A Computer Recovery Walkthrough With Free Trinity Rescue Kit

Popular guest writer Mark Schneider, walks you through a computer recovery operation using the Trinity Rescue Kit, which, as he puts it, “saved my bacon”.

Today, I was doing a little maintenance on my daughters Gateway laptop, uninstalling one anti-spyware program, and upgrading another to real-time protection. It seemed to go fine – I ran the Uninstall from Programs and Features in Vista, and enabled the full time protection in Malwarebytes, with the registration codes and rebooted.

When the computer shut down, I noticed it installing several updates. I didn’t think much of it at the time but when the machine restarted, the brown stuff hit the fan. I didn’t have any mouse! Even the Track pad was totally unresponsive. So, I plugged in a old USB trackball mouse, success!

I then clicked on the admin account I keep on the machine and went to type my password – nope, the keyboard didn’t work either. So I rebooted after plugging in my USB keyboard. Windows went through its usual routine and told me the keyboard had installed and was ready to use, except, it wasn’t. It wouldn’t work at all.

Basically, I was hosed! I couldn’t run the device manager from the limited account, or do a system restore. I had to get into the admin account, or I was stuck.

So I did what any red-blooded geek would do, I Googled “resetting a password in Vista”. I came up with usual Microsoft solution, you know the one where you use the password reset CD you made when you set up the computer, yep that one, the one no one ever makes!

Fortunately for me, I also found a reference to TRK or the Trinity Rescue Kit. TRK is a Linux based bootable CD, that can be used for resetting passwords, recovering files and a few other things relating to Windows calamities.

Publisher’s description: Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.

Once the CD booted normally, I typed in “winkey u admin” – this started TRK searching, and mounting all the files in the system. I choose “Enter” in the next dialog, and then typed an “*” confirmed this with a “y”, and this created a new administrator account with no password.

I was able to log into the Administrator account and then began the next phase of fixing the corrupted drivers. This took a little longer than I anticipated. I tried deleting the Track pad and keyboard in Device Manager , both had the little caution signs next to them indicating a damaged or corrupted driver; rebooted but this didn’t work.

I finally resolved the problem by using a restore point. Fortunately, you can get there with just a few clicks of the mouse. So I got lucky; the USB mouse worked, and the TRK worked after some trial and error.

Get the Trinity Rescue Kit here. I recommend it for your toolkit, it definitely saved my bacon.

Fast facts:

TRK is a complete command line based distribution, apart from a few tools like qtparted, links, partition image and midnight commander.

Full read/write and rpm support (since build 333)

Easily reset windows passwords (backup and restore option)

Four different virus scan products integrated in a single uniform command line with online update capability

Full ntfs write support thanks to ntfs-3g (all other drivers included as well)

Clone NTFS file systems over the network

Wide range of hardware support (kernel 2.6.39.3 and recent kudzu hwdata)

Easy script to find all local file systems

Self update capability to include and update all virus scanners

Full proxy server support

Run a samba fileserver (windows like file sharing)

Run an ssh server

Recovery and un-deletion of files with utilities and procedures

Recovery of lost partitions

Evacuation of dying disks

UTF-8 international character support

Powerful multicast disk cloning utility for any file system

Two rootkit detection utilities

Elaborate documentation

It is possible to boot TRK in three different ways:

As a bootable CD which you can burn yourself from a downloadable iso file.

From a USB stick/disk (optionally also a fixed disk), installable from Windows, or from the bootable TRK CD.

From network over PXE, which requires some modifications on your local network (version 3.2). Has the ability to act as a network boot server itself, without any modifications to your local network.

Trinity Rescue Kit is now in Version 3.4, and is better than ever before.

Getting started with TRK.

Download at: Developer’s site.

This is a guest post by Mark Schneider of the Techwalker Blog, who brings a background as a high level techie, to the blogging world. Why not pay a visit to Mark’s site today.

This article was originally posted here on March 11, 2010.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

A Lesson In Malware Removal Using Kaspersky Rescue Disk

This past Sunday, I posted an article on the benefits of regular scanning with a “live CD” – Stay Malware Free (Hopefully!) – Scan With A “Live CD” Regularly. Which, reminded me of an excellent article (previously posted here), by my good buddy and fellow blogger, Mark Schneider, on working with Kaspersky Rescue Disk to eradicate malware.

There are some great pointers here, and I encourage you to re-read this terrific article. It’s well worth a re-read.

 

You find your computer getting slower and slower to boot, and when it finally does boot it’s so slow everything runs at a crawl. So you try running the antivirus you have and just get a message that says the definitions are out of date and you can’t connect to the update server.

Or you may find an annoying pop-up coming up every time you boot telling you PC Antivirus has found 70,278 infections and for $49.99 they will remove them for you. Well my friend, you are hosed! Your machine is so badly infected that you have to try desperate measures.

At this point you can try pulling your hard drive out of the machine and putting it in another mounting it as a slave, and using your other machine to try to clean it.

Another way to get this thing up and running is to try some kind of bootable rescue disk to clean it. Bootable rescue disks are bootable CD’s/DVD’s that contain small operating systems, with some preinstalled tools contained for repairing your computer.

When you turn on your computer hit F10 or F12, select your CD/DVD drive and your computer boots into an operating system contained on that CD. There are a lot of great rescue disks out there, the problem is most are very complicated, and some take forever to boot.

I found one great exception to this though. Kaspersky Labs, creator of the very capable Kaspersky Antivirus line of products has built a great free bootable rescue CD that is simple to use.

Unlike many other bootable rescue disks it has one purpose, to clean your system. To create a Kaspersky Rescue Disk, download the ISO image from this link , then burn the image to a CD.

Depending on what operating system you are using you may need to download a CD burning program if you don’t already have one. If you are running Windows 7 it has a built in, burning program that’s simple to use and works great. If you are running XP or Vista, I like Image Burn, or CD BurnerXP – both do a great job of burning .ISO images, and are free.

Once you have your rescue CD built, start your infected machine pushing F12/F10 to get it to the boot selection screen. Boot to the CD Rom drive as I stated earlier and relax, although faster than most rescue disks it’s hardly fast.

Follow the prompts and when it boots into the Kaspersky Rescue system you first need to update the virus definitions. Once updated do a scan, and go read the newspaper or get some coffee, it takes a while.

Once it completes the scan go ahead and let it remove or quarantine all the files it has found. I’ve never had it delete anything that caused the machine it was fixing not to boot. But of course before you do anything like this, BACK UP YOUR DATA!!!!! But you already did that so proceed.

Do the scan, remove the junk and log off Kaspersky. Just turning off your computer with the power button won’t hurt anything when you are running a rescue CD.

The reason rescue CD’s are so effective is, you’re not trying to disinfect a computer with an infected OS. When you boot to the hard drive of an infected machine, you’re playing on the bad guy’s home turf. They control the machine and in many cases they’ve hidden the infected files so your antivirus can’t see them.

There are other rescue disks out there and many are very complicated and take a very long time. The Kaspersky Rescue Disk is the fastest and easiest I’ve found to clean an infected machine enough to allow me to boot back into Windows and complete the process by adding my favorite automated antimalware tools to keep the system clean going forward.

Note: Kaspersky Rescue Disk 10 can be run from a USB device.

This is a guest post by Mark Schneider of the Techwalker Blog, who brings a background as a high level techie, to the blogging world.

Why not pay a visit to Mark’s site today.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Principles of Security: Keeping it Simple

Popular guest writer Mark Schneider looks at how to increase system security by focusing on core applications.

Computing on the Windows platform today can be very rewarding. The problem with Windows applications is, as Microsoft has made improvements in patching security holes in Windows, the Black Hat hackers have begun to focus on third party applications to exploit the Windows platform.

Recent highly publicized exploits on the Adobe Acrobat PDF reader, have been just the tip of the iceberg. According to Secunia, creators of PSI a security tool which scans your PC  for out of date software, half their users had 66 or more programs on their PC’s.

Once all the programs and required patches were tabulated, it totaled over “75 patch incidents annually”, per average PC. That averages out to a patch every 4.9 days.” (Source InfoWorld Security Central)

This state of affairs obviously puts the average user at risk. Most people do well just to keep their Windows OS patched, much less check more than once a week for patches to their other applications.

This leads to the crux of my point, keep it simple. Don’t download every application you see, or hear about. Pick a core of useful applications that allow you to use your computer in the way you need to, and stop!

Your computer is a serious tool that can be very useful, so treat it seriously. You can still have fun with your computer, but you don’t need 5 different media players –  choose one, and stick with it. If you find one you prefer uninstall the old one first.

Many people use old out of date programs because they don’t like the “feature creep” of newer applications. This is a mistake; keep what programs you have up to date. This is especially true with PDF readers, browsers, email clients, and media players. Keeping your flash player up to date is extremely important. Adobe Flash is a major exploit vector, and I frequently run with it disabled.

Trying new applications can be fun and rewarding but, the best way to try new applications is in a virtual machine. Using a program like Virtual Box from Oracle Systems, is a great way to safely try new applications without committing yourself to a new program, or loading your Hard Drive with a ton of unnecessary applications that need to be constantly updated.

Finally, run Secunia’s free PSI. It will help you keep your applications up to date, and add another layer of security to your computer.

This is a guest post by Mark Schneider of the Techwalker Blog, who brings a background as a high level techie, to the blogging world.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Another Day in the Trenches: Killing XP Antivirus 2010

Popular guest writer Mark Schneider, walks you through a computer recovery operation, following an infection by a rogue security program, XP Antivirus.

I hate rogue antivirus programs. They seem to be getting more numerous and harder to get rid of all the time. Case in point: At work, I noticed a shared computer suddenly popped up a Window announcing it was doing a scan, and that I was infected with over 4,000 Trojans and other forms of malware.

Nice try I thought, so I used Control Alt Delete to start task manager, and I closed Internet Explorer and all running processes involved. Fortunately, it was a limited user account that was infected, and that turned out to be a important factor in removing it.

I immediately ran Malwarebytes from that user and found a number of infections including the rogue antivirus product I was afflicted with. These cretins that come up with this crap can’t even come up with something creative – we’ve seen XP Antivirus for a few years now; each year they just tack on a year to make it look current.

Sad thing is, I’m sure somewhere out there is someone who renews this crap every year. Imagine paying yearly to be infected – oh right, we already do that it’s called McAfee, but don’t get me started.

Well back to the task at hand: I rebooted the machine and logged into an administrator account, updated Malwarebytes and ran it again… and found more junk, actually the same junk. Malwarebytes found it, but could not kill it.

Next, I downloaded Superantispyware, a great application that I always run at home but it wasn’t on the work machine. The first thing I do now after I download a anti-malware application is rename the installer. I do this because I often find the malware knows how to prevent anti-malware from installing – these guys aren’t creative, but they’re getting smarter.

To rename a file, right click on the file and select rename and type anything.exe and install the program. Superantispyware did its thing and found a ton of additional files. I removed the infected files and rebooted again, and ran both my programs again. I still found junk!

I repeated the sequence two more times until nothing was found. I then ran a scan in all user accounts to confirm “the kill”. So far so good, until I went into the user account where the infection had started, now whenever I tried to launch any program from the desktop I’d get the “Choose what Program you want to use to Open this File” message. This means I had to fix file associations and a great site with XP file association fixes is here. I used the .exe file association fix and it worked great.

The last thing I did was to run Process Explorer, and Autoruns from Syinternals. These utilities give a great in-depth look at what is currently running and starting on your machine at boot-up. Finding nothing suspicious I deemed the computer clean, for now.

So a few lessons I learned on this one: Don’t use IE – this was caused by a flaw in Internet Explorer I believed it was just fixed this week. Second, running as a limited user is still far safer than running as an administrator, even though its trivial to elevate to administrator level, most malware seldom does, and this makes cleaning an infected PC much easier.

Next, running your cleanup tools multiple times and rebooting after each scan is the only way to give the anti-malware tools a chance against the bad guys.

This is a guest post by Mark Schneider of the Techwalker Blog, who brings a background as a high level techie, to the blogging world.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Trinity Rescue Kit – Recovery From a Windows Calamity

Popular guest writer Mark Schneider, walks you through a computer recovery operation using the Trinity Rescue Kit, which, as he puts it, “saved my bacon”.

Today, I was doing a little maintenance on my daughters Gateway laptop, uninstalling one anti-spyware program, and upgrading another to real-time protection. It seemed to go fine – I ran the Uninstall from Programs and Features in Vista, and enabled the full time protection in Malwarebytes, with the registration codes and rebooted.

When the computer shut down, I noticed it installing several updates. I didn’t think much of it at the time but when the machine restarted, the brown stuff hit the fan. I didn’t have any mouse! Even the Track pad was totally unresponsive. So, I plugged in a old USB trackball mouse, success!

I then clicked on the admin account I keep on the machine and went to type my password – nope, the keyboard didn’t work either. So I rebooted after plugging in my USB keyboard. Windows went through its usual routine and told me the keyboard had installed and was ready to use, except, it wasn’t. It wouldn’t work at all.

Basically, I was hosed! I couldn’t run the device manager from the limited account, or do a system restore. I had to get into the admin account, or I was stuck.

So I did what any red-blooded geek would do, I Googled “resetting a password in Vista”. I came up with usual Microsoft solution, you know the one where you use the password reset CD you made when you set up the computer, yep that one, the one no one ever makes!

Fortunately for me, I also found a reference to TRK or the Trinity Rescue Kit. TRK is a Linux based bootable CD, that can be used for resetting passwords, recovering files and a few other things relating to Windows calamities.

Publisher’s description: Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.

Once the CD booted normally, I typed in “winkey u admin” – this started TRK searching, and mounting all the files in the system. I choose “Enter” in the next dialog, and then typed an “*” confirmed this with a “y”, and this created a new administrator account with no password.

I was able to log into the Administrator account and then began the next phase of fixing the corrupted drivers. This took a little longer than I anticipated. I tried deleting the Track pad and keyboard in Device Manager , both had the little caution signs next to them indicating a damaged or corrupted driver; rebooted but this didn’t work.

I finally resolved the problem by using a restore point. Fortunately, you can get there with just a few clicks of the mouse. So I got lucky; the USB mouse worked, and the TRK worked after some trial and error.

Get the Trinity Rescue Kit here. I recommend it for your toolkit, it definitely saved my bacon.

Fast facts:

TRK is a complete command line based distribution, apart from a few tools like qtparted, links, partition image and midnight commander.

Here ‘s a sum up of some of the most important features, new and old:

Full read/write and rpm support (since build 333)

Easily reset windows passwords (backup and restore option in 3.3)

Four different virus scan products integrated in a single uniform command line with online update capability (5 in version 3.3)

Full ntfs write support thanks to ntfs-3g (all other drivers included as well)

Clone NTFS file systems over the network

Wide range of hardware support (kernel 2.6.39.3 and recent kudzu hwdata)

Easy script to find all local file systems

Self update capability to include and update all virus scanners

Full proxy server support

Run a samba fileserver (windows like file sharing)

Run an ssh server

Recovery and un-deletion of files with utilities and procedures

Recovery of lost partitions

Evacuation of dying disks

UTF-8 international character support

Powerful multicast disk cloning utility for any file system

Two rootkit detection utilities (version 3.3)

Elaborate documentation

It is possible to boot TRK in three different ways:

As a bootable CD which you can burn yourself from a downloadable iso file.

From a USB stick/disk (optionally also a fixed disk), installable from Windows or from the bootable TRK CD.

From network over PXE, which requires some modifications on your local network (version 3.2). Version 3.3 has the ability to act as a network boot server itself, without any modifications to your local network.

Although version 3.3 is still beta, it is recommended that you download this version, as most features which were included in version 3.2 are still running just fine (and are more up-to-date) and the new stuff is presumed to be running fine too.

Download at: Developer’s site.

This is a guest post by Mark Schneider of the Techwalker Blog, who brings a background as a high level techie, to the blogging world.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Kaspersky Rescue Disk – The Ultimate Malware Solution?

Guest writer Mark Schneider gives you some very important pointers on how to kill malware dead, with a great free tool – Kaspersky Rescue Disk.

You find your computer getting slower and slower to boot, and when it finally does boot it’s so slow everything runs at a crawl. So you try running the antivirus you have and just get a message that says the definitions are out of date and you can’t connect to the update server.

Or you may find an annoying pop-up coming up every time you boot telling you PC Antivirus has found 70,278 infections and for $49.99 they will remove them for you. Well my friend, you are hosed! Your machine is so badly infected that you have to try desperate measures.

At this point you can try pulling your hard drive out of the machine and putting it in another mounting it as a slave, and using your other machine to try to clean it.

Another way to get this thing up and running is to try some kind of bootable rescue disk to clean it. Bootable rescue disks are bootable CD’s/DVD’s that contain small operating systems, with some preinstalled tools contained for repairing your computer.

When you turn on your computer hit F10 or F12, select your CD/DVD drive and your computer boots into an operating system contained on that CD. There are a lot of great rescue disks out there, the problem is most are very complicated, and some take forever to boot.

I found one great exception to this though. Kaspersky Labs, creator of the very capable Kaspersky Antivirus line of products has built a great free bootable rescue CD that is simple to use.

Unlike many other bootable rescue disks it has one purpose, to clean your system. To create a Kaspersky Rescue Disk, download the ISO image from this link , then burn the image to a CD.

Depending on what operating system you are using you may need to download a CD burning program if you don’t already have one. If you are running Windows 7 it has a built in, burning program that’s simple to use and works great. If you are running XP or Vista, I like Image Burn, or CD BurnerXP – both do a great job of burning .ISO images, and are free.

Once you have your rescue CD built, start your infected machine pushing F12/F10 to get it to the boot selection screen. Boot to the CD Rom drive as I stated earlier and relax, although faster than most rescue disks it’s hardly fast.

Follow the prompts and when it boots into the Kaspersky Rescue system you first need to update the virus definitions. Once updated do a scan, and go read the newspaper or get some coffee, it takes a while.

Once it completes the scan go ahead and let it remove or quarantine all the files it has found. I’ve never had it delete anything that caused the machine it was fixing not to boot. But of course before you do anything like this, BACK UP YOUR DATA!!!!! But you already did that so proceed.

Do the scan, remove the junk and log off Kaspersky. Just turning off your computer with the power button won’t hurt anything when you are running a rescue CD.

The reason rescue CD’s are so effective is, you’re not trying to disinfect a computer with an infected OS. When you boot to the hard drive of an infected machine, you’re playing on the bad guy’s home turf. They control the machine and in many cases they’ve hidden the infected files so your antivirus can’t see them.

The rescue CD can scan your boot sector, and you hard drives from the outside looking in. The malware doesn’t have a chance to hide if it’s not running. It’s become the first step I now use when I’m dealing with an infected machine.

There are other rescue disks out there and many are very complicated and take a very long time. The Kaspersky Rescue Disk is the fastest and easiest I’ve found to clean an infected machine enough to allow me to boot back into Windows and complete the process by adding my favorite automated antimalware tools to keep the system clean going forward.

This is a guest post by Mark Schneider of the Techwalker Blog, who brings a background as a high level techie, to the blogging world.

Why not pay a visit to Mark’s site today.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.