Home for the holidays, can you look at my laptop? (Part 1 – Linux saves the day)

One of the great joys a family has when a member works in IT is onsite technical support when we all get together.

The Victim

Part 1 is pop’s laptop, which picked up a nasty malware bug somewhere.  Probably one of the hundreds of funny videos he gets sent by all his buddies.  Despite AVG and Windows Defender, something got in there and screwed up the userinit.exe.  We could get to the welcome screen, but as soon as you clicked the username, you’d be immediately logged out.

The Scan

I found a great list of free bootable rescue CDs, and downloaded and ran the offering from f-secure.  The f-secure disk boots into a network enabled Knoppix environment, and you can grab the latest definitions file via network or onto a USB key, which I did, and the software located it automatically.

The scan found and quarantined one infected file, and a couple of previously infected versions in the system restore archives.  It was the userinit.exe, so now the task becomes replacing it.

The (failed) System Recovery

HP/Compaq doesn’t ship recovery disks anymore.  Instead, the recovery is located on a secure partition you boot into.  This is important to know, because if I had known this at first, pop’s laptop would have been fixed a week ago when he UPS’d it to me.  After running the online recovery, I was still unable to log in to Windows.  This meant we had to use the destructive restore.

The Data Recovery – Linux to the Rescue

To prevent losing data, I had to boot the system and copy it off.  I first tried a Windows LiveCD made with BartPE, but my laptop has an IDE drive, and pop’s has SATA, so there were no drivers for his HDD.  Plan B was to boot into Linux.

The first Linux attempt was an Ubuntu 8.10 LiveCD.  Ubuntu must not support SATA on its LiveCD, because it couldn’t mount the drive.

Next attempt was PC Linux OS, which is my favorite distro running under Parallels.  I made a bootable thumb drive following the instructions at PenDriveLinux.  We booted and mounted the SATA drive, but by default the thumb drive is not writeable, and I couldn’t enable writing to the drive.

My last attempt was to use Slax.  I made a bootable USB key with Slax.  Slax is very lightweight, and has an attractive KDE shell, easy networking (using WEP), and a good set of standard utilities for burning CDs and DVDs.  Some of the critical data I copied to the thumb drive, and the rest (iTunes, grandbaby photos) had to go on a DVD.
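The copy-off step above, as an added example that is not part of the original post: from a Linux live system, mount the infected Windows volume read-only with `noexec,nosuid,nodev` (so nothing on the disk is changed and nothing from it can run), copy the user's data while skipping executables, and write a SHA-256 manifest beside the copy so the restore can be verified. The device path `/dev/sda1` and the mount points `/mnt/win` and `/mnt/usb` are placeholders assumed for this example; check `lsblk` on the real machine.

```shell
#!/bin/sh
# Added example, not the post's own procedure. Assumed placeholders:
# infected Windows volume = /dev/sda1, mounted at /mnt/win; USB key at /mnt/usb.

# Mount options for the infected volume: read-only so the disk is not
# modified, noexec/nosuid/nodev so a stray binary in a user profile can
# never be executed from the live system.
infected_mount_opts() {
    printf '%s' 'ro,noexec,nosuid,nodev'
}

# Mount the Windows volume (needs root and the ntfs-3g driver).
mount_infected() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -t ntfs-3g -o "$(infected_mount_opts)" "$dev" "$mnt"
}

# Copy a directory tree and write a SHA-256 manifest next to the copy.
# Executables are skipped: photos, music and documents are what needs
# saving, and an .exe in a profile is the kind of file that carried the
# infection in the first place. Prints the number of files copied.
copy_with_manifest() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    manifest="$dst/MANIFEST.sha256"
    : > "$manifest"
    ( cd "$src" && find . -type f \
        ! -iname '*.exe' ! -iname '*.dll' ! -iname '*.scr' ! -iname '*.com' \
        ! -iname '*.bat' ! -iname '*.vbs' ) |
    while IFS= read -r rel; do
        rel="${rel#./}"
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$src/$rel" "$dst/$rel"
        ( cd "$dst" && sha256sum "$rel" ) >> "$manifest"
    done
    wc -l < "$manifest" | tr -d ' '
}

# Verify a copy against its manifest; exit status 0 only if every hash matches.
verify_copy() {
    dst="$1"
    ( cd "$dst" && sha256sum -c --quiet MANIFEST.sha256 )
}

# Typical run on the live system as root (paths are placeholders):
#   mount_infected /dev/sda1 /mnt/win
#   copy_with_manifest "/mnt/win/Documents and Settings/<user>" /mnt/usb/<user>
#   verify_copy /mnt/usb/<user> && echo "copy verified"
```

Keeping the source read-only also means the quarantined evidence and the system restore archives stay exactly as the scanner left them, and the manifest lets you confirm the DVD or USB copy is intact before the destructive restore wipes the original.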

The Destructive Restore

After recovering the data, I had one last-ditch idea, to replace the userinit.exe on pop’s machine with the one from my machine.  No dice.  Don’t know why, but didn’t work.

So, I booted into the recovery mode, and did the destructive restore.  Success!  After a small amount of configuration, and reinstalling his software (thankfully he’s un-savvy enough to only have a couple programs), he was up and running.  And now it’s time to finish changing all the passwords.

Moral of the story

HP/Compaq’s onboard restore partition is handy and well designed, but the simple non-destructive recovery may not be enough after a malware infection.  When you need to recover data, Slax is a lifesaver.
