
Process for Scanning/Cleaning Another Computer

Status
Not open for further replies.

Glenn9999

Programmer
Jun 19, 2004
2,312
US
Something I'm running into when I suspect another computer has a virus/malware that I'm called to look at: I'm noticing that the process that I always learned ends up falling apart.

I've usually learned that you want to isolate the machine (i.e. clean boot it off a write-protected disk, remove the network/modem cable) before you scan it. Usually the solution requires introducing one or more malware/virus scanners because the computer's user is derelict in either having one or updating one.

So the problem I have is two-fold. First, most of the virus/malware scanners I run into want you to install them onto a drive and safe-mode won't work for them. This means introducing your virus/malware scanner to the possibility of being infected or not working because of the malware/virus. Needless to say, I've found it a trick to get a working live system compatible with these malware scanners on a write-only medium...

Lastly, the scanners refuse to run without a connection to the Internet to update themselves. Now given that the malware might be reloading copies of itself from the net (I had that happen once) or that the malware broke the drivers related to connecting to the Internet (I've had that happen too), how would you accomplish this? I notice most won't allow separate updates and require connection to an update server through the software itself to update.

So what is the process these days? I notice what works on what I have encountered is the use of process explorer (which is stand-alone) to guess at the process and kill it, and then use hijackthis (again stand-alone) to guess where the process loads and remove it. Then reboot. Then if I'm not lucky enough to have Internet access on the computer afterward (and have removed the malware from memory), try to figure out things again from there. Of course, this is all assuming I have the Internet access from another machine to make an educated guess...

But what works all the way through? How do you get a typical malware scanner to be fully-updated and work in such a situation? How is best to fix the Internet drivers on a Windows system if they are messed up?

I'm waiting for the white paper entitled "Finding Employment in the Era of Occupational Irrelevancy"
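The manual method described in the post above (find the process, then find where it loads, then remove it) can be given a read-only starting point with a script. The following is an added example, not code from the thread or from any of the tools named in it: it lists the common Run/RunOnce and Winlogon autostart entries, flags services whose image path lives under a user profile or Temp directory, and cross-references the autostart commands against currently running process images. It assumes an elevated PowerShell 3.0 or later session on the machine under review; every flagged entry still needs a technician's judgement, since legitimate software uses these locations too.

```powershell
# Added example (not from the thread): read-only triage of Windows autostart
# locations versus running processes. Nothing is killed or deleted.
# Assumptions: elevated PowerShell 3.0+; the heuristics below are starting
# points, not verdicts.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Every value under the Run/RunOnce keys, plus the Winlogon Shell/Userinit values
function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Winlogon Shell and Userinit are classic hijack points; anything beyond
    # explorer.exe / userinit.exe deserves a look
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{ Location = 'Winlogon'; Name = 'Shell';    Command = $wl.Shell }
    [pscustomobject]@{ Location = 'Winlogon'; Name = 'Userinit'; Command = $wl.Userinit }
}

# Services whose binary lives in a user profile or Temp directory
function Get-SuspiciousServicePaths {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match '\\Temp\\|\\AppData\\|\\Users\\[^\\]+\\' } |
        Select-Object Name, State, StartMode, PathName
}

# Running processes with a resolvable image path (protected processes return no Path)
function Get-ProcessImagePaths {
    Get-Process | Where-Object { $_.Path } |
        Select-Object Id, ProcessName, Path |
        Sort-Object Path
}

# Which autostart commands point at an image that is running right now?
function Find-RunningAutoruns {
    $running = Get-ProcessImagePaths
    foreach ($entry in Get-AutorunEntries) {
        foreach ($proc in $running) {
            # crude but useful: the autostart command string contains the image path
            if ($entry.Command -and $entry.Command -like "*$($proc.Path)*") {
                [pscustomobject]@{
                    Pid = $proc.Id; Process = $proc.ProcessName
                    Location = $entry.Location; Name = $entry.Name; Command = $entry.Command
                }
            }
        }
    }
}

Write-Host '--- autostart entries ---'
Get-AutorunEntries | Format-Table -AutoSize
Write-Host '--- services running from profile/Temp paths ---'
Get-SuspiciousServicePaths | Format-Table -AutoSize
Write-Host '--- autostart entries with a matching running process ---'
Find-RunningAutoruns | Format-Table -AutoSize
```

Run it from the isolated machine before and after a reboot; an entry that reappears after removal points at a second load point (a service, a scheduled task, or a second Run value) that the first pass missed.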
 
I am using BartPE bootable disk with McAfee antivirus on it. McAfee is not free product, we have enterprise licence. There are also some free products for offline work.
FREE Bootable AntiVirus Rescue CDs
DrWeb Live CD

I personally tried Kaspersky and DrWeb, both done their job well.

===
Karlis
ECDL; MCSA
 
I agree with the DrWeb LiveCD, it is slow but works a charm...

then there is the Avira Rescue System LiveCD which is a bit quicker but just as effective...

Avira AntiVir Rescue System

both do not need the installed OS to be running, as they load their own OS (Linux) and then scan the HDDs...

for OS install, I would recommend MBAM, Malwarebytes AntiMalware, as this little goody finds a lot of stuff, and comes highly recommended from other members here and me personally...

Malwarebytes' Anti-Malware

if MBAM does not install, then renaming the EXE file to something totally different, e.g. tortoise.exe or 123abc.exe, usually works, as there is some malware out there that monitors common antimalware names and prevents these from installing...

also recommended is that you read some of the FAQ here in this forum, as a lot of them give you some very helpful info to combating the nasties out there...

-Virus/Spyware discussion FAQ Index



Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
What AV/Anti-Malware products have you tried that actually refuse to scan without being attached to the web for updates? I mean, I realize that most or all want to check for updates, but I've yet to see one actually flat refuse to scan without updates.

--

"If to err is human, then I must be some kind of human!" -Me
 
I've yet to see one actually flat refuse to scan without updates.
<slightly off topic>
I'm testing Panda's Cloud AV and it does require an internet connection. As the name implies, it uses the internet to check for viruses, etc. It will run without a connection but it is limited in its usage. No updates needed as it checks its "Collective Intelligence hosted on our servers." It seems to work but I haven't had it delete anything yet. I like the interface but it tends to flag some of my tools as "hacker tools and viruses" and it isn't as configurable as others.
</slightly off topic>

I suspect that the poster meant online scanners.


James P. Cottingham
I'm number 1,229!
 
Well, yeah, "online" or "cloud" scanners require a connection - surely that's not what the OP meant, I mean that's kind of a no-brainer. If someone is actually doing this for other folks, they'd surely HAVE to understand the whole concept of an "online" or "cloud" based application of any sort. But I've been wrong before. [smile]

--

"If to err is human, then I must be some kind of human!" -Me
 
I'm well aware of all the tools and have used them all.

And yes I was speaking of offline scanners. I should clarify myself a bit though. Either they refuse to run (or install, sometimes the process is done there) without having connected to the Internet and downloaded updates, or they install with such an old scanning database as to be useless anyway.

I do know that Spybot S&D and Microsoft Security Essentials refuse to perform a scan without being updated first. I would have to test other things specifically to see what these things would do without an Internet connection.

While this behavior is fine for adding one of these products to a clean system, none of the products I have tried seem to do too well with an initial install on an isolated computer system.

I'm waiting for the white paper entitled "Finding Employment in the Era of Occupational Irrelevancy"
 
The answer is downloading the updates manually, and updating offline. Most products allow this.

Spybot S&D is a good example. It will install without an internet connection (at least, last time I tried), and you can download the updates from the page below and install them offline.

Ditto AVG Free and Malwarebytes. Never used Microsoft Security Essentials, though.
 
Okay, to be fair about it (and make sure my memory serves), I did some more testing, and found that AVG, Avira, and Malwarebytes will scan (after you terminate the attempt to update in a couple of cases), but what I found on fresh downloads of all three indicated they used relatively old scanner databases (1-3 months old).

I did notice upon searching the sites (they don't make it too easy), that you can get manual update files for Spybot, AVG, and Avira.

It just seems it's a matter of being ridiculously prepared for the random machine or two that comes along every few months. I'll try the Avira Rescue Disk out soon, too. I found DrWeb LiveCD to be very slow, almost to wonder if it was working right at times.

Now to the other question: What's the easiest/best way to handle the aftermath of these things? Like if a piece of malware trashes the Internet connectivity on the machine once I connect it back up? I can handle replacing system files, but that one usually is the biggest problem I encounter.

I'm waiting for the white paper entitled "Finding Employment in the Era of Occupational Irrelevancy"
 
I've not tried Security Essentials on an infected machine - only tried it at all on one machine, myself, I'm not totally sold yet.

Spybot I've pretty much not touched in quite some time, due to it getting too slow, and not being as effective as a few others, at least in my experience.

Well, I don't see how it could trash the Internet connectivity all that badly.. but I've just not seen that before, I guess... I'd suggest having drivers available for the hardware of the PC you're messing with, so you could reinstall those, and then trying alternate web browsers as well... running Windows Update, and running a general clean-up/tune-up type tool might not hurt - if it's a good one. I prefer Advanced System Care, Glary Utilities, and CCleaner in that regard, currently. Before those, I didn't really have any application I'd trust in that area.

Also, there may be times when you have to do a repair install of Windows - it just depends.

--

"If to err is human, then I must be some kind of human!" -Me
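The connectivity question raised a few posts up (what to check when a cleaned machine will not get back online) has a short list of usual suspects on Windows: a rewritten hosts file, a changed DNS server or proxy setting, and leftover Winsock catalog entries. The script below is an added example, not from the thread or any tool it mentions; it reports those three things read-only and, only when given the -Repair switch, runs the standard netsh/ipconfig resets. It assumes an elevated PowerShell session; Get-DnsClientServerAddress exists on Windows 8 / Server 2012 and later, so on older systems read the DNS servers from `ipconfig /all` instead.

```powershell
# Added example (not from the thread): post-cleanup check of the Windows
# network stack. Read-only unless -Repair is supplied; a reboot is expected
# after the resets. Assumptions: elevated PowerShell; Windows 8+ for the
# DNS cmdlet (see the lead-in for older systems).
param([switch]$Repair)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$inetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. hosts file: anything that is not a comment or a loopback entry is worth a look.
#    Redirecting update/security-vendor hostnames to a non-loopback address is
#    the classic way malware blocks updates after cleanup.
function Get-SuspiciousHostsEntries {
    Get-Content $hostsPath | ForEach-Object {
        $line = $_.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { return }
        $parts = $line -split '\s+'
        if ($parts[0] -notin @('127.0.0.1', '::1')) { $line }
    }
}

# 2. DNS servers actually in use and any per-user proxy override
function Get-NetworkOverrides {
    $inet = Get-ItemProperty $inetKey
    [pscustomobject]@{
        DnsServers  = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                       Where-Object { $_.ServerAddresses }).ServerAddresses
        ProxyEnable = $inet.ProxyEnable
        ProxyServer = $inet.ProxyServer
    }
}

# 3. Winsock catalog: third-party Layered Service Providers show up here, and a
#    removed LSP binary leaves a dangling entry that breaks all sockets
function Get-WinsockCatalog { netsh winsock show catalog }

Write-Host '--- hosts entries that are not loopback ---'
Get-SuspiciousHostsEntries
Write-Host '--- DNS servers / proxy override ---'
Get-NetworkOverrides | Format-List
Write-Host '--- Winsock catalog ---'
Get-WinsockCatalog

if ($Repair) {
    # rebuild the Winsock catalog and TCP/IP configuration, then flush DNS
    netsh winsock reset
    netsh int ip reset
    ipconfig /flushdns
    Write-Host 'Resets applied; reboot before testing connectivity again.'
}
```

If the hosts file and catalog are clean and the adapter still shows no link, the problem is below this layer (driver or adapter), which is where the reinstall-the-drivers advice above applies.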
 