How to Remove Malware (Part 2): Booting from a CD: Page 3
Using a boot CD to remove malware can be more effective than simply running an anti-malware software program.
In the example above, it is sharing A, B, C and X. B is something special created by the Ultimate Boot CD for Windows software and we're not interested in it. X is the UBCD4WIN CD itself, which we also don't need to bother with. Most computers don't have a floppy disk, this example does, only because it was run in a virtual machine.
We want to access the C disk on the infected machine. Obviously, on the clean machine we can't refer to the infected C disk as the C disk – every Windows computer already has a C disk. Instead we refer it with another letter, a process known as mapping.
Which letter? It doesn't matter, any letter not in use on the clean machine will work (for permanent network connections, which this is not, letters near the end of the alphabet are better - they avoid potential conflicts with Windows).
To start the mapping process, right click on the C disk, in the list of shared drive letters, and select Map Network Drive.
This brings up the window shown below.
The Z in the drive box means that we are about to create a Z disk on the clean computer. The folder box shows the true source of this mapped Z disk - the infected C disk. There is no need to have it reconnect at logon.
The newly created Z disk can be seen in My Computer (below) where it is classified as a network drive. This simply means that the Z disk files are on another computer on the network.
Now that the clean computer has a safe view of the infected C disk, run your favorite anti-malware programs and point them at the Z disk.
I say "programs" because no one anti-malware program is perfect. Not even close. At a minimum, I suggest running three programs. If you can though, the more you run the better. You may very well find that the fourth and fifth programs find things the first few missed. And if they don't, that's fine too.
One free anti-malware program that all Windows users have is Microsoft's Malicious Software Removal Tool. A few months ago, I wrote about running it manually. It has a customized scan that be run against a single drive letter.
If you are ambitious, you can save some time by deleting unnecessary files from the infected computer before scanning it.
Among the unnecessary files are the recycle bin, web browser cache, temporary files and old restore points. These files can be deleted either from within the infected machine (if it's still bootable) or externally using either the Ultimate Boot CD for Windows directly, or the mapped Z disk.
Deleting them from within the infected system is the easiest approach, as you don't have to know the underlying folder names. I would start with the disk cleanup feature. In Windows XP, right click on the C disk in My Computer, get the Properties, then click on the Disk Cleanup button.
If you make a disk image backup first, as noted earlier, then you should be able to safely remove all the old restore points.
In Windows XP you do this by turning off the System Restore feature (Control panel -> System -> System Restore tab). The Disk Cleanup feature can remove all the old restore points but leave the most recent one. You can also delete some old restore points by minimizing the amount of hard disk storage allocated to System Restore (Control panel -> System -> System Restore tab).
From inside the infected system, you may also want to disable hibernation, if it's being used. (Control Panel -> Power Options -> Hibernate tab). This deletes a very large file from the C disk.
Before scanning from a clean computer, you can safely remove the pagefile.sys file in the root directory of the infected hard drive (the mapped Z disk). This file holds temporary data while Windows is running. And since Windows is not running on the infected computer, it is not used. Windows XP will automatically create a new pagefile.sys when it starts up.
In the next article in this series, I write more about my experience removing malware from outside the infected system -- and I highlight comments from some anti-malware software companies on the difference between scanning from within vs. outside an infected copy of Windows.
Next: The Clean-Up.
May 19, 2009
Much of today’s malware uses very technically sophisticated defenses against detection, making it far tougher for users to remove.