Tuesday, July 30, 2013

Howto: Recovery from a Windows virus

Over the weekend, I was called into service to help a relative. Her machine had been infected with a virus and she didn't have the skills to clear it up, so she called me. I'm happy to help and am quite capable of helping. I've been imaging computers for more than 14 years.

I have no experience with virus removal and I don't think I need it. Here's the reason why: viruses are unpredictable. Once infected, there is no way of knowing for certain that the virus is gone. I know this from reading over the years how virus writers cover their tracks, find unique hiding places to evade detection and prepare to re-install again on the next boot.

There is a story about Steve Ballmer and viruses, and no, this isn't about his love for Linux. His neighbor came to him with a computer one day. The computer was very slow and the neighbor asked Ballmer if he could repair the computer. Ballmer took the computer in and spent a couple of days trying to clean it up. Then he surrendered the computer to his IT staff and asked them to clean it up. But there was no possible way to clean it up as there were hundreds of viruses on the system.

So I began in earnest with a plan to help restore my relative's computer:

  • Backup the data.
  • Wipe the computer.
  • Install Windows.
  • Run updates until there are no more.
  • Install Office.
  • Run updates until there are no more.
  • Install antivirus.
  • Run updates until there are no more.
  • Restore personal data.
  • Image the disk so that we don't have to do this again.
There is a general rule of thumb I follow with any suspect machine. When backing up personal data, NEVER use the host operating system to do the backup. The reason for this is simple: viruses can infect USB drives. To backup the files, I always use a Linux live CD like Ubuntu Gnome, or Knoppix Live CD. This way, I can safely copy the files to another disk.

Once the backup of personal data is done, I'm ready for the next step: wiping the disk. Viruses can hide almost anywhere on a disk. But they can't live on it without structure. Structure on the disk is the file system and the partition table. Viruses have been found in the partition table, the file system table and in the boot sector of a hard drive. The partition table tells the hardware where to find data on the disk. The file system tells the operating system where to find files. Installing Windows again with the partition table, boot sector and file system intact is a big NO-NO. Wipe them out and the virus has no other place to hide.

Wiping the hard disk is not that hard to do. Boot the computer with Knoppix to get started. I use Knoppix because unlike Ubuntu, Knoppix gives me ready access to the root account and I can run the shred command from there. Once Knoppix is loaded, l open a command line and type the following commands:

su - (this makes me root)
shred -n3 -z -v /dev/sda (this command wipes the hard drive)

The su - command takes me right to root without a password. The shred command will write random 0s and 1s from the beginning of the hard drive to the end. For re-installs, I only do one partial pass, but the command above is what I'd use to wipe a hard drive clean before letting anyone else have it. To deal with the virus, I let the shred process run over a couple of gigabytes of space for good measure, then I'm done and can move on to the next step, installing Windows XP.

Some of you may already be familiar with this part. I've done this many times, more than I wish to recount. But it needs to be done here. So I boot to a Windows XP installation CD. I learned the hard way that it's important to disconnect all other external media from the machine during the boot process. By mistake, I did that and Windows proceeded to install on drive E. No, it didn't erase my external drive. I had disconnected that before the boot process was complete. But the installation program did assign the letter E to the boot disk in the computer. I didn't realize this until it was too late and had to start over again.

The next time I started the install, I verified that the boot drive was assigned letter C and allowed it to proceed. About 40 minutes later, Windows XP was installed.

This was a Dell machine and the owner had saved all of the disks, so I could easily install all of the drivers. I started with chipset, video, audio and saved the network for last. Once the network drivers were installed, I began testing the network. 

For some reason, Comcast does something funny with DNS and it just doesn't work. So I use Google DNS (, to ensure that the network adapter can see the internet.

Now I'm ready to run updates. But they don't work and I'm not sure why. I recall that Windows XP Service Pack 2 is no longer supported. I download and install Service Pack 3. Run updates again and they still don't work. I do some research from my phone to discover a tool offered by Microsoft to solve this problem. But when I navigate to the page hosting that tool with Internet Explorer 6, I am invited to install Internet Explorer 8. I download that and install it.

Now Windows Update works. I run updates for about an hour. There were 121 updates to download and install. I reboot. I run Windows Update again, and again with a few reboots, until no more updates are available.

Then I install Microsoft Office. Again, I run Windows Updates until there are no more available. I have to reboot here, too.

At this point, I'd like to point out a contrast between Windows and Linux. With Windows, I spent more than two hours updating an installation from CD. With Linux, this would not happen. With Linux, after running updates just once after an installation from CD, all of the updates are complete. With Windows 7, the update times are shorter, but they will grow longer over the years. With Linux, there is no need to install years of updates to the operating system. The developers keep it up to date.

Now that Windows and Office are installed, it's time for the antivirus. My relative has paid for Norton Antivirus, so I'm going to install that. The install is uneventful. Everything works fine. I see that Norton AV has changed a lot. They've gone black for that bad-ass look. I run updates until there are no more available.

Now I use Norton to scan the files I recovered from the computer before re-installing Windows. I plug in the external hard drive and run a scan. It's clean so I can restore the files to her user profile.

Now it's time for the image. I don't want to lose all of my hard work so I run an image of the computer to an external hard disk, the same one I used to store the data I recovered data from the computer before. I like to use Clonezilla. It's very reliable and it's open source software. In less than 20 minutes, the image process is complete and I have a bit for bit image of the computer.

If there is another virus, I can use this image to restore all that work from before with much less effort since it's been captured in the image.

This time, though. The odds of another virus have been slimmed down. Previously, my relative had been running her computer as a local administrator of her computer. This means that she has full run of the computer. Administrator rights means, you can install software, hardware or even damage your computer with no protest from the operating system.

If you're running as admin on your computer and you come into contact with a virus, you won't know that your computer has been infected. Most viruses install silently, without notice. The virus has all the rights you have. Even if you have antivirus installed, the antivirus software won't stop you from clicking "I agree" to install a virus on the computer.

For this install, my relative will now run her computer as a normal user and use the admin account to install software or hardware. 95% of the threats to Windows XP have no power unless you/re an admin. That's a huge decrease in risk.

So that's how I like to install Windows after a virus infection. I use the nuclear option against the virus and re-install Windows. If you like this article, please share it with your friends and leave a comment below.
Post a Comment