Editor's Note: This article is the second in a three-part series.
In the first part of this article series, I made the case that scanning for malicious software (malware) is best done from outside the infected operating system. This negates whatever defenses the malware may have, by not letting it run at all.
We treat the C disk as a data disk rather than as a bootable system disk. The downside, however, is that this approach is harder than simply installing anti-malware inside the infected system and letting it scan away.
One approach to scanning from outside the infected system is to remove the infected hard drive and connect it to another computer. But there is a simpler way to accomplish the same thing: boot the infected computer from an operating system on a CD or USB flash drive. This lets us treat the infected hard drive as a data disk without moving it or touching it.
Many Linux distributions can boot and run from a CD or USB flash drive, but my preference is to use a CD-resident copy of Windows. One reason is that anyone with an infected computer is running Windows and thus they are already familiar with it.
Even having narrowed down the decision tree to booting Windows from a CD there are still two choices to be made.
The first is which bootable Windows CD to use. I know of two programs that can be used to create a bootable copy of Windows, Bart's Preinstalled Environment (BartPE) and the Ultimate Boot CD for Windows (UBCD4WIN). This article is about using Benjamin Burrows' Ultimate Boot CD for Windows.
The second choice is whether to run anti-malware software directly from the CD or from another computer over a network. This article is about the network option for a couple of reasons.
For one, it lets you run any anti-malware software. Both BartPE and UBCD4WIN are limited in the anti-malware software that can be included on the CD. Also, the anti-malware programs run and update themselves normally. The only thing that's different is pointing them to a shared network drive (more on this below). Running software from a CD is somewhat different from the normal Windows environment and takes a bit of getting used to.
That said, no matter what your approach to removing malicious software from a Windows computer, I strongly suggest starting off by making a disk image backup. Something can always go wrong. Even the best software, written with the best of intentions, can delete a critical file that Windows needs to run properly.
A disk image backup copies everything on the hard drive and most imaging software lets you restore individual files from the image backup. Hopefully that won't be necessary, but it's good to be prepared.
As noted in Part 1 of this article, I'm not going to cover the process of creating the UBCD4WIN CD. (Instructions are available on the web site.)
What follows are instructions for booting from a UBCD4WIN CD and sharing the infected C drive over the network. Then, from a clean machine with anti-malware software installed, you can safely scan the infected C disk. The screen shots are from version 3.50 of UBCD4WIN, which is the latest version.
Networking with the Ultimate Boot CD for Windows
The first screen you see when booting from an Ultimate Boot CD for Windows disc offers many choices. Experienced UBCD4WIN users can press Enter to start the system booting. If you are new to this, feel free to read the other options.
The system will continue booting in 30 seconds if you don't touch the keyboard. Be patient, booting from the CD is slow (there are instructions for creating a USB flash drive rather than a CD, but I haven't tried it).
During the startup you will be prompted about starting network support. Say yes.
This brings up a Network Profiles window. The default mode of operation, DHCP, should work for most people, so just click on the OK button.
There will be a few messages about assorted services starting up and then you'll see the PE Network Configurator.
Every computer on a network is assigned a unique number. On networks running TCP/IP (which almost all do) the number is referred to as an IP address. The DHCP mode of operation means that something on each network (often the router) is in charge of handing out numbers.
If you click on the DHCP Details button, you can see the IP address that was assigned to the computer running UBCD4WIN. A sample of the DHCP details is shown below. Make a note of the IP address, we'll use it later.
Next, we need to enable file sharing, so click on the File Sharing tab at the top.
To enable file sharing, simply click on the Start Sharing button at the bottom of the window. Fairly quickly, the yellow "Stopped" tab in the black status window above the button should change to a green "Started."
The last thing we need to do on this computer is assign a password to the administrative account. This is done in the middle of the window.
Enter your chosen password twice and click on the Set Password button. There is no need for a complicated password, as this is a temporary network connection. I found that "abc" worked just fine. We'll need to enter the password in a minute, so you may want to write it down.
Now, it's time to shift over to the clean computer, the one with your favorite anti-malware software installed. The screen shots below are from a Windows XP machine but Vista should work just as well.
The first step in connecting to the infected machine running UBCD4WIN is to ask it for a list of resources it's sharing on the network. The only shared resource we care about is the infected C disk.
To do this, click Start -> Run and in the Open box enter the IP address of the infected machine preceded by a pair of backslashes (see below). Then click the OK button.
At first nothing happens, but shortly you are prompted for a user name and password. The default user name of "administrator" does not need to be changed. Enter the password you just specified for file sharing and click OK. There is no need to remember the password.
The networking software on the UBCD4WIN computer responds with a list of shared disk drive letters.
In the example above, it is sharing A, B, C and X. B is something special created by the Ultimate Boot CD for Windows software and we're not interested in it. X is the UBCD4WIN CD itself, which we also don't need to bother with. Most computers don't have a floppy disk; this example has one only because it was run in a virtual machine.
We want to access the C disk on the infected machine. Obviously, on the clean machine we can't refer to the infected C disk as the C disk, since every Windows computer already has a C disk. Instead we refer to it by another letter, a process known as mapping.
Which letter? It doesn't matter, any letter not in use on the clean machine will work (for permanent network connections, which this is not, letters near the end of the alphabet are better - they avoid potential conflicts with Windows).
To start the mapping process, right click on the C disk, in the list of shared drive letters, and select Map Network Drive.
This brings up the window shown below.
The Z in the drive box means that we are about to create a Z disk on the clean computer. The folder box shows the true source of this mapped Z disk - the infected C disk. There is no need to have it reconnect at logon.
The newly created Z disk can be seen in My Computer (below) where it is classified as a network drive. This simply means that the Z disk files are on another computer on the network.
Now that the clean computer has a safe view of the infected C disk, run your favorite anti-malware programs and point them at the Z disk.
I say "programs" because no one anti-malware program is perfect. Not even close. At a minimum, I suggest running three programs. If you can though, the more you run the better. You may very well find that the fourth and fifth programs find things the first few missed. And if they don't, that's fine too.
One free anti-malware program that all Windows users have is Microsoft's Malicious Software Removal Tool. A few months ago, I wrote about running it manually. It has a customized scan that can be run against a single drive letter.
If you are ambitious, you can save some time by deleting unnecessary files from the infected computer before scanning it.
Among the unnecessary files are the recycle bin, web browser cache, temporary files and old restore points. These files can be deleted either from within the infected machine (if it's still bootable) or externally using either the Ultimate Boot CD for Windows directly, or the mapped Z disk.
Deleting them from within the infected system is the easiest approach, as you don't have to know the underlying folder names. I would start with the disk cleanup feature. In Windows XP, right click on the C disk in My Computer, get the Properties, then click on the Disk Cleanup button.
If you make a disk image backup first, as noted earlier, then you should be able to safely remove all the old restore points.
In Windows XP you do this by turning off the System Restore feature (Control Panel -> System -> System Restore tab). The Disk Cleanup feature can remove all the old restore points but leave the most recent one. You can also delete some old restore points by minimizing the amount of hard disk storage allocated to System Restore (Control Panel -> System -> System Restore tab).
From inside the infected system, you may also want to disable hibernation, if it's being used. (Control Panel -> Power Options -> Hibernate tab). This deletes a very large file from the C disk.
Before scanning from a clean computer, you can safely remove the pagefile.sys file in the root directory of the infected hard drive (the mapped Z disk). This file holds temporary data while Windows is running. And since Windows is not running on the infected computer, it is not used. Windows XP will automatically create a new pagefile.sys when it starts up.
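The mapping steps above and the external cleanup just described can be done from a PowerShell prompt on the clean machine instead of by clicking through the windows. This is an added example, not a script from the article or from the UBCD4WIN project; it assumes the IP address shown by DHCP Details, the file-sharing password you set, and the Windows XP folder layout for the recycle bin, temp and browser cache folders (the article does not name those folders). The check that Z: is a network drive is there so the deletions can never run against the clean machine's own C disk.

```powershell
# Added example (not from the article): map the UBCD4WIN share of the
# infected C disk to Z:, confirm Z: really is a network drive, then remove
# the files the article calls unnecessary before scanning.
$InfectedIp = '192.168.1.50'   # constructed value; use the address from DHCP Details
$Password   = 'abc'            # the temporary file-sharing password you set

# UBCD4WIN shares each drive under its own letter, so the infected C disk is \\IP\C.
# /PERSISTENT:NO matches "no need to have it reconnect at logon".
net use Z: "\\$InfectedIp\C" $Password /USER:administrator /PERSISTENT:NO
if ($LASTEXITCODE -ne 0) { throw "Could not map \\$InfectedIp\C to Z:" }

# Safety check: WMI DriveType 4 means "Network Drive". Stop if Z: is anything
# else, so the cleanup below cannot touch a local disk on the clean computer.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='Z:'"
if ($disk -eq $null -or $disk.DriveType -ne 4) { throw 'Z: is not a network drive; stopping.' }

# pagefile.sys is only used while Windows runs on the infected machine, which
# it is not right now; Windows XP recreates it at the next normal boot.
Remove-Item 'Z:\pagefile.sys' -Force -ErrorAction SilentlyContinue

# Recycle bin (RECYCLER on NTFS, Recycled on FAT), the Windows temp folder, and
# each user's temp and browser cache (assumed Windows XP layout).
$targets  = @('Z:\RECYCLER', 'Z:\Recycled', 'Z:\WINDOWS\Temp')
$profiles = 'Z:\Documents and Settings'
if (Test-Path $profiles) {
    foreach ($p in Get-ChildItem $profiles | Where-Object { $_.PSIsContainer }) {
        $targets += Join-Path $p.FullName 'Local Settings\Temp'
        $targets += Join-Path $p.FullName 'Local Settings\Temporary Internet Files'
    }
}
foreach ($t in $targets) {
    if (Test-Path $t) {
        Write-Host "Emptying $t"
        Get-ChildItem $t -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Z: is now ready: point each anti-malware program at Z:\ and, when finished,
# drop the mapping with:  net use Z: /DELETE
```

Nothing here deletes restore points or the hibernation file; as the article says, those are handled from inside the infected system.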
In the next article in this series, I write more about my experience removing malware from outside the infected system -- and I highlight comments from some anti-malware software companies on the difference between scanning from within vs. outside an infected copy of Windows.