Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 24 June 2009

Using the ClamAV LiveCD to clean an infected Windows machine

Should you ever find your computer unable to boot due to an infection, or the system boots fine but never gets to the desktop, what do you do? Well, typically, your options are:

1. Format and re-install Windows
2. Remove the hard drive and pop it into a secondary machine as a slave
3. Use a Linux LiveCD to boot and clean the machine

The first option is, obviously, not viable for most people, as you'd want to back up your documents and such first. The second, again, is not viable for most people, as not everyone has a secondary machine.

The last option, however, is very simple and can be used by everyone. To save yourself downloading a large file, you can download a much smaller LiveCD built specifically for this task, in the form of the ClamAV Live CD by Brandon Perry:

http://www.volatileminds.net/projects/clamav/

Whilst rather old, this can be updated to use the latest definitions, and we'll go through that in a second. The first thing you need to do once you've downloaded the ISO is burn it to a CD; I personally suggest ISORecorder for this:

http://isorecorder.alexfeinman.com/isorecorder.htm

The first screen you will see when booting the CD is the introduction; here, simply type clamav and press enter. You'll need to wait a few minutes for it to load, but once loaded you'll be at the command prompt:

ubuntu@ubuntu~1$

Type sudo apt-get update and press return. Again, you'll need to wait a couple of minutes, but once it's finished you'll be back at the prompt. Next we need to update the ClamAV signatures; to do this, type sudo freshclam and press return.

Next, we need to mount the drive containing your Windows installation. Type each of the following commands, pressing return after each, of course:

cd /home
sudo mkdir mnt
sudo mount -t ntfs-3g /dev/sda1 ./mnt

Finally, we need to run the scan (note this will take some time, so grab a coffee, watch a movie, take the dog for a walk or ... you get the idea). To do this, type the following and press return:

clamscan -i -r --remove ./mnt
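As an added example (not the original post's own commands), here is the mount-and-scan step wrapped in a small script that quarantines and logs detections instead of deleting them, so a false positive can be put back. It assumes, like the post, that /dev/sda1 is the Windows partition and that the LiveCD provides sudo, ntfs-3g and clamscan; the sample summary text is constructed, not real scanner output.

```shell
#!/bin/sh
# Added example, not from the original post. --remove gives you no way back from a
# false positive, so this uses --move (quarantine) and --log instead. Assumes the
# Windows partition is /dev/sda1 as in the post. Put QUAR on persistent media (a USB
# stick): the LiveCD's root filesystem lives in RAM and is lost at reboot.

DEV="${DEV:-/dev/sda1}"
MNT="${MNT:-/home/mnt}"
QUAR="${QUAR:-/home/quarantine}"
LOG="$QUAR/clamscan.log"

# clamscan's documented exit codes: 0 nothing found, 1 infections found, 2 error.
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Extract the "Infected files: N" figure from a clamscan report read on stdin.
infected_count() {
    sed -n 's/^Infected files: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample of the summary clamscan appends to its report (not real output).
SAMPLE_SUMMARY='----------- SCAN SUMMARY -----------
Scanned directories: 1200
Scanned files: 48000
Infected files: 3
Time: 4100.000 sec (68 m 20 s)'

run_scan() {
    sudo mkdir -p "$MNT" "$QUAR"
    sudo mount -t ntfs-3g "$DEV" "$MNT" || { echo "mount of $DEV failed" >&2; return 2; }
    # -i: print only infected files; -r: recurse; --move quarantines; --log keeps the report.
    sudo clamscan -i -r --move="$QUAR" --log="$LOG" "$MNT"
    rc=$?
    echo "scan result: $(scan_status "$rc"); $(infected_count < "$LOG") file(s) moved to $QUAR"
    sudo umount "$MNT"
    return "$rc"
}

# Only touch real disks when explicitly asked: RUN_SCAN=1 sh clean-windows.sh
if [ "${RUN_SCAN:-0}" = 1 ]; then run_scan; fi
```

Files that turn out to be false positives can then be copied back from the quarantine directory onto the mounted Windows volume, and the log records exactly what was moved.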

Note: The author's tutorial for this LiveCD is available in English, German or Polish at http://www.volatileminds.net/projects/clamav/tutorial.html. His blog also documents a script you can use (on Linux, obviously; no such beast yet exists for Windows) to update the LiveCD ISO automagically via cron.

As an aside, I do actually generally recommend people surf the internet using a Linux LiveCD anyway, as it makes it much harder to infect your Windows system (there is malware out there for Linux, make no mistake, but nowhere near as much as there is for Windows, due mainly to Windows' popularity). You don't even need to boot the system with the CD; you can use MobaLiveCD instead (though bear in mind, this is MUCH slower, tends to require a LOT of RAM, and tends to hate trying to run large (over 150MB) ISOs; I've had the most success with it using DamnSmallLinux).

3 comments:

Unknown said...

Thanks for posting this. How do I put it onto a USB and have it boot from there? I have attempted F-Secure Rescue CD V3.00 (159MB) and the fsdupdate.run file (100MB) for those that can't access the Internet to download the latest definitions. I suspect I have a boot virus as I got a STOP 0x00..ED unmountable boot volume BSoD. Think this will work?

Brandon Perry said...

Thanks for the post :-).

@AdamoGio ClamAV won't clean boot sector viruses. Google how to rewrite the boot sector.

MysteryFCM said...

My pleasure :o)