That started like a question ("If...") and ends as a description of an
existing problem. Which is it? I ask, because if it's an existing
problem you are sitting with, then I'd want to know more details to
guide further advice, else I'd have to keep it general.
There are two broad approaches:
A) "Just" wipe and rebuild the system
The idea here is that because you wipe the installation, you kill the
virus and thus you can be sure you are virus-free. But the adverse
impact is huge, and the more you mitigate that impact by saving and
then restoring "data" files, the more likely you will re-infect the PC
from an infected backup. Even if the system is clean when rebuilt,
you'd have lost patches, which may mean you'll be infected within a
few minutes of connecting to the 'net again.
See
http://cquirke.mvps.org/reinst.htm
This solution may make sense if:
- your original installation was poorly-setup
- you have no need to salvage data
- you have a small set of apps you need to use
- you have a well-maintained system image to restore
- you want to force an original state on your users
All but the first of these apply in corporate computing, which is
where the norm of "just wipe and rebuild" comes from.
B) Detect and manage the malware
This used to be easy in the earlier days on Win9x, both because there
weren't quite so many different malware around, and because that OS
could be formally scanned from DOS diskette boot with DOS-based av.
See
http://cquirke.mvps.org/9x/virtest.htm
But DOS can't read NTFS, or FATxx volumes > 137G, so one needs a
better solution for XP. It exists, but not on a plate from Microsoft;
Google( Bart PE) unless you know Linux well enough to use any one of
several CDR-booted Linux alternatives. Linux isn't really safe for
writing to NTFS, which may make Bart a better bet.
This solution may make sense if:
- your original installation was fully-patched and well set up
- you have a large number of apps and settings to preserve
- your data is on the same PC
- your backup facilities are poor
- using your "recovery" or installation CD will lose all patches
This situation is typical in consumerland.
Ah, Malke's pretty much said it all...
If you can get into Safe Mode, you can clean up your machine. It isn't
clear from your posts if you can get into Safe Mode or not.
If you can get into Safe Mode, here are malware removal steps:
http://www.elephantboycomputers.com/page2.html#Removing_Malware
If you can't get into Safe Mode, you can create a Bart's PE with
antivirus tools on it and do the scan from there:
http://www.nu2.nu/pebuilder/
Or you can slave the hard drive in a working XP box as suggested and
scan with an av that way, although there is always the possibility of
infecting the host XP install.
Another alternative is to retrieve your data with either a Bart's PE or
Knoppix (a Linux distro that runs from cd) and then do a clean install.
http://www.knoppix.net
All of these solutions require a fairly high level of computer skills.
Only you know what your skill level is. If this work isn't your cup of
tea, take the machine to a professional computer repair shop.
So in summary, it's:
1) Clean from Windows via online scanner
- advantage: Scanners are free and up to date
- disadvantage: Malware has the highest level of control
2) Clean from Windows via installed av
- slightly less dangerous than (1)
- still relies on the malware allowing you to clean it
3) Clean from Windows Safe Mode
- suppresses many malware, making these safe to clean
- nearly as easy as (1) and (2)
4) Clean from Windows Safe Mode Command Prompt Only
- suppresses more malware than (3), thus safer
- not as easy as (1-3) if you are used to using a GUI
5) Drop hard drive into other PC, clean from there
- as wide a range of av tools as (1+2), which is great
- less likely to be running the malware, so safer than (1-4)
- but scanners may miss things if relying on registry clues
- may also fail to properly clean as wrong registry in effect
- risk of infecting the host PC
- risk of Windows writes further corrupting a sick file system
6) Bart CDR boot, run scanners from there
- avoids running the malware, so safest approach
- the Bart CDR is read-only, so can't be infected
- reasonable range of scanners and tools
- does not initiate writes to the HD, unlike (1-5)
- a plugin exists to use the hard drive's registry, unlike (5)
- but CDR must be prepared on a clean system
- skills and research required to use plugins to add tools
7) As per (5), (6) or using parallel install, but using Linux
- different skill set required to use Linux
- difficulty in managing Windows registry
- difficulty in handling NTFS safely
- may be suitable if you already know Linux
My approach is to start with (6), then (4), then (2). If I need a
wider range of scanners, I may add (5) and do (1) from this setting
also - it's safer doing an online scan if the OS you booted up is that
of a clean host PC, and not the installation you're trying to clean.
Suitable av scanners, and compatibility:
- Bit Defender 8 on-demand scanner; for (2-5)
- Trend SysClean on-demand scanner; for (2-5 and 6)
- McAfee SuperDat command-line scanner; for (2-5 and 6)
- Sophos command-line scanner; for (2-5 and ?6)
These catch only a few malware, but are worth adding:
- McAfee Stinger small-range scanner; for (2-5 and 6)
- Avast Cleaner small-range scanner; for (2-5 and 6)
Free resident av (install only one of this category):
- AVG 7; for (2-5)
- Avast av; for (2-5)
- AntiVir 7; for (2-5), perhaps (6)
Anti-spyware scanners generally need registry access:
- AdAware SE; for (2-4) and (6) if used with RunScanner
- Spybot SD; for (2-4) and (6)
- MS Antispyware / Defender; (2) only
- Ewido anti-malware; (2-4)
Integration checkers need registry access to work; no (5):
- MSConfig; for (2-4) and (6) with RunScanner
- HiJackThis; for (2-4) and (6) with RunScanner
- Nirsoft utilities; for (2-4) and (6) with RunScanner
Rootkit behaviour detectors must be run "dirty", i.e. (2) not (5-6):
- F-Secure Blacklight Beta; may catch some
- Rootkit Revealer, which may be harder to interpret
Generally I scan for commercial malware after tackling the more
hard-core stuff. Because I'm more worried about side-effects of
removal than malicious counter-action, I detect but don't clean from
(6) and then clean from (4), so that I have the Undo info on the
system and I can use System Restore as well.
System Restore is one of two major "hidden traps" from which malware
can re-infect the system (the other being email mailboxes that hide
attachments). I normally:
- scan System Restore data via (6)
- leave this data in place
- create a new and clean baseline restore point when clean
- test the system is working OK
- then use Disk Cleanup to purge all but this last restore point
HTH... in your case, it sounds as if you may have other problems that
could put data at risk, so I'd tread very carefully.
-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
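Added example, not part of the thread above and not code from cquirke or
Malke. It illustrates the caveat against approach (5): tools that read
"integration" points (Run keys, Winlogon) see the host's registry, not the
slaved disk's. Loading the slaved disk's own hives under temporary keys with
reg.exe gets that information back without booting the infected install.
Assumed: the slaved volume is E:, its Windows folder is E:\Windows, the
profile of interest is E:\Documents and Settings\Owner, and the script runs
in an elevated PowerShell on the clean host. The hive files are copied to the
host before loading because reg.exe load writes to the hive it opens, and the
thread warns against writes to a possibly damaged file system.

```powershell
# Inspect autorun entries of a slaved XP disk via its offline registry hives.
# Assumptions (not from the original post): slaved volume E:, Windows in
# E:\Windows, profile E:\Documents and Settings\Owner, run elevated on the host.

$SlavedDrive   = 'E:'
$SlavedProfile = 'E:\Documents and Settings\Owner'   # assumed profile path
$Work = Join-Path $env:TEMP 'offline-hives'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Work on copies: reg.exe load writes to the hive file it opens.
$SoftwareHive = Join-Path $Work 'software'
$UserHive     = Join-Path $Work 'ntuser.dat'
Copy-Item (Join-Path $SlavedDrive 'Windows\System32\config\software') $SoftwareHive -Force
Copy-Item (Join-Path $SlavedProfile 'NTUSER.DAT') $UserHive -Force

& reg.exe load 'HKLM\OfflineSoftware' $SoftwareHive | Out-Null
& reg.exe load 'HKU\OfflineUser' $UserHive | Out-Null

# Turn a stored command line into a path on the slaved volume so the host can
# check whether the referenced file actually exists there.
function Get-RemappedExe {
    param([string]$CommandLine)
    if ($CommandLine -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($CommandLine -split '\s+')[0] }
    $exe = $exe -replace '^%(SystemRoot|windir)%', "$SlavedDrive\Windows"
    return ($exe -replace '^[A-Za-z]:', $SlavedDrive)
}

try {
    # The same logon-time keys MSConfig and HijackThis report on a live system.
    $autorunKeys = @(
        'HKLM:\OfflineSoftware\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OfflineSoftware\Microsoft\Windows\CurrentVersion\RunOnce',
        'Registry::HKEY_USERS\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_USERS\OfflineUser\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }     # provider metadata, not values
            $cmd = [string]$prop.Value
            $exe = Get-RemappedExe $cmd
            $state = if (Test-Path -LiteralPath $exe) { 'present' } else { 'MISSING' }
            '{0,-8} {1,-30} {2}' -f $state, $prop.Name, $cmd
        }
    }

    # Winlogon Shell and Userinit: malware commonly appends itself to these.
    $wl = Get-ItemProperty 'HKLM:\OfflineSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon'
    'Winlogon Shell    = {0}' -f $wl.Shell
    'Winlogon Userinit = {0}' -f $wl.Userinit
    if ($wl.Shell -ne 'Explorer.exe') { 'WARNING: Shell is not Explorer.exe' }
    if ($wl.Userinit -notmatch '^[A-Za-z]:\\WINDOWS\\system32\\userinit\.exe,?$') {
        'WARNING: Userinit carries extra entries'
    }
}
finally {
    # Drop any handles the registry provider still holds, then unload;
    # a hive left loaded stays locked and cannot be copied or deleted.
    [GC]::Collect()
    & reg.exe unload 'HKU\OfflineUser' | Out-Null
    & reg.exe unload 'HKLM\OfflineSoftware' | Out-Null
}
```

An entry marked MISSING is a loader pointing at a file the scanner already
removed (or that never existed), which is the "fails to properly clean as
wrong registry in effect" case from point (5). Nothing here writes to the
slaved disk; cleaning the keys still belongs in step (4), where System
Restore and the tool's own undo data are available.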