Scanning while in PC or on USB 2

[njellis]

Doing a lot of Adware/Spyware removal, I've wondered for some time now which is the most efficient method of removal.

If you remove an infected harddrive and connect it via USB to another machine, and run a scan: does it do as through of a job as if you loaded the program on the infected HD and did a scan?

If it does then I might as well do it that way from now on. But I'm thinking it wouldn't scan the registry entries on the USB drive. I'm also thinking it might not find everything since they wouldn't be active running processes.

Thanks for your time and responses!
Nick

 

[wahnula]

If you remove an infected harddrive and connect it via USB to another machine, and run a scan: does it do as through of a job as if you loaded the program on the infected HD and did a scan?

This would violate one of the first rules of spyware/virus warfare: isolation and containment. By connecting an infected HDD to a healthy PC you run the risk of spreading the virus.

On the infected box, remove it from the network, connect it to a lone Internet connection, update your definitions, disconnect it from the Internet, then perform your scans without removing the drive. It will also be much faster than over USB.

Tony

Users helping Users...

 

[njellis]

Lets assume I don't care about connecting it to another computer and that infection spreading... 1. MY protection is all updated and 2. assuming I did get infected, I'm sure I could take care of it.

I've also found that using an infected computer to scan itself, sometimes doesn't help. This is because sometimes the problematic programs that are infecting the computer attack the common programs that are trying to eliminate them...

But again, all that aside, I was asking what's the most effective / fast way to remove issues since I do this often. Using someone's P3 100Mhz PC w/ 384Mb of ram takes many hours per scan =) Connecting it to MY laptop reduces that to 15-20 mins. But if it isn't as through, then that's something I need to keep in mind. However it also has the potential to be MORE thorough since the offending applications are NOT running.

--Thanks! =)

Nick

 

[electronicsfreak]

Connecting the drive to another computer and cleaning up is dangerous for the files as removing them might accidently remove a main system file which will cause windows to be unbootable.

The best thing to do is load in safe mode and remove all you can that way. Anything left use killbox or unlocker to remove. If for some reason they will not remove it then load the drive in another computer and then remove the leftover stubborn file.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon

 

[DTracy]

What I do sometimes is to start the infected computer with BartPE and then scan/clean the drives. This way the infected drives were not used to startup the computer and supposedly none of the files are open or locked.

Regards,
David.

 

[wahnula]

To answer the OP's question, it can be done over USB, we are agreeing that it shouldn't be done over USB.

As an aside, the "I can handle it" attitude might sneak up & bite you someday. No single program (or suites of programs) can protect against everything past and/or future. A word to the wise...

Tony

Users helping Users...

 

[kjv1611]

I'm puttin' a star on that one, wahnula.

njellis,

His point is a VERY good one. Just because it CAN be done does not mean that it SHOULD.

You know, you CAN drive down the road at 150MPH if you have a car that'll do it, but in most scenarios, you probably SHOULDN'T.


--

"If to err is human, then I must be some kind of human!" -Me

 

[njellis]

Alright alright.

For the record, I use Acronis, and have it automated so that it backups my entire PC twice weekly. So, if we assumed a worst case scenario that somehow an inert file that was scanned was able to pass itself to my system, get PAST my security software, THEN embed itself so deeply that I was unable to remove it by using any of the numerous utilities out there, AND/OR by hand... I would THEN be able to access my backups, and select up to two months of backup's.

Oh, and before you say "Aha! but the backups may get corrupted too", they're password protected. But perhaps, it circumvents that... I ALSO have a bi-monthly SECOND usb hard drive that I backup my data with and hide in the house... should anyone break into the house and steal my equipment. (Yes, my files are very important to me).

SO, though it's POSSIBLE that all of that happens, perhaps we can come to some consensus that it's EXTREMELY unlikely to happen.

The question was asked because I would prefer not to rape my customers and charge them 60/hr for 8 hours using THEIR system to scan, presuming their system is slow. This was the case with a recent client. The PC was a 1Ghz P3, with 256MB of ram. A single Scan took 4 hours. We all know most of the time you need to run multiple scans with different products to throughly take care of the problem. So using HER system, it took over 20 hours to run 4 different scans. Now, 20 hrs at 60 bucks an hr would come out to be oh.. 1200 bucks? For some reason, call me silly, I just cant see myself charging a customer 1200 bucks to clean their old PC worth 2 or 3 hundred.

SO, in order to fix these computers, and NOT rape my customers, I was looking for the most efficient way of dealing with these situations...

It is all simply in an effort to better care for my customers. =)

(P.S. -- Although driving 150MPH on the freeway in the city with my mustang might not be a good idea.... it is far far less of a bad idea if I were say in the Mojave desert. Point being, out of the 100+ computers I've connected that have been infected, I've YET to have a single issue. Perhaps I'm just lucky but we understand that the files are inert. They are not running, and cannot magically spring to life. If they DID, once again, a LOT of things would have to happen before the computer was completely lost.... we're talking the planets would all have to line up, right as a Gama ray burst reached our solar system from another star exploding, which interacted with the gravitational currents, causing a rip in space-time......)

 

[njellis]

(P.P.S -- I don't see an Edit or I would of added onto the previous post. The machine I use to scan customers computers is a work-laptop. So if I WERE to lose everything, it'd really be no big deal. I'd simply slap on windows again and be good to go. Everything of value is stored in the desktop. But for the sake of saying "it could hop onto your laptop then spread over your network when you get home...." you can THEN follow the previous post of sequence of events that would have to happen in order for me to lose my data.)

 

[kjv1611]

Well, unfortunately, unless you are somehow smarter than all the security "experts" out there, then at some point your computer will get infected, and you won't even know about it until it's too late.

That means your password protected backup will be infected.

That means that if indeed you do share files between computers, you risk contaminating any other pc, such as your precious desktop.

And since you didn't notice when you were infected, you won't really know how far back you need to go. Just suppose an infection goes unnoticed for 3 months. Well, that'd be past your backup scheme, correct, and I'd imagine it'd have time to get into your other system by network as well.

It may not be all that likely, but all it takes is one instance of such occurring to wreak havoc.

--

"If to err is human, then I must be some kind of human!" -Me

 

[wahnula]

...and not to pile on, but virus/spyware recovery has a tried-and-true set of procedures. Why "re-invent the wheel" if you don't have to? I appreciate your concern for your customers, but they don't necessarily need to pay for every second that their machine is running, just the time you are actively working on it.

I look at the Internet as a river of slime like in Ghostbusters II. You need to be careful what you let into your world. I've had some PCs so spyware-infested they would not boot, In these cases, I turn all my networked machines OFF until I solved the problem and the machine is "safe" again.

Please realize there is no need for a defensive stance, everybody here wants you to succeed; we are offering these procedures for a reason, and you are free to do what you wish with the information.

Tony

Users helping Users...

 

[njellis]

Thanks guys. I really do appreciate the site, I think it's the best resource on the net for information.

I simply wanted to know what the most efficient way of resolving an issue of an infected machine given time and effectiveness, and haven't yet got an answer on that. Instead, I got a bunch of "you shouldn't do that, because it COULD do X, Y and Z." I understood before I even asked the question that there is a potential for the connected computer to get infected (albeit slight). Hence that wasn't the question asked.

I know many techs in many areas that do the USB procedure. I often scan using their machine (if it's fast enough). However since much of my work is "in their home", I have the option of fixing it there, or making a 2nd trip sometimes over 25 miles each way w/ gas costing 4 bucks a gallon heh...

Anyways, thanks for the input.

 

[njellis]

kjv1611, you suppose a lot of things. =)

I suppose I had better build a nuclear bomb shelter for my system as well... and have an isolated ventilation system. Just in case someone uses a corrosively chemical weapon that eats away the hard drive!

And let us not forget the risk of an EMP bomb!

The point was: like the "super security experts", I try to have a fairly reasonable level of protection. Even the super security experts will tell you, there's no such thing as a 100% safe computer. They protect themselves up to what can reasonably be accounted for... As is mine.

 

[sggaunt]

nlellis: This was your original post

If you remove an infected harddrive and connect it via USB to another machine, and run a scan: does it do as through of a job as if you loaded the program on the infected HD and did a scan?

I think this question was answered i.e No.

I wonder are you confusing this with the use of a USB RAM stick for Virus clean up?
This is a way of isolating AV/Malware removal tools, by running them from a RAM Stick, even better if you can boot into an isolated OS on the stick.




Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

 

[wahnula]

njellis,

A good compromise would be to have extra RAM in your kit(from PC100 to DDR266, DDR400, DDR2-400, etc) that you could install in the problem machine to speed things up a bit. Or, if you do in-home repair, tell the customer that it "has to go back to the shop" for proper clean-up, then your meter will not be running while the scans are doing their thing.

When I take a PC in for repair, I do a thorough cleaning (bursts of canned air, outside) and re-seat all connections. This could not be done properly in the customer's home (unless they have a workbench), not to mention the added pressure of the customer looking over your shoulder. As for gas charges and travel time, they should be listed under "mobilization" and charged accordingly. Sometimes it's not possible nor practical to clean a computer on-site, unless it's a server or other mission-critical device.

Tony

Users helping Users...

 

[ronin77]

njellis---

In my experience, the only rational and economical way to clean the tough infections and hijackings I see today is to clean the drive and registry with an external system. Trying to clean an infected system by *using* the infected system to clean itself is usually a waste of time.

I'm an independent technician, and I've been scanning infected drives by USB to remove viruses for several years (easily >100 systems) and have never gotten an infection on my "decontamination" PC.

Like you, I have an easily-hosed-and-restored configuration with updated security, but I've never even seen an attempted cross-infection unless I tried to execute or open a contaminated file on the infected drive. ...And even then, it was easily caught and thwarted.

I'm sure all the Ivory-Tower Pros will want to ex-communicate me for my violation of the Sacred Canons of IT Security, but I can say from both knowledge and experience that the risk of cross-contamination from scanning an infected drive via USB is very low. (Assuming reasonable precautions are taken.)

The risk of deleting a necessary system file is real. I avoid this by doing a scan-only of the system folder first, then checking the list of contaminated files found before deleting them. Frankly, I rarely find any system files infected, anyway.

My basic methodology:

1.) Boot the infected system from a UBCD and use EZ PC Fix to locate and delete the key malicious and/or suspicious registry entries (start-ups, logins, toolbars, etc.)

2.) Reboot to safe mode, do a fresh install and update of Spybot S&D from USB (Internet disabled) and run it twice.

3.) Remove the drive and scan for remaining viral components on a different system. Based on what turns up (something always does), I may do additional tests and registry cleaning.

FYI, I find that getting rid of even the "tough" infections is relatively easy. The really difficult part is repairing the damages done to various system components by the infection (e.g. admin rights and permissions) -- especially on XP Home.

 

[njellis]

Thanks everyone for the input and discussion. =)

 

[SimonDavies]

In all honesty why not create a PE disk and do it that way?
I use a disk that has the ability to be updates with the latest def files and be recompiled to fit back onto an 8cm cd, boots into either dos or a PE environment (and if it's the PE environment it can also go online to make use of online scanners as well) and means I don't have to go to the trouble of removing hardware, having additional hardware and worrying about potentially infecting more than one machine.

It's a win win in my opinion.

There are a number of places to investigate PE disks, have a look out for BartsPE and perhaps go over to MSFN.org for some more advice.

SimonD.

The real world is not about exam scores, it's about ability.

 

[ronin77]

Simon--

That is certainly a viable option, and I have also done that.

It's really a question of what resources and environments are available to the technician. For me, it's usually faster to pull the drive and clean it "externally" using both manual and automated processes.

My key point is that it's very unlikely (IMO) to get rapid and (cost-) effective results using an infected system to scan itself, regardless of what software is used.

 

[KornGeek]

I can see both sides of this. On one hand, it is definitely safer to keep the drive on the infected computer and avoid any risk of spreading the infected files. On the other hand, I have taken many shortcuts in order to get the job done right; sometimes that's they best course of action for that situation.

One aspect that I haven't seen mentioned is the idea of infecting the drive with something from your system. Although the odds of this seem very slim, imagine how you customers will feel if their systems get hit by something that they got from you.

I would suggest presenting them with options (scanning using their computer, scanning connected to yours, offsite cleaning, etc.) and letting them know the potential risks and rewards of each choice. I don't think you're doing them any favors by arbitrarily choosing to use your PC to do the scans.

That's my 2 cents, and probably overpriced at that.