I have to concur with criticism leveled at this page. It skips from
"how to remove known malware files" to "last resort, format" without
much coverage beyond what the first resort may be. Aside from a
reference to freeware Kaspersky AV's Linux rescue CDR, there's nothing
on how you are to deduce what malware files should be replaced, or how
one is to manage any integration dependencies that may be involved.
Perhaps the message is: "If you are a non-guru on NTFS, you're ^%$d,
mate". That's important info for rabble-rousing purposes (some
Bastilles need to be stormed; where's a rabble when you need it?)
Right now, the best bet is to start with Bart's PE bootable CDR and
run detection tools from there, to build a list of what malware is
present. Then you read up that list and tackle according to caveats.
The hurdles are:
1) Creating a Bart's PE from a clean PC
2) Finding scanners that are Bart's-compatible
3) Finding scanners that are Bart's-compliant
4) Finding a way to keep these updated
5) Ensuring tools operate on the correct settings files
On (2) vs. (3): a tool that runs from a maintenance OS (mOS) such as
Bart's or a Linux CDR is compatible if it runs from it, but needs to
be able to do everything it is supposed to do before you can call it
compliant. For example, a scanner that reads and fixes the Bart's
registry, rather than that on the HD, is not compliant.
Trend SysClean may be non-compliant in another way. When run from HD
boot, it launches a series of console (DOS-looking) windows that scan
for various malware. It does not do this when run from a Bart's boot,
even if SysClean itself is on the HD when it is run. What's missed?
So I backstop SysClean with Stinger, and similar catches-a-few
scanners from Avast, AVG etc.
On (4), you can use a CDRW if your PC will boot this, or you can store
updates on a write-protected USB stick. Bart's won't tolerate CD
swapping (the OS CDR must always be present) and it won't detect
changes of USB stick on the fly, but it will detect and use a USB
stick that is present when Bart's boots up.
On (5), there's a Bart's plug-in that switches registry references
from Bart's to HD after X seconds. The idea is: you run this to shell
your tool, your tool inits itself with reference to the Bart's
registry, and then waits for you to initiate something. While it is
waiting, the shell tool kicks in so that all further registry access
will be to the HD installation you selected. Then you use the tool
you shelled, and it operates on the HD installation as you wished.
That comes back to (1), i.e. the challenge of building a working
bootable mOS and tool set out of all these useful but loose bits.
You do mention hosted scanning, i.e. dropping the HD into a clean
system and scanning it from there. That's like a mOS with full native
tool support, but it's also a mOS that is not write-protected and is
thus potentially infectable. You still have the problem of directing
tools to scan and fix the correct HD's settings files, too.
Thank you for not wasting time with potentially-doomed informal
strategies, such as Windows-based av or online scanners. If we were
not so desperate, we wouldn't give these a second glance.
------------------------ ---- --- -- - - - -
Can't stop what's coming
Can't stop what's on its way (Tori Amos)
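The post's hurdle (5), making a tool read the HD installation's settings files rather than those of the maintenance OS, can also be met without the timed registry-switch plug-in by mounting the offline hive explicitly. The script below is an added example, not code from the post or from any of the tools it names. It assumes a PowerShell-capable maintenance OS (Bart's PE itself is cmd-based, so this is an assumption), that the offline Windows installation is on D:, and uses the hypothetical mount name HKLM\OfflineSoftware. It loads the offline SOFTWARE hive under that key, lists the autostart (Run/RunOnce) entries recorded there, and unloads it again; every value it reports comes from the HD, which is the "compliance" check the post asks for.

```powershell
# Added example: enumerate autostart entries from the OFFLINE installation's
# SOFTWARE hive so that results describe the HD, not the booted maintenance OS.
# Assumptions: offline system drive is D:, mount name HKLM\OfflineSoftware is
# hypothetical, and the shell is elevated (reg load needs backup/restore rights).
$OfflineDrive = 'D:'
$HivePath     = Join-Path $OfflineDrive 'Windows\System32\config\SOFTWARE'
$MountName    = 'HKLM\OfflineSoftware'
$MountPsPath  = 'HKLM:\OfflineSoftware'

if (-not (Test-Path -LiteralPath $HivePath)) {
    throw "Offline SOFTWARE hive not found at $HivePath (is the drive letter right?)"
}

# Mount the offline hive under a temporary key.
& reg.exe load $MountName $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

try {
    $autostartSubkeys = @(
        'Microsoft\Windows\CurrentVersion\Run',
        'Microsoft\Windows\CurrentVersion\RunOnce'
    )

    $entries = foreach ($sub in $autostartSubkeys) {
        $keyPath = Join-Path $MountPsPath $sub
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Source  = 'OfflineHD'          # provenance: came from the mounted hive
                Key     = $sub
                Name    = $name
                Command = $key.GetValue($name)
            }
        }
    }

    # Print the list for review; write it to removable media if the mOS is read-only.
    $entries | Format-Table -AutoSize

    # Sanity check: the same query against the LIVE maintenance-OS hive should not be
    # what we just reported. If both lists are identical, suspect the tool (or this
    # script) is reading the wrong registry, i.e. it is compatible but not compliant.
    $liveRun = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($liveRun) {
        $liveNames    = $liveRun.GetValueNames() | Sort-Object
        $offlineNames = ($entries | Where-Object Key -like '*\Run' | Select-Object -ExpandProperty Name) | Sort-Object
        if (($liveNames -join '|') -eq ($offlineNames -join '|')) {
            Write-Warning 'Offline Run entries match the live hive exactly; verify the mount actually points at the HD.'
        }
    }
}
finally {
    # Release any handles PowerShell still holds on the mounted key, then unload.
    [gc]::Collect()
    & reg.exe unload $MountName | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe unload failed with exit code $LASTEXITCODE; reboot will release it" }
}
```

The same pattern (load the offline SYSTEM, SOFTWARE or a user's NTUSER.DAT hive under a temporary key, query, unload) is how to confirm any scanner's findings against the HD's own configuration rather than the maintenance OS's, which is the distinction the post draws between a compatible and a compliant tool.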