[Novalug] [Ma-linux] OT: Need help repairing W2K box

Jay Hart jhart at kevla.org
Thu Oct 30 19:03:12 EDT 2008 

thanks for all the suggestions and replies.  I've got this fixed, for now, but
the box will be getting an upgrade to something else soon.  I don't trust it,
and here is why:

Main complaint: Excel has problems running, and trojan found during
troubleshooting.

1  Trying to expand the svchost.exe file (via Windows) and replace the
infected file (via Linux live CD) last night kept resulting in the file being
infected.

2. I took my W2K install CD to work and (assuming my machine at work was
clean) I expanded the file to a thumb drive (all via Windows)

3. Came home at lunch and using a Linux live CD only, copied the file from the
thumb drive to the correct location under Windows.  No use of Windows used
during this process. File should be clean, clean, and clean.

4. Reboot box into safe mode, do a scan on svchost.exe using ClamWin, file is
reported as infected.  To say the least, I'm stunned. Didn't expect that.

5. Brainstorming back at work with others they think something is loading at
startup, so I check to see what is running in startup, nothing unusual found.
Also run scan at 4:42pm on svchost.exe, and the file is still infected.

6. For whatever reason, at this point I decide to update the virus db for
ClamWin (which is usually done at 5:30pm daily) at 4:43pm.

7. After updates installed, I run a scan of svchost.exe, and the result is
that now svchost.exe is clean, and no log entries show it as being
fixed/repaired.

8. Ok, not believing this result, I open Excel, and the freakin thing opens
fine, including any file I throw at it (it wouldn't open any files yesterday).

9. And, all those AV sites I couldn't get to yesterday, now they work fine today.

10. So, the box seems to be working today, I didn't do anything to it that I
can say "Yupe that fixed it", and now I don't trust it.  Only thing I can
think of is that ClamWin had some problem, but that doesn't make sense
either...

11. Just to be safe(r), I installed all the critical updates just now.

Again, thanks for your your replies.

Jay

> On Thu, Oct 30, 2008 at 09:42:30AM -0400, Jon LaBadie wrote:
>> On Thu, Oct 30, 2008 at 08:09:21AM -0400, Jay Hart wrote:
>> > I'll try that.  My biggest problem right now is expanding the svchost.exe
>> from
<snip>

More information about the Novalug mailing list