Safe mode for virus checker

Kim

Hi, I just tried to run a virus scan in safe mode as
instructed by an earlier post (I have a trojan horse &
trying to get rid of it). I shut down system restore and
rebooted into safe mode to do the virus scan and it would
not run. I got a message that the driver core was not
working on AVG virus checker. What do I do now? Please
help!! I have Windows XP. Thank you.
Kim
 
David H. Lipman

Kim:

Are you saying that AVG refuses to run in Safe Mode ?

Can you access the web ? If so, go to McAfee (http://www.mcafee.com/myapps/mfs/default.asp)
and/or Trend
(http://housecall.antivirus.com ) and perform an online scan of your platform.

Please report back your results. If that doesn't help, I have another solution, but I will
only provide it to you via email; it concerns the McAfee Command Line Scanner. If the online
scanners fail, reply back with your email address, but make sure you MUNGE your email address!

Dave



| Hi, I just tried to run a virus scan in safe mode as
| instructed by an earlier post (I have a trojan horse &
| trying to get rid of it). I shut down system restore and
| rebooted into safe mode to do the virus scan and it would
| not run. I got a message that the driver core was not
| working on AVG virus checker. What do I do now? Please
| help!! I have Windows XP. Thank you.
| Kim
 
Guest

Nearly every program will be unavailable while in Safe Mode (including anti-virus software).
 
David H. Lipman

Not True !

It is standard practice to clean a PC in Safe Mode due to the fact that only the OS Kernel
is running, not extras including viruses, Trojans and Internet worms. They usually can't
be cleaned/deleted in normal mode because their File Handle is open.

However, you can't guarantee all AV apps will run in Safe Mode. Especially FREE AV
software.

Dave



| Nearly every program will be unavailable while in Safe Mode (including anti-virus software).
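The open-file-handle point Dave makes above is easy to see for yourself. The following PowerShell snippet is an added illustration, not code from any poster in this thread: it holds a scratch file open with no sharing (a stand-in for a resident infector keeping its own files busy in normal mode), shows that deletion is refused while the handle exists, then shows it succeed once the handle is gone, which is what booting to Safe Mode achieves when the infector's process never starts. The scratch path under `$env:TEMP` is an assumption.

```powershell
# Added example (not from the thread): why a file with an open handle resists deletion.
$path = Join-Path $env:TEMP 'handle-demo.bin'     # assumed scratch location
[IO.File]::WriteAllBytes($path, (New-Object byte[] 16))  # constructed dummy file

# Hold the file open with FileShare.None, like a running process that keeps its
# image or data files busy. While this handle exists no other opener, including
# a delete request, is admitted.
$fs = [IO.File]::Open($path, [IO.FileMode]::Open,
                      [IO.FileAccess]::Read, [IO.FileShare]::None)
try {
    Remove-Item -LiteralPath $path -ErrorAction Stop
    'Deleted while handle open (unexpected)'
} catch {
    # Expected on Windows: a sharing violation ("being used by another process")
    "Delete blocked while handle open: $($_.Exception.Message)"
} finally {
    # Closing the handle is the equivalent of the owning process not running,
    # which is the state Safe Mode gives the scanner for a non-kernel infector.
    $fs.Dispose()
}

Remove-Item -LiteralPath $path -ErrorAction Stop
"Deleted after handle closed: $(-not (Test-Path -LiteralPath $path))"
```

The second delete prints True; the demonstration only covers ordinary share-mode locks, so, as cquirke notes later in the thread, malware that hooks into the OS itself can still survive a Safe Mode scan.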
 
Guest

Had a similar problem: turn off system restore, boot normal
and run the AV program, and that will take care of the problem.
 
David H. Lipman

The point is to use the AV in Safe Mode to clean/delete infected files that CAN'T be
cleaned/deleted in normal mode because the File Handle(s) are open.

Dave



| Had a similar problem: turn off system restore, boot normal
| and run the AV program, and that will take care of the problem.
| >-----Original Message-----
| >Hi, I just tried to run a virus scan in safe mode as
| >instructed by an earlier post (I have a trojan horse &
| >trying to get rid of it). I shut down system restore and
| >rebooted into safe mode to do the virus scan and it would
| >not run. I got a message that the driver core was not
| >working on AVG virus checker. What do I do now? Please
| >help!! I have Windows XP. Thank you.
| >Kim
 
Alex Nichol

Kim said:
| Hi, I just tried to run a virus scan in safe mode as
| instructed by an earlier post (I have a trojan horse &
| trying to get rid of it). I shut down system restore and
| rebooted into safe mode to do the virus scan and it would
| not run. I got a message that the driver core was not
| working on AVG virus checker.

Safe Mode bypasses the loading of drivers or services beyond the base
system. This will include the resident service used by AVG.

There should be no need whatever to go into Safe Mode to run AVG. If
this was a case where it has found a virus in a restore point, which it
cannot access to delete, this is the wrong way to go about it. Ensure
you have a new, clean restore point, then go to
Start - All Programs - Accessories - System Tools - Disk Cleanup
and use the 'More Option' to delete all but the latest restore point.
The infected one will go.
 
cquirke (MVP Win9x)

On Fri, 16 Jan 2004 21:59:30 -0500, "David H. Lipman"

| It is standard practice to clean a PC in Safe Mode due to the fact that only the OS Kernel
| is running, not extras including viruses, Trojans and Internet worms. They usually can't
| be cleaned/deleted in normal mode because their File Handle is open.

A flawed approach, given that malware can infect the OS itself.

| However, you can't guarantee all AV apps will run in Safe Mode. Especially FREE AV
| software.

Nah, it's not about the av, it's about the malware. May fail if:
- malware is active (many ways to patch into the OS, even Safe Mode)
- malware has nuked the av (as many do)

Malware that nukes av tends to handle a long list of these, with the
big commercial av's (NAV, McAfee etc.) at the *top* of the list.

Rather than fret about which ?doomed Windows-hosted av you are going
to use, get OUT of the HD-based Windows altogether (if you can - i.e.
had the sense to avoid NTFS).

See http://users.iafrica.com/c/cq/cquirke/virtest.htm


--------------- ----- ---- --- -- - - -
Dreams are stack dumps of the soul
 
David H. Lipman

You are correct. However, you and I know that there are tiers of approaches to disinfection.
There is no ONE way to disinfect for the 10's of thousands of infectors. Ultimately it is
best to boot outside the infected OS and scan the infected hard disk. This could be by
removing the infected system hard disk and placing it in another PC with AV software,
then using the surrogate's AV software to scan the infected hard disk. Another approach is
booting from DOS and using a Command Line Scanner like FProt or McAfee. However, I believe
that you use their tiered response. Try method A; if it fails, method B; if that fails,
method C.

Booting in Safe Mode and using the AV package to scan and clean/delete infectors is one of
the first in the tiered approach to infector eradication. It has proven itself too worthy
to be denied.

Dave



| On Fri, 16 Jan 2004 21:59:30 -0500, "David H. Lipman"
|
| >It is standard practice to clean a PC in Safe Mode due to the fact that only the OS Kernel
| >is running, not extras including viruses, Trojans and Internet worms. They usually can't
| >be cleaned/deleted in normal mode because their File Handle is open.
|
| A flawed approach, given that malware can infect the OS itself.
|
| >However, you can't guarantee all AV apps will run in Safe Mode. Especially FREE AV
| >software.
|
| Nah, it's not about the av, it's about the malware. May fail if:
| - malware is active (many ways to patch into the OS, even Safe Mode)
| - malware has nuked the av (as many do)
|
| Malware that nukes av tends to handle a long list of these, with the
| big commercial av's (NAV, McAfee etc.) at the *top* of the list.
|
| Rather than fret about which ?doomed Windows-hosted av you are going
| to use, get OUT of the HD-based Windows altogether (if you can - i.e.
| had the sense to avoid NTFS).
|
| See http://users.iafrica.com/c/cq/cquirke/virtest.htm
|
|
| --------------- ----- ---- --- -- - - -
| Dreams are stack dumps of the soul
 
cquirke (MVP Win9x)

On Sat, 17 Jan 2004 17:39:11 -0500, "David H. Lipman"

| You are correct. However, you and I know that there are tiers of approaches to disinfection.

Yep, and some are safer than others.

| There is no ONE way to disinfect for the 10's of thousands of infectors. Ultimately it is
| best to boot outside the infected OS and scan the infected hard disk.

Yep - what I refer to as a "formal virus check". Detection is always
safe in this mode; some malware can confound cleaning (see Jeefo.A).

| This could be by removing the infected system hard disk and placing it in
| another PC with AV software, then using the surrogate's AV software to scan
| the infected hard disk.

That can be fraught with peril, especially in the case of NTFS...
- risk of infecting the host PC (\Autorun.inf, Desktop.ini...)
- risk of auto-upgrading the dropped-in HD's NTFS version
- merging of magic-CLSID content locations into common namespace
- inability to apply changes to dropped-in HD's registry
- NTFS may block access to "protected" files
- destruction of SR data stores (XP HD in XP system)
- automatic writes to dropped-in HD (if sick file system of HD)

| Another approach is booting from DOS and using a Command Line Scanner
| like FProt or McAfee.

That's what I'd recommend, but NTFS gets in the way bigtime.

| Try method A; if it fails, method B; if that fails, method C.

I'd not give malware the wriggle-room; you may not survive method A.

The situation: You are looking for hostile code that is hiding from
you, and that has already penetrated what defences you have. By
definition, you don't know what it is you are looking for, so you can
make no assumptions of the scope it may be restricted to.

Malware exists that is aware of attempts to remove it, and which will
strike back punitively if provoked. So it's a roll of the dice, like
running across a freeway blindfolded; just because it usually works
out OK doesn't mean you should make a habit of it :)

| Booting in Safe Mode and using the AV package to scan and
| clean/delete infectors is one of the first in the tiered approach
| to infector eradication. It has proven itself too worthy to be denied.

It's the best hope NTFS victims may have, but that doesn't make it any
safer. I'd prefer to work from the outside in, i.e.:
- isolate the system
- verify hardware is fit to work on
- verify file system is safe to write to
- formally exclude/research/?clean traditional malware
- informally exclude/manage commercial malware (via AdAware etc.)
- eyeball startup axis and other run points
- apply patches and risk management
- reconnect to the outside world

You won't always get a second chance if you pull the short straw.


--------------- ----- ---- --- -- - - -
Dreams are stack dumps of the soul
 