FreeMan Posted April 23, 2019

I'm generally the family IT guy, as I'm sure many of us here are. My in-laws took a non-functioning PC to their local IT shop, who told them that it was infected with something and that their best bet was to replace the machine. Not believing that for an instant (it is an older CPU, but for solitaire, a bit of web browsing and writing a journal, it's more than sufficient), I've now got the machine and want to investigate.

Here's my game plan. Please shout down anything that sounds like it has potential for screwing up my other machines at home:

1. I've got a Win 10 VM on my server - it's currently installing all the latest updates, then I plan on installing an anti-virus and a couple of my favorite anti-malware apps.
2. I'll shut down the VM and make a backup of the .IMG file.
3. I'll pull the infected drive from the IL's machine and plug it into my UNRAID server via USB dock.
4. I'll mount the drive with Unassigned Devices.
5. I'll disable networking on the Win10 VM.
6. I'll map the UD drive to the VM (will this work with networking turned off?).
7. I'll run the AV against the contents of the drive, looking to clean up and recover as many documents as possible and move them to the UNRAID server. I'll make a dedicated share that none of my other Windows machines can access.
8. Once I've recovered as much as I can from the drive, I'll unmount it from UD and run a pre-clear on it to completely wipe it.
9. Once it's cleared, I'll put it back in its original home, install Win10 on it and replace all the recovered documents.
10. I'll refresh the VM from the .IMG backup.

I know that none of the Windows viruses that may be on the hard drive will have any impact on UNRAID, since they're not designed to run in a *nix environment. My concern is them scanning the network and finding my other Windows machines and/or the UNRAID shares while I'm doing this.

A couple of thoughts on risk mitigation:

- Shut down all other Win machines while I'm doing this (AARGH!!! living without a computer? What am I supposed to do, talk to my wife?? )
- Mount all my user shares ReadOnly to prevent the virus from writing anything to any of my other files on the server.
- Give the VM a different network (I use 192.168.* internally, change the VM to use 10.* or 172.16.*) so it can't talk to anything else on the network. If I do this, would it still be able to talk to UNRAID to access the UD mounted drive? I've only got one NIC in the server.

If anyone has any other suggestions or sees any issues with any of the above steps, I'd be most grateful! (Plus, once I do this and get the MIL used to using Win10 instead of the Win7 that's on this box, maybe I'll be able to convince her to upgrade the WinXP box. Yes, XP. No, she's not a big fan of change...)
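As an added example (not code from this thread, and not part of Unraid or the Unassigned Devices plugin), here is one host-side way to do the mount-and-recover part of the plan above so the Windows VM never needs network access to the drive: mount the suspect disk on the Unraid (Linux) host read-only with noexec/nodev/nosuid, copy only user document types into a quarantine share, and keep a SHA-256 manifest of what was copied. The device path, mount point and share path are placeholder assumptions; the document extension lists are my own choice, and macro-enabled Office files are copied but listed for manual review because they can carry VBA.

```shell
#!/bin/sh
# Added example, not from the thread: triage a suspect Windows drive from the
# Linux host. SUSPECT_DEV, MNT and QUARANTINE are assumed placeholders.

SUSPECT_DEV="${SUSPECT_DEV:-/dev/disk/by-id/REPLACE-WITH-DRIVE-ID}"
MNT="${MNT:-/mnt/suspect}"
QUARANTINE="${QUARANTINE:-/mnt/user/quarantine}"   # share no Windows client can reach

# User document types worth recovering. Executable and script types are
# deliberately absent: anything not listed stays on the drive.
DOC_EXTS="doc docx xls xlsx ppt pptx pdf txt rtf odt jpg jpeg png gif mp3 mp4"
# Macro-enabled Office types are copied but recorded in REVIEW.txt for a look.
REVIEW_EXTS="docm xlsm pptm"

# ro: never write to the evidence; noexec/nodev/nosuid: nothing on it can run.
mount_suspect() {
    mkdir -p "$MNT" &&
    mount -o ro,noexec,nodev,nosuid "$SUSPECT_DEV" "$MNT"
}

# Lower-cased extension of a path's basename, or empty if it has none.
ext_of() {
    b="${1##*/}"
    case "$b" in
        *.*) printf '%s\n' "${b##*.}" | tr 'A-Z' 'a-z' ;;
        *)   printf '\n' ;;
    esac
}

# in_list WORD "LIST": succeed if WORD is one of the space-separated LIST.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# recover_docs SRC DST: copy allowed document types from SRC into DST,
# keeping relative paths; writes DST/MANIFEST.sha256 and DST/REVIEW.txt.
recover_docs() {
    src="$1"; dst="$2"
    mkdir -p "$dst" || return 1
    : > "$dst/MANIFEST.sha256"
    : > "$dst/REVIEW.txt"
    find "$src" -type f | while IFS= read -r f; do
        rel="${f#"$src"/}"
        e="$(ext_of "$rel")"
        if in_list "$e" "$DOC_EXTS" || in_list "$e" "$REVIEW_EXTS"; then
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$f" "$dst/$rel" || continue
            (cd "$dst" && sha256sum "$rel") >> "$dst/MANIFEST.sha256"
            if in_list "$e" "$REVIEW_EXTS"; then
                printf '%s\n' "$rel" >> "$dst/REVIEW.txt"
            fi
        fi
    done
}

# Number of files recovered into DST (one manifest line per file).
recovered_count() { wc -l < "$1/MANIFEST.sha256" | tr -d ' '; }

# Usage on the host:  mount_suspect && recover_docs "$MNT" "$QUARANTINE"
```

The extension filter only keeps executables and scripts out of the quarantine share; it does not prove a document is clean, so the copied files still go through the AV scan in the VM before they return to the rebuilt machine, and the manifest lets you confirm later that nothing in the share changed.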
JonathanM Posted April 23, 2019

Before you go through all that, I recommend downloading and creating the Windows Defender Offline boot media, and run that through the machine in question. https://support.microsoft.com/en-us/help/17466/windows-defender-offline-help-protect-my-pc

After creating the boot media on your machine, test it out on the target machine by temporarily disconnecting the hard drive, and make sure you figure out how to force a boot from your Defender USB or DVD. Then hook the hard drive back up and boot the scan media and let it scan the drive.

Very few currently circulating infections are bad enough to warrant disposing of the machine; worst case would be a wipe and reload after copying any documents needed.
FreeMan Posted April 23, 2019

Thanks, @jonathanm, I'll definitely give that a shot!
Siwat2545 Posted April 23, 2019

You should remove your network adapter from the guest machine too.

Sent from my Pixel 3 using Tapatalk
JonathanM Posted April 23, 2019

11 minutes ago, Siwat2545 said:
"You should remove your network adapter from the guest machine too."

Most modern systems have the network built in to the motherboard, making it a little difficult to remove. In any case, as long as you don't plug in an ethernet cable, the chances of it connecting to a network are pretty slim. I'm assuming he knows not to connect wirelessly either.
Siwat2545 Posted April 23, 2019

JonathanM said:
"Most modern systems have the network built in to the motherboard, making it a little difficult to remove. In any case, as long as you don't plug in an ethernet cable, the chances of it connecting to a network are pretty slim. I'm assuming he knows not to connect wirelessly either."

I mean remove the virtual network adapter from the guest OS (assuming that the drive will be in a virtual environment). Aka take the HDD out and pass it through KVM.

Sent from my Pixel 3 using Tapatalk
Jcloud Posted April 23, 2019

Also, since the shop said it was "broken", getting a free download of HDTune http://www.hdtune.com/ might be worth your time (to check SMART status and run a surface scan for bad blocks).

Other cleanup utilities for Windows that I trust (I usually run them in this order - all the free versions):

1. rkill https://www.bleepingcomputer.com/download/rkill/
2. JRT https://www.bleepingcomputer.com/download/junkware-removal-tool/
3. RogueKiller https://www.adlice.com/download/roguekiller/
4. MalwareBytes https://www.malwarebytes.com
5. ccleaner https://www.ccleaner.com/ccleaner
6. Antivirus software(s)
   a. Only have one installed at a time; bad mojo to have multiple installed.
   b. I personally don't like McAfee products.
   c. Free options I tend to use: Avast!, Avira, and sometimes AVG.
7. autoruns https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
8. Revo Uninstaller - if there are broken programs you want to uninstall. https://www.revouninstaller.com/

Also should note, as RogueKiller and MalwareBytes like to default as TSR applications, when I'm done with them I tend to uninstall them. I tend to download all these applications onto a USB drive and run them on the "infected" system.

If Windows gets REALLY fubared, the All-in-one Repair Utility can sometimes help, but I've also had it make Windows worse off, so be careful with this one: https://www.tweaking.com/content/page/windows_repair_all_in_one.html

Last thing, in case you did not know this: if that laptop still has the product key sticker, that code can be used to activate Windows 10 - so no reason to buy a copy.

Edited April 23, 2019 by Jcloud