04 Jan 2010 @ 4:12 AM 


UPDATE – Monday, December 6th, 2010

I have good news… I think. I haven’t had a chance to run a full battery of tests yet, but I do know that Malwarebytes is now at least installing, loading, updating, and scanning properly. Granted this was run under Windows XP within a virtual terminal… I will post more as soon as I have time.

I apologize for the delay; work is holding me up! I have had a chance to do some further testing and there seem to be some issues, but nothing that prevents Malwarebytes from being used.

What I’ve noticed so far:

Switching tabs within the main GUI causes rapid flickering of the GUI itself, and the only way to get the updates to take is to click the Updates tab, click back on the Scanner tab, then click the Check for Updates button. The GUI then needs to be exited and restarted to begin a scan. Scanning proceeds as it should, and deletions seem to work fine as well. As with the previous versions, you will have at least 1 infection claimed within wine itself… I will post details later when I get a chance to put together a complete package… Should be later this evening.

I have uploaded both the ISO (sPCpup-431_wine138.iso) as well as the latest wine build (wine-1.3.8.pet). The directions below still apply… Let me know if you find any issues.

…the wine file c:\windows\system32\winnls32.dll is found to be infected with Trojan.Tracur. This, of course, is a false positive and can be safely ignored.

—————————————

Good day to you all, this is Ted from slighPC’s and I wanted to comment on the drastic increase in harmful malware (malicious software). Recently I have been subjected to a rising number of issues pertaining to Windows malware infections and the numerous major problems stemming from them. In this article I plan to portray a worst-case scenario and discuss the methods to resurrect a Windows machine from the dead, so to speak.

Windows will not boot no matter what is done. All suggested fixes and resolutions have been implemented and the machine is still non-functional. This is becoming more and more prevalent in my experience, and personally… I feel defeated if I have to resort to a clean install to rectify any issue.

That said, most computer shops would recommend a reformat and clean install at this point… but what about my programs and data, you ask? Most if not all data could theoretically be saved to external media and re-populated after a clean install. In my experience, though, this has rarely been the case. The main problem seems to be following software data backup procedures before the issue occurs. For example, Outlook by default saves data in an OST file, which cannot be restored without additional resources or 3rd-party application(s). This data would need to be saved as a PST file from within Outlook itself, which can be restored. Programs or applications are an entirely different story due to their use of underlying Windows components such as the registry… sadly I have never found a sure-fire, completely successful path to restoring single applications after a clean OS install. Due to these setbacks I have always made it a point to investigate every avenue to performing a full repair, leaving the reformat as the ultimate last resort. …Enough with the technical jargon, let’s get on with the fixing!

External OS Scan Procedure (Use at your own discretion as these directions are provided without warranty and we cannot be held liable for any damages as a result of using these directions… We are here to help though, so please keep us posted with any success or failure information and we will be more than happy to provide our assistance and expertise.)

Requirements to run an external OS scan

Broken Windows box with:

CD-ROM boot capabilities

392MB RAM minimum (512MB recommended)

First you’ll need to burn our custom Linux liveCD by following the post “How to burn an ISO file to CD from within Windows”.

Boot from your Linux liveCD

Insert the CD in your CD or DVD-ROM drive and reboot your computer. You may have the option to select your boot device without changing the BIOS (e.g. Dell machine boot device selection is typically tied to the F12 key). As the OS is booting you will be asked to select your keyboard and video settings (keyboard layout is self-explanatory, and the video selection should work fine under Xorg… if you have issues, choose Xvesa).

Setup the Network connection

Click on Menu (bottom left corner) -> Setup -> Network Wizard

Depending on your interfaces, your selection may vary. Most will select eth0 by clicking the button conveniently labeled eth0; then click the Auto DHCP button to acquire an IP address. You will have the option to save the settings to automatically establish a connection on the next boot (so long as you’re on the same machine). Click Done and, if all went well, you now have Internet access.

Download and Install Malwarebytes’ Anti-Malware from within Linux

Use the default browser to download Malwarebytes’ Anti-Malware free version.

Click on Menu -> Internet -> Opera Browser/Mail/Chat

Click OK on the Opera update pop-up dialog box and replace the URL bar contents:

file://localhost/usr/share/docs/home.htm

with the Malwarebytes’ Anti-Malware site URL below:

http://malwarebytes.org

and then press the Enter key on your keyboard.

Locate and click on the button “Download free version” on the left hand side of the page.

Save the file to the default location (/root) for ease of use with these directions.

Click on Menu -> Utility -> Terminal

In the Terminal window type the following command to begin the Malwarebytes’ Anti-Malware installation:

wine ~/mbam-setup.exe

Follow the prompts and take the defaults as you would in any Windows environment. You will notice a bit of output in the Terminal window as your installation is taking place. This is strictly informational unless, of course, any issues arise, in which case I would recommend posting your errors to allow us to get you back on track. After the installation is complete and the database is updated you should see the Malwarebytes’ Anti-Malware window appear. Before we begin the scan we will need to mount our Windows drive and add it to wine. So at this point we will want to close Malwarebytes’ Anti-Malware by clicking on ‘Exit’ in the bottom right corner of the window.

Mounting and Adding your Windows partition to Linux

To mount your Windows partition we will first need to locate it. Depending on the make and model of your machine you will most likely have multiple partitions. For example, newer Dell models typically house three separate partitions (a tiny utility partition, a Windows partition, and an image restore partition). The easiest way to locate the correct partition is by mounting each drive labeled sda1, sda2, sda3, etc. (for IDE drives your labels would be represented as hda1, hda2, hda3, etc.) from your desktop and searching for the ‘OS’, ‘Program Files’, and ‘User Profiles’ folders. For Windows XP and Windows Vista installs we would generally be searching for a ‘Windows’ OS (Operating System) folder; for Windows upgrades this may be labeled Winnt. The ‘Program Files’ directory should be housed in the same location for both XP and Vista. The User Profiles directory should be labeled ‘Documents and Settings’ for XP and ‘Users’ under Vista. Once you have located these three folders you more than likely have the correct partition mounted and ready to go.

From here we will need to add our partition to the wine configuration. First we will need the correct path to the mount. You will need to note the drive label under which you found the ‘OS’, ‘Program Files’, and ‘User Profiles’ directories. In this case we’ll use ‘sda2’.

Click Menu -> Utility -> Wine Config, then click on the ‘Drives’ tab in the Wine Configuration window. You should see the current ‘Drive mappings’ listed as:

C:     ../drive_c
Z:     /

Click the button labeled ‘Add…’, leave the default drive letter as ‘D:’ and click OK. Now with ‘D:’ highlighted blue, click ‘Browse…’ to the right of ‘Path:’, then click the ‘+’ next to ‘mnt’ in the Browse for Folder window. Click on the folder we noted from the steps above. In our case we would click on the folder sda2 and click OK. At this point the ‘Path:’ should be populated properly (in our case ‘/mnt/sda2/’). Click ‘Apply’, then ‘OK’, and now we have added our Windows partition to wine.
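As an added example (not part of the original post), the shell script below automates the two steps just described: it mounts each candidate partition read-only and checks for the OS, ‘Program Files’ and user-profile folders, then maps the match as D: for wine. It assumes Puppy’s /mnt/<device> mount points and the default ~/.wine prefix; the dosdevices symlink it writes is how wine stores the drive mapping that the Wine Config ‘Drives’ tab edits.

```shell
#!/bin/sh
# Added example, not from the original post: locate the Windows partition
# using the article's folder heuristics, then map it into wine as D:.

# Return 0 if DIR looks like the root of a Windows XP/Vista install: an OS
# folder (Windows, or Winnt for upgrades), Program Files, and a profile
# folder (Documents and Settings for XP, Users for Vista).
looks_like_windows_root() {
    dir=$1
    os_dir=""
    for d in Windows WINDOWS Winnt WINNT; do
        [ -d "$dir/$d" ] && os_dir=$d && break
    done
    [ -n "$os_dir" ] || return 1
    [ -d "$dir/Program Files" ] || return 1
    [ -d "$dir/Documents and Settings" ] || [ -d "$dir/Users" ] || return 1
    return 0
}

# Mount each partition read-only under /mnt/<name> (Puppy's layout) and print
# the first mount point that passes looks_like_windows_root. Read-only keeps
# the search from writing to a partition we have not identified yet; remount
# read-write before letting Malwarebytes remove anything.
find_windows_partition() {
    for dev in /dev/sd[a-z][0-9]* /dev/hd[a-z][0-9]*; do
        [ -b "$dev" ] || continue
        name=${dev#/dev/}
        mkdir -p "/mnt/$name"
        mount -o ro "$dev" "/mnt/$name" 2>/dev/null || continue
        if looks_like_windows_root "/mnt/$name"; then
            echo "/mnt/$name"
            return 0
        fi
        umount "/mnt/$name"
    done
    return 1
}

# Map PATH to drive LETTER (e.g. d) in the wine prefix (default ~/.wine):
# the Drives tab in Wine Config writes exactly this symlink in dosdevices.
add_wine_drive() {
    letter=$1 path=$2
    prefix=${WINEPREFIX:-$HOME/.wine}
    mkdir -p "$prefix/dosdevices"
    ln -sfn "$path" "$prefix/dosdevices/$letter:"
}

if [ "${1:-}" = "--run" ]; then
    win=$(find_windows_partition) || { echo "no Windows partition found" >&2; exit 1; }
    add_wine_drive d "$win" && echo "mapped $win as D:"
fi
```

Run it as root with `--run` from the liveCD terminal; without that flag it only defines the functions, so you can source it and call them by hand.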

Running the scan

Open Malwarebytes’ Anti-Malware by clicking Menu -> Other -> Malwarebytes’ Anti-Malware.

01/18/2010 – An issue was noted prompting changes to this article: recent versions of Malwarebytes’ neglect to scan the Windows drive configured under Wine. The original step read:

Leave the default method ‘Perform quick scan’ and click on the ‘Scan’ button.

Instead, do the following: change the default option “Perform quick scan” to “Perform full scan” and click on the “Scan” button. When prompted with the drive selection window, remove all checks with the exception of the “D:” drive and click the “Start Scan” button.

Viewing and Removing the infections

After the scan has completed a new dialog box will appear stating ‘The scan completed successfully. Click ‘Show Results’ to display all objects found.’ Click OK, then click ‘Show Results’ in the bottom right corner. A list of all infections should appear. At this point we are ready to remove all of the infections found by clicking on ‘Remove Selected’ in the bottom left corner; a log file will then appear in focus on your desktop.

I would recommend saving the log file to the Windows partition by clicking on ‘File’ -> ‘Save as…’. In the new window click the drop-down arrow to the right of ‘Save in:’ and click on ‘My Computer’. You should now see ‘(C:)’, ‘(D:)’, and ‘(Z:)’ listed; double-click on ‘(D:)’ and give your log a name by filling in the ‘File Name’ text box with ‘mbam-todaysDate’ (e.g. mbam-01-04-10). Then click on the ‘Save’ button and your log file will be located at the root of your Windows partition.

I will assume that after you have saved the log file you will be looking at a Malwarebytes’ dialog window stating ‘All selected items removed successfully… Your computer needs to be restarted to complete the removal process. Would you like to continue?’. From here we want to click on the ‘Yes’ button. If your machine does not initiate a restart automatically you will want to click Menu -> Log Out, and then click on the ‘Restart’ button in the middle of the dialog window. At this point you will be asked if you’d like to Save your Session. For the purpose of simplicity we will select ‘DO NOT SAVE’ by using the right arrow key to select and the Enter key to acknowledge. Just after your machine powers down, remove the CD-ROM and let Windows (with fingers crossed) boot normally.

Back in Windows (Hopefully…)

Once the machine boots into Windows we should be able to access the Internet to download a copy of Malwarebytes’ Anti-Malware to finish the disinfecting process.

Posted By: tdurbin
Last Edit: 12 Dec 2010 @ 09:03 AM

Categories: Linux, Windows