November 25, 2009 | Digital Travails, Windows

As I mentioned in a post a few days ago, I was hit pretty badly with a virus infection on my Windows XP installation. One of the symptoms was Windows shutting down almost immediately after logging in. Once I recognized the problem as virus-caused, I set out to root it out. Here’s a log of my travails.

Trying to prevent Windows from shutting down immediately

One of the methods that’s worked for other people trying to avoid the shutdown caused by Sasser is to quickly type shutdown -a in a command window:

shutdown -a

The -a means abort.

But I never had enough time to open a command prompt to enter the command. Part of the reason for that might be the inordinate amount of time that my installation of Windows (which is the original manufacturer’s installation) takes to fully load, including all autorun programs and services.

So I went back to the Linux live USB and added a Windows batch file with the command already typed out, followed by the programs that would fix Sasser:

@echo off
rem abort the shutdown that Sasser has already scheduled
shutdown -a
rem run the Sasser removal tools, copied to the root of C:
c:\sassgui.com
c:\sasssfx.exe

So all I had to do was open up an Explorer window and type a.cmd in the location bar. (I kept the name intentionally short, “a.cmd” being easier to type than “stop-shutdown-fix-sasser.cmd”.)

The shutdown sequence was just too fast, though. So I had to find another way besides logging into the existing Windows installation.

Extracting Windows system files

That meant booting from Linux.

Complicating the situation was the fact that the computer with the CD/DVD burner was the infected one. Unfortunately, I didn’t have a Linux CD available, so plan B was booting off a USB flash device, of which I luckily had one with Linux installed (Ubuntu 8.10 Hardy Heron). This version of Ubuntu includes read/write drivers for the NTFS filesystem, which means I could modify files on the Windows installation from Linux.

My first line of attack was to replace the files (svchost.exe, rundll.exe, etc.) which are said to be affected by Sasser. I had a copy of the Windows XP installation files on the infected computer’s hard disk, so I wanted to copy those over to the Windows system directory (after making backups of the current system files).

It’s not quite that simple, though. The files on a Windows install disk (or directory) are stored in the so-called Microsoft cabinet format. Microsoft provides utilities for decompressing such files, but, of course, they only run on Windows.

Thoughtfully, someone has created a program called cabextract to do just that on Linux systems. cabextract version 1.2-3 is included in the Ubuntu 9.10 (Karmic Koala) Universe repository.

After extracting the files, I saved them to the Windows directory and rebooted. It didn’t work, though: the Sasser infection went deeper than a few system files, so replacing them wasn’t enough.
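The procedure described in this section, restoring system files from the XP install directory while booted into Linux with the NTFS volume mounted read/write, is shown below as an added example; it is not code from the original post. It backs up each existing file before overwriting it and compares hashes so you can see whether the on-disk copy actually differed from the install-media copy, which is the check that tells you whether file replacement can help at all. The mount point, the i386 directory location and the backup directory are assumptions; cabextract is the real tool named in the post.

```shell
#!/bin/sh
# Added example (not from the original post): restore Windows XP system files
# from the i386 install directory while booted into Linux, backing up each
# existing file and comparing hashes first. All paths below are assumptions.
set -eu

WIN_MOUNT="${WIN_MOUNT:-/mnt/windows}"          # assumed NTFS mount point of the infected install
I386_DIR="${I386_DIR:-$WIN_MOUNT/i386}"          # assumed copy of the XP install files on disk
SYSTEM32="$WIN_MOUNT/WINDOWS/system32"
BACKUP_DIR="${BACKUP_DIR:-$WIN_MOUNT/sysfile-backup}"

# Install media stores each file "compressed" with the last character of the
# extension replaced by an underscore: svchost.exe -> svchost.ex_
compressed_name() {
  printf '%s\n' "$1" | sed 's/.$/_/'
}

# Copy an existing file aside before it is overwritten.
# Returns 0 if a backup was written, 1 if there was nothing to back up.
backup_file() {
  target="$1" dest_dir="$2"
  mkdir -p "$dest_dir"
  [ -f "$target" ] || return 1
  cp -p "$target" "$dest_dir/$(basename "$target").bak"
}

# Extract one compressed install file into a directory with cabextract.
# The i386 directory uses uppercase names, hence the case-insensitive find.
extract_from_i386() {
  name="$1" out_dir="$2"
  cab=$(find "$I386_DIR" -maxdepth 1 -iname "$(compressed_name "$name")" | head -n 1)
  [ -n "$cab" ] || { echo "no install copy of $name in $I386_DIR" >&2; return 1; }
  cabextract -q -d "$out_dir" "$cab"
}

# Compare two files by SHA-256; prints "same" or "different".
compare_files() {
  a=$(sha256sum "$1" | cut -d' ' -f1)
  b=$(sha256sum "$2" | cut -d' ' -f1)
  [ "$a" = "$b" ] && echo same || echo different
}

# Report whether the live copy was altered, back it up, then overwrite it
# with the install-media copy (or restore it if it is missing entirely).
restore_system_file() {
  name="$1"
  tmp=$(mktemp -d)
  extract_from_i386 "$name" "$tmp"
  extracted=$(find "$tmp" -type f | head -n 1)
  live=$(find "$SYSTEM32" -maxdepth 1 -iname "$name" | head -n 1)
  if [ -n "$live" ]; then
    echo "$name: on-disk copy is $(compare_files "$live" "$extracted") from the install copy"
    backup_file "$live" "$BACKUP_DIR"
    cp "$extracted" "$live"
  else
    echo "$name: missing from $SYSTEM32, restoring"
    cp "$extracted" "$SYSTEM32/$name"
  fi
  rm -rf "$tmp"
}

main() {
  for f in svchost.exe rundll32.exe taskmgr.exe cmd.exe; do
    restore_system_file "$f"
  done
}

# Only touch the mounted volume when invoked explicitly with --run.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `sh restore-xp-files.sh --run` after mounting the NTFS volume; a file reported as `same` was not the problem, which is exactly the situation the post goes on to describe for an infection that lives elsewhere.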

Ultimate Boot CD

Next try: the Ultimate Boot CD, a huge collection of various and sundry programs for doing surgery on your computer. I burned a copy of the Ultimate Boot CD, but while it has a few anti-virus options, some are woefully outdated, and others simply didn’t run. Basically, the Ultimate Boot CD is geared toward fixing or diagnosing the many problems that can’t be addressed while booted into the main operating system: repartitioning, fixing the MBR, repairing the registry, resetting passwords, and so on.

Ultimate BootCD: Initial Menu

As such it has a complicated interface and long list of programs and options on startup. But it’s not very good or easy for virus removal. Download the Ultimate Boot CD here.

Kaspersky AntiVirus Rescue CD

Next, I tried the Kaspersky AntiVirus Rescue CD 2008 (kav_rescue_2008.iso). This is a lot easier to run than the Ultimate Boot CD. Kaspersky just loads automatically and you’re presented with a graphical Linux environment in which to run a scan. Kaspersky also provides a command shell in case you want to move files around or ssh into a remote computer. And there’s a file manager.

Kaspersky Rescue CD: Scanner, File Manager, and Shell

I started the scan, and let it run overnight, but it was still nowhere near finished the next morning. Kaspersky is too slow. It tells you how many files it’s processed, and the time it’s taken so far. Based on that, it was taking about a second per file, which would basically mean it would never finish.

So I cancelled out in favor of another option.

BitDefender Rescue CD 2009

After that, I tried BitDefender Rescue CD 2009 (BitDefenderRescueCD_v2.0.0_3_08_2009.iso). Like Kaspersky, it provides a graphical Linux environment and a command shell. But it also provides a lot more. You get Firefox, mail programs, network scanners, backup and partition imaging, text editors, a rootkit checker, even a picture viewer. So, if this is your only computer, at least you can surf the web and check e-mail while BitDefender works.

BitDefender Rescue CD: Initial Screen

Unlike Kaspersky, BitDefender works on many tens of files per second, which one would expect of a C-based program. I don’t know what was wrong with Kaspersky. Anyway, it finished scanning in less than a day. Instead of just deleting all infected files, I manually specified which ones to delete and which ones to leave alone.

Rebooting to Windows

After the BitDefender cleaning, I was at least able to boot to Windows. Since I had lost the Task Manager and Command Shell, I decompressed the following files from the Windows installation files to the Windows directory:

  • taskmgr.exe (the Task Manager)
  • taskmgrw.chm (help file for Task Manager)
  • cmd.exe (Command Shell)
  • command.com (old Command Shell)
  • msconfig.exe
  • msiexec.exe (installer runner)
  • appwiz.cpl (Add/Remove Applications Control Panel Wizard)
  • regedit.exe (Registry Editor)
  • rundll32.exe (DLL function executor)
  • taskkill.exe

I still wasn’t quite confident that all remnants of all viruses had been removed. In fact, I still couldn’t reach microsoft.com, which indicated that a virus was still present.

McAfee Stinger

I downloaded a free tool that McAfee provides called Stinger. It doesn’t do real-time scanning of files as they are downloaded, but it can scan the existing files on a hard disk.

It found a Conficker file which it deleted:

C:\WINDOWS\system32\vkaxt.dll
Found the W32/Conficker.worm.gen.a virus !!!
C:\WINDOWS\system32\vkaxt.dll has been deleted.

But it also found a bad svchost.exe, which it couldn’t delete:

C:\WINDOWS\System32\svchost.exe
Found the W32/Conficker!mem trojan !!!
C:\WINDOWS\System32\svchost.exe could not be repaired.
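The two Stinger results above have the same three-line shape: the path, a "Found the … !!!" line naming the threat, and an outcome line. As an added example that is not part of the original post, the following script turns output in that format into a one-line-per-file report and lists the files the scanner detected but could not clean, which are the ones that still need attention. The sample log is constructed from the two results shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: summarize Stinger-style output.
# Expected input, as shown in the post:
#   <path>
#   Found the <threat name> <type> !!!
#   <path> has been deleted.        or        <path> could not be repaired.
set -eu

# Emit one tab-separated line per result: path, threat name, outcome.
stinger_report() {
  awk '
    /^Found the / { threat = $3; next }
    / has been deleted\.$/ {
      sub(/ has been deleted\.$/, ""); print $0 "\t" threat "\tdeleted"; next
    }
    / could not be repaired\.$/ {
      sub(/ could not be repaired\.$/, ""); print $0 "\t" threat "\tNOT REPAIRED"; next
    }
  '
}

# Paths the scanner flagged but could not fix. In the post this was svchost.exe,
# which carried the in-memory Conficker component that file-level tools cannot clean.
unrepaired_files() {
  stinger_report | awk -F'\t' '$3 == "NOT REPAIRED" { print $1 }'
}

# Constructed sample log, copied from the format of the two results in the post.
SAMPLE_LOG='C:\WINDOWS\system32\vkaxt.dll
Found the W32/Conficker.worm.gen.a virus !!!
C:\WINDOWS\system32\vkaxt.dll has been deleted.
C:\WINDOWS\System32\svchost.exe
Found the W32/Conficker!mem trojan !!!
C:\WINDOWS\System32\svchost.exe could not be repaired.'

printf '%s\n' "$SAMPLE_LOG" | stinger_report
echo "still needs attention:"
printf '%s\n' "$SAMPLE_LOG" | unrepaired_files
```

Pipe a saved Stinger log into `stinger_report` or `unrepaired_files` instead of the constructed sample; anything listed under NOT REPAIRED is a sign, as the post found, that the infection is active somewhere the file scanner cannot reach.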

Windows XP Service Pack 2

So I re-installed Windows XP Service Pack 2. I also applied a hotfix (WindowsXP-KB958644-x86-ENU.exe) which is meant to close the vulnerability that Conficker uses to infect a machine. After a reboot, I could finally access microsoft.com. I thought I was OK, but after a while, I lost microsoft.com access again!

Conciller.exe

After some more research, I discovered that Conficker actually patches into system files in such a way as to re-emerge later even after a Service Pack install.

The files are packed and encrypted on the hard disk, and are only unpacked while running. The Communication Systems work group at the Institute of Computer Science at the University of Bonn has created a scanner called conciller.exe which scans every running process for Conficker and removes it without disturbing the original process. Direct download here.

When I ran it, I actually got a few hits, which means Conficker was still active. Only after disinfecting memory with conciller.exe, and then re-installing the Service Pack and the hotfix, was I finally able to rid the computer of the Conficker mess.

Postscript

While I was finally able to clean the computer, it came at the cost of many days of lost productivity and frustration. I decided I’d had enough of Windows, and didn’t particularly care to get on the buggy and incompatible bandwagon called Windows Vista. So I resolved to start researching the suitability of Ubuntu as a replacement for my main operating environment. I’ll post updates on that in other blog posts.


5 Responses to “Removing Conficker and Sasser Viruses from Windows XP with Kaspersky and BitDefender”

  1. [...] Regarding #1, that, of course, is the reason I moved to Ubuntu (after cleaning a virus infection on Windows). [...]

  2. DavedKosibski says:

    Great site, very informative. Thank you.

  3. Digitivity says:

    Thanks for visiting. Be sure to subscribe to the Digitivity RSS Feed for more articles like this.

  4. Rosenda Andzulis says:

    Thanks for this cool post. Anyway, I found your blog on Google and find it very useful. I’ll be sure to come back again for more!

  5. Digitivity says:

    @Rosenda

    Thanks. I wrote the post so that people who are struggling with Conficker and Sasser on Windows could have a chance of removing those viruses. I don’t think it’s possible to fully remove them without Conciller.exe.

    Be sure to subscribe to the Digitivity RSS feed.