How to Stay Virus-Free and Speedy with Windows XP, Part 2

Recovering From An Infected System

I didn't realize how lucky I was to have avoided viruses. A system came to me with a virus that prevented users from typing their access information into AOL's virus system, and that also seemed to hide from some virus scanners. The solution is to use a "boot CD" to start the system from the CD-ROM, and then run tools to clean the hard disk from there.

Boot CDs started out on Linux, where it was not entirely unusual to set up machines to boot up (start up) into different operating systems, or even different configurations of the same operating system. The next logical step was to put the entire operating system onto the CD. This idea led to the creation of Windows Boot CDs.

The one I'm using currently is The Ultimate Boot CD for Windows, which is based on Bart's PE, a boot CD system. It comes preinstalled with all the free command-line virus scanners.

F8

After one pass with the boot CD, I did a session using "F8". When you reboot into XP, start hitting the F8 key to get the menu that lets you start Windows in "Safe Mode". Safe Mode starts Windows but doesn't load most drivers or services, so most viruses don't get started either.

Boot into Safe Mode with Networking, and then go to the virus scanning sites (listed above). They'll find any stray viruses. You can then remove the files manually. That is easier said than done, though: viruses know how to hide, and anti-virus tool vendors don't want to make it too easy to clean up yourself.

The first tool in your arsenal is the "Search..." program from the Start Menu. Type in the filename and see if it comes up. If it does, delete the file.

If it doesn't, the virus is located in some hidden directory. That means you have to use the command line, cmd.exe. McAfee's report shows the directory in which it found the file, so you can usually CD into that directory. Then, you can do a "DIR /A" to display hidden files. With a little cut and paste, you can build the correct path for Search.

For example, one virus was detected in C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}. I had to dig around to build that path, but once it was in Search, it found the offending file, and I deleted it.
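The command-line hunt described above (CD into the reported directory, DIR /A to expose hidden files, paste the full path into Search) can be wrapped in a small batch file so you get bare full paths instead of hand-assembling them. This is an added example written for this article, not a script from the original post; it assumes Windows XP's cmd.exe and the directory name shown in the scanner's report as its only argument (the file name listhidden.cmd is my choice).

```batch
@echo off
rem listhidden.cmd - added example, not part of the original article.
rem Lists hidden and system files under a directory as bare full paths,
rem so a path from a scanner report can be checked and pasted into Search.
rem Assumes Windows XP cmd.exe. Usage: listhidden.cmd "C:\Some\Directory"

setlocal
if "%~1"=="" (
    echo Usage: %~nx0 "C:\directory to inspect"
    exit /b 1
)
if not exist "%~1\" (
    echo Directory not found: %~1
    exit /b 1
)

echo Hidden files under "%~1" (excluding directories):
rem /a:h-d = hidden, non-directory entries; /s = recurse; /b = bare full paths.
rem "Access is denied" lines are suppressed with 2>nul; protected folders
rem such as System Volume Information may still hide their contents.
dir /a:h-d /s /b "%~1" 2>nul

echo.
echo System files under "%~1" (excluding directories):
dir /a:s-d /s /b "%~1" 2>nul

echo.
echo Attributes of each hidden file (R=read-only, H=hidden, S=system, A=archive):
rem The ^> escapes the redirection inside the FOR /F command string.
for /f "delims=" %%F in ('dir /a:h-d /s /b "%~1" 2^>nul') do attrib "%%F"
endlocal
```

Run it from a cmd.exe window in Safe Mode, then compare the printed paths against what the scanner reported. The attrib line is there because a file that is both hidden and system has to have those attributes removed (attrib -h -s) before Explorer or del will touch it; a file that appears in the scanner report but not in this listing is most likely sitting in a folder whose permissions deny you directory access, which is the "dig around" case the article describes.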

Cleaning Up the Disk

I believe that keeping the disk clean is of dubious value, unless the system is very old. Most slowdowns are due to applications and small programs executing, consuming memory. This causes RAM to run out, and forces the system to swap to disk (that is, it saves out part of RAM to disk, and then loads up data from disk into RAM).

That said, there are some disk tools that, at the very least, look useful. They are located in Start Menu -> All Programs -> Accessories -> System Tools. Disk Cleanup compresses old files and deletes temporary files. Defragment Disk rearranges the blocks on the disk so that file access will be a little faster. If you're going to use them, run the cleanup first, then defragment.

Before you defragment, you may want to twiddle the virtual memory (VM) settings a little bit. Turn the paging file down to a small size, or use no paging file at all if you have enough RAM. Then, defrag the disk. Then, boost the VM back to its prior size or larger. This makes the VM page file (the file where VM is stored) a single large, contiguous block, so VM access will improve.
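The cleanup-then-defragment order from the two paragraphs above can also be driven from the command line on XP, which is handy when you are doing it on several machines. The following is an added example, not a script from the original article; it assumes XP's cleanmgr.exe and defrag.exe, that you have already saved a Disk Cleanup selection under profile number 1 with cleanmgr /sageset:1 (the profile number is my choice), and that C: is the drive to treat.

```batch
@echo off
rem cleanthendefrag.cmd - added example, not part of the original article.
rem Runs Disk Cleanup with a saved selection, then analyzes and defragments
rem the drive. Assumes Windows XP's cleanmgr.exe and defrag.exe, and that
rem "cleanmgr /sageset:1" was run once beforehand to choose what to clean.

setlocal
set DRIVE=C:

echo Step 1: Disk Cleanup using saved profile 1 on %DRIVE%
rem /sagerun:1 applies the selection saved with /sageset:1 to all drives.
cleanmgr /sagerun:1

echo.
echo Step 2: fragmentation analysis of %DRIVE% (no changes made)
rem -a = analyze only, -v = verbose report
defrag %DRIVE% -a -v

echo.
echo Step 3: defragment %DRIVE%
rem XP's defrag refuses to run with less than about 15%% free space unless
rem -f (force) is given; the cleanup in step 1 is what makes room for it.
defrag %DRIVE% -f
if errorlevel 1 (
    echo Defragmentation reported an error; see the output above.
    exit /b 1
)
echo Done.
endlocal
```

Run the analysis step on its own first if you only want the report; the page-file trick described above (shrink the paging file, defragment, then enlarge it again) is done through the System Properties dialog and is not part of this script.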

I've noticed that some people have slow disks, and that can negate other performance upgrades. If you get a significant motherboard upgrade, it's a good idea to get a new disk that will run as fast as the built-in IDE controllers on the motherboard. If the system has PCI-X slots, get a 3.0 Mb/s SATA card and a SATA drive. This will improve booting and program loading times. Additionally, get enough RAM so you don't swap to disk. VM isn't supposed to be something you use regularly. It's there for emergencies, when you really need just a little extra space.
