MS Security Essentials vs AVG vs Avast: Round 2
Earlier, in a post comparing MS Security Essentials, AVG and Avast, I recommended taking a look at MS Security Essentials as your best free antivirus. Since then, I've seen a lot of customers get re-infected with this antivirus solution installed. Meanwhile, Avast has made their registration process a lot easier. I now recommend Avast. Although Avast 5 Free lacks extra features like antispam, a sandbox, a Script shield, and a firewall, it's not crippled like AVG free because it still detects rootkits.
Anyone think Avira beats out Avast 5 Free? Leave a message in the comments if you have anything to add regarding these two.
BSOD Virus Recovery
After a virus removal, your computer may BSOD on the next boot due to registry changes that the virus made. Windows is looking at a corrupt registry, and it may point to a virus-infected file that was removed. At this point, restoring to the earliest registry backup on the system can be a quick fix.
Update: Thanks, drew010 for suggesting the Ultimate Boot CD's Registry Restore Wizard: "It just looks for registry backups taken by system restore and in two clicks allows you to restore the registry to any available restore date. It has saved me many times."
MS Security Essentials vs AVG vs Avast
Is it time to begin recommending Microsoft Security Essentials over AVG and Avast? AVG is easy to use, but the free version is somewhat crippled (no rootkit detection). Avast includes rootkit detection, but does not seem to scan the registry and has a user-unfriendly UI.
[Image: Microsoft Security Essentials screenshot]
MS Security Essentials won't nag users to upgrade, has minimal required user interaction, and includes rootkit protection.
Safe PC Online Scan: Bogus Alert
Today I ran into a new fake antivirus scanner, "Safe PC Online Scan". It's just like the other fake online alerts, but now with 50% more trickery and deception. On visiting the page, I'm redirected to an alert dialog. Screenshots 1 through 4 (click them to see the full-sized images) show how it works.
- 1. The first message I saw. I clicked the “X” to close it.
- 2. My browser goes full-screen, giving the impression I’m now in Windows Explorer! It looks like a virus scanner is running. Again, I clicked “X” to close the new dialog…
- 3. OMG! Is Windows telling me I’m actually infected? Browser popups can’t look like this so it must be Windows, right? On attempting to close the dialog, I initiate a download.
- 4. By clicking “X”, I was actually initiating a download!
Unlike other fake online AV scanners, this one managed to resize Firefox 3.5 to full-screen, creating the impression that Windows Explorer just opened. It creates a very convincing illusion of an AV scanner running, and if that doesn't convince the victim, it follows up with a fake Windows security alert. Clicking just about anything causes a download to initiate. Even attempts to close dialog boxes initiate downloads, bypassing normal Firefox security mechanisms.
Additional Tools
In addition to the recommended virus removal tools, bring the following to on-site jobs:
- a Linux Live CD
- an external hard drive
- your laptop
Your Live CD and external hard drive can help you to recover files from crashed computers on site.

Recommended Virus Removal Tools
Your virus removal arsenal consists of tools for detecting and removing viruses, spyware and adware, rootkits, keyloggers, and every other nasty program and process known as "malware" (malicious software).
Ultimate Virus Removal Arsenal
The ultimate virus removal arsenal can be downloaded for free. The catch is you have to create and maintain it yourself.
Anti-Virus, Adware, Spyware
- Avast Home - Avast includes rootkit detection abilities. It includes boot-time scanning.
- AVG Free installer - Anti-Virus and Spyware in one, but no rootkit detection in the free version. You might choose to leave this installed on your client's computer if she doesn't already have antivirus software.
- Malwarebytes' Anti-Malware - Catches malware that others often miss. Quick.
- SuperAntiSpyware - An up-and-coming malware remover.
- Spybot Search and Destroy - a malware scanner / remover.
- Lavasoft Ad-Aware - another malware scanner / remover.
- Kaspersky - One of the best. Try their free scanner trial.
- Nod32 - Second only to Kaspersky. Get their free trial.
- HijackThis - Unlike the other utilities, this program works by comparing the computer to a clean, spyware-free environment, and shows what's different. Removal is up to you.
- Spyware Doctor - get their free trial; it should be used to confirm that you removed everything, since the free version will not perform removal.
- Virus and Spyware Definitions - in case you travel to areas without Internet access, bring the latest definitions with you (often available as a separate download for each program).
Anti-Rootkit
- F-Secure Black Light - easy to use rootkit scanner. The online scanner includes removal capability.
- GMER - an application that detects and removes rootkits.
- IceSword - A hard-core tool - instructions for use.
- Panda AntiRootkit - Rootkit detection and deactivation.
- Darkspy - test version available (risky).
- Rootkit Revealer - from trusty Windows Sysinternals, this program requires manual interpretation of the results (but you can usually Google for the meaning). Also, it does not perform cleaning - it's a detection-only utility.
- Sophos Anti-Rootkit - Simple detection and removal.
General Utilities
- Process Explorer - a system monitoring utility like Task Manager, only more powerful and helpful with virus removal!
[Image: Process Explorer shows you what's running]
- Autoruns - find out what programs run automatically.
- Ultimate Boot CD - This includes as many diagnostic utilities as will fit on a single CD. You can't always be sure what's causing the problem (is it malware, faulty RAM, or a bad hard drive?).
These utilities will help you practice virus removal in your own lab environment. Check the licensing agreements first to see how you are permitted to use these tools.
Create a Virus Removal Lab and Practice… a Lot.
Practice virus and spyware removal on your own systems first! Learn to become a malware removal expert in your own lab environment, and get the confidence and skill to take on the latest threats. Here's what you'll need:
- a Windows XP computer (512 MB RAM, P4 recommended)
- internet connectivity
- (optional) a removable hard drive and backup software like Norton Ghost or Acronis
If you have these supplies, the rest are free. Setting up your lab consists of:
- Installing Windows XP
- Creating a Utilities CD
- Backing up Your System
Installing Windows XP is self-explanatory and there are plenty of guides available.
Creating a utilities CD involves finding and installing the latest malware removal tools. See the Utilities CD link on the right.
Backing up Your System with Acronis or Ghost happens after you make absolutely sure you have no personal data on the computer. Get your system in a state where you are ready to load a virus on it, but don't do anything yet before backing up to a removable hard drive.
Now for the fun and danger. It's dangerous because you do not want to be connected to any Network, or you might inadvertently spread the virus to others. That's why you must follow three separate steps:
- Downloading the virus
- Disconnecting from the Network
- Executing the virus
[Image: Limewire, the easiest way to catch a virus]
Downloading the virus can be done using P2P software like Limewire. Typically, a large portion of these files are viruses, especially files labeled "keygen". You can use a free scanner like AVG to determine which of your downloads are viruses, and then save and label these samples on a CD or thumb drive (just be careful what you do with them).
Disconnecting from the Network. This means unplugging Ethernet cables, phone cables, and any other networking gear from your computer. Make sure to remove Wireless capability completely. You don't want to get blamed for spreading viruses, or even worse, hosting illegal material as a result of the virus infection.
Executing the Virus. This step is easy - run the really-harmful-virus.exe file on your quarantined lab computer. I recommend working on one virus at a time, so you can learn from your mistakes in a predictable, repeatable environment. If any certain virus gives you trouble, you can learn the best way to remove it, and you'll know which virus is causing you difficulty.
Next, you get to practice:
- Virus Detection
- Virus Removal
Virus Detection. Once you've executed the virus, you might be able to confirm that it is running as a new process using Process Explorer, a free tool. Or, if it uses rootkit cloaking mechanisms, then you get to explore your rootkit-detecting tactics.
Virus Removal. For special virus removal tactics, see the Removal Tactics link on the right.
If your lab computer ever becomes too corrupted, you can restore it to its earlier state using the optional backup software. Alternatively, you can format and reinstall Windows.
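The detection step above, and the HijackThis approach in the tools list (compare the machine to a known-clean state and show only what differs), can both be practiced with a small script in the lab. The following is an added example written for this post, not a tool from the original page or from any of the products it lists. It assumes you capture two text snapshots with the built-in Windows commands `tasklist /fo csv` and `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, once on the clean lab image and once after executing the sample; the snapshot text embedded below is constructed to mimic that output so the script runs offline.

```python
"""Baseline-vs-current comparison of running processes and Run-key autoruns.

Added example (not from the original post). Assumes snapshots produced by
`tasklist /fo csv` and `reg query HKLM\\...\\Run`; the sample text is constructed.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample: clean baseline captured before running anything.
BASELINE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"System Idle Process","0","Console","0","28 K"\n'
    '"explorer.exe","1288","Console","0","14,120 K"\n'
    '"svchost.exe","920","Console","0","4,212 K"\n'
)
BASELINE_RUN = (
    "\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    ctfmon    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe\n"
)

# Constructed sample: same lab machine after really-harmful-virus.exe was run.
CURRENT_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"System Idle Process","0","Console","0","28 K"\n'
    '"explorer.exe","1288","Console","0","14,120 K"\n'
    '"svchost.exe","920","Console","0","4,212 K"\n'
    '"svchost.exe","3104","Console","0","7,980 K"\n'
    '"really-harmful-virus.exe","3120","Console","0","2,310 K"\n'
)
CURRENT_RUN = (
    "\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    ctfmon    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe\n"
    "    lab-sample    REG_SZ    C:\\really-harmful-virus.exe\n"
)


def parse_tasklist(text):
    """Return a Counter of image names from `tasklist /fo csv` output.

    Names are counted instead of keyed by PID because PIDs change on every
    boot; a second svchost.exe is a difference worth looking at.
    """
    reader = csv.DictReader(io.StringIO(text))
    return Counter(row["Image Name"] for row in reader)


# A value line looks like: <indent><name><ws>REG_<type><ws><data>
RUN_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_run_keys(text):
    """Return {value name: data} from `reg query ...\\Run` output.

    The key path line and blank lines do not match RUN_LINE and are skipped.
    """
    entries = {}
    for line in text.splitlines():
        match = RUN_LINE.match(line)
        if match:
            entries[match.group(1)] = match.group(3).strip()
    return entries


def compare_snapshots(base_tasks, cur_tasks, base_run, cur_run):
    """Report only what differs from the known-clean baseline."""
    base_p, cur_p = parse_tasklist(base_tasks), parse_tasklist(cur_tasks)
    base_r, cur_r = parse_run_keys(base_run), parse_run_keys(cur_run)
    return {
        # Counter subtraction keeps only positive differences.
        "new_processes": sorted((cur_p - base_p).elements()),
        "missing_processes": sorted((base_p - cur_p).elements()),
        "new_autoruns": {k: v for k, v in cur_r.items() if k not in base_r},
        "changed_autoruns": {k: v for k, v in cur_r.items()
                             if k in base_r and base_r[k] != v},
        "removed_autoruns": sorted(k for k in base_r if k not in cur_r),
    }


if __name__ == "__main__":
    diff = compare_snapshots(BASELINE_TASKLIST, CURRENT_TASKLIST,
                             BASELINE_RUN, CURRENT_RUN)
    for section, items in diff.items():
        print(f"{section}: {items if items else 'none'}")
```

Two things worth noticing when you run this against a real sample: the Run key is only one of many autostart locations (Autoruns covers the rest), and a sample that hides itself from `tasklist` will simply not show up in the process diff. An empty diff after you know you executed something is itself the cue to switch to the rootkit tools listed earlier.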