Virus help

Bounty · Post by **Bounty** » 2008-05-12 12:03pm

Not for me, for a friend. She's stuck with a trojan (PC with Win XP, not very well maintained) that disabled her AV and before anyone suggests it, reformatting is not a practical option right now. My plan is to see if the AV works in safe mode, but if that fails, are there any AV's that can run as a LiveCD?

Rogue 9 · Post by **Rogue 9** » 2008-05-12 01:34pm

What antivirus does she use?

Bounty · Post by **Bounty** » 2008-05-12 01:48pm

University-issued McAfee. It's tied into the university network authorisation software somehow, so I can't replace it.

ETA: I haven't gotten a look at the PC itself, but the USB stick that infected it carried Trojan-PSW.Win32.OnLineGames.vu (two versions), Worm.Win32.AutoRun.bne and Trojan-Dropper.Win32.VB.wi.

Post by **Edi** » 2008-05-12 03:21pm

Rip the HD out, stick into another disposable machine as a slave drive and then run all the AV software you can from the clean machine on that drive. Trying to install anything else on the machine or running the already compromised AV software is an exercise in futility.

If it's a badly infected drive with a lot of malware on it, you have no guarantee of Windows working correctly after you remove everything. Assuming you can do so in the first place. In that case you are left with the option of nuking the site from orbit, which is the preferred solution with malware that can disable AV software anyway.

Backups to an external HD first, obviously, but those are your options.

Bounty · Post by **Bounty** » 2008-05-12 03:37pm

Rip the HD out, stick into another disposable machine as a slave drive and then run all the AV software you can from the clean machine on that drive.

I could have done that, had this not been a laptop. I don't have an enclosure even if I could pry the drive out.

I might be able to reformat it in a month or so, but *right now* I'm stuck trying to fix it as-is. If it doesn't work, a reformat is still on the cards, but I'd like to exhaust my other options first.

Ariphaos · Post by **Ariphaos** » 2008-05-12 06:01pm

Bounty wrote:
Rip the HD out, stick into another disposable machine as a slave drive and then run all the AV software you can from the clean machine on that drive.
I could have done that, had this not been a laptop. I don't have an enclosure even if I could pry the drive out.

I might be able to reformat it in a month or so, but *right now* I'm stuck trying to fix it as-is. If it doesn't work, a reformat is still on the cards, but I'd like to exhaust my other options first.

3.5" to 2.5" connectors are about $10 or so.

I have pulled systems out of such troubles without reformatting but at the very least you need an appropriate oem xp install disc.

Post by **Edi** » 2008-05-12 06:09pm

Bounty wrote:
Rip the HD out, stick into another disposable machine as a slave drive and then run all the AV software you can from the clean machine on that drive.
I could have done that, had this not been a laptop. I don't have an enclosure even if I could pry the drive out.

I might be able to reformat it in a month or so, but *right now* I'm stuck trying to fix it as-is. If it doesn't work, a reformat is still on the cards, but I'd like to exhaust my other options first.

You don't need an enclosure, you need a cheap-ass adapter. Pull the drive, get an adapter that allows you to do it and set to. Otherwise you're just wasting your time. I did this shit professionally a couple of years back and short of a hard format, that's the only thing that has even a prayer of success

Malware that already disabled your AV software and is reigning unchecked in the machine is not fixable as-is.

Crayz9000 · Post by **Crayz9000** » 2008-05-12 07:39pm

I'd recommend Trinity Rescue Kit for a CD based Linux repair suite. It has NTFS-3G so it can run a full scan, and comes with about three different virus scanners that will update and scan one after the other.

That said, I wouldn't put full hope in it, the best solution as always is a full format and reinstall. However, it might just get the damned trojan...

RThurmont · Post by **RThurmont** » 2008-05-13 07:56am

Actually, that Trinity Rescue Kit looks ideal to me personally. I've been tempted to roll my own LiveCD using rPath that does essentially that, but now that I know about Trinity, that should be insanely useful...

Rogue 9 · Post by **Rogue 9** » 2008-05-13 01:55pm

Bounty wrote:
Rip the HD out, stick into another disposable machine as a slave drive and then run all the AV software you can from the clean machine on that drive.
I could have done that, had this not been a laptop. I don't have an enclosure even if I could pry the drive out.

I might be able to reformat it in a month or so, but *right now* I'm stuck trying to fix it as-is. If it doesn't work, a reformat is still on the cards, but I'd like to exhaust my other options first.

I don't know how well this will work for antivirus, but it works for IM clients and Firefox, so:

Get a portable hard drive or a flash drive that's big enough, and put an antivirus program on it. Plug that into the affected computer, and run the antivirus from the portable drive.

Crayz9000 · Post by **Crayz9000** » 2008-05-13 07:59pm

The problem with that is the host operating system (in most cases Windows) is still running, still infected by the virus/trojan. Most viruses and trojans today have built in defenses that look for and disable known AV software (sort of a reverse of AV signature checking... except they're checking the AV itself).

So even if you plug in the portable drive, there's no telling if a) the AV software will even work to begin with, or b) if the portable drive itself will become infected.