Using UNRAID to diagnose/recover virus infected hard drive



I'm generally the family IT guy, as I'm sure many of us here are. My in-laws took a non-functioning PC to their local IT shop who told them that it was infected with something and that their best bet was to replace the machine. Not believing that for an instant (it is an older CPU, but for solitaire, a bit of web browsing and writing a journal, it's more than sufficient), I've now got the machine and want to investigate.

 

Here's my game plan. Please shout down anything that sounds like it has potential for screwing up my other machines at home:

  1. I've got a Win 10 VM on my server - it's currently installing all the latest updates, then I plan on installing an anti-virus and a couple of my favorite anti-malware apps.
  2. I'll shut down the VM and make a backup of the .IMG file
  3. I'll pull the infected drive from the IL's machine and plug it into my UNRAID server via USB dock.
  4. I'll mount the drive with Unassigned Devices
  5. I'll disable networking on the Win10 VM
  6. I'll map the UD drive to the VM (will this work with networking turned off?)
  7. I'll run the AV against the contents of the drive, looking to clean up and recover as many documents as possible and move them to the UNRAID server. I'll make a dedicated share that none of my other Windows machines can access.
  8. Once I've recovered as much as I can from the drive, I'll unmount it from UD and run a pre-clear on it to completely wipe it.
  9. Once it's cleared, I'll put it back in its original home, install Win10 on it and replace all the recovered documents
  10. I'll refresh the VM from the .IMG backup.

 

I know that none of the Windows viruses that may be on the hard drive will have any impact on UNRAID, since they're not designed to run in a *nix environment. My concern is them scanning the network and finding my other Windows machines and/or the UNRAID shares while I'm doing this. A couple of thoughts on risk mitigation:

  1. Shut down all other Win machines while I'm doing this (AARGH!!! living without a computer? What am I supposed to do, talk to my wife?? :) )
  2. Mount all my user shares ReadOnly to prevent the virus from writing anything to any of my other files on the server.
  3. Give the VM a different network (I use 192.168.* internally, change the VM to use 10.* or 172.16.*) so it can't talk to anything else on the network.
    1. If I do this, would it still be able to talk to UNRAID to access the UD mounted drive? I've only got one NIC in the server.

 

If anyone has any other suggestions or sees any issues with any of the above steps, I'd be most grateful! (Plus, once I do this and get the MIL used to using Win10 instead of the Win7 that's on this box, maybe I'll be able to convince her to upgrade the WinXP box. Yes, XP. No, she's not a big fan of change...)

Link to comment
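As an added example (not from the original post or from Unraid/Unassigned Devices), here is a shell version of steps 4 and 7 as typed on the Unraid console: mount the pulled partition read-only with noexec/nosuid/nodev, then copy documents out by extension into a quarantine share while leaving executables, scripts and macro-enabled Office files behind, with a SHA-256 manifest of what was taken. The device path, mount point and share path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Shell version of steps 4 and 7:
# mount the suspect Windows partition read-only and non-executable, then copy
# out documents by extension into a quarantine share with a SHA-256 manifest.
# /dev/sdX1, /mnt/disks/suspect and /mnt/user/quarantine are placeholders.

# Mount the pulled drive so nothing on it can execute, be setuid, or be written to.
# Requires root; Unassigned Devices does the equivalent from the GUI.
mount_suspect_ro() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -t ntfs-3g -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# Copy user documents from $1 to $2, keeping the directory layout, skipping anything
# not on the allow-list (so .exe, .dll, .js, .lnk, .scr and .docm/.xlsm stay behind),
# clearing execute bits and recording a SHA-256 manifest. Prints the number of files copied.
# Matching is on the final extension only, so "invoice.pdf.exe" is not a PDF here.
# (Filenames containing a newline are not handled by the read loop.)
recover_documents() {
    src="$1"; dst="$2"
    manifest="$dst/manifest.sha256"
    mkdir -p "$dst"
    : > "$manifest"
    find "$src" -type f \( -iname '*.doc' -o -iname '*.docx' -o -iname '*.xls' -o -iname '*.xlsx' \
        -o -iname '*.odt' -o -iname '*.pdf' -o -iname '*.txt' -o -iname '*.rtf' \
        -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \) -print |
    while IFS= read -r f; do
        rel="${f#"$src"/}"
        mkdir -p "$dst/$(dirname "$rel")"
        cp "$f" "$dst/$rel"           # no -p/-a: do not carry attributes or ACLs across
        chmod 0644 "$dst/$rel"        # plain data file, never executable
        sha256sum "$dst/$rel" >> "$manifest"
    done
    wc -l < "$manifest" | tr -d ' '
}

# Usage on Unraid (as root):
#   mount_suspect_ro /dev/sdX1 /mnt/disks/suspect
#   recover_documents /mnt/disks/suspect/Users /mnt/user/quarantine
```

The allow-list is deliberately short: anything that can carry code (executables, scripts, shortcuts, macro-enabled Office formats) is left on the old disk, and the copied files lose any execute bit and alternate attributes on the way over. The manifest lets you verify later that what ended up on the rebuilt PC is exactly what was pulled from the quarantine share.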

Before you go through all that, I recommend downloading and creating the Windows Defender Offline boot media, and running that on the machine in question.

https://support.microsoft.com/en-us/help/17466/windows-defender-offline-help-protect-my-pc

After creating the boot media on your machine, test it out on the target machine by temporarily disconnecting the hard drive, and make sure you figure out how to force a boot from your defender USB or DVD.  Then hook the hard drive back up and boot the scan media and let it scan the drive.

 

Very few currently circulating infections are bad enough to warrant disposing of the machine; worst case would be a wipe and reload after copying any documents needed.

Link to comment
11 minutes ago, Siwat2545 said:

You should remove your network adapter from the guest machine too.
 

Most modern systems have the network built into the motherboard, making it a little difficult to remove. In any case, as long as you don't plug in an ethernet cable, the chances of it connecting to a network are pretty slim. I'm assuming he knows not to connect wirelessly either.

Link to comment
Most modern systems have the network built into the motherboard, making it a little difficult to remove. In any case, as long as you don't plug in an ethernet cable, the chances of it connecting to a network are pretty slim. I'm assuming he knows not to connect wirelessly either.

I mean remove the virtual network adapter from the guest OS (assuming that the drive will be in a virtual environment).

AKA take the HDD out and pass it through KVM.

Link to comment

Also, since the shop said it was "broken", getting the free download of HDTune http://www.hdtune.com/ might be worth your time (to check SMART status and run a surface scan for bad blocks). Other cleanup utilities for Windows that I trust:

(I usually run them in this order - all the free versions)

1. rkill https://www.bleepingcomputer.com/download/rkill/

2. JRT https://www.bleepingcomputer.com/download/junkware-removal-tool/

3. RogueKiller https://www.adlice.com/download/roguekiller/

4. MalwareBytes https://www.malwarebytes.com

5. ccleaner https://www.ccleaner.com/ccleaner

6. Antivirus software(s) 

       a. Only have one installed at a time; bad mojo to have multiple installed.

       b. I personally don't like McAfee products.

       c. Free options I tend to use: Avast!, Avira, and some times AVG.

7. autoruns https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

8. Revo Uninstaller - if there are broken programs you want to uninstall. https://www.revouninstaller.com/

 

Also, I should note that, as RogueKiller and MalwareBytes like to default to running as TSR applications, when I'm done with them I tend to uninstall them.

I tend to download all these applications onto a USB drive and do them on the "infected" system. 

If Windows gets REALLY fubared, the All-in-one Repair Utility can sometimes help, but I've also had it make Windows worse off, so be careful with this one: https://www.tweaking.com/content/page/windows_repair_all_in_one.html

 

Last thing, in case you did not know this, if that laptop still has the product key sticker that code can be used to activate Windows 10 - so no reason to buy a copy.

 

Edited by Jcloud
Link to comment
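The SMART check suggested above can be done straight from the Unraid console with smartctl before any Windows tooling is involved. As an added example (not from the original post, and not part of smartmontools or HDTune), the function below reads `smartctl -A` attribute output and flags the attributes whose raw value is a count of bad or suspect sectors, which is a better explanation for a "broken" PC than malware. The SMART table embedded here is constructed sample input; on the server you would pipe in `smartctl -A /dev/sdX` for the docked drive.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `smartctl -A` attribute output
# and flags the attributes that indicate a physically failing disk.
# SAMPLE_FAILING and SAMPLE_HEALTHY are constructed input, not real drives.
# Real use on Unraid:  smartctl -A /dev/sdX | smart_flags

SAMPLE_FAILING='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   093   093   036    Pre-fail  Always       -       312
  9 Power_On_Hours          0x0032   085   085   000    Old_age   Always       -       13456
187 Reported_Uncorrect      0x0032   100   100   000    Old_age   Always       -       0
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       8'

SAMPLE_HEALTHY='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       2210
187 Reported_Uncorrect      0x0032   100   100   000    Old_age   Always       -       0
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0'

# Read smartctl -A output on stdin. For every watched attribute with a non-zero raw
# value print "ID NAME RAW"; exit 1 if any were found, 0 if the disk looks clean.
# Watched: 5 reallocated, 187 reported uncorrectable, 197 pending, 198 offline uncorrectable.
smart_flags() {
    awk '
        BEGIN { watch[5]=1; watch[187]=1; watch[197]=1; watch[198]=1; bad=0 }
        # Attribute rows start with a numeric ID; field 10 is RAW_VALUE.
        $1 ~ /^[0-9]+$/ && ($1 in watch) && $10+0 > 0 { print $1, $2, $10; bad++ }
        END { exit (bad > 0) }
    '
}

# One-line verdict for a human, built on smart_flags.
smart_verdict() {
    if out=$(smart_flags); then
        echo "SMART: no reallocated/pending/uncorrectable sectors reported"
    else
        echo "SMART: disk is failing, back up and replace it:"
        echo "$out"
    fi
}

# Usage:
#   printf '%s\n' "$SAMPLE_FAILING" | smart_verdict
#   smartctl -A /dev/sdX | smart_verdict
```

Only raw counts of bad sectors are checked here; a rising Reallocated_Sector_Ct or any non-zero Current_Pending_Sector on a consumer drive is reason enough to copy the documents off first and not trust a wipe-and-reload on the same disk. The normalised VALUE/THRESH columns are left alone because vendors scale them inconsistently.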
