Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
LizaMoon infection: a blow-by-blow account
In this issue
- TOP STORY: LizaMoon infection: a blow-by-blow account
- LOUNGE LIFE: Sometimes you wish your computer were joking
- WACKY WEB WEEK: The road most people don't travel (to the sofa)
- LANGALIST PLUS: How to troubleshoot a PC-memory problem
- WOODY'S WINDOWS: Rustock takedown: #1 spam botnet bites the dust
- BEST PRACTICES: Fix that problem without reinstalling Windows
LizaMoon infection: a blow-by-blow account
By Fred Langa
A nasty piece of malware known as LizaMoon has hijacked links on millions of websites in the past weeks, including some normally safe iTunes and Google links.
Fortunately, LizaMoon is easy to avoid if you know what to look for.
Using rogue-AV scare tactics, LizaMoon tries to trick you into running bogus security-scan and virus-cleanup tools on your PC — but it’s pure malware.
If allowed onto your PC, this particular ploy is especially troublesome because it can partially disable the Windows Security Center and change the Registry so that the full WSC can’t be restarted. It also interferes with Microsoft Security Essentials, if MSE is running. (You’ll find lots more LizaMoon news coverage via Google.)
My encounter with LizaMoon started unexpectedly one evening when a suspicious warning popped up on my screen. As discussed in a previous Top Story, I use Microsoft Security Essentials and the Windows 7 firewall to protect all of my PCs. In over a year of constant use, I’d never had any malware trouble. But that abruptly changed.
That evening, I was searching for something through Google — I don’t recall what. When I clicked a link, a blank page overlaid with the dialog in Figure 1 popped up instead of the site I was expecting.
Figure 1. A real LizaMoon initial dialog, captured in the wild.
My mental alarm bells immediately started ringing — the dialog was identified as a “Message from webpage.” But why was a random, external webpage displaying what looked like a local security message?
Also, how could a random webpage know what was installed on my system (suspicious programs or not)? The warning made no sense.
There was plenty more to suggest that the dialog was bogus. For example, the third sentence is in fractured English — Microsoft dialogs aren’t like that. And the kicker: I keep my system very clean, so the odds that it would suddenly contain “a variety of suspicious programs” are virtually nil.
Then it struck me. I’d encountered a for-real LizaMoon page hijack, in the wild!
Typically, when you encounter any suspicious webpage dialog, the correct procedure is to immediately dismiss it via the red-X close box in the upper-right corner of the dialog box or to simply close the browser. (If needed, you also can use Windows’ Task Manager to kill offending software or its processes.)
Next, if you think you might have a security problem, you should manually launch known-good security tools directly from reliable sources. In no case should you ever launch unknown software triggered by visits to random websites.
In my case, however, this was exactly the kind of malware I’d been looking for to test. In the past few months, readers reported encountering new malware that masquerades as a security tool — malware that disables or bypasses Microsoft Security Essentials. I’d been trying to track it down for weeks. And suddenly, there it was.
Living dangerously: taking the malware’s bait
Given this unexpected opportunity, I took a deep breath and clicked OK, knowing full well that I was voluntarily giving the webpage permission to interact with my PC.
A new webpage opened, showed a flurry of fake “scanning” activity (most likely, just an animated .gif), and then reported a huge number of discovered viruses and security problems.
I knew my system was clean, so this report of widespread infection was clearly fake. But because the page layout and icons closely mimic those of familiar Windows tools, it could easily fool casual users into thinking that the alert was real.
After a minute of fake scanning activity, a new dialog opened — offering to “Remove all” the threats (see Figure 2).
Figure 2. Clicking “Remove all” on this fake security dialog starts the malware download. Find a way to close the dialog, as discussed in the text.
The new dialog set off more of my internal alarm bells. Windows normally identifies the software or subsystem involved in security alerts — such as the Action Center, the Security Center, Security Essentials, or whatnot. A dialog simply labeled “Windows Security Alert” is suspiciously generic.
And what’s this about “Windows Defender”? That’s Microsoft’s standalone anti-malware tool that ships with Vista and Win7 and is available as a free download (page) for XP. The forerunner of the more complete Microsoft Security Essentials, it’s deactivated when you install MSE. Since I have MSE active on my system, I shouldn’t be hearing from Windows Defender.
At that point, you’d normally try to dismiss the warning by clicking on the red X. To see what would happen next, I clicked “Remove all,” knowing I was inviting trouble.
(If you’re keeping count — and I did — you’ll know this was my second entirely voluntary action leading to infection.)
A real and quite legitimate Windows file-download security warning opened, as shown in Figure 3. But while the previous dialog discussed “Windows Defender,” this dialog box asked permission to download an installer for “Internet Defender.” What’s more, the dialog clearly showed that the file was from a site called update65.saceck.co.cc — not Microsoft!
Clearly, the LizaMoon authors are confident that people do not pay attention to these details.
Figure 3. This dialog box has several naming inconsistencies: the previous dialog mentioned Windows Defender, but this one offers something called Internet Defender. It also isn’t coming from a known address, such as Microsoft.com.
Ignoring yet another opportunity to bail out before being infected, I clicked the Save button and entered the location where the file should be saved (the third voluntary action on the path to infection).
My hard-drive light flickered briefly and I swallowed hard, knowing that a malicious payload had just been delivered to my personal PC. (Yes, my system was fully backed up and my sensitive data encrypted.)
Ready or not, the malicious payload arrives
I intended to disconnect my PC from the network before the malware ran, assuming that going offline would keep any system damage local and no personal data could be exported.
But there must have been a script running somewhere, because the malware installer immediately attempted to self-start. Fortunately, Windows reported an NSIS error (see Figure 4). NSIS is SourceForge’s Nullsoft Scriptable Install System, and the error means that an installation script failed an integrity check.
Figure 4. The first sign of trouble after downloading the malware
Following the link given with the NSIS Error opens a sourceforge.net page advising you to “Update your anti-virus software” and to “Scan for, and remove malware and viruses on your system.”
Microsoft.com’s “NSIS Error” page states that, among other possible causes, “Your PC is infected with a virus.” It adds, “Thoroughly scan your PC for possible virus or spyware infections.” The page even provides a direct link to Microsoft’s free online safety scanner (site) and to a discussion of how to remove viruses and malware.
I took none of that advice but did disconnect from the network. Taking yet another deep breath (and my fourth voluntary action), I clicked OK, which let the malware installer run to completion.
The malware goes active and disables my security
Immediately after I clicked OK, my system went haywire.
First, the Windows Security Center was compromised (see Figure 5), and I could not manually relaunch it — proof that my system was infected.
Figure 5. The infection immediately disabled the Windows Security Center.
Next, the downloaded malware opened a new, fake, scanning window. Calling itself “System Defender,” it claimed to have discovered numerous malware apps. Trying to learn what I could about the bogus software, I opened its Help/About menu, as shown in Figure 6.
Figure 6. Superficially, this dialog looks quite legit. But it fails closer inspection — it can’t even keep its name straight!
In previous dialog boxes, the malware identified itself as “Windows Security” and “Windows Defender.” Now it’s simultaneously “System Defender” and “Internet Defender.” No valid software product goes by four separate names in the same instance.
Of course, the point of all this smoke-and-mirrors chicanery is confusion — to extort you into paying to activate the software and “remove” the supposed infections. But the only real infection is LizaMoon itself.
I was certain that clicking the malware’s Remove All button would bring me to a payment site. But because I didn’t want to reconnect to the Net while the malware was still active on my machine, I left the above dialog alone and waited to see what would happen.
Every few minutes, the malware would pop up other warnings, such as the one in Figure 7. There were many others.
Figure 7. The fake virus warning got more urgent — and more illogical and ungrammatical. This nonsensical message states that a firewall has somehow detected keylogging in a social network.
Throughout this time, Microsoft Security Essentials was silent — a major disappointment. However, every few minutes the Windows Security Center would wave the flag (via a dialog box) and urge me to “Turn on Windows Security Center service (Important).”
LizaMoon blocked attempts to restart the Security Center service and hid itself from MSE. To clean up the mess, I needed to use another tool, Malwarebytes Anti-Malware (site/download), which disabled and removed most of the malware (Figure 8). When I rebooted the newly cleaned PC, I ran MSE again, which discovered more pieces (Figure 9).
Figure 8. Malwarebytes’ Anti-Malware disabled and removed most — but not all — of the malware.
Figure 9. MSE was able to remove the threats that Malwarebytes missed.
I followed up with scans using ESET’s online scanner, McAfee’s Security Scan Plus, TrendMicro’s HouseCall, and Microsoft Windows Live OneCare scanner. All agreed that my PC was now clean.
Just in case, I continued to run additional extra scans for the next few days. Nothing untoward turned up, and my system has behaved normally ever since.
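A defender's check for the symptom described above (Security Center disabled and refusing to restart, MSE silent), added here as an example and not code from the article: it reports whether the Security Center and MSE services are stopped or set to Disabled, and with -Repair tries to set Security Center back to Automatic and start it. The service names wscsvc and MsMpSvc are my assumptions about the relevant services, not from the article.

```powershell
# Added example, not code from the article. Reports the state of the
# Windows Security Center and Microsoft Security Essentials services and,
# with -Repair, tries to restore Security Center to Automatic and start it.
# Assumptions: service names wscsvc (Security Center) and MsMpSvc (MSE).
# Uses Get-WmiObject so it runs on the PowerShell 2.0 that Windows 7
# shipped with. Run from an elevated PowerShell prompt.

param([switch]$Repair)

# Meaning of the on-disk Start value under the service's registry key.
$StartModes = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$Watch = @(
    @{ Name = 'wscsvc';  Label = 'Windows Security Center' },
    @{ Name = 'MsMpSvc'; Label = 'Microsoft Security Essentials' }
)

function Get-ServiceHealth {
    param([string]$Name, [string]$Label)

    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $regStart = (Get-ItemProperty -Path $regPath -Name Start -ErrorAction SilentlyContinue).Start

    $state = 'n/a'; $mode = 'n/a'; $reg = 'missing'
    if ($svc) { $state = $svc.State; $mode = $svc.StartMode }
    if ($regStart -ne $null) { $reg = $StartModes[[int]$regStart] }

    # Both services should be automatic and running. A Disabled start mode,
    # whether reported by WMI or found in the registry, matches the
    # "can't be restarted" behaviour the article describes.
    $verdict = 'OK'
    if (-not $svc) {
        $verdict = 'MISSING: service not registered'
    } elseif ($mode -eq 'Disabled' -or $reg -eq 'Disabled') {
        $verdict = 'SUSPECT: start mode set to Disabled'
    } elseif ($state -ne 'Running') {
        $verdict = "WARN: service is $state"
    }

    New-Object PSObject -Property @{
        Service   = $Label
        State     = $state
        StartMode = $mode
        RegStart  = $reg
        Verdict   = $verdict
    }
}

$report = foreach ($w in $Watch) { Get-ServiceHealth -Name $w.Name -Label $w.Label }
$report | Format-Table Service, State, StartMode, RegStart, Verdict -AutoSize

if ($Repair) {
    # Do what the Windows prompt in the article asks ("Turn on Windows
    # Security Center service"). While the rogue AV is still active this
    # can be blocked, as it was in the article, so run it after cleanup.
    try {
        Set-Service -Name wscsvc -StartupType Automatic -ErrorAction Stop
        Start-Service -Name wscsvc -ErrorAction Stop
        Write-Host 'wscsvc set to Automatic and started.'
    } catch {
        Write-Warning "Could not restart Security Center: $($_.Exception.Message)"
        Write-Warning 'If a clean-up scan has not yet run, remove the malware first.'
    }
}
```

A SUSPECT verdict on wscsvc after a fake-scanner episode is the cue to run an out-of-band scanner, as the article did with Malwarebytes, before trying -Repair.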
Microsoft Security Essentials: first failure
I have to say I’m disappointed that Microsoft Security Essentials didn’t detect or prevent this infection. It should have, and I hope Microsoft patches MSE pronto.
On the other hand, deliberate choices and actions by a user can defeat any software. LizaMoon required my active, voluntary involvement four different times before the infection took hold.
LizaMoon wasn’t even subtle: I had plenty of warnings and opportunities to abort the process, and the malware itself provided abundant clues to its own bogus nature (such as an inability to keep its aliases straight).
The lesson? Using security tools is no substitute for common sense. Malware like this is actually very easy to avoid, if you pay attention to what’s going up on your screen.
Thoroughly read all dialogs — especially unexpected ones and ones pertaining to installing new software. Ask yourself whether the warning really makes sense. If you have any suspicions at all, dismiss such dialogs via the red-X close box or, if that fails, by using the aforementioned built-in Task Manager (more info).
Immediately run your favorite suite of security tools, such as the ones mentioned above.
Remember: You won’t get infected with LizaMoon (and similar malware) unless you allow it!
Have more info on this subject? Post your tip in the WS Columns forum.
Fred Langa is a senior editor of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987-91), editorial director of CMP Media (1991-97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.
Sometimes you wish your computer were joking
By Kathleen Atkins
Trouble started with disappearing desktop icons and then cascaded into much worse. Then Windows 7 wouldn’t boot, and the error moved into a second drive, taking out the system’s XP boot loader.
Forum member Diogenes had some ideas about what he might have done to complicate the process of returning his computer to working order, but it still felt like a bad April Fool’s joke to him.
After lots of investigation and assistance, he finally solved his problem. See how.
The Lounge Life column is a digest of the best of the WS Lounge discussion board. Kathleen Atkins is associate editor of Windows Secrets.
The road most people don't travel (to the sofa)
By Revia Romberg
Home is where the bike hangs out in the stairwell. It’s also where the iron, the thermos, and the laptop share space on the coffee table. If the helmets, ropes, and other climbing gear cozying up to the sofa don’t tell you enough about who lives here, just watch. This homebody keeps his feet firmly off the ground. Play the video.
How to troubleshoot a PC-memory problem
By Fred Langa
Free tools from Microsoft, other software publishers, and RAM vendors all can work together to solve your PC’s memory troubles. In Windows 7 and Vista, an easy-to-use Memory Diagnostic Tool is built right into the operating system; XP users have other choices.
New RAM and new OS — and new trouble
Reader Robert started having blue-screen reboots after he upgraded his XP PC:
- “There are not many things that beat me these days, but I do have an annoying problem. After testing Win7 on a very old computer, I thought it would be a piece of cake to install it on a much newer Acer Aspire E650 that was running XP.
“So I installed Win7 and brought it up to 2GB of RAM.
“Now it will go for a day or two, and then it Blue-Screens and reboots. I clean the Registry and use a file cleaner, and away it goes again. All the drivers seem to be fine. What would you do here?”
Your system apparently was running fine under XP, so let’s assume the original hardware was OK. That leaves us with two changed items to look at: your new operating system and your new RAM.
Possibly you have a subtle compatibility issue with your new Windows 7 setup. Most XP systems can run Windows 7 fine, and you did in fact get it up and running. But it still would be worth your while to back-check for trouble with Microsoft’s Win7 Upgrade Advisor (info/download).
If the Advisor finds trouble, your first task is to resolve that problem, whatever it is. But I suspect the Advisor will tell you that your system is fine — and that’s good. Now you can focus on the RAM, with some assurance that you’re on the right track.
Start with the physical RAM. Remove and reinstall your new RAM stick(s), making sure all the electrical contacts are clean, there’s no dust or lint in the socket, and that the RAM seats and locks properly when you reinstall it. (If you need or want more detail on these purely physical steps, HelpWithPCs.com has a nicely illustrated how-to article on replacing laptop RAM.)
Often, the simple act of removing and reinstalling RAM cures many kinds of minor installation issues. For example, a system’s unused RAM socket may be slightly oxidized, causing poor electrical contact. Removing and replacing the RAM scrapes through the oxide, restoring good contact to fresh metal.
While your RAM is out in the open, double-check its markings to make sure it’s really the right type and speed. Your PC manufacturer’s site should list the exact specs for your system.
If you can’t find RAM specs from your system maker, try a RAM vendor. For example, Crucial.com offers two useful RAM-specification tools (site), either of which can usually tell you the RAM specs for most PCs. Naturally, Crucial wants you to buy their RAM, but specs are specs, and you’re not obliged to make your purchase there.
If the RAM is the right type for your system and has no installation issues, it’s time to run some tests.
Windows 7 and Vista have a built-in tool named Windows Memory Diagnostics. To use it, click the Start orb, and then type the word memory in the Search programs and files or Start search box. Press Enter, and the tool runs, simple as that. (See Figure 1.)
Figure 1. The Windows Memory Diagnostic tool built into Windows 7 and Vista makes it easy to track down RAM errors.
When you reboot, the diagnostic software takes over — exercising all your RAM in several ways, running through the test two full times, collecting the results, and looking for problems. (See Figure 2.)
Figure 2. The actual memory testing takes place at reboot, before any other software loads.
When the testing is done, your system reboots itself normally. A minute or two after Windows is up and running, the Windows Memory Diagnostic tool opens a small tooltip balloon (see Figure 3) to tell you the results of the tests.
Figure 3. After reboot, the Windows Memory Diagnostic tells you, via a tooltip, what it found. In this case, the tested RAM was fine.
If you want more control over the testing, you can adjust the Memory Diagnostic Tool’s settings by pressing F1 when it starts. You’ll be presented with options for various test types, number of test passes, and so on; the choices are described onscreen as you use the tool. For more information on these options, see this Microsoft Help & How-to page.
XP users note: A standalone version of the Windows Memory Diagnostic is available on a Microsoft webpage. It works very similarly to the version built into Windows 7 and Vista.
You can also find numerous third-party, standalone memory diagnostic tools. For example, see PCsupport.com’s write-up of the “Top 5 free memory testing software tools” or ComputerHope.com’s article, “How can I test my memory to determine if it is bad?”
With luck, simply removing and reinstalling your new RAM solves the problem. But if the diagnostic tests show ongoing trouble, or if your random reboots continue, your best bet is probably to return the new RAM and get a replacement.
Wanted! Your top SMB security tips
Windows Secrets is planning a special issue focused on online security, specifically in small and home businesses.
What do you do to keep yourself and your work-related systems/data/financial info/etc. safe from Web attack?
Please share your security tips via tips_mail@langaonline.com (note the underscore).
I hope to select and publish a collection of your best tips in the special issue.
Thanks for your help!
Windows 7 SP1 Remote Admin Tools failure
Dave encountered an incompatibility among Microsoft’s own tools:
- “RSAT (Remote Server Administration Tools) does not work with Win7 Service Pack 1 yet, and you can’t roll back the Service Pack if you install from a slipstreamed package with SP1 integrated. Just ran into this problem at work.”
You’re right, Dave: thanks for the heads-up.
Microsoft says it will have a corrected release of the Tools available sometime this month (April 2011). In the meantime, a TechNet Blog post suggests this workaround:
1. Install Windows 7
2. Install the RSAT tools [info/download]
3. Install Service Pack 1 via the standalone package
The “Comments” section of the same blog page also offers some additional suggestions.
A separate but related “Community Content” section of TechNet’s “Remote Server Administration Tools for Windows 7” page offers several free workaround scripts.
Siphoning data off an old laptop drive
Howard Potash has a new laptop but kept his old drive.
- “I sold my older laptop (Windows 7 Ultimate 32-bit) but kept the hard drive.
“My new laptop is the same brand but has Windows 7 Home Premium 64-bit software and two hard drives in it.
“There is some info that I would like that is on the old drive, but it is 32-bit. Can I and should I get files off the old drive? Can I install the drive in the other bay?”
Laptops with open drive bays are rare, but if yours has one and the old drive fits, sure — give it a try. Turn off the laptop, open the bay, plug in the drive, close the bay, and restart. The system should still boot from the new drive, but “see” (and give you access to) the old one.
If that doesn’t work — or, more likely, isn’t possible — you can connect your old drive to the new PC via an inexpensive USB laptop drive adapter (that’s the phrase to search and shop for). The adapters typically cost $10 to $20 or so.
Once your new PC can see and access the old drive, you should be able to move (or copy and paste) your data files and personal information off the old drive without trouble.
Can’t revert to Firefox 3 if 4 fails?
John Hill needed a source for older versions of his browser after he ran into trouble with Firefox 4.
- “Just downloaded Firefox 4.0, and it deleted my Norton Internet Security toolbar. It’s incompatible with Firefox 4. Norton says they’ll ‘release an update for NIS/NAV 18.5 and Norton 360 v5 in early May that will address the problems found in both Internet Explorer 9 and Firefox 4.’
“But I want it to function now, so I tried System Restore and soon found out that that’s not going to work. System Restore wiped out Firefox 4.0, but it did not give me a way to replace it with the version I was using, 3.6.15.
“Went looking on the Net to see if I could find a 3.6.15. No luck. Everything directs you back to Mozilla’s 4.0 download.
“So the reason for this message, besides ‘heads up on Firefox 4,’ is do you have a way for me to access a copy of 3.6.15?”
Older versions of Firefox are still available online, and the 3.6 series is still being maintained. Mozilla even says, “Firefox 3.6.x will be maintained with security and stability updates for a short amount of time.” The most recently updated version of the 3.x series — currently Firefox 3.6.16 — is available on this Mozilla page.
Some independent sites, such as Oldversion.com and OldApps.com, also maintain complete back-libraries of browsers and of many other apps.
But don’t go too far back. Very old versions of browsers (and all the other software offered on those old-software archives) are mainly of academic interest: ancient software is unsupported and may not be safe or current for today’s conditions and standards.
If you need installation help once you’ve found what you want, check out Mozilla’s instructions for “Installing a previous version of Firefox.”
You’ll then be all set until your toolbar maker finally catches up with browser tech!
Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.
Reader Dave will receive a gift certificate for a book, CD, or DVD of his choice for sending the tip we printed above. Send us your tips via the Windows Secrets contact page.
Rustock takedown: #1 spam botnet bites the dust
By Woody Leonhard
For years, Rustock stood as the largest generator of spam on the Internet: Symantec’s MessageLabs estimates the Rustock botnet pumped out 14 billion pieces of spam per day in March.
On March 16, a coordinated legal attack on Rustock, driven by Microsoft, cut the bot off at the knees. The total amount of spam worldwide dropped by one-third. But the pressure on the botnet isn’t off yet.
Remember the story of Eliot Ness and his dogged pursuit of Al Capone? In the end, J. Edgar Hoover and the Feds didn’t take Capone out in a stormy midnight raid or in a hail of Tommy-gun bullets. Capone got nailed by lawyers. A conviction on tax evasion put Big Al in jail for almost a decade and brought down his empire.
Although the person who masterminded Rustock isn’t in jail — hasn’t even been positively identified — the lawyers stopped him. They brought down his operation with a lasso made of motions, depositions, and court orders. And therein lies a tale.
Rustock, another special-purpose botnet
In my March 10 Woody’s Windows column, “ZeuS Trojan reinvents itself as bots rock on,” I talked about the ZeuS botnet, a hack-it-yourself kit sold with multilevel marketing techniques, aimed at pilfering financial information and delivering it into the hands of a franchisee. Rustock is almost as big as the ZeuS Trojan by some estimates, but it takes a mass-market approach.
As best as anyone can tell, Rustock was created and controlled by one individual or possibly by a very small group of individuals. Brian Krebs, in a phenomenal piece of investigative reporting, draws links to someone named “Vladimir Shergin.” For our purposes, let’s just call the creator and controller (or the group) “Vlad.”
Vlad reportedly started Rustock (also known as Spambot) five years ago as a fledgling botnet that installed rootkits on Windows XP PCs, primarily through infected e-mail attachments. Rustock was first identified in November 2005. It spread fairly quickly, but then the second major version (variously called, confusingly, Rustock.A or Rustock.B) hit in July 2006, and it took off.
The third major version embarrassed the antivirus community: it appears to have first hit in October 2007 but wasn’t actually identified until May 2008. The third Rustock was a marvel of PC engineering — fully self-modifying, hard-to-analyze spaghetti code, extremely difficult to detect. It didn’t send out copies of itself; it sent out a small downloader, which then phoned home to retrieve a copy of the full-blown version of the software, which it then installed. Frank Boldewin has a thorough analysis on his Reconstructer blog.
Starting with that strong base, Rustock morphed so many times in so many different ways, it’s hard to keep track. It infects by using e-mail attachments, by taking advantage of Windows security holes, by hanging out on infected websites, by tricking users into downloading fake codecs — a smorgasbord of infection techniques. Antivirus products catch some versions but not all. Estimates vary, but by the time Rustock was brought down on March 16, at least 800,000 machines had been infected.
Almost all of them are still infected.
How Rustock made money — by the bucketful
Unlike ZeuS, Rustock-infected machines aren’t after passwords or bank account numbers. They’re spam relayers. They connect to command and control (C&C) servers to receive new spam templates and lists of e-mail addresses.
You might think that Vlad would make his money renting out Rustock as a spamming gun for hire — maybe companies would pay Vlad to have a hundred million copies of a spam message sent out over the Rustock system. Not so. As noted in Brian Krebs’s article, Vlad made most of his money spamming “Canadian pharmacy” sites — the ones that sell name-brand little blue pills, supposedly from Canada. In fact, the pharmacies were more often than not in India or China, and the little blue pills may have looked genuine but were counterfeits (though often fully functional counterfeits) made in India or China.
Vlad collected commissions when folks followed the links in Rustock-delivered spam, took advantage of the “Canadian” pharmacies, and ordered drugs without a prescription.
Brian Krebs tracked down more than $2.3 million in commissions that apparently went to Vlad over a three-year period. Those commissions came from SpamIt, a huge rogue pharmacy operation, and from Rx-Promotion, SpamIt’s largest competitor.
Microsoft’s lawyers take a novel approach
Let’s say you’re Microsoft, and you want to get rid of Rustock — you want to take out one-third of all the spam in the world in one fell swoop. How do you do it?
By early March of this year, the Microsoft Digital Crimes Unit had amassed a great deal of information about Rustock, under the nom de guerre Operation b107. The ’Softie gumshoes knew that Vlad was controlling hundreds of thousands of bots using more than a thousand domain names scattered across more than a hundred C&C servers. Surprisingly, all but two of the C&C servers were located in the United States. Apparently the server host companies didn’t have a clue that those servers were controlling Rustock-infected PCs.
Microsoft’s lawyers determined that they needed to seize the servers — physically take them and look at their hard drives to prove that the templates being used to dish out spam originated on the servers. Methods that the lawyers had used in the past to go after problematic servers wouldn’t work in this case because normal lawsuits don’t allow the complaining party to seize evidence. The lawyers hit upon a novel strategy: they claimed trademark infringement on Microsoft, on Pfizer — the manufacturer of the real version of those little blue pills — and on a few other companies. You can read the filing here (PDF). Under the provisions of the Lanham Act, plaintiffs in a trademark infringement suit are allowed in some circumstances to seize evidence.
Microsoft convinced a judge in U.S. District court that Rustock was in violation of the Lanham Act, and on March 16, U.S. Marshals raided the server host companies in concert with analogous law-enforcement authorities in the Netherlands. They seized the offending hardware and brought the bot down.
The action didn’t clean those infected PCs. The botnet’s rootkit is still on those million-or-so PCs. But the entire command network has been knocked out, so infected PCs don’t generate spam any more.
Symantec’s MessageLabs Intelligence Report for March (PDF) shows that the amount of spam MessageLabs tracks dropped by one-third overnight. Of course, you have to take numbers like that with at least a small grain of salt — identifying spam isn’t an easy task, and counting it is even harder. But the consensus is that a big chunk of spam that was flying around three weeks ago isn’t flying any more.
Vlad’s still out there — somewhere. It remains to be seen whether he can pull the pieces back together or whether he builds a Son of Rustock. In the meantime, other spam botnets are coming to the fore, and Rustock competitors are trying new approaches. Still, the good guys won a round without smoking a single Tommy gun.
Woody Leonhard’s latest books, Windows 7 All-In-One For Dummies and Green Home Computing For Dummies, deliver the straight story in a way that won’t put you to sleep.
Fix that problem without reinstalling Windows
By Lincoln Spector
It’s that tech-support nightmare. You’ve barely described your computer’s troubles when your “support” advises formatting the hard drive and reinstalling Windows. Hold on, don’t do that! If Windows at least boots before your problems begin, I’ve got six tricks you can try before reinstalling the operating system.
And if you can’t get Windows to boot, head over to my companion piece, “Reinstall Windows without losing your data.”
Make sure your PC isn’t hosting a virus
Given the number of malware threats these days, this should always be your first diagnostic step — especially if Windows acts unusually slow sometimes, if you can’t access certain websites, or if system programs such as msconfig won’t load. And if your regular antivirus program identifies an infection but can’t get rid of it, you almost certainly have one.
Either way, you need to scan your computer with an antivirus program other than the one you use every day. I’d start with Malwarebytes’ Anti-Malware (info). Although you can buy a full edition that has extra features, the free version has a good reputation for digging out the dirt. (See Figure 1.)
Figure 1. Anti-Malware by Malwarebytes should be in your toolkit.
Unfortunately, you have to install or update the app before you run its scan, and malware may interfere with that process. If your first attempt to install a new antivirus program doesn’t work, try one (or both) of these portable malware cleaners:
SUPERAntiSpyware Portable Scanner (info) doesn’t need to be permanently installed. And because the downloadable program file itself is refreshed regularly with current definitions, the problem PC doesn’t need Internet access at scan time to be up to date. You can download it on another computer, copy it to a flash drive, boot the problem PC into Safe Mode, and run the scanner from there.
F-Secure Rescue CD (info) is an .iso file that you can burn to a bootable CD. Booting from the CD launches the scanner. You can also download the latest, up-to-date definitions and put them on a flash drive.
Your hardware might be the source of the problem
If your PC is frequently freezing up, shutting down, or giving you the Blue Screen of Death (Wikipedia definition), I can understand your impulse to scrap everything and start over with a fresh Windows installation.
But unless by “start over” you mean buy a new computer, it won’t help. Chances are you have a hardware problem, and nothing you do to the operating system will fix it.
Fortunately, fixing the problem is probably easier than reinstalling Windows and cheaper than buying a new PC.
Bad RAM is one likely culprit. You can find out with Memtest86+ (download), a self-booting RAM diagnostic tool. You can download the program either as an .iso file to burn a bootable CD or as an .exe Windows program with which you can create a bootable flash drive. (For more memory testers, see Fred Langa’s LangaList Plus item, “New RAM and new OS — and new trouble.”)
To run it, boot your PC from your newly created CD or flash drive; Memtest starts automatically. Let it run for a few hours (overnight is fine). If it reports errors, shut down the PC, remove all but one RAM module, and run Memtest again. Repeat with each module until you know which ones are defective, and replace them. Before condemning a module, try it in a different slot: a bad slot or motherboard will make a good module fail the test too.
If the PC tends to shut down on its own at random times, it might be overheating. Try cleaning it out with a can of compressed air, which you can buy at any computer store. It’s easy to open up a desktop PC to spray out the dust. A laptop is harder and scarier. If you’re comfortable opening it up, do so. If not, try blowing air into the vents or bring it to a professional.
Roll back your system config with System Restore
If the problem has come up only recently, you may be able to fix it with System Restore. This built-in tool periodically snapshots Windows system files, drivers, and the Registry, and it can return the operating system to an earlier known-good state without touching your data files.
Although it’s good at correcting bad driver updates, System Restore’s record of fixing other problems is mediocre at best. Still, it’s often worth a try.
Launch it from the Start menu by selecting All Programs, Accessories, System Tools, and then System Restore. Using it is pretty self-explanatory from there. (See Figure 2.)
Figure 2. System Restore gives you easy-to-follow instructions.
For more information on System Restore, see Fred Langa’s May 27 column, “Use Windows System Restore with caution.”
If none of the preceding suggestions fixed your problem, now (while you’re thinking about System Restore) would be a good time to create a new restore point. (In Win7, use System Properties/System Protection/Create.) You might need to use your restore point soon because one of the following suggestions could make things worse.
Clean out the Windows Registry
The Registry contains settings for Windows, your programs, your hardware, and who knows what else. It’s like that unmanageable drawer in your kitchen that you throw everything into: crucial utensils mixed with junk you never got around to throwing out. The difference? There’s no danger of that drawer crashing your kitchen.
There are programs that can automatically clean out your Registry. Many people argue, with good reason, that these programs do more harm than good and should be avoided. But if you’re considering reinstalling Windows, you might as well try one of these programs first.
Start with CCleaner (info). It’s free and works reasonably well. (See Figure 3.)
Figure 3. CCleaner is a worthy if potentially harmful tool.
If your system is so messed up that you can’t install CCleaner, try the portable version (download page).
If you want something more powerful and are willing to pay U.S. $40 for it, consider Reg Organizer (info). This is a program for power users — it’s a Registry editor as well as a cleaner. It’s also the only Registry cleaner I’ve used that succeeded in saving me from having to reinstall Windows.
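Before letting any Registry cleaner loose, take the precaution the System Restore section recommends and add a Registry export on top of it. What follows is an added example, not part of Lincoln Spector’s article. It assumes an elevated Windows PowerShell 5.1 console (Enable-ComputerRestore, Checkpoint-Computer and Get-ComputerRestorePoint are not available in PowerShell 7), makes sure System Protection is on for the system drive, creates a restore point, checks that Windows actually recorded it, and then exports the two Software hives with reg.exe. The backup folder (a RegistryBackup folder on the desktop) is my choice, not the article’s.

```powershell
# Added example (not from the article). Run in an elevated Windows PowerShell 5.1
# console; the *-ComputerRestore* cmdlets exist only in Windows PowerShell.

$systemDrive = "$env:SystemDrive\"          # normally C:\
$backupDir   = Join-Path ([Environment]::GetFolderPath('Desktop')) 'RegistryBackup'   # my choice of location
$stamp       = Get-Date -Format 'yyyy-MM-dd_HHmm'
$description = "Before Registry cleanup $stamp"

# 1. A restore point cannot be created on a drive with System Protection off.
Enable-ComputerRestore -Drive $systemDrive

# 2. Create the point. From Windows 8 on, Windows silently skips a new point if
#    one was made in the previous 24 hours; setting the creation frequency to
#    0 minutes lifts that limit for this call, and the old value is put back.
$srKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$oldFreq = (Get-ItemProperty -Path $srKey -ErrorAction SilentlyContinue).SystemRestorePointCreationFrequency
Set-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord
try {
    Checkpoint-Computer -Description $description -RestorePointType MODIFY_SETTINGS
}
finally {
    if ($null -eq $oldFreq) {
        Remove-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency -Value $oldFreq -Type DWord
    }
}

# 3. Verify the point was recorded instead of trusting the cmdlet's silence.
$latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending | Select-Object -First 1
if ($latest -and $latest.Description -eq $description) {
    "Restore point #$($latest.SequenceNumber) created: $description"
} else {
    throw 'No new restore point was recorded; fix System Protection before running any cleaner.'
}

# 4. Belt and braces: export the hives a cleaner is most likely to touch.
#    Importing a .reg later re-creates deleted values but does not remove
#    values a cleaner added, which is why the restore point comes first.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($hive in 'HKLM\SOFTWARE', 'HKCU\SOFTWARE') {
    $file = Join-Path $backupDir ("{0}_{1}.reg" -f ($hive -replace '\\', '_'), $stamp)
    reg.exe export $hive $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export of $hive failed (exit code $LASTEXITCODE)" }
    "Exported $hive to $file"
}
```

The HKLM\SOFTWARE export can run to several hundred megabytes and take a minute or two; that is normal. If the cleaner does break something, use the restore point first and fall back to double-clicking the .reg file only for individual values you know it deleted.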
Remove software you don’t want or need
Any Windows program can conflict with some other program and cause trouble. Getting rid of the programs you don’t want and aren’t using reduces the potential for that kind of pain.
The good news is that every proper Windows program comes with its own uninstaller. The bad news is that many of these uninstallers leave junk behind. (Windows’ Uninstall or change a program tool merely launches the programs’ own uninstallers.)
I recommend two programs that run the unwanted application’s own uninstaller and then try to clean up the mess that the uninstaller left behind. Though not perfect, both generally do a good job.
Revo Uninstaller Portable (look for its link at the bottom of the download page) has the obvious advantages of being free and portable — meaning you don’t have to install it first. But it cannot uninstall 64-bit programs, although it can uninstall 32-bit programs from 64-bit Windows. Another problem: If an unwanted program’s own uninstaller requires a reboot (and many do), Revo won’t finish the job.
Total Uninstall (info) costs $30 after a 30-day trial period and has to be installed. On the other hand, it’s fine with 64-bit programs, and if an uninstall reboots Windows, Total Uninstall comes up after the reboot to finish the job.
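The Uninstall or change a program list is built from Registry entries, and on 64-bit Windows the 32-bit programs live in a separate branch, which is exactly the split Revo stumbles over. The following added example (mine, not the article’s) reads both branches plus the per-user one, skips hidden system components, and shows the uninstaller command each program registered, so you can see what an uninstaller actually runs before you let Revo or Total Uninstall wrap it. It is read-only; the $lookFor pattern at the end is a placeholder for the program you are hunting. Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the article). Read-only: lists installed programs
# from the Registry branches Windows' own Programs and Features tool reads.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',             # native apps (all apps on 32-bit Windows)
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'              # per-user installs
)

$programs = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }       # WOW6432Node is absent on 32-bit Windows
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # Entries without a display name, or flagged SystemComponent, are
        # patches and hidden components that Programs and Features also hides.
        if (-not $p.DisplayName -or $p.SystemComponent -eq 1) { return }
        [pscustomobject]@{
            Name        = $p.DisplayName
            Version     = $p.DisplayVersion
            Publisher   = $p.Publisher
            Bitness     = if ($key -like '*WOW6432Node*') { '32-bit' } else { 'native' }
            InstallDate = $p.InstallDate        # yyyyMMdd string; often empty
            Uninstall   = $p.UninstallString    # what "Uninstall" in the Control Panel runs
        }
    }
}

$programs | Sort-Object Name | Format-Table Name, Version, Publisher, Bitness, InstallDate -AutoSize

# Placeholder pattern: change it to the program you want to get rid of.
$lookFor = 'Toolbar*'
$programs | Where-Object { $_.Name -like $lookFor } | Select-Object Name, Bitness, Uninstall
```

A program with no Publisher, no InstallDate and an UninstallString pointing into a user profile or Temp folder is worth a second look before you uninstall it: that is what unwanted bundled software and rogue tools tend to look like in this list.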
Reduce the number of your autoloaders
Okay, so now you have only the programs you like on your PC. But do they all have to load every time you boot Windows?
Too many programs load with every boot, and each one slows Windows a bit and can fight with others. I’m not saying you should uninstall these programs — just keep them from loading automatically.
For a list of all of your autoloaders, click the Start orb (Start, then Run in XP), type msconfig, and press Enter. Then click the Startup tab. Experiment with unchecking some, restarting, rechecking, and unchecking others to see which are causing problems.
There are two autoloaders that you must have: your antivirus program and your firewall (they may be combined into a single security suite). Don’t leave one of these unchecked, even if your tests prove that it’s the culprit. Instead, look around for a replacement.
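Unchecking entries one at a time is slow, and msconfig tells you nothing about where an autoloader came from. The following added example (mine, not the article’s) enumerates the same Run-key and Startup-folder entries msconfig lists, resolves each to the executable it launches, and checks that file’s Authenticode signature, so the entries worth testing first stand out. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance); the Get-ExecutablePath helper and its regex are mine and cover the usual quoted and unquoted command-line shapes, and anything it cannot resolve is reported as FileMissing rather than skipped. Nothing is changed.

```powershell
# Added example (not from the article). Read-only inventory of autoloaders
# with a code-signature check on each one.

# Win32_StartupCommand covers the HKLM/HKCU Run and RunOnce keys plus the
# per-user and common Startup folders (shortcuts are already resolved).
$entries = Get-CimInstance -ClassName Win32_StartupCommand

function Get-ExecutablePath([string]$command) {
    # Pull the program path out of a Run-key command line such as
    #   "C:\Program Files\Foo\foo.exe" -tray    or    C:\Tools\bar.exe /quiet
    $command = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($command -match '^"([^"]+)"') { return $Matches[1] }     # quoted path
    if ($command -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }  # unquoted, ends at first .exe
    return $command                                              # fall back to the raw string
}

$report = foreach ($e in $entries) {
    $exe = Get-ExecutablePath $e.Command
    $sig = if (Test-Path -LiteralPath $exe) {
        (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid, NotSigned, HashMismatch, NotTrusted...
    } else {
        'FileMissing'   # stale entry, or a command line the helper could not parse
    }
    [pscustomobject]@{
        Name      = $e.Name
        User      = $e.User          # 'Public' = all users; otherwise the account it belongs to
        Location  = $e.Location      # Registry key or Startup folder it was read from
        Signature = $sig
        Path      = $exe
    }
}

# Unsigned, tampered and missing entries first, then the rest alphabetically.
$report | Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Name |
    Format-Table Name, User, Signature, Path -AutoSize
```

A Valid signature is not a clean bill of health, since signed software misbehaves too, but NotSigned or HashMismatch on a file under a user profile’s AppData or Temp folder is the entry to uncheck, or rather to scan, first. Your antivirus program and firewall will normally show as signed by their vendor, which also makes them easy to recognise and leave alone.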
I can’t guarantee that one of these tricks will solve your problem. But there’s a very good chance that one will.
If after all these recommended efforts, you have to restore Windows, see my how-to story, “Reinstall Windows without losing your data,” before you begin.
Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.
Lincoln Spector writes about computers, home theater, and film and maintains two blogs: Answer Line at PCWorld.com and Bayflicks.net. His articles have appeared in CNET, InfoWorld, The New York Times, The Washington Post, and other publications.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2023 AskWoody LLC, All rights reserved.
