Heal and Inoculate Your PC
Change Your Boots
Severe infections can render a normal Windows install completely unusable, but we have a couple of tricks up our sleeve for infiltrating a broken OS.
1: Boot into Safe Mode
Sometimes you need to attack malware before it has a chance to load, and by the time Windows boots to the desktop, it’s already too late. It might be that your system no longer responds to your input or does so with a sluggishness that makes even accessing the Start menu a time-consuming chore. Or it may be that the infection’s interfering with your AV and spyware scanners, shutting them down before they can run. It may seem dire, but by booting into safe mode, you can frequently squash the scourge wreaking havoc on your PC.
Reboot your system and hit F8 before the Windows splash screen comes up. This takes you to the Windows Advanced Options Menu, where you can select Safe Mode with Networking using your keyboard. Windows will proceed to load with only basic drivers, allowing you to disinfect your system while the offending programs lay dormant. Perform any scans as you normally would, and make sure to update your virus or spyware definitions beforehand. Because you chose the Networking option, you’ll have Internet access in case you need to download additional programs.
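If the F8 window is too short to catch, the same safe-mode switch can be queued from an administrator command prompt and removed again once the cleanup is done. This batch script is an added example, not part of the original article: it assumes a single-boot XP system whose Windows entry is id 1 in boot.ini (check with bootcfg /query first) or Vista's {default} boot entry, and the script name and backup file name are assumptions.

```batch
@echo off
rem safe_net_boot.bat (hypothetical name): queue Safe Mode with Networking for
rem the next reboot instead of racing the F8 prompt. Run as an administrator.
rem   safe_net_boot.bat on    -> next boot is Safe Mode with Networking
rem   safe_net_boot.bat off   -> put the normal boot entry back
setlocal
set "INI=%SystemDrive%\boot.ini"
if /i "%~1"=="on"  goto :enable
if /i "%~1"=="off" goto :disable
echo usage: %~nx0 on ^| off
exit /b 1

:enable
ver | find "Version 5." >nul
if errorlevel 1 goto :vista_on
rem XP keeps boot options in boot.ini (read-only, system, hidden). Back it up,
rem then append the switch to OS entry 1; on a dual-boot box run "bootcfg /query"
rem first and change /id to the Windows entry you are cleaning.
attrib -r -s -h "%INI%"
copy /y "%INI%" "%INI%.bak" >nul
bootcfg /raw "/safeboot:network" /a /id 1
attrib +r +s +h "%INI%"
bootcfg /query
goto :done
:vista_on
rem Vista keeps the same option in the BCD store instead of boot.ini.
bcdedit /set {default} safeboot network
bcdedit /enum {default}
goto :done

:disable
ver | find "Version 5." >nul
if errorlevel 1 goto :vista_off
if not exist "%INI%.bak" (echo no boot.ini backup found & exit /b 1)
attrib -r -s -h "%INI%"
copy /y "%INI%.bak" "%INI%" >nul
attrib +r +s +h "%INI%"
bootcfg /query
goto :done
:vista_off
bcdedit /deletevalue {default} safeboot
bcdedit /enum {default}

:done
endlocal
```

Run it with "on", reboot, do your scans, then run it with "off" before the next restart; otherwise every boot will keep landing in safe mode.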
2: Make Your Own Boot CD
When all else fails, enlist the help of Bart. No, not Bart Simpson, BartPE. Bart’s Preinstalled Environment is a bootable live CD that every tech should carry in his toolbox. Sometimes a system gets so mucked up, you can’t even get into safe mode. Booting off a BartPE CD allows you to access the infected hard drive and run diagnostics, scan for viruses and spyware, or in more extreme cases, extract data in preparation for a fresh install.
To get started, grab your original Windows installation CD. Download the self-extracting installer (free, http://nu2.nu/pebuilder/) and install it on a clean system. The app will prompt you for the location of your Windows CD, and you’ll want to check the Burn to CD/DVD radio button. Next, click the Plug-ins button, bringing up a list of optional add-ons to include on your CD. Many of the entries are outdated and some are second-rate programs, so we’re going to add our own. Head over to http://tinyurl.com/3bg68a and download the Spybot S&D plugin. Unpack the RAR file and move the contents to C:\pebuilder3110a\plugin, or wherever you installed BartPE. Next we need to find a working, up-to-date virus scanner that’s easy to install, and the open-source ClamWin fits our criteria. Download the plugin from http://oss.netfarm.it/winpe/ and extract the contents to the same location. Now return to the BartPE window and hit the Refresh button. Both of your new plugins should be displayed, and if they’re not enabled by default, highlight each one and click the Enable/Disable button. Finally, close the window and click Build.
Insert your new BartPE CD into the infected system and in your BIOS configure the PC to boot from the optical drive. You do this by hitting the delete key during POST (if that doesn’t work, try F1, F2, or ESC). Dig around for the boot device priority menu and make sure the optical drive is listed before your Windows hard drive. Hit F10 to save and exit, and the computer will take over from there.
From within BartPE you can even run anti-spyware apps like Ad-Aware
After BartPE loads, you’ll be greeted with a snazzy GUI similar to Windows’s, complete with a Start menu alternative. Click the Go menu and select Programs to access the plugins you installed. Spybot can be run right away, but for ClamWin to work, you first need to select “Unpack Current Virus Definitions to Ramdisk,” then proceed to scan your system. By default, ClamWin only reports the infections it finds. To quarantine viruses, select Preference from the Tools menu and select the Quarantine option under the General tab. If you need to browse or extract data from your hard drive (and now would be a good time to do that), navigate to Programs and select “A43 File Management Utility,” which will look familiar to anyone who’s ever used Windows Explorer.
Restore and Repair
You cleaned your system of malware, but did the infections leave your system broken? Let's fix it!
1: Check for Errors
By and large, the majority of malware writers are amateur programmers who create sloppy code that can do more damage than originally intended. Maybe your hard disk suddenly makes a clicking or grinding noise, or perhaps Windows told you it found corrupt files and suggested running the check disk utility. That’s good advice to follow anytime you’ve finished a malware disinfection, even if there are no visible symptoms of disk corruption.
Under My Computer, right-click the hard drive that contains your OS (presumably the C: drive) and select Properties. Click the Tools tab and then the Check Now button under the Error-checking section. A new window will open with two check boxes asking if you want the utility to automatically fix file-system errors and scan for bad sectors. Check both of these boxes and click the Start button. Because the scan needs exclusive access to the drive, it can’t run while Windows is running from it; another window will pop up asking if you’d like to schedule the scan to run the next time you reboot. Select Yes, and then restart your system. The larger your hard drive, the longer the scan will take, so now would be a good time to grab a bite to eat or clean out the garage.
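The same check from a command prompt, as an added example that is not part of the original article: chkdsk’s /F and /R switches are the two check boxes, fsutil reads the NTFS dirty flag beforehand, and chkntfs confirms the scheduled check afterwards. The script name and the optional drive argument are assumptions.

```batch
@echo off
rem check_disk.bat (hypothetical name): command-line twin of the Error-checking
rem dialog. Run as an administrator.   Usage: check_disk.bat [drive:]
setlocal
set "VOL=%~1"
if "%VOL%"=="" set "VOL=%SystemDrive%"

rem NTFS sets a "dirty" flag when a volume was not shut down cleanly; if it is
rem already set, autochk will run at the next boot anyway.
fsutil dirty query %VOL%

rem /F fixes file-system errors, /R also scans for bad sectors and recovers what
rem it can (the two check boxes). The system drive is always in use, so chkdsk
rem asks whether to schedule the check for the next restart; piping Y answers
rem that prompt. On a data drive with open files the same Y instead agrees to a
rem forced dismount, so close everything on that drive first.
echo Y | chkdsk %VOL% /F /R

rem Confirm: chkntfs reports whether the volume is dirty and whether a check
rem has been scheduled manually to run on the next reboot.
chkntfs %VOL%
endlocal
```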
2: Fix a Broken Boot
We’ve all had that sinking feeling in the pit of our stomachs when Windows suddenly refuses to load. At first you’re in denial, and then panic sets in as you realize that no amount of hard resetting is going to bring about the desired result. To add insult to injury, Windows may taunt you with the dreaded “NTLDR is missing” error message. It’s likely that a virus corrupted either your boot sector or master boot record, but there’s an easy fix.
Grab your Windows CD and boot from it, just as you would if you were installing Windows from scratch. But instead of performing a fresh install, XP owners will hit R to bring up the recovery console. At the prompt, type fixboot and hit Enter; then try rebooting your system. If Windows still won’t load, go back into the recovery console and type fixmbr. Vista owners needn’t fuss with any commands—simply boot from the install DVD, select Repair, and follow the prompts. Vista will automatically fix boot errors and may restart several times before it finishes.
3: Reinvigorate with Restore
Earlier, we promised we wouldn’t throw in the towel, and we meant it. Instead, we’ll try heroic measures to return Windows to a state that predates any damage caused by malware infestation.
The first method uses Windows’s built-in System Restore utility, which works best when run from within safe mode. The second, a repair install, needs an install CD that matches your service pack: if you’re running XP with Service Pack 2 installed, make sure your Windows install CD has SP2 already integrated onto the disk. If it doesn’t, you’ll need to first create a slipstreamed copy; you can do this by following the steps at http://tinyurl.com/4n7y5.
Restore is like having a virtual time machine, without all that expensive flux capacitor upkeep. Best of all, using System Restore won’t cause you to lose any saved documents or emails. How’s that possible? System Restore takes snapshots of key parts of your system at various times—for example, just before installing unsigned drivers or software—allowing you to undo changes that may have caused your PC to malfunction. To roll back your installation, navigate to the Start menu > All Programs > Accessories > System Tools and select System Restore. Follow the prompts, and be sure to go back to the last time your PC operated correctly.
If you disabled System Restore or don’t have a snapshot that represents a healthy system, you still have one more option at your disposal: a repair install. A repair install does just what it says; it fixes Windows by restoring critical system files from the install DVD, but it won’t overwrite your installed programs, saved data, or system settings.
To initiate a repair install, boot from your Windows CD. Do NOT choose the option to repair from within the recovery console; instead hit Enter to install XP. After accepting the user agreement, you’ll be asked to select the installation of Windows you wish to repair (you’ll only see one unless you’re dual-booting). Select the install you need to repair, and then sit back and let the CD work its mojo. When it’s finished, you should have a functioning copy of Windows, albeit an unpatched one. Head over to Windows Update and plug up all those security holes again, just as you would on a fresh installation.
Sidebar: Top 5 Virus Hoaxes and Pranks
Viruses are no laughing matter, but some of the hoaxes and pranks making the rounds are good for a giggle.
1. Good Times: Users were warned that simply opening an email with Good Times in the subject line would erase their hard drive, destroy their processor, demagnetize any nearby electronics, and kill their dog.
2. 48 Hours: This relatively recent hoax claimed that hovering your mouse cursor over the infected email was enough to activate it, wiping out not just your hard drive, but your rig’s BIOS too.
3. Life Is Beautiful: Emails circulated warning of a PowerPoint presentation called Life is Beautiful that, if clicked, would erase your hard drive and give the sender your username, email, and password.
4. Honor System: This email contained no payload, instead asking recipients to manually delete all files on their hard drive and to forward the message to everyone in their contact lists. Participation, of course, was completely voluntary.
5. Lion’s Den: Aptly named, Lion’s Den originated from a porn site looking to draw hits. The email warned of a new deadly virus, providing a link for more information. Instead, recipients got an eyeful.