Using bartPE for Virus Removal

Posted on 2009-03-31
Medium Priority
Last Modified: 2013-11-22
I am thinking about learning how to use bartPE for virus removals of customers' machines. I could jump right in and start learning but I wanted to understand the concepts a little better and save some learning curve time.

1) Do I create the bartPE disk based on the OS that I will be working on? In other words, if a customer's machine is XP Home, will I eventually have a different bartPE CD for it and one for XP Pro?

2) Plugins: I'm a little confused about these. Are these needed for my favorite version of a virus scanner, or are these mainly hardware related?

3) What are the "must have" plugins that you almost always include?

4) Concept, concept, concept... the more you can tell me about the concept of using bartPE (especially in a virus/spyware removal environment), the more helpful it will be.

Thanks in advance!
Question by:AnselAdams

Accepted Solution

Joseph Daly earned 2000 total points
ID: 24028240
1. No, you can use any version of XP. It will boot to the PE environment, which is independent of the user's machine.
2. Plugins can be any number of different programs that do not come natively on the CD.
3. I mainly use BartPE for manually deleting files that are locked by viruses when Windows is running. For my use I mainly just use the explorer and delete the file.
4. As I said above, I will usually run my default virus scan software either under regular Windows or safe mode. Whatever isn't caught or able to be removed there, I then fire up BartPE and manually delete. This is very good for DLLs or EXEs that have some sort of protection on them. Since BartPE only reads the disk, there is nothing that can lock the files.

Author Comment

ID: 24028797
Wow... thanks for the fast reply!

I'm still a little puzzled about the plugins. I see there is one for Avast. So I take it that I need to install the plugin to run Avast, right? It doesn't specify any particular version, but I've seen one for AVG that targets an older AVG version.

The real question that I have at this time is:

Does this work any better than pulling the hard drive and scanning it with another computer? I can see the advantage of not pulling the hard drive, but almost always I pull off the case to blow out the dust and it's not much of a step to pull the hard drive.

My first focus is pulling the hard drive, backing it up, then working from there. I use Acronis as my backup tool. I've had problems installing it with highly infected computers so I typically pull the hard drive during the dust cleaning and use my work computer to backup and do the initial scanning.

Expert Comment

by:Joseph Daly
ID: 24029182
The only real benefit I can see to using the boot CD rather than doing it your way is the time saved while pulling and attaching to another machine. If you are used to doing it and don't mind, then I would stick with what works for you. That said, I usually keep a copy of the CD in my laptop bag because you never know when you're gonna need it and you might not have another machine to slave into.

I think as far as the scanning/cleaning, both methods should work almost identically. In both situations the drive is only being read; there is no OS or EXE attempting to lock certain files.

Pulling an image with Acronis is a good idea, just in case the disinfection causes some unintended system failure. That said, there are plugins for BartPE that utilize the DriveImage XML program. This could be useful in situations like you mention where Acronis won't install correctly.

I can't really give you a definite answer as to which is the better option for you, as they both have their benefits. I would suggest setting yourself up a BartPE disk just to have it as another option in your cleaning efforts.
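The two comments above describe manually deleting locked files from an offline boot environment and taking a backup first in case the cleanup breaks something. As an added illustration (not code from this thread or from BartPE, and written in Python rather than anything the PE environment ships), here is a tool-agnostic quarantine step: instead of deleting files outright from the mounted, offline volume, it moves each file from a constructed list into a quarantine folder with its SHA-256 and origin path recorded, so the change can be reversed if the system stops booting. The volume root, file list and quarantine location are assumed inputs; the demo builds a throwaway volume in a temp directory.

```python
import hashlib
import json
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(volume_root, rel_paths, quarantine_dir):
    """Move each listed file off the offline volume into quarantine_dir and
    write a manifest (origin path, hash, stored name) so restore() can undo it."""
    os.makedirs(quarantine_dir, exist_ok=True)
    manifest = []
    for i, rel in enumerate(rel_paths):
        src = os.path.join(volume_root, rel)
        if not os.path.isfile(src):  # scanner report may name files already gone
            manifest.append({"path": rel, "status": "missing"})
            continue
        digest = sha256_of(src)
        stored = os.path.join(quarantine_dir, f"{i:03d}_{digest[:16]}.quarantined")
        shutil.move(src, stored)  # move, not delete: nothing is lost yet
        manifest.append({"path": rel, "sha256": digest, "stored_as": stored,
                         "status": "quarantined"})
    with open(os.path.join(quarantine_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def restore(volume_root, quarantine_dir):
    """Put every quarantined file back where it came from; returns the count."""
    with open(os.path.join(quarantine_dir, "manifest.json")) as f:
        manifest = json.load(f)
    restored = 0
    for entry in manifest:
        if entry["status"] != "quarantined":
            continue
        dest = os.path.join(volume_root, entry["path"])
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.move(entry["stored_as"], dest)
        restored += 1
    return restored


def demo():
    """Constructed sample: a fake mounted volume with one suspect file and one
    path that does not exist, as a scanner report might list after a safe-mode run."""
    base = tempfile.mkdtemp()
    vol, q = os.path.join(base, "vol"), os.path.join(base, "quarantine")
    os.makedirs(os.path.join(vol, "WINDOWS", "system32"))
    with open(os.path.join(vol, "WINDOWS", "system32", "bad.dll"), "wb") as f:
        f.write(b"MZ constructed sample, not real malware")
    report = ["WINDOWS/system32/bad.dll", "WINDOWS/gone.exe"]
    manifest = quarantine(vol, report, q)
    gone_after = not os.path.exists(os.path.join(vol, "WINDOWS", "system32", "bad.dll"))
    restored = restore(vol, q)
    back = os.path.exists(os.path.join(vol, "WINDOWS", "system32", "bad.dll"))
    shutil.rmtree(base)
    return manifest, gone_after, restored, back
```

Run the quarantine from the PE environment against the mounted drive letter, boot the machine, and only empty the quarantine folder once it boots cleanly.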
LVL 27

Expert Comment

by:Asta Cu
ID: 24042925
Good general overview with detail and links here:  http://en.wikipedia.org/wiki/Bartpe

Expert Comment

ID: 24048167
Outdated antivirus won't be effective.

And run the "FULL SERVICE SCAN"; it will clean up and speed up your computer. If it won't run, then:
You may have been infected with Worm:Win32/Conficker.B.
To protect from Conficker, apply an emergency patch that Microsoft issued in October, ahead of Conficker's arrival, for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there.
Ways to detect and clean a system that has the Win32/Conficker.B worm
If on a network, I recommend disabling the "Password Lockout" policy for the time being, until you are sure the infection has been contained and cleaned in your network.
Also see:
Bit Defender:
This is  free:
(Regards from Michael Best, a Kiwi in Tokyo: I troubleshoot both English OS and Japanese OS.)