How to remove stubborn PC viruses
This article was prompted by my experience the past two days with disinfecting one of my customer’s computers. He had managed to pick up the Trojan:Win64/Sirefef.Y infection, which typically produces this dialog box:
It also prevents the Windows Security Center from running, shuts off the Windows Firewall, and protects itself from removal by normal methods. One of the infection vectors is the use of an outdated Java runtime; more about that later.
So, over the course of the day, I tried the following:
- Microsoft Security Essentials: Detected but failed to remove due to the built-in protections.
- Malwarebytes Anti-Malware: Detected and removed, but failed to remove the built-in reinstaller.
- SuperAntiSpyware Portable: Failed to detect anything except adware cookies.
- Assorted other malware removers from Kaspersky and others.
So, with no effective results under my belt at this point, in desperation I turned to Microsoft. Now, anyone who knows me knows I am not Microsoft’s biggest fan. In fact, I’d have been perfectly happy if Bill Gates had sold used cars (along with Steve Jobs) instead of founding a software dynasty; but this article is credit where credit is due.
First, I had to download Windows Defender Offline (aka “WDO”) and burn it to a CD. Other options are making a DVD, or using a USB flash drive. Note: If you do this, be sure to do it immediately before using it, to ensure you have the latest updates. It should go without saying that you do this on a known “clean” (i.e., uninfected) PC.
Then I booted from the freshly-burned CD and did a full scan. The original Sirefef.Y infection was found and cleaned.
Ah, but we weren’t finished yet!
I copied services.exe from the C:\Windows\System32 folder on a “clean” machine onto a USB stick. Then, booting from the Ultimate Boot CD for Windows, I overwrote the one on the infected PC. This might not be a necessary step, but I work on the “belt and suspenders” theory; that made me confident that the file itself was not infected. Then, using UBCD4Win, I searched out and deleted all other copies of services.exe, to prevent the automatic reinstallation of the same virus.
Now the tricky part: I booted from the WDO CD again, and ran another full scan. It found and removed another 8 or 10 infections that had been hidden by the Sirefef.Y trojan! Without the second scan, I’d have unwittingly put the PC back into service and probably have found myself tearing my hair out, trying to find the subtle problems these other malware packages caused.
Next, I booted into the freshly-cleaned system, and used the System Protection applet to remove all existing restore points and create a new one.
Finally, after checking to make sure the Windows Security Center was running and Windows Firewall was on, I updated Microsoft Security Essentials and ran a full scan with that. No malicious software found!
Right now, I am making sure the same vulnerability is not exploited; I’ve deleted all Java runtime installations, and installed the latest (Java 7 Update 5), and Windows Updates are underway.
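The post-cleanup checks described above (stray copies of services.exe, the integrity of the one in System32, Security Center and Firewall state, restore points, and which Java runtimes are still installed) can be collected in one script so they are not forgotten on the next machine. The script below is an added example, not part of the original post; it only reports and never deletes anything, and it assumes it is run from an elevated PowerShell on the cleaned PC with the known-good services.exe from the clean machine available at the placeholder path E:\clean\services.exe.

```powershell
# Added verification script (not from the original article).
# Assumptions: elevated PowerShell 3.0+ on the cleaned PC; the known-good
# services.exe copied from the clean machine is at E:\clean\services.exe
# (placeholder path, change to suit). Report-only: nothing is deleted.
param(
    [string]$KnownGoodServicesExe = 'E:\clean\services.exe',
    [string]$SystemRoot = $env:SystemRoot
)

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this also works where Get-FileHash (PS 4.0+) is absent.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Dispose(); $sha.Dispose() }
}

function Test-ServicesExeIntegrity {
    # Compare the live System32\services.exe against the copy taken from a clean machine.
    $live = Join-Path $SystemRoot 'System32\services.exe'
    $liveHash = Get-Sha256Hex $live
    $goodHash = Get-Sha256Hex $KnownGoodServicesExe
    [pscustomobject]@{
        Path            = $live
        Sha256          = $liveHash
        MatchesKnownGood = ($liveHash -eq $goodHash)
    }
    # For an OS-level check, 'sfc /verifyonly' compares protected files to the component store.
}

function Get-StrayServicesExe {
    # Every services.exe on the system drive other than the legitimate one.
    # WinSxS legitimately holds component copies, so it is excluded; review the rest by hand.
    $legit = Join-Path $SystemRoot 'System32\services.exe'
    Get-ChildItem -Path "$env:SystemDrive\" -Filter 'services.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ine $legit -and $_.FullName -notlike "$SystemRoot\WinSxS\*" } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-SecurityCenterState {
    # wscsvc is the Windows Security Center service; Sirefef stops it and disables the firewall.
    Get-WmiObject Win32_Service -Filter "Name='wscsvc'" |
        Select-Object Name, State, StartMode
}

function Get-FirewallState {
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        Get-NetFirewallProfile | Select-Object Name, Enabled      # Windows 8 / 2012 and later
    } else {
        netsh advfirewall show allprofiles state                   # Windows 7 fallback
    }
}

function Get-JavaInstalls {
    # Enumerate installed Java runtimes from both 64-bit and 32-bit uninstall keys,
    # so an old JRE left behind next to the new one is visible.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

Write-Host '== services.exe integrity ==';   Test-ServicesExeIntegrity | Format-List
Write-Host '== other services.exe copies (review manually) =='; Get-StrayServicesExe | Format-Table -AutoSize
Write-Host '== Security Center service ==';  Get-SecurityCenterState | Format-Table -AutoSize
Write-Host '== Firewall ==';                 Get-FirewallState
Write-Host '== Restore points ==';           Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize
Write-Host '== Java runtimes installed ==';  Get-JavaInstalls | Format-Table -AutoSize
```

Run it once after the final clean scan and keep the output with the job notes: a services.exe hash that does not match the clean copy, a stopped wscsvc, a disabled firewall profile, or more than one Java runtime listed each means the cleanup is not finished.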
All in all, about 10 hours of work to fix a problem that would not have existed if Java had been kept up-to-date. I am a sad, but much more diligent, panda.