
How to use ISO images of Linux to remove a Windows virus.

Every time I get asked to remove a virus from a panicked Windows user's computer, I think it will be the last. I continue to be wrong, and I see the same viruses appear over and over again on different computers. Since my days in PC boot camp, new technologies have changed the way I remedy a Windows virus. This is how I eradicate those stubborn viruses on today's Windows machines.

First, I Google the Windows virus message and write down the virus details and files associated with the virus.

Second, I insert a bootable Puppy Linux CD into the machine, power on and boot into Puppy. I then use the file manager in Puppy Linux to navigate the hard drive of the affected computer, locate the virus files and delete the offending files (from the notes I took above during my Google search). I remove the Puppy CD and reboot back into Windows. This works EVERY time.

To create a Puppy Linux CD you need to download an ISO image from the Puppy site and burn a bootable CD. If you run Ubuntu you will find this the easiest way to make a bootable CD: simply right-click the ISO image once it is on your hard drive and select the option to write it to CD. For creating a bootable CD in Windows you'll need to read your CD-burning software's instructions, as they all do it differently.

A bootable Puppy Linux CD allows me to mount the Windows drive under Unix, open a Unix-based file manager, and find and delete the virus executable files (.exe) identified in my Google research on the virus.

In my experience infected Windows computers ALWAYS have outdated virus software (AVG is good and free), have not received regular Windows updates from Microsoft and have Microsoft Defender either disabled or not installed. Those are the three keys to healthy Windows laptops and PCs: anti-virus (AVG is free), MS Updates (enable auto-update, it's free) and Microsoft Defender (free). After I delete the virus files it can take another 60-90 minutes to download and install all of the updates.

I realize that these instructions are geared for someone who has spent some time with different flavors of Unix, but with Puppy Linux you don't have to be a Linux genius. In fact, once you boot into Puppy you will notice it looks a lot like any Windows system you have ever used. I have had computer novices use Puppy to grab a web browser and balance their checkbook online during a lunch break.

As an IT professional I keep the Puppy Linux CD in a safe location so I always have it ready when the next panicked Windows user calls me because they are missing a deadline due to a virus that has crippled their computer.

To fix broken Windows use Unix. Puppy Linux (and Google) is all you need!

To be fair to the hard-working Linux distribution community, you can achieve the same results with any one of at least eight different Linux distributions. Click here for more cool Linux options and reviews.

And for the smallest of all Linux distributions, don't forget BasicLinux: the download is 2.8 MB and it runs on a 386 in 3 MB of RAM. That's what powers the OSULRC-1 with a touch screen, a Fujitsu Stylistic 1000, booting from a PCMCIA hard drive.
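The procedure above (boot a live CD, mount the Windows drive, find the files from your notes, remove them), written up as a bash script to run from the live CD. This is an added example, not the article author's code and not anything from the Puppy Linux project. It assumes the Windows partition is /dev/sda1, a mount point of /mnt/win, a quarantine directory of /root/quarantine and the ntfs-3g driver; all of those are assumptions. Two changes from the hand procedure: matches are hashed and moved into the quarantine directory with a manifest instead of being deleted, so a wrong guess from the Google research can be undone and the files kept for later analysis, and the mount handles the "read-only file system" case that comes up when Windows was hibernated and ntfs-3g refuses a writable mount.

```shell
#!/bin/bash
# Added example (not from the original article): a defender's version of the
# Puppy Linux clean-up. Mount the Windows volume read/write with ntfs-3g,
# look up the file names from the research notes case-insensitively, record a
# hash and timestamp of every match, and move it into quarantine rather than
# deleting it. Device, mount point and quarantine path are assumptions.
set -u

# Mount the Windows NTFS partition. A "read-only file system" error when
# deleting usually means the volume was mounted read-only: either by the old
# in-kernel ntfs driver, or because Windows was hibernated and ntfs-3g refused
# a writable mount. remove_hiberfile discards the hibernation image so the
# volume can be written (the suspended Windows session is lost, user data is not).
mount_windows_volume() {
    local dev="$1" mnt="$2"
    mkdir -p "$mnt"
    mount -t ntfs-3g -o remove_hiberfile "$dev" "$mnt"
}

# Locate candidate files by name under the mount point. NTFS is
# case-insensitive, so the spelling in the notes may not match the disk.
# Prints one absolute path per line.
find_suspects() {
    local root="$1"; shift
    local name
    for name in "$@"; do
        find "$root" -xdev -type f -iname "$name" 2>/dev/null
    done
}

# Move one file into quarantine, preserving its relative path, and append a
# manifest line (sha256, size, mtime, original path) for the incident record.
quarantine_file() {
    local root="$1" qdir="$2" path="$3"
    local rel=${path#"$root/"}
    local hash size mtime
    hash=$(sha256sum "$path" | cut -d' ' -f1)
    size=$(stat -c %s "$path")
    mtime=$(stat -c %y "$path")
    mkdir -p "$qdir/$(dirname "$rel")"
    mv "$path" "$qdir/$rel"
    printf '%s\t%s\t%s\t%s\n' "$hash" "$size" "$mtime" "$rel" >> "$qdir/MANIFEST.tsv"
}

# Whole procedure: suspect file names from the research notes, one per argument.
clean_volume() {
    local dev="$1" mnt="$2" qdir="$3"; shift 3
    mount_windows_volume "$dev" "$mnt"
    local f
    find_suspects "$mnt" "$@" | while IFS= read -r f; do
        quarantine_file "$mnt" "$qdir" "$f"
    done
    umount "$mnt"
}

# Only run when invoked with --run, so the functions can also be sourced.
# Example: ./clean.sh --run /dev/sda1 /mnt/win /root/quarantine virus.exe evilsvc.dll
if [ "${1:-}" = "--run" ]; then
    shift
    clean_volume "$@"
fi
```

The manifest gives you something to hand to whoever checks the machine afterwards, and restoring a file that turned out to be legitimate is a single `mv` back from the quarantine tree. Use `remove_hiberfile` knowingly: it throws away whatever the user had open when the machine hibernated, which is the trade-off for being able to write to the volume at all.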


Comments about this article
I try to convince them to
written by: lynne14 on 2010-04-29 15:32:55
I try to convince them to switch to Linux and save the computer
fix windows
written by: upchucky on 2010-05-02 09:28:33
Using the above-mentioned techniques, my favourite to fix Windows is Knoppix 5.3.1 liveboot; it has two partitioners, excellent hardware detection, and a comprehensive site for help.
I have rescued many Windows machines, and used it to convert engineers to make the switch to Linux.

I have seen partitioners fail and I have used the Knoppix partitioners to recover the partitioning operations right where the failure started.

I recommend Ubuntu as a great everyday operating system if the machine is relatively new, and suggest Puppy or other smaller-footprint versions depending on the machine and the desire of the client.

I let people know that Norton and Windows Defender are the two worst virus protections one can use. Defender misses about 30 percent, and Norton in the wrong hands can fry a hard drive.
AVG has now released a Linux liveboot CD to fix any machine that has been infected by any malware. It is very effective and free.
This may work for some infections...
written by: r0gue on 2010-05-04 21:17:28
...but it's ultimately naive to suggest it will work "EVERY time".

For starters you can only Google for a "Windows virus message" if you have a "Windows virus message", and I have to say I'm not entirely sure what you mean by "Windows virus message". Not all malware will advertise its presence with a message; in fact many pieces of malware (Trojans, keyloggers, rootkits, bots) will go out of their way to not alert the user to their presence, since it's simply not in their best interests for you to even know you are infected. This is why I laugh at Windows users who boast "Oh I never use antivirus and I've never had a problem".

What you are referring to would seem to be either malware that is found but not removed by the user's existing anti-malware product, or the category of malware known as "scareware" that pops up scary "you are infected" messages. You might have some joy with your technique in the latter case, but in neither case can you be certain you have found and removed everything. In fact, in the first case - where the existing AV has found something - you will almost certainly have something else nasty like a Trojan that put it on there in the first place, otherwise the existing AV would have stopped and removed it.

Secondly, you fail to mention NTFS alternate data streams. While these are technically readable with NTFS-3G under Linux, they won't be displayed by 'ls' or any of the Linux file managers, and none of the automated Linux malware scanners will find them either. I quote Klaus Knopper's far better article on removing malware from Windows systems using a Linux boot CD...

"While the ADS feature is supported and works well with the Linux implementations of FUSE-based NTFS, thus allowing backups and extraction of such files, none of the Linux-based Windows virus-scanners supports this feature so far, and viruses inside ADS files will most likely go unnoticed."

All it takes is one registry entry to reference a malware file in an alternate data stream and you are rooted again. That file could be ANY file on an NTFS partition, and all the googling in the world won't find it if the author selects that file at random (which, TBH, you would).

Also your AV advice is out of date. Recent AVG versions suck; I used to recommend it to my clients a couple of years back, but I had to stop, as soon as it went up to version 8 I started getting way too many complaints about slowdowns, instability and popups bugging them to upgrade to the paid version. There's really no need to use AVG or any other demo AVS anymore since Microsoft have released Microsoft Security Essentials; having it never expire more than makes up for the fractionally lower detection rate. Bear in mind that the very best AVS is 99.9% effective, so 1 in every thousand times it will fail. How many web pages do you surf across per month? People must be made to understand signature-based AVS is a safety net at best; it's far more important to stay fully patched and wherever possible avoid executing arbitrary JavaScript!

So anyway, in summary, there is nothing wrong with using linux to help clean up an infected Windows system other than...

1) You can NEVER be certain you have got everything, the only real way to be sure being to fully reinstall Windows and be very careful what files you put back on there once you have.

2) Claiming the above method works "EVERY time" is far too bold, your technique can only remove the infections you know you have got which is necessarily limited to the ones which both make themselves fairly obvious and have detailed information concerning them available online.

If you can't or won't reinstall infected systems at least make sure you do the following in addition to the routine you describe above...

1) Delete every user's 'temp' and 'temporary internet files' folders
2) Delete hiberfile.sys
3) Delete the Windows prefetch folder
4) Carefully scrutinize anything recently added to the Windows and System32 folders
5) Boot back into Windows in safe mode and run Combofix
6) Run Malwarebytes
7) Update and run MRT

Sorry to be so harsh but I run a computer repair business for a living and the contemporary malware situation simply isn't as simple as you make out in your article.
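Following r0gue's point about alternate data streams, here is an added example (not r0gue's code and not Klaus Knopper's) of how to at least enumerate them from a Linux rescue boot. It assumes the Windows volume is mounted with ntfs-3g in its default streams_interface=xattr mode, under which each named stream of a file shows up as a user.<name> extended attribute, so getfattr lists what ls and the file managers will not. The mount point /mnt/win and the sample getfattr output are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the comment above or from Klaus Knopper's article):
# enumerate NTFS alternate data streams from a Linux boot. With ntfs-3g's
# default streams_interface=xattr mount mode, each named stream of a file is
# exposed as an extended attribute in the "user." namespace, so getfattr can
# list them even though ls cannot. Mount point and sample output are assumptions.
set -u

# List stream names (not contents) for every file under the mount point.
# getfattr prints "# file: <path>" followed by one attribute name per line,
# and omits files that have no matching attributes at all.
list_streams() {
    local root="$1"
    getfattr -R -m '^user\.' --absolute-names "$root" 2>/dev/null
}

# Parse getfattr output on stdin and print "<path>\t<stream>" for each named
# stream worth a look. Zone.Identifier is the browser "mark of the web" that
# every downloaded file carries, so it is skipped: on its own it is not a
# sign of infection, whereas any other named stream on a user or system file
# is unusual and deserves inspection.
report_streams() {
    awk '
        /^# file: / { path = substr($0, 9); next }
        /^user\./ {
            name = substr($0, 6)
            if (name == "Zone.Identifier") next
            printf "%s\t%s\n", path, name
        }
    '
}

# Full scan of a mounted volume: list, then filter.
scan_volume() {
    list_streams "$1" | report_streams
}

# Constructed sample in the shape getfattr produces, so the parser can be
# exercised without an NTFS volume to hand. Only calc.exe carries a stream
# other than the mark of the web.
SAMPLE_GETFATTR_OUTPUT='# file: /mnt/win/Users/alice/Downloads/invoice.pdf
user.Zone.Identifier

# file: /mnt/win/Windows/System32/calc.exe
user.Zone.Identifier
user.update
'

# Example invocation against the real mount: scan_volume /mnt/win
# Against the constructed sample:
#   printf '%s' "$SAMPLE_GETFATTR_OUTPUT" | report_streams
```

Once a stream is found, `getfattr -n user.<name> --only-values <file> > stream.bin` writes its contents out as an ordinary file that can be hashed or handed to the scanner, which is how you get around the limitation Knopper describes: the scanner never looks inside the stream, but it will happily scan a copy of it.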

Thanks for your reply
written by: gregrank on 2010-05-06 08:37:31

Thanks for your reply.

Your information about NTFS is correct, it won't be detected by most Unix builds. If the user is lucky the manufacturer will have a "System restore" feature that can recover XP (Vista or other, takes about 30 minutes) to a previous state and allow an upgrade. I ran across this issue just this week. Until this week, the above article was true for me :)

You are correct that AVG scanning is slow; however, a user can easily modify when scanning takes place (early or late, or when one is away from the computer) to minimize this inconvenience.

And I don't feel like you are being harsh. You are right, I never said it was simple. In fact once you get a bootable Windows machine back up, I did say it takes 90 minutes to install all the crap that is required to repair a hard drive.

I have not had the same positive experience you have had with Malwarebytes, in fact many of the machines I see already have that software installed and still the machine is DOA.

I'll make a note of Microsoft Security Essentials and add it to my bag of tricks.

That said, I have good luck with the process that I published here and I do appreciate your feedback as you are adding to the common body of knowledge by making this post.

As this is a Linux forum, I think it is great to see how complex it is to maintain and repair Windows. And Linux is complex too, to be fair, especially for a newbie.

What would work every time is just leaving a bootable Linux ISO in a PC and continuing to work in Linux and ignoring Windows completely. Over a decade managing Linux servers and desktops, never one malware or virus incident! That is true.

Avira AntiVir Rescue System
written by: regine on 2010-05-11 06:48:17
RE: Avira AntiVir Rescue System
written by: gregrank on 2010-05-12 20:05:28
Thanks for posting this. I love it and will check it out

RE: Avira AntiVir Rescue System
written by: gregrank on 2010-05-16 13:57:42
I give this product 4 out of 5 stars:

Created boot disk with just three clicks (using windows)
Boots to linux AND supports NTFS
Scans the hard drive and creates a log file, with the option to autofix as it scans
Writes to a log file for easy understanding of findings
Works in English and German
Next time you are in Braunschweig please stop into the flower shop at the link below, pick up some flowers for a loved one and say hi to Marion from Greg:
Another thing to mention
written by: dokma on 2010-05-19 05:10:41
For the user who is in such a situation I would also leave them a bootable live CD of a Linux distro that could save them the next time their Windows machine coughs due to viruses. It can be used, for example, to finish those Word documents or to surf the internet and finish your work that way. In any case it is good to leave these Windows users a way to taste how good Linux really is.

the same. ALMOST! :)
written by: kpbotbot on 2010-06-15 17:52:46
I do the exact same thing, although the method I use in hunting down the virus files is rather different. I use Avira's Rescue CD. I keep it as updated as I can before I start scanning for viruses. I list the detected virus files, and delete them after rebooting to a PCLinuxOS live CD.

See. Exactly the same :D

Though I do not do the Google part, because it's harder for a lot of reasons, including the fact that there are a lot of virus variants that look rather the same.

Last note is that I just make sure that I was able to delete the "master virus file", the one with (or the ones with) an autorun entry. Most of the time, these files are in drive roots and Windows installation folders. MOST OF THE TIME :DD

Thanks
written by: Bicetti on 2010-07-08 10:19:59
I'm a new user of Linux (at home I have Mandriva 2010) but at work we use Windows. Now, after reading your article I've created the CD with Puppy, just in case. And voilà, a colleague of mine catches a virus, ihd.exe. A quick Google about the virus and then... go Puppy! 2 minutes and the PC's disinfected.
Thanks for your article.
Help me please- can't delete files in Puppy
written by: Ren38 on 2010-08-20 10:25:36
I have something- a virus, I guess- every time I start the computer I get this:

"windows has encountered a critical problem and will restart automatically in one minute. please save your work now."

The computer restarts and the same thing happens over and over. So on another forum I was told to use Avast to find the rootkit (whatever that is) so I ran it and there was one file it quarantined but could not delete, so I guess this is the rootkit? It was C:\Windows\System32\drivers\mazap.sys.

And then I downloaded Puppy Linux and made the cd, and when I rebooted with PL and found this file, I was not able to right click and delete the file as I was told. When I try to delete I get: "error: read-only file system." What can I do now?

Please help me! :D
RE: Help me please- can't delete files in Puppy
written by: gregrank on 2010-08-26 17:40:21
Well it's been six days so I hope you have solved your problem. I am the author of the original post.

Not sure if you can right-click on the file and change the setting to read/write/execute or whatever. If not, I would recommend trying to boot successfully into safe mode (F8 key when Windows reboots). If you can successfully boot into safe mode (with networking), try downloading Malwarebytes, the free version, and run a scan. If you get this far you will certainly be able to delete the virus/malware.

I am pleased with all of the comments to this post and its popularity, though as a working professional I don't check this post every day, nor do I provide the type of support you need here. Sorry about your problems with Windows. As Roger says above, keep Security Essentials running and Malwarebytes on your system. Run weekly scans at least with Malwarebytes. This should keep you going (or install the latest version of Ubuntu and learn to use Linux). It may run on less than 1% of all PCs, but it rocks, and viruses and malware don't affect me (ever).

Good luck
security virus
written by: gregrank on 2010-08-26 17:44:36
The "Security Virus" was the inspiration for this original post. I saw this virus on half a dozen or so PCs and was able to restore Windows to a working state with Puppy Linux and Google.

Roger's notes above are very good advice to follow for Windows users.

Every chance I get I talk people into Ubuntu or Linux with Open Office. I feel sorry for people and companies and all the money spent fighting malware and viruses. What a waste of time. Ubuntu comes with a program named "Wine" which will run some (not all) Windows programs if you have them.
If iTunes ever gets ported to Ubuntu then there will be very little use for Windows (except for the SharePoint stack people).

Coming full circle
written by: gregrank on 2010-10-10 13:39:04
Puppy Linux and Google helped me repair a broken XP machine afflicted with the "Fake Microsoft Security Essentials Virus". Malwarebytes would not clean the Trojan from the computer, but Google and Puppy Linux helped me find it and delete it. Puppy Linux 5.1 now mounts NTFS.
Windows Defender Virus - Another PuppyLinux Rescue
written by: gregrank on 2011-05-24 15:49:21
Removing Windows Defender Virus from a Windows Computer:

This little gem of a virus hides all user folders and Programs (and edits your registry), causing one to think all of your data is gone.

Watch this video to help find virus files and registry edits to remove this virus:

Once you locate all of the files from the virus (second half of the above video), boot off the latest ISO of Puppy Linux to find and delete the hidden virus files from their location on your computer. Download and run unhide.exe to reset all folders and programs from hidden to visible.

To make desktop icons reappear:

Type regedit or regedit.exe into the dialog box. Press Enter or click OK.

Navigate through HKEY_CURRENT_USER, Software, Microsoft, Windows, CurrentVersion and Policies. Click Explorer. Double-click the value NoDesktop from the right pane.

Change the value to 0. Click OK and reboot.

Windblows needs a condom, I use: Malwarebytes.
