This section assumes that either you or the virus scanner has identified the infected files. Get on the Web and learn as much about the virus as you can from a reliable source to help in its extraction.

Viruses like Remote Explorer install themselves as a Windows NT service. If you have identified the malicious service’s name, go to Control Panel → Services → Startup → Disable. This will prevent the malicious service from automatically restarting during a reboot.

As in the detection process, we are trying to keep the virus out of memory so we can disinfect it. In Windows 3.x, 9x, or NT with FAT partitions, consider booting from a known clean DOS disk and getting to a DOS prompt. NTFS partitions will require a clean NT boot diskette.

If a virus scanner doesn’t clean the virus out of the host file, you should delete the file and restore it from a clean source. Often I’ll rename suspected or identified virus files with a .VIR extension. With that extension, they are not likely to cause further harm, but it allows me to reverse the process if I’m mistaken.
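The rename-to-.VIR step only stays reversible if you keep a record of what was renamed. The following Python script is an added example, not code from the book: it appends `.VIR` to each suspected file (keeping the original name intact in front of it, a convention chosen here) and writes every rename to a small JSON manifest so that `restore()` can undo the quarantine for anything that turns out to be a false positive. The manifest file name and the sample file names in the demonstration are constructed for this example.

```python
"""Quarantine suspected files by renaming them with a .VIR extension.

Added example (not the book's code). Each rename is logged to a manifest
so the step can be reversed if a file turns out to be clean. The
"append .VIR" convention and the manifest name are choices made here.
"""
import json
import os
from pathlib import Path

QUARANTINE_EXT = ".VIR"                      # appended; original name is kept
MANIFEST_NAME = "quarantine-manifest.json"   # assumption: our own log file


def _load_manifest(path):
    return json.loads(path.read_text()) if path.exists() else []


def _save_manifest(path, entries):
    path.write_text(json.dumps(entries, indent=2))


def quarantine(paths, manifest_dir):
    """Rename each suspected file to <name>.VIR and log the rename.

    Returns the list of new paths. Missing files and files that already
    carry the .VIR extension are skipped, so re-running is harmless.
    """
    manifest_path = Path(manifest_dir) / MANIFEST_NAME
    entries = _load_manifest(manifest_path)
    renamed = []
    for p in map(Path, paths):
        if not p.is_file() or p.suffix.upper() == QUARANTINE_EXT:
            continue
        target = p.with_name(p.name + QUARANTINE_EXT)
        if target.exists():          # never clobber an earlier quarantined copy
            continue
        os.replace(p, target)
        entries.append({"original": str(p), "quarantined": str(target)})
        renamed.append(target)
    _save_manifest(manifest_path, entries)
    return renamed


def restore(manifest_dir):
    """Undo every rename still recorded in the manifest (false positives).

    Entries whose quarantined file is gone, or whose original name is
    already taken again, are left in the manifest for manual review.
    """
    manifest_path = Path(manifest_dir) / MANIFEST_NAME
    restored, remaining = [], []
    for e in _load_manifest(manifest_path):
        q, o = Path(e["quarantined"]), Path(e["original"])
        if q.is_file() and not o.exists():
            os.replace(q, o)
            restored.append(o)
        else:
            remaining.append(e)
    _save_manifest(manifest_path, remaining)
    return restored


if __name__ == "__main__":
    import tempfile
    # Constructed sample: two fake "infected" files in a scratch directory.
    work = Path(tempfile.mkdtemp())
    for name in ("SAMPLE1.EXE", "SAMPLE2.DLL"):      # constructed names
        (work / name).write_bytes(b"sample contents")
    print(quarantine([work / "SAMPLE1.EXE", work / "SAMPLE2.DLL"], work))
    print(restore(work))
```

Because the manifest lives next to the files, boot from the clean disk, run the quarantine, and keep the manifest with your incident notes; once the replacement files from a known clean source are in place, the `.VIR` copies and the manifest can be deleted together.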
If a virus has modified your startup areas (i.e., the registry, WIN.INI, SYSTEM.INI, AUTOEXEC.BAT, CONFIG.SYS, WINSTART.BAT, DOSSTART.BAT, or the Startup group), you will want to clean up those areas. In Windows 98 you can use MSCONFIG.EXE to disable any malicious startup programs. On the other platforms, you will have to manually edit the necessary files.
Most people are not registry experts and don’t feel comfortable making customized changes to the registry. In these cases, it may be easier to restore a previously saved copy of the registry over the virus-modified version in order to stop virus programs from launching on startup. The Registry menu option in REGEDIT.EXE allows complete copies, or just parts, of the registry to be exported and imported.
Warning
Restoring an older copy of your registry can cause problems because legitimate changes are also wiped out.
- Windows 95 registry restoration
The copies of the Windows 95 registries, SYSTEM.DA0 and USER.DA0, can be copied over their respective registry cousins, SYSTEM.DAT and USER.DAT. You will need to use a boot disk to be able to overwrite the registry. The Windows 95 CD-ROM includes a utility called Emergency Recovery Utility (ERU). It can be used to create a Windows 95 emergency boot diskette with copies of your registry and startup configuration files, such as AUTOEXEC.BAT and CONFIG.SYS.
- Windows 98 and ME registry restoration
Windows 98 and ME include the Registry Checker (Start → Programs → Accessories → System Tools → System Information → Tools → Registry Checker), which can be used to back up your registry at any time. It is also run at each bootup, and if it finds a corrupt registry, it will replace the bad version with a copy. The Registry Checker (SCANREG.EXE) keeps your five most recent registry versions. You can boot to DOS and run SCANREG /RESTORE to restore any of the five copies.
- Windows NT registry restoration
Windows NT’s registry editor, REGEDT32.EXE, can be used to save and restore parts of, or whole, registries. You can also use the RDISK.EXE program with the /S parameter to back up the registry database to an Emergency Repair Disk. Then you can use NT’s Repair option to restore the registry from disk. Unfortunately, Windows 2000’s RDISK command does not back up the registry, as it is too large to fit on a single diskette.
Unlike 9x’s ability to automatically make a backup copy of the registry and save each copy to a file after each successful restart, Windows NT stores only part of the registry as a backup. Even stranger, the backup copy is stored in the current registry. The different copies of the HKLM\System hive, which documents which devices and services to start during the NT bootup process, are stored in separate Control Sets. NT usually maintains three different control sets, CurrentControlSet, ControlSet001, and ControlSet002, under the HKLM\System hive. During boot up, NT prompts you with the message, “Select L to load Last Known Good Configuration.” If you choose this option, NT will load the registry settings listed in ControlSet002. Otherwise, ControlSet001 is loaded and becomes the CurrentControlSet.
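Both the startup-area cleanup above and the control-set discussion come down to reading a few configuration artifacts that you can copy off the suspect disk after booting from a clean diskette. The following Python script is an added example, not code from the book: it inventories the `load=`/`run=` lines of WIN.INI, the commands in AUTOEXEC.BAT (or WINSTART.BAT), and the Run/RunOnce values from a REGEDIT export, and it resolves which `ControlSetNNN` is Current, Default, and LastKnownGood from the `HKLM\SYSTEM\Select` key, which records the actual numbers rather than assuming 001 and 002 as in the common case described above. The sample file contents, key contents, and program names are constructed for the demonstration.

```python
"""Inventory Windows startup areas and resolve NT control sets from copied
configuration files (added example, not the book's code).

Inputs: WIN.INI text, AUTOEXEC.BAT/WINSTART.BAT text, and a REGEDIT4 .reg
export containing the Run key and HKLM\SYSTEM\Select. Samples are constructed.
"""
import re
from configparser import ConfigParser

# --- constructed samples (program names are made up) ------------------------
WIN_INI = "[windows]\nload=C:\\WINDOWS\\SAMPLELD.EXE\nrun=\n[fonts]\n"

AUTOEXEC_BAT = """@ECHO OFF
REM constructed sample
SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND
C:\\WINDOWS\\SAMPLEAU.EXE /q
"""

REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Sample"="C:\\TEMP\\SAMPLEUP.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000002
"""

RUN_KEYS = {r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE"}
SELECT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\Select"
BATCH_NOISE = {"REM", "ECHO", "SET", "PATH", "PROMPT", "CLS"}  # not programs
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Turn a REGEDIT4 .reg export into {key: {value_name: data}}.

    Quoted strings are unescaped and dword values become ints; anything
    else (hex:, multi-line data) is kept as raw text.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and _VALUE_RE.match(line):
            name, data = _VALUE_RE.match(line).groups()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            elif data.startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys


def startup_entries(win_ini, autoexec, reg_text):
    """Return (source, command) pairs for everything launched at startup."""
    found = []
    ini = ConfigParser(strict=False, interpolation=None)
    ini.read_string(win_ini)
    for opt in ("load", "run"):                   # WIN.INI [windows] load=/run=
        value = ini.get("windows", opt, fallback="").strip()
        if value:
            found.append(("WIN.INI " + opt + "=", value))
    for raw in autoexec.splitlines():             # batch file: anything run
        line = raw.strip()
        word = line.lstrip("@").split(" ")[0].upper() if line else ""
        if word and word not in BATCH_NOISE:
            found.append(("AUTOEXEC.BAT", line))
    for key, values in parse_reg_export(reg_text).items():
        if key.upper() in RUN_KEYS:               # registry Run / RunOnce
            label = "HKLM\\...\\" + key.rsplit("\\", 1)[1] + " "
            found.extend((label + n, str(v)) for n, v in values.items())
    return found


def resolve_control_sets(reg_text):
    """Map Current/Default/Failed/LastKnownGood to ControlSetNNN names.

    A value of 0 (Failed when nothing has failed) maps to None.
    """
    select = parse_reg_export(reg_text).get(SELECT_KEY, {})
    return {name: (f"ControlSet{num:03d}" if num else None)
            for name, num in select.items() if isinstance(num, int)}


if __name__ == "__main__":
    for source, command in startup_entries(WIN_INI, AUTOEXEC_BAT, REG_EXPORT):
        print(f"{source:28} {command}")
    print(resolve_control_sets(REG_EXPORT))
```

Compare the inventory against what you expect to be on the machine; anything you cannot account for is a candidate for the MSCONFIG or manual edit described above. The control-set map tells you which numbered set Last Known Good would actually load, so you can inspect that set’s Services subkey (Start value 4 means disabled, 2 automatic, 3 manual) before relying on it.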
Using most Windows system recovery tools requires that you take the steps to back up, save, and record the system while it is in clean health. These tools do little to help you after a malicious code attack if you haven’t done your prework in preparation for a disaster recovery event.
First, always make a system startup diskette during the system’s installation, or at least have one copy on hand from a similar machine. With most Windows operating systems, you can make an emergency recovery diskette that records critical system files and settings. Windows 9x allows you to make one during install. NT 4.0 uses RDISK.EXE /S. Windows 2000 uses Start → Programs → Accessories → System Tools → Backup → Tools → Create an Emergency Repair Disk. The registry in Windows 2000 is too large to fit on one disk. In order to back up the registry, make sure to perform a full tape backup (including backing up the system state). Startup disks can be used to boot the machine and access the disk partition while minimizing the chances that a virus is in memory. The ERD can be used to restore some system files and the registry (not in 2000).
- Backing up the system state
Windows 2000, ME, and XP have the ability to back up and restore crucial system files. Windows ME does it automatically, to the disk, every 10 hours of up-time with the System Restore feature. Windows XP does it after every driver replacement or system upgrade. In Windows ME choose Start → Programs → Accessories → System Tools → System Restore → Choose a Restore Point, and then choose a date when you know your system was clean. Windows will bold all dates that contain a system restore point. The Windows 2000 system state feature is a part of the MS Backup program and will back up boot files, system files, the registry, and all files protected by WFP. To back up the system state in Windows 2000 use Start → Programs → Accessories → System Tools → Backup → Backup → System State. You can then back up the system state with the MS Backup program. When you restore the system state it is an all or nothing decision. The system state restoration cannot be done on a selective file-by-file basis.
- Windows Recovery Console
The Windows 2000 Recovery Console is a text mode command-line tool that allows an administrator to access the hard disk of a Windows 2000 system, regardless of the file system used. The Recovery Console allows you to manage files and folders, stop and start services, and repair critical system files (including the registry, boot sector, MBR, and partition table). It is an excellent tool for removing computer viruses. In order to be used, you must install the console after Windows 2000 is already running. Place the Windows 2000 install CD-ROM in your drive, choose Start → Run → <CD-ROM drive letter>\i386\WinNT32.EXE /cmdcons, and hit Enter. Follow the instructions and restart your PC when prompted. In certain situations, like a corrupt registry or boot sector, Recovery Console will start automatically and carry out repairs. The console contains many other commands, like CHKDSK, FIXBOOT, and FIXMBR (which are covered elsewhere). Type in HELP at the console prompt for a complete list of commands. After you install the Recovery Console for the first time, it becomes a menu option you can access during bootup by hitting F8.