Rescue that infected Windows machine with Trinity Rescue
Sticking with our current theme of rescuing, we will now focus our magnifying glass on another useful Linux tool - Trinity Rescue Kit. TRK is another live Linux distribution, but with a different spin. Instead of being a live CD whose purpose is to do just about everything, Trinity really wants to do only two things: recover data and remove viruses. But it's the latter task that really sets this apart. You will find most live Linux distributions tend to neglect antivirus. Sure, you could take an existing live distribution and add an antivirus package to it. But why bother when TRK already has numerous antivirus tools ready for work?
In this article I will introduce you to Trinity Rescue Kit and how you can use it to scan an infected Windows machine and remove dastardly viruses.
Getting TRK
The first step is to download TRK and burn it onto a disk. If you are unsure how to do this, let's walk through the process. Download an iso image of TRK from the TRK download page (make sure you scroll down to one of the four mirrors and download from there). Once you have the iso downloaded you only need to open up a tool like K3B and burn the image (check out my article "Burn CD and DVD ISO images with K3B" for more information). You could also put this image on a USB drive for easier portability. The easiest way to do that is to use Unetbootin (see my article "Install Linux on a USB drive with Unetbootin" for more information).
With your CD or your USB drive in hand it's time to march over to that infected machine and get to work.
Using TRK
The first thing to do is stick the CD or the USB drive in the machine and reboot. If your machine is not set to boot from either the CD or USB you will want to enter the boot menu of the machine and select either device (depending on which you are using). With TRK you can just let the boot process happen - there is no interaction necessary. Eventually you will wind up at a root prompt. There is no GUI to mention here. TRK is all command line goodness. But never fear, the commands are not too terribly challenging. In fact, to rescue a machine from virus infection there are really only a couple of commands you need to issue.
Mounting the drives
The first thing you have to do is mount the drives on the machine. TRK has a very simple command for that. At the command prompt enter:
mountallfs -g
This will mount all of your drives in read/write mode, which is necessary in order to rid the machine of any infection. You will want to see where all of your drives have been mounted. Take a look in the / directory with the command ls /. You should see listings like /hda1, /hda2, /hda3, etc. These are your mounted drives that you will want to scan.
Now, with the drives mounted, it's time to scan. This is done with the following command:
virusscan -a clam,bde,va -d /MOUNTED_DRIVE
Where MOUNTED_DRIVE is the drive to scan. You can scan multiple drives by separating them with commas like so:
virusscan -a clam,bde,va -d /hda1,/hda2,/hda3
In the above command clam is for ClamAV, bde is for BitDefender, and va is for Vexira Antivirus. Yes, you can scan with multiple antivirus engines, but know that the more engines you use the longer the scan will take.
Once the scan is done you will have a report on what the scan process found and what action was taken.
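The mount-then-scan procedure above, wrapped into one script as an added example (this is not part of TRK or of the original article). It assumes TRK's mountallfs and virusscan are on the PATH and take the flags shown above; the /hd*/ and /sd* name filter, the ENGINES and LOG variables and the log path are this script's own choices.

```shell
#!/bin/sh
# Added example: automate "mountallfs -g", then "virusscan -a ... -d ..."
# over every mounted drive found directly under / (as the article does by
# hand). Assumed: mountallfs and virusscan exist with the flags shown in
# the article; the name filter and log location below are our own choices.

ENGINES="${ENGINES:-clam,bde,va}"        # clam=ClamAV, bde=BitDefender, va=Vexira
LOG="${LOG:-/tmp/trk-virusscan.log}"     # assumed location for keeping the report

# Print the mount points that look like mounted drives (/hda1, /sdb2, ...)
# directly under the given root, one per line. Plain files are skipped.
trk_drives() {
    root="${1%/}"                        # "/" becomes "", so paths stay /hda1
    for d in "$root"/hd[a-z][0-9]* "$root"/sd[a-z][0-9]*; do
        [ -d "$d" ] || continue          # unmatched glob or a regular file
        printf '%s\n' "$d"
    done
}

# Join lines into the comma-separated list that virusscan -d expects.
trk_join() {
    paste -sd, -
}

# Compose the exact command line the article shows, so it can be reviewed
# before a read/write scan is started. Fails if no drives were found.
trk_scan_cmd() {
    drives="$(trk_drives "$1" | trk_join)"
    [ -n "$drives" ] || return 1
    printf 'virusscan -a %s -d %s\n' "$ENGINES" "$drives"
}

# Full procedure at the TRK root prompt: mount, discover, scan, keep report.
trk_scan_all() {
    mountallfs -g                        # mount every drive read/write
    cmd="$(trk_scan_cmd /)" || { echo "no mounted drives under /" >&2; return 1; }
    echo "running: $cmd"
    $cmd 2>&1 | tee "$LOG"               # scan output and report saved to LOG
}

# Only run for real when the TRK tools are actually present.
if command -v mountallfs >/dev/null 2>&1 && command -v virusscan >/dev/null 2>&1; then
    trk_scan_all
fi
```

Run trk_scan_cmd / first to see which mount points will be scanned; the read/write scan only starts when trk_scan_all is invoked.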
Final thoughts
Trinity Rescue Kit is an outstanding tool to place in your toolbox for disinfecting machines. Get to know it and start using it; you won't regret the time spent.
Thanks for the response. I will attempt to update my ISO today.
I downloaded the Trinity disk and tried to use it. However, I got an error message telling me that the virus signatures for Clam Antivirus are out of date. I am aware of the fact that the signatures are in a constant state of flux. I went to the Clam Antivirus site and downloaded the latest virus signatures, but I don't see how I can add them to the Trinity Rescue Kit, which is an ISO? What did I miss???
TNX for the fine article.
virusscan automatically updates the definitions, if your internet connection is up. Interestingly, clamav is the only one it will run if the defs aren’t updated. Otherwise, all others abort.
Use the command updatetrk to update the components and it will create a new iso.
Thanks for sharing. Sounds like a great product that will help a ton of people. I see more and more viruses all the time, even though there is such an increase in protection.
Thanks for this article... I have many friends/family who are constantly getting their computers infected with all sorts of crap even after I have schooled them in the proper way of using Windows. This seems as if it would be a bit of a time saver compared to what I have been doing.
I should warn you that last summer I ran tests of 10 different anti-virus products and Clam came in dead last in my tests. I wouldn’t trust it very much which is actually quite sad because I started the testing to prove Clam was a good solution. BitDefender and Vexira Antivirus were not tested so I can’t comment on how well they work.
This is a wonderful program to have on hand! I had a rather annoying virus issue that seemed to elude even KIS. I searched Google and discovered this collection, and it works really well! The only problem I ran into with it was on a system that was accessing the internet via a wireless connection: TRK could not access the internet, so I was forced to do other things to get that computer working!