that represent legitimate programs but are running infected DLLs, in order that those DLLs can be deleted from the system.

The Microsoft Security Essentials is Excellent Edition



Earlier this week, Microsoft released their completely free anti-virus/anti-spyware solution, and we already gave it a thorough review—but it deserves our official endorsement, and that’s right here.
That’s right, we’re officially recommending Microsoft Security Essentials as our free Anti-Malware utility of choice. Not only is it simple, easy to use, and effective—it also barely slows down the computer compared to some of the giant “suites” out there.
As a real-world test, I installed MSE and started downloading from some really shady sources—pirated video games, crack files, etc. I simply opened up the directory containing the files, and MSE had already detected the threat and offered to quarantine the files.
The same thing happened again when I tried to extract a pirated piece of software that contained a virus. (I specifically downloaded one containing a virus to test… but please, don’t try this at home). 
Of course, it should go without saying that you should STILL BE CAREFUL! when downloading files—you can’t simply trust your anti-malware utility to protect you all the time, because new threats come out daily. Don’t download from shady sources, don’t install crapware on your computer, and whatever you do… make sure to use a custom install and be prepared to uncheck the options for junk software when installing.

How To Remove Internet Security 2010 and other Rogue/Fake Antivirus Malware



If you have a PC infected with Internet Security 2010, you’re probably reading this article so you can understand how to get rid of it. Thankfully we’ve got the instructions to help you get rid of this awful thing.
Internet Security 2010 is just one of many fake antivirus applications, like Antivirus Live, Advanced Virus Remover, and others, that hold your computer hostage until you pay their ransom money. They tell you that your PC is infected with fake viruses, and prevent you from doing anything to remove them.
Note: If you just want the instructions to get rid of it, you’ll want to scroll down a bit.
Anatomy of an Infection
Normally these infections start with a popup message like this one, coming from a rogue site or malvertisement—and they are often served up from porn sites, though these viruses are not exclusively from there.
IMPORTANT NOTE
If you’re a regular How-To Geek reader, you’re probably savvy enough to know how to avoid actually installing these things, but there’s a good chance that your mom isn’t. If you’ve got a relative that doesn’t know what they are doing, here’s what you should tell them to do when they get a popup like this one:
HOLD DOWN THE POWER BUTTON FOR 10 SECONDS!
Seriously. If they really are infected with a real virus, powering off won’t be any worse. Some of these things are tricky and will try and install themselves no matter which way you click, and they look just like a real Windows error message. Powering off is just the simplest and best option for non-tech-savvy users. And yes, this is exactly what I tell my mom to do.
Moving Forward…
Once you click the popup message, you’ll be presented with a page that looks like your My Computer view, telling you that your PC is infected. Never mind that no real antivirus looks like this; regular PC users don’t know any better.
After a few seconds of this, you’ll be presented with a popup dialog in the web page that says your PC is infected, and you can click the button to Remove all. The dialog looks real, and can even be dragged around the page—in my research, this seems to be the point where most regular users get confused.
Once you’ve clicked it, you’ll be prompted to run an installer—which you might note has a number of warnings.
As soon as the installer is able to execute, you are infected.
You won’t be able to open up any applications…
And you can’t remove it from Control Panel.
Removing Rogue Fake Antivirus Infections (General Guide)
There are a couple of steps that you can generally follow to get rid of the majority of rogue antivirus infections, and actually most malware or spyware infections of any type. Here are the quick steps:
Those are the rules that normally work. Note that there are some malware infections that not only block safe mode, but also prevent you from doing anything at all. We’ll cover those in another article soon, so make sure to subscribe to How-To Geek for updates (top of the page).
Let’s Get to Removing Internet Security 2010
The first thing we’ll want to do is kill the virus that’s currently running on the system, and there’s a really easy way to kill Internet Security 2010 without downloading any special software just to kill it (we’ll still need to download something to clean it, however).
Open up the Start menu, click the Run button (or use the Win+R shortcut key), and then type in the following (taskkill’s /f forces termination and /im selects the process by its image name):
taskkill /f /im is2010.exe
Hit the Enter key, and the main virus window should go away. After you’ve done that, you’ll want to quickly execute the following commands:
taskkill /f /im winlogon86.exe
taskkill /f /im winupdate86.exe
At this point the virus isn’t running on your system, but it’s still lurking in the shadows. Now, however, you can run any malware removal tools that you’d like.
Use SUPERAntiSpyware to Clean the Malware
Now that we’ve killed off all those processes, we’ll get to removing the actual malware from the system by downloading SUPERAntiSpyware and installing it. You should be able to grab the full version, or you can use the portable variety that we’ve already recommended.
If you grabbed the full version, make sure to use the Check for Updates button, and then click the Scan Your Computer button… make sure to perform a Complete Scan, and select all of your drives. 
It should easily find and kill all of them. You’ll probably note that on this particular machine that I was using in the screenshot, there was a lot of other bad stuff that it caught as well. Woot!
Once it’s done, it’ll let you remove them all in a click, and then prompt you to reboot… don’t reboot yet; the job isn’t done!
Install Malwarebytes and Scan 
Next you’ll want to install MalwareBytes and run it, making sure to run a full scan. The main reason to do this is because there’s no way a single malware removal tool can know about every single piece of malware out there, and you may as well make sure your system is clean.
Install Microsoft Security Essentials
You should definitely install Microsoft Security Essentials and run another full scan once you’re done.
Note: If you used a thumb drive at any point during this process, you should make sure and scan that as well—I’ve had viruses hop over to the thumb drive, ready to infect the next machine.
Sidebar Note 
Here’s an interesting fact for you—the two processes that we killed earlier are actually from Advanced Virus Remover, another awful malware we’ve previously told you how to get rid of. Clearly they are both developed by the same jerk.
The winlogon86.exe seems to be mostly used to show messages like this one:
While winupdate86.exe is responsible for blocking you from opening other apps, and re-launching the main Internet Security 2010 window.
Note: Robert, one of our excellent readers, wrote in mentioning that you can often just leave this window open, and then continue to install any malware removal tools you like. Here’s what he had to say:
There is one little trick that you missed, that I mentioned on a different post that was similar to this one. When it pops up with the error message saying; “Application cannot be executed. File is infected.” ..etc… Simply *MOVE* that message box to the corner of the screen, and you can install SuperAntiSpyware just fine.
There appears to only be one instance of that “error message” that will run at any given time. You will get multiple errors, you won’t get that obnoxious sound that computer makes when it tells you that you can’t do that…. Now, if you hit “OK” you’re just asking for a headache.
Great tip Robert, and thanks for helping out the cause! I’ve tested this out, and it appears to be the case depending on which virus you are infected with—some of them are smarter and shut you down all the way.
What About You? Had any Virus-Killing Experiences?
Have you had any experience lately killing this virus, or other similar ones? Let us know in the comments, or feel free to email into the tips line at tips@howtogeek.com with your best method for killing these viruses. We’d love to hear your expert feedback!
Update
Looks like there might be some stronger versions of this thing out there – I would advise not rebooting after you run the initial SUPERAntiSpyware scan, and installing and running MalwareBytes right away. Also, you should check out the advice from all the readers in the comments below.

Enjoy Safer Web Browsing with WOT



Need a quick and easy way to tell if a website is bad news for you to visit?  With a quick installation, WOT (Web of Trust) provides security and peace of mind while browsing the Internet.
Note: At the moment, the fully functional version of WOT is only available for Mozilla Firefox and Internet Explorer. There is a limited function bookmarklet version available for Opera and Safari (link provided at bottom of article).
Bonus: See the result below for adding WOT to Google Chrome (version 3.0.190.4)!!
Setup in Firefox
The extension for Firefox installs in the same method as other extensions and once you have restarted your browser, you will see the following window asking you to accept the “WOT End-User Software License Agreement”. Click “Accept” to activate the WOT extension.
Once you have accepted the license agreement and Firefox has started, the WOT button will be located at the left side of the address bar (default location). As with other aspects of the Firefox interface, you can easily move the WOT button to a new location that best suits your needs.
The first thing that you will see in your browser window is the option to choose the level of protection that you desire. For our example, we have gone with the Basic (recommended) level. Click “Next”.
After choosing the level of protection that you desire, you will be given the option to create a WOT account. Not only will this give you access to all features, it will also give you the opportunity to rate websites that you browse or run across in your searches on the internet.
Note: You may click on the Red X to close the second window and WOT will still work without problems, but you will not have access to all available features.
For our Firefox example, here is the rating shown when visiting the How-To Geek website. All green and definitely all good!
For a more comprehensive look at how a website has been rated, click on the WOT button to show the WOT ratings window.
Setup in Internet Explorer
The setup process for Internet Explorer is similar to Firefox and uses an msi file. Before you can begin installation, you will have to accept the “End-User License Agreement”. The install process is then very quick and easy to finish up.
As with Firefox above, Internet Explorer will start and you will be asked to choose the level of protection that you desire. Click “Next”.  The location of the WOT button can be moved around the same as other toolbars on the Internet Explorer interface. For our example, it has been located on the right side below the address bar.
As above, you will have the opportunity to create a WOT account.
Note: You may click on the Red X to close the second window and WOT will still work without problems, but you will not have access to all available features.
Instead of visiting a singular website after installing WOT in Internet Explorer, we used Bing to conduct a web search for “anti spyware” in our example. As you can see, WOT is displaying a rating for each link shown in the search window (extremely nice!). This can certainly save you from getting an ugly surprise with a less than reputable website.
Here you can see the whole range of colors displaying with the links (green for the 1st, white for the 2nd, red for the 3rd & 5th, and yellow for the 4th).
Note: WOT also works nicely with other search engines as well (i.e. Google)!
A look at the WOT ratings window for Bing.
Setup in Opera and Safari
To add WOT to Opera and Safari, visit the link provided below and drag the bookmarklet into your browser’s Bookmarks Toolbar. In our example, the bookmarklet was added to Opera’s regular Bookmarks Menu and to the Bookmarks Toolbar in Safari.
To use the WOT bookmarklet, you will need to click on the WOT Bookmark to activate the WOT ratings window and then click on the WOT Bookmark again to deactivate it. Simple as that!
Note: The WOT bookmarklet worked very well whether it was located in the Bookmarks Toolbar or in the regular bookmarks in our example.
Here is a quick look at the bookmarklet version of WOT in Opera…
And in Safari…
An Experiment in Google Chrome
Out of curiosity, we decided to see if we could get the WOT bookmarklet to work in Google Chrome. The result? Success!
To get the bookmarklet to work in Chrome, right click on the Bookmarks Toolbar and select “Add page…”. You will see the following window open up. Name the new bookmark “WOT”, copy the link address for the Opera/Safari bookmarklet, and paste it into the URL area. Click “OK”.
Here is our new WOT bookmarklet working very nicely in Chrome! The bookmarklet works on the same “click to activate and click to deactivate” principle as in Opera and Safari.
Note: This works equally well in the newest release of Iron Browser (version 3.0.189.0)!
Different Levels of Warnings
As you visit different websites, you will run across different color ratings for those sites. What can you expect to see when the website in question causes the WOT button to display a different color than green? Here is a quick color reference guide…
If you see a Yellow color for a website, the page will display normally as shown below. You can continue to browse the website in question or close that particular tab or window. It will be a matter of your personal comfort levels with the website in question.
A quick look at the WOT ratings window for the website shown above.
If you happen to visit a website that displays a Red color, the entire browser window will look like the one below. This is a lot like the User Account Control window shading in Windows Vista and Windows 7.
Here you can see a display of the individual category ratings and the options to “Rate the site as safe” or “Ignore the warning and continue”. The best thing to do is close that particular tab or window and stay away from the website.
A quick look at the WOT ratings window for the problem website shown above. Ouch! Not good at all!
Here you can see a website that displays the White/Unknown color rating. Expanding the WOT ratings window shows that some categories have already been rated, but not enough ratings data has been collected on the website yet to give it a full color rating on the WOT button itself.
 
Conclusion
WOT is an extremely easy to use and valuable addition to any browser that only takes a few minutes to set up. Your peace of mind is definitely worth it. Relax and enjoy safer browsing!
Links
If you would like to help add to WOT’s website database, sign up for an account!