Recently, I was asked to remove some viruses from a Dell E510. The E510 comes with Windows Media Center installed on it. In addition, the E510 provides a RAID 1 array using technology supplied by Intel (Intel® Matrix Storage Technology).
In a typical job like this, I take the infected drive and slave it to my PC. Then I scan it with several of the well-known virus and spyware scanners. Occasionally, I'll mount the infected registry on my PC and remove nasty items directly.
But with the array, I was itching to try something different. I am experimenting with antivirus rescue CDs. Turns out that there are free rescue CDs from a lot of vendors. I downloaded free versions from Avira, BitDefender, F-Secure, and AVG. They all are based upon Linux, albeit different flavors. This isn't a review of the rescue disks - maybe I'll do that in some other post.
I booted the PC from the AVG disk and was pleased to see that it recognized the array and was able to mount it. It also configured the NIC and was able to download updates from the internet. I scanned the PC and AVG recognized 9 viruses and a rootkit! I wasn't expecting that.
I booted the PC from the F-Secure CD and was disappointed to find that it couldn't recognize the array, so I was unable to use this product. The Avira CD also failed to mount the array. However, the BitDefender CD performed much like the AVG product - it mounted the array, downloaded updates from the internet and scanned the PC.
OK, I said I wasn't going to review the antivirus CDs, but I couldn't resist at least mentioning how they performed with this system.
Back to the AVG scan - AVG said that the rootkit was concealed in the iaStor.sys driver file. This was bad news - remember that I said the Dell E510 uses Intel array technology? Guess what driver controls array access - yes, it's iaStor.sys. So remove the driver and the OS won't boot.
Oh well, there's no hope for it. Using the AVG product, I deleted the iaStor.sys file. However, all is not lost. I took one of the disks out of the Dell and mounted it on my PC. RAID1 is basically drive mirroring, so I found that I could read the single drive. I went to the <drive>:\i386\ folder and extracted a new copy of the iaStor.sys driver and put it back in the \windows\system32\drivers\ folder. Then I mounted the 2nd drive and did the same thing.
I replaced the two drives in the Dell, made sure the array was OK by booting it once, then booted it from the AVG disk for another round of scanning. I deleted all of the infected files reported by the scanner, then rebooted the Dell. I thought I was finished when the array wouldn't boot.
However, I wasn't ready to quit. I mounted one of the drives on my PC and ran CHKDSK /r on it. Two files were recovered, file0001.chk and file0002.chk. Then I attached the other drive and repeated the procedure. The same files were recovered. File0001.chk had a disk size of 0 KB. Not too interesting, so I deleted it. File0002.chk was a binary file of some sort. I guessed it had to be a missing driver, which would explain why the PC wouldn't boot.
A search for some hex editors turned up XN Resource Editor. It is a little dated but it worked like a champ. When I used it to open the file fragment, it told me that the original filename was iaStor.sys. Looks like I hadn't quite gotten things right the first time around.
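The lookup XN Resource Editor did by hand can be scripted. The following is an added example (not code from the original post or from any of the tools it mentions): it scans a recovered fragment for the StringFileInfo strings of a Windows version resource and reports OriginalFilename, InternalName and a few other keys. It deliberately does not trust the PE headers or the length fields, since a CHKDSK fragment may be truncated or partly overwritten; it only needs the UTF-16 key text and the value that follows it to survive. The SAMPLE_FRAGMENT bytes and the version values in it are constructed for the example and are not taken from a real iaStor.sys.

```python
"""Identify what a CHKDSK-recovered fragment (file000N.chk) used to be by
reading the StringFileInfo strings of an embedded Windows version resource.

Added example, not the original post's method. It does by script what the
author did in XN Resource Editor: read OriginalFilename out of the PE
version resource. Because it is a plain byte scan it also works on a
truncated fragment that a full PE parser would reject.
"""
import struct
import sys

# StringFileInfo keys worth reporting when triaging an unknown fragment.
KEYS = ("OriginalFilename", "InternalName", "FileVersion",
        "CompanyName", "FileDescription")


def utf16(s: str) -> bytes:
    return s.encode("utf-16-le")


def read_version_strings(data: bytes) -> dict:
    """Return {key: value} for every KEYS entry found in `data`.

    Each String entry in VS_VERSIONINFO is laid out as
        WORD wLength; WORD wValueLength; WORD wType;
        WCHAR szKey[];   NUL-terminated, UTF-16LE
        WORD Padding[];  zero words up to 4-byte alignment
        WCHAR Value[];   NUL-terminated, UTF-16LE
    The length fields may be damaged in a fragment, so instead of walking
    the structure this finds the key text, skips zero-word padding and
    reads the value up to its terminator.
    """
    found = {}
    for key in KEYS:
        needle = utf16(key) + b"\x00\x00"  # key plus its UTF-16 NUL
        pos = data.find(needle)
        if pos < 0:
            continue
        pos += len(needle)
        # Skip alignment padding: zero WORDs between key and value.
        while pos + 2 <= len(data) and data[pos:pos + 2] == b"\x00\x00":
            pos += 2
        end = pos
        while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        if end > pos:
            found[key] = data[pos:end].decode("utf-16-le", errors="replace")
    return found


def identify(data: bytes):
    """Return the OriginalFilename recorded in the fragment, or None."""
    return read_version_strings(data).get("OriginalFilename")


def build_string_entry(key: str, value: str) -> bytes:
    """Lay out one String entry the way the resource compiler does.
    Used here only to construct the sample fragment below."""
    body = utf16(key) + b"\x00\x00"
    if (6 + len(body)) % 4:  # pad so Value starts on a 4-byte boundary
        body += b"\x00\x00"
    val = utf16(value) + b"\x00\x00"
    head = struct.pack("<HHH", 6 + len(body) + len(val), len(value) + 1, 1)
    return head + body + val


# Constructed sample: junk bytes standing in for the rest of a recovered
# fragment, followed by a version-resource string block. The company,
# description and version values are illustrative, not a real driver's.
SAMPLE_FRAGMENT = (
    b"\x00" * 16 + b"MZ\x90\x00" + b"\xcc" * 40
    + build_string_entry("CompanyName", "Example Vendor")
    + build_string_entry("FileDescription", "Example RAID storage driver")
    + build_string_entry("FileVersion", "1.2.3.4")
    + build_string_entry("InternalName", "iaStor.sys")
    + build_string_entry("OriginalFilename", "iaStor.sys")
    + b"\xcc" * 8
)

if __name__ == "__main__":
    # Usage: python identify_chk.py file0002.chk  (no argument: built-in sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FRAGMENT
    for k, v in read_version_strings(blob).items():
        print(f"{k}: {v}")
    print("OriginalFilename:", identify(blob))
```

Run it against file0002.chk as the argument. If OriginalFilename comes back as a driver name, compare it with what is actually present in \windows\system32\drivers\ before replacing anything; if no keys are found at all, the fragment either carries no version resource or the string block did not survive, and the file needs a different identification method.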
I followed the same procedure as above to put new copies of iaStor.sys in the correct system folders. I put both disks back into the Dell and held my breath as it booted.... successfully!! The Dell rebuilt the array this time and I waited until that completed. One last scan confirmed that the PC was now clean.