
What is the best way to remove viruses from Windows?


25 replies to this topic

#1 mateuszek

mateuszek

    Member

  • Members
  • 93 posts

Posted 28 May 2010 - 04:53 AM

For example: a friend asks you for help removing viruses from his HD.
His Windows starts, but it is very slow.

You take your ultimate super USB and go to his place.

You start it up and see this shitty motherboard with an AMI BIOS from 2001 which does not boot from USB.

You don't have a CD, only a USB stick,
and this AMI BIOS 2001 cannot boot from it.

So what is important to have on such a pendrive to remove viruses from his existing system?

Maybe (my idea, but I haven't tried it yet):
have VirtualBox on the USB, run it with some VistaPE ISO or something else, attach his physical disk partition and run some NOD32 scanner...

But I don't know if that will work.
Some .sys viruses are hidden so you cannot see the files or registry entries, because the System Service Dispatch Table is modified by a hook....


So what could be a better way?

Safe mode is also not always good, because some viruses work in safe mode too....

You do not have access to a CD, only to USB.
What should you have on the USB to help him even then?

#2 target_practice

target_practice

    Newbie

  • Members
  • 27 posts
  • Location:Portland, Oregon
  •  
    United States

Posted 28 May 2010 - 06:11 AM

Sorry for the essay, but here's some thoughts:

I recommend getting and learning Autoruns, Process Explorer, FileAssassin, Spybot S&D, and some anti-rootkit tools. GMER or whatever is popular in that category. With Autoruns you kind of need an internet connection to research potential threats. If you carry a laptop you can buy a cheap crossover cable, link two computers, and PXE boot the machine into a live environment that way, assuming you have the RAM. That's a little trickier though.

Attaching a VM to a physical hard drive in use by the system can be extremely dangerous, and doesn't deal with the really tricky virii that are currently running.

You could theoretically 'inject' your rescue disk. If your buddy doesn't mind you changing his boot-loader, back up his MBR, install grub and copy the ISO of your rescue disk to the hard drive then reboot. Variations on this solution exist.
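
Added example, not code from the thread or from any of the tools named above: of the tools listed, Autoruns is the one whose output is worth working through offline, which matters when the infected box has no internet connection for researching entries. The script assumes an export made on the suspect machine with `autorunsc -a * -c -h -s` (all entry types, CSV output, file hashes, signature verification) and copied to the stick for review on a clean system. It flags entries that are unsigned, start from outside Windows or Program Files, are unsigned kernel drivers (the hidden .sys case from the first post), or reuse a Windows system binary name from the wrong directory. Column names are modelled on recent Autorunsc output and the three rows are constructed sample data, not a real export; older Autoruns versions use different headers.

```python
"""Offline triage of an Autorunsc CSV export from a suspect Windows box.

Added example, not from the thread. Assumes the export was made on the
infected machine with: autorunsc -a * -c -h -s  (all entry types, CSV output,
file hashes, signature verification) and copied to the stick for review.
Column names follow recent Autorunsc output; older versions differ, so rename
the fields below if your export has other headers.
"""
import csv
import io
import os

# Locations Windows autostart code is expected to live under (lower-case).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_DIR = "c:\\windows\\system32\\"
# Names malware likes to borrow; legitimate copies live only under system32.
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                       "services.exe", "smss.exe", "explorer.exe"}

# Constructed sample export (three rows modelled on the real layout, not real data).
SAMPLE_CSV = (
    "Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,SHA-1\n"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,ctfmon.exe,enabled,Logon,"
    "System-wide,CTF Loader,(Verified) Microsoft Windows,Microsoft Corporation,"
    "c:\\windows\\system32\\ctfmon.exe,0123456789abcdef0123456789abcdef01234567\n"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,svchost,enabled,Logon,"
    "System-wide,,(Not verified),,"
    "c:\\documents and settings\\user\\local settings\\temp\\svchost.exe,"
    "89abcdef0123456789abcdef0123456789abcdef\n"
    "HKLM\\System\\CurrentControlSet\\Services,sysdrv32,enabled,Drivers,"
    "System-wide,,(Not verified),,"
    "c:\\windows\\system32\\drivers\\sysdrv32.sys,fedcba9876543210fedcba9876543210fedcba98\n"
)


def classify(row):
    """Return the reasons one Autoruns row deserves a closer look (empty if none)."""
    signer = row.get("Signer", "").strip()
    path = row.get("Image Path", "").strip().lower()
    name = os.path.basename(path.replace("\\", "/"))
    verified = signer.startswith("(Verified)")
    reasons = []
    if not verified:
        reasons.append("unsigned or signature not verifiable")
    if path and not path.startswith(TRUSTED_DIRS):
        reasons.append("autostarts from outside Windows/Program Files")
    if row.get("Category", "") == "Drivers" and not verified:
        reasons.append("unsigned kernel driver (can hook the SSDT and hide its own files)")
    if name in SYSTEM_BINARY_NAMES and not path.startswith(SYSTEM_DIR):
        reasons.append("reuses a Windows system binary name outside system32")
    return reasons


def triage(csv_text):
    """Parse an Autorunsc CSV export and return the enabled rows worth investigating."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Enabled", "enabled").strip().lower() != "enabled":
            continue
        reasons = classify(row)
        if reasons:
            findings.append({"entry": row.get("Entry", ""),
                             "location": row.get("Entry Location", ""),
                             "image": row.get("Image Path", ""),
                             "sha1": row.get("SHA-1", ""),
                             "reasons": reasons})
    return findings


def load_export(path):
    """Read a real export from disk. Autorunsc writes UTF-16 text (check the BOM if this fails)."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(f"{finding['entry']:<10} {finding['image']}  sha1={finding['sha1'][:12]}...")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Collect the export on the live box only if you accept the stick touching an infected system, then review it on a clean machine; the SHA-1 column gives you something to check against a vendor database once you do have a connection. Rows this script does not flag are not thereby clean: a signed binary loaded from a legitimate path through a hijacked registry value passes every rule here, which is why the unflagged entries still need a look in Autoruns itself.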

#3 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 28 May 2010 - 10:00 AM

Hello,

Boot Land has a younger brother forum called Virus removal, would you mind posting this question over there as well?

The idea is to keep Boot Land more focused on boot disks and use the new community to explore and discuss in more detail how to give a good fight to malware.

Thank you!

http://virusremoval.pro

:thumbsup:

#4 mateuszek

mateuszek

    Member

  • Members
  • 93 posts

Posted 28 May 2010 - 12:03 PM

I did an experiment.

EXPERIMENT ONE:

Installed VirtualBox, mounted an ISO file with a WinPE based on Windows XP.

VBoxManage internalcommands createrawvmdk bla bla bla \\.\PhysicalDrive0 (this is where the original host Windows is installed),

in the guest system I double-clicked My Computer, went to that disk, and on the host I had files a.exe and b.exe (OpenOffice renamed to a.exe and a copy of it as b.exe)....

I deleted a.exe =

on guest = deleted, disappeared from disk,
on host = nothing - still exists.

I changed the name on the guest from b.exe to test1.exe -
on guest the name changed,
on host nothing.
I shut down the guest and went to the host system -
a.exe still exists, b.exe - still exists, test1.exe - no such file on disk.

I tried to run a.exe = runs OK.

I tried to run b.exe = "WINDOWS CANNOT FIND THIS FILE" or something.
Tried to delete b.exe = as above.

chkdsk - file b.exe disappeared.

Strange shit.
END OF EXPERIMENT ONE.

#5 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 28 May 2010 - 12:30 PM

Suggestion 1:
Get yourself plop from plop.at.
In the archive is a ready made iso image. Burn that to a CD. Use said CD to boot your USB-Stick.

Suggestion 2:
Create a CD instead of a USB-Stick, it's more useful on older computers.

Suggestion 3:
Take the infected HDD out and connect it to another computer for virus removal.


:thumbsup:

#6 mateuszek

mateuszek

    Member

  • Members
  • 93 posts

Posted 28 May 2010 - 01:24 PM

Thanks.
I know about plop.

I know that there is such a thing as a CD :thumbsup:

My question was: you have only a USB with you.

And your friend has a bootable but infected system.

So the best way is to take plop with you on that USB, change his MBR, boot from USB, clean, and restore (or not) the previous MBR.

But if the system won't be bootable even in safe mode, there will be a problem. I am working on a solution; I will post it when it works, or if it works. I will try to change the USB firmware to be seen as a floppy and check on that old AMI 2001 BIOS.... I will post later what happened, probably in 1 week.

#7 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 28 May 2010 - 01:41 PM

So the best way is to take plop with you on that USB, change his MBR, boot from USB, clean, and restore (or not) the previous MBR.

The point you're ignoring is that the best way to deal with an infected system is to not boot from it! AT ALL!
Besides, a good virus infects your stick the second you connect it to the infected system.

I will try to change the USB firmware to be seen as a floppy and check on that old AMI 2001 BIOS....

You can save yourself the time and work. If the BIOS can't boot from USB at all, fixing the firmware of the stick does not help.

If you wanna boot a stick on those machines and refuse to use a bootloader from floppy or CD, there's only one thing left.
Fix the BIOS.
But IMO this only makes sense if one constantly wants to boot from USB on that machine.

:thumbsup:

#8 mateuszek

mateuszek

    Member

  • Members
  • 93 posts

Posted 28 May 2010 - 02:10 PM

The point you're ignoring is, that the best way to deal with an infected system is to not boot from it! AT ALL!
Besides a good virus infects your stick the second you connect it to the infected system.

No, it won't infect; I will make a partition on it that is read-only, run the plop installer for Windows or grub4dos to install the MBR on the HDD, and it will not work only if there are viruses on this system hooking MBR writes or something to modify the MBR...

So I have a 50% chance that it won't.

I will try to modify the firmware anyway, just to be sure....


And this BIOS does see USB; I can change the BIOS to boot from USB, but it won't work. It does not boot even with FBINST.... RMPrep, every possible combination, USB-ZIP etc....
So I will try the floppy.
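
Added example, not code from the thread or from plop/grub4dos: posts #2, #6 and #8 all rely on backing up the MBR before a boot manager is written into it and restoring it afterwards, and #8 worries about malware intercepting MBR writes. The Python below parses a 512-byte MBR, compares a backup against the sector now on disk so you can tell an expected boot-code change (plop or grub4dos installed) from an unexpected partition-table or disk-signature change, and restores only the boot code while keeping the current partition table. The loader bytes, disk signature and layout are constructed test data, not a real Windows or plop MBR. On a real disk read the sector from the clean boot environment (for instance `dd if=/dev/sda of=mbr.bak bs=512 count=1` from a Linux rescue system, or opening `\\.\PhysicalDrive0` read-only as administrator on Windows) and write it back the same way.

```python
"""Back up, compare and selectively restore a 512-byte MBR.

Added example, not from the thread. The layout and the hex bytes below are
constructed test data; the parser itself follows the standard MBR format.
"""
import hashlib
import struct

BOOT_CODE_LEN = 440          # bootstrap code area (0x000-0x1B7)
DISK_SIG_OFF = 440           # 4-byte Windows disk signature at 0x1B8, then 2 reserved bytes
PART_TABLE_OFF = 446         # four 16-byte partition entries (0x1BE-0x1FD)
PART_ENTRY_LEN = 16
MBR_LEN = 512
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511


def read_mbr(device):
    """Read the first sector of a block device, e.g. '/dev/sda' or \\\\.\\PhysicalDrive0.
    Do this from the clean boot environment, not from the running infected OS."""
    with open(device, "rb") as fh:
        return fh.read(MBR_LEN)


def parse_mbr(mbr):
    """Split an MBR into boot-code hash, disk signature and the used partition slots."""
    if len(mbr) != MBR_LEN:
        raise ValueError(f"expected {MBR_LEN} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    (disk_sig,) = struct.unpack_from("<I", mbr, DISK_SIG_OFF)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": f"{disk_sig:08x}",
        "partitions": partitions,
    }


def compare_mbr(backup, current):
    """Describe what differs between the backed-up sector and the one on disk now."""
    a, b = parse_mbr(backup), parse_mbr(current)
    findings = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code changed (expected after installing plop/grub4dos; "
                        "otherwise suspect a bootkit)")
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature changed (Windows drive-letter mapping may break)")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed (not expected from a boot manager install)")
    return findings


def restore_boot_code(backup, current):
    """Put the backed-up boot code back while keeping the current signature and table,
    so a partition you resized or added while cleaning is not silently lost."""
    parse_mbr(backup)   # validate both sectors before splicing them
    parse_mbr(current)
    return backup[:BOOT_CODE_LEN] + current[BOOT_CODE_LEN:]


def build_mbr(boot_code, disk_sig, partitions):
    """Assemble a test MBR from constructed parts (CHS fields left zero; loaders use LBA)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
                     for status, ptype, lba, count in partitions)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + struct.pack("<IH", disk_sig, 0) + table + BOOT_SIGNATURE


# Constructed sample sectors: stand-in loader bytes, not a real Windows or plop MBR.
ORIGINAL_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"original-loader-stand-in"
PLOP_CODE = b"\xeb\x3c\x90" + b"plop-stand-in"
LAYOUT = [(0x80, 0x07, 63, 2_000_000)]          # one bootable NTFS partition starting at LBA 63
BACKUP_MBR = build_mbr(ORIGINAL_CODE, 0x1234ABCD, LAYOUT)
AFTER_PLOP_MBR = build_mbr(PLOP_CODE, 0x1234ABCD, LAYOUT)
TAMPERED_MBR = build_mbr(PLOP_CODE, 0x1234ABCD, [(0x80, 0x07, 2048, 2_000_000)])

if __name__ == "__main__":
    for label, sector in (("after plop install", AFTER_PLOP_MBR), ("tampered", TAMPERED_MBR)):
        print(f"{label}: {compare_mbr(BACKUP_MBR, sector) or ['no change']}")
    print("restore reproduces backup:", restore_boot_code(BACKUP_MBR, AFTER_PLOP_MBR) == BACKUP_MBR)
```

If compare_mbr reports the boot code changed on a sector you have not touched, or the partition table changed after a plain boot manager install, stop and treat the disk as untrusted rather than restoring blindly. A bootkit that hooks sector writes (the worry in #8) can equally hand the running system a clean-looking MBR on read, which is the reason #7 insists on not booting the infected OS at all: the comparison only means something when both sectors were read from outside it.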

#9 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 28 May 2010 - 02:50 PM

No, it won't infect; I will make a partition on it that is read-only, run the plop installer for Windows or grub4dos to install the MBR on the HDD, and it will not work only if there are viruses on this system hooking MBR writes or something to modify the MBR...

So I have a 50% chance that it won't.

You want to boot up the infected system, then connect the USB stick to install plop from it.
The second you plug your stick in, you allow all active virii, worms, trojans and whatever to fiddle with your stick.
I would do that only if the stick had a write-protect switch, which hardly any have these days anymore.

I will try to modify the firmware anyway, just to be sure....

And this BIOS does see USB; I can change the BIOS to boot from USB, but it won't work. It does not boot even with FBINST.... RMPrep, every possible combination, USB-ZIP etc....
So I will try the floppy.

On those old BIOSes, turning the USB stick into a USB-HDD usually does the trick.


:thumbsup:

#10 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 28 May 2010 - 03:48 PM

An interesting question would be, given that:
  • "business card CD's" do exist
  • CD's have been cut to shape

http://www.businessc...sign-guide.html

How small can a CD be cut to contain PLoP, in order to increase its portability?

Would a small plastic disc with a diameter of around 60 mm be too bulky to be carried together with a "super" USB stick? :ph34r:


:thumbsup:
Wonko

#11 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 28 May 2010 - 04:01 PM

How small can a CD be cut to contain PLoP, in order to increase its portability?

If it is purely used on laptops, as small as it fits. For desktop computers, a mini CD, not smaller; you're bound to that size by the tray.

:thumbsup:

#12 mateuszek

mateuszek

    Member

  • Members
  • 93 posts

Posted 28 May 2010 - 05:38 PM

I changed it to USB-HDD.

Even Lexar BootIt - changed to USB fixed - nothing. FBINST, RMPrep, BootIce, most combinations = nothing.

#13 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 28 May 2010 - 07:37 PM

As my old math teacher used to say: "Please answer in whole sentences."
I don't understand a word.

:thumbsup:

#14 mateuszek

mateuszek

    Member

  • Members
  • 93 posts

Posted 29 May 2010 - 05:38 AM

On those old BIOS turning the USB-Stick into USB-HDD usually does the trick.


:thumbsup:

It does not do the trick, because as I wrote, I set it to USB-HDD using the Lexar BootIt utility.
There is an option to switch the removable bit, and then the USB stick is visible as a USB-HDD fixed disk.

BTW, FBINST as far as I know creates a hidden partition as HDD.

So if FBINST doesn't work, there is a 90% chance that nothing at all will work.

#15 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 29 May 2010 - 12:01 PM

I did a similar test a few weeks ago.
None of the tools that prepare (partition) a USB stick made the slightest difference.
Either a computer accepted a stick regardless, or it rejected a stick regardless.
On those computers that did not boot from all sticks, only the one that was detected as USB-HDD worked.

:thumbsup:

#16 mateuszek

mateuszek

    Member

  • Members
  • 93 posts

Posted 29 May 2010 - 12:42 PM

So the only option is to get a CD, or:
http://www.cooldrive...atatousb20.html

#17 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 29 May 2010 - 01:11 PM

What did work for me was a USB stick which got detected as a USB-HDD. But even this stick required that the BIOS had an option to boot from USB devices.

The only general solution is to have a floppy or CD with plop, just in case.
Hopefully the next version will have better performance.

:thumbsup:

#18 mateuszek

mateuszek

    Member

  • Members
  • 93 posts

Posted 29 May 2010 - 01:19 PM

What did work for me was a USB stick which got detected as a USB-HDD. But even this stick required that the BIOS had an option to boot from USB devices.

The only general solution is to have a floppy or CD with plop, just in case.
Hopefully the next version will have better performance.

:thumbsup:

Next version of what?

#19 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 29 May 2010 - 01:26 PM

The next version of plop.
The current version transfers only 1.3 MB/s with USB 2.0 and between 200-600 KB/s with USB 1.1.

:thumbsup:

#20 mateuszek

mateuszek

    Member

  • Members
  • 93 posts

Posted 01 June 2010 - 06:02 AM

....
You can save yourself the time and work. If the BIOS can't boot from USB at all, fixing the firmware of the Stick does not help.
...

Sorry, but you were wrong.
Fixing the FW on the stick helps.
In this case = yes.

I did what I said I would do.
Lexar Retrax - 16 GB USB pendrive.
Chipset = SMI.
Flashboot.ru mass production tool, create multi-LUN.
Created a floppy.
Now the pendrive is visible as a removable disk of about 14.9 GB and a 1.44 MB floppy (as a normal floppy device in the computer).

And this old AMI 2001 BIOS - this BIOS booted it - YES - it is visible as USB-FDD and booted...

USB-ZIP - no boot.
FBINST - no boot.
FIXED DISK, USB-HDD - no boot.
USB as CD-ROM from SanDisk (U3) - NO BOOT.
But modified firmware in the USB to be visible as a floppy - yes !!!!
yes !!!!
yes!!!!
SO - Lexar + SMI chip + SMI MPTool + modify to create a separate LUN as a floppy, make it bootable (as a normal floppy in Windows) and it boots even on an old BIOS.

Maybe I will find a BIOS that will not boot it, I don't know, but for now this is working on the oldest 2001 AMI BIOS I have had my hands on.

#21 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 01 June 2010 - 08:07 AM

Yep. :(

Guess why some people are looking for this kind of stick?

http://www.boot-land...?showtopic=4977

:)
Wonko

#22 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 01 June 2010 - 11:30 AM

You can save yourself the time and work. If the BIOS can't boot from USB at all, fixing the firmware of the Stick does not help.

Sorry but you were wrong.
fixing fw on stick helps.
in this case = yes.

Maybe i should have been more clear.

If the BIOS can't boot from USB at all, fixing the firmware of the Stick does not help.

Your BIOS apparently supports booting from USB, even if just in a very limited way.

Besides that, congratulations on your success.

:)

#23 Andrew Kevin

Andrew Kevin
  • Banned
  • 2 posts
  •  
    United States

Posted 28 September 2010 - 10:20 AM

* Personally, I would never bother with an infected drive, I would 'nuke & pave'... delete & re-create the partition, reformat & reinstall.
* Problem is that people never have backups (I have daily) & sometimes also don't have OS CD/DVDs.
-----------
spam links removed by moderator

#24 ksanderash

ksanderash

    Frequent Member

  • Advanced user
  • 162 posts
  • Interests:electronics, PCs, cinema, reading books, psychology, philosophy
  •  
    Moldova

Posted 28 September 2010 - 04:21 PM

mateuszek

but modified firmware in usb to be visible as floppy - yes !!!!

You could try to change the mode (USB-ZIP/USB-HDD) via BootIce first. It seems to me that the firmware just sets the default appearance, which can be overridden by a reformatting utility.

Andrew Kevin

Personally, I would never bother with an infected drive, I would 'nuke & pave'

It depends. If you don't have any backup -- sure you start tinkering about that garbage )

#25 ceehoppy

ceehoppy

    Newbie

  • Members
  • 29 posts
  • Interests:Tinkering, DIY - home & cars age:38
  •  
    United States

Posted 28 September 2010 - 06:16 PM

Congrats! If you're going to use a USB stick for virus work, I would strongly consider applying an Enhanced Write Filter. Your stick will run faster & be very resistant to most malware.



