A few days ago I had to deal with a virus that was very hard to remove. The best and easiest way to remove such a virus is to use an antivirus rescue CD. When you boot the computer from a rescue CD, which is usually a Linux live CD, Windows is not loaded and the virus is inactive, which makes it much easier for the antivirus to detect and clean it. I have encountered viruses that corrupt Windows so badly that you can’t even boot into Safe Mode, you cannot install any antivirus because the virus terminates the installer, and you can’t pinpoint where the virus has been added to the Windows startup locations because it has replaced one of the legitimate Windows system files.

Normally my first choice is the Kaspersky Rescue CD, but I had problems downloading it because my download speed was very slow: it got halfway and then timed out. Moreover, it had been 2 months since the Kaspersky Rescue CD was last updated and I didn’t want to spend more time downloading the virus definitions. I like Quick Heal Native Boot Scan as well, but I didn’t want it to auto-fix the suspicious files it finds, and there is no way to configure it. Finally came Avira, which is also one of my favorites. The Rescue CD ISO image file is only 53MB in size and took only 7 minutes to download. The boot CD was last updated a few days ago, so I knew I wouldn’t have to spend a lot of time updating the virus definitions. When I booted my Acer laptop with Avira AntiVir Rescue System, everything seemed fine and I was presented with a simple-looking graphical user interface. But when I clicked on any of the options such as “Remove infected files”, “Try to repair infected files” or “Rename Files, if they cannot be removed”, the whole system hung and there was no response at all.
Sadly this is a bug that affects most laptops such as Acer, Dell and HP. If you encounter this problem, here is how you can continue using Avira AntiVir Rescue System without relying on the GUI.
Boot the Avira AntiVir Rescue System as normal. Then press 1 and hit Enter; it should start loading vmlinuz and initrd.gz.

When the graphical user interface is fully loaded, simultaneously press Ctrl+Alt+Backspace.

That will bring you to a black console screen that looks like DOS. Before you start typing anything, be aware that the console uses the German keyboard layout. For example, when you press the – key on your keyboard, you’ll notice that it comes out as ß. Refer to the image below to see which key to press to get each character.

First we need to update the virus definitions to the latest version. To do that, type the following command. Note that there are TWO dashes.
antivir --update
To start a full scan, type the command below. In Linux, everything is case sensitive, so Devices must have a capital D. The command scans everything on your hda1 including subdirectories (-s), tries to repair infected files (-e) and renames the non-repairable files by adding a .xxx extension (-ren). You can also substitute -del for -ren to delete the non-repairable files automatically.
antivir -s -e -ren /media/Devices/hda1
When Avira AntiVir Rescue System has finished scanning, you should be able to boot into Windows. You can then search in Windows for *.xxx files; these are the files that Avira could not repair. You can get a list of the command-line options by typing antivir --help, but you won’t be able to scroll up to see all of them, so here are all the options for your convenience.
Usage is: antivir [options] [path[\*.ext]] [*.ext]
where options are:
--help .......... display this help text (abbreviation: -h or -?)
--scan-mode=applies "extlist", "smart" or "all" scan methods:
extlist scans files according to their filename extension,
smart detects which files to scan from their name/content,
all scans all files regardless of their name or content
--allfiles ...... synonymous for --scan-mode=all
--version ....... show version information
--info .......... show list of recognized forms
--update ........ update antivir
--check ......... used with --update to check for updates
--temp=(dir) .... specify the directory for temporary files
--pid-dir=(dir) . specify the directory for PID files
--home-dir=(dir) location of executable, VDF and key files
-C (filename) ... name of configuration file
-s .............. scan subdirectories
--scan-in-archive files in archives will be extracted and scanned
-z .............. synonymous for --scan-in-archive (scan in archives, too)
--archive-max-size=N, --archive-max-recursion=N, --archive-max-ratio=N
anti DoS feature: do not scan archive content which would
exceed the given file size, nesting level or compression
factor limits on extraction (0 means unlimited)
--archive-max-count=N anti DoS feature: do not scan archive content which
has more than N files in a recursion level
--scan-in-mbox .. scan mailbox folders, too (might be time consuming!)
--heur-macro .... enable macro heuristics
--heur-nomacro .. disable macro heuristics
--heur-level=N .. setup heuristics level: 0=off, 1-3=low-high
-nolnk .......... do not follow symbolic links
-onefs .......... do not cross file systems while following links
-noboot ......... do not check any boot records
-nombr .......... do not check any master boot records
-nobreak ........ disable Ctl-C and Ctrl-Break
-nodef ......... do only check the given file types (eg. *.DOC)
-cf(filename) ... activate CRC check and name the database
-cv ............. calculate CRC over the whole file length (default 16k)
-cn ............. insert new files into the database
-cu ............. recalculate CRC values and update the database
-v .............. scan files completely (slower with possible false alerts)
-nopack ......... do not scan inside packed files
-e [-del | -ren] repair concerning files if possible
[-del] non-repairable files will be deleted
[-ren] non-repairable files will be renamed
-ren ............ rename concerning files (*.COM->*.XXX,...)
-del ............ delete concerning files
--moveto=(dir) .. quarantine concerning files
-dmdel .......... delete documents containing suspicious macros
-dmdas .......... delete all macros if one appears to be suspicious
-dmse ........... set exit code to 101 if any macro was found
-r1 ............. just log infections and warnings
-r2 ............. log all scanned paths in addition
-r3 ............. log all scanned files
-r4 ............. select verbose log mode
-rs ............. select single-line alert messages
-rf(filename) ... name of log file
%d = day, %m = month, %y = year (two digits each)
-ra ............. append new log data to existing file
-ro ............. overwrite existing log file
-q .............. quiet mode
-lang[:|=]DE .... use German texts
-lang[:|=]EN .... use English texts
-once ........... run only once a day
-if(dateiname) .. antivir uses the given ini file
--with-(type) ... detect other (non-virus but unwanted) software, too;
type may be e.g. "dial", "joke", "game", etc,
there is a --with-alltypes shortcut
--without-(type) like --with-(type), but disables this type
--alltypes ...... synonymous for --with-alltypes (obsolete)
--alert-urls=(yes|no) print URL for more detailed information on alerts
--warnings-as-alerts exit with a return code as if a concerning file
had been found when warnings have been issued
--exclude=(file) exclude files or directories from scan
--log-email=(addr) send out scan report by email, too
@(rspfile) ...... read parameters from the file (rspfile)
with each option in a separate line
list of return codes:
0: Normal program termination, nothing found, no error
1: Found concerning file or boot sector
2: An alert was found in memory
3: Suspicious file found
100: antivir only has displayed this help text
101: A macro was found in a document file
102: The option -once was given and antivir already ran today
200: Program aborted, not enough memory available
201: The given response file could not be found
202: Within a response file another @(rsp) directive was found
203: Invalid option
204: Invalid (non-existent) directory given at command line
205: The log file could not be created
210: antivir could not find a necessary dll file
211: Programm aborted, because the self check failed
212: The file antivir.vdf could not be read
213: An error occured during initialization
214: License key not found
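As an added example, not part of the original post and not Avira’s own tooling, here is a small POSIX shell wrapper around the commands above. It assumes antivir is on the PATH in the rescue console and that the Windows partition’s mount point is passed as the first argument (the post uses /media/Devices/hda1; readers in the comments below report /mnt/ or sda1 on their systems). The option spellings (-s, -e, -ren, -r1, -rf attached directly to the filename) and the exit code meanings are taken from the antivir --help output reproduced above; the function names and the log file paths under /tmp are the example’s own. It runs a detect-only pass first, so the log can be reviewed before anything on the disk is renamed, and after a repair pass it lists the files that were renamed to .xxx.

```shell
#!/bin/sh
# Added example, not code from the original post or from Avira. A wrapper
# around the antivir command-line scanner. Assumptions: the rescue console
# shell is POSIX sh, antivir is on PATH, and the Windows partition is mounted
# at the path given as the first argument (the post uses /media/Devices/hda1).
# Option spellings and exit codes follow the "antivir --help" list above.

# Map an antivir exit code to a short description, following the "list of
# return codes" in the help text: 0-3 and 101 are scan results, 100 and 102
# are program conditions, 200-214 are program errors.
antivir_exit_meaning() {
    case "$1" in
        0)   echo "clean: nothing found, no error" ;;
        1)   echo "found concerning file or boot sector" ;;
        2)   echo "an alert was found in memory" ;;
        3)   echo "suspicious file found" ;;
        100) echo "help text displayed only" ;;
        101) echo "a macro was found in a document file" ;;
        102) echo "-once was given and antivir already ran today" ;;
        2[0-9][0-9]) echo "program error $1 (see the return code list)" ;;
        *)   echo "unknown exit code $1" ;;
    esac
}

# Exit codes 1, 2, 3 and 101 mean "something was detected". They are results,
# not failures, so the wrapper captures them instead of aborting (a plain
# 'set -e' would stop the script as soon as the scanner found anything).
antivir_detected_something() {
    case "$1" in
        1|2|3|101) return 0 ;;
        *)         return 1 ;;
    esac
}

# List files that a -ren pass renamed by adding the marker extension
# (the post writes .xxx, the help text *.XXX, so match either case).
list_renamed_files() {
    find "$1" -type f -name '*.[xX][xX][xX]' 2>/dev/null | sort
}

# Run one scan of mount point $1, logging infections and warnings (-r1) to
# log file $2. Mode $3 is "detect" (scan only) or "repair" (-e -ren, the
# post's command). Returns antivir's own exit code.
run_antivir_scan() {
    mount_point=$1
    log_file=$2
    mode=$3
    if [ "$mode" = "repair" ]; then
        antivir -s -e -ren "-rf$log_file" -r1 "$mount_point"
    else
        antivir -s "-rf$log_file" -r1 "$mount_point"
    fi
    rc=$?
    echo "antivir exit code $rc: $(antivir_exit_meaning "$rc")"
    return "$rc"
}

# Script entry point: update definitions, then run the requested pass.
# Only runs when a mount point is given and antivir is actually installed,
# so the functions above can be sourced and tested on an ordinary PC.
mode=${2:-detect}
if [ -n "${1:-}" ] && command -v antivir >/dev/null 2>&1; then
    antivir --update
    run_antivir_scan "$1" "/tmp/antivir-$mode.log" "$mode"
    rc=$?
    if [ "$mode" = "detect" ] && antivir_detected_something "$rc"; then
        echo "Review /tmp/antivir-detect.log, then rerun with 'repair' as the second argument."
    elif [ "$mode" = "repair" ]; then
        echo "Files renamed to .xxx (non-repairable):"
        list_renamed_files "$1"
    fi
fi
```

Usage at the rescue console: sh scan.sh /media/Devices/hda1 for the detect-only pass, then sh scan.sh /media/Devices/hda1 repair once the log has been reviewed. The log lands wherever -rf points; /tmp on a live CD normally lives in RAM and is gone after a reboot, so point it at the mounted Windows partition if the report should survive. The script still has to be typed through the German layout described above; if the rescue system ships the standard Linux loadkeys tool (an assumption, not verified on this CD), loadkeys us would switch the console to the US layout first.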
[ Download Avira AntiVir Rescue System ]
The problem with Ctrl-Alt-Backspace is that when the graphical user interface fails, typically you just get a blank screen and have no idea if it is running at all. Is there a way to just boot to the command line in the first place?
I think you guys should check out opswat.com; there are 2 or 3 products that may be a match. I think that OESIS Framework at opswat.com/products/oesis-framework provides a single interface to many antivirus packages. Another option is, I think, Metascan at opswat.com/products/metascan which is more for ISVs.
I hope this helps.
Regards,
Wow, this is fantastic. I work on a lot of Acer laptops and was chasing bugs for days until I finally gave up, backed up the pictures and other valuables and wiped the machines back to factory via recovery discs. This is a much better alternative… THANK YOU!!!!!!!!! Also need to send a thanks out to the entire AVIRA team.
I was so happy to find your article! I am trying to find the log file. I have searched all the directories on the ramdisk but can’t find it, nor do I see one created on the hard disk. The scan completes successfully. Is there a switch I need to use to instruct Antivir Rescue System to create a log file on the ramdisk or hard disk? Thanks so much!
I had used the Avira rescue disk with the option to rename files and noticed the addition of the .xxx extension, but now my system cannot boot past the Windows logon and I’m stuck. Please, how can I revert this process? I just want those .xxx out.
Thanks
My friend’s laptop once got infected with a crazy virus that uses a GRUB bootable image to boot up. It changed every file in Windows; when logging in I got a black screen for a while, then a stupid sound instead of the Windows login sound, and Chinese words came out, and this Avira scan found nothing -.-’ I think some hacker knows how to make a new generation of virus that uses GRUB with another boot image to start… AV companies, please find the virus -.-’
Those who still have a problem with the above code, or if it doesn’t work, can try:
antivir -s -ren /mnt/
and it works (like in my case)
better we like to protect with u
very very useful commands.
Since I can’t get a response from you about my computer problem, I can only determine that the Antivir Rescue Disk destroyed my laptop. From what I have researched there was hope for repair of the log in / log off problem… I haven’t been able to find any help for what my computer is doing since using this disk… you should have posted a warning..
I ran the Antivir rescue disk and it found 3 trojans on my laptop… now Windows won’t load at all… what do I need to do?
newbiesblogger, try this command instead:
antivir -s -ren /mnt/
No need to specify media/Devices, I don’t think; it worked for me!
Note that you maybe have to experiment with the number in this part of the command:
hda1
to find the right partition. Try different values like 0 and 2.
I am an Avira user. Now I know what to do when it happens to me.
Nice article Ray..
I want to know if it is possible to make a “USB flash drive Antivirus Rescue System”, just like the flash drives used for installing Windows, because USB drives are far more portable, easier to carry and can be used on any system. If it is, then please tell me how to go about it.
thanks.
Dear Raymond,
This article is very timely, as I have 2 computers infected with a virus on my desk for repair right now with the same problem you mentioned. What worries me now is that even this Avira antivirus program is not capable because
Hmm, I’m not a Linux user and I hate it when it comes to writing something using code or commands, but when I try to execute –> antivir -s -e -ren /media/Devices/hda1 the command errors.. huhu, pain in my head… Is it the correct command line.. hmm, hda1 or sda1????
Very useful entry again. I want to use it.
Dear Raymond,
The Kaspersky Rescue CD download speed is good. I downloaded it through the link from Kaspersky 2010 Internet Security. And there is an option to update it any time from our antivirus database; the rescue CD updater automatically detects the rescue ISO image on our local drives.
thanks, Ray! :D
Thank you Raymond
another great trick from you
Nice post. Excellent, dude….
this is really good info. Thx Ray
Interesting article Raymond!
Another excellent article, Ray. Thanks a lot. Will surely give it a try.
Thanks this will come in handy!!
Linux is just the best operating system
If only more games ran on Linux :(
Thank you Raymond, very helpful, even though it is not easy for me to understand all those commands. I will just copy all the commands above to Word in case I need them later, I hope you allow me, thank you :)