How to Handle Malware: Complete Guide. Give it to your younger brother, let him do it himself!

Numerous times you used to help your friends and other people when their PCs fell to an onslaught of malware. So did we. But we got pretty sick and tired of all that and pulled out a trump card by instead compiling a full guide that you can just hand off to the injured party and thus guarantee your non-involvement. Take it and put it to good use!

Tip one. What can we do with the help of Live CD

using emergency repair discs from antivirus companies

Antivirus Live CDs can be used to recover your system once it is rendered unusable by computer viruses. Almost every antivirus company offers this product for free.

The CD is most often a Linux-based boot drive containing scanning and disinfecting utilities along with Linux components. These Live CDs also typically contain additional software tools (registry editing and recovery utilities, disk partition editing utilities, network configuration utilities, etc.).

See chart 1 for a brief description of Live CDs from the most popular Russian antivirus providers.

Chart 1. A brief description of five boot drives of the most popular antivirus software providers

  • Kaspersky Rescue Disk 10
  • Live CD ESET NOD32
  • Comodo Rescue Disk
  • Dr.Web LiveDisk
  • Avira Rescue System

The selected Live CD image can be written either to a disc (CD or DVD) or to a memory card. If you're using Windows 7, the image can be written using the bundled software. You just have to right-click the icon, choose "Open with", then "Windows disc image burner". Older versions required special software to write disc images, e.g. Nero Burning ROM or its free counterparts like ImgBurn or Ashampoo Burning Studio.

To write a boot image to a memory card you can use the special utilities supplied by antivirus software providers along with Live CD or WinSetupFromUSB. Select the correct USB memory card and the image file, check "Auto format it with FBinst" and then start the process.

WinSetupFromUSB utility

If your PC or laptop is a little behind the times and didn't come pre-installed with Win 8 or higher, then booting from a boot drive is as easy as 1-2-3. Enter BIOS setup (boot the PC and press "Del" or "F2" as soon as the firmware starts running), change the boot priority to CD-ROM or USB memory card (note that not all PCs support booting from USB) and wait for it to boot up.

If your PC has Win 8 or higher, it boots in UEFI mode in the vast majority of cases, and you might face certain problems. You might find it difficult to enter BIOS setup, and you will have to disable Secure Boot in order to boot from the Live CD.

What is Secure Boot

Secure Boot is a UEFI option meant to protect PCs from bootkits, low-level exploits and rootkits. The UEFI boot manager in Secure Boot mode will only run code verified in its own database by a digital certificate.

You can use msinfo32.exe to find out the status of this option. Or rather you can simply read the note in the bottom right corner of the display:

The option's status using msinfo32.exe and the note in the bottom right corner of the display

How to disable Secure Boot

This all depends on your brand of laptop or motherboard, although for the most part the process doesn't differ much. The Secure Boot option can be found either in Security, System Configuration or Boot; you will have to check "Disabled" once you locate it. Then you will have to enable OS compatibility mode. Different manufacturers assign it different names: Launch CSM, CMS Boot, UEFI and Legacy OS or CMS OS. It can be found under "Advanced" in the main menu, then "BOOT MODE" or "OS Mode Selection". Don't forget to save the changes.

Disabling Secure Boot on a laptop with the InsydeH20 setup utility

Live CD workflow

After you manage to boot your computer, you can scan and clean it. Usually this happens without any prompting. Some Live CDs contain registry editing utilities. This is extremely helpful for analyzing registry autorun keys (most malware uses the registry to autorun when the system boots) or for restoring system parameters manipulated by the malware.

Some registry locations malware prefer:

  • Autorun
  • Browser Helper Objects
  • System parameters

In order to avoid being exposed, certain types of malware change the registry to disable the task manager, the command prompt and the registry editor. UAC may also have been disabled without your authorization.

The key

DisableRegistryTools parameter:

  • 0 – enable registry editor;
  • 1 – disable registry editor;

DisableTaskMgr parameter:

  • 0 – enable task manager;
  • 1 – disable task manager;

EnableLUA parameter:

  • 0 – enable UAC;
  • 1 – disable UAC.

The key

DisableCMD parameter:

  • 0 – enable command prompt;
  • 1 – disable command prompt;
  • 2 – enable scripts run.
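As an added example (not code from the article), a small Python script that parses a regedit-style .reg export, such as one saved with regedit, and flags the four policy values above when they are in a blocking state. It assumes the standard Windows policy key paths for the constructed sample; note that Windows documents EnableLUA=1 as UAC enabled, so the script treats 0 as the tampered value.

```python
import re
# Value names and states the article lists (DisableCMD=2: cmd blocked, scripts still run).
# EnableLUA: Windows documents 1 = UAC on, so 0 is the tampered state here (see lead-in).
POLICY_CHECKS = {
    "DisableRegistryTools": {1: "registry editor disabled"},
    "DisableTaskMgr": {1: "task manager disabled"},
    "DisableCMD": {1: "command prompt disabled", 2: "command prompt disabled, scripts allowed"},
    "EnableLUA": {0: "UAC disabled"},
}
KEY_RE = re.compile(r"^\[(.+)\]$")                            # [HKEY_...\Path]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')  # "Name"=dword:00000001

def parse_reg_export(text):
    """Return {(key_path, value_name): int} for every DWORD value in a .reg export."""
    values, current_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        dword_match = DWORD_RE.match(line)
        if dword_match and current_key is not None:
            values[(current_key, dword_match.group(1))] = int(dword_match.group(2), 16)
    return values

def find_tampering(text):
    """List (key_path, name, value, description) for policy values in a blocking state."""
    findings = []
    for (key, name), value in parse_reg_export(text).items():
        description = POLICY_CHECKS.get(name, {}).get(value)
        if description:
            findings.append((key, name, value, description))
    return findings

# Constructed sample export: standard Windows policy key paths, made-up values
# showing one clean setting (DisableTaskMgr) and three tampered ones.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000000
[HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System]
"DisableCMD"=dword:00000002
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"EnableLUA"=dword:00000000
"""

if __name__ == "__main__":
    for key, name, value, description in find_tampering(SAMPLE_EXPORT):
        print(f"{key}\\{name} = {value}: {description}")
```

Run it against a real export to get a list of policy values worth resetting from the Live CD's registry editor.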

Tip two. The right way to ask for help

calling on the collective mind of virusinfo.info
