Using System Rescue CD to scan for and delete viruses in Windows

SystemRescueCd from http://www.sysresccd.org/ includes the ClamAV anti-virus scanner. As part of our standard operating procedure I use this CD as one of the virus detectors: the Windows installation is never booted, so the malware is not running while its files are scanned.

How I use it:

1. Download the latest version from http://www.sysresccd.org/

2. Burn it to a CD.

3. Start the computer and set the BIOS to boot from the CD-ROM first:

[screenshot: BIOS boot order menu]

4. Press Enter to take the default boot menu entry. After everything has loaded you will see this screen:

[screenshot: SystemRescueCd prompt after boot]

5. Set the IP address, gateway and DNS server so that names can be resolved. The values below are for my LAN; adjust them for yours. If the LAN has a DHCP server the CD normally obtains an address by itself at boot and this step can be skipped.

ifconfig eth0 inet 192.168.12.107/24

route add default gw 192.168.12.1

echo 'nameserver 192.168.12.1' > /etc/resolv.conf

6. Test the network connection with ping:

ping yahoo.com

PING yahoo.com (206.190.60.37) 56(84) bytes of data.
64 bytes from w2.rc.vip.re4.yahoo.com (206.190.60.37): icmp_seq=1 ttl=47 time=373 ms
64 bytes from w2.rc.vip.re4.yahoo.com (206.190.60.37): icmp_seq=4 ttl=47 time=356 ms
64 bytes from w2.rc.vip.re4.yahoo.com (206.190.60.37): icmp_seq=6 ttl=47 time=414 ms
64 bytes from w2.rc.vip.re4.yahoo.com (206.190.60.37): icmp_seq=7 ttl=47 time=408 ms
64 bytes from w2.rc.vip.re4.yahoo.com (206.190.60.37): icmp_seq=8 ttl=47 time=353 ms
64 bytes from w2.rc.vip.re4.yahoo.com (206.190.60.37): icmp_seq=9 ttl=47 time=363 ms
^C
--- yahoo.com ping statistics ---
10 packets transmitted, 6 received, 40% packet loss, time 9457ms
rtt min/avg/max/mdev = 353.667/378.221/414.335/24.191 ms

7. Find the Windows partition:

fdisk -l

Disk /dev/sda: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x6f656f65

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        1043     8377866    7  HPFS/NTFS

As you can see, the Windows partition is /dev/sda1 (Id 7, HPFS/NTFS). If the disk has more than one NTFS partition, note each of them; the steps below have to be repeated for every one.

8. Mount the Windows partition on /mnt/winc. The read-write mount is needed for the --remove step at the end; for a detection-only pass a read-only mount is safer. Note that ntfs-3g refuses to mount a volume that Windows left hibernated, so shut Windows down fully before booting the CD.

mkdir /mnt/winc

ntfs-3g /dev/sda1 /mnt/winc

9. Update ClamAV to the latest virus definitions (this needs the network from step 5; if the update fails you can still scan with the signatures shipped on the CD, but they will be older and will miss recent malware):

freshclam

ClamAV update process started at Sun Feb  8 10:17:27 2009
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): OK (IMS)
main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
Reading CVD header (daily.cvd): OK
WARNING: getfile: daily-8684.cdiff not found on remote server (IP: 193.1.193.64)
WARNING: getpatch: Can’t download daily-8684.cdiff from database.clamav.net
WARNING: getfile: daily-8684.cdiff not found on remote server (IP: 222.124.18.201)
WARNING: getpatch: Can't download daily-8684.cdiff from database.clamav.net
WARNING: getfile: daily-8684.cdiff not found on remote server (IP: 222.124.18.201)
WARNING: getpatch: Can't download daily-8684.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 8963, sigs: 75625, f-level: 38, builder: guitar)
Database updated (513597 signatures) from database.clamav.net (IP: 222.124.18.201)

10. Scan the Windows partition with clamscan:

clamscan -vri /mnt/winc

-v = verbose, show progress

-r = recursive, descend into subdirectories

-i = only print infected files

The scan takes a while, depending on the size of the Windows partition and the speed of the machine. Each hit is printed as the file path followed by the signature name and FOUND, so keep the output (or redirect it to a file) so you know afterwards which files were flagged.

11. Read the summary:

----------- SCAN SUMMARY -----------
Known viruses: 513111
Engine version: 0.94.2
Scanned directories: 603
Scanned files: 4592
Infected files: 1
Data scanned: 772.54 MB
Time: 657.436 sec (10 m 57 s)

As you can see, one file was infected. The summary does not name it; look above the summary for the line ending in FOUND to see which file and which signature matched, and check that it is not a false positive on something Windows needs to boot before deleting it.

To delete that file, run the scan again with --remove:

clamscan -vri --remove /mnt/winc

Yes, --remove deletes every matching file on the (read-write mounted) partition, and there is no undo. Keep in mind that this only removes the malicious files; the registry entries, services or scheduled tasks that launched them are left behind, so check for those once Windows is booted again.
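As an added example (not code from the original post, nor from SystemRescueCd or ClamAV), the steps above collected into one shell script: it tries DHCP before falling back to the post's static settings, finds every NTFS partition from fdisk output, mounts each one read-only for the detection pass, logs the scan, and offers a quarantine pass that uses --move instead of --remove so a false positive can be put back. The static IP values, mount point, quarantine and log paths, and the two sample outputs at the bottom are assumptions or constructed samples chosen to match the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Device names, mount point,
# quarantine/log paths, static IP settings and the sample outputs below are
# assumptions or constructed samples.

# --- step 5: network. Try DHCP first; fall back to the post's static values (edit for your LAN).
setup_network() {
    dhcpcd eth0 2>/dev/null && return 0
    ifconfig eth0 inet 192.168.12.107/24
    route add default gw 192.168.12.1
    echo 'nameserver 192.168.12.1' > /etc/resolv.conf
}

# --- step 7: list NTFS partitions from `fdisk -l` output read on stdin.
# fdisk prints Id 7 as "HPFS/NTFS" (newer versions: "HPFS/NTFS/exFAT"); matching
# the system name instead of a column number keeps the boot flag "*" from shifting fields.
ntfs_partitions() {
    awk '$1 ~ /^\/dev\// && /HPFS\/NTFS/ { print $1 }'
}

# --- steps 10/11: pull the flagged paths out of clamscan output read on stdin.
# Hits look like "<path>: <signature> FOUND"; NTFS file names cannot contain ":",
# so the last ": " on the line reliably separates the path from the signature.
infected_files() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p'
}

# "Infected files: N" from the scan summary.
infected_count() {
    awk '/^Infected files:/ { print $NF }'
}

# Detection pass: mount read-only so the scan cannot alter the evidence, log the
# result, unmount. Returns clamscan's status: 0 clean, 1 infected, 2 error.
scan_partition() {
    local dev="$1"
    local mnt="${2:-/mnt/winc}"
    local log="${3:-/root/clamscan-$(basename "$dev").log}"
    mkdir -p "$mnt"
    # ntfs-3g refuses a volume that Windows left hibernated; shut Windows down fully first.
    ntfs-3g -o ro "$dev" "$mnt" || return 2
    clamscan -ri --log="$log" "$mnt"
    local rc=$?
    umount "$mnt"
    return $rc
}

# Cleanup pass: remount read-write and move hits into a quarantine directory on the
# same partition instead of deleting them, so a false positive can be restored.
# The quarantine directory is excluded from the scan so it is not re-flagged later.
quarantine_partition() {
    local dev="$1"
    local mnt="${2:-/mnt/winc}"
    local qdir="$mnt/clamav-quarantine"
    mkdir -p "$mnt"
    ntfs-3g "$dev" "$mnt" || return 2
    mkdir -p "$qdir"
    clamscan -ri --move="$qdir" --exclude-dir="^$qdir" "$mnt"
    local rc=$?
    umount "$mnt"
    return $rc
}

# Steps 7 and 10 for every NTFS partition on the machine; status 1 if any was infected.
scan_all_ntfs() {
    local dev rc=0
    for dev in $(fdisk -l 2>/dev/null | ntfs_partitions); do
        echo "== scanning $dev =="
        scan_partition "$dev" || rc=$?
    done
    return $rc
}

# Constructed sample outputs (modelled on the post's fdisk and clamscan output) so the
# parsers can be exercised without a disk or the ClamAV tools present.
SAMPLE_FDISK='   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        1043     8377866    7  HPFS/NTFS
/dev/sda2            1044        1200     1261102   83  Linux
/dev/sda3            1201        1300      803250    7  HPFS/NTFS'

SAMPLE_SCAN='/mnt/winc/WINDOWS/Temp/dropper.exe: Eicar-Test-Signature FOUND
/mnt/winc/Documents/report.doc: OK
----------- SCAN SUMMARY -----------
Known viruses: 513111
Scanned files: 4592
Infected files: 1'

if [ "${1:-}" = "--run" ]; then
    # Real run on the rescue CD: needs root, the network and the ClamAV tools.
    setup_network && freshclam
    scan_all_ntfs
else
    echo "NTFS partitions: $(printf '%s\n' "$SAMPLE_FDISK" | ntfs_partitions | tr '\n' ' ')"
    echo "Flagged files:   $(printf '%s\n' "$SAMPLE_SCAN" | infected_files)"
fi
```

Run it with --run as root on the rescue CD to do the real scan; without arguments it only exercises the parsers on the constructed samples, which is a cheap smoke test before trusting it on a real disk. Because clamscan exits 1 when something was found, the status of scan_all_ntfs tells you whether a quarantine pass is needed, and the per-partition log files keep the FOUND lines that the summary alone does not show.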

4 Comments

  1. Hi

    I am a user of SystemRescue CD

    There are practical difficulties in the following cases:

    1. The article assumes that the Internet is already available and the userid/password is already embedded in the modem/router (ADSL). Most of the time this assumption fails.
    2. Hence a method of passing the userid/password to the ADSL modem/router is required.
    3. If we decide to use this method inside an organization, the Internet may be accessible only via a proxy. And the proxy will require a userid/password and maybe local DNS/WINS access.
    4. How do we pass on the proxy information and the userid/password for the proxy?

  2. Pingback: Update Clam Anti Virus Definition Offline | Learning On Demand

  3. Pingback: IT Tutorials » Using System rescue cd to Remove Viruses from Windows
