Remove malware from Windows 101

Short how-to on checking and cleaning Windows installs from malware:

1. Download a Linux distro of your choice using a torrent client (reason: automatic hash check, basically knowing that what you download is the real thing). For the purpose of this how-to, I'll give the example of Fedora, because it's fully Open Source and GPL/GNU licensed, runs really well on most hardware out of the box, and a Fedora Live distro boots to root, which is convenient. Fedora should only be downloaded from fedoraproject.org. The version to choose is the LiveCD version, and the spin that fits on a CD is the XFCE version, because it's smaller. If you go for the Gnome or KDE versions, it will not fit on a CD, so you'll have to burn a DVD. Do not download the "install" version; make sure you download the "Live" version.

2. Burn the downloaded .ISO file like this: http://windows.microsoft.com/en-sg/windows7/burn-a-cd-or-dvd-from-an-iso-file

3. Restart the computer and boot from the CD. Fedora will start up and ask you if you want to install or try Fedora. Select "Try Fedora", and the system will boot further (this is not so fast because it's running off a CD, which is very slow in comparison to a HDD). When the system is booted, you'll be root, which is needed to install anti-virus software.

4. Open the application launcher and select "Terminal". A Terminal window pops up. Maximize it for ease of use. There is also a GUI way of doing all of this, but that differs from DE to DE, so I'm giving the CLI version because it works on all systems and it's faster.

5. In the terminal window, you'll see a command prompt. This looks like "[liveuser@localhost]$" or "[root@localhost]#". If it looks like the first option, type "su -" and press Enter, and it'll look like the second, which is what you need.

6. Type "yum install clamav clamtk" and press Enter. The system will look for the software packages "clamav" and "clamtk" in the official trusted Fedora repos, and ask for confirmation to install these. Enter "y" for confirmation. The system will now install these packages.

7. After you get the command prompt back, type "leafpad /etc/freshclam.conf" and press Enter. If you use the Gnome edition, you'll have to use "gedit" instead of "leafpad", and if you use the KDE version, you'll have to use "Kate" instead of leafpad. For the XFCE version, both "leafpad" and "geany" can be used; I chose leafpad because it's a very simple program without distracting functions for the inexperienced.

8. After entering the command under the previous item, a window will pop up with the contents of the freshclam.conf file. You'll have to make two very small edits to this file:

     - at around line 7, you'll see the line "example". Change that to "# example" or just delete the line.

     - at around line 70, you'll see a line that looks like "# DatabaseMirror=db.XY.clamav.net". Delete the "#" at the start of the line, and change the "db.XY.clamav.net" to "db.US.clamav.net" if you're in the US, "db.FR.clamav.net" if you're in France, "db.DE.clamav.net" if you're in Germany, etc. Basically, enter your country code or the code of a country near you, so that you can access the virus definitions database efficiently.

9. Save the freshclam.conf file by selecting "File" and "Save" (just like in Windows Notepad). Close Leafpad, and you'll be back in the terminal window you used before.

10. Type "freshclam" and press Enter. The system will update the virus definitions. When it's completed, close the terminal window.

11. In your application launcher, find the program called "clamtk". It has a red crosshair in its icon, and should be in the Accessories category or the System category. Click the program name or icon to start it.

12. ClamTK will now open in a new window. After looking for virus definitions for about a second, it should display three checkmarks or three green lights, indicating that everything is up to date. In the toolbar, you'll find an icon that says "Preferences". Click that. The Preferences window opens. Check all options there and click OK to close the Preferences window.

13. Click the "Home" icon in the toolbar for a full system check, or open the Scan menu to select a folder on your computer. Make sure that if your computer has multiple HDD volumes, all volumes are mounted. In the XFCE edition, all the volumes are shown as icons on the desktop. If they are not mounted, they are greyed out, and you have to right-click them and select "Mount" from the context menu that pops up. Volumes that are not mounted will not be scanned, so this is important.

14. The scan will run for some time, and when it's finished, ClamTK will open a window with all the infections found on the system. You'll have to go through them one by one and select "delete" or "quarantine" for each of them.

15. When you're done, close ClamTK and restart the computer, ejecting the LiveCD when the computer boots up.

16. If you had infections on your Windows install, chances are that your Windows is now broken, because most infections are on system files. Use the Windows install DVD to repair the system.


You might consider not running Windows on bare metal, but rather in a Linux virtual container, because you can then snapshot your fresh Windows install before infections and restore it in seconds after removing later infections, instead of having to repair the system. It literally takes seconds to do this, because Linux uses what's called overlay files for this: most of the data in a Windows snapshot consists of zeros (for whatever unknown reason), so it's basically just taking huge amounts of storage space for no reason at all, and the snapshot function in Linux will reduce the size of those files automatically, using much less storage space, and because it's a smaller snapshot file, it will restore much faster. Also, Windows does run faster in a well-configured Linux virtual container than on bare metal. It has done so since about 2011, but in the last couple of months, Linux performance has risen to the point that Windows performance in a Linux virtual container is now visibly faster than running Windows on bare metal. So if you want to use Windows in a smart way, virtualize it instead of running it on bare metal; it's not only much safer, but also much more convenient and much faster.
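Steps 7 to 13 of the how-to above, done from the root terminal instead of the editor and the ClamTK GUI, as an added example that is not part of the original post. It assumes GNU sed (as on Fedora), that clamav and clamtk were installed as in step 6, and it works on a constructed miniature of freshclam.conf so it can be run and checked outside the live session; the scan step uses quarantine rather than delete so a false positive can be restored.

```shell
#!/bin/sh
# Added example (not from the original post): the config edits of steps 7-9 done
# non-interactively with sed, plus a logging scan for step 13. Assumes GNU sed
# and that clamav/clamtk were installed as in step 6.
set -eu

# Write a constructed miniature of the stock freshclam.conf, used only so this
# script can be run and checked without a live Fedora session.
make_sample_conf() {
    cat > "$1" <<'EOF'
## Example config file for freshclam (constructed sample, not the real file)
# Comment or remove the line below.
Example
# Uncomment the following line and replace XY with your country code.
# DatabaseMirror=db.XY.clamav.net
DatabaseMirror=database.clamav.net
EOF
}

# Step 8: comment out "Example" and enable the regional mirror for country $2.
configure_freshclam() {
    conf="$1"; cc="$2"
    sed -i 's/^\([Ee]xample\)$/# \1/' "$conf"
    sed -i "s/^# *DatabaseMirror=db\.XY\.clamav\.net/DatabaseMirror=db.${cc}.clamav.net/" "$conf"
}

# Returns 0 when the file is in the state step 8 asks for, 1 otherwise.
check_freshclam_conf() {
    conf="$1"; cc="$2"
    if grep -q '^[Ee]xample$' "$conf"; then return 1; fi
    grep -q "^DatabaseMirror=db\.${cc}\.clamav\.net$" "$conf"
}

# Step 13 from the terminal: scan a mount point recursively, quarantine rather
# than delete so a false positive can be restored, and keep a log to review.
# Skipped automatically when clamscan is not installed (e.g. outside the live CD).
scan_volume() {
    mountpoint="$1"; quarantine="$2"
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed"; return 0; }
    mkdir -p "$quarantine"
    clamscan -r --infected --move="$quarantine" --log="$quarantine/scan.log" "$mountpoint"
}

# Demonstration on the constructed sample (safe to run anywhere).
tmp=$(mktemp)
make_sample_conf "$tmp"
configure_freshclam "$tmp" US
check_freshclam_conf "$tmp" US && echo "freshclam.conf edits applied:" && cat "$tmp"
rm -f "$tmp"
```

On the live CD you would call `configure_freshclam /etc/freshclam.conf US`, then `freshclam`, then `scan_volume` on each mounted volume (the mount point path is whatever the desktop mounted it at).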

Or just use Hiren's Boot CD XD

Or you could just format and reinstall Windows :D

Just back everything up first before you do

You'll back up the malware along with it lol

I know, right? I really don't get it when people don't back up stuff they want to keep or that is important.

Anything I have that is important is instantly copied to an external hard drive and placed safely away.

It won't find a lot of real malware; it's just a collection of Windows software. The benefit of using Linux to repair Windows malware is that the malware can't influence the Linux system, it can't use stealth technologies, etc., whereas anti-malware programs in Windows hardly find anything; all anti-malware programs in Windows just suck.

Bit of a broad statement; I mean, sure, there are some pieces of malware that get through, but not all of them, and the level of "suck" is subjective in many cases.

Nope, commercial closed software's success is based on "ostrich policy": users feel safe because they don't see the real situation. Once you do a clamav scan of your Windows system, you'll be screaming for Linux to save your arse... so the above how-to is only for people who are not afraid of the truth; the others should just continue with their ostrich policy!

Well, I disagree with your opinion, but I won't argue about it.

From personal experience I can say that in the last 18+ years of backing up software and using a computer I've only ever encountered 2 or 3 pieces of malware that I had to format to remove because the anti-virus software available couldn't remove it. I've also never "backed up" a piece of malware.

I appreciate the guide. Is it possible to use a flash drive instead of a CD? I don't really have any CDs lying around. Also, how would this work if I'm using both an SSD and an HDD?

That would work. And if you have persistence, you wouldn't have to edit the configuration every time.

Out of Linux Live USB Installer and Universal USB Installer, which would you recommend for it? Or if you have another one that you know of that would be better.

I personally use RMprepUSB. I have six Linux installations on one drive.


In the past I used Lili (Linux Live). Worked fine. They all work the same, really.

Well, I usually use the Universal, but it screws up some installs, like my old Manjaro XFCE install.

It's better not to use a USB drive, because it can be written to, which is always dangerous when combating malware.

A CD or DVD is a WORM drive; it physically cannot be written to. Extra safety layer.

Well, yes. But then again, a Windows virus or malware can't copy itself in a Linux environment :P

I've only ever encountered 2 or 3 pieces of malware

Which means nothing. Good malware is invisible to the user and to anti-malware programs, so you could have a shitload of malware on the PC without ever noticing it.

Nothing preventing that.

If someone or something can execute code on your machine, it's already too late. Malware is already capable of copying itself into ROMs and firmware, which basically means that you have to take out the hardware, flash it (or somehow reset it) and then completely reinstall the system.

Anti-malware which is running on the system it should protect is doomed to fail by design. Anti-malware is just another program running on your OS which can be altered and manipulated by the malware and tricked into thinking that everything is fine. Another funny point is that anti-malware will only protect you against badly written malware, because the anti-malware program has to know the malware, which implies that the malware must have been discovered already. Anti-malware also tries to recognize malware by behavior patterns, which most of the time totally fails, but more importantly can also be tricked by the malware by just manipulating the anti-malware process.

So, yeah...

  • Anti-malware on the system it should protect is stupid and harmful
  • Anti-malware from a separate system can find some malware
  • Anti-malware will never be able to find all malware
  • You have to wipe all ROMs and firmware besides your storage to be absolutely sure that there is no malware left
  • The easiest solution is to prevent malware in the first place