This is another of those questions that no one specifically asked (though it does come in frequently, in various forms). Rather, this is a scenario that I experienced myself earlier this week.
A friend who has one of my older laptops on loan came to me and told me that it had become slow and that websites like Hotmail and Facebook had stopped working. Sometimes, it wouldn’t even connect to the network.
My first suspicion was malware, for which I had good cause. You see, a couple of weeks earlier, my friend had clicked on one of “those” links – the ones that come to you as a result of someone else’s email account having been hacked. While it hadn’t done anything immediately, it was high on the list of
The machine’s working again, so I want to outline the steps that I took to clean it up. They’re fairly generic and can be used in many, many situations, but perhaps not all of them are obvious.
Regular readers will have seen this coming.
The very first thing that I did was create a backup image of the machine. Yes, this backs up the potentially infected machine.
I do this as a safety net; it establishes a “can’t get any worse than this” point in time. No matter what I do to the machine from this point forward I still have all the original files backed up should they need to be restored. By having a complete image of the system, I can also revert to this state should something I do in the process of “fixing” it actually end up making things worse. By restoring the backup, I can start over and try again.
The technique that I used was perhaps novel, but it’s an important one.
I did not boot the machine normally. In fact, I didn’t boot the machine from its hard drive at all. Instead, I booted the machine from a copy of Macrium Reflect rescue media on CD.
Most backup programs allow you to create bootable rescue media of some sort, with the intent that when you need to restore a complete disk image, you can boot from that media and perform the restore.
Overlooked is the fact that in many cases (including that of Reflect), the rescue media can also be used to perform a backup.
So, that’s what I did. I booted from the rescue media, attached an external USB drive, and created a complete image of the laptop’s hard drive on that external drive. I then saved that elsewhere, should I ever need it.
Turns out I did not, but as I said – it’s the ultimate safety net.
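The safety-net image only counts for anything if you can trust it later, so it is worth verifying the copy before you touch the original disk. The script below is an added example, not the article's Macrium Reflect procedure and not Reflect's image format: it makes a raw byte-for-byte copy of a source (on a Linux rescue CD that would be a device such as `/dev/sda`, which is an assumption; here a constructed file stands in for the disk), hashes the data as it is written, stores the hash in a sidecar file, and then re-reads the image to confirm it matches. The tamper step at the end shows that a single changed byte is caught.

```python
"""Raw disk imaging with integrity verification (added example).
Stand-in for a 'can't get any worse than this' backup: copy every byte,
record a SHA-256 of what was written, and verify the image before trusting it.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB read size per iteration


def image_disk(source_path: str, image_path: str, chunk: int = CHUNK) -> dict:
    """Copy source_path byte-for-byte to image_path.

    Returns the byte count and SHA-256 of the data written, and writes a
    sidecar '<image>.sha256' file so the hash travels with the image.
    """
    src_hash = hashlib.sha256()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            buf = src.read(chunk)
            if not buf:
                break
            src_hash.update(buf)
            dst.write(buf)
            total += len(buf)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image actually reached the media
    digest = src_hash.hexdigest()
    with open(image_path + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(image_path)}\n")
    return {"bytes": total, "sha256": digest}


def verify_image(image_path: str, chunk: int = CHUNK) -> bool:
    """Re-read the image from disk and compare it against its sidecar hash."""
    with open(image_path + ".sha256") as f:
        expected = f.read().split()[0]
    h = hashlib.sha256()
    with open(image_path, "rb") as img:
        for buf in iter(lambda: img.read(chunk), b""):
            h.update(buf)
    return h.hexdigest() == expected


def demo() -> dict:
    """Run the procedure against a constructed 'disk' (a file of random bytes)."""
    workdir = tempfile.mkdtemp()
    disk = os.path.join(workdir, "constructed-disk.bin")
    with open(disk, "wb") as f:
        f.write(os.urandom(3 * 1024 * 1024 + 123))  # constructed, deliberately not chunk-aligned
    image = os.path.join(workdir, "laptop.img")
    info = image_disk(disk, image)
    info["verified"] = verify_image(image)
    # Corrupt one byte of the image: verification must now fail.
    with open(image, "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))
    info["tampered_verified"] = verify_image(image)
    return info


if __name__ == "__main__":
    print(demo())
```

Reading a physical device rather than a file needs the rescue environment's privileges, and the image should live on separate media (the external USB drive in the article) so that nothing done to the laptop afterwards can reach it.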
Windows Defender Offline
My next step was to run anti-malware tools on the machine, but ideally once again, without actually booting Windows from the hard drive.
There are several bootable anti-malware tools available. I selected Windows Defender Offline (formerly known as the Microsoft Standalone System Sweeper). Using another machine, I downloaded a copy and burned it to CD. I booted the laptop from this CD and let Defender perform a complete scan.
The reason why booting from something other than the machine itself is so important is that when you boot from an infected hard disk, any malware that may be on it gets the opportunity to execute. That means that it can interfere with anti-malware scans that you perform, sometimes even preventing them. It also gives the malware an opportunity to try and hide from the scanners.
By booting from anything but the possibly infected system, that malware never gets the chance.
After the Windows Defender scan came up clean, I felt that booting the machine was somewhat safe.
Microsoft Security Essentials
With the machine now booted normally into Windows XP (SP3, fully up to date), I then made sure that Microsoft Security Essentials was also up to date and ran a complete scan again.
It’s possible that this is redundant with Windows Defender Offline. They are basically the same technology and quite possibly could be running off the same malware databases. But without absolute confirmation that they would be the same, I simply elected to take the safer route and run a complete scan again.
And once again, the scan came up clean.
Particularly because Windows Defender Offline and Microsoft Security Essentials might have been the same scan run twice, and were likely to be at least similar, running a scan with a different tool is always a good idea.
Once again, the scans came up clean.
I’ll admit part of me liked how this was looking.
What distinguishes a rootkit from other forms of malware is its ability to hide. A rootkit actually infiltrates the operating system at a low level and causes the very functions that report the presence of files to “conveniently” overlook the files that comprise the rootkit itself. The rootkit might live in C:\Windows, but listing the files in that folder would simply not list the rootkit’s own files by virtue of the rootkit filtering the results.
Theoretically, the effects of a rootkit would have been bypassed by having booted Windows Defender Offline from CD. However, when malware is suspect, I’m a big believer in scanning too much rather than not enough.
Rootkit Revealer is a tool from the same folks at Microsoft who bring you Process Explorer.
And it turned up nothing.
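The hiding technique described above is also what gives a rootkit scanner its opening: if the normal file-listing API has been filtered, then a listing obtained some other way (reading the disk directly, or scanning from boot media as Windows Defender Offline does) will disagree with it, and every disagreement is a hidden object. The following is an added example, not RootkitRevealer's code, that demonstrates that cross-view comparison in miniature. The "hooked" view is a constructed stand-in for a compromised listing API (it simply drops names beginning with an assumed marker prefix), the raw view is a plain directory read, and the detector reports what the API view is missing.

```python
"""Cross-view rootkit detection in miniature (added example).
A compromised system's listing API filters out the rootkit's own files; a
detector compares that view with a raw view that bypasses the filter and
reports every discrepancy.  The 'hook' here is a constructed simulation.
"""
import os
import tempfile
from typing import Callable, Dict, List, Set

# Constructed marker: the simulated rootkit hides any name starting with this.
HIDDEN_PREFIX = "hidden_"

View = Callable[[str], Set[str]]


def raw_view(root: str) -> Set[str]:
    """What is actually on disk, as relative paths: the offline-scan perspective."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def hooked_view(root: str, hidden_prefix: str = HIDDEN_PREFIX) -> Set[str]:
    """What a live, compromised system reports: the same walk, filtered by the
    simulated rootkit so that its own files and folders never appear."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        # The 'hook' prunes hidden directories so the walk never descends into them.
        dirnames[:] = [d for d in dirnames if not d.startswith(hidden_prefix)]
        for name in dirnames + filenames:
            if not name.startswith(hidden_prefix):
                found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def cross_view_diff(root: str, api: View, raw: View) -> Dict[str, List[str]]:
    """Compare the two views of the same tree.

    Entries present only in the raw view are hidden from the API (rootkit-style);
    entries present only in the API view are phantoms the API fabricated.
    """
    api_names, raw_names = api(root), raw(root)
    return {
        "hidden_from_api": sorted(raw_names - api_names),
        "phantom_in_api": sorted(api_names - raw_names),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed system folder and run the detector over it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "hidden_drv"))
    for rel in ("explorer.exe", "notepad.exe", "hidden_loader.dat",
                os.path.join("hidden_drv", "core.sys")):
        open(os.path.join(root, rel), "w").close()  # constructed, empty files
    return cross_view_diff(root, hooked_view, raw_view)


if __name__ == "__main__":
    print(demo())
```

On a real machine the two views would be the Windows API listing and a parse of the NTFS structures on the raw volume; the comparison logic is the same, which is why a clean result from a scanner booted off CD and a clean result from this kind of live cross-view check reinforce each other.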
At this point, I made the careful assumption that malware was not at play here and moved on to more generic cleanup activities.
With the browser acting as it had been, it’s tempting to just clear the browser cache. In fact, clearing the browser cache is one of our more common answers to assorted questions that come in to Ask Leo!.
In this case, however, I wanted to be a little more thorough, so I elected to fire up CCleaner instead.
CCleaner will clear the browser cache, but it’ll also clean much more. The biggest additional offender is often Windows’ own temporary files folder, but CCleaner actually runs around and cleans up many additional things as well. (Note: I did not use the registry cleaner, only the file cleaner.)
I ran CCleaner for two reasons: to hopefully stabilize the browser, of course, but also to prepare for the next step.
Normally, I’d be tempted to run Windows’ own disk defragmenting program – and indeed that would probably be sufficient. But I wanted to see just how bad things were, so I chose to run Defraggler, another free tool from the same people that make CCleaner.
Besides having a more informative display (to us geeky types, at least), my sense is that it’s slightly more thorough in its defragmenting work. Given that this machine hadn’t been defragmented in years, I wanted it to be aggressive, if perhaps time-consuming. (If you defrag regularly, then Windows’ own defragmenting tool is quite sufficient.)
The drive was most definitely severely fragmented when I started. In addition, the 17 gigabytes still in use on the 60 gigabyte drive were spread out across almost the entire disk surface, resulting in lots of disk head movement even for unfragmented files.
After defragging, not only were the files contiguous, but they were also clustered together near the beginning of the disk.
The machine’s once again working fine, albeit still a tad pokier than we might want. More on that in a moment. It’s booting properly, the browser’s working as expected, and Hotmail and Facebook are once again working as well.
We appear to have dodged a bullet with respect to actual malware. The link that had been clicked on was most likely already rendered inoperative by prior victims. It’s true that we can never know that the machine isn’t still infected, but I feel that the steps taken give us a very high level of confidence that we’re clean.
As I mentioned, the machine’s still a tad slower than we might like, and I believe I understand why. In cleaning up, I installed additional security software – specifically Malwarebytes – which had not been running before, and is now present constantly. It’s very likely that I’ll turn that off, leaving day-to-day security in the hands of Microsoft Security Essentials and WinPatrol.
The machine is an older Dell Latitude 131L with 2GB of RAM and a 70GB hard drive. The processor is running at 1.6 GHz. As I said, it’s running Windows XP SP3. My belief is that with current versions of the OS and security software assuming today’s slightly more powerful machines, the addition of one more security program might just be taking it to the boundaries of acceptable performance.