
Installing & using NAV or SW to clean an infected drive 1


latenite

Technical User
Jun 21, 2005
9
US
I am trying to help out a friend with a virus trashed HD. It's a Win XP Home machine with an expired copy of 2002 NAV. I ran Norton's Online scanner on it and he is loaded with infected files. There are some things he'd like to save on the drive though, so I'd like to avoid nuking it if I can. I have extra copies of both SW 2005 and AV 2005 which I will let him use if there is a way to install them on an infected machine and/or boot/scan from them (or whatever). FYI, there are far too many infected files to remove them one at a time; 400+. I checked with Symantec's online support, and they just pointed me back to the FAQ's I'd already read. Any ideas would be appreciated, including "I'm wasting my time", if in fact that's the case. Thanks.
 
Your best bet would be to put the hard drive in another computer as slave, then scan/clean it from there. You could also back up any work that he wants.

I would also recommend that you use several different virus scanners on such an infected drive e.g. nod32, kaspersky to make sure that all of the infected files are removed (don't install more than one real time scanner at once though).

Also it would be worth doing a spyware scan with spysweeper (best one imho).

All of the above software is available in trial versions to boot!

I've cleaned up a few pcs this way with great success.

Cheers.
 
MrPlough69,

Good call; I hadn't thought of that (obviously as indicated by my post :) My only concern is what are the chances of infecting the master drive in the "good" machine when I boot. Could I make the master read-only or something? I'm new at this.

Thanks,

Latenite
 
The only way you could get infected is if you happened to double click on one of the infected files without your virus scanner enabled.

Also you can't make your windows drive read only because windows needs to write to the disk on startup, and frequently when booted.

hope this helps,

Cheers.
 
Again, Thanks.

Also, I'm not thinking real clear as to the Read only comment since common sense, as you said, indicates that Windows has to write to the drive on boot. I need to quit writing these questions so late at night :)

One last question though; can I use a Firewire/USB external drive enclosure to house and connect the infected drive for scanning as opposed to making it a slave in my clean computer? Just easier for me from a handling standpoint.

Thanks again,

Latenite
 
Heya,

You sure could stick it in an external caddy thing; the only thing is it would take much longer to scan the drive than if you had it connected to an IDE channel, due to the limitation of Firewire/USB.

I believe the speed of Firewire/USB2 is roughly 400 Mbit, and IDE will more than likely handle whatever speed the hard drive is (it depends entirely on the hard drive, but it is likely to be over 50-60 MiB/s).

Cheers
 
Cool.

I'll have to see how much "tearing apart" of systems I feel like doing this weekend.

Again, thanks for the help/ideas.

Latenite
 
Latenite, MrPlough,

I agree with the general process -- and I'd like to add these three comments:

1) Scan using another PC. Do it while you're making a backup. (i.e. if the drive shows up as E: on the 2nd PC, do "xcopy *.* c:\Backup /e/c/h" from the E: dos prompt) [start, run.. cmd, OK, type "E: <enter>", command above]

2) The host (infected) PC is probably going to be destroyed -- unless those are 400 instances of *ONE* virus. If you're seeing multiple viruses, chances are the machine was never maintained (Windows updated, virus scanner used/updated). Be prepared to re-install the entire operating system and all the applications.

3) Using a USB enclosure isn't going to be too slow, so long as the machine it's plugged into supports USB 2.0 and so does the enclosure (most WinXP systems will work with USB 2.0 just fine). USB 2.0 is rated for 480 Mbps, which is roughly 60 MB/sec. In practice -- it's a good enough bus. I disagree with MrPlough's statement -- I doubt you'll see a significant difference with USB 2.0 vs. internal ATA133. If you're not comfortable opening your machine -- don't open it. Lose 5-10 minutes with the enclosure -- and be safe.


Best,
-- Scott.

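Scott's step 1 (copy everything off the mounted drive before scanning, as the xcopy one-liner does) can be extended so the backup also proves itself and gives you something to diff against after the scanner has cleaned the drive. The script below is an added example, not from the thread: it copies the tree, records a SHA-256 manifest of the copies, and only ever reads files, never runs them. The E: and Backup paths in demo() are constructed stand-ins built in a temp directory.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_with_manifest(src: Path, dst: Path) -> dict:
    """Copy every regular file under src into dst (hidden/system files are not
    filtered, like xcopy /e /c /h); return {relative path: sha256 of the copy}."""
    manifest = {}
    for root, _dirs, files in os.walk(src):          # os.walk never follows symlinked dirs
        rel_root = Path(root).relative_to(src)
        (dst / rel_root).mkdir(parents=True, exist_ok=True)  # keeps empty dirs, like /e
        for name in files:
            s, rel = Path(root) / name, str(rel_root / name)
            if s.is_symlink():
                continue                             # don't follow links off the drive
            try:
                shutil.copy2(s, dst / rel)           # copy2 keeps timestamps for later diffs
            except OSError as exc:
                manifest[rel] = f"ERROR: {exc.strerror}"   # record and carry on, like /c
                continue
            manifest[rel] = sha256_of(dst / rel)     # hash the copy, proving it is readable
    with open(dst / "MANIFEST.txt", "w", encoding="utf-8") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")            # sha256sum -c compatible layout
    return manifest


def demo() -> dict:
    """Build a small constructed 'infected drive' tree in a temp dir and back it up."""
    work = Path(tempfile.mkdtemp())
    drive, backup = work / "E", work / "Backup"      # constructed stand-ins for E: and c:\Backup
    (drive / "Documents").mkdir(parents=True)
    (drive / "Empty").mkdir()                        # an empty dir must survive the copy
    (drive / "Documents" / "letter.txt").write_bytes(b"keep me\n")
    (drive / "boot.ini").write_bytes(b"[boot loader]\n")  # stands in for a system file
    return backup_with_manifest(drive, backup)
```

After the scanner has run, re-hashing the original drive with the same function and comparing against MANIFEST.txt shows exactly which files it deleted or changed.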
 
Scott,

Thanks for the suggestions. Actually, before I received your email, I went ahead and pulled the drive and connected it to channel 1 of my machine, took ownership, and away I went. My friend's machine is a Dell and the drive was easy to pull, and my panel was off anyway, so it was no big deal. NAV nailed about everything except the w32klez infections (at least as far as I can tell so far), and there are a bunch of those. I've downloaded Symantec's Klez tool and I'm going to run that tonight.

So as far as 2) is concerned, we'll see what happens after I run the tool and rescan the drive. And, FYI, you are right, the machine had not been maintained at all as far as updates, etc., were concerned.

Relative to 3), I was really curious if I could do it that way more than anything (as well as avoiding having to open up my machine). Obviously, in the future, if someone asks if I can fix their drive, the USB enclosure might be an easier way to do things with an infected system.

Per 1), am I running the backup for any reason other than just having a backup before I scan/repair/delete the infected files? Just curious.

Also per 2), part of this is a self-education exercise; if I can fix the drive, great, if not, I'll nuke it and reinstall. In either case, the process has been educational, in part because of the tips from you and MrPlough69.

Again, thanks,

Latenite
 