using linux to fix an xp system (solved)

Hello folks,

I’m a virtual newcomer to linux. I’ve experimented with live cds of various distros, but never really got to grips with linux, for simple lack of time…

I once used Puppy to salvage a disk which Windows said was dead, and I often use Ubuntu in a vm, but I still have a lot to learn about linux, and I’m keen to learn it ( I certainly have no intention of buying windows eight).

Now, the thing is, I have an immediate problem and I would like to use linux to fix it. My windows XP installation has been infected by a nasty virus. Normally I’d just revert to a Norton ghost and laugh it off. Problem is, my ghost files are infected too!

I need to use linux to clean the pc, but when I install AVAST! in Ubuntu (live CD) no infections are found. Probably because the virus definitions are four years old. When I update the defs, the AVAST! engine crashes. Game over.

Can anyone pleeeease suggest a way of using linux to clean my windows pc

Any help much appreciated

Mike

have you tried the bitdefender LiveCD ?
http://www.makeuseof.com/tag/bitdefender-rescue-cd-removes-viruses-fails/

or any of the others listed here
http://www.livecdlist.com/purpose/windows-antivirus

No, but I will!

Thanks Mark. Going to bed now (work in the morning), but I’ll follow those links tomorrow and let you know how I get on.

Regards,

Mike

Quick update.

I tried Bitdefender - no luck. I could barely read the screen, the resolution was so fuzzy, but as far as I could tell, no threat detected. It did help in one respect though. When I asked it to boot from the hard drive I was able to establish that the virus in question was Win32:Hupigon-onx[Trj]. Nice.

Then I tried the AVG rescue disk. That detected no problems, despite the virus DB being the latest available.

Looks like I’m in for the long haul. I can access my files using Puppy, and I’ve an old PC I can use for internet access, so I can take my time over this. The infected machine is firmly offline (except in Linux), so nobody is keylogging anything. I’ve got three busy days ahead, so won’t be able to spend time on this. I’ll report back as and when I have anything to report.

Thanks to anyone who has any suggestions to offer.

Mike

Hi Mikep

This Win32:Hupigon-onx[Trj] thing looks like a particularly nasty piece of work. It seems it’s a rootkit as well as a backdoor. I’m not sure if there is any way to wipe it out via any Linux application, but there are a lot of tutorials online on how to do it both manually and automatically within Windows itself. I wouldn’t want to lean you towards any particular method or tutorial, though.

According to this Avast should detect it

You could, however, secure any important files via Linux before you start any repair procedures on your Windows installation.

Good luck

Graeme

You could try SystemRescueCd which includes tools like: Chkrootkit and Clam AntiVirus scanner. (see under tools)

Thanks Emegra and SeZo,

Yes, it’s a little charmer, isn’t it? Bit of keylogging as a sideline just to add to its appeal. I’m tempted to use that feature to type my opinion of the sleazebag who wrote it…

Avast did originally detect the problem, but failed to clean it. When I rebooted I got the message ‘NTLDR is missing’. I don’t quite understand this, since you’d expect a trojan to allow the machine to boot whilst compromising it silently in the background. The way I spotted this one was suspicious behaviour in Firefox. All a bit too obvious for the average trojan/rootkit/keylogger.

However, even reinstalling XP got me nowhere, since when I installed SP2 and rebooted, the ‘NTLDR is missing’ message popped up again - presumably the rootkit at work?

I’ll look into the SystemRescueCd option when I get time. Otherwise I might thoroughly erase the windows partition (from linux) and try another reinstall (would this get rid of the rootkit?). I could then restore from an old image file (Norton Ghost) and bring it up to date.

Happily, most of my important data is on other internal drives, some of it encrypted, and backed up on external drives, so I think I can recover from this inconvenience. It’s just that removing the infection would save me a bit of time reinstalling things, and be more satisfying. Mind you, trashing the existing partitions (the one containing XP and the one containing the infected Ghosts) might be safer in the long run. Could I do this from Linux, or would ‘boot & nuke’ be more effective?

I’d appreciate your opinions.

Mike

If it were me, an infection with a rootkit would only be fixed with a complete nuke of the partition table from a Linux liveCD. Unless I could find a source online that would allow me to do it more surgically (e.g. with dd, if the rootkit resided in a specific area each time, like the boot sector), I’d blat the entire drive and start again. It’s hardcore, but if you don’t eliminate it, you’ll have exactly the same problem when you re-install Windows.

Might I suggest not using XP, as it’s an old pile of junk that isn’t properly supported any more, and switch to a nice new (virus-free) Linux distro such as Lubuntu or Peppermint?

Thanks Chemicalfan,

Considering the lengthy procedures for eliminating the thing anyway, a fresh start is looking more and more appealing.

How would I completely erase the partitions in question from Linux?

Bear in mind we are talking about a partitioned drive - do I need to worry about the other partitions which haven’t so far been found to be infected? Also, if I nuke the system partition do I still need to nuke the partition table? I assume deleting the latter means losing every partition on the drive.

You assume right … deleting/overwriting the partition table will lose ALL partitions.

If you’re SURE the other partitions are clean … just delete the system partition (and possibly any hidden partitions that you don’t recognise)

reinstalling XP will overwrite the MBR anyway.

I’m with Chemicalfan … ditch XP altogether, Microsoft will be dropping ALL support for it next year and it will immediately become an even bigger target for exploits and put your whole network at risk … so why bother reinstalling it at all ?

Either go Win7 or even better, Linux :wink:
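The distinction Mark draws above (wiping one partition's contents versus overwriting the partition table in sector 0) is easy to get wrong with dd, so here is an added example, not from this thread, that rehearses both operations on a constructed 1 MiB disk image file before anyone points dd at a real drive. The image path, the fake MBR bytes and the "partition" sector range are all assumptions made up for the demo; on a real machine the target would be a block device such as /dev/sdX, and zeroing its first sector destroys the table for every partition on that drive.

```shell
#!/bin/sh
# Added example (not from the thread): rehearse "wipe a partition" vs "wipe the
# MBR" on a constructed disk image so the effect on the partition table is visible.
set -eu

# Constructed sample image (assumption: a temp file stands in for /dev/sdX).
IMG="${TMPDIR:-/tmp}/constructed-disk.img"

# Build a 1 MiB zero-filled image and plant a fake MBR: a bootable flag (0x80)
# at byte 446 where the first partition entry starts, and the 0x55 0xAA boot
# signature at bytes 510-511. Prints the image path.
make_sample_image() {
    dd if=/dev/zero of="$IMG" bs=1024 count=1024 2>/dev/null
    printf '\200' | dd of="$IMG" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$IMG" bs=1 seek=510 conv=notrunc 2>/dev/null
    echo "$IMG"
}

# Report whether the MBR boot signature is still there: "present" or "absent".
boot_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$sig" = "55aa" ]; then echo present; else echo absent; fi
}

# Zero a range of 512-byte sectors (start, count). This is what "just delete /
# overwrite the system partition" amounts to: sector 0, and with it the
# partition table, is left untouched.
wipe_sector_range() {
    dd if=/dev/zero of="$1" bs=512 seek="$2" count="$3" conv=notrunc 2>/dev/null
}

# Zero sector 0: 446 bytes of boot code, the 64-byte partition table and the
# signature. On a real drive this is the "nuke the partition table" step and
# takes ALL partitions with it, exactly as the thread warns.
wipe_first_sector() {
    dd if=/dev/zero of="$1" bs=512 count=1 conv=notrunc 2>/dev/null
}

# Walk through both steps and show the signature status after each.
demo() {
    img=$(make_sample_image)
    wipe_sector_range "$img" 64 960        # pretend partition at sectors 64-1023
    a=$(boot_signature "$img")             # table survives: present
    wipe_first_sector "$img"
    b=$(boot_signature "$img")             # table gone: absent
    rm -f "$img"
    echo "$a $b"                           # prints: present absent
}

demo
```

Run it as an ordinary user; it only ever writes to its own temp file. The same two dd invocations, with `of=` pointing at a real device from a live CD, are the two options Mike was weighing, which is why checking the signature before and after is worth the thirty seconds.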

Thanks Mark,

I know XP’s days are numbered (although as I understand it, over 40% of the world’s corporations are still using it), but I’m running various Windows-based software I don’t want to be without (Truecrypt, to name the most important). Also, my wife is a self-employed bookkeeper who needs to exchange files with her Windows-based clients. So it’s not quite as simple as swapping Linux for Windows - not to mention the learning curve, which I would enjoy, but don’t have the time for…

I’ve been wondering which way to jump for a while now, and Linux ticks most of the boxes, but there’s still hardware compatibility - I’ve never managed to get any distro running happily on my main PC, other than in a VM.

My instinct is to ditch Microsoft and move to Linux, but that may not be possible overnight. I need a period of dual-booting and learning. Meantime, I need access to my encrypted files and certain Windows/DOS applications. I’ve been thinking about Windows 7 but I hate Microsoft’s approach to licensing/activation. Ultimately, I know I’ll move to Linux. The problem is managing the transition.

Truecrypt works in Linux too :wink:
(and/or it’s extremely easy to encrypt your whole home folder in Linux)

Which bookkeeping software does she use ? … let me guess … Sage ?
(if so, there’s AFAIK currently no way to get that to work in Linux … but you could always run XP in a virtual machine in Linux and possibly cut it off from the interweb for safety’s sake)

Worst case, you could do the reverse - have a fresh XP install as the master, and have Linux run as a full-screen VM as a startup program in XP. I’m surprised that Xubuntu 12.04 LTS wouldn’t run - that’s supported until April 2015, so while 15 months isn’t great, it’s better than most considering the age of release (technically not as good as XP though ::))

But running XP as the host means it would have to have an internet connection or the Linux client VM couldn’t have one … which leaves XP open to infection again.

My line of thought was to be able to run the Windows apps in an XP VM that had no internet connection … but the host OS did.

XP could be run risk free for ever without an internet connection … any files you need to email/etc., just save them and email them from the Linux host … kinda thing :slight_smile:

Thanks folks,

I will try some of your suggestions as soon as I get a few minutes to myself! At the moment I can’t devote enough time to do it properly, which is a pain, since I’m stuck with a slow, old machine in place of my usual one.

No, it’s not SAGE, Mark. It’s a very old DOS package which she had a hand in designing, so it does exactly what she wants of it.

Ideally, I want to keep an installation of XP for use offline. I’d been thinking of creating a brand new, fully updated one just before microsoft finally pulls the plug on April 8th 2014 and ghosting it, so maybe this virus isn’t such an inconvenience anyway - at least now I can’t forget about it until it’s too late!

I’m going to clean the infected disk one way or another and do that, then I’ll create a dual boot with some flavour of linux (assuming I can get one to run on this hardware). One thing’s for sure, I’ll do all my surfing in a VM in future to avoid this situation.

I will post back and report progress, as soon as I’ve made some!

Thanks again for your time. All suggestions welcome.

DOS apps tend to be self contained … maybe it could be made to work in DOSbox or WINE in Linux.

It may not even work properly in Win7 … have you tried it

WINE won’t play with DOS, but DOSBox is a very good shout. FreeDOS in a VM is another alternative

Hello Folks,

Just so you know, I’m still here and I will post back with any progress. I appreciate your suggestions and will try them asap. The thing is, I work for Royal Mail, and it’s Christmas, so I’m not getting much free time.

Later!

M

That’s cool, just make sure you deliver my presents on time! :stuck_out_tongue:

Deliver? I don’t stoop to deliver!

I’m a collections driver.

Deliveries are hard work.

:wink: