Message 1 of 164

Secured2k BootCD - Malware/Rootkit Removal

*******McAfee Update*******

CleanBoot 2.0 was released to enterprise users in April 2011. It won't be available under your grant id. One will have to call into McAfee support quoting KB71921 and they will provide you a special grant id to download CleanBoot.

June 18, 2009, Version: 1.7.0

Secured2k's Boot CD

A tool to recover from malicious software and rootkits


This tool is free, however I do accept optional donations, constructive feedback, and success/failure stories for the time, energy, and knowledge put into creating this tool.

I made this tool for the many users out there that have had trouble with malware and rootkits, especially as the AntiViruses out there can detect the bad files but cannot remove them due to the technology used in the malware.


This CD was NOT created by McAfee, Microsoft, or any other security software company.

This CD was created by a volunteer under the alias, "Secured2k", for the emergency use and repair of Windows PCs running Windows 2000/XP/2003 and Vista/2008/7 with an x86 compatible processor. While I have tried to ensure the safety of this program, the authors of the programs used in this CD are in no way responsible for any damages or losses caused by the use of this tool.


Boot CD Information

  • Windows RE v6.1.7260, 32-bit English
  • McAfee VirusScan Command Line Scanner
  • ESET Online Scanner v3
  • QTWeb Browser 2.5
  • Xenon File Manager
  • 7-Zip Archive Manager 4.65
  • jkDefrag 3.36
  • Autoruns 9.5

Download -> Create Secured2k BootCD.exe [~148 MB]


How to Create this CD

  1. Simply download and run "Create Secured2k BootCD.exe".
  2. Click YES to start the process.
  3. After the files are extracted, you will be asked to include drivers detected on the system. Use this if you are on the system you will want to run the Boot CD on.
  4. You will be given an option to download and include the DAT files in the CD. This is a good idea as it will allow you to scan your computer from the boot CD if the CD cannot start your network.
  5. When the Active@ ISO Burner appears, you may configure the options for CD burning (only if needed) and create/burn the data to a writable CD/DVD-R/RW disc.

Note: The ISO file is created in the All Users or Public Profile Desktop under the name, "Secured2k BootCD.ISO"

How to boot using the CD

After the CD/DVD is burned, restart your computer with the CD in the computer. Some computers may start the CD automatically while others may require pressing a key at the boot up sequence. Two of the most common are ESC for HP/Compaq and F12 for Dell. Some systems may require you to enter the BIOS and change the boot order.

What the CD Will Do

  • The Windows Memory test will start and check for errors. The CD will continue to boot once the test is complete. You may press ESC to cancel.
  • Once the boot CD has started, you will see a blue background with the Windows Version in the lower right corner.
  • Read through the information and complete the user verification page.
  • The system will begin to start an automated process. If you have the need to use wireless or to change some of the startup options, click the Initialization Control before the 7 second timer is up.
  • When the system is done starting up, a taskbar will be shown at the bottom of the screen. To access the programs in the Boot CD, Right-Click on the blue desktop background. A menu will appear that will allow you to start each program.

Using the programs on the CD

WARNING: Removing system files and registry entries by mistake will break the system!

  • Xenon File Manager - The recommended way to manually locate and delete/move/rename files.
  • 7-Zip - Used in case you need to create/extract an archive - Can serve as a file manager too
  • Autoruns - Used to show what starts up with your Offline Windows. DO NOT use Verify Signatures; it will crash the program.
  • Registry Editor - Used in case you need to manually edit the registry.
  • jkDefrag - Automatic and complete defragmentation for performance
  • Command Terminal - For advanced use only
  • Task Manager - For informational use only
  • McAfee VirusScan - This Antivirus will scan and clean your system of known detected malware.
  • ESET Online Scanner - Another AntiVirus program that may detect things McAfee doesn't.
  • QTWeb - Webkit web browser. Some sites will not work with the default privacy mode on.
  • TeamViewer QS - Remote Support is available if an Internet Connection is available. You need to provide the remote user with the provided Partner ID and PIN.
  • Wireless Configuration - Use this if you started the CD with Wireless support but need to correct the settings entered.

Bonus: QuickScan (for use in Normal Windows)

I've included QuickScan (QS.EXE) in the root folder of the CD. This is a utility for Windows 32/64-bit that will auto-update and run without installing drivers or registry entries into your system. This tool should work even if McAfee is not installed, working, or updated as long as there is a working internet connection.

After downloading the DAT and engine files, the scanner will check and attempt to clean what it finds in Memory and registered files in the system. This scan generally takes less than 5 minutes (2 min for me) and can quickly determine if you have something in your system.

Message was edited by: Mark (secured2k) on 2/1/10 9:16:18 AM EST

Message was edited by: SamSwift on 21/09/11 17:07:20 IST
163 Replies
Message 2 of 164

RE: Secured2k BootCD - Malware/Rootkit Removal

Common Issues/Problems

  • The Boot CD blue screen crashes on Driver loading - The CD will try to load drivers found on the CD by default. You can also tell the system to load drivers from the Windows installation on the Hard Drive. If one of these drivers is not stable or compatible with your hardware or with Windows, the system may crash. Use the Initialization Control to uncheck loading drivers from the CD/HDD.
  • Can't Find a hard drive - This is usually because the system does not have a driver for your hard drive controller. There are other possibilities such as drive encryption, boot sector viruses, and actual hardware failure.
  • Can't find an Internet IP - This usually happens when the network is started but no adapters can be found or the system could not get an IP address from the DHCP server. For those with a static IP, manual configuration would be needed via NETSH.
  • The McAfee scanner Cleans something that isn't a virus - The McAfee scanner files are located on the first hard drive found with enough free space (usually C:). It creates its own backup folder that matches the hard drive's serial number. This number will most likely be unique for each computer. It is a set of 8 hexadecimal characters (ex. C:\ABEF1290\Backup)
  • McAfee/ESET scan and clean, but the system restarts and the virus returns - This is because you have a virus the AVs do not yet know about or you have a hole in your security allowing reinfection. The way around this is manual removal.
  • Wireless Support - The SSID is case sensitive (SSID and ssid and SSid are all different). If the Boot CD can support your wireless device, clicking on "Network Name (SSID):" should bring up a text file showing what networks are available as well as the authentication and encryption methods.

  • After using the CD to remove a virus, I cannot start Windows normally. It constantly reboots or shows a Blue Screen error STOP: 0x0000007B
    A STOP: 0x0000007B error means that Windows could not load a driver for your hard drive storage system. This is most likely caused by a virus that modified or replaced a legitimate Windows driver file and the AntiVirus scanner detected this change and deleted the file. In order to get your system booting again, you will need to check the log file for the .sys file that was removed and replace it with a matching clean copy. On many Windows XP 32-bit systems, I find Windows has some backup drivers located at "C:\Windows\ServicePackFiles\i386". In the Boot CD, you can replace the missing file by copying it back to its original location. For example, if ATAPI.SYS was deleted because it was infected, I would copy the file from C:\Windows\ServicePackFiles\i386\ATAPI.SYS to where ATAPI.SYS was originally located. Usually this is "C:\Windows\System32\Drivers". Another commonly infected driver file is the Intel Mass Storage device driver, IASTOR.SYS.

  • After using the CD to remove a virus, I cannot log into Windows. Windows appears to log me in but immediately logs me back out.
    The virus changes the USERINIT Registry value from "C:\Windows\System32\userinit.exe," to "C:\Windows\system32\some.bad.file.that.was.removed.exe". Since the antivirus scanners removed the bad virus file, Windows could not process the userinit function and then logs the user out.

    The solution in this case is to use the Registry Editor in the BootCD to navigate to the following key and make sure the contents show the following:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit : (REG_SZ) : C:\Windows\system32\userinit.exe,

Message was edited by: Mark (secured2k) - Updated FAQ for 2 common issues. on 2/1/10 9:29:45 AM EST
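The two FAQ entries above (a deleted storage driver causing STOP 0x0000007B, and a hijacked Userinit value causing the instant log-out) both come down to checking an offline system for a specific expected state. The script below is an added example, not part of the BootCD or of this thread: it checks a Winlogon Userinit value read from an offline hive against the stock value, and turns scanner log lines that report a deleted .sys file into a restore plan from the ServicePackFiles\i386 backup folder. The log line format, the sample values, and the assumption that Windows lives at C:\Windows are all constructed for the demo; the real VirusScan Command Line log format is not reproduced here.

```python
"""Added example (not part of the BootCD or this thread): two offline checks
for the post-cleanup failures described in the FAQ above. Paths, the log
format and all sample values are constructed for the demo."""
import re
from pathlib import PureWindowsPath

# Stock Winlogon value; assumes Windows is installed at C:\Windows as in the FAQ.
STOCK_USERINIT = r"C:\Windows\system32\userinit.exe"
# Backup driver location the FAQ mentions for Windows XP 32-bit systems.
BACKUP_DRIVERS = PureWindowsPath(r"C:\Windows\ServicePackFiles\i386")


def check_userinit(value):
    """Inspect a Winlogon Userinit REG_SZ value taken from an offline hive.

    Returns a list of findings; an empty list means the value matches the
    stock value the FAQ says to restore (userinit.exe followed by a comma).
    """
    findings = []
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return ["Userinit is empty: Winlogon has nothing to run, so the session ends at once"]
    if entries[0].lower() != STOCK_USERINIT.lower():
        findings.append(f"first entry is not the stock userinit.exe: {entries[0]}")
    for extra in entries[1:]:
        # Anything chained after userinit.exe runs at every interactive logon.
        findings.append(f"extra program chained after userinit.exe: {extra}")
    if not value.rstrip().endswith(","):
        findings.append("value lacks the trailing comma Windows expects")
    return findings


def plan_driver_restores(log_lines):
    """Map every .sys file a scanner log reports as deleted to its backup copy.

    Returns (backup_copy, original_location) pairs, i.e. what to copy where
    from inside the Boot CD. The matched line format is a constructed
    stand-in, not the real VirusScan Command Line log format.
    """
    pattern = re.compile(r"([A-Za-z]:\\\S+?\.sys)\b.*\bdeleted\b", re.IGNORECASE)
    plan = []
    for line in log_lines:
        match = pattern.search(line)
        if not match:
            continue
        original = PureWindowsPath(match.group(1))
        # The FAQ's rule: copy the backup back to the file's original location.
        plan.append((str(BACKUP_DRIVERS / original.name), str(original)))
    return plan


# Constructed sample data loosely mirroring the two FAQ entries.
SAMPLE_USERINIT = r"C:\Windows\system32\some.bad.file.that.was.removed.exe"
SAMPLE_LOG = [
    r"C:\Windows\System32\Drivers\atapi.sys ... Found trojan (constructed) ... Deleted",
    r"C:\Windows\System32\Drivers\iastor.sys ... Found trojan (constructed) ... Deleted",
    r"C:\Documents and Settings\user\temp.tmp ... Found trojan (constructed) ... Deleted",
    r"C:\Windows\System32\Drivers\ntfs.sys ... Clean",
]

if __name__ == "__main__":
    for finding in check_userinit(SAMPLE_USERINIT):
        print("Userinit:", finding)
    for backup, original in plan_driver_restores(SAMPLE_LOG):
        print(f"copy {backup} -> {original}")
```

Run against the constructed sample, the Userinit check reports that the first entry is not userinit.exe and that the trailing comma is missing, and the restore plan lists atapi.sys and iastor.sys (the two drivers the FAQ names) while ignoring the non-driver deletion and the clean file. Copying the backup driver is only sensible when the backup is a known-good copy, which is why the function returns a plan for a person to review rather than copying anything itself.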
Message 3 of 164

RE: Secured2k BootCD - Malware/Rootkit Removal

Changes since v1.6 & v1.7:

Boot CD Creator
- Checks and alerts for new versions of the BootCD if one is available.
- Removed old resources to shrink the image size a little.

Boot CD Environment
- Uses Windows 6.1.7260 32-bit English
- Updated Readme and verification page
- Added Advanced Startup control page to control CHKDSK, network startup, wireless, driver loading, and screen resolution.
- Bug fixes in the UI
- Added the option to find network drivers on the hard drive and load them
- Removed the system status screen and replaced it with text on the background
- Added Wireless support for Open/Shared(WEP 64/128-bit)/WPA-PSK/WPA2-PSK networks.

VirusScan Interface
- Now will try to get the latest version information at start each time.

ESET Scanner
- Now properly shows the EULA and updates the program to the hard drive.
- The log file and quarantined files are now stored on the Hard Drive and are not lost on reboot.

Changes since v1.3 & v1.4:

Boot CD Creator
- will not run in Safe Mode
- gives the user the option to include PCI/USB network adapters and PCI SCSI Adapters (Raid Controllers)
- removed extra files from the DAT download to the CD; DAT and Engine version files are created for reference.
- supports unicode driver inf files
- included the Windows Memory Tester; A basic memory test will automatically run when the CD starts.
- organized boot files
- removed EFI and non-English support files for the boot manager
- CD Volume label added to the ISO

Boot CD Environment
- Readme information and user verification is displayed first
- If drivers are found on the CD, the user has the option to load them. Drivers should only be loaded on the same system that was used to create the CD.
- Hard Drive file systems are checked and repaired. If there is more than 1 hard drive, they will be checked as well.
- The shell now includes some basic system info and a rearranged menu.
- Removed some themes from the environment.
- added Autoruns Startup Manager for the offline OS
- added Registry Editor for the offline OS
- Task Manager
- TeamViewer QS - For remote support if an internet connection is available. You would need to provide the randomly generated PIN and Partner ID.
- jkDefrag is included.

McAfee VirusScan Interface
- Options are now displayed at the start.
- Added the option to use BETA DATs
- Added the option to use DATs on the CD if found

RE: Secured2k BootCD - Malware/Rootkit Removal

I'm having trouble using the BootCD, and I'm hoping that you can help me. I'm far from a computer expert, so please keep that in mind. I can follow directions just fine, but a 3rd-grade-level explanation would be much appreciated.

I downloaded and ran the CD creation application on a different computer than the one I'm trying to clean. When I attempt to run the CD on the infected machine (an old Dell Inspiron with XP) by pressing F12 during the boot sequence and opting to boot from the CD drive, here's what happens:

A blue screen entitled "Windows Memory Diagnostics Tool" starts and runs for a few seconds. Then, a black screen appears with a white progress bar across the bottom that says, "Windows is loading files...". Then a different black screen says "Starting Windows".

Then, a blue screen appears, which says:
A problem has been detected and Windows has been shut down to prevent damage to your computer.
If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:
Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need.
If the problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.
Technical Information:
***STOP: 0x0000000A (0x04090001, 0x00000002, 0x00000000, 0x8c14986B)

Help? Thanks!
Message 5 of 164

RE: Secured2k BootCD - Malware/Rootkit Removal

I'm sorry you are having trouble with the Boot CD.

Unfortunately, the error you posted generally means you have a hardware problem or your hardware is not compatible with the drivers included on the CD. Ideally, the line after STOP: 0000000A... would include a file name where the error happened but IRQL_NOT_LESS_OR_EQUAL usually always points to hardware misbehaving with the drivers.

The base system that starts up is almost identical to what the next version of Windows will use to start up. If your computer blue screens on the kernel init, then you will not be able to use the CD system until the hardware issues are resolved.

The other option you have is to use a Windows 2000/XP/2003/Vista/Server 2008 CD to start up the computer and use the recovery console or command prompt to manually fix your system. This method is usually more technical than what the normal user will want to do, which is why I made this BootCD.

I would be interested in your hardware configuration (what's in your PC).

RE: Secured2k BootCD - Malware/Rootkit Removal

Thanks for your response. I have a standard-build Inspiron 6000. I believe that the hardware configuration is very similar to (if not exactly the same as):

1.6 GHz Intel Pentium M 730 (Sonoma), 533MHz FSB and PCIe x16 chipset
15.4 inch WSXGA+ LCD Panel (Samsung)
512 MB DDR2 400 MHz ram
60 GB Ultra ATA Fujitsu 4200rpm hard drive
64 MB ATi Mobility Radeon X300
Microsoft Windows XP Home
24x CD-RW/DVD (Sony)
Intel 2200 b/g internal wireless card
6-cell lithium ion battery
4 USB ports
1 IEEE 1394 FireWire port
Secure Digital I/O card slot
1 PCMCIA card slot
2 front facing speakers
VGA output
Optional S-Video and composite video out with adaptor cable
Audio-out (headphones) and Mic-in
Integrated 10/100 network Ethernet card
Internal 56k modem

Unfortunately, I don't have the Windows XP CD, so that's not an option. Would you recommend running RootRepeal at this point? Any insight that you can provide would be outstanding. The machine is being affected by NTOSKRNL-HOOK. Please let me know if you'd rather I start a new thread.

Thanks again!
Message 7 of 164

RE: Secured2k BootCD - Malware/Rootkit Removal

Please post a new thread with the results from RootRepeal.
Message 8 of 164

RE: Secured2k BootCD - Malware/Rootkit Removal

outstanding boot CD mate, saved my bacon when my director got our first virus infection in 9 years - trojan brought in the virus and VSE did its job in killing/cleaning, but this unfortunately altered the 8 EXE files' date stamps to the date they were cleaned. Some of these were important system files, which could affect future patches/updates.

Ran your CD (which I downloaded the other week as a precaution, and extra utility to have), cleaned the whole desktop and restored the files from another XP system (used the McAfee On-Access list to get the filenames in question). Verified it was clean before removal from isolation and allowed back on the LAN.

very good method to update the ISO before burning, found the Win7 interface a nice touch too.

many thanks.
Message 9 of 164

RE: Secured2k BootCD - Malware/Rootkit Removal

Thank you for the feedback.

Update Info:
Some have asked if I plan to keep the AVs updated. I do not need to do this as the AV engines and DAT files come directly from the AV company when the CD is created or run.

I do not plan to update the CD any more unless there are major bugs or updates needed. For example, when Microsoft releases the final RTM Windows 7 Code, I will update the CD again; but there may not be any new features or fixes.
Message 10 of 164

Will this help me?

I think I have the same problem with the NTOSKRNL-HOOK virus. When I run McAfee, it says it finds one problem & corrects one problem. When I run it again, it says the same thing sometimes; other times, it stops & says it can't finish the scan. I even get the blue screen at times. Also, when I type a web address, it ends up taking me to a completely different website. I am using a Dell Dimension desktop. My son's Dell Inspiron laptop is now doing similar things & won't run the McAfee scan at all. We are both running Windows XP. Before I take my computers in & spend $150 on them, could this CD help us? FYI: I am not a computer expert!
