Dangers of Phishing Email Scams

Phishing email has been around for quite some time and it seems as if the problem is growing bigger and bigger every year. One of the main reasons is that the attack does not focus on hacking some computer or machine but rather on the computer users themselves. Yes, you read that right. A human can be hacked as well! Although probably not how you're thinking of it at first, after reading about phishing emails, you'll know exactly what I mean.

Windows 7 Remote Assistance

If you want something done right, do it yourself. If you are an administrator or a PC technician of some sort, you'll know exactly what I mean. No matter how hard you try to teach users how to use a computer, there are many times when they just can't seem to accomplish a task, whether that is configuring a program to work correctly or fixing a computer problem. That is where you, the problem solver, step in to take over. With the Windows Remote Assistance feature, you can easily and remotely connect to a user's computer and take control of it.

Prevent deleted data from being recoverable

Another article, another way to deal with your deleted data. If you want to know of an easy way to make your deleted files unrecoverable, then you'll want to read on to learn how to do just that with a free tool called Prevent Restore.

Start using virtual machines

Virtualization was once thought of as a technology only big businesses would incorporate in their environments. Nowadays, however, smaller businesses and even home users are realizing the many benefits of using this great technology, not only to lower costs but also for security purposes. The good news is, while the underlying structure of virtualization is pretty complicated, you don't necessarily have to be a rocket scientist to actually use it!

protect your laptop with bitlocker

While the percentage of laptop theft continues to soar, users are still unconcerned about protecting their valuable data! Although you may give yourself a pat on the back for having a backup of your data elsewhere, have you stopped and considered what will happen to that same unencrypted data on your laptop that's now in the hands of a complete stranger? While buying another laptop is not the end of the world, have you placed a 'value' on your data itself?

create a windows 7 system image

I've talked about it before but I don't believe I actually went into details on how to actually create one. With the arrival of Windows 7, the timing couldn't be any more perfect. In Windows Vista, only users with the Ultimate edition were allowed to create a system image backup. The good news is, with Windows 7, Home Premium members are also allowed to enjoy this feature! That's right. No need to pony up additional money to purchase third-party software.

repairing your xbox 360's rrod

My Xbox 360 Elite console recently broke down after my Playstation 3 console got knocked out as well. This is my second Xbox. I bought this Elite version on launch day at BestBuy and after a short while, it gave me the dreaded Red Rings of Death (RROD). Luckily, I had store warranty so all I had to do was take it back and they gladly gave me a spanking new console. Fast forward to the present and the console once again broke down. I don't have the RROD but I can't get any video or audio signal to my HDTV via an HDMI or component connection.

repairing your ps3's ylod

A while back, my PS3 suffered the dreaded Yellow Light of Death (YLOD) and my machine basically turned into a very expensive paper weight. My warranty period was clearly over and so in order to fix the problem, I had to send it in to Sony and pay a fee of $150. Here's the problem though. They're not going to just fix my PS3 and give it back to me. They're going to just hand me a refurbished unit (which most likely was turned in by another user with similar problems in the first place), slap on a short warranty period (I believe it's for 90 days) for that second-hand console and call it a day.

Create Your Own Malware Removal Starter Kit!



There were most likely times when you had to help someone rid their computer of all the evil viruses and malware they've contracted. Problem was, you never really had a good starting point. Just when you thought it couldn't get any worse, you find out that the computer won't even boot correctly! So you're thinking no problem, I'll just boot into Safe Mode! Well, as luck would have it, Safe Mode doesn't work either! What would you do then? You could back up all important data using this method I've described here and reformat the computer to start from scratch (or use a good backup image copy), but what if you wanted to actually tackle the problem and clean up the system? In that case, you need a good rescue CD to help you boot into a live operating system. Doing so helps you scan and remove those malicious files even when the computer seems completely lifeless. In this article, we'll go over just how to do that.

Whenever you are trying to clean a system full of viruses and malware, you always have to expect the worst, and not being able to boot the computer properly is certainly a worst-case scenario. Or, it could be that the computer automatically restarts as soon as you log in. This prevents you from running known antivirus and other malware removal tools and utilities. In fact, even if the infected computer does boot properly, professionals often recommend scanning the computer in Safe Mode instead. This is recommended because when an infected computer is being scanned, the malware can hide itself in other processes, which makes detecting it a bit difficult. Also, the malware can lock certain files, which once again makes deleting them that much more difficult.
The solution to this problem is booting into Safe Mode and then proceeding with the usual malware scans. By booting into Safe Mode, Windows will only load the absolutely necessary drivers and services. No third-party software is loaded. By doing so, there is a better chance that the malware will not be loaded and therefore can be more easily detected and removed. But, like I mentioned earlier, there will be times when the system will not even boot into Safe Mode. In these situations, we need ourselves a couple of good rescue CDs to step in and do the dirty work.

What is a Live Rescue CD?


A live rescue CD (LRC) is a bootable CD that you can use to boot into a separate operating system environment that is totally independent from your hard drive's operating system. Confused? Don't worry. Think of it like this. When you turn on your computer, the system boots your operating system (Windows XP, Vista, 7) from your hard drive. With an LRC, the system boots the 'operating system' from the CD/DVD instead. This way, it shouldn't matter how corrupted your hard drive becomes because it's not being used to boot the operating system. However, when booting to an LRC, you usually still have access to the hard drive and all of its files. As you can see, this makes using an LRC a very attractive choice when scanning for malware. You can use the tools bundled in the LRC to scan for the infected files. This is the next best thing when compared to an offline scan (physically disconnecting the infected hard drive and scanning it as a slave on another good system). As always though, this LRC method is not 100% guaranteed to work in completely recovering your system. However, it does raise your chances of doing so that much more. If you can't even boot either normally or into Safe Mode, I don't really think you have much choice anyways!

You can use these links to jump directly to a specific section:

Hiren's Boot CD
F-Secure Rescue CD
Kaspersky Rescue CD
Manually Creating Your Own

Creating Pre-Built Live Rescue CDs


If you quickly need or want to build an LRC to scan a computer, then look no further than pre-built CDs. These pre-built LRCs usually already have tools built in that can be used free of charge. With these pre-built LRCs, all you need to do is download the .iso file, burn it to a CD or DVD and then boot from it.
As a side note, many LRCs can be used for much more than just malware scanning. With the right built-in tools, you can do things like partition your hard drive, scan your memory and hard drive for defects, export your data files to another drive, recover deleted files, reset user passwords and much, much more.


In the following tutorials, you will need:

- A free CD/DVD burning application to burn the downloaded ISOs. Windows 7 can do this by default.



- To be able to manually set your computer to boot from the CD/DVD drive first.


Hiren's Boot CD


This is certainly one of the best emergency boot CDs out there. Hiren's Boot CD has a bunch of built-in tools that allow you to perform a myriad of things besides just scanning your system for malware.
1. For some strange reason, the official home page for Hiren's Boot CD is located here. However, I can't seem to locate the download file! It does list all of the tools included with the build, though, so check it out to see what you're getting. Scroll to the bottom to view a list of all the antivirus tools included with the CD. This other website is dedicated to hosting the newest build of Hiren's Boot CD so I recommend you go here instead to download the latest build, which is at the moment at 10.1. The site is a little slow so give it some time to load.

2. Once you have downloaded and extracted the .iso file, it's time to burn it to a blank CD or DVD.

3. It's now time to test out our LRC. Pop it in and set up your computer to boot from the CD/DVD drive first. Once it loads, you will be presented with the main menu screen. You can now either choose to start the Hiren's BootCD or start in their Mini XP Mode. If you would rather work in a GUI interface, then select the Mini XP Mode. It will then proceed and you will be presented with a nice Windows XP interface. Remember though, this is NOT booting from your hard drive and everything was loaded from the boot CD so don't be alarmed!




4. Now we will begin with our malware scan on the infected hard drive. To access all of the tools built into Hiren's Boot CD, simply double-click on the HBCD Menu icon. Rather than click on the Browse Folder button, you'll want to instead click on the Menu toolbar. You'll then get to select the tool you want to use based on category. In our situation, we are interested in the Antivirus/Spyware category.



5. You are now free to select the tool you want to use. I highly recommend using the Kaspersky Virus Removal Tool, Malwarebytes, SmitFraudFix, Spybot Search & Destroy and Super Antispyware. You might find that some tools might not be able to run when in Mini XP mode so you might have to restart and select the other option instead when in the main menu.




F-Secure Rescue CD


Sometimes, it's not really necessary to download an entire LRC with all of those bundled apps that you know you're never going to use. If all you want is a simple LRC to scan for viruses, then there are two options you can choose from. The first is from the antivirus company F-Secure.

1. You can download the F-Secure Rescue CD from here. Note: this rescue CD doesn't have any tools other than their antivirus scanning software.

2. Burn the .iso file to a blank CD/DVD.

3. Set your computer to boot from the CD/DVD drive first. You'll then be presented with the main menu. Here, you'll want to select the Next button to continue with the scan. F-Secure will then proceed to download the virus definition database. Remember, an antivirus is only as good as its definition files. Therefore, make sure you are connected to the Internet. You can also use a USB drive to hold the definition files. Read the PDF manual on their site for more information on how to do this.



4. Once the updates are completed, we can now proceed. As usual, just hit the Next button to go over the licensing.



5. You'll then arrive at the Items to Scan section. Be sure to select the master boot record option as well as selecting your main hard drive. Do so by selecting the drive and hitting the spacebar. Then start the scan by hitting the Enter key.





Kaspersky Rescue CD


The Kaspersky Rescue Disk is very similar to the F-Secure Rescue Disk. Kaspersky is known as being one of the best antivirus vendors out there today.

1. You can download the Rescue CD from here.
Note: this rescue CD doesn't have any tools other than their antivirus scanning software.

2. Burn the resulting iso to a blank CD/DVD.

3. Insert the disc and configure your computer to boot from the CD/DVD drive first. You'll then be presented with the main menu. Press Enter to begin.



4. Once the GUI interface has loaded, head over to the update tab. Kaspersky will then begin updating its definition files. Be patient because this can take a while.



5. Once the update has completed, you can now scan your hard drive. This will take an even longer time so be patient! You might even want to let it run overnight if you have a lot of files.


Manually Creating Your Own Toolkit


If you're more of a do-it-yourself person, then you can also manually create your own malware scanning toolkit similar to what has been discussed so far. I've recently stumbled upon a random Microsoft article detailing the procedure and so I have decided to share it here. I have to say that while doing this might sound cool, it actually might not be as effective as, say, using the Hiren's Boot CD, because you have to manually choose your own tools and those tools must be mainly portable for it to work well, as you'll see later on.

Here are the article details: Malware Removal Starter Kit

Basically, what we're doing is manually creating a PE (pre-installation environment) so that we can load our tools for use. The PE can be treated as an LRC because it boots and loads from the CD/DVD. The hard part is not building the PE itself but actually deciding what tools work and what tools will not.

1. First off, I highly recommend you read over that Microsoft article. It provides a lot of basic information about malware and how it can get into systems. Even if you don't want to read everything, you'll still need to download it because the article provides the necessary command line arguments we will be using to create our malware removal kit. I'll still provide all the commands here though for those of you who don't want to download the manual.

One of the first and probably biggest hassles of this guide is downloading the Windows Automated Installation Kit. This download weighs in at about 992MB and it requires you to possess a validated Windows copy. So, I hope all of you have a fast connection! When that finishes, you'll have to burn that iso to a DVD and then install it onto your computer. Yes, I know. I've also wondered why they couldn't just make it into an executable file just like every other program. If you have DVD-RWs lying around, this is the perfect time to use them. Also, if you will be experimenting with different tools and utilities to add to your malware removal kit, using DVD-RWs is also perfect for testing your different builds. Otherwise, you'll be wasting a lot of DVDs.

2. Next, we will be gathering a set of tools to include in our malware removal kit. The Microsoft article suggests some really good stand-alone tools that we can integrate with our kit so we'll go ahead and download them.

-Avast! Virus Cleaner
-McAfee Labs Stinger
-Microsoft Software Removal Tool
-Spybot Search & Destroy

Those four tools are most likely to work. You can add in other tools but the problem here is that due to the environment that these tools will be running in, a majority of them will not work. Basically, the more portable the software is, the higher the chance of it working. If it relies on a lot of system files and whatnot, then it will most likely fail. I've tried a lot of different tools and here are some that have worked for me, although I can't guarantee their success in your case. I recommend you dump all of these tools in the same folder for easy gathering later on.

-Clamwin Portable = This is a must add. It is a full virus scanner. Other tools just inspect your files to see if a specific type of malware is present but this tool goes beyond that. Once downloaded, install it on your desktop and dump it in the folder along with all of the other tools listed here.
-A-Squared Free = This tool will have to be installed before being able to run, similar to Spybot's Search & Destroy.
-Kaspersky Virus Removal Tool
-Dr.Web CureIt! = This did crash my virtual machine with a BSOD. However, it could be because my virtual machine was practically empty when I tested this tool on it. Use this one at your own risk.
-SmitFraudFix

3. Once you have gathered all of your tools, it's finally time to build our kit. Head over to your Start Menu and find the Microsoft Windows AIK folder. Within it, you should see the Windows PE Tools Command Prompt. Right click on it and select Run as Administrator. You might not have to do this if you are running XP.

You'll then be greeted with a command prompt like so:



4. Next, we will be entering a lot of commands into this command prompt. Please do not worry about what's being entered! You don't have to understand one bit of it. Just keep copying, pasting and entering one line after the other and you'll be fine. The command lines are written in the guide but I'll go over them here as well. Remember, you don't have to decipher one bit of this!

It's recommended that you copy the command here, and paste it into the command prompt by right clicking inside it and choosing Paste followed obviously by hitting the Enter key. Also, remember to let each command finish processing before proceeding with the next.

copype x86 c:\WinPE

imagex /mountrw winpe.wim 1 c:\WinPE\Mount

reg load HKLM\_WinPE_SYSTEM c:\WinPE\Mount\windows\system32\config\system

reg add HKLM\_WinPE_SYSTEM\ControlSet001\Services\FBWF /v WinPECacheThreshold /t REG_DWORD /d 96 /f

reg unload HKLM\_WinPE_SYSTEM

mkdir c:\WinPE\mount\Tools

At this point, we need to copy our downloaded tools into a certain directory. Head over to C:\WinPE\mount\Tools. Copy our security tools downloaded earlier into this folder. You'll want to copy rather than move them because the tools will be gone after we create the iso image so if you still want them, don't forget this important part! Once done, we enter in more commands. When asked a Yes or No question, type in Yes. You'll need to do this for two of the commands here.

peimg /prep c:\WinPE\Mount

imagex /unmount c:\WinPE\Mount /commit

copy c:\WinPE\WinPE.wim c:\winpe\ISO\sources\boot.wim

oscdimg -n -bc:\WinPE\etfsboot.com c:\WinPE\ISO c:\WinPE\WinPE_Tools.iso

5. Once this part is completed, we are now ready to burn our newly created iso image! The iso file can be found at C:\WinPE and will be labeled WinPE_Tools.iso. Once again, use a free burning application or Windows 7 itself to burn it to a blank CD or DVD.



6. Insert the disc and set your computer to boot from the CD/DVD drive first. It will then load the Windows PE. Once you have a working command prompt, you are in business! To access all of your tools, simply type this in the prompt and hit Enter:

cd x:\tools

To see a list of all the tools, type in 'dir'. To start any of the tools, type in their complete file name along with the extension. For tools with spaces in their file names, you'll need to use quotation marks. For example, "Kaspersky Tool.exe".




Once you have burned the iso to a disc, you can safely throw away the WinPE folder. Anytime you want to add new tools to your kit, you have to start over and build it again.
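
Everything copied into C:\WinPE\mount\Tools in step 4 is baked into the image and later run against a machine you are trying to clean, so the downloads are worth checking before the copy. The PowerShell script below is an added example, not part of the original article or the Microsoft guide; it assumes PowerShell 4.0 or later, a hypothetical download folder C:\KitTools, and that the image is still mounted.

```powershell
# Added example: vet downloaded tools before they are baked into the WinPE image.
# Assumptions: PowerShell 4.0 or later; C:\KitTools is a hypothetical download folder;
# C:\WinPE\mount\Tools is the folder created with mkdir in step 4, image still mounted.
param(
    [string]$Source      = 'C:\KitTools',
    [string]$Destination = 'C:\WinPE\mount\Tools'
)

$Source = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')
if (-not (Test-Path -LiteralPath $Destination -PathType Container)) {
    throw "$Destination not found. Run the imagex /mountrw and mkdir commands first."
}

# Hash every file; check the Authenticode signature on executable formats.
$report = foreach ($file in Get-ChildItem -LiteralPath $Source -Recurse -File) {
    $sig = $null
    if ($file.Extension -in '.exe', '.dll', '.sys', '.msi') {
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    }
    [pscustomobject]@{
        Path      = $file.FullName.Substring($Source.Length + 1)
        SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Signature = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
if (-not $report) { throw "No files found in $Source." }

# A signed file whose contents no longer match its signature was altered: stop.
$altered = @($report | Where-Object { $_.Signature -eq 'HashMismatch' })
if ($altered.Count -gt 0) {
    $altered | ForEach-Object { Write-Warning "Altered after signing: $($_.Path)" }
    throw 'Nothing was copied. Download the flagged files again from the vendor.'
}

# Unsigned or untrusted files are common among portable tools; list them so their
# SHA-256 values can be compared with what the vendor publishes.
$report | Where-Object { $_.Signature -notin 'Valid', 'n/a' } | ForEach-Object {
    Write-Warning "$($_.Signature): $($_.Path)  SHA256=$($_.SHA256)"
}

# Copy (not move) the tools into the mounted image and keep a manifest beside them.
Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
$report | Export-Csv -LiteralPath (Join-Path $Destination 'manifest.csv') -NoTypeInformation
"{0} files copied; manifest written to {1}" -f @($report).Count, (Join-Path $Destination 'manifest.csv')
```

Run it in place of the manual copy in step 4, before the peimg /prep command; the manifest.csv it writes ends up at x:\tools on the finished disc, so you can later tell which build of each tool a given disc carries.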


As you probably have realized by now, the malware business is not something you should take lightly nowadays. More often than not you'll stumble into more infected computers than clean ones. By keeping one of these LRCs handy, you can have a quick, easy and, most importantly, effective way to scan those computers. The next time one of your buddies or family members bugs you for help, you'll know what to do.

 