virus/malware removal when system won't boot


Overview

sometimes

steps to virus/malware removal when system won't boot

XP SP3 and Vista and up prevent access to the internet (and who knows what else) if they detect malware, but this is the first time I have heard of this message. this is a new feature in SP3 borrowed from Vista. it has come to my attention that it can also prevent booting.

since it could be malware, I suggest you burn the cd ISO image from http://www.sysresccd.org/Main_Page, which is a linux system rescue livecd; it contains clamav, a malware and virus scanner. download the latest version of the ISO and burn it to a cd as a cd image, not as a file.

configure the boot menu in CMOS SETUP to boot from the cd before the hard disk.

boot the cd you burned.

after you have configured your keyboard and all that stuff (accept the defaults), do the following at the linux shell prompt (be careful what you type - you should not get any errors):

  1. mkdir /mnt/c
  2. ls /dev/sd*
     look to see which numbered devices are listed. if you have just 1 hard disk, it will probably be /dev/sda1, which you would call C: - use that device in your mount command. you may want to mount and scan all of those devices.
  3. mount -t ntfs-3g /dev/sda1 /mnt/c
  4. mkdir /mnt/c/quarantine
  5. /usr/bin/clamscan --recursive=yes -r --infected --move=/mnt/c/quarantine --algorithmic-detection /mnt/c
     at this point, you can take a look at what is in /mnt/c/quarantine by doing
  6. ls /mnt/c/quarantine/*
  7. rm -f /mnt/c/quarantine/*
  8. rmdir /mnt/c/quarantine
  9. umount /mnt/c
  10. go back to step 2 and do the same for the rest of the devices. when you have finished all the sda1 etc. partitions, continue to the next step.
  11. init 6
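the steps above, wrapped into one script, as an added example that is not from the original page: it mounts each partition in turn, runs clamscan with a quarantine directory, and unmounts again. it assumes a SystemRescueCd-style shell with ntfs-3g and clamscan on the PATH; the /mnt/c mount point, the quarantine directory, the DRY_RUN switch and the "sweep" argument are this script's own conventions. it defaults to a dry run that only prints the commands, so you see the plan before anything on the disk is touched.

```shell
#!/bin/sh
# rescue_scan.sh: offline clamscan sweep of every partition from a live cd.
# Added example, not from the original page. Assumes a SystemRescueCd-style
# shell with ntfs-3g and clamscan available; the mount point, quarantine
# directory and the "sweep" argument are this script's own conventions.
# DRY_RUN=1 (the default) only prints the commands; nothing is touched until
# you deliberately run with DRY_RUN=0 as root.

DRY_RUN="${DRY_RUN:-1}"
MNT="${MNT:-/mnt/c}"

# run: execute a command, or print it prefixed with "+" when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# list_partitions: keep only partition nodes (/dev/sda1, /dev/sdb2, ...) and
# drop whole-disk nodes (/dev/sda), which cannot be mounted as a filesystem.
# Takes an optional listing on $1 so it can be exercised on constructed input;
# otherwise it reads /dev directly.
list_partitions() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    else
        ls /dev/sd* 2>/dev/null
    fi | grep -E '^/dev/sd[a-z]+[0-9]+$'
}

# scan_partition DEV: mount DEV at $MNT, quarantine what clamscan flags, and
# unmount again. Infected files are moved, not deleted, so a false positive
# can still be put back after review; --exclude-dir keeps clamscan from
# walking into its own quarantine directory.
scan_partition() {
    dev="$1"
    q="$MNT/quarantine"
    run mkdir -p "$MNT"
    run mount -t ntfs-3g "$dev" "$MNT" || return 1
    run mkdir -p "$q"
    if run clamscan -r -i --move="$q" --exclude-dir="^$q" \
            --log="$MNT/clamscan-$(basename "$dev").log" "$MNT"; then
        rc=0
    else
        rc=$?
    fi
    # clamscan exit status: 0 clean, 1 something was found, 2 scanner error
    case "$rc" in
        0) echo "$dev: clean" ;;
        1) echo "$dev: infected files moved to $q, review before deleting" ;;
        *) echo "$dev: clamscan error $rc, check the log" ;;
    esac
    run umount "$MNT"
}

# sweep_all: scan every partition in turn, continuing past ones that fail to mount.
sweep_all() {
    for dev in $(list_partitions "${1:-}"); do
        scan_partition "$dev" || echo "$dev: mount failed, skipped"
    done
}

# Usage: sh rescue_scan.sh sweep            (dry run, prints the plan)
#        DRY_RUN=0 sh rescue_scan.sh sweep  (real run, as root, from the live cd)
case "${1:-}" in
    sweep) sweep_all ;;
esac
```

run it once without DRY_RUN=0 and read the printed commands against the numbered steps above; only when the list of devices is the one you expect should you run it for real.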

you can use the cd command to change into directories, or cd .. to go back to the parent directory, within the hard disk and work with files. rm is the same as delete. rm -f forces a delete even if the file is read-only. remember that you use / instead of \ in linux, and that in linux the filesystem is case sensitive. to cd into a directory or filename or filepath with spaces, put double quotes around the directory name or filepath you want to specify.

init 6 shuts the system down and reboots it.

umount unmounts the hard disk's filesystem you previously mounted with the mount command. you should always umount a filesystem you have mounted.

you can also use this to fix blue screens of death, black screens of death, virus problems, problems with a windows update that causes a bluescreen, etc.

it's tools like this that you can use to prevent disaster. I hope it helps.

2nd alternative

mount the hard drive on a USB to SATA/IDE cable adapter, and scan it with your virus scanner and malwarebytes' anti-malware.

the problem with this method is that the virus scanner will try to modify the host system's registry and change things that just aren't there, and this may either cause problems on the host system or do nothing at all.