So you’ve found yourself fighting a machine loaded to the gills with crap. Lucky you. Hopefully this helps make the job a little easier. I deal with spyware on pretty much a daily basis. I hate it. The only ones who like it are the ones making money off of it, and I don’t mean the poor techs stuck cleaning up the mess.
This article is geared more toward Windows XP/2k, though it can apply to earlier releases. Some of this may be useful to the home user, but it may be more helpful to those who have to work on many machines (for work, for family, for the neighborhood). I’m open to comments; I’d love it if someone would suggest better methods to accomplish any of the tasks I describe. I’d also appreciate hearing about other utilities that are used.
Please remember that these are not rigid instructions that should be followed to the letter. This is not a how-to that anyone can pick up and follow. Do not blame me if anything you do messes up the PC you are working on. This article’s main purpose is to provide tips to those who may not have heard of some of these tools or who want a better way of dealing with spyware. This is also a work in progress. I’ll clean it up a bit as I smooth out the details.
Section 1: Learn to love BartPE
“I say we dust off; nuke the site from orbit – it’s the only way to be sure.”
– Ripley, Aliens.
If you know a drive is infected, why trust anything on it, the OS included? A handy BartPE image with an installation of ClamWin (plugin) and up-to-date definitions helps a lot. You can boot off the CD, scan the HDD and be reasonably confident that the worst of the files are gone. The downside is that the system needs a decent amount of RAM and a working CD-ROM that your BIOS can boot from; neither is a problem for any reasonably modern PC. Before something like BartPE came along, I’d yank the whole drive out, hook it up to another PC and scan it there.
Building the BartPE image and adding ClamWin are left as exercises for the reader. BartPE has plenty of documentation, and it’s not as hard as it may seem at first. You can forget about BartPE unless you have access to Windows XP installation media.
Remember to unpack the ClamWin definitions before running the program. If you have a broadband connection, you can even use the online update to get the latest defs right from within BartPE.
Unless you edit the plugin’s clamwin.conf before burning the image, you will need to set ClamWin manually to move or delete the infected files. I have it move them into a quarantine directory, something like c:\quar or c:\qtn. That way a critical file that gets moved by mistake can be put back, and the files stay around if they are needed for further analysis.
While ClamWin scans, go watch a movie or do something much less stressful than cleaning up a PC. It will take a while anyhow.
When the scan is over, make sure to save a copy of the log to the HDD, and note what viruses were found. It’s a good idea to look them up and check out what, if any, other changes may be needed to remove them entirely.
After a good scan with ClamWin, you can also use a file manager to browse around looking for suspicious files. Looking at the Windows and System32 directories sorted by date can make some malicious files show up easily. Knowing what’s good and what’s bad still takes a trained eye, but it will give you a list of files that you can look up, inspect closer, or move out of the way temporarily (perhaps to the quarantine directory made for ClamWin). You may also want to take a look around the Program Files directory, and the Common Files directory under there. A less common place for them to hide is in the Application Data folder under individual users, but it’s worth checking out.
If you’re a fan of McAfee Stinger, you can also run that from BartPE. I haven’t had as much success with it as I have with others. I prefer ClamAV/ClamWin and Trend Micro Damage Cleanup. I have had issues running TMDC under BartPE, so I run that in safe mode.
If you’ve found any other interesting BartPE plugins, or if you have anything else you want to do while booted from BartPE, do it now. As you may have noticed, BartPE ignores the ACLs on the hard drive, so you can see everything. Because of that, now is a good time to clean out the temporary files. You can try this little tempcleaner program I scripted up quickly in Python, but it may not work for everyone. If you run it from BartPE, it’s a good idea to run it again in Safe Mode. The script I wrote cleans out the temp directories for each user as well as the system-wide temp directories. It also clears the Temporary Internet Files folders. Another side effect of being booted off the CD is that the script can actually remove the index.dat files that you can’t delete while you’re logged in.
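An added example of the same idea, written for this article and not the author’s own tempcleaner script: walk a mounted XP/2000 drive from outside the running OS, find the system Temp directory and each profile’s Temp and Temporary Internet Files folders, and empty them (index.dat included, since nothing holds it open offline). It assumes the standard "Documents and Settings" layout, and the sample drive it operates on is constructed in a scratch directory.

```python
import shutil
import tempfile
from pathlib import Path

# Disposable locations, relative to the mounted drive root. Assumed to match a
# stock Windows XP (WINDOWS) or 2000 (WINNT) install; extend as needed.
SYSTEM_TEMP_DIRS = ["WINDOWS/Temp", "WINNT/Temp"]
USER_TEMP_DIRS = ["Local Settings/Temp", "Local Settings/Temporary Internet Files"]


def temp_dirs(root):
    """Yield every temp directory that exists under root, one set per profile."""
    root = Path(root)
    for rel in SYSTEM_TEMP_DIRS:
        if (root / rel).is_dir():
            yield root / rel
    profiles = root / "Documents and Settings"
    if profiles.is_dir():
        for profile in profiles.iterdir():
            for rel in USER_TEMP_DIRS:
                if (profile / rel).is_dir():
                    yield profile / rel


def clean_temp(root, dry_run=False):
    """Empty each temp directory but keep the directory itself.
    Returns the removed paths (relative to root) so the caller can log them."""
    root = Path(root)
    removed = []
    for d in temp_dirs(root):
        for entry in d.iterdir():
            removed.append(str(entry.relative_to(root)))
            if dry_run:
                continue
            if entry.is_dir() and not entry.is_symlink():
                shutil.rmtree(entry, ignore_errors=True)  # Content.IE5, index.dat, etc.
            else:
                entry.unlink()
    return removed


def build_sample_drive():
    """Constructed sample: a fake XP drive layout inside a scratch directory."""
    root = Path(tempfile.mkdtemp())
    for f in ["WINDOWS/Temp/setup.log",
              "Documents and Settings/alice/Local Settings/Temp/~tmp1.tmp",
              "Documents and Settings/alice/Local Settings/Temporary Internet Files/Content.IE5/index.dat",
              "Documents and Settings/alice/My Documents/keep.doc"]:
        (root / f).parent.mkdir(parents=True, exist_ok=True)
        (root / f).write_text("x")
    return root
```

Run with `dry_run=True` first and check the returned list before letting it delete anything.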