Linux Rescue CD: a help or a hindrance?

Detecting and removing malware without entering Windows, using a bootable Linux Rescue CD: it sounds like something that can make life a lot easier for anyone who needs to remove malware. The idea behind it? Scan your computer without booting into Windows, which comes in handy when malware is actively preventing removal (for example by blocking the tools you try to run, or by refusing to be deleted easily). It is also offered as an option to scan and clean a system that will no longer boot into Windows at all.

In theory that all sounds nice enough; in practice, however, there are a few serious complications. A Rescue CD is based on the (open source) Linux operating system kernel. That also leads to the first problem: a Linux OS can mount an NTFS partition (the file system Windows uses) just fine. However, it can't load the Windows Registry as easily. There are some Linux-based tools that can be used to access and modify the registry manually, but the registry cannot be loaded from the mounted partition the way a scan would require. This means that the Antivirus or Antispyware scanner included on the rescue CD will scan the file system, but not the registry.

Many types of malware use the registry in order to launch. For example, a Run value that points to baddie.exe will load baddie.exe as soon as Windows has started and the user has logged on. Both the file and the Run value that loads it are bad and need to go. However, the rescue CD scanner will only detect and delete the file. So, on the next reboot Windows will still attempt to load baddie.exe but will no longer be able to find it. This will usually not cause a problem when it concerns a Run value (in the worst case the user of the computer will get an annoying error pop-up on each boot), but it may have much graver consequences when it concerns other registry locations.

A classic example is the Userinit value. Some (older) infections add(ed) a file to that value, resulting in the so-called logon-logoff loop if the file is removed without adjusting the value correctly. While it is not impossible to recover such a computer, it isn't exactly simple either.

Another, more current example is ransomware, which commonly hijacks the Shell value in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key (or its equivalent in the user hive) so that Windows executes the file loading the ransom screen instead of the Windows desktop (see also the image). If a scanner deletes this file without adequately adjusting the Shell value data, the computer will no longer load the desktop and will just show an empty screen with only the wallpaper. An added complication is that ransomware often adjusts machine policies to disable the Task Manager, thus preventing a user from quickly launching a program or accessing files. Luckily, more and more Windows computers nowadays have the Recovery Environment pre-installed, which makes recovering from this problem and others a lot simpler.
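The Run, Userinit and Shell cases above share one failure mode: the scanner removes the file, the registry value that launches it survives, and Windows later tries to start something that is gone. The following script is an added example (not an Emsisoft tool) of the check a practitioner would run from the rescue environment before rebooting. It assumes the Winlogon and Run keys have been exported from the offline SOFTWARE hive into a .reg file in regedit syntax, and that the Windows partition is mounted somewhere like /mnt/windows. The .reg text and the file list standing in for the mounted volume are constructed for the example, and the safe defaults are the stock Windows values for those two Winlogon entries.

```python
"""Report launch values whose target file no longer exists on the mounted volume.

Added example, not Emsisoft's own tool. The sample .reg export and the file
list below are constructed to mimic a system where the scanner has already
deleted the malware files but left the registry values behind.
"""
import re

# Stock Windows values to restore when a Winlogon entry points at a deleted file.
# Userinit keeps its trailing comma; Shell is a bare name resolved via the Windows dir.
SAFE_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": "C:\\Windows\\system32\\userinit.exe,",
}

# "Name"=<data> or @=<data>; names may contain escaped quotes.
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def unescape(s: str) -> str:
    # Undo .reg escaping: a doubled backslash and an escaped double quote.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: data}} for string (REG_SZ) values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) is None else unescape(m.group(1))
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):   # dword:/hex: data is skipped
            keys[current][name] = unescape(data[1:-1])
    return keys


def executable_of(command: str) -> str:
    """Program part of a command line: a quoted path, else the text before the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def to_volume_path(win_path: str) -> str:
    # Drop the drive letter, flip the slashes and lower-case (NTFS names are case-insensitive).
    if len(win_path) >= 2 and win_path[1] == ":":
        win_path = win_path[2:]
    return win_path.replace("\\", "/").strip("/").lower()


def target_exists(win_path: str, present: set) -> bool:
    rel = to_volume_path(win_path)
    if "/" not in rel:   # bare name: Winlogon resolves it from the Windows directory
        return any(f"{d}/{rel}" in present for d in ("windows", "windows/system32"))
    return rel in present


def find_dangling(keys: dict, present: set) -> list:
    """(value name, missing target, safe default or None) for every broken launch value."""
    findings = []
    for key, values in keys.items():
        if key.lower().endswith("\\winlogon"):
            for name in ("Shell", "Userinit"):
                for cmd in values.get(name, "").split(","):
                    exe = executable_of(cmd)
                    if exe and not target_exists(exe, present):
                        findings.append((name, exe, SAFE_DEFAULTS[name]))
        elif key.lower().endswith("\\run"):
            for name, data in values.items():
                exe = executable_of(data)
                if exe and not target_exists(exe, present):
                    findings.append((name, exe, None))   # a Run entry can simply be removed
    return findings


# Constructed sample export: lock.exe and baddie.exe were deleted by the scanner.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\ProgramData\\lock.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\baddie.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\Public\\baddie.exe\" /silent"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"""

# Constructed stand-in for the mounted volume; on a real rescue system build this
# set with os.walk("/mnt/windows"), storing lower-cased paths relative to the mount.
MOUNTED_FILES = {
    "windows/explorer.exe",
    "windows/system32/userinit.exe",
    "windows/system32/securityhealthsystray.exe",
}

if __name__ == "__main__":
    for name, exe, default in find_dangling(parse_reg(SAMPLE_REG), MOUNTED_FILES):
        fix = f"restore to {default!r}" if default else "delete the value"
        print(f"{name}: target {exe} is missing -> {fix}")
```

Run against the constructed data it reports the hijacked Shell, the extra Userinit entry and the orphaned Run value, each with the fix that keeps the next boot from ending in a blank desktop or a logon loop. The parser only understands string values, which is all the launch values discussed here use; values with command lines containing unquoted paths with spaces would need a smarter split than the first-space rule.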

Another issue you need to be aware of when scanning with a Rescue CD is the fact that any file can be deleted, even critical Windows system files. Normally Windows Resource Protection will (attempt to) prevent the deletion of such files and/or replace them immediately upon removal. In case a system file has become infected, it will need to be identified and replaced. Deletion will in many cases lead to an unbootable or unusable system.

There are many examples; to pick one at random: if the ZeroAccess rootkit infects services.exe (a critical file required for starting Windows services) and this file is deleted using a rescue CD, the user of the computer will no longer be able to start Windows; in most cases the screen will stay black after the Windows splash screen disappears.


Does that mean a rescue CD is totally useless when it comes to malware removal? We don't think so; you can still use it to diagnose and identify the malware you are dealing with. To stick with the services.exe example, if a scanner detects it as being infected, you can then replace it manually using the rescue CD (browse to a clean copy and use that to replace the infected file).
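A manual replacement from the rescue CD has two things the scanner's delete does not: the infected copy is kept rather than destroyed, and the clean copy is checked before it goes in. The script below is an added example of that procedure, not an Emsisoft tool. It assumes the Windows partition is mounted read-write at a path like /mnt/windows (for instance via ntfs-3g), that the operator has a clean copy of the file and its SHA-256 from a trusted source (the same Windows build on another machine, or installation media), and that the path is given with the letter case the volume actually uses. The demo() function builds a throwaway fake volume in a temporary directory so the whole thing runs offline; in that demo the reference hash is taken from the clean copy itself, which is a shortcut for the example only.

```python
"""Replace a detected Windows system file on a mounted volume without deleting it.

Added example, not Emsisoft's tool. The suspect file is moved to a quarantine
directory, so it can still be analysed and put back if the replacement turns
out to be wrong, and the clean copy is only installed if it matches the hash
the operator obtained out of band.
"""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def replace_system_file(mount: Path, rel_path: str, clean_copy: Path,
                        expected_sha256: str, quarantine: Path) -> dict:
    """Swap mount/rel_path for clean_copy; raise ValueError if the copy is not the expected one."""
    if sha256_of(clean_copy).lower() != expected_sha256.lower():
        raise ValueError("clean copy does not match the expected SHA-256; refusing to install it")

    target = mount / rel_path
    quarantine.mkdir(parents=True, exist_ok=True)
    backup = quarantine / f"{target.name}.{time.strftime('%Y%m%d-%H%M%S')}.quarantined"

    result = {"target": str(target), "quarantined": None, "installed_sha256": None}
    if target.exists():
        # Keep the infected file for analysis instead of destroying the evidence.
        shutil.move(str(target), str(backup))
        result["quarantined"] = str(backup)
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(str(clean_copy), str(target))
    result["installed_sha256"] = sha256_of(target)   # read back what actually landed on disk
    return result


def demo() -> dict:
    """Run the procedure against a constructed fake volume in a temp directory."""
    root = Path(tempfile.mkdtemp())
    mount = root / "mnt" / "windows"
    suspect = mount / "Windows" / "System32" / "services.exe"
    suspect.parent.mkdir(parents=True)
    suspect.write_bytes(b"CONSTRUCTED: stand-in for an infected services.exe")
    clean = root / "clean" / "services.exe"
    clean.parent.mkdir()
    clean.write_bytes(b"CONSTRUCTED: stand-in for a clean services.exe")
    # Demo shortcut: in real use this hash comes from the trusted source, not the copy.
    good_hash = sha256_of(clean)
    rel = "Windows/System32/services.exe"

    try:   # a wrong reference hash must stop the replacement before anything is touched
        replace_system_file(mount, rel, clean, "0" * 64, root / "quarantine")
        rejected = False
    except ValueError:
        rejected = True

    outcome = replace_system_file(mount, rel, clean, good_hash, root / "quarantine")
    outcome["rejected_bad_hash"] = rejected
    outcome["clean_sha256"] = good_hash
    outcome["target_now_clean"] = suspect.read_bytes() == clean.read_bytes()
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The quarantine copy is what lets you reverse the step if the detection turns out to be a false positive, which is exactly the situation a delete-on-sight scan leaves you no way out of.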

Our advice: if you want to use it, use it wisely and don't let it delete files; rather, investigate what is being detected and prepare a manual fix based on that. If you are not sure how to do that, then we recommend looking for help, as doing it yourself may very well worsen the state of your computer. Our experts in the "Help, my PC is infected!" Emsisoft Forum are always ready and willing to help you. The removal service is absolutely free even if you are not an Emsisoft customer yet.