Software, Technology

How-to: Remove Ransom-ware with Kaspersky Rescue Disk


Kaspersky Rescue Disk utilityFollowing our last security How-to, Identify the Troj/Urausy Ransom-ware infection, this describes using an anti-virus removal tool from Kaspersky to deal with the malware from my esteemed colleague’s laptop.

To create a bootable Kaspersky Rescue Disk, you will need a clean, non-infected, computer with Internet access and a DVD or CD burner, OR, if the infected machine lacks an optical drive, a USB flash drive you can wipe and install Kaspersky Rescue Disk onto.

You will also need to be able to call up a one-time boot menu (usually the f12 key at power-on) and make sure you can change the boot order in the infected machine’s BIOS so that you can boot into the Kaspersky Rescue Disk in place of your Windows install.

  1. Download Kaspersky Rescue disk and burn it to a blank CD or DVD. I won’t go into this; sufficient to say most Windows machines have software to burn disks onto optical media. You could also install the software onto a USB flash drive
  2. Boot into your Kaspersky Rescue Disk to Remove malwareTo restart the infected computer, place your rescue disk into your disk drive, hold down the power button for ten seconds to power down your computer.Only insert the USB flash drive containing Kaspersky Rescue Disk when the machine is completely off – otherwise the infection may be spread to the USB drive!When your computer is completely shut down press the power button to turn it back on. You may need to hit f12 to invoke a one-time boot menu. Select the CD or USB drive to boot into Kaspersky Rescue Disk over your infected hard drive.The CD will invoke an on-screen message like “press any key to boot from CD/DVD. Press anything and your computer will continue to boot from the rescue disk.The Kaspersky Rescue Disk will begin booting.This is actually based on a slimmed-down Linux Live CD, with a KDE desktop (not that you need to know that); it’s a self-contained boot envirnment that is NOT Microsoft Windows and can’t be cross-infected by the Troj/Urausy Ransomware.Select a language and select Kaspersky Rescue Disk Graphic Mode, then hit ENTER. This will start your rescue disk, booting into the graphics desktop.

NOTE: since I bypassed Windows and mounted the hard drive with the Kaspersky Live CD, I took the opportunity to take a full, up-to-date backup of the owner’s data. Don’t assume this is going to work 100% on all variants of the virus; prepare for the worst and assume you’ll do a factory re-set of the machine, which means wiping Windows and all the data on the disk.

  1. Kaspersky Object ScanFrom the Kaspersky Rescue Disk main screen, select Scan to start the utility.If you can persuade the infected machine to connect to the internet – use the Internet connection icon from the bottom-right system tray – you should select My Update Center tab to ensure you have the latest set of virus definitions available for which can KRD scan.Select Start update, this will update the program for any new definitions for anti-viruses or for any new information that the program may be able to use. This may take some time to finish.When the update is complete, go to the Objects Scan tab and choose which drives you want the program to scan; select Start Objects Scan.The objects scan can take anything from a few minutes to a few hours – on the 120GB laptop drive with Windows 7, it took four hours to complete.Kaspersky Rescue Disk reportsKaspersky will alert you that it has found a virus or Trojan on your computer. Select Delete or Quarantine to delete or isolate the virus from your machine.The utility has further options for Quarantine, Reporting and Settings.

    The first time I ran it on the laptop, it found eleven threats including six types of malware. A couple of alerts were false positives for legitimate software or plugins and I restored those from the Quarantine tab.

On the whole, Kaspersky does a through job of finding and deleting malware.

Kaspersky Rescue disk resultsOnce the the virus removal is complete you need to reboot your machine, removing the rescue disk CD or flash drive (otherwise you reboot straight back into Kaspersky Rescue Disk). In the bottom left of the screen where the Windows Start button normally sits is the Kaspersky Start button – click that and select Restart. Your machine will now start up into your normal Windows operating system.

Using Kasperksy, I managed to zap the malware without resorting to a factory reset.

Many IT security experts will recommend using a combination of tools including Malware Bytes and HitmanPro to perform the belt-and-braces (lovely Northern phrase, that) security sweep in order to get maximum coverage. One tool might miss a virus, two less likely, three less likely still. AJS

Related: How-to: Identify the Troj/Urausy Ransom-ware infection

About Allan J. Smithie

Allan J. Smithie is a journalist and commentator based in Dubai.

Discussion

One thought on “How-to: Remove Ransom-ware with Kaspersky Rescue Disk

  1. Good post! We are linking to this great article on our website.
    Keep up the great writing.

    Posted by marisa belmore | August 6, 2014, 2:31 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Twitter Updates

Follow us on Twitter @EverythingExpre

Find Us on Facebook

Enter your email address to follow this blog and receive notifications of new posts by email.

Categories

Library

BBC World News

BBC World News
Opens the BBC World News page.
Follow

Get every new post delivered to your Inbox.

Join 164 other followers

%d bloggers like this: