Microsoft’s Standalone System Sweeper

Sometimes, despite our best efforts, it seems impossible to remove the spyware and other malware from our computers. Despite their efficacy, there are just some times that the traditional and proven malware killers will not be able to neutralize the malware on our computers. While some of the so-called “experts” simply give up and reformat the hard drive, resulting in the loss of any programs and files on the computer (unless properly backed up), this is not an appropriate step in trying to restore the computer.There are a variety of utilities, both free and commercial, that can create a bootable CD or USB drive that contain the necessary files to boot the computer, and then detect and remove any malware from the infected computer. The reason for booting from a special CD or bootable USB flash drive rather than Windows is that the substitute bootable media does not load the full version of Windows, but instead loads a substitute for Windows. Because this clean substitute for Windows is not loading any drivers or other files from the infected computer (including a possibly infected Windows itself), there are no malware files loaded into memory (RAM) that interfere with the cleaning process or otherwise protect themselves from detection and destruction. A variety of security software companies, including Kaspersky, Avira, F-Secure, Panda, BitDefender, DrWeb, AVG, and Spybot Search & Destroy have published free utilities that can create bootable media that will run and remove malware, without the need to load Windows. When I am called to clean badly infected systems, I routinely create at least a pair of updated bootable CDs from a variety of the above companies, such that if I encounter a difficult to clean computer, one or both of the bootable CDs will likely be able to detect and remove the offending malware. Just recently, Microsoft has joined this august group of software publishers. Its new utility is the Microsoft Standalone System Sweeper Beta (Beta means that it is functional, but not a final release).

Microsoft Standalone System Sweeper Beta (connect.microsoft.com/systemsweeper), like the other utilities mentioned above, can be used to boot an infected computer and perform a malware scan that can identify and remove malware and rootkits. This is especially useful when the malware on a computer prevents the installed security software from running, as many of the contemporary malware titles explicitly destroy the legitimate security software installed on the computer. Many of the current crop of malware infections also make it impossible to run already installed detection and removal utilities, as well as prohibit Web access to online services that may be capable of detecting and removing the controlling malware. Some malware also prevents the infected computer from booting, making it nearly impossible to run any of the traditional scanning utilities. For this reason, it is sometimes necessary to be able to boot the computer into some operating system other than the full Windows and run a scan utility.

This is explicitly what Microsoft Standalone System Sweeper Beta and the other bootable scan utilities are intended to do.

Microsoft Standalone System Sweeper Beta is available in both 32 and 64 bit versions, and the proper version for the compromised system should be downloaded to another uninfected computer from connect.microsoft.com/systemsweeper. Using that clean computer (not the infected machine!), the user needs a blank CD, DVD or USB flash drive (with at least 250 megs of free space) to create the bootable media. According to Microsoft, “ The architecture of Microsoft Standalone System Sweeper Beta does not have to be the same as the Windows operating system of the computer used to create the bootable media. It does need to be the same architecture (32-bit or the 64-bit) as the Windows operating system of the computer infected with a virus or malware.”

The initial download is a small installer (576 kb for the 64 bit version), which is used to start the media creation process. This small installer file is run, and a series of windows appear that walk the user through the media creation process. The first window informs the user of the need for some appropriate media and Internet access to create the bootable media, followed by the EULA (End User License Agreement). The third screen gives the user the option to use a blank CD, DVD, USB flash drive, or to create an ISO image that can later be burned to a CD using an ISO file burner to create the bootable CD. I chose to use a blank CD, but any of the appropriate options would be adequate choices. Since virtually all Windows XP SP3, Vista and Windows 7 computers can be booted with a CD and run the System Sweeper, regardless of the operating system that was on the computer that was used to create the bootable media, I prefer the bootable CD media. Many computers, especially older ones, cannot easily boot from a USB flash drive, which is why I create a CD. Just be sure to create the media with the correct 32 or 64-bit version; you need the setup file that matches the infected computer’s architecture, not the architecture of the clean computer.

The actual file that was downloaded from Microsoft by the small installer was 206 mb, which took a few minutes to download. Once downloaded, it only took a few more minutes to create a bootable CD containing the Microsoft Standalone System Sweeper Beta, as well as its latest malware signature database. While there are some methods that can be used to update the malware signatures, I prefer to create a fresh CD with the latest signatures prior to each use.

After the bootable CD, DVD or USB drive is created on the clean machine, the media is used to boot the infected computer. Once booted, the interface looks very similar to the established Microsoft Security Essentials, and uses a similar scan engine to detect and remove malware. I would suggest that the user selects a full scan, and allows the software to neutralize whatever it finds. Once the scan and clean function has been completed, remove the bootable media, and reboot the computer into Windows. If the computer still will not function properly, as it appears that it is still infected after running the System Sweeper, one of the other bootable scan utilities listed above may be necessary to remove the infection. If it does boot successfully, I choose to perform a redundant scan with a third party utility such as Malwarebytes (malwarebytes.org) or SuperAntispyware (superantispyware.com). Since much of the malware in circulation destroys the installed security software, it may be appropriate to reinstall the real-time security software of your choice.

The Microsoft Standalone System Sweeper Beta is only intended to boot and clean a badly infected system, and provides no permanent protection, which is why it should not be used as a substitute for a good security suite. Since blank CDs are cheap, it would be a worthwhile precaution to frequently create a bootable CD using Microsoft Standalone System Sweeper or one of the other bootable utilities, label it with the date, and keep it on hand just in case it is needed.

Listen to Ira Wilsker’s weekly radio show on Mondays from 6-7 p.m. on KLVI 560AM.

shadow

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
By submitting this form, you accept the Mollom privacy policy.