by Robert Spotswood, Version 1.01
Introduction
Once a computer is infected with malware, you need special ways to clean it. Just installing some antivirus (AV) software and telling it to clean will get rid of some malware, but not all. Some malware employs rootkit techniques, such as hooking into the Explorer process, and so becomes completely invisible to Windows and to the programs that run on top of Windows, AV software included. Another trick is to have two processes which watch each other and restart one if the other is killed, or restore files if they are deleted.

There is a need to be able to scan a Windows machine while being absolutely sure no malware is active. One method is to pull the hard drive, put it into a known clean machine with AV software, and then scan the hard drive. It works, but it is time consuming, and you have to have a clean machine handy.

There has to be a better way, and there is. It involves using a Live Linux CD and a flash drive with ClamAV. Because Windows never boots, nothing on the infected disk gets a chance to run, so the rootkit's hooks and watchdog processes are not in play while you scan.
Preparation
Thanks to Stephen Gran for the static compilation instructions. You need static compilation so the binaries do not depend on the shared library versions of whatever live CD you happen to boot.

1. ./configure --enable-static --disable-shared --without-curl --prefix=/mnt/usbdisk
2. make LDFLAGS='-all-static'
3. Copy the binaries freshclam and clamscan to your flash drive.
4. Make an etc directory on the flash disk. This and steps 5-7 only have to be done once.
5. Copy clamd.conf and freshclam.conf to the etc directory on the flash disk.
6. For freshclam.conf:
   a. Comment out the Example line.
   b. Change the DatabaseDirectory option to /mnt/usbdisk
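The preparation steps as one script. This is an added example, not part of the original article or of ClamAV itself. It assumes an unpacked ClamAV source tree is passed as the first argument, that the flash drive is already mounted at /mnt/usbdisk (override with the USB environment variable), and that the built binaries and sample config files sit at freshclam/freshclam, clamscan/clamscan and etc/ inside the source tree, which is the layout of the 0.9x autotools source; adjust those three paths for other versions. The config editing is done on a copy so the sample file in the source tree stays untouched.

```shell
#!/bin/sh
# Added example (not from the original article): prepare the ClamAV flash
# drive following the Preparation steps. Assumptions: $1 is an unpacked
# ClamAV source tree; USB is where the flash drive is mounted.
set -eu

USB=${USB:-/mnt/usbdisk}

# Steps 1-2: static build so the binaries carry their own libraries instead
# of depending on whatever shared libraries the live CD ships.
build_static_clamav() {
    src=$1
    ( cd "$src" &&
      ./configure --enable-static --disable-shared --without-curl --prefix="$USB" &&
      make LDFLAGS='-all-static' )
}

# Steps 3-5: copy the two binaries and the two sample configs to the drive.
# Source-tree paths are an assumption (ClamAV 0.9x layout).
copy_to_usb() {
    src=$1
    mkdir -p "$USB/etc"
    cp "$src/freshclam/freshclam" "$src/clamscan/clamscan" "$USB/"
    cp "$src/etc/clamd.conf" "$src/etc/freshclam.conf" "$USB/etc/"
}

# Step 6: comment out the "Example" line (freshclam refuses to run while it
# is present) and point DatabaseDirectory at the flash drive. Handles both a
# commented-out and an active DatabaseDirectory line, and adds one if the
# sample config has none. Rewrites via a temp file so a failure midway does
# not leave a half-edited config behind.
prepare_freshclam_conf() {
    conf=$1
    tmp=$(mktemp)
    sed -e 's/^Example$/#Example/' \
        -e "s|^#*DatabaseDirectory .*|DatabaseDirectory $USB|" "$conf" > "$tmp"
    grep -q '^DatabaseDirectory ' "$tmp" || echo "DatabaseDirectory $USB" >> "$tmp"
    mv "$tmp" "$conf"
}

# Usage: USB=/mnt/usbdisk sh prepare-usb.sh /path/to/clamav-source
# With no argument nothing is built or copied.
if [ "$#" -ge 1 ]; then
    build_static_clamav "$1"
    copy_to_usb "$1"
    prepare_freshclam_conf "$USB/etc/freshclam.conf"
fi
```

Run it once per flash drive; after that only the signature database on the drive changes, and freshclam takes care of that on the live CD.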
Usage instructions
Optional, but recommended:
1. Have a good backup. It's possible the malware has sabotaged your computer so that removing it causes damage.
2. Do a disk cleanup. Every file you delete is one you don't have to scan. That means the scan takes less time, and deleting is quicker than scanning.
3. Clear your Internet caches. This includes IE, Firefox, and Opera. Again, every file you delete is one you don't have to scan.
4. Disable System Restore. Viruses are often backed up in the restore points, and there can be a significant number of files to scan. However, this does limit your ability to repair some types of damage, so use this recommendation with caution.
clamav:x:119:129::/var/lib/clamav:/bin/false

Here the uid is 119 and the gid is 129. Often the numbers are the same.
5. Now plug in the flash drive. Do not plug it in while booting. A few computers have problems booting off a live CD if a flash drive is inserted. I have seen this with Sony computers especially.
6. Ignore any automount operations. Cancel them. An automounted drive ends up at a different mount point and with different mount options than the following steps rely on, and that will cause problems later.
7. Find out where the flash drive is, and where the hard drive to be scanned is. Run the following command as root: fdisk -l. The flash drive is usually /dev/sd?1, where the ? is often an "a". The same listing also tells you where the hard drive is.
8. Make the mount points for the flash drive and the hard drive (if necessary). At the very least, you need to run the following command: mkdir -p /mnt/usbdisk
9. Mount the flash drive with clamav as the owner. This is particularly important if the flash drive is formatted as FAT or FAT32. freshclam drops its privileges to the clamav user (the DatabaseOwner setting in freshclam.conf) and has to be able to write the signature database to the flash drive; FAT and FAT32 keep no per-file ownership, so the mount options are the only way to make the files on the drive belong to that user. You will need the uid and gid noted above in step 4. Using step 4 as an example and assuming the flash drive is at /dev/sda1, the mount command would be: mount -t auto -o uid=119,gid=129 /dev/sda1 /mnt/usbdisk
10. Now, assuming you have internet connectivity, run the following command: cd
--database=/mnt/usbdisk/ /mnt/hda1
14. Generally you should just delete infected files. The paranoid can rename them and move them to another directory instead of deleting them. However, you need to use common sense, as there may be false positives. If the computer has AV software, there will likely be false positives in the AV directory (signature files and quarantine stores look like malware to another scanner). If in doubt, and you have web access, you can try uploading the file to http://www.virustotal.com or http://virusscan.jotti.org/ to see what other virus scanners think of the file. Use these sparingly though; they are slow. Also, even if the file comes back squeaky clean, there are still no guarantees.
15. If you notice a difference in the number of signatures reported by freshclam and clamscan, the missing ones are PUA (Potentially Unwanted Applications) signatures, which are not loaded by default. You can enable them by passing --detect-pua to clamscan, or by activating DetectPUA in clamd.conf, but beware the high false positive rates!
16. Now, if you reboot into Windows, you might want to reinstall your AV software and do a full scan. ClamAV does not clean up the registry, although with the program files gone, the malware should be non-functional at this point.
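The scanning half of the procedure (steps 5 to 15) as one script run as root from the live CD. This is an added example, not the article's own commands and not part of ClamAV. The device names /dev/sda1 and /dev/hda1 and the mount points /mnt/usbdisk and /mnt/hda1 are the ones the article uses and are only defaults here; the AV_DIR pattern and the quarantine directory name are hypothetical and should be adjusted to the machine. It reads the clamav uid and gid from the live CD's /etc/passwd rather than having you type them in, offers the "paranoid" move-to-quarantine option from step 14 instead of deleting, skips the installed AV product's directory to avoid the false positives mentioned there, leaves PUA signatures off unless asked for, and reports clamscan's exit status in words, since an exit of 2 (an error) is easy to mistake for a clean result when you only glance at the output.

```shell
#!/bin/sh
# Added example (not from the original article): mount the prepared flash
# drive with clamav as owner, refresh signatures, and scan the Windows
# partition. Assumptions: run as root on the live CD; the flash drive was
# prepared as in the Preparation section (freshclam, clamscan and
# etc/freshclam.conf at its root); device names below are defaults only.
set -eu

USBDEV=${USBDEV:-/dev/sda1}
WINDEV=${WINDEV:-/dev/hda1}
USB=${USB:-/mnt/usbdisk}
WIN=${WIN:-/mnt/hda1}
ACTION=${ACTION:-move}      # move (quarantine on the flash drive), remove, or report
# Hypothetical regex for the installed AV product's directory; clamscan's
# --exclude-dir matches it against the full path of each directory.
AV_DIR=${AV_DIR:-'Program Files/[^/]*[Aa]nti[Vv]irus'}

# Step 4: read the clamav user's uid and gid from the passwd file.
# Prints "uid gid"; fails if there is no clamav user on this live CD.
clamav_ids() {
    awk -F: '$1 == "clamav" { print $3, $4; found = 1 } END { exit !found }' "${1:-/etc/passwd}"
}

# Step 9: FAT keeps no ownership, so the only way to make the files on the
# drive belong to clamav is to say so at mount time.
mount_usb() {
    ids=$(clamav_ids)
    set -- $ids                     # $1 = uid, $2 = gid
    mkdir -p "$USB"
    mount -t auto -o "uid=$1,gid=$2" "$USBDEV" "$USB"
}

# Step 10: refresh the signatures onto the flash drive (needs network).
update_sigs() {
    "$USB/freshclam" --config-file="$USB/etc/freshclam.conf" --datadir="$USB"
}

# clamscan exit status: 0 nothing found, 1 infected files found, 2 errors.
# An errored scan is not a clean scan, so never treat "not 1" as clean.
clamscan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Steps 13-15: scan the Windows partition with the database on the flash
# drive. "report" mounts read-only and changes nothing; "move" quarantines
# to the flash drive; "remove" deletes. PUA signatures only if DETECT_PUA
# is set, because of their false positive rate.
scan_windows() {
    mkdir -p "$WIN"
    case "$ACTION" in
        report) mount -o ro "$WINDEV" "$WIN"; action_flag= ;;
        move)   mount "$WINDEV" "$WIN"; mkdir -p "$USB/quarantine"
                action_flag="--move=$USB/quarantine" ;;
        remove) mount "$WINDEV" "$WIN"; action_flag=--remove ;;
        *) echo "unknown ACTION: $ACTION" >&2; return 2 ;;
    esac
    status=0
    "$USB/clamscan" --database="$USB" --recursive --infected \
        --exclude-dir="$AV_DIR" --log="$USB/scan.log" \
        ${DETECT_PUA:+--detect-pua} $action_flag "$WIN" || status=$?
    umount "$WIN"
    echo "scan result: $(clamscan_verdict "$status") (clamscan exit $status, log in $USB/scan.log)"
    return "$status"
}

# Usage (as root on the live CD): ACTION=report sh scan-usb.sh run
if [ "${1:-}" = run ]; then
    mount_usb
    update_sigs
    scan_windows
fi
```

Run it first with ACTION=report to see what clamscan flags and to check the log on the flash drive, then again with ACTION=move or ACTION=remove once you are satisfied the hits are not false positives. Anything quarantined ends up in the quarantine directory on the flash drive, so it leaves the machine with you.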