The Joel on Software Discussion Group (CLOSED)

[W2K] Virus won't let me install AV

Although I had Free AVG installed, a virus closed it down, and won't let me either restart it, uninstall and reinstall it, or install another AV like ClamWin.

Can ClamWin read NTFS partitions and be loaded from a DOS boot floppy, so that it can remove viruses without booting into Windows? If not, what would you recommend I do?

Thank you.
TheFred
Saturday, December 30, 2006
 
 
I'd consider restoring your back up copy.

What other AVs have you tried. How about web scans?
Stephen Jones
Saturday, December 30, 2006
 
 
Unfortunately, this host was not cloned, and I don't have another W200x/XP host around: there's just a 98 host available, so hooking up an NTFS drive as a slave won't work.

I'll see if I can install and run some AV while in safe mode tomorrow.

Isn't there a Linux live CD that can read/write NTFS partitions for viruses?

Thanks.
TheFred
Saturday, December 30, 2006
 
 
If you have an extra hard drive laying around, install Win2K + AVG on that and use it to scan your infected drive.

Saturday, December 30, 2006
 
 
Yup, I'll do this if there's no other solution.
TheFred
Saturday, December 30, 2006
 
 
The Ultimate Boot CD (UBCD) might fit the bill.  IIRC, it can read/write NTFS, and has a few virus scanners included.
It's at ultimatebootcd.com.
jbf
Saturday, December 30, 2006
 
 
I use a Knoppix CD for this kind of stuff.

Works great, and is very flexible.
Shane Harter
Saturday, December 30, 2006
 
 
First, unplug your network connection.

Then start Windows in safe mode (F5 during the boot sequence, during the loading of the BIOS). Check your registry for processes that start themselves during boot. These are usually at:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Delete any suspicious entries from that list.

Also, look in your Start Menu > Programs list for any rogue executables in the Startup folder. Be sure to look in your own user account ("Documents and Settings\username") as well as in the global locations ("Documents and Settings\All Users" and "Documents and Settings\Default User").

Then restart Windows in normal mode and see whether the virus is still running.

It's possible (and maybe even likely, I dunno) that the virus has infected itself into one or more of your system files. If that's the case, you may need to reinstall Windows.

Good luck :)
BenjiSmith
Sunday, December 31, 2006
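The walk through the Run/RunOnce keys and Startup folders described in the post above, as an added example that is not part of the original thread. It is a PowerShell script for a current Windows host (PowerShell did not exist on Windows 2000, so treat it as the same procedure on a modern machine), run from an administrative prompt. The "suspicious" heuristics (image under a temp or profile directory, missing file, no valid Authenticode signature) are this example's own choices and only mark entries to look at by hand; an unsigned binary is not proof of infection, and entries that launch through rundll32 or a script host are not resolved to their payload.

```powershell
# Added example, not code from the thread. Enumerates the autostart
# locations named in the post and flags entries worth a second look.
# Assumption: run as an administrator so HKLM and the all-users
# Startup folder are readable; heuristics below are illustrative only.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup folders for the current user and for all users.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-ImagePath {
    param([string]$CommandLine)
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" /tray   or   foo.exe /tray
    # and expand %SystemRoot%-style variables so Test-Path can see it.
    $exe = $CommandLine
    if ($CommandLine -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)')  { $exe = $Matches[1] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-Suspicious {
    param([string]$Path)
    $reasons = @()
    # Malware of the era liked to live under the user profile or Temp.
    if ($Path -match '\\(Temp|Local Settings|Application Data|AppData|Recycler)\\') {
        $reasons += 'runs from a temp/profile directory'
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        $reasons += 'image file not found'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    }
    return $reasons
}

$entries = [System.Collections.Generic.List[object]]::new()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        $entries.Add([pscustomobject]@{
            Location = $key; Name = $name; Command = $cmd; Image = Get-ImagePath $cmd
        })
    }
}

$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $folder -File) {
        $target = $f.FullName
        # A .lnk shortcut points at the real program; resolve it.
        if ($f.Extension -eq '.lnk') { $target = $shell.CreateShortcut($f.FullName).TargetPath }
        $entries.Add([pscustomobject]@{
            Location = $folder; Name = $f.Name; Command = $target; Image = $target
        })
    }
}

foreach ($e in $entries) {
    $flags = Test-Suspicious $e.Image
    $tag = if ($flags) { 'CHECK ' } else { '      ' }
    '{0}{1}' -f $tag, $e.Location
    '      {0} = {1}' -f $e.Name, $e.Command
    foreach ($r in $flags) { "      -> $r" }
}
```

Run it twice: once in normal mode and once after the suspect entries have been removed, to confirm nothing has re-added itself on reboot, which is the usual sign that something outside these four keys (a service, a Winlogon notify entry, a rootkit) is doing the restoring.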
 
 
Try repairing the install before reinstalling.
TheGrue
Sunday, December 31, 2006
 
 
Boot in safe mode and try to install AVG
moronica
Sunday, December 31, 2006
 
 
There is only one safe way to get rid of it: Format the hard drive and make a fresh reinstall.
Secure
Sunday, December 31, 2006
 
 
Much much simpler than all of the above:


Try pressing F8 when the machine boots then go into "safe mode with network support".

Now do whatever you need to do...
Jimmy Jones
Sunday, December 31, 2006
 
 
Also check out Rootkit Revealer by Sysinternals.

Sunday, December 31, 2006
 
 
+1 rootkit revealer
I had a similar problem, and this tool was the only thing that could detect the infestation.
n
Sunday, December 31, 2006
 
 
Thanks everyone. I'll give Rootkit Revealer a try, as none of the above worked :-/ The pop-ups are gone, but I can't...
- launch or reinstall AVG
- install the open-source AV ClamWin (both AVG and ClamWin fail at the very end: looks like the virus knows about those and catches the install)
- boot in Safe Mode (BSOD).

Still, Happy new year :-)
TheFred
Sunday, December 31, 2006
 
 
The Sysinternals forums are a good place for info.

If you want to get into a conversation about kernel hooking or blue pill vs. red pill, that's the place.

Monday, January 01, 2007
 
 
TheFred,

I say it again: The only safe way is a format and a complete new installation. You don't know what is messed up and now installed in your system, and you can't be sure that anything will be found, deleted and repaired. Connecting this system to the internet is playing with fire.

The repair option can only be a temporary solution to rescue your data and learn your lesson about regular backups.

BTW: How many days are you now trying to rescue the system? And how long would it have taken to make a reinstallation and reconfiguration in the first place?
Secure
Monday, January 01, 2007
 
 
Secure > I say it again: The only safe way is a format and a complete new installation.

I know that, but I'm tired of reinstalling my parents' PC if I can avoid it ;-)

> BTW: How many days are you now trying to rescue the system? And how long would it have taken to make a reinstallation and reconfiguration in the first place?

I haven't tried for _days_ to repair it. I asked this question in a couple of places, which didn't take me that long to ask and read answers. Then I spent the afternoon yesterday trying the different things above, while reading magazines while waiting for things to work. Simple :-)

Reinstalling the whole thing, including all the applications, reconfiguring them, making sure each data file hasn't been contaminated (if at all possible) would take me even longer. Been there, done that.

Happy Easter :-)
TheFred
Monday, January 01, 2007
 
 
TheFred,

Ah, okay, I know this scenario.... ;)

Make one more reinstall and reconfigure. When anything is done and clean, take a complete hard disk image.

When you want to install new stuff or update anything:
- Backup the user data (verify that it is okay and can be restored!!!)
- Restore the image.
- Install and update.
- Make a new image (verify!).
- Restore the user data.

If infections and other stuff happen on a regular basis, this will save you tons of work and trouble in the future.
Secure
Monday, January 01, 2007
 
 
Secure > Make one more reinstall and reconfigure. When anything is done and clean, take a complete hard disk image.

Yup, that's what _I_ would have done the last time, but someone else did it, and I was too late to the party to make one.

It's amazing that there's no market for some lighter-weight computer safe from viruses.
TheFred
Monday, January 01, 2007
 
 
Get them a Mac mini for xmas.
Matthias W.
Monday, January 01, 2007
 
 
When you are all done fixing this mess, set them up as a Limited User account. I did this on my inlaw's Win2K system and I've never had to go back. That was two years ago. Before that I was over there every month cleaning up spyware and viruses.

Windows is very secure if it is run from a Limited User Account. After all, Linux users don't go around running everything as root all the time. Why should we?
dood mcdoogle
Monday, January 01, 2007
 
 
Matthias W. > Get them a Mac mini for xmas.

Not possible. Some of the software they use is Windows-only.

dood mcdoogle > When you are all done fixing this mess, set them up as a Limited User account.

That's what I had in mind. Do most apps today run OK when logged on as limited user, or are there still too many that were built thinking the user had full access?
TheFred
Tuesday, January 02, 2007
 
 
Most apps should be fine from a LUA. The most common things that don't run properly from LUA are games, in my experience.
jk
Tuesday, January 02, 2007
 
 
There are still too many that are built thinking that the user has full access. My inlaws only use Juno and surf the web so it was easy for me. YMMV.

All three of my XP machines at home are set up as limited users. I'm very happy with it. I use mostly Microsoft products so I don't have any trouble.

A really good place to start is at this blog. Aaron Margosis has a bunch of tips for how to do it.

http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

I made the switch and I couldn't be happier. And my inlaws are too.
dood mcdoogle
Tuesday, January 02, 2007
 
 
Back to Sysinternals, here is an article that might help for a workaround:

http://blogs.technet.com/markrussinovich/archive/2006/03/02/running-as-limited-user-the-easy-way.aspx

You can use the PsExec utility called from a batch file to run an app under a different account.

Tuesday, January 02, 2007
 
 
If that PC ends up being unusable, next time I'll clone the partition after a clean install, and check whether all apps run OK as a limited user.

Thanks everyone.
TheFred
Tuesday, January 02, 2007
 
 
I've written my own little RunAsAdmin application that I use to execute processes as an administrator. It's pretty simple using the .NET Framework's System.Diagnostics.Process class to launch something with different credentials. I even put the admin user name and password in a config file so I don't have to prompt for it all the time. It's not a commercial app, so the odds of some hacker knowing to even look for it on my machine are next to nil. And if they are looking for it, I've got bigger problems anyway. So that helps me with things like changing firewall settings and installing things like Flash players in IE. I don't have to use the fast user switching feature. I can just click on an icon to run IE as an admin account.

I have very few things that I need that for. Most of them are just normal admin-protected OS applets (like firewall, the services control panel, and such). My little program just makes it much easier to run as a limited user without having to log off or switch users all the time.

Of course, Vista will help tremendously in this regard. I can't wait to upgrade.
dood mcdoogle
Tuesday, January 02, 2007
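Launching a single program under an administrative account from a limited-user session, which is what the PsExec batch file two posts up and the RunAsAdmin tool in the post above both do, as an added example that is not the poster's code or Sysinternals'. It is PowerShell (3.0 or later) for a current Windows host; the local account name "Admin" is an assumption, and it relies on the Secondary Logon service (seclogon) being running, which runas.exe and PsExec -u also need. The credential is prompted for on each launch rather than read from a config file, which is this example's design choice.

```powershell
# Added example, not from the thread. Runs one program as another local
# account from a limited-user session, the same job PsExec -u or a small
# RunAsAdmin wrapper does.
# Assumptions: a local account named 'Admin' exists; the Secondary Logon
# service is running; PowerShell 3.0+ for Get-Credential -UserName/-Message.

function Start-AsUser {
    param(
        [Parameter(Mandatory)] [string]   $FilePath,
        [string[]] $ArgumentList = @(),
        [string]   $UserName = "$env:COMPUTERNAME\Admin"   # assumed account
    )
    # Get-Credential shows the standard Windows credential dialog; the
    # password is held only as a SecureString inside this object and is
    # not written anywhere on disk.
    $cred = Get-Credential -UserName $UserName -Message "Run $FilePath as"
    if (-not $cred) { throw 'No credential supplied; not launching.' }

    $params = @{
        FilePath   = $FilePath
        Credential = $cred
        PassThru   = $true      # return the Process object to the caller
    }
    if ($ArgumentList.Count -gt 0) { $params.ArgumentList = $ArgumentList }

    # -LoadUserProfile gives the launched program the admin account's own
    # HKCU hive, which installers and the control panel applets expect.
    Start-Process @params -LoadUserProfile
}

# The same three uses the post mentions: firewall settings, the services
# console, and an Internet Explorer session for an ActiveX/Flash install.
Start-AsUser -FilePath 'control.exe' -ArgumentList 'firewall.cpl'
Start-AsUser -FilePath 'mmc.exe'     -ArgumentList 'services.msc'
Start-AsUser -FilePath "$env:ProgramFiles\Internet Explorer\iexplore.exe"
```

Anything the elevated program writes (downloaded installers, IE's cache, saved settings) lands in the admin account's profile, not the limited user's, which is worth remembering when a file "disappears" after an elevated download.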
 
 

This topic is archived. No further replies will be accepted.
