Monday, January 25, 2010

Manually Killing Viruses, Part 1

This is mostly for Windows XP, since I've never personally seen OSX, Vista, or Windows 7 with a virus. The latter three can get viruses, but they tend not to because they have a far better OS design.

I was recently presented with the most virus-infested junk-heap I've ever seen. First, it was clogged with cat hair and dust. Second, it REEKED of cigarette smoke! Every time I turned it on, I gagged.
This computer was running Windows Media Center Edition SP3, but it was unbootable. It kept prompting to restore from the Sony recovery partition that would reformat the hard drive. This would have nuked about 2,000 songs, video clips, and movies. It would also have taken several licensed products with it, including Office 2007.

Geek Squad wanted $200 just to "look" at it. No offense - they're just making a living. I'm sure they would have just reformatted and handed it back with a $300-$400 bill. I fixed it for $40, since she was a friend and co-worker.

My primary tool in these situations is the Ultimate Boot CD 4 Windows. This developed from BartPE, which is almost a historical name now. But those of us who participated in developing it felt like pioneers. I may have been the first person to build a bootable USB stick with Windows XP on it, but the computer I was trying to use wasn't USB-bootable as Dell had claimed. Two weeks after someone else had succeeded, I got a Dell D800 that I successfully booted my USB stick on - the same one that had been built three weeks before.

Enough nostalgia...
Booting to the UltimateBootCD4Win allows you to be a virtual god. The viral hard drive is dormant - nothing on the hard drive is running.
I boot from a 4GB USB stick. The boot-image is only 512MB - the USB boot-image limit. But that doesn't matter. The boot image ends up being drive X: and the rest of the space on the USB stick is whatever drive letter is available after the other drives have been enumerated.

The strategy/mentality is thus... Every virus in the past 10 years seems to be a "blended threat", meaning you never get infected with just one bug. You end up with a virus, a few worms, and a Trojan or two. There's often a root-kit installed, too.
So, booting from the UltimateBootCD4Win, I browse to the C: drive.
- Save time and delete all temp files...
-- C:\Windows\Temp
-- C:\Documents and Settings\%userprofile%\Local Settings\Temp
-- C:\Documents and Settings\%userprofile%\Local Settings\Temporary Internet Files\Content.IE5\ (delete all folders and index.dat, but leave desktop.ini)
Then do a search-and-delete of all files ending in .tmp, .del, .dmp, or .chk, or beginning with a tilde (~).
Now look at all the old Windows patch folders that collect in the Windows folder. Delete every old uninstall folder and log file for patches you know you'll never want to roll back. Usually that means keeping the last 3 months to a year's worth - no more.
This saves time from then on when running scans and searches, because there are now fewer files on the hard drive to look through. And you probably broke several viruses in the process.
- Next, analyze the contents of C:\Windows\ and C:\Windows\System32\, sorting by date/time. Some legitimate files update constantly, like the Windows XP licensing file wpa.dbl; that one is an important good file, so a fresh timestamp alone is not proof of infection. Many of the other recently changed files will be viruses. Don't just start deleting everything unless you know for sure. If you don't know for sure, move the files to a folder like C:\Suspicious\ instead. Recreate the folder structure inside there: wherever you take a file from, drop it in the matching folder, like C:\Suspicious\Windows\System32\. That way, when you're finished and decide some files are safe, you can put them back where they came from.
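As an added example (not code from the original post), here is a small Python script that does the "sort by date, then quarantine into a mirrored C:\Suspicious\ tree" step with a manifest so files can be put back; it assumes the infected drive is mounted read/write from the boot environment and that Python is available there, and the function names are my own.

```python
# Quarantine helper for the offline-cleanup steps above (added example, not code
# from the original post). Assumes the infected drive is mounted read/write and
# a quarantine root such as C:\Suspicious\; the function names are my own.
import os, shutil, tempfile, time
from pathlib import Path

def recent_files(directory, days=30):
    """Files directly inside `directory` modified within `days`, newest first:
    the 'sort System32 by date/time' step. Nothing is deleted here."""
    cutoff = time.time() - days * 86400
    hits = [(p, p.stat().st_mtime) for p in Path(directory).iterdir()
            if p.is_file() and p.stat().st_mtime >= cutoff]
    return sorted(hits, key=lambda t: t[1], reverse=True)

def quarantine(path, drive_root, quarantine_root, manifest):
    """Move `path` under `quarantine_root`, mirroring its path relative to
    `drive_root`, and append the move to `manifest` so it can be undone."""
    src = Path(path)
    dest = Path(quarantine_root) / src.relative_to(drive_root)
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dest))
    with open(manifest, "a", encoding="utf-8") as log:
        log.write(f"{dest}\t{src}\n")  # where it is now, where it came from
    return dest

def restore_all(manifest):
    """Put every file listed in `manifest` back; returns the number restored."""
    restored = 0
    for line in Path(manifest).read_text(encoding="utf-8").splitlines():
        dest, src = line.split("\t")
        if Path(dest).is_file():
            Path(src).parent.mkdir(parents=True, exist_ok=True)
            shutil.move(dest, src)
            restored += 1
    return restored

def demo():
    """Walk the steps on a constructed sample drive in a temp directory."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "Windows" / "System32"
    sys32.mkdir(parents=True)
    for name in ("fresh.dll", "old.dll"):
        (sys32 / name).write_bytes(b"constructed sample")
    os.utime(sys32 / "old.dll", (time.time() - 400 * 86400,) * 2)  # a year old
    recent = [p.name for p, _ in recent_files(sys32)]
    dest = quarantine(sys32 / "fresh.dll", root, root / "Suspicious", root / "q.log")
    gone = not (sys32 / "fresh.dll").is_file()
    restored = restore_all(root / "q.log")
    return {"recent": recent, "dest": dest.relative_to(root).as_posix(),
            "gone": gone, "restored": restored, "back": (sys32 / "fresh.dll").is_file()}
```

Run `demo()` to see the round trip on the sample tree; on a real drive, point `recent_files` at the mounted System32 folder and `quarantine` at the files you decide to pull.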

This concludes part 1 - the easy preliminary steps. It gets more complex in following chapters.
