Any opinions on the best anti-virus rescue cd?
ratchet
September 15th, 2009, 04:59 PM
My friend's pc is nuked. He said it had only been running in Safe Mode but now it won't even do that. Claims all restore points are gone and whatever caused this took out his McAfee also (perhaps that was part of the problem). I'm aware of Avira, BitDefender, F-Secure and Kaspersky rescue CDs and there may be others. I skimmed the features and Avira updates theirs throughout the day while the others you have to be able to get online to update which could be a problem. Other than a reformat, which I'm sure would take a day with XP SP1 cd, plus I don't know if he has the cd for all the drivers, what other tools can I help him with? Thank You!
trjam
September 15th, 2009, 05:01 PM
-{ Quote: "My friend's pc is nuked. He said it had only been running in Safe Mode but now it won't even do that. Claims all restore points are gone and whatever caused this took out his McAfee also (perhaps that was part of the problem). I'm aware of Avira, BitDefender, F-Secure and Kaspersky rescue CDs and there may be others. I skimmed the features and Avira updates theirs throughout the day while the others you have to be able to get online to update which could be a problem. Other than a reformat, which I'm sure would take a day with XP SP1 cd, plus I don't know if he has the cd for all the drivers, what other tools can I help him with? Thank You!" }-
How can a rescue CD help if it wasn't created while his PC was actually in good shape? A reformat is the only safe way to go here.
ratchet
September 15th, 2009, 05:25 PM
-{ Quote: "How can a rescue CD help if it wasn't created while his PC was actually in good shape? A reformat is the only safe way to go here." }-
Not really! From the aforementioned companies I can burn him a cd. You can boot into them and they scan and clean.
HKEY1952
September 15th, 2009, 05:35 PM
-{ Quote: "My friend's pc is nuked. He said it had only been running in Safe Mode but now it won't even do that. Claims all restore points are gone and whatever caused this took out his McAfee also (perhaps that was part of the problem). I'm aware of Avira, BitDefender, F-Secure and Kaspersky rescue CDs and there may be others. I skimmed the features and Avira updates theirs throughout the day while the others you have to be able to get online to update which could be a problem. Other than a reformat, which I'm sure would take a day with XP SP1 cd, plus I don't know if he has the cd for all the drivers, what other tools can I help him with? Thank You!" }-
I prefer using the Avira Rescue System CD because of the broader range of hardware compatibility and ease of updating.
Concerning the case with your friend's computer, the information provided suggests that the boot sequence of Microsoft Windows is corrupted and whatever infected the computer also corrupted the security software and who knows what else. I strongly suggest re-formatting of the hard drive and re-installing Microsoft Windows. As for the drivers, one can visit the computer manufacturer's Web Site and download the needed drivers. In most cases all that is required to find and gain access to the drivers are the Computer Model Number and/or Serial Number.
Advice by member "trjam" is most often sound advice. I believe that member "trjam" mistakenly interpreted your Post concerning the Rescue CD creation, however, the advice on formatting the hard drive is sound advice.
HKEY1952
Edited by HKEY1952 for clarification
TheKid7
September 15th, 2009, 05:38 PM
I have very limited experience (with actual removal of malware) with Rescue CDs. I have tried many of them but have had 100% hardware compatibility only with the AVIRA Rescue CD. The AVIRA Rescue CD will boot, allow updates (if necessary) and run a scan of all of the hard drives of my four home PCs. I have never used it to clean a truly infected PC. I use it for a second opinion about once a month on my PCs. AVIRA says that Rootkits are easily found and removed when Windows is not running.
trjam
September 15th, 2009, 05:47 PM
I see what you are saying and to me the choice would be Best Buy.;)
Avira is the answer.
Keyboard_Commando
September 15th, 2009, 05:49 PM
Give last known good configuration (http://www.computerhope.com/issues/ch000626.htm) a shot.
Quite a good review of emergency disks here (http://thepcsecurity.com/category/utilities/portable-antivirus/). I've used Avira's emergency boot cd and it works well.
0strodamus
September 15th, 2009, 05:53 PM
I would burn them all. CDs are cheap. I have Avira and F-Secure CDs, but haven't had a need to use them yet. If you read the pdf file that comes with the F-Secure CD, you'll see that you can download updated virus definitions manually, save them to a USB drive, and update from that on your friend's computer with the boot CD.
I do agree with trjam that the best route may be to reformat. I would even go so far as to use Darik's Boot And Nuke (http://www.dban.org/) to wipe that HDD first.
Then you need to teach your friend how to image his system and back up his data on a regular basis. ;)
TheKid7
September 15th, 2009, 08:27 PM
-{ Quote: "I do agree with trjam that the best route may be to reformat. I would even go so far as to use Darik's Boot And Nuke (http://www.dban.org/) to wipe that HDD first." }-
How long does it typically take to "Nuke" a hard drive? I know that it will vary widely depending on the hard drive size and the system. Once I started to Nuke a 60 GB ATA100 hard drive and it looked like the process would take a long time (around a day or so) so I aborted the "Nuke".
Would a simple "zero-write" be sufficient to make sure that Malware is made permanently inoperative? I have done a "zero-write" on a couple of hard drives to see how long the process would take. I think that a 240 GB hard drive "zero-write" took around a couple of hours. I used Terabyte Unlimited's Copy-Wipe bootable CD for the "zero-write" operation.
0strodamus
September 15th, 2009, 10:00 PM
If my memory serves me correctly, the newer version of dban on some SATA 80Gb HDD Pentium 4 systems that I wiped recently took around 3 hours to complete using autonuke.
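An added example, not part of any post in this thread: a way to check that a zero-write covered the whole drive, by scanning a raw image (or device node opened read-only from a live CD) for sectors that are not all zero. The function names, the 512-byte sector size and the sample images are assumptions constructed for illustration.

```python
import io

SECTOR_SIZE = 512  # assumed logical sector size


def scan_for_residue(stream, sector_size=SECTOR_SIZE, chunk_sectors=2048, max_report=8):
    """Read a raw disk image/device stream and report sectors that are not all zero."""
    chunk_size = sector_size * chunk_sectors
    offset = 0
    dirty_count = 0
    dirty_lbas = []
    boot_signature = False
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        if offset == 0 and len(chunk) >= 512:
            # 0x55AA at bytes 510-511 of sector 0 marks a bootable MBR/boot sector.
            boot_signature = chunk[510:512] == b"\x55\xaa"
        if chunk.count(0) != len(chunk):  # fast path skips fully zeroed chunks
            for i in range(0, len(chunk), sector_size):
                if any(chunk[i:i + sector_size]):
                    dirty_count += 1
                    if len(dirty_lbas) < max_report:
                        dirty_lbas.append((offset + i) // sector_size)
        offset += len(chunk)
    return {
        "bytes_scanned": offset,
        "dirty_sectors": dirty_count,
        "first_dirty_lbas": dirty_lbas,
        "boot_signature_present": boot_signature,
        "fully_zeroed": offset > 0 and dirty_count == 0,
    }


def build_sample_images(total_sectors=64, wiped_until=40):
    """Constructed data: a finished zero-write and one aborted at LBA `wiped_until`."""
    size = total_sectors * SECTOR_SIZE
    old = bytearray(b"\xa5" * size)          # stand-in for pre-wipe disk contents
    old[510:512] = b"\x55\xaa"               # old boot sector signature
    complete = bytes(size)
    aborted = bytes(wiped_until * SECTOR_SIZE) + bytes(old[wiped_until * SECTOR_SIZE:])
    return complete, aborted


if __name__ == "__main__":
    complete, aborted = build_sample_images()
    print(scan_for_residue(io.BytesIO(complete)))
    print(scan_for_residue(io.BytesIO(aborted), chunk_sectors=16))
```

Against real hardware, pass a file object opened with `open(path, "rb")` on the raw device from a bootable environment; an aborted wipe shows up as a first dirty LBA well short of the end of the disk.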
Durad
September 15th, 2009, 11:35 PM
You have to update Avira Rescue Disk once you boot from it, there is an update feature because fresh downloads are not updated often.
I use Avira, Dr-Web and VBA32 rescue CD. This usually helps to start Windows and then I run Combofix.exe followed by MalwareBytes (manual update for both, internet disconnected).
When this is done I run HitMan Pro with internet connected.
This removes over 95% of stuff. Then I run renamed HijackThis and inspect each line over at http://www.systemlookup.com/
If I find something new I submit to Avira because they add detection overnight and then I scan PC again to make sure the same files are not used to replace some legitimate programs.
When this is done I then remove junk files, clean registry, do Windows update and reset security related programs and settings. I run GMER to make sure there is nothing new left.
Last step is to immunize your system and then install security programs (antivirus, firewall and antispyware).
Paid ones include: MalwareBytes, AVIRA FREE with max heuristic and SafeStart, new FREE PC Tools firewall.
thathagat
September 15th, 2009, 11:53 PM
Well, this is a good option: http://www.raymond.cc/blog/archives/2009/08/31/integrate-multiple-antivirus-rescue-disk-into-one-single-disc-or-usb-flash-drive-with-sardu/
andyman35
September 16th, 2009, 09:25 AM
IMO the best option is UBCD4Win, it contains numerous AV/AS scanners along with registry tools, mbr utils and a ton of other useful stuff too.
ratchet
September 17th, 2009, 09:15 AM
Does anyone know if I could make my NOD32 SysRescue disk and use that? It does mention that it uses your NOD username and license which it would not find/see on his system.
ASpace
September 17th, 2009, 10:06 AM
-{ Quote: "Does anyone know if I could make my NOD32 SysRescue disk and use that? It does mention that it uses your NOD username and license which it would not find/see on his system." }-
Hi!
It is not necessary to make ESET SysRescue CD, although you can. It would be much faster to make BartPE CD (http://www.nu2.nu/pebuilder/). Note - while making this bootable CD, simply copy the ESET NOD32 AV folder (X:\Program files\ESET\ESET NOD32 Antivirus). This folder includes ESET Command line scanner and ESET signatures.
Then, when you boot from the BartPE disk, go to Start, find the programs and run CMD (Command Prompt).
From the main directory, simply type ecls.exe /auto and press [ENTER]. This would run ESET Command line scanner with updated definitions and would clean and remove whatever NOD32 finds.
If the OS can then boot, you are fine. If not, you could perform Windows Repair Install.
dschrader
September 17th, 2009, 01:49 PM
The Norton rescue disk works well - (of course I work for Symantec so I would say that). But really, I used it on a friend's PC the other day. The installation disk is a self-booting rescue disk - it even found the internet connection and updated its scanner before it ran. Of course you have to buy the software to get an activation code to run it. But that may be worth it if it allows you to avoid nuking the HD.
YeOldeStonecat
September 17th, 2009, 08:45 PM
-{ Quote: " what other tools can I help him with? Thank You!" }-
Remove his hard drive, slave it to a healthy PC that's fully updated. Install/update several malware removal tools such as MalwareBytes and Microsoft Security Essentials... scan and clean.
Technical
September 21st, 2009, 09:33 PM
My suggestions. Read the instructions, download and burn (maybe from another computer), finally use one of these rescue CDs:
1. Dr. Web (http://www.freedrweb.com/livecd/?lng=en)
2. Avira (http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html)
3. BitDefender (http://download.bitdefender.com/rescue_cd/)
4. Kaspersky (http://dnl-eu10.kaspersky-labs.com/devbuilds/RescueDisk/)
5. F-Secure (http://www.raymond.cc/blog/archives/2008/07/26/free-f-secure-rescue-cd-300-to-clean-virus-from-unbootable-windows/)
Copyright ©2002 - 2012, Wilders Security Forums