Before we start, a little scenario description first. You walk into the house and you see a sad look on the faces of your wife & kid, who tell you that the computer “got crashed”. They tell you that the Windows XP desktop they’ve been using got infected by some virus and it started showing a blue screen and crazy popups, and finally died. It all happened just because they clicked on some link that came in an email. Yes, I had some anti-virus on that machine, but obviously it didn’t help much. Then the next thing that comes to your mind is: either you deal with it (probably spending hours trying to fix it, if that is even possible) or you throw it out the window. Is it called throwing Windows out the window?
Anyways, although I use Ubuntu as my personal/home-office desktop & server, I do have Windows XP machines on my home-office network for my family’s needs. I have dealt with blue screens on Windows machines numerous times before, but it was usually because the OS was corrupted or due to some hardware failure (drives, drivers etc.). This was the first time I came across a blue screen due to some infestation (spyware, virus etc.).
OK, what next? I didn’t want to give up. I said to myself, let’s just fight this and see what comes out of it. One good thing was that I was able to start the machine and get into Windows XP. But once you are there, you see all kinds of popups, blue screens, notification windows etc. The spyware/virus infection was so bad it wouldn’t even let you open Task Manager or any other diagnostic tool. It locked up the system completely and there was not much I could do inside Windows XP. So, I realized I should deal with this “outside the box”.
My initial thought was to find out whether there are any virus/spyware removal tools which I could boot from and use to remove the virus that way. After doing some research, I came across one such spyware removal tool which came with a boot-up disk. I tried that and it didn’t work. So, what’s my next option?
After stumbling around online & Google land for a while, it turned out the solution I was looking for was not very far from where I was sitting. I could see an Ubuntu Live CD peeping out at me from the stack of CDs on my desk. So, I asked myself, why don’t I use this Live CD to boot up the machine?
I was able to boot up the machine with the Ubuntu Live CD. Once I was there, I could see the hard drive (C:\) containing the Windows XP operating system mounted automatically. I could access all the files inside the “C” drive. So, the first thing I wanted to do was back up as much as possible, and I recovered all the files I needed first.
Then what? How would I sanitize the Windows XP OS now? Just like any sincere Linux geek would think, I turned to the command line for the rescue. I ran a find command on the hard drive looking for files that were modified in the past 24 hours. That would give me enough of a footprint on that machine to show what exactly had happened.
find . -type f -mtime -1 -print
Once I ran that command, my target was right in front of my eyes. The top results were some folders with some .exe files. I know for sure I didn’t install them. So, I deleted those files & folders first. And then there were 3 files which I found very interesting. The first two were Pagefile.sys and Hiberfil.sys. We didn’t run any heavyweight software on that machine, so a page file doesn’t make much sense, and we never ever hibernated that machine, so hiberfil.sys is not relevant either. I deleted those 2 files. The third file, which kind of made me laugh, was something named 1231232.png in the root of the C drive; when I opened it, it was nothing but what I had seen as the blue screen. So basically the blue screen was just a simulation, not the real thing.
After cleaning up all those files manually, I booted into the Windows XP OS and the machine was just the way it was before. This technique is not limited to dealing with virus/malware/spyware infected Windows XP systems; it can also be used for troubleshooting a corrupted OS, hard drive failures, hardware issues etc.
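As an added example of the live-CD triage described above (these are not the post’s own commands), the POSIX shell script below builds on the same find idea: it lists files modified in the last N days under the mounted volume, skips pagefile.sys and hiberfil.sys, flags recent files that look like executables or sit in a Temp folder, and copies those into a quarantine folder with a sha256 of each before anything is deleted. The mount point is passed in as an argument, and the directory layout the script builds is constructed purely for the demonstration.

```shell
#!/bin/sh
# Added example (not the post's own commands): triage a Windows volume mounted
# from a live CD. List files changed in the last N days, skip the paging and
# hibernation files, flag likely executables, copy them aside with a hash.
# Nothing is deleted from the volume; all names below are made up for the demo.

# recent_files MOUNT [DAYS]: regular files under MOUNT modified within the last
# DAYS days (default 1), sorted, one path per line. The paging and hibernation
# files change on every boot, so they are excluded up front.
recent_files() {
    find "$1" -type f -mtime "-${2:-1}" \
        ! -iname pagefile.sys ! -iname hiberfil.sys -print | sort
}

# suspect_files MOUNT [DAYS]: the subset of recent_files with a Windows
# executable or script extension, or located under a Temp directory.
suspect_files() {
    recent_files "$1" "${2:-1}" |
        grep -iE '\.(exe|dll|scr|com|bat|cmd|pif|vbs)$|/temp/'
}

# quarantine_files MOUNT DEST [DAYS]: copy each suspect file into DEST, keeping
# its path relative to MOUNT, and append a sha256 line per file to
# DEST/hashes.txt. Prints the number of files hashed.
quarantine_files() {
    mnt="$1"; dest="$2"; mkdir -p "$dest"
    suspect_files "$mnt" "${3:-1}" | while IFS= read -r f; do
        rel="${f#"$mnt"/}"
        mkdir -p "$dest/$(dirname "$rel")"
        cp -p "$f" "$dest/$rel"
        sha256sum "$f" 2>/dev/null || shasum -a 256 "$f"
    done >> "$dest/hashes.txt"
    wc -l < "$dest/hashes.txt" | tr -d ' '
}

# make_sample_tree: a constructed stand-in for a mounted C: drive, so the
# functions can be exercised without an infected disk. Prints its path.
make_sample_tree() {
    d=$(mktemp -d); u="$d/Documents and Settings/user"
    mkdir -p "$d/WINDOWS/system32" "$u/Local Settings/Temp/abc123" "$u/My Documents"
    for f in "$d/WINDOWS/system32/kernel32.dll" "$u/My Documents/old_report.doc"; do
        : > "$f"; touch -t 200901010000 "$f"      # old, untouched by the infection
    done
    for f in "$d/pagefile.sys" "$d/hiberfil.sys" "$d/1231232.png" \
             "$u/My Documents/notes.txt" "$u/Local Settings/Temp/abc123/update.exe"; do
        : > "$f"                                  # modified "today"
    done
    printf '%s\n' "$d"
}
```

On a real volume, run `recent_files /media/disk` (or wherever the live CD mounted the drive) and review the list before deciding what to quarantine or remove.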
Thoughts, comments, questions?