How to Remove Malware (Part 2): Booting from a CD
Using a boot CD to remove malware can be more effective than simply running an anti-malware software program.
Editor's Note: This article is the second in a three-part series.
In the first part of this article series, I made the case that scanning for malicious software (malware) is best done from outside the infected operating system. This negates whatever defenses the malware may have, by not letting it run at all.
We treat the C disk as a data disk rather than as a bootable system disk. The downside, however, is that this approach is harder than simply installing anti-malware inside the infected system and letting it scan away.
One approach to scanning from outside the infected system is to remove the infected hard drive and connect it to another computer. But there is a simpler way to accomplish the same thing: boot the infected computer from an operating system on a CD or USB flash drive. This lets us treat the infected hard drive as a data disk without moving it or touching it.
Many Linux distributions can boot and run from a CD or USB flash drive, but my preference is to use a CD-resident copy of Windows. One reason is that anyone with an infected computer is running Windows and thus they are already familiar with it.
Even having narrowed down the decision tree to booting Windows from a CD, there are still two choices to be made.
The first is which bootable Windows CD to use. I know of two programs that can be used to create a bootable copy of Windows, Bart's Preinstalled Environment (BartPE) and the Ultimate Boot CD for Windows (UBCD4WIN). This article is about using Benjamin Burrows' Ultimate Boot CD for Windows.
The second choice is whether to run anti-malware software directly from the CD or from another computer over a network. This article is about the network option for a couple of reasons.
For one, it lets you run any anti-malware software. Both BartPE and UBCD4WIN are limited in the anti-malware software that can be included on the CD. Also, the anti-malware programs run and update themselves normally. The only thing that's different is pointing them to a shared network drive (more on this below). Running software from a CD is somewhat different from the normal Windows environment and takes a bit of getting used to.
That said, no matter what your approach to removing malicious software from a Windows computer, I strongly suggest starting off by making a disk image backup. Something can always go wrong. Even the best software, written with the best of intentions, can delete a critical file that Windows needs to run properly.
A disk image backup copies everything on the hard drive and most imaging software lets you restore individual files from the image backup. Hopefully that won't be necessary, but it's good to be prepared.
As noted in Part 1 of this article, I'm not going to cover the process of creating the UBCD4WIN CD. (Instructions are available on the web site.)
What follows are instructions for booting from a UBCD4WIN CD and sharing the infected C drive over the network. Then, from a clean machine with anti-malware software installed, safely scan the infected C disk. The screen shots are from version 3.50 of UBCD4WIN, which is the latest version.
Networking with the Ultimate Boot CD for Windows
The first screen you see when booting from an Ultimate Boot CD for Windows disc offers many choices. Experienced UBCD4WIN users can press Enter to start the system booting. If you are new to this, feel free to read the other options.
The system will continue booting in 30 seconds if you don't touch the keyboard. Be patient; booting from the CD is slow. (There are instructions for creating a USB flash drive rather than a CD, but I haven't tried it.)
During the startup you will be prompted about starting network support. Say yes.
May 19, 2009
Much of today’s malware uses very technically sophisticated defenses against detection, making it far tougher for users to remove.