My technique for removing malware on PC’s that won’t boot

I’ve seen a few Windows machines that would not boot because of a rootkit and virus. Here is my quick way of knocking them out before I even get the system booted.

1) Boot up with Trinity Rescue Kit (Linux rescue disk) and select the menu option to mount all drives.
2) Go to a command prompt and open the folder that the drive is mounted to (eg /sda1, /sda2, hda1, etc)
3) Go to the Documents and Settings (XP) or Users (Vista, 7) folder and open the directory that contains the users files. We’ll say /sda1/Documents and Settings/bob for example
4) go to /sda1/Documents and Settings/bob/Local Settings/Application Data/ and delete any .exe files. In Vista/7 its Users/bob/AppData/Local/
5) I also like to go to the users/documents and settings folder and find all the .exe files and remove ones that look suspicious. They have random file names, are in appdata folders, temp folders etc.

cd /sda1/Users/
find . -name “*.exe” >exelist
nano exelist
(remove the lines that aren’t files you want to delete then save, close)

Now I just cat the list

cat exelist

and it gives me the list of the exe’s I want to delete. I usually do it by hand because there’s generally few but you could always write a quick command line script for it.

Now that the virus is probably out of the way, the computer probably has a root kit too. Reboot into the Windows XP recovery console when using XP and rewrite the master boot record with “fixmbr”. I can’t recall how to do it in Vista/7 but google it, it is trivial.

Now boot into the system with safe mode with networking. Install ccleaner and malwarebytes anti-malware (I use its faster) and then run ccleaner first, then malwarebytes. Do the full scan if you have time. If not, the quick scan will be ok. The system should now be clean.

I hopes this works as well for you as it does for me. I generally can do this much faster this way. I had a system cleaned of rootkit/virus in 15 minutes yesterday. In Windows only, it generally takes me 30m-1hr to do.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.