Trying to prevent Windows from shutting down immediately

One of the methods that’s worked for other people trying to avoid the shutdown caused by Sasser is to quickly type shutdown -a in a command window:

shutdown -a

The -a means abort.

But I never had enough time to open a command prompt to enter the command. Part of the reason for that might be the inordinate amount of time that my installation of Windows (which is the original manufacturer’s installation) takes to fully load, including all autorun programs and services.

So I went back to the Linux Live USB, and added a Windows batch file with the command already typed out, along with running the programs which would fix Sasser:

shutdown -a
c:\sassgui.com
c:\sasssfx.exe

So all I had to do was open up an Explorer window and type a.cmd in the location bar. (I kept the name intentionally short, “a.cmd” being easier to type than “stop-shutdown-fix-sasser.cmd”.)

The shutdown sequence was just too fast, though. So I had to find another way besides logging into the existing Windows installation.

Extracting Windows system files

That meant booting from Linux.

Complicating the situation was that the fact that the computer on which I have a CD/DVD burner was the infected one.  Unfortunately, I  didn’t have a Linux CD available, so plan B was booting off a USB flash device, of which I luckily had one with Linux installed (Ubunutu 8.10 Hardy Heron). This version of Ubuntu includes read/write drivers for the NTFS filesystem, which means that I can modify files on the Windows installation while in Linux.

My first line of attack was to replace the files (svchost.exe, rundll.exe, etc.) which are said to be affected by Sasser. I had a copy of the Windows XP installation files on the infected computer’s hard disk, so I wanted to copy those over to the Windows system directory (after making backups of the current system files).

It’s not quite that simple, though. The files on a Windows install disk (or directory) are saved in the so-called Microsoft cabinet format. Microsoft provides utilities for de-compressing such files, but, of course, they only run on Windows.

Thoughtfully, someone has created a program called cabextract to do just that on Linux systems. cabextract version 1.2-3 is included in the Ubuntu 9.10 (Karmic Koala) Universe repository.

After extracting the files, I saved them to the Windows directory and rebooted.  It didn’t work though. The Sasser infection was quite deep, and just changing a few files didn’t work.

Ultimate Boot CD

Next try: the Ultimate Boot CD, a huge collection of various and sundry programs for doing surgery on your computer. I burned a copy of the Ultimate Boot CD, but while that has a few anti-virus options, some are woefully outdated, and others simply didn’t run. Basically, the Ultimate Boot CD is geared toward fixing or diagnosing any number of many different problems you might have that can’t be done while booted in the main operating system, including repartitioning, fixing the MBR, fixing registry, resetting passwords, etc.

Ultimate BootCD: Initial Menu

As such it has a complicated interface and long list of programs and options on startup. But it’s not very good or easy for virus removal. Download the Ultimate Boot CD here.

Kaspersky AntiVirus Rescue CD

Next, I tried the Kaspersky AntiVirus Rescue CD 2008 (kav_rescue_2008.iso). This is a lot easier to run than the Ultimate Boot CD. Kaspersky just loads automatically and you’re presented with a graphical Linux environment in which to run a scan. Kaspersky also provides a command shell in case you want to move files around or ssh into a remote computer. And there’s a file manager.

Kaspersky Rescue CD: Scanner, File Manager, and Shell

I started the scan, and let it run overnight, but it was still nowhere near finished the next morning. Kaspersky is too slow. It tells you how many files it’s processed, and the time it’s taken so far. Based on that, it was taking about a second per file, which would basically mean it would never finish.

So I cancelled out in favor of another option.

BitDefender Rescue CD 2009

After that, I tried Bit Defender Rescue CD 2009 (BitDefenderRescueCD_v2.0.0_3_08_2009.iso). This, like Kaspersky, also provides a graphical Linux environment and a command shell. But it also provides a lot more. You get Firefox, mail programs, network scanners, backup and partition imaging, text editors, a rootkit checker, even a picture viewer. So, if this is your only computer, at least you can surf the web and check e-mail while BitDefender works.

BitDefender Rescue CD: Initial Screen

Unlike Kaspersky, BitDefender works on many tens of files per second, which one would expect of a C-based program. I don’t know what was wrong with Kaspersky. Anyway, it finished scanning in less than a day. Instead of just deleting all infected files, I manually specified which ones to delete and which ones to leave alone.

Rebooting to Windows

After the BitDefender cleaning, I was at least able to boot to Windows. Since I had lost the Task Manager and Command Shell, I decompressed the following files from the Windows installation files to the Windows directory:

• taskmgr.exe (the Task Manager)
• taskmgrw.chm (help file for Task Manager)
• cmd.exe (Command Shell)
• command.com (old Command Shell)
• msconfig.exe
• msiexec.exe (installer runner)
• appwiz.cpl (Add/Remove Applications Control Panel Wizard)
• regedit.exe (Registry Editor)
• rundll32.exe (DLL function executor)
• taskkill.exe

I still wasn’t quite confident that all remnants of all viruses had been removed. In fact, I still couldn’t reach microsoft.com, which indicated that a virus was still present.

McAfee Stinger

I downloaded a free tool that McAfee provides called Stinger. It doesn’t do constant scanning of files as they are downloaded, but it can scan existing files on a hard disk.

It found a Conficker file which it deleted:

C:\WINDOWS\system32\vkaxt.dll
Found the W32/Conficker.worm.gen.a virus !!!
C:\WINDOWS\system32\vkaxt.dll has been deleted.

But it also found a bad svchost.exe, which it couldn’t delete:

C:\WINDOWS\System32\svchost.exe
Found the W32/Conficker!mem trojan !!!
C:\WINDOWS\System32\svchost.exe could not be repaired.

Windows XP Service Pack 2

So I re-installed Windows XP Service Pack 2. I also applied a Hot Fix (WindowsXP-KB958644-x86-ENU.exe) which is meant to prevent vulnerabilities leading to Conficker contamination. After a reboot, I could finally access microsoft.com. I thought I was OK, but after a while, I lost microsoft.com access again!

Conciller.exe

After some more research, I discovered that Conficker actually patches into system files in such a way as to re-emerge later even after a Service Pack install.

The files are packed and encrypted on the hard disk, and are only unpacked while running. The Communication Systems work group at the Institute of Computer Science at the University of Bonn has created a scanner called conciller.exe which scans every running process for Conficker and removes it without disturbing the original process. Direct download here.

When I ran it, I actually got a few hits, which means Conficker was still active. Only after disinfecting memory with conciller.exe, and then re-installing the Service Pack and the Hot Fix, was I finally able to rid the computer of the Conficker mess.

Postscript

While I was finally able to clean the computer, it came at the loss of many days of non-productivity and frustration. I decided I’d had enough of Windows, and didn’t particularly care to get on the buggy and non-compatible bandwagon called Windows Vista. So I resolved to start researching the suitability of Ubuntu as a replacement for my main operating environment. I’ll post updates on that in other blog posts.

Related posts:

1. My Windows XP Gets Virus Infected
2. Latest Windows XP Update Crashes Computers
3. What’s Good Podcast about Why Macs Are Better Than PCs