My technique for removing malware on PCs that won’t boot

I’ve seen a few Windows machines that would not boot because of a rootkit or virus. Here is my quick way of knocking them out before I even get the system booted.

1) Boot up with Trinity Rescue Kit (a Linux rescue disk) and select the menu option to mount all drives.
2) Go to a command prompt and cd into the directory the Windows drive is mounted on (e.g. /sda1, /sda2, /hda1).
3) Go to the Documents and Settings (XP) or Users (Vista, 7) folder and open the directory that contains the user’s files. We’ll say /sda1/Documents and Settings/bob for example.
4) Go to /sda1/Documents and Settings/bob/Local Settings/Application Data/ and delete the .exe files there. In Vista/7 it’s /sda1/Users/bob/AppData/Local/. Look before you delete: a few legitimate programs install per-user into this directory (Google Chrome, for example, lives under Google/Chrome/Application/ here), so keep anything that sits in a recognisable vendor folder.
5) I also like to go to the Users (or Documents and Settings) folder, find all the .exe files and remove the ones that look suspicious: random file names, sitting in AppData or Temp folders, etc.

cd /sda1/Users/          (on XP: cd "/sda1/Documents and Settings/")
find . -iname "*.exe" > exelist
nano exelist
(remove the lines that aren’t files you want to delete, then save and close; -iname is used because Windows binaries may be named .EXE as well as .exe)

Now I just cat the list

cat exelist

and it gives me the list of the .exe’s I want to delete. I usually do it by hand because there are generally only a few, but you could always write a quick command-line script for it.
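As an added example (this is not the original post’s code, and not how the author says he does it), here is a POSIX shell script that automates steps 4 and 5 from the rescue shell: it lists every .exe under the user profiles of a mounted volume, marks the ones that sit in AppData/Temp-style directories and have random-looking names as SUSPECT, and deletes only the paths that survive your review in nano. The mount path, the list of “hot” directories, the random-name heuristic and the sample file tree are all assumptions constructed for the example; Chrome’s per-user install path is included so the script shows a legitimate .exe that must not be deleted.

```shell
#!/bin/sh
# Added example (not from the original post): reviewable .exe triage for a
# Windows volume mounted read-write by a Linux rescue disk such as TRK.
# Assumptions: the volume is mounted under ROOT (e.g. /sda1); the hot-directory
# list and the "random-looking name" heuristic are this script's own.

# Print every .exe (any case) under every user profile on the volume.
list_profile_exes() {
  root=$1
  for base in "$root/Documents and Settings" "$root/Users"; do   # XP / Vista+
    [ -d "$base" ] || continue
    for profile in "$base"/*/; do
      [ -d "$profile" ] || continue
      find "$profile" -type f -iname '*.exe'
    done
  done
}

# Locations where user-writable droppers usually land (assumed list).
in_hot_dir() {
  case "$1" in
    *"/Local Settings/Application Data/"*|*"/Local Settings/Temp/"*|\
    *"/AppData/Local/"*|*"/AppData/Roaming/"*) return 0 ;;
  esac
  return 1
}

# Heuristic: a bare alphanumeric name of 5+ chars that mixes letters and
# digits, or has no vowels at all, looks machine-generated (xk3j9d2.exe).
looks_random() {
  name=$(basename "$1" | sed 's/\.[Ee][Xx][Ee]$//')
  printf '%s' "$name" | grep -Eq '^[A-Za-z0-9]{5,}$' || return 1
  if printf '%s' "$name" | grep -q '[0-9]' && printf '%s' "$name" | grep -q '[A-Za-z]'; then
    return 0
  fi
  printf '%s' "$name" | grep -Eqi '^[^aeiou]+$'
}

# Classify each .exe as SUSPECT (hot dir + random name), hotdir, or other.
triage() {
  list_profile_exes "$1" | while IFS= read -r f; do
    if in_hot_dir "$f" && looks_random "$f"; then cls=SUSPECT
    elif in_hot_dir "$f"; then cls=hotdir
    else cls=other
    fi
    printf '%s\t%s\n' "$cls" "$f"
  done
}

# Delete exactly the paths listed in a reviewed file (one per line); print count.
delete_listed() {
  n=0
  while IFS= read -r f; do
    if [ -f "$f" ]; then
      rm -f -- "$f"
      n=$((n + 1))
    fi
  done < "$1"
  echo "$n"
}

# Constructed sample tree standing in for a mounted Windows volume (demo only).
make_demo_tree() {
  demo=$(mktemp -d)
  mkdir -p "$demo/Documents and Settings/alice/Local Settings/Application Data" \
           "$demo/Documents and Settings/alice/My Documents" \
           "$demo/Users/bob/AppData/Local/Temp" \
           "$demo/Users/bob/AppData/Local/Google/Chrome/Application" \
           "$demo/Program Files/Tool"
  : > "$demo/Documents and Settings/alice/Local Settings/Application Data/Q3Rv9.exe"  # dropper-style name
  : > "$demo/Documents and Settings/alice/My Documents/report.exe"                    # ordinary name, not a hot dir
  : > "$demo/Users/bob/AppData/Local/Temp/xk3j9d2.EXE"                                 # dropper-style, upper-case ext
  : > "$demo/Users/bob/AppData/Local/Google/Chrome/Application/chrome.exe"             # legitimate per-user install
  : > "$demo/Program Files/Tool/tool.exe"                                              # outside all profiles
  echo "$demo"
}

# On a real rescue shell:  triage /sda1 | grep '^SUSPECT' | cut -f2 > exelist
#                          nano exelist          (drop anything legitimate)
#                          delete_listed exelist
if [ "${1:-}" = "--demo" ]; then
  demo=$(make_demo_tree)
  triage "$demo"
  rm -rf "$demo"
fi
```

The script never deletes from the triage output directly; the SUSPECT lines go through a file you edit first, which is the same review step the post does by hand with nano. The name heuristic only tags, so a legitimate binary with a numbered name in AppData (chrome.exe is kept, but something like rundll32-style names would be flagged) still gets a human look before removal.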

Now that the virus is probably out of the way, the computer may also have a rootkit in the master boot record. On XP, reboot into the Windows XP Recovery Console and rewrite the MBR with “fixmbr”. On Vista/7 the equivalent is “bootrec /fixmbr” from the command prompt of the Windows Recovery Environment (boot the install DVD and choose Repair your computer). Note that this only evicts a rootkit that lives in the MBR; one that loads as a driver is not touched by it.

Now boot into the system with Safe Mode with Networking. Install CCleaner and Malwarebytes Anti-Malware (I use ninite.com, it’s faster), then run CCleaner first and Malwarebytes second. Do the full scan if you have time; if not, the quick scan will be OK. The system should now be clean. If Malwarebytes still reports active infections after a reboot, run the full scan, since a rootkit that loads from a driver rather than the MBR is not removed by fixmbr.

I hope this works as well for you as it does for me. I can generally do this much faster this way. I had a system cleaned of a rootkit/virus in 15 minutes yesterday. Doing it in Windows only, it generally takes me 30 min to 1 hr.

"a program on your computer has corrupted your default search provider setting for internet explorer"

I ran into this error after upgrading someone’s PC from IE7 to IE8. It took me a while to find the right fix, so I thought I’d share it.

XP
Navigate in Windows Explorer to C:\
Right-click on “Documents and Settings” and go to Properties.
If “Read-Only” is checked, or even grayed out, under “Attributes”, uncheck it and click Apply. Now restart IE8, and the problem should be solved. It is most likely a permissions issue and this fixes it.

How To use Unhide

Malware hiding all your files? Unhide them with unhide.exe. Many malware programs make it look like you lost all of your files, but really they have just been marked hidden.