http://www.washingtonpost.com/wp-dyn/content/article/2010/04/05/AR2010040502436.html?wpisrc=nl_pmtech

The Cleanest Malware Scan
Lincoln Spector
PC World 
Monday, April 5, 2010; 1:19 PM 

Michael Gersten wants to be absolutely sure malware can't interfere with his 
security scan. 

No matter how good your security software, and how well you keep it up to date, 
there's always that nagging doubt: "What if some malicious program is 
interfering with my antivirus, protecting itself while hurting me?" 

That's a legitimate question, and it's one of the reasons I frequently 
recommend that people use a second malware scanner to supplement their main 
antivirus program (see One or Two Anti-Malware Programs? for details). But even 
that suggestion involves running a program already installed on your PC (and 
thus, possibly compromised), while something evil may be running in memory. 

I'm going to recommend two ways to scan for infection in a clean environment. 
Pick which makes the most sense to you, or--if you're really paranoid--use 
both. 

Only the minimum, basic code loads when you boot Windows into Safe Mode. It's a 
good bet your malware infection won't be running in this environment. 

On a safe computer, download the SUPERAntiSpyware Portable Scanner and save it 
to a flash drive. This self-contained malware scanner (in the form of a DOS 
.com executable file with a Windows user interface) is updated regularly, so 
you can assume the version you just downloaded is up-to-date. 

Then boot the suspect PC into Safe Mode. Press just before Windows starts 
loading (it may take a few tries to get the timing right), and select Safe Mode 
from the resulting menu. If you don't see a Safe Mode option, press . 

Once the PC is booted, insert the flash drive. Unlike Windows' normal mode, 
nothing automatic happens when you plug in a drive, but if you select Start 
then Computer (or My Computer) the drive will very likely be there. Open it, 
double-click the program file with a name that starts with SAS and ends with 
.COM. Once the program is up, click Scan your Computer. 

It's possible that your PC won't see a flash drive in Safe Mode--some do, some 
don't. If yours falls into the second category, boot it normally, then copy the 
SAS...COM file onto your desktop. Then boot into Safe Mode and run the scanner. 
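Before trusting the scan, it is worth confirming that the PC really came up in Safe Mode, since the whole point is that the malware should not be running. The following is an added example, not part of the original column or of SUPERAntiSpyware; it assumes Windows PowerShell 2.0 or later is available and uses two independent Windows indicators (the SM_CLEANBOOT system metric and the SAFEBOOT_OPTION environment variable), then lists removable drives so the flash drive holding the scanner can be located.

```powershell
# Added example (not from the PC World column). Assumes Windows PowerShell 2.0+.
# GetSystemMetrics(SM_CLEANBOOT) reports the boot mode without relying on WMI,
# which keeps the check usable in a minimal Safe Mode session.
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("user32.dll")] public static extern int GetSystemMetrics(int nIndex);
'@

function Get-SafeModeState {
    $SM_CLEANBOOT = 67   # 0 = normal boot, 1 = Safe Mode, 2 = Safe Mode with Networking
    $metric = [Win32.NativeMethods]::GetSystemMetrics($SM_CLEANBOOT)
    # Windows sets SAFEBOOT_OPTION (MINIMAL or NETWORK) only for Safe Mode boots
    $envOption = [Environment]::GetEnvironmentVariable('SAFEBOOT_OPTION')
    New-Object PSObject -Property @{
        CleanBootMetric = $metric
        SafeBootOption  = $envOption
        # Require both indicators to agree; a disagreement is treated as "not safe"
        InSafeMode      = ($metric -ne 0 -and -not [string]::IsNullOrEmpty($envOption))
    }
}

$state = Get-SafeModeState
if (-not $state.InSafeMode) {
    Write-Warning ("Not in Safe Mode (metric={0}, SAFEBOOT_OPTION='{1}'); " +
                   "reboot and choose Safe Mode before scanning.") -f
                   $state.CleanBootMetric, $state.SafeBootOption
    return
}

# Pure .NET drive enumeration (no WMI): show where the flash drive landed
[System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady } |
    ForEach-Object { "Removable drive {0} ({1})" -f $_.Name, $_.VolumeLabel }
```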

If Safe Mode doesn't seem quite safe enough, you can skip Windows altogether. 
To do so, on a safe computer download the F-Secure Rescue CD. 

This "CD" comes in the form of an .iso file (which itself comes inside a 
compressed .zip file). It's important that you open the .iso file with a program 
that knows how to burn a disc image; merely copying the file to a CD will not have 
the desired effect. When you double-click the .iso file, there's a good chance 
that some program on the computer will automatically load and ask for a CD-R 
onto which it can burn the image's contents. If that doesn't happen, download 
and install ISO Recorder. 

Once the disc is complete, place that disc in the PC you wish to scan and boot 
your PC off the CD. It will boot a text-based version of Linux. Using a wizard, 
F-Secure will update its database over the Internet, then scan your PC. 

At least, it can do that if it can find the Internet. Linux may not have access 
to any special drivers for your networking hardware, and certainly won't have 
your WiFi password. Your chances of getting through are greatly enhanced if you 
use ethernet. 

If you can't get an Internet connection, there's a workaround: On a healthy 
computer, you can download the latest update and put it onto a flash drive. The 
F-Secure Rescue CD manual (a .pdf in the .zip file) explains how. 

But the F-Secure Rescue CD comes with a very serious warning. If it has to 
alter Windows system files to clean your system, it may render Windows 
unbootable. That's something to consider before you decide to take this route. 

Add your comments to this article below. If you have other tech questions, 
email them to me at ans...@pcworld.com, or post them to a community of helpful 
folks on the PCW Answer Line forum. 