Discussion on:

Rescue CDs: Tips for fighting malware

You're going to see a lot of "nuke and rebuild, it's the only way to be sure" responses.

Neither approach will always work, and what you do may depend on the quality of the original installation. If that was well-setup and patched, falling back to a baseline patch level with duuuhfault settings and no av etc. may be more likely to be re-infected than a well-setup, well-cleaned system is to be fully disinfected.

The collateral damage of "just" wiping and re-installing is huge, especially with the typical one-big-doomed-C: setup. Are your backups OK? Drivers for all hardware? Installation disks and product keys for all software? Know all your passwords? Does your OS install disk actually work safely on your PC? If that's XP Gold and your hard drive is over 137G, the answer is No.

If you can shrug and walk swiftly away from the above, leaving it as the user's problem to sort out, then sure; you may prefer "just" wipe and rebuild.

The problem is that a freshly-rebuilt system has to go online in an unpatched and undefended state, and is thus more likely to be re-infected than the original set up that was infected before. This is all the more true if the malware involved has an awareness of co-infected systems, and will actively re-assert the infection when these re-appear after being rebuilt.

Does that happen in real life, yet? I don't know. I haven't read about it, but it would seem an obvious thing for malware to do.

Having "just" wiped and rebuilt, you've also lost all forensics as to the original infection. You know zero about your attackers, whereas your attackers may know a great deal about the system as it was, and will be.

So, if you want to be ready for "it's infected again!", then the best may be to build a new system on alternate hard drive, patch and av-install it OFFLINE, then use that while you scan the original hard drive "from orbit" (offline, non-HD-boot).

In my case it depends on whether it's my computers or a clients. It also depends on whether the client is using a generic load and the users can not personalize their systems.

Yep, you hit the nail on the head.

In a pro-IT environment, there's a pro sysadmin to ensure that all the data that matters is on the server, and that this is backed up. The users are not supposed to "personalize" their PCs (for sound organizational reasons) and such PCs can be easily re-imaged from what has been set up to work best for the organization.

In consumerland, it is very different. Not only do you have dubious data backups, and a PC that has evolved in a unique way with no easy way to rebuild this, you may also have the entire family's IT infrastructure in that one box.

If you were to advise a business to "just" wipe not only the infected PC, but every PC and server throughout the organization (and perhaps backups as well), you'd prolly be told to take a hike, no matter how effective this may be at killing the malware.

Yet in effect, this is the usual advice dished out to consumers - partly because it is pro-IT that have the loudest and most respected voices, and partly because of an arrogant assumption that end users can't possibly posess any material that "matters".

with "that a freshly-rebuilt system has to go online in an unpatched and undefended state" because both antimalware/antivirus and patches can be applied (and often are) before going online with a fresh install. It only makes sense to upgrade a system as much as possible before going online. I install much of my protection software from a USB stick which is in my pocket everyday except Sunday, my day off.

Yes, I know what you mean - you can and should patch as far as possible, install an av and update it, and ensure the firewall is on and wireless is secured before going online for the first time.

In practice, it's easy to attain the latest baseline SP level and install an av. It's more fiddly to apply all subsequent patches offline, and update the av offline, too.

The point I was trying to make, but failed to contextualize properly, is that there's no "100% effective free lunch" here. The skills you need to rebuild an arbitrary consumer's PC back the way they'd like it without promptly having it re-infected, approach those needed to clean it.

In both cases, it helps if the original installation didn't suck. However, the usual duhfault installation will fail to separate incoming crud from user data (default web browser download target "My Documents", emaul attackments hidden in mail stores, IM attachments also arriving in "My Documents", etc.) and this can bring back the problem when the PC is blindly wiped, rebuilt, and "data" is restored from backups.

How do you maintain an up-to-date all-inclusive collection of OS patches? Do you use USB flash drives, or write-protectable SD cards?

Where USB storage is concerned, I can set a PC so it doesn't auto-infect itself from USB storage (not as simple as it should be) but I can't prevent writable USB storage from being infected by malware'd systems. I'd definitely want to do that, to protect my offline update repository!

Hello,

Here a couple more titles to add to your list:

PC Tools' AOSS:
http://www.pctools.com/aoss/details/

Panda SafeCD:
http://research.pandasecurity.com/panda-safecd-3-4-3-5-released/

I've used each software title on different malware clean-up jobs and both of them worked with very good success.

Cheers!

I like it that I am getting more choices.

These scans can take hours, so how do you draw the line on how much time you spend on the customer site? I try not to spend too much time on-site and try to get the machine back to my shop. To do the job right can take many hours of research,scanning and updates, only to have to do a data-save and reinstallation anyway.

I spend very little time on site, if the problem is not clearly defined and therefore requires a re-establishing of all "assumed OK" levels of abstraction.

So PCs that "just don't work", "won't boot", "became very slow", crash in varying ways, mysteriously can't update their antivirus or use unexpectedly high outgoing Internet bandwidth, get pulled and worked on off site.

I don't bill clock time, but productive hours. I have enough old 14" CRT monitors to run several PCs in MemTest or other low-res environments, and newer monitors to run more in hi-res environments.

So hours of unattended "click and wait" don't cost the client much, and are great CYA for me; I seldom have to apologise for losing the contents of a hard drive because it was failing and I hadn't checked that, or because I "just" re-installed Windows without discovering the RAM was bad.

The full process takes some days, sped up by separating the hard drive from the rest of the PC. In-house monitoring of RAM test results (i.e. leaving PCs to MemTest86 for as long as they aren't needed, and noting how many throw thier first error after what was previously considered "long enough" to test) suggests 24 hours is close to exclusionary (only 1 PC threw its first error after that, in the last several years). By that time, the hard drive has often completed all its tests, so no extra clock time is wasted.

Sure, it's quicker to "just" wipe and rebuild, and only go "duh, maybe the hardware's bad?" when that fails to complete, and maybe if you're working for a large box-pusher or OEM under pressure from management, that's what you have to do.

It's also cheaper for the client to lean over the fence for free neighborly advice, which may go further in quality terms.

So if you're claiming to add value, i.e. be worth paying to do this properly, you should be going that extra mile IMO.

Many of my clients have files too important to back up, just to wipe and reinstall. So spending some time trying to reduce the virus probablility is worth it, before backing up these needed files. Some of them don't even mind running with malware still active on the PC, as they have no personal information on the PC in the first place; and have no data needing to be backed up. I figure it is the clients decision as long as the personal ID risks are discussed. They figure as long as the PC runs well, they can deal with the infection later.

Many times I bother to remove the malware just so I can continue to learn this; it has improved my troubleshooting skills also. I actually like doing this - however, so I can't blame IT types for nuking the drive.

When I worked as an employee on contract, our CIO didn't want us wasting time removing malware, so we would simply start over. However, we had a server image we could work with, and sometimes the individual machine actually ran better after restoring the image. This image was fully updated of course.

This way we didn't have to reinstall all application, etc. The only thing extra to do was point the clients My Documents to the network share, where their files were actually stored - unless they had a shared printer, but that wasn't too bad.

My primary mission is to try as hard as possible to prevent infection with a deep defense. This has worked pretty well, as my clients rarely need help after I get them up to snuff with the latest in security tech.

Hiren's boot cd has several malware removal programs installed. They are updateable through a wireless connection, and has firefox installed.

I have used that Live CD before and it has an amazing number of apps. It never gets tested, though. I assume it's because the Live CD doesn't have a major AV application. But, MBAM and GMER should be just fine.

I was "rescued" recently by using the Avira AntiVir CD, to eliminate a rootkit infection on my wife's Toshiba laptop. I was not able to use a USB drive as this is not an option in the BIOS. But for the one-time use that I required, burning a CD with the current (at that time) database was sufficient, and solved the problem that no other virus scan under Windows was resolving. (The Vista laptop had current AVG 9 antivirus software, but this did not stop the infestation by Koopface, which also corrupted the AVG files "to protect itself?") Creating my own Rescue CD also saved me $150 that the GeekSquad would have charged to remove the virus/rootkit. Thanks AVIRA!

I love hearing experiences like yours. Thank you for sharing.

My experience using an Avira Rescue CD is that it can do online updates over a wired connection but not over wireless. Also, keep a Windows installation CD nearby because if any system files are infected and you choose to rename them or delete them (these are options you choose before scanning) then you may not be able to boot your computer after it's been cleaned. In this case I suppose a repair installation would be required and thats what the Windows installation CD is for.

I agree completely, very good advice.

wholeheartedly. Great practice.

The easiest way to replace the infected system files is the recovery console (in Windows XP) or the WinRE recovery disk (in Vista and 7). Both can be accessed from the Windows CD or DVD (if you are lucky enough to get one).

Recovery Console is particularly useful for fixing early-boot issues such as bad boot records and Boot.ini, but isn't an OS, in that it can't run other programs.

It also needs pre-applied settings if it is to access drives other than C:, and even then, it can't do wildcard copies, so it's not useful as a way to evacuate a system before "just" wiping and rebuilding it.

In contrast, WinPE is a bootable subset of Windows that should be able to run more programs than it does in practice. Getting WinPE was obstructed by licensing issues until Vista; since then, you can download the massive Windows AIK that includes it.

Bart PE is a free alternative to WinPE, developed by Bart. It's a small download, and has a well-developed plugin architecture to integrate other software, but it is bound to the XP code base. Unlike WinPE, it has a GUI as well as command line interface.

WinRE is an offshoot of WinPE, replacing XP's Recovery Console as it includes similar "fix it for me" tools.

If you didn't get shafted by the big-brand practice of "recovery" disks (or worse, hard drive material and no disks at all) then your Vista or Windows 7 DVD can function as a "WinPE", offering as it does the same command line OS. Long overdue!

Windows NT won't work (boot) if you copy it as loose files from one hard drive to another, even if you copy all files, assert the correct boot records and code, etc. For this reason, you should use a partitioning image tool to back up C: (and is a good reason to keep C: small).

BING (Boot It NG) can do this, as can DriveImage XML (free). BING is a bootable disk in itself; DriveImage runs from Bart. I haven't tried DriveImage from 32-bit or 64-bit WinPE and related MS bootable disks.

There's a very real risk that a formal (Rescue CD, or other methods that ensure the infected code base does not run) cleaning will knock out crucial files and prevent the system from booting thereafter.

But even when a repair install is possible (XP or older, a full installation disk is to hand, the product key is known, the disk is safe for the size of the hard drive), it has undesibale effects, such as losing patches, spawning new user accounts, resetting activation status and needing device drivers.

A cleaner approach is to ensure you log all the files that are cleaned, and re-apply these via your Rescue CD, or (at a pinch) the Recovery Console.

If the OS is XP or 2000, you can use the Nirsoft ProduKey tool from a Bart Rescue CD via the RunScanner plugin, to get the installation's product keys as required when you "just" do the repair install.

Unfortunately, what happens in a lot of shops, is not only does the tech resort to "just" re-installing Windows far too easily, but a warez XP install disk is used to avoid activation hassles. And because all warez costs the same ("zero"), they use XP Pro even if your installation (and license) was XP Home.

Then you sit with WGA hassles, and a very messy path to clrean this up.

My daughter's computer was infected with a search links redirect so that when she clicke on a link in Google it would take her somewhere else. We tried everything we could to remove it (MWB, SuperAntiSpyware, Spybot, etc., etc) and none of the could fix the proble.

The Avira Rescue CD found one file and renamed it and the computer would no longer boot. A windows XP repair install and 2 service packs later + the re-installation of all hardware drivers and the computer booted up and the Windows version of Avira caight a file called pci.sys.xxx and quarantined it. That was the infected file that I could not get rid of when Windows was running and it was the file that the Rescue CD had renamed.

I tell you all this because I could have saved a lot of time if I had scanned with the rescue CD first to see what file was infected and then scanned to rename or remove it and then used my Windows install cd to go to the command console and restore that particular file.

That would have saved me hours worth of work but you live and learn.

Are all files really being scanned? If you make a user private in XP or give them a password you cant browse the drive if you connect it to a host PC via a USB converter.

I have used UBCD4WIN several times before with great success. Bootable Rescue CDs have been a system saver on numerous occasions. Excellent list of available options, Michael.

Check out Trinity Rescue Kit (TRK). It contains several AV and Malware tools in one kit and most can be updated online. TRK can be made as either a CD or bootable USB drive. It is not easy for a beginner as it is all command line driven. Definitely print out the manual before hand.

The comma after, "Before,.." -- I took it to be the "oops" you were talking about.

Two other things: (1) Yes, I'm reading closely with great interest, and (2) 'splain to folks your insistence that I do this.

Thanks for the correction.

Great article and wonderful comments! Information such as this is so very beneficial to all. Thanks so much!

A good option is to make yourself a UBCD4WIN, it uses diverse malware scanners which you can update before creating the CD, and again before you need the scanner (that definition of course is lost at next reboot). This tool includes many other free tools like registry editors etc which will often come in handy.

http://ubcd4win.com

It is another good choice.

Is that it doesn't update over the Net. You have to burn a new copy before each job, this isn't a problem for me but here Michael specifically said that he wanted to list Rescue Cd's that don't require reburning.

However I've found the UBCD4Win to be an excellent choice and it's part of my tool kit along with the Trinity Rescue CD, F Secure, Avira Rescue CD, Ubuntu Rescue Remix, and Bit Defender. I don't rely on just one when I have a nasty one though I do prefer to start with the latest version of UBCD4Win then the Trinity Rescue Kit.

The bigger guns get pulled out if I need to dig any deeper.

Col

I would like to hear your thought on the AVG rescue CD or if you could try it some time and get back to us. You see more action than I do in this regard.

I'm certainly no expert on these things I just Muddle my way through problems as I hit them, unfortunately way too often for my personal liking. These problems are very time consuming to cure and I personally prefer to clean the systems and then save any data before wiping and reloading/reimaging if I'm given the chance.

But I haven't used the AVG Rescue CD so I'll add it to the list and give it a go.

Col

From reading your many musings, I feel otherwise and am fortunate that you comment on my work.

That said, please let me know what you think about AVG. Members seem to be all over the map about them.

Hello HAL 9000,

Would you mind offering more info as it relates to UBCD4 not updating over net? Are you using Ethernet or wireless connectivity that's failing to update? Which specific viral tool are you using from UBCD?

Thanks,


bremc

I would venture to say that it might also be that not all hardware is supported by the UBCD4Win. I've had instances where it has not updated because it did not have drivers for the specific hardware. Workaround for this is to either use D-Link's USB-Ethernet adapter or a generic Realtek NIC (I carry both with me always).

The burnt Copies do not update over the Net like for instance F Secure do You need to make a new Disc before you go out to a job to use the cleaners so when you go into the Build Option you can update the Cleaners before going any further. Or at least the cleaners that I use like Malware Bytes and so on.

With the UBCD 4 Win I always burn a new Disc before going to a new job and I tend to not bring the burnt Disc back after I finish that particular job.

Maybe the UBCD4Win has changed with any recent changes as I've had this copy for a while now and have got used to making a new Disc whenever I get hit with one of these jobs. I don't know but the version that I'm using works very well but it's different to some others like the Trinity Rescue CD which is a burn once and use forever or in my case till I loose it, as it updates the Definitions over the New well the wired connection and loads the updates into the created RAM Drive that is lost when the system is shut down. Not too sure about WiFi Drivers or how well this one works with them as I don't use WiFi all that much.

Col

and do agree it is a great tool to have in the kit. By the way I'm on my final setup of what I've wanted for some time. I have a 32GB stick which I've loaded with all sorts of ISO files of live CDs like we're discussing in this thread. The stick is setup to boot using the Pendrive method and will try to use the PLoP disk to help boot up the systems that refuse to boot straight from the stick.

And have been impressed so far. It allowed me to boot a very old notebook.

I've been setting up my latest USB 32GB with Pendrive loading it with all my CDs and DVDs and having a PLoP CD handy for PCs/laptops as you mention that won't boot a USB. So far I'm enjoying. It does take a bit of setup of the Pendrive list as older CDs must be updated there in order to boot and have begun adding more that are not on the list, such as the CDs you have listed and some others mentioned in this forum. Also have a folder with my own tools that sometimes are necessary for troubleshooting, testing, installing, etc.

Most of these options sound great until you get dirty. I am now realizing the PLoP CD has to be rebuilt more than I thought. So definitely not the answer.