Using bartPE for Virus Removal

Posted on 2009-03-31
Last Modified: 2013-11-22
I am thinking about learning how to use bartPE for virus removals of customers' machines. I could jump right in and start learning but I wanted to understand the concepts a little better and save some learning curve time.

1) Do I create the bartPE disk based on the OS that I will be working on... iow, if a customer's machine is XP-Home, will I eventually have a different bartPE CD for it and one for XP-Pro?

2) Plugins. I'm a little confused about these. Are these needed for my favorite version of a virus scanner... or are these mainly hardware related?

3) What are the "must have" plugins that you almost always include?

4) concept, concept, concept... the more you can tell me about the concept of using bartPE (especially in a virus/spyware removal environment) will be most helpful.

Thanks, in Advance!
Question by:AnselAdams

Accepted Solution by Joseph Daly (earned 500 total points), ID: 24028240
1. No you can use any version of XP. It will boot to the PE environment which is independent of the users machine.
2. Plugins can be any amount of different programs that do not come natively on the CD.
http://www.bootcd.us/BartPE_Plugins_Repository.php
3. I mainly use BartPE for manually deleting files that are locked by viruses when Windows is running. For my use I mainly just use the explorer and delete the file.
4. As I said above I will usually run my default virus scan software either under regular Windows or safe mode. Whatever isn't caught or able to be removed there I then fire up BartPE and manually delete. This is very good for DLLs or EXEs that have some sort of protection on them. Since BartPE only reads the disk there is nothing that can lock the files.

Author Comment by AnselAdams, ID: 24028797
Wow... thanks for the fast reply!

I'm still a little puzzled about the plugins. I see there is one for Avast. So I take it that I need to install the plugin to run Avast, right? It doesn't specify any particular version but I've seen one for AVG that targets an older AVG version.

The real question that I have at this time is:

Does this work any better than pulling the hard drive and scanning it with another computer? I can see the advantage of not pulling the hard drive, but almost always I pull off the case to blow out the dust and it's not much of a step to pull the hard drive.

My first focus is pulling the hard drive, backing it up, then working from there. I use Acronis as my backup tool. I've had problems installing it with highly infected computers so I typically pull the hard drive during the dust cleaning and use my work computer to backup and do the initial scanning.

Expert Comment by Joseph Daly, ID: 24029182
The only real benefit I can see to using the boot CD rather than doing it your way is the time saved while pulling and attaching to another machine. If you are used to doing it and don't mind then I would stick with what works for you. That said I usually keep a copy of the CD in my laptop bag because you never know when you're gonna need it and you might not have another machine to slave into.

I think as far as the scanning/cleaning both methods should work almost identically. In both situations the drive is only being read, there is no OS or EXE attempting to lock certain files.

Pulling an image with Acronis is a good idea just in case the disinfection causes some unintended system failure. That said there are plugins for BartPE that utilize the DriveImageXML program. This could be useful in the situations like you mention where Acronis won't install correctly.

I can't really give you a definite answer as to which is the better option for you as they both have their benefits. I would suggest setting yourself up a BartPE disk just to have it as another option in your cleaning efforts.
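The two answers above boil down to the same workflow: image the disk first, then, from an offline boot environment where nothing holds the files open, delete what the live OS would not let you touch. As an added example (not from the thread, and not a BartPE plugin), this is how I would do that deletion step from any offline environment that can run Python: quarantine the file with a hash-and-path record instead of a bare delete, so a removal that turns out to have broken the system can be reversed. The directory layout, file name and contents below are constructed for the walkthrough.

```python
import hashlib
import json
import os
import shutil
import tempfile

def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries are never read whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def quarantine(path, quarantine_dir, log_path):
    """Move one suspect file into quarantine_dir and append a JSON record to log_path."""
    st = os.stat(path)
    digest = sha256_of(path)
    os.makedirs(quarantine_dir, exist_ok=True)
    # Store it under its hash so same-named files from different folders cannot collide.
    dest = os.path.join(quarantine_dir, digest + ".bin")
    shutil.move(path, dest)
    record = {"original_path": path, "quarantined_as": dest,
              "sha256": digest, "size": st.st_size, "mtime": st.st_mtime}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record

def restore(record):
    """Undo one quarantine from its log record, for when disinfection broke something."""
    os.makedirs(os.path.dirname(record["original_path"]), exist_ok=True)
    shutil.move(record["quarantined_as"], record["original_path"])
    return record["original_path"]

def demo():
    """Constructed walkthrough on a throwaway directory standing in for the mounted volume."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "volume", "system32"))
    suspect = os.path.join(root, "volume", "system32", "suspect.dll")  # constructed name
    with open(suspect, "wb") as f:
        f.write(b"abc")  # constructed stand-in content, not real malware
    log = os.path.join(root, "quarantine.jsonl")
    rec = quarantine(suspect, os.path.join(root, "quarantine"), log)
    removed, logged = not os.path.exists(suspect), os.path.getsize(log) > 0
    with open(restore(rec), "rb") as f:
        restored = f.read()
    shutil.rmtree(root)
    return {"sha256": rec["sha256"], "removed": removed,
            "logged": logged, "restored": restored}
```

The JSON-lines log doubles as the record of what was changed on the customer's machine, which is what you will want if the image has to be consulted later.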

Expert Comment by Asta Cu, ID: 24042925
Good general overview with detail and links here: http://en.wikipedia.org/wiki/Bartpe
Asta

Expert Comment by Michael-Best, ID: 24048167
Outdated antivirus won't be effective.

FREE COMPUTER REPAIR
http://onecare.live.com/site/en-us/default.htm
And run the: "FULL SERVICE SCAN" it will cleanup & speedup your computer, if it won't run then:
You may have been infected with Worm:Win32/Conficker.B
To protect from Conficker apply an emergency patch that Microsoft issued in October - ahead of Conficker's arrival - for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there
Ways to detect and clean a system that has the Win32/Conficker.B worm
http://support.microsoft.com/kb/962007
If on a network, I recommend disabling "Password Lockout" policy for the time being, till you are sure the infection has been contained and cleaned in your network.
(http://technet.microsoft.com/en-us/library/cc781491.aspx)
Also see:
Bit Defender:
http://anti-virus-software-review.toptenreviews.com/
This is free:
http://www.pctools.com/free-antivirus/
(Regards from Michael Best: a Kiwi in Tokyo: I troubleshoot: both, English OS & Japanese OS)
