Editor's Note: This article is the first in a three-part series.
There are only two ways to remove malicious software from an infected Windows machine: with the infected operating system running or not.
The easy way, of course, is from within the infected copy of Windows. Just download anti-malware software, install it, run it and get on with your life. The problem is, this may not work.
Much of today’s malicious software features very technically sophisticated defenses against detection. Recently researchers at the University of California at Santa Barbara took control of the Torpig botnet and wrote a paper about the experience. Their description of how the software infects a computer is fascinating. The sophisticated approach makes the malware very hard to detect by any software running within the corrupted copy of Windows.
Steve Gibson, in his Security Now podcast, offered another lesson about the many defenses malware (in this case the Conficker worm) employs to prevent detection. It's frightening and impressive and makes plan B, scanning from outside the infected operating system, the obviously better approach.
Given this, there are, again, two ways to go.
When I first broached this subject, I suggested removing the infected hard disk and connecting it a USB port on another computer using a special cable. But, there's another approach to access the infected hard drive while still bypassing the infected operating system, one that lets the hard drive remain inside the infected computer.
Boot the infected computer using a CD, DVD or USB flash drive and run another operating system off the bootable media.
It takes Windows where it was never meant to go – to a CD. That is, it creates a bootable CD that runs a stripped down copy of Windows XP.
Although UBCD4WIN runs XP, the computer on which it runs can have any version of Windows installed. Like a normal copy of XP, the version that runs off the CD can read/write any hard drive partition formatted with the NTFS, FAT or FAT32 file systems.
The original intent of the Ultimate Boot CD for Windows was to run assorted diagnostics against the host computer (my term). Included in these diagnostics are a handful of antivirus and antispyware applications such as Avira's AntiVir, McAfee's Stinger and Super Antispyware.
There are some problems, though, with running anti-malware software from the Ultimate Boot CD for Windows.
For one thing, running anything off a CD is slow (the forums have instructions, which I didn't test, for creating a USB flash drive rather than a CD). Then too, the list of available applications is small. This is because removing malware is not the only purpose of the CD, space is limited (unless you burn a DVD) and the software must be free.
Also, the applications run a bit differently from the CD than they do in a normal copy of Windows. For example, finding the date the software was last updated can be an adventure. And, if something goes wrong, you need to know that there is a RAM drive on B that sometimes needs to be cleared.
All these issues can be avoided, however, by running your favorite anti-malware programs on a normal copy of Windows and accessing the infected C disk over a LAN.
I spoke to Mr. Burrows about this idea and, surprisingly, he hasn't gotten much feedback from users doing this. Beats me why.
Setting up networking and file sharing on the computer that booted the Ultimate Boot CD for Windows is a bit different from normal Windows XP networking. Part 2 of this article will offer detailed step-by-step instructions.
What will not be covered are instructions for creating the Ultimate Boot CD for Windows. There are many steps involved and you need a Windows XP CD (an OS CD rather than a recovery CD/DVD). Build instructions are available on the website or see this series of videos.