Use a foreign OS on a LiveCD
anonymous
September 13 2010, 08:26:24 UTC
Hi. I'm Charles (croten@serv.net).
I heard about this from a mutual acquaintance on another forum.
This looks pretty simple.
Suppose the worst case: that the OS is a write-off. That's really very unlikely, but I'm giving you the worst-case scenario first.
Evacuating the files you want to save off isn't hard. The key is using an alternate boot medium and an OS that won't "see" your system drive as anything except data and a filesystem.
I've done this myself, both in practice "fire drill" scenarios and for real.
The foreign OS won't even notice the virus until and unless it's asked to run the viral code _as_ _a_ _program_. There's no reason to do that, and the issue won't come up by accident either, so the infection won't matter a bit.
You'll need three things:
(1) A blank CD-R
(2) Another computer to download an ISO image and burn it to a CD with.
(3) A USB drive big enough for the data you want to save off.
My absolute first choice for a job like this is System Rescue CD. It's designed for problems just like this one. It's free.
Its download page is http://www.sysresccd.org/Download.
The idea is to boot your sick system using an alternate OS, from media that won't see the system drive as anything except a data drive.
Here's the procedure.
(1) Use the second computer to D/L the ISO image and burn it to the CD.
(2) Shut down the sick system.
(3) Boot only long enough to get into the motherboard BIOS, and reset it to boot from optical media by preference.
(4) Shut down, and reboot from the optical disk. I'm supposing it'll be System Rescue CD.
The entire boot process, right through loading of the OS, will completely ignore any viruses on the system's hard drive.
As far as the OS is concerned, that system drive is just a data drive.
(5) The boot-up OS is Linux. It'll probably think your system disk is /dev/sda/. You can find out how it's partitioned by using the Linux "fdisk" command. You'll need to take some care, because "fdisk" can change the partition structure if it's used incorrectly. All you want is to observe what's there without changing anything.
Here's the command sequence, assuming system drive is /dev/sda. Just three lines:
fdisk /dev/sda
p
q
"p" prints out the partition table.
"q" quits without saving any changes.
Your data will almost certainly be on the biggest partition, the one with the most "Blocks".
(6) Mount the main partition (I'll assume it's /dev/sda1) of the system drive on the logical mount point (probably /mnt, since that's what it's there for) using the ntfs-3g option.
Sample command line:
mount -t ntfs-3g /dev/sda1 /mnt
If you do it that way, you access the system drive's filesystem as the effective owner.
(7) Connect the USB drive up physically.
(8) If the USB drive needs to be formatted with a filesystem, do so. Then mount it. Create another directory, say, /mnt2, at top level, and mount it there. If it's formatted to NTFS, use the same syntax I used above.
(9) Copy all the stuff that needs to be saved onto the USB drive.
(10) Once you're done, unmount it and remove it.
There are also several free boot CDs that'll run A/V products by design. Boot with one of these, freshen the signatures, then scan the hell out of the system drive to flush out and then delete the malware. "Search and destroy".
(1) AVG has one, at http://www.avg.com/us-en/avg-rescue-cd
(2) F-Secure has one, at http://www.f-secure.com/linux-weblog/2009/09/22/rescue-cd-311/
I've never used either one myself, yet, so I can't speak from personal experience. But I've got CDs of both of them, in my bundle of burned rescue media.
The last time my Windows box got infected, I used a process monitoring tool (Process Explorer, at http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) to stop the offending process and find out where it was located in the file system.
If process monitoring tools are within your comfort zone, they are real lifesavers in this sort of mess.
Here are two more:
System Explorer: http://www.systemexplorer.net/
Process Hacker: http://processhacker.sourceforge.net/
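Steps (5) through (10) of Charles' procedure, collected into a small shell helper as an added example; this is not from the original comment and not part of System Rescue CD. It assumes the same layout Charles assumed (sick NTFS data partition /dev/sda1, a USB partition /dev/sdb1, ntfs-3g and rsync on the rescue disc; "evacuate.sh" is a hypothetical name) and adds the two things a practitioner would want here: the sick drive is mounted read-only with noexec, so the foreign OS cannot run or alter anything on it, and the partition table is read with "fdisk -l" instead of the interactive p/q session, so there is no way to save changes by accident.

```shell
#!/bin/sh
# evacuate.sh (hypothetical name, constructed example): rescue a directory from an
# infected Windows disk while booted from a Linux live CD such as System Rescue CD.
# Assumptions: sick NTFS partition /dev/sda1, USB target partition /dev/sdb1,
# ntfs-3g and rsync available.  Run as root inside the live session.

# The infected drive is only ever data: read-only, no executables, no setuid, no devices.
SICK_OPTS="ro,noexec,nosuid,nodev"
# The USB stick must be writable, but nothing on it needs to be executable either.
USB_OPTS="rw,noexec,nosuid,nodev"

# Accept only plain /dev/sdX or /dev/sdXN names, so a slip such as "/dev/sda/" or
# anything with extra characters is refused before it reaches fdisk or mount.
valid_dev() {
    case "$1" in
        /dev/sd[a-z]|/dev/sd[a-z][0-9]|/dev/sd[a-z][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Step (5): list the partitions non-interactively. "fdisk -l" never writes,
# unlike an interactive "fdisk /dev/sda" session where "w" would.
show_partitions() {
    valid_dev "$1" || { echo "refusing bad device name: $1" >&2; return 1; }
    fdisk -l "$1"
}

# Steps (6) to (10): mount source read-only, mount target, copy, unmount.
# Usage: evacuate /dev/sda1 /dev/sdb1 'Users/Charles/Documents'
evacuate() {
    src_dev=$1; usb_dev=$2; subdir=$3
    valid_dev "$src_dev" && valid_dev "$usb_dev" || return 1
    mkdir -p /mnt/sick /mnt/usb
    mount -t ntfs-3g -o "$SICK_OPTS" "$src_dev" /mnt/sick || return 1
    mount -o "$USB_OPTS" "$usb_dev" /mnt/usb || { umount /mnt/sick; return 1; }
    # -a preserves timestamps (useful later when working out what the malware touched);
    # executables are left behind on purpose, since there is no reason to carry them off.
    rsync -a --exclude='*.exe' --exclude='*.dll' --exclude='*.scr' \
        "/mnt/sick/$subdir/" "/mnt/usb/$(basename "$subdir")/"
    rc=$?
    sync
    umount /mnt/usb
    umount /mnt/sick
    return $rc
}
```

The read-only mount also means the rescue session leaves the disk exactly as it found it, which keeps it usable as evidence if you later want to find out what the infection did.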