163 Replies Latest reply on Sep 21, 2011 7:48 PM by secured2k

    Secured2k BootCD - Malware/Rootkit Removal
      *******McAfee Update*******

      CleanBoot 2.0 was released to enterprise users in April 2011. It won't be available under your grant id. One will have to call into McAfee support quoting KB71921 and they will provide you a special grant id to download CleanBoot. https://kc.mcafee.com/corporate/index?page=content&id=KB71921
      June 18, 2009, Version: 1.7.0
      Secured2k's Boot CD

      A tool to recover from malicious software and rootkits
      Intro

      This tool is free, however I do accept optional donations, constructive feedback, and success/failure stories for the time, energy, and knowledge put into creating this tool.
      I made this tool for the many users out there that have had trouble with malware and rootkits, especially as the AntiViruses out there can detect the bad files but can not remove them due to the technology used in the malware.
      Disclaimer:

      This CD was NOT created by McAfee, Microsoft, or any other security software company.

      This CD was created by a volunteer under the alias, "Secured2k", for the emergency use and repair of Windows PCs running Windows 2000/XP/2003 and Vista/2008/7 with an x86 compatible processor. While I have tried to ensure the safety of this program, the authors of the programs used in this CD are in no way responsible for any damages or losses caused by the use of this tool.

      USE AT YOUR OWN RISK!
      Boot CD Information
      • Windows RE v6.1.7260, 32-bit English
      • McAfee VirusScan Command Line Scanner
      • ESET Online Scanner v3
      • QTWeb Browser 2.5
      • Xenon File Manager
      • 7-Zip Archive Manager 4.65
      • jkDefrag 3.36
      • Autoruns 9.5

      Download ->Create Secured2k BootCD.exe [~148 MB]

      *** PLEASE READ THIS POST AND THE FOLLOWING "COMMON ISSUES" POST FULLY BEFORE USING THIS CD. ***

      How to Create this CD
      1. Simply download and run "Create Secured2k BootCD.exe".
      2. Click YES to start the process.
      3. After the files are extracted, you will be asked to include drivers detected on the system. Use this if you are on the system you will want to run the Boot CD on.
      4. You will be given an option to download and include the DAT files in the CD. This is a good idea as it will allow you to scan your computer from the boot CD if the CD cannot start your network.
      5. When the Active@ ISO Burner appears, you may configure the options for CD burning (only if needed) and create/burn the data to a writable CD/DVD-R/RW disc.

      Note: The ISO file is created in the All Users or Public Profile Desktop under the name, "Secured2k BootCD.ISO"
      How to boot using the CD

      After the CD/DVD is burned, restart your computer with the CD in the computer. Some computers may start the CD automatically while others may require pressing a key at the boot up sequence. Two of the most common are ESC for HP/Compaq and F12 for Dell. Some systems may require you to enter the BIOS and change the boot order.
      What the CD Will Do

      • The Windows Memory test will start and check for errors. The CD will continue to boot once the test is complete. You may press ESC to cancel.
      • Once the boot CD has started, you will see a blue background with the Windows Version in the lower right corner.
      • Read through the information and complete the user verification page.
      • The system will begin to start an automated process. If you have the need to use wireless or to change some of the startup options, click the Initialization Control before the 7-second timer is up.
      • When the system is done starting up, a taskbar will be shown at the bottom of the screen. To access the programs in the Boot CD, right-click on the blue desktop background. A menu will appear that will allow you to start each program.

      Using the programs on the CD
      WARNING: Removing system files and registry entries by mistake will break the system!
      • Xenon File Manager - The recommended way to manually locate and delete/move/rename files.
      • 7-Zip - Used in case you need to create/extract an archive - Can serve as a file manager too
      • Autoruns - Used to show what starts up with your Offline Windows. DO NOT use Verify Signatures; it will crash the program.
      • Registry Editor - Used in case you need to manually edit the registry.
      • jkDefrag - Automatic and complete defragmentation for performance
      • Command Terminal - For advanced use only
      • Task Manager - For informational use only
      • McAfee VirusScan - This Antivirus will scan and clean your system of known detected malware.
      • ESET Online Scanner - Another AntiVirus program that may detect things McAfee doesn't.
      • QTWeb - Webkit web browser. Some sites will not work with the default privacy mode on.
      • TeamViewer QS - Remote Support is available if an Internet Connection is available. You need to provide the remote user with the provided Partner ID and PIN.
      • Wireless Configuration - Use this if you started the CD with Wireless support but need to correct the settings entered.

      Bonus: QuickScan (for use in Normal Windows)
      I've included QuickScan (QS.EXE) in the root folder of the CD. This is a utility for Windows 32/64-bit that will auto-update and run without installing drivers or registry entries into your system. This tool should work even if McAfee is not installed, working, or updated as long as there is a working internet connection.
      After downloading the DAT and engine files, the scanner will check and attempt to clean what it finds in Memory and registered files in the system. This scan generally takes less than 5 minutes (2 min for me) and can quickly determine if you have something in your system.
      Message was edited by: Mark (secured2k) on 2/1/10 9:16:18 AM EST
      Message was edited by: SamSwift on 21/09/11 17:07:20 IST
        • 1. Re: RE: Secured2k BootCD - Malware/Rootkit Removal

          Common Issues/Problems


          • The Boot CD blue screen crashes on Driver loading - The CD will try to load drivers found on the CD by default. You can also tell the system to load drivers from the Windows installation on the Hard Drive. If one of these drivers is not stable or compatible with your hardware or with Windows, the system may crash. Use the Initialization Control to uncheck loading drivers from the CD/HDD.
          • Can't Find a hard drive - This is usually because the system does not have a driver for your hard drive controller. There are other possibilities such as drive encryption, boot sector viruses, and actual hardware failure.
          • Can't find an Internet IP - This usually happens when the network is started but no adapters can be found or the system could not get an IP address from the DHCP server. For those with a static IP, manual configuration would be needed via NETSH.
          • The McAfee scanner Cleans something that isn't a virus - The McAfee scanner files are located on the first hard drive found with enough free space (usually C:). It creates its own backup folder that matches the hard drive's serial number. This number will most likely be unique for each computer. It is a set of 8 hexadecimal characters (ex. C:\ABEF1290\Backup)
          • McAfee/ESET scan and clean, but the system restarts and the virus returns - This is because you have a virus the AVs do not yet know about or you have a hole in your security allowing reinfection. The way around this is manual removal.
          • Wireless Support - The SSID is case sensitive (SSID and ssid and SSid are all different). If the Boot CD can support your wireless device, clicking on "Network Name (SSID):" should bring up a text file showing what networks are available as well as the authentication and encryption methods.
          • After using the CD to remove a virus, I cannot start Windows normally. It constantly reboots or shows a Blue Screen error STOP: 0x0000007B
            A STOP: 0x0000007B error means that Windows could not load a driver for your hard drive storage system. This is most likely caused by a virus that modified or replaced a legitimate Windows driver file and the AntiVirus scanner detected this change and deleted the file. In order to get your system booting again, you will need to check the log file for the .sys file that was removed and replace it with a matching clean copy. On many Windows XP 32-bit systems, I find Windows has some backup drivers located at "C:\Windows\ServicePackFiles\i386". In the Boot CD, you can replace the missing file by copying it back to its original location. For example, if ATAPI.SYS was deleted because it was infected, I would copy the file from C:\Windows\ServicePackFiles\i386\ATAPI.SYS to where ATAPI.SYS was originally located. Usually this is "C:\Windows\System32\Drivers". Another commonly infected driver file is the Intel Mass Storage device driver, IASTOR.SYS.
          • After using the CD to remove a virus, I cannot log into Windows. Windows appears to log me in but immediately logs me back out.
            The virus changes the USERINIT Registry value from "C:\Windows\System32\userinit.exe," to "C:\Windows\system32\some.bad.file.that.was.removed.exe". Since the antivirus scanners removed the bad virus file, Windows could not process the userinit function and then logs the user out.
          The solution in this case is to use the registry editor in the BootCD to navigate to the following key and make sure the contents show the following:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
          Userinit : (REG_SZ) : C:\Windows\system32\userinit.exe,
          Message was edited by: Mark (secured2k) - Updated FAQ for 2 common issues. on 2/1/10 9:29:45 AM EST
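The two "Windows will not start after cleaning" items above (the STOP 0x0000007B missing-driver case and the Userinit logon loop) can both be handled from the Boot CD's Command Terminal without hunting through the registry editor by hand. The script below is an added example written for this page; it is not part of the Secured2k BootCD and not the author's procedure. It assumes the offline Windows installation is visible as C: from the Boot CD (WinRE may assign a different letter; check with dir), that the deleted driver name is passed as the first argument (ATAPI.SYS by default), and that the expected Userinit value is C:\Windows\system32\userinit.exe, (the drive letter inside that value is the one Windows sees when it boots normally, not the Boot CD's letter).

```batch
@echo off
rem Added example: post-cleanup boot repair from the Boot CD's Command Terminal.
rem Not part of the Secured2k BootCD. Assumes the offline Windows is on C: as seen
rem from the Boot CD and that Windows is NOT running (its hives can be loaded).
setlocal

set "WINDIR_OFF=C:\Windows"
set "DRIVER=%~1"
if "%DRIVER%"=="" set "DRIVER=ATAPI.SYS"

rem --- 1. STOP 0x0000007B: restore a storage driver the scanner deleted ---
rem XP keeps service-pack copies of system files under ServicePackFiles\i386.
set "SRC=%WINDIR_OFF%\ServicePackFiles\i386\%DRIVER%"
set "DST=%WINDIR_OFF%\System32\Drivers\%DRIVER%"
if exist "%DST%" (
    echo %DST% is present; not touching it.
) else if exist "%SRC%" (
    echo Restoring %DRIVER% from ServicePackFiles...
    copy /y "%SRC%" "%DST%"
) else (
    echo %DRIVER% is missing and there is no backup at %SRC%.
    echo Copy a clean %DRIVER% from an identical system into %DST%.
)

rem --- 2. Logon loop: check the offline Winlogon Userinit value ---
rem Load the offline SOFTWARE hive under a temporary key; HKLM\SOFTWARE itself
rem belongs to the Boot CD environment, not to the installation being repaired.
reg load HKLM\OfflineSW "%WINDIR_OFF%\System32\config\SOFTWARE" >nul || (
    echo Could not load the offline SOFTWARE hive from %WINDIR_OFF%.
    exit /b 1
)
set "WINLOGON=HKLM\OfflineSW\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "EXPECTED=C:\Windows\system32\userinit.exe,"

rem reg query prints "    Userinit    REG_SZ    <value>"; token 2 is the type,
rem "*" collects the whole value even if it contains spaces.
set "CURRENT="
for /f "tokens=2,*" %%A in ('reg query "%WINLOGON%" /v Userinit 2^>nul ^| findstr /i /c:"Userinit"') do set "CURRENT=%%B"

rem Anything other than the single userinit.exe entry with its trailing comma is
rem suspect: malware either replaces the entry or appends its own EXE after the comma.
rem A whole-value comparison catches the appended case that a substring check would miss.
if not defined CURRENT (
    echo Userinit is missing; resetting it.
    reg add "%WINLOGON%" /v Userinit /t REG_SZ /d "%EXPECTED%" /f
) else if /i "%CURRENT%"=="%EXPECTED%" (
    echo Userinit looks normal: %CURRENT%
) else (
    echo Userinit was "%CURRENT%"; resetting it to "%EXPECTED%".
    reg add "%WINLOGON%" /v Userinit /t REG_SZ /d "%EXPECTED%" /f
)

rem Always unload, or the offline hive stays locked and Windows will not boot cleanly.
reg unload HKLM\OfflineSW
endlocal
```

Run it as `bootfix.cmd` for the ATAPI.SYS case or `bootfix.cmd IASTOR.SYS` for an Intel storage driver, after checking the scanner's log for the exact file name it removed. The value it prints before resetting Userinit is worth recording: the path that was appended or substituted is the file the scanner quarantined, and the same path is a good search key in Autoruns for any other persistence the malware left behind.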
          • 2. RE: Secured2k BootCD - Malware/Rootkit Removal
            Changes since v1.6 & v1.7:

            Boot CD Creator
            - Checks and alerts for new versions of the BootCD if one is available.
            - Removed old resources to shrink the image size a little.

            Boot CD Environment
            - Uses Windows 6.1.7260 32-bit English
            - Updated Readme and verification page
            - Added Advanced Startup control page to control CHKDSK, network startup, wireless, driver loading, and screen resolution.
            - Bug fixes in the UI
            - Added the option to find network drivers on the hard drive and load them
            - Removed the system status screen and replaced it with text on the background
            - Added Wireless support for Open/Shared(WEP 64/128-bit)/WPA-PSK/WPA2-PSK networks.

            VirusScan Interface
            - Now will try to get the latest version information at start each time.

            ESET Scanner
            - Now properly shows the EULA and updates the program to the hard drive.
            - The log file and quarantined files are now stored on the Hard Drive and are not lost on reboot.


            Changes since v1.3 & v1.4:

            Boot CD Creator
            - will not run in Safe Mode
            - gives the user the option to include PCI/USB network adapters and PCI SCSI Adapters (Raid Controllers)
            - removed extra files from the DAT download to the CD; DAT and Engine version files are created for reference.
            - supports unicode driver inf files
            - included the Windows Memory Tester; A basic memory test will automatically run when the CD starts.
            - organized boot files
            - removed EFI and non-English support files for the boot manager
            - CD Volume label added to the ISO


            Boot CD Environment
            - Readme information and user verification is displayed first
            - If drivers are found on the CD, the user has the option to load them. Drivers should only be loaded on the same system that was used to create the CD.
            - Hard Drive file systems are checked and repaired. If there is more than 1 hard drive, they will be checked as well.
            - The shell now includes some basic system info and a rearranged menu.
            - Removed some themes from the environment.
            - added Autoruns Startup Manager for the offline OS
            - added Registry Editor for the offline OS
            - Task Manager
            - TeamViewer QS - For remote support if an internet connection is available. You would need to provide the randomly generated PIN and Partner ID.
            - jkDefrag is included.


            McAfee VirusScan Interface
            - Options are now displayed at the start.
            - Added the option to use BETA DATs
            - Added the option to use DATs on the CD if found
            • 3. RE: Secured2k BootCD - Malware/Rootkit Removal
              I'm having trouble using the BootCD, and I'm hoping that you can help me. I'm far from a computer expert, so please keep that in mind. I can follow directions just fine, but a 3rd-grade-level explanation would be much appreciated.

              I downloaded and ran the CD creation application on a different computer than the one I'm trying to clean. When I attempt to run the CD on the infected machine (an old Dell Inspiron with XP) by pressing F12 during the boot sequence and opting to boot from the CD drive, here's what happens:

              A blue screen entitled "Windows Memory Diagnostics Tool" starts and runs for a few seconds. Then, a black screen appears with a white progress bar across the bottom and which says, "Windows is loading files...". Then a different black screen says "Starting Windows".

              Then, a blue screen appears, which says:
              A problem has been detected and Windows has been shut down to prevent damage to your computer.
              IRQL_NOT_LESS_OR_EQUAL
              If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:
              Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need.
              If the problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.
              Technical Information:
              ***STOP: 0x0000000A (0x04090001, 0x00000002, 0x00000000, 0x8c14986B)

              Help? Thanks!
              • 4. RE: Secured2k BootCD - Malware/Rootkit Removal
                I'm sorry you are having trouble with the Boot CD.


                Unfortunately, the error you posted generally means you have a hardware problem or your hardware is not compatible with the drivers included on the CD. Ideally, the line after STOP: 0000000A... would include a file name where the error happened, but IRQL_NOT_LESS_OR_EQUAL almost always points to hardware misbehaving with the drivers.

                The base system that starts up is almost identical to what the next version of Windows will use to start up. If your computer blue screens on the kernel init, then you will not be able to use the CD system until the hardware issues are resolved.

                The other option you have is to use a Windows 2000/XP/2003/Vista/Server 2008 CD to start up the computer and use the recovery console or command prompt to manually fix your system. This method is usually more technical than what the normal user will want to do, which is why I made this BootCD.

                I would be interested in your hardware configuration (what's in your PC).
                • 5. RE: Secured2k BootCD - Malware/Rootkit Removal
                  Thanks for your response. I have a standard-build Inspiron 6000. I believe that the hardware configuration is very similar to (if not exactly the same as):

                  1.6 GHz Intel Pentium M 730 (Sonoma), 533MHz FSB and PCIe x16 chipset
                  15.4 inch WSXGA+ LCD Panel (Samsung)
                  512 MB DDR2 400 MHz ram
                  60 GB Ultra ATA Fujitsu 4200rpm hard drive
                  64 MB ATi Mobility Radeon X300
                  Microsoft Windows XP Home
                  24x CD-RW/DVD (Sony)
                  Intel 2200 b/g internal wireless card
                  6-cell lithium ion battery
                  4 USB ports
                  1 IEEE 1394 FireWire port
                  Secure Digital I/O card slot
                  1 PCMCIA card slot
                  2 front facing speakers
                  VGA output
                  Optional S-Video and composite video out with adaptor cable
                  Audio-out (headphones) and Mic-in
                  Integrated 10/100 network Ethernet card
                  Internal 56k modem

                  Unfortunately, I don't have the Windows XP CD, so that's not an option. Would you recommend running RootRepeal at this point? Any insight that you can provide would be outstanding. The machine is being affected by NTOSKRNL-HOOK. Please let me know if you'd rather I start a new thread.

                  Thanks again!
                  • 6. RE: Secured2k BootCD - Malware/Rootkit Removal
                    Please post a new thread with the results from RootRepeal.
                    • 7. RE: Secured2k BootCD - Malware/Rootkit Removal
                      outstanding boot CD mate, saved my bacon when my director got our first virus infection in 9 years - trojan brought in the virus and VSE did its job in killing/cleaning, but this unfortunately altered the 8 EXE files' date stamp to the date they were cleaned. Some of these were important system files, which could affect future patches/updates.

                      Ran your CD (which i downloaded the other week as a precaution, and extra utility to have), cleaned the whole desktop and restored the files from another XP system (used the McAfee On-Access list to get the filenames in question). Verified it was clean before removal from isolation and allowed back on the LAN.

                      very good method to update the ISO before burning, found the Win7 interface a nice touch too.

                      many thanks.
                      • 8. RE: Secured2k BootCD - Malware/Rootkit Removal
                        Thank you for the feedback.

                        Update Info:
                        Some have asked if I plan to keep the AVs updated. I do not need to do this as the AV engines and DAT files come directly from the AV company when the CD is created or run.

                        I do not plan to update the CD any more unless there are major bugs or updates needed. For example, when Microsoft releases the final RTM Windows 7 Code, I will update the CD again; but there may not be any new features or fixes.
                        • 9. Will this help me?
                          I think I have the same problem with the NTOSKRNL-HOOK virus. When I run McAfee, it says it finds one problem & corrects one problem. When I run it again, it says the same thing sometimes; other times, it stops & says it can't finish the scan. I even get the blue screen at times. Also, when I type a web address, it ends up taking me to a completely different website. I am using a Dell Dimension desktop. My son's Dell Inspiron laptop is now doing similar things & won't run the McAfee scan at all. We are both running Windows XP. Before I take my computers in & spend $150 on them, could this CD help us? FYI: I am not a computer expert!