Free Republic
General/Chat

To: LouieFisk

I’ve used a Linux bootable “live” CD many times to help locate files in Windows machines that can’t be deleted while Windows is running.

Many malware applications set their files as read only, so that even if I can find them, which is rare these days, they can’t be deleted. Many also come back immediately or after a reboot, unless you find the “parent” files. Those are almost always read only. Windows will not let you change that attribute, or if you do, by the time you close Windows Explorer the bug changes it right back; it spawns another one, read only, and the problem is back with another filename before you can close the window.

I fought this several times before finding out what was happening; a bootable Linux CD solves the problem. Being Windows software, the virus, worm or spyware can’t run under Linux, so it can’t run at startup, but Linux can see it, read it by way of a compiler, rename or delete it, whatever you want to do.

Slightly off topic, I have a friend who was a fellow moderator on a computer tech support forum and a programmer in college. When a bad version of a particular spyware application appeared, I called him and was telling him about finding and removing it; he told me to zip it up and email it to him. HUH???

He told me he was also working with one of the spyware sites; he would drop it into a Linux compiler, read the code and help figure out how it worked, and the site would have a fix out in a day or two. The problem was, the people writing it, somewhere in Russia it was suspected, were demanding their people write a new version every 3 days. So by the time a fix was figured out, a new version was already in the wild.

He did the same with viruses; I zipped up several using Linux, emailed them to him and he would forward them to the proper folks to figure out fixes. I had about 30 copies of one virus on my machine at one time, never opened of course; I’d just transfer the emails to a folder created for that purpose, where it was effectively quarantined, and harmless. As long as you don’t open the email, it’s not a problem; it can sit there forever. I can’t remember which virus now, but a nasty one.

If you don’t know it, with Outlook or Outlook Express, you can view the “source code” and read the email, without actually opening it. That’s how I figured out if it was malicious if I got a suspicious email. I can’t remember for sure, it’s been years, but I think you right click on the subject line in Outlook and there’s a View Source option. That opens a strictly text version where you can read the entire thing in text form, including full headers, which you can copy and use to determine where the email came from.

I was using this to send the ISP a notice that their customer was sending out a virus. Sometimes the customer doesn’t even know it; the virus infects the machine, then sets up a secret email server that sends itself out to everyone in the address book. It has your email address, a legitimate-looking subject line, sometimes even copied from an existing email, and a copy of the virus embedded inside.

What you do is just look for a filename in the text version. They are creative; they use filenames that closely resemble legitimate Windows files. For example, it might create a file named explore.exe and switch the registry entry to point to that file, instead of explorer.exe, which is the main Windows file. Same for other files. I’ve seen loads of them; at one time I could just look through the Windows system files and spot them, then they started to hide them elsewhere. After a while they got so clever I couldn’t find them any more at all; I started having to simply reinstall Windows.

Sometimes now even a Linux CD won’t do the trick; reinstall is the only option. I’m not sure how they’re doing it, but someone found a way to really hide their malicious software, so that I can’t find it at all. It’s similar to what Sony did when they created a “rootkit” embedded in their music CDs: they used “super hidden” files. The only way you could find it in Windows was to use the command prompt, know where to look, and know how to reset the attributes so you could even see the directory at all.

The main reason so few viruses have been able to get anywhere with Linux is that with most distributions, system level access is completely restricted, while Windows normally runs the user at Admin level access to begin with. Even with their attempts at better security in XP, it’s still really bad.


7 posted on 09/20/2016 6:00:22 AM PDT by Paleo Pete (Never take a sleeping pill and a laxative on the same night.)
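The “View Source” triage described in the post above, written out as an added example (not code from the poster or from any product mentioned): it parses a constructed raw message, lists the Received hops oldest first so the true sending host is visible, and flags executable attachments whose names imitate Windows system files, such as explore.exe standing in for explorer.exe. The sample message, the list of known system file names and the 0.8 similarity cutoff are assumptions made for the example.

```python
import difflib
from email import message_from_bytes, policy

# Constructed sample of a message's raw "View Source" text; hosts and addresses
# are documentation-range placeholders, not real ones.
RAW_MESSAGE = b"""Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.org with ESMTP; Tue, 20 Sep 2016 05:58:01 -0700
Received: from victim-pc (203.0.113.45)
    by mail.example.net with SMTP; Tue, 20 Sep 2016 05:57:55 -0700
From: "A Friend" <friend@example.net>
To: you@example.org
Subject: Re: photos from the weekend
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="explore.exe"
Content-Disposition: attachment; filename="explore.exe"

(placeholder bytes, not a real program)
--b1--
"""

# Legitimate Windows binary names that malware imitates (assumed list, extend as needed).
KNOWN_SYSTEM_FILES = ["explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe"]
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def received_chain(msg):
    """Received headers oldest first, so entry 0 is the host that actually sent the mail."""
    hops = msg.get_all("Received") or []
    return [" ".join(str(h).split()) for h in reversed(hops)]

def lookalike(filename):
    """Legitimate name a filename closely imitates (explore.exe -> explorer.exe), else None."""
    name = filename.lower()
    match = difflib.get_close_matches(name, KNOWN_SYSTEM_FILES, n=1, cutoff=0.8)
    return match[0] if match and match[0] != name else None

def triage(raw_bytes):
    """Origin hop and attachment findings, as a manual 'View Source' review would note them."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hops = received_chain(msg)
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    flags = []
    for name in names:
        if name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"{name}: executable attachment")
        if (legit := lookalike(name)):
            flags.append(f"{name}: imitates {legit}")
    return {"origin": hops[0] if hops else None, "attachments": names, "flags": flags}
```

The origin hop is what you would quote in an abuse report to the ISP; the sender address and subject line can be forged, the earliest Received line is harder to fake.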


To: Paleo Pete

Interesting. I use a variety of anti-malware progs in Windows, so I haven’t seen any nasties in a long, long time. Also, having been a computer user for quite a while, I use caution and common sense.
In case you may not be familiar with it, a good site to check out any file or webpage you may think is “iffy” is:

https://virustotal.com

It runs the file or URL through a mess of malware detection programs and shows you the results.

The nice thing about using Linux to malware-check Windows or do other repair work is that when Windows is “asleep” - not running - so is the malware, so it can’t hide.

You can also install Linux to a USB stick, which is handier than a CD/DVD to use, and it actually runs pretty well as an operating system. It only uses the host PC’s CPU and memory. I have 3 or 4 different versions on USB that I often run. The Lubuntu flavor of Linux is my favorite for all-around use.

And though it’s extremely rare to run into Linux malware, I use a paid anti-malware prog on the Linux side of my dual boot. It’s never run into any malware other than the harmless EICAR anti-malware test file I’ve used to test it. You can also use it on Windows (and I would suppose Macs) to see if your anti-malware progs catch it.

Info here:
https://en.wikipedia.org/wiki/EICAR_test_file

Get test file(s) here:
http://www.eicar.org/85-0-Download.html


8 posted on 09/20/2016 7:13:25 AM PDT by LouieFisk


