This is a series of notes on dealing with PC malware (viruses, worms and the like) gathered because I’m looking into it and published as a way of reminding myself about this stuff. Bear in mind that I’m not an expert but neither am I a complete dunce – I’m normally a Unix or Linux person but I’ve been keeping half an eye on Windows infections for years.<\/p>\n
Some links to tools are contained within. However you should be aware that tool recommendations change over time; you will need to check how outdated this document is before following any recommendations blindly.<\/p>\n
At present this blog entry is a work in progress … lots of testing needs to be done before being confident this is right.<\/p>\n
This is not :-<\/p>\n
The process of removal can be destructive, and in the worst cases you can end up cleaning the malware and ending up with a brick. So make an image of the hard disk as it is. Two basic ways this can be done :-<\/p>\n
This will be slow<\/em>. So be it. Cleaning an infected PC is not going to be a quick job whatever you do. The best you can hope for is that there are many periods where you can leave it churning away and get on with something else.<\/p>\n There are those who tell you that there is no need to boot off a known uninfected disk to clean an infected machine; their anti-malware\/virus product can clean an infected machine “live”. There are others who claim that the only way to be sure is to boot off that disk and clean the machine that way. Both are wrong.<\/p>\n If you are paranoid (and in the presence of malware paranoia is fully justifiable), you will do both.<\/p>\n As suggested previously after booting off a rescue disk and cleaning, boot the infected machine and clean again.<\/p>\n The following is a list of rescue CD’s that have been suggested :-<\/p>\n Some of the above are Windows based; some are Linux based. The choice of which to use should be based on results<\/em> not whether they tickle your prejudices (or mine!).<\/p>\n The following is a list of “live” tools to be installed that have been suggested :-<\/p>\n Nothing to do with the main subject. Merely some notes worth mentioning.<\/p>\n It seems that at least some malware can detect it is running within a virtual environment. In some cases it ceases to do anything, and in others may try to “break out”. This indicates that analysing malware within a virtual environment may not give sensible results, and in some cases may be dangerous! That is not to say that using a virtual environment is no longer of any use, but you may need to take special case such as running the virtual environment under Linux and\/or ESX rather than Windows. And be careful about negative results.<\/p>\n","protected":false},"excerpt":{"rendered":" This is a series of notes on dealing with PC malware (viruses, worms and the like) gathered because I’m looking into it and published as a way of reminding myself about this stuff. Bear in mind that I’m not an expert but neither am I a complete dunce – I’m normally a Unix or Linux […]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_share_on_mastodon":"0"},"categories":[489,226],"tags":[43,817,844,370],"class_list":["post-1815","post","type-post","status-publish","format-standard","hentry","category-security","category-working-notes","tag-linux","tag-malware","tag-rescue","tag-windows","category-489-id","category-226-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"share_on_mastodon":{"url":"","error":""},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p1f2KI-th","_links":{"self":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/1815","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1815"}],"version-history":[{"count":9,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/1815\/revisions"}],"predecessor-version":[{"id":1819,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/1815\/revisions\/1819"}],"wp:attachment":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}2. Boot A Rescue CD<\/h3>\n
3. Boot Infected Machine and Clean<\/h3>\n
Tools<\/h2>\n
\n
\n
Asides<\/h2>\n