Remove Nearly Any Virus Using Hiren’s BootCD

Even if every other method fails, a bootable CD image will allow you to clean almost any infected system.

As the viral world of computers and networking grows, so does the market of social engineering and virus development. Through the course of using the Internet and your computer, you will eventually come into contact with malware. A computer virus might corrupt or delete data on your computer, use your email program to spread itself to other computers, or even erase everything on your hard disk.

The need for this guide became apparent when the latest version of the FBI MoneyPak virus hit systems all over the world. The newest version has figured out how to disable all three safe modes in Windows, rendering virus removal through other methods virtually impossible.

For this article you will need to download Hiren’s BootCD.

1. The first step is to extract the downloaded zip file. You can do this by right-clicking the file and choosing Extract All. I use WinRAR in lieu of Windows’ built-in zip feature, and I recommend you do the same. WinRAR is not technically freeware, but the trial never expires. Donate if you can!

2. Two of the extracted files will be used: “BurnCDCC.exe” and “Hiren’s.BootCD.15.2.iso”. Double-click BurnCDCC.exe to run the application.

3. Once BurnCDCC is running, click Browse, browse to the extracted “Hiren’s.BootCD.15.2.iso” file, select it, and click Open.

4. Since Hiren’s is only ~610MB, you can use either a blank CD or a blank DVD. Insert the blank disk into your machine. In BurnCDCC, under Device, your disk drive should be listed. If you have multiple disk drives in your machine, I am going to assume you know which drive you use for burning; ensure the correct drive is selected. (If you only have one disk drive, it should be selected by default.) I recommend checking the “Read Verify” box to ensure your write is successful, and leaving the Speed bar at Optimal. (This is the bar dragged all the way to the right.) Once these checks have been made, click Start. If BurnCDCC ejects your disk and prompts you to insert a blank one, simply push your disk back into the drive and select OK from the pop-up.

5. Now comes the fun (and potentially confusing) part. This step involves booting your computer from the disk you have just created instead of from the hard drive. This process can be fairly straightforward, but for many it will not be. When you first boot your computer from a completely shut-down state (not hibernate or sleep), you will most likely see a BIOS screen with a “Gigabyte” or “MSI” logo. (This could be one of many different screens, depending on your motherboard.) Either above or below this logo, you should see text similar to the following: “F12 for Setup,” “F10 for Boot Menu,” etc. What you are looking for is Boot Menu, Boot Order, Boot Screen, or the like. Common keys for this task are F2, F8, F10, F12 or Delete (Del).

If your computer displays which key to use for the Boot Menu, begin tapping it repeatedly the instant you press the power button on your computer. Continue to tap it until you are presented with a Boot Menu that lists your Hard Drive, Disk Drive, and potentially your Flash Media or Floppy. If your computer does not say, try the tapping process with each of the common keys listed above. One of them should get you to the right place. If, by chance, you still cannot get into the boot menu, you will have to change your Boot Order or Boot Priority in your BIOS. The BIOS key will be one of the F-keys listed above as well (normally a blue screen with white writing, though newer motherboards are moving to a 3D experience). Refer to your specific computer model’s manual on the manufacturer’s website if you have tried all of these but still cannot access the Boot Menu. You may even need to refer to the manual for your specific motherboard, which should be listed in the manufacturer’s manual.

Once you have managed to get to your boot menu, select your Disk Drive, and press Enter. Your computer should now begin booting to Hiren’s BootCD.

6. Once Hiren’s BootCD loads, use the arrow keys on your keyboard to select the Mini XP option, and hit Enter. This will boot you into a stripped-down, live build of Windows XP. Once Mini XP has loaded, you need to check what drive letter your Local Disk has been given in the BootCD’s file hierarchy. Click Start, Programs, then Windows Explorer. When the Explorer window opens, it should default to My Computer. Here, it will list all the drives on your machine plus a virtual drive created to run Mini XP. (My virtual drive was called the X:\ drive, and my Local Disk drive was called the D:\ drive.) Ensure you know which drive is your Local Disk (e.g., C:\, D:\, E:\, etc.). You will need this for the virus removal stage.

7. The next step is to load the HBCD Menu Program Launcher. This menu contains 100+ tools that can be used for various scenarios. Click the HBCD icon on the Mini XP desktop. When Hiren’s BootCD 15.7 – Program Launcher opens, click the Programs menu in the top left, hover over AntiVirus/Spyware and select MalwareBytes’ Anti-Malware from the pop-out menu.

8. You will be prompted with a CMD window telling you that it is better to run MBAM from the operating system installed on your hard drive, but many viruses prevent that from happening. Disregard this warning and do as it says: press any key on the keyboard. This will make the window go away, and Malwarebytes’ Anti-Malware (MBAM) will load.

9. Now, we need to update the virus definition database of MBAM. To do this, click the Update tab and then the Check for Updates button. When the updates have been downloaded, click OK on the window that pops up.

10. You are finally ready to begin the removal process! Click the Scanner tab at the top of MBAM. Ensure the Perform Full Scan radio button is selected, and then click Scan. You will be prompted with a window that lets you select which drive to scan. This is where you select the drive you verified earlier by going to Windows Explorer and finding Local Disk. You can select other drives as well, but your Local Disk drive is the only one that really needs to be scanned. If you leave the virtual drive created for Mini XP (usually the X:\ drive) selected, MBAM will find a few extra “infections” which are really utilities Mini XP uses. Removing them will not harm anything, since they cannot actually be removed from the CD.

11. Once MBAM has finished scanning your hard drive, you will be presented with a screen with a button labeled Show Results. Click it! This will bring you to a new window where the infected files are listed. Ensure ALL infections have a check mark beside them. Once you have checked everything, click the Remove Selected button.
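Steps 10 and 11 leave you with a list of detections that mixes hits on the Mini XP RAM drive (the BootCD’s own utilities) with hits on your real Local Disk. The following Python script is an added example, not part of this article or of Malwarebytes’ own tooling: it triages a constructed list of result lines in an assumed “target (detection) -> action” shape, using X:\ as the Mini XP drive and D:\ as the Local Disk (the letters seen in step 6), so you can tell at a glance whether anything was actually found on the hard drive, and what happens if the wrong drive letter was picked.

```python
import re

# Constructed sample of scan-result lines. The "target (detection) -> action" shape
# is an assumption modelled on Malwarebytes reports; the paths, detection names and
# drive letters are made up for this example (X:\ = Mini XP RAM drive, D:\ = Local
# Disk, matching the drive letters the article's walkthrough saw).
SAMPLE_RESULTS = r"""
X:\HBCD\Tools\tool1.exe (RiskWare.Tool.Constructed) -> No action taken.
X:\HBCD\Tools\tool2.exe (PUP.Optional.Constructed) -> No action taken.
D:\Documents and Settings\User\Application Data\sample.exe (Trojan.Ransom.Constructed) -> No action taken.
D:\Documents and Settings\User\Start Menu\Programs\Startup\sample.lnk (Trojan.Ransom.Constructed) -> No action taken.
HKLM\SOFTWARE\Constructed\Key (Hijack.Constructed) -> No action taken.
"""

# A target is either a drive path (X:\...) or a registry path (HKLM\...).
DETECTION_RE = re.compile(
    r"^(?P<target>(?:[A-Za-z]:\\|HK[A-Z_]+\\)[^(]*?) \((?P<name>[^)]+)\) -> (?P<action>.+)$"
)


def parse_results(text):
    """Return one dict (target, name, action) per detection line; other lines are ignored."""
    items = []
    for line in text.splitlines():
        match = DETECTION_RE.match(line.strip())
        if match:
            items.append(match.groupdict())
    return items


def triage(items, rescue_drive="X", local_drive="D"):
    """Bucket detections by where they live.

    rescue_media: on the Mini XP RAM drive; these are the BootCD's own utilities that
                  MBAM flags (step 10) and are not on your hard drive at all.
    local_disk:   on the infected machine's Local Disk; these are the real findings.
    registry:     MBAM scans the running registry, which under Mini XP is Mini XP's
                  own hive rather than the offline hives on the local disk, so these
                  are not evidence of infection on the hard drive either.
    other:        anything else, e.g. hits on a drive letter you did not expect.
    """
    buckets = {"local_disk": [], "rescue_media": [], "registry": [], "other": []}
    rescue_prefix = rescue_drive.upper() + ":\\"
    local_prefix = local_drive.upper() + ":\\"
    for item in items:
        target = item["target"].upper()
        if target.startswith(rescue_prefix):
            buckets["rescue_media"].append(item)
        elif target.startswith(local_prefix):
            buckets["local_disk"].append(item)
        elif target.startswith("HK"):
            buckets["registry"].append(item)
        else:
            buckets["other"].append(item)
    return buckets


def summarize(buckets):
    """Per-bucket counts plus a flag telling you whether the hard drive had real hits."""
    counts = {name: len(hits) for name, hits in buckets.items()}
    counts["local_disk_infected"] = counts["local_disk"] > 0
    return counts


if __name__ == "__main__":
    report = summarize(triage(parse_results(SAMPLE_RESULTS)))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running `triage` with the wrong `local_drive` (say "C" when the Local Disk is really D:\) pushes the real hits into `other` and reports the hard drive as clean, which is the "did not select the correct HDD" pitfall discussed in the comments.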

12. I know this has been a long and drawn-out process. However, viruses have become very advanced, and when they completely prevent you from working directly on your hard drive and regular operating system, this method starts to look pretty good compared with wiping and reloading the machine. From here, you can go to Start and then Shut Down, and boot your computer normally from your hard drive. There should not be a need to go back to the boot menu.

If you had to modify your default boot priority in the BIOS, repeat the steps you took to get into the BIOS and put your hard drive back as the first boot device. Removing Hiren’s BootCD from the drive should also remove the need to change the boot priority.

Your computer should now be virus-free and back in working condition. Do note, however, that many viruses can cause irreversible damage to your operating system. Luckily, most are simply spam and malware that are attempting to sell you something and do not cause internal damage. If you have removed the virus but still find your computer functioning improperly, you may have been one of the unlucky ones and acquired a malicious virus whose purpose is to cause problems within the system. If this is the case, backing up your data and reloading your operating system may be the final solution.

 

About Aaron St. Clair

Aaron St. Clair is a tech guru studying Computer Science at Appalachian State University in Boone, North Carolina. When he's not tinkering with new gadgets, modding systems, or slaving away at the mercy of the Tech-Recipe overlords, you can find him exploring the high country.

The Conversation


  • jshal

    The link for Hiren’s BootCD is not valid. 404 error…

    • David Kirk

      I had no problem with the link. I just downloaded it.

      • http://www.tech-recipes.com/ Aaron St. Clair

        When he posted the comment the link was indeed broken. But, I’ve fixed the link!

        • David Kirk

          Cool. Thanks to both of you! :)

  • pmshah

    Do you realize that Hiren’s Boot CD is full of pirated software? How could you possibly recommend it (although it is excellent) on your web site? BTW this (15.2) is more than 6 months old!

    • Aaron St. Clair

      MalwareBytes is freeware and is the only program covered in this article. The modified Win XP may be of some concern though… I’ll investigate it a bit further, I may need to come up with another alternative.

  • Tim

    When loading Malwarebytes the program will not update. I run the scan regardless and it says it found 4 viruses. I restarted to have them removed but unfortunately I still have the virus. Any ideas? Thanks

    • http://www.tech-recipes.com/ Aaron St. Clair

      Any idea what the virus is? Is it a fake antivirus, FBI MoneyPak, or something else? During the update process, did it bring up an error message? Updating MBAM on the Mini XP only replaces the MBAM definition file in memory, then runs the scan. The update shouldn’t fail… When you restarted, you restarted into regular mode, yes? Not back to Hiren’s BootCD?

    • Aaron St. Clair

      It’s also possible that you did not select the correct HDD. Malwarebytes will find 3-4 “infections” on the Hiren’s BootCD Hard Drive, as some of the tools included on the CD could be considered malicious.

    • aaaaaa

      You have to click on the internet icon to load the net drivers. It takes a minute. I usually close and open the IE icon a few times (technically Opera).

      • alx359

        This. The author would need to update the piece, to clarify the step of clicking the IE icon first, before updating Malwarebytes, or get any kind of updates running at all. I’m not familiar with the package and wasted a good time thinking the package was defective, until finally finding it by accident.

  • Sirdick

    I like the HBC APPROCH. Da bigest hit on the head is how to remove da same virus if it is re-instal by Wscript.exe and rundll32 on STARTUP. Da nullifies all these. Wat cn u do in SUCH SITUATION…!

  • Kenny

    The anti-malwarebytes will not update; it just closes the update window right when I press Check for Update.

    • Scotty Dean

      I had the same issue with the update automatically closing. I then tried to first open an internet connection (using a Hiren’s BootCD), at which time several functions ran/occurred/opened, and I then had a live/active internet connection. When I then tried the update button for malwarebytes, it proceeded to work correctly….

      • jamie

        I used the Hirens CD and it removed the virus but now when I restart Windows, it opens with a Cmd prompt saying that the User is not recognized as an operable program or batch file… what did I do wrong??!! Please help!!!

  • Kenny

    Perhaps the mini xp needs to be connected to the Internet in order to download updates? If so how do we connect to our wireless router using mini xp?

  • Will

    I did not see any thank yous in the comment section…So i just wanted to say THANK YOU!!!! Even though Malwarebytes is still scanning, I just wanted to say thank you for the work you have done :) Have a great day!

  • kenny

    Well the problem is that I don’t think the wizard is picking up my wireless drivers or my wireless connection. The only option I get is a Realtek PCIe GBE family controller and it will not connect to the internet. (It just says disabled.) I’ve tried doing install all hardware before trying to set up the wireless wizard and it did not solve it. Then I tried to use the wired option and ran the network set up but the internet would not work despite the PE network manager 0.56 saying it’s connected.

  • Cameron

    I can’t get the anti malware to update. I have only wireless & it won’t stay connected.

    • Karlien Neuhoff

      HOW? Please tell me (:

  • Cameron

    Ok, I got it to update, now it won’t pick up the right malware. I do a full scan on just the C drive (my main drive) but it will only pick up the stuff in the virtual computer even when it’s not selected.

  • Mike

    can i load this onto a memory stick instead of a cd/dvd? Then choose this method in boot menu?

  • Randall

    My computer is infected with the MoneyPak ICE version of the ransomware virus, it has disabled all 3 safe modes (computer reboots after I log in), so I used Hiren’s BootCD method described here.

    I carefully followed all the steps given here (burned CD on a clean computer, booted infected computer from CD, ran Mini XP, launched Internet icon to have internet access, updated MBAM to latest definitions, ran full scan on the D: drive (local disk)). No problems were found by MBAM!

    Rebooting normally shows the virus is still there, I am locked out of my computer. Has anybody found a solution to this latest version of this moneypak virus?

  • johnny

    AVG Virus Protection is flagging a virus during the download of the Hiren’s BootCD. I already lost one PC and can’t afford to lose another. I’m aborting.

  • Karlien Neuhoff

    It does not say successfully updated it just keeps going like nothing happened. How important is it to update?

  • Stewpac

    Awesome man…worked great! Thx!
    Just had to use the wireless network connection icon on Hiren’s desktop screen of Mini XP to find my wireless network… Malwarebytes then was able to update with no issues… also, never mind the people on here who commented about pirated stuff possibly being on Hiren’s Boot CD. I paid over $100 bones for 3 copies of family Norton 360, but have had numerous viruses get thru (now that should be a crime, making billions off a virus program that doesn’t do as advertised)… this last virus that got thru Norton 360 was the FBI MoneyPak that doesn’t allow any safe mode to work properly… good luck getting Norton Power Eraser to work when safe mode is shot.

    peace

    • sharonnie

      Hey Stewpac, this method allowed you to get rid of the ICE Cyber virus?

  • Laura

    Question I get as far as loading mini windows XP and it stalls-only loads a third of the way. Help!

  • denis

    hey could you give the download link of the theme you used .

  • sharonnie

    Hi, I am going to try this soon as I get home. Will this work for the FBI moneypak/ ICE Cyberware crime virus? I’ve tried everything else, none of the safemode methods have worked.

    • http://www.tech-recipes.com/ Aaron St. Clair

      Should remove any variant of the virus.

  • Ronny

    I downloaded the Hiren’s CD. I tried opening it on my infected computer; under the boot menu, I only saw the options “hard drive”, “optical drive”, and “usb cd”. I chose the optical drive, and it said the CD booted and took me to the Mini XP desktop, but under programs it does not have Explorer; I had to go to “My Computer” on the desktop. Under that, it only showed my RAM drive (local disk) and the Mini XP (local disk). And I do not see the HBCD icon on the desktop for me to choose. I tried doing a search for Hiren; it can’t be found… Did I download it incorrectly or something? I had the hardest time trying to download it; it kept saying “unexpected end of archive” or “corrupt” or something. I finally clicked something and was able to make it copy to a CD like you showed. How were you able to make it download straight to WinRAR without these error messages? And usually the download time would say anywhere from 1 1/2 hrs to 4 hrs.

    • http://www.tech-recipes.com/ Aaron St. Clair

      It’s possible that you downloaded it incorrectly. The software isn’t the most reliable either. This is basically a last resort method. The only thing I could really recommend is trying to download the boot-cd .iso from another PC with a more reliable internet connection. You really shouldn’t be getting anything corrupt from the link provided.

  • Gabriel

    Hi,

    I had the UKash Police virus on my computer. I went through this guide and it removed the virus, I can access the computer again. I installed a fresh copy of windows 7 and ran the scan again to see if everything was back to normal. I still have that PUM.Hijack.Help showing up in malwarebytes.

    What is this registry entry? Is it a malware? Do I need to remove it?

    I tried deleting the file with Malwarebytes, but it comes back as soon as I reboot the computer. Anything with Hijack in its name sounds pretty nasty….

    Thanks for your help and this great guide!

  • Larry

    You can also start up in safe mode on many Windows systems: at boot up, tap the F8 key until the menu comes up and select Safe Mode with Networking. This will allow you to update Malwarebytes if you have it installed on your computer (the best program to remove malware), then run the Malwarebytes update and do a full scan, check the malware for Malwarebytes to remove, then reboot and kiss the malware goodbye.

  • Christie

    I completed the above process and I “believe” it removed the virus; however, when I shut down and restarted it goes to a black screen and says there is no bootable device, insert a boot disk and hit any key. I had already gone back into BIOS and changed the boot order, and after getting the error message I have verified it’s in the correct boot order 3 more times but it still will not boot. I then put the Hiren’s Boot CD back in and chose the first option to “boot from the internal drive” and it brought up the Compaq Recovery options. I hope that is a good sign, but the only option it lets me choose is to go to a command prompt. Any ideas on what I type in there??

  • Ray

    But how to get wifi network support with hirens??

  • Angad Srivastava

    Does this delete any data?

  • karthi

    how to reset win 7 admin password pls update

  • Sam

    dude. you’re amazing. THANK YOU! This worked like a charm. definitely going into my bag of tricks. Nothing else would remove this hijack virus as it had disabled even Safe mode with Command prompt. Thanks again!

  • edgy

    Thanks for the detailed instructions. I ran through everything and it worked but the virus remains. When I’m in Mini-XP booted from the CD my local drive (C:) has zero data and says it’s not formatted. It appears the virus has created a hidden boot partition where all my old data and the virus reside. When running Mini-XP I can see a local drive (C:) with 74.3GB (out of an 80GB HDD) but there are NO files and it’s not formatted. The missing 5.7GB that contains my Windows XP OS and all my files isn’t visible when running WinXP.

    Any way to get the hidden partition visible to the Malwarebytes scan?
    Can’t boot in any safe modes also..
    Help!

  • david l

    A self declared tech guru, no false modesty then, before I read that little bit (I would delete Aaron it makes you sound up your own bottom) I was going to say thanks a big thank you for showing you can indeed update definition files to the ram drive. Thanks again

    ahhh im so sorry the website called you it, oops

  • John Diamond

    Well thought out article, thanks for your time

  • srrrr07

    The boot CD worked to fix the latest Homeland Security MoneyPak virus.
    Thanks Aaron for posting these instructions :)
    It was tough at first as none of the three safe modes worked to correct the issue. The boot CD didn’t work the first time as I ran the anti-malware program without doing the update. The update required an internet connection on my laptop, which I typically use a wireless internet connection on (I could not get Hiren’s mini Windows XP to set up even though I ran the wireless utility)… the secret to establishing the internet connection was to use a wired connection. I plugged an internet CAT5 cable from my router directly into my laptop and then I was able to establish the internet connection by first opening Internet Explorer (Opera) – icon shown on the desktop after booting into Hiren’s mini Windows XP. After I saw Google show up I knew I had the internet connection. The next trick I had to do was increase my virtual memory because I kept getting a ‘not enough virtual memory’ error when I tried to run the malware program. I increased the virtual memory from 0 MB to 65 MB. From there I was able to run the update and the scan worked to remove this virus.

  • Mike

    Hi there

    I’m unable to update Malwarebytes Anti-Malware. Are you able to update Hiren’s BootCD to the latest updates on all that software?

    The problem I’m having is:
    - desktop picture and a few icons are missing
    - a virus has created a false drive
    - Unable to install RKill or Unhide.exe
    - I’ve been at it for a week now

    Thanks in advance
    CHEERS :)

    • Mike

      OK, I managed to update ‘Malwarebytes’ by installing the wireless on the ‘mini windows XP’ desktop. Would be good to add this to your article.

      Kind regards,
      M

  • Massol

    Thanks bro, this tutorial is very useful for me

  • Rama D

    Your scan report shows a list of 3 malicious software and one in registry. All of them from MiniXP which has been loaded. What does that mean? The MiniXP has viruses?

  • John Yuda

    Can the Hiren’s BootCD be extracted to a USB drive and loaded thru a USB port on a Dell Mini 9 laptop?