Articles

Clean a Non-Bootable Windows with DrWeb Live CD


By: aaflac44
April 20, 2011

There may be a time when your Windows system is rendered non-bootable by malware, and it is impossible to load the system from a hard drive. However, you can restore the system with a bootable Dr.Web Live CD! It will clean the computer of infected and suspicious files, help copy important information to a removable data storage device or to another computer, and then attempt to cure infected objects.

DrWeb Live CD does have a Linux interface, however, you do not need to be a Linux expert to run it.

To create a DrWeb Live CD:

Step 1: Download the ISO and burn to a CD:
Dr.Web LiveCD ISO image needs to download to a computer that is not infected:
ISO Image Download: ftp://ftp.drweb.com/pub/drweb/livecd/
Select: DrWebLiveCD-X.X.X.iso (X.X.X. = the numbers for the current version)
Save to the Desktop

Make sure the CD burner program used burns ISO images to a CD!
Proceed with burning the ISO image.

Step 2: Use the ISO to prepare a bootable USB pen drive:
If the computer supports booting from a USB device, you can create a bootable USB pen/flash drive.

To do so, download the
Universal Netboot Installer (UNetbootin) to the Desktop: http://unetbootin.sourceforge.net/
Select the Download (for Windows) button, at the top
Use UNetbootin after downloading the ISO image for the Live/Rescue CD.

To run UNetbootin:

Step a. Double-click UNetbootin.exe

Step b. At the main window, tick: Disk Image

Step c. Next to Disk Image, select ISO from the drop menu

Step d. To the right, look for the […] box, browse to the location (Desktop) where you downloaded the ISO image, and select it.

Step e. To the right of Type, select: USB Drive

Step f. For Drive, make sure you select the correct letter (right-click Start > Explore, and check which letter represents the correct USB pen drive)

Step g. Click: OK

Step h. Follow the UNetbootin prompts until the installation completes.

Step i. Exit the UNetbootin program. 

Step 3: Prepare to boot from LiveCD or USB pen drive
Make sure the infected computer can boot from the CD, or from a USB pen drive.
When the computer starts, pay close attention to the initial screen for the key used to access the BIOS (Setup).
Some of the keys used to grant access to the BIOS set up menu are: F1, F2, F10 or DEL

If, for example, the key is F2, press the key until the BIOS screen shows up.
Go to the Boot tab, and make the appropriate changes to boot from CD or from a USB pen drive.
Save the changes!!
Before exiting the BIOS, insert the LiveCD or the USB pen drive in the appropriate drive or USB slot.
Exit the BIOS, and the computer starts.

The program loads...
On the first prompt with choices, select: Dr.Web LiveCD (Default)

The DrWeb Live CD is used to run the DrWeb Scanner, or, copy/save files with the file manager Midnight Commander.
Go to Step 10, if only using the scanner and not copying files!

Step 4: Identify Drives
If you need to copy files, the first thing to do is to detect the partition where your Windows data is located (source drive), and the USB pen drive where the files will be saved (destination drive).

Connect the destination USB pen drive to the infected computer.

At the Dr.Web green W screen, select: Terminal, or go to the Taskbar (bottom tray) and click on the Dr.Web green icon (far left), and select: Utility, and then, Terminal.

In Terminal, to detect the location of the source and destination drives, run the following command, at the [B]drweb ~ # [B]prompt, and press Enter:
fdisk -l (Use the letter L, in lower case)

You should get an output similar to the following example, but with information pertinent to your system:

root@drweb: ~

Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk Identifier: xxxxxxx

Device Boot Start End Blocks Id System
/dev/sda1 * HPFS/NTFS

Disk /dev/sdb: 4025 MB, xxxxxxxxxx bytes
xxx heads, xx sectors/track, xxxxxx cylinders
Units = cylinders of xxxx * xxx = xxxxxx bytes
Disk Identifier: xxxxxxx

Device Boot Start End Blocks Id System
/dev/sdb1 W95 FAT32

As shown on the image, the first disk, /dev/sda is 10.7 GB in size, and under System, it shows: HPFS/NTFS.
This is, more than likely, the partition in which Windows XP is installed.

The destination USB drive, in the example above, shows as /dev/sdb, its size is 4GB, and under system, it shows: W95 FAT 32.

For the Windows drive, use the following to identify it:
/dev/sda1

For the USB drive, use the following to identify it:
/dev/sdb1

You may have other drives, and they will show in this listing. Just make sure you identify the source and destination drives correctly, otherwise what follows will not work.

Step 5: Making Directories
To make the source (src) and destination (dst) directories, still using Terminal, enter these commands, one at a time, and press Enter after each:

mkdir /mnt/src
mkdir /mnt/dst

Step 6: Mounting Drives
Before your computer can use any kind of storage device (such as a hard drive, USB pen drive, etc.), you must make it accessible through the computer's file system. This process is called mounting. You can only access files on mounted media.

Still in Terminal, mount the Windows drive (/dev/sda1), and the USB drive (/dev/sdb1) by issuing the following commands, one at a time, and pressing Enter after each:

mount -t ntfs-3g /dev/sda1 /mnt/src
mount /dev/sdb1 /mnt/dst

Step 7: Access drives through Midnight Commander
Midnight Commander can be used to copy, move, or rename files and directories that you need to keep.

Open Midnight Commander.
The highlight bar should be somewhere in the left (source) pane.
At the bottom, you see:
drweb ~ #

Issue the following commands, first, to change directory, and second to view the actual contents of the Windows drive:

At the bottom drweb ~ #, issue the following command:
cd /mnt/src

At drweb ~ # src issue the following command:
ls -l (Using the letter L, in lower case)

Now, use the tab key to move to the right side pane of Midnight Commander
The highlight bar should be somewhere in the right (destination) pane

At the bottom drweb ~ #, issue the following command:
cd /mnt/dst

At drweb ~ # dst issue the following command:
ls -l

Step 8: Viewing and Copying Files
Now, use the tab key to move to the left side pane of Midnight Commander
The highlight bar should be somewhere in the left (source) pane

In the left pane, Midnight Commander shows the folders (i.e.: /Documents and Settings) of the Windows drive in white, and files (i.e.: *boot.ini) in green.

To see the contents of Documents and Settings, highlight the entry.
Go to File, on the top menu bar, and select: View, or press F3.

Continue highlighting and selecting View, or pressing F3, until you get to the file(s) you need to copy.

Once you reach the file you need to copy from the source panel, go to the bottom menu, and press Copy, or, press F5 to copy to the destination panel.
A copy prompt appears, select: OK

Do the above for every file you need to copy.

You can also select more than one file by pressing on the first file and then repeat for the next. This highlights the selected files in another color, and once you have selected all the files you want to copy, again press F5.

Step 9: Exit/Quit Midnight Commander
Once you get the files you need listed in the right pane, press F10, or press Quit.
Select Yes to quit Midnight Commander.

Step 10: Scan
Back at the Dr.Web green W screen, go to the Taskbar (bottom tray) and click on the Dr.Web green icon (far left), and select: DrWeb Scanner

At the main window of the scanner, place a check on the drive(s) to scan if not already identified.
Also make sure Select subdirectories is checked.

Press: Start

The process may take a while…

When done, under the File and Status area, a listing of entries is presented.

You can select the desired action for every entry on the list (Cure, or Delete).
You can also press: Select all, and then Cure, or Delete.

Use Cure as a first option.
If the entry cannot be cured, it will be noted.
The Cure action is not available for entries with a status of archive, container or mail file.

Step 11: Wrap up
When done, at the Dr.Web green W screen once again, go to the Taskbar (bottom tray) and click on the Dr.Web green icon (far left).
Select: Shutdown

When Press any key to shut down appears, remove the CD from the drive, and remove the destination USB pen drive.

Start the computer normally.


Need more help?
Describe your Problem
Example: Hard Drive Not Detected on My PC

Ask Question