Using system rescue CD to scan and delete virus in Windows

SystemRescueCd from http://www.sysresccd.org/ includes the ClamAV anti-virus scanner; in our standard operating procedure I use this CD as one of the virus detectors.

How I use it:

1. Download the latest version from http://www.sysresccd.org/

2. Burn it to a CD

3. Start the computer and set the BIOS to boot from the CD-ROM first:

[screenshot: BIOS boot order]

4. Select the default menu entry by pressing Enter; after everything has loaded you'll see this screen:

[screenshot: SystemRescueCd shell prompt]

5. Set the IP address, gateway and DNS server so that host names can be resolved.

ifconfig eth0 inet 192.168.12.107/24

route add default gw 192.168.12.1

echo 'nameserver 192.168.12.1' > /etc/resolv.conf

6. Test the network connection with ping

ping yahoo.com

PING yahoo.com (206.190.60.37) 56(84) bytes of data.
64 bytes from w2.rc.vip.re4.yahoo.com (206.190.60.37): icmp_seq=1 ttl=47 time=373 ms
64 bytes from w2.rc.vip.re4.yahoo.com (206.190.60.37): icmp_seq=4 ttl=47 time=356 ms
64 bytes from w2.rc.vip.re4.yahoo.com (206.190.60.37): icmp_seq=6 ttl=47 time=414 ms
64 bytes from w2.rc.vip.re4.yahoo.com (206.190.60.37): icmp_seq=7 ttl=47 time=408 ms
64 bytes from w2.rc.vip.re4.yahoo.com (206.190.60.37): icmp_seq=8 ttl=47 time=353 ms
64 bytes from w2.rc.vip.re4.yahoo.com (206.190.60.37): icmp_seq=9 ttl=47 time=363 ms
^C
--- yahoo.com ping statistics ---
10 packets transmitted, 6 received, 40% packet loss, time 9457ms
rtt min/avg/max/mdev = 353.667/378.221/414.335/24.191 ms

7. Check the Windows partition

fdisk -l

Disk /dev/sda: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x6f656f65

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        1043     8377866    7  HPFS/NTFS

As you can see, the Windows partition is '/dev/sda1'.

8. Mount the Windows partition at /mnt/winc

mkdir /mnt/winc

ntfs-3g /dev/sda1 /mnt/winc

9. Update ClamAV to the latest virus definitions

freshclam

ClamAV update process started at Sun Feb  8 10:17:27 2009
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): OK (IMS)
main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
Reading CVD header (daily.cvd): OK
WARNING: getfile: daily-8684.cdiff not found on remote server (IP: 193.1.193.64)
WARNING: getpatch: Can't download daily-8684.cdiff from database.clamav.net
WARNING: getfile: daily-8684.cdiff not found on remote server (IP: 222.124.18.201)
WARNING: getpatch: Can't download daily-8684.cdiff from database.clamav.net
WARNING: getfile: daily-8684.cdiff not found on remote server (IP: 222.124.18.201)
WARNING: getpatch: Can't download daily-8684.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 8963, sigs: 75625, f-level: 38, builder: guitar)
Database updated (513597 signatures) from database.clamav.net (IP: 222.124.18.201

10. Scan the Windows partition with clamscan

clamscan -vri /mnt/winc

-v = verbose, show the scan progress

-r = recursive, descend into subdirectories

-i = print only infected files

The process takes a while, depending on the size of the Windows partition and the speed of the computer.

11. See the summary

----------- SCAN SUMMARY -----------
Known viruses: 513111
Engine version: 0.94.2
Scanned directories: 603
Scanned files: 4592
Infected files: 1
Data scanned: 772.54 MB
Time: 657.436 sec (10 m 57 s)

As you can see, there is 1 infected file.

To delete that file use:

clamscan -vri --remove /mnt/winc

Yes, --remove will remove the file.
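The scan and clean-up steps above, wrapped into a small shell script as an added example (not from the original post): it quarantines findings with --move instead of deleting them, keeps the full report with --log, and parses the report afterwards. The quarantine directory /root/quarantine and log path /root/clamscan.log are assumed; the sample report embedded at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Windows partition is
# already mounted at /mnt/winc (step 8) and that the live CD's /root is writable.

MOUNT=/mnt/winc                 # mounted NTFS volume from step 8
QUARANTINE=/root/quarantine     # assumed quarantine directory on the rescue system
LOG=/root/clamscan.log          # assumed report path

# Run clamscan with --move rather than --remove: infected files are moved to
# $QUARANTINE, so a false positive can be restored instead of being lost.
# clamscan exit status: 0 = clean, 1 = infected files found, 2 = error.
run_scan() {
    mkdir -p "$QUARANTINE"
    clamscan -ri --move="$QUARANTINE" --log="$LOG" "$MOUNT"
}

# Print each "path: Signature FOUND" line of a report (read from stdin)
# as "Signature path", one per line.
list_findings() {
    sed -n 's/^\(.*\): \(.*\) FOUND$/\2 \1/p'
}

# Extract the "Infected files:" count from the SCAN SUMMARY section (stdin).
infected_count() {
    sed -n 's/^Infected files: \([0-9]*\)$/\1/p'
}

# Constructed sample report in clamscan's output format, used to exercise the
# parsers offline; the file path and signature name are made up.
SAMPLE_REPORT='/mnt/winc/Windows/Temp/setup_1.exe: Win.Trojan.Example-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 513111
Engine version: 0.94.2
Scanned files: 4592
Infected files: 1
Data scanned: 772.54 MB'

if [ "${1:-}" = "--scan" ]; then
    # Real run: scan, then summarise the saved report.
    run_scan
    printf 'exit status %s\n' "$?"
    list_findings < "$LOG"
else
    # Default: demonstrate the parsers on the constructed sample.
    printf '%s\n' "$SAMPLE_REPORT" | list_findings
    printf 'infected files: %s\n' "$(printf '%s\n' "$SAMPLE_REPORT" | infected_count)"
fi
```

Run with --scan on the rescue system to perform the real scan; without arguments it only parses the embedded sample.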
