Editor's Note: This article is the second in a three-part series.

In the first part of this article series, I made the case that scanning for malicious software (malware) is best done from outside the infected operating system. This negates whatever defenses the malware may have by not letting it run at all. We treat the C disk as a data disk rather than as a bootable system disk. The downside, however, is that this approach is harder than simply installing anti-malware inside the infected system and letting it scan away.

One approach to scanning from outside the infected system is to remove the infected hard drive and connect it to another computer. But there is a simpler way to accomplish the same thing: boot the infected computer from an operating system on a CD or USB flash drive. This lets us treat the infected hard drive as a data disk without moving it or touching it. Many Linux distributions can boot and run from a CD or USB flash drive, but my preference is to use a CD-resident copy of Windows. One reason is that anyone with an infected computer is running Windows and thus they are already familiar with it.

Two Choices

Even having narrowed the decision tree down to booting Windows from a CD, there are still two choices to be made. The first is which bootable Windows CD to use. I know of two programs that can be used to create a bootable copy of Windows: Bart's Preinstalled Environment (BartPE) and the Ultimate Boot CD for Windows (UBCD4WIN). This article is about using Benjamin Burrows' Ultimate Boot CD for Windows.

The second choice is whether to run anti-malware software directly from the CD or from another computer over a network. This article is about the network option, for a couple of reasons. For one, it lets you run any anti-malware software; both BartPE and UBCD4WIN are limited in the anti-malware software that can be included on the CD. Also, the anti-malware programs run and update themselves normally. The only thing that's different is pointing them to a shared network drive (more on this below). Running software from a CD is somewhat different from the normal Windows environment and takes a bit of getting used to.

That said, no matter what your approach to removing malicious software from a Windows computer, I strongly suggest starting off by making a disk image backup. Something can always go wrong. Even the best software, written with the best of intentions, can delete a critical file that Windows needs to run properly. A disk image backup copies everything on the hard drive, and most imaging software lets you restore individual files from the image backup. Hopefully that won't be necessary, but it's good to be prepared.

As noted in Part 1 of this article, I'm not going to cover the process of creating the UBCD4WIN CD. (Instructions are available on the web site.) What follows are instructions for booting from a UBCD4WIN CD and sharing the infected C drive over the network. Then, from a clean machine with anti-malware software installed, you can safely scan the infected C disk. The screen shots are from version 3.50 of UBCD4WIN, which is the latest version.

Networking with the Ultimate Boot CD for Windows

The first screen you see when booting from an Ultimate Boot CD for Windows disc offers many choices. Experienced UBCD4WIN users can press Enter to start the system booting. If you are new to this, feel free to read the other options. The system will continue booting in 30 seconds if you don't touch the keyboard. Be patient; booting from the CD is slow. (There are instructions for creating a USB flash drive rather than a CD, but I haven't tried it.) During the startup you will be prompted about starting network support. Say yes.

This brings up a Network Profiles window. The default mode of operation, DHCP, should work for most people, so just click on the OK button. There will be a few messages about assorted services starting up, and then you'll see the PE Network Configurator.

Every computer on a network is assigned a unique number. On networks running TCP/IP (which almost all do) the number is referred to as an IP address. The DHCP mode of operation means that something on each network (often the router) is in charge of handing out these numbers. If you click on the DHCP Details button, you can see the IP address that was assigned to the computer running UBCD4WIN. A sample of the DHCP details is shown below. Make a note of the IP address; we'll use it later.

Next, we need to enable file sharing, so click on the File Sharing tab at the top. To enable file sharing, simply click on the Start Sharing button at the bottom of the window. Fairly quickly, the yellow "Stopped" tab in the black status window above the button should change to a green "Started."

The last thing we need to do on this computer is assign a password to the administrative account. This is done in the middle of the window. Enter your chosen password twice and click on the Set Password button. There is no need for a complicated password, as this is a temporary network connection. I found that "abc" worked just fine. We'll need to enter the password in a minute, so you may want to write it down.

Now it's time to shift over to the clean computer, the one with your favorite anti-malware software installed. The screen shots below are from a Windows XP machine, but Vista should work just as well. The first step in connecting to the infected machine running UBCD4WIN is to ask it for a list of resources it's sharing on the network. The only shared resource we care about is the infected C disk. To do this, click Start -> Run and in the Open box enter the IP address of the infected machine preceded by a pair of backslashes (see below). Then click the OK button. At first nothing happens, but shortly you are prompted for a user name and password. The default user name of "administrator" does not need to be changed. Enter the password you just specified for file sharing and click OK. There is no need to remember the password. The networking software on the UBCD4WIN computer responds with a list of shared disk drive letters.
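The connection step above, written as an added example that is not part of the original article: a cmd.exe batch script run on the clean machine that does what the Start -> Run dialog does (log on to the UBCD4WIN host as "administrator" and list its shares) and then maps the infected disk's share to a drive letter so the installed anti-malware can scan it. The IP address, password and share name are passed as arguments; the share name, the Z: drive letter and the use of the IPC$ share for the initial logon are assumptions, since the article only says the host returns a list of shared drive letters.

```batch
@echo off
REM Added example, not from the article: from the clean machine, log on to the
REM UBCD4WIN host, list its shares and map the infected disk for scanning.
REM Usage: scan_share.cmd <UBCD4WIN-IP> <password> <share-name>
REM   <UBCD4WIN-IP>  address shown under DHCP Details on the UBCD4WIN machine
REM   <password>     administrator password set on the File Sharing tab
REM   <share-name>   share listed for the infected C disk; read it off the
REM                  "net view" output below. The exact name is an assumption.
setlocal
if "%~3"=="" (
    echo Usage: %~nx0 ^<UBCD4WIN-IP^> ^<password^> ^<share-name^>
    exit /b 1
)
set "UBCD_IP=%~1"
set "UBCD_PASS=%~2"
set "UBCD_SHARE=%~3"
set "MAPPED=Z:"

REM 1. Confirm the UBCD4WIN host answers before trying to authenticate.
ping -n 1 %UBCD_IP% >nul 2>&1 || (
    echo Host %UBCD_IP% is not reachable. Check that network support and file sharing were started.
    exit /b 2
)

REM 2. Authenticate as the UBCD4WIN "administrator" account, the same credentials
REM    the Run dialog prompts for. The IPC$ share is assumed to be present, as it
REM    is on Windows file servers generally; no drive letter is assigned yet.
net use \\%UBCD_IP%\IPC$ %UBCD_PASS% /user:administrator /persistent:no || exit /b 3

REM 3. Show the shares the host offers: the list of drive letters the article
REM    describes. The one for the infected C disk is the share to map.
net view \\%UBCD_IP% || exit /b 4

REM 4. Map the chosen share to a local drive letter without saving the mapping.
net use %MAPPED% \\%UBCD_IP%\%UBCD_SHARE% /persistent:no || exit /b 5
echo Infected disk is mapped as %MAPPED%. Point your anti-malware scanner at it.
echo Scan only: do not open or run files from %MAPPED%. Keeping the malware from
echo executing is the whole point of working from outside the infected system.
pause

REM 5. Drop both connections once the scan is finished.
net use %MAPPED% /delete /y
net use \\%UBCD_IP%\IPC$ /delete /y
endlocal
```

The script leaves the mapping in place until a key is pressed, so the scanner can be run against the Z: drive in the meantime; nothing is written to the infected disk by the script itself.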