Using Linux to Clean Up Windows Viruses and Malware

The following are the steps that I use to utilize Linux as a tool for cleaning up Windows viruses and malware for many of my customers.

ClamAV

You need to choose a distribution you like (not that hard, but make sure the distro has access to ClamAV and BitDefender).

Install the distro onto a USB External Hard Drive (USB3 is obviously the best option as it will run faster on systems that support it).

Installing a full version of Linux can be tricky at times depending on your chosen installation method.
I used Ubuntu 14.04 LTS, and in order to get the distro installed, utilized an old desktop.

  1. I disconnected all other drives from the desktop.
  2. I connected the 2.5 inch drive via SATA to the tower.
  3. I then started Ubuntu off of a live CD and installed to the 2.5 inch drive.
  4. After verifying that it would boot, I moved the 2.5 inch drive to an external USB enclosure.
  5. Any machine you want to fix in the manner described below must be set to boot from USB.
    a. In the case of legacy BIOS this is generally fairly simple.
    b. In the case of the newer UEFI, you’ll need a distro that can be booted in UEFI mode (Ubuntu 13.10 and on are capable of this).
  6. Once completed you’ll want to get / install ClamAV (this is a free / open source anti-virus software that runs on Linux).

ClamAV's signature database covers malware for multiple platforms, and most of its definitions are for Windows malware, which is exactly what you want here.

To install, run the following command in a terminal (on Ubuntu-based distros):
sudo apt-get install clamav

You’ll be prompted for your password for super user access.

Next you’ll want to get the latest virus and malware definition files for ClamAV. To do this, enter the command:
sudo freshclam

You need to find and mount the main Windows partition of the installed / infected disk.

To find the partition, run:
sudo fdisk -l
(That’s a lowercase L at the end.)

Once you find the partition(s) you need / want to scan, you’ll need to mount it (them), so create a directory called Windows in the /mnt directory.
cd /mnt
sudo mkdir Windows

Then you’ll mount the drive to the directory you just created. NOTE: you don’t have to do the mkdir step after the first time.
sudo mount -t ntfs -o nls=utf8,umask=0222 /dev/<drive from fdisk> /mnt/Windows

You’ll want to replace <drive from fdisk> with the actual device name you found in the fdisk step. Note that the mount options after -o are one comma-separated word with no spaces.

Now you’ll want to set a temporary location to store any infected files you find.
cd /tmp
sudo mkdir virus

Now you can give the command to scan with ClamAV and have it move any infected files to the /tmp/virus directory.

The nice thing about this is that on reboot, the directory is wiped out.
sudo clamscan -r --move=/tmp/virus /mnt/Windows

When complete, you can unmount the drive and mount another if you need to scan more than one.
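The mount, scan and unmount steps above, collected into a small POSIX shell script as an added example (not code from the original post). It assumes the post's /mnt/Windows and /tmp/virus paths, sudo access and an installed clamscan; clean_partition /dev/sdXN runs the whole sequence for one partition.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the mount / scan / unmount
# steps above in functions so they can be repeated per partition, and parses
# the clamscan summary. Assumes the post's paths and sudo access.
MOUNT_POINT=/mnt/Windows
QUARANTINE=/tmp/virus

# Accept only partition paths such as /dev/sda2 or /dev/nvme0n1p3, so a typo
# or stray path never reaches mount.
valid_device() {
    case "$1" in
        /dev/sd[a-z][0-9]*|/dev/nvme[0-9]n[0-9]p[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# The -o options must be one comma-separated word: a space after the comma
# makes mount misread its arguments.
mount_windows() {
    valid_device "$1" || { echo "refusing to mount '$1'" >&2; return 1; }
    sudo mkdir -p "$MOUNT_POINT"
    sudo mount -t ntfs -o nls=utf8,umask=0222 "$1" "$MOUNT_POINT"
}

# Recursive scan, moving detections to quarantine; full output saved to $1.
scan_windows() {
    sudo mkdir -p "$QUARANTINE"
    sudo clamscan -r --move="$QUARANTINE" "$MOUNT_POINT" | tee "$1"
}

# Read a clamscan report on stdin; print N from its "Infected files: N" line.
infected_count() { awk -F': *' '/^Infected files:/ { print $2 }'; }
unmount_windows() { sudo umount "$MOUNT_POINT"; }

# Mount, scan, unmount one partition; returns 1 if anything was found, so the
# caller knows to scan again as the post recommends.
clean_partition() {
    log=$(mktemp)
    mount_windows "$1" || return 2
    scan_windows "$log"
    found=$(infected_count < "$log")
    unmount_windows
    echo "$1: $found infected file(s) moved to $QUARANTINE"
    [ "$found" = 0 ]
}

# Constructed sample summary, in clamscan's format, to show what infected_count parses.
SAMPLE_SUMMARY='----------- SCAN SUMMARY -----------
Scanned files: 14120
Infected files: 2'
```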

BitDefender

To be thorough I like to use a second scanner, and have found on just about every occasion that it will find infected files that ClamAV does not, and vice-versa.

I use BitDefender as my second option. You can get it from their website at
http://www.bitdefender.com/business/antivirus-for-unices.com

On the left, look for a link that says Request Free License and go through the steps. They will send you a 1-year license.

Download the package, install, use the free license, then when complete, you’ll use the steps above up to mounting the Windows partition.

You’ll want to run BitDefender as a super user so that it can do the Quarantine, Delete of infected files, etc. for you. So in a terminal do:
gksu bdgui

This will start BitDefender in GUI mode as a super user.

Run an update through the GUI (sometimes they put out more than 1 update per day).

Scan the /mnt/Windows directory (mounted volume), and take action when complete. You must take action on items.

Repeat until nothing is found.

You can now reboot the machine into Windows and utilize native Windows tools for continued cleanup if needed.