
Two Spybot scans yield different results

Oct 7, 2007
Okay - I do a lot of virus/spyware removal in my job. What I typically do is scan the HDD from a Bart PE boot disk using the latest version/definitions of Spybot and Mcafee.

A strange thing I notice is that I run the scan do a "Fix all problems" in Spybot and then reboot the PC in safe mode and do a 2nd scan from within Windows. Interestingly, Spybot seems to report that it found some of the same spyware it just detected/deleted via Bart PE (maybe a registry entry or two - nothing major).

QUESTION: So, is something different in the detection process when it runs from boot CD vs. hard drive? The bottom line is that I want to be able to be sure that the nasty stuff is gone, and only having to scan once would be nice.
 
Can you post the results of what it keeps finding?

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
It doesn't KEEP finding the same spyware. Scanning using Bart PE, it might find like 14 things and then I hit "Fix Selected Problems" and it does its thing. Ok, let's say one of those is "SpyLocked". It says it repaired it with nothing left to be done.

Then I boot the same computer in Safe Mode and do a scan using the Spybot installed on the HDD, and it finds a registry entry for Spylocked.

So, it's like the Bart PE version found 98% of the spylocked entries and removed them, yet the HDD scan found a little bit remaining. I'll have to document this better next time I do the scan procedure.
 
Download and run ccleaner

(if you have nero uncheck it from the applications tab on ccleaner)

next download avg anti spyware

(delete everything it finds)

 
I'm sorry to report that you are not answering my question. You are answering with respect to the specific example I gave you and I'm talking about generalities here.

Perhaps I'll just wait until I have some exact data to post unless someone else has experienced what I'm speaking of.
 
Speaking as someone who works for a company that sells and troubleshoots virus software and disinfects PCs, I can tell you that you have 2 ways of scanning for viruses. 1) fast, which will undoubtedly miss things... bet on it, or 2) right, which requires a few passes of different AV/AS engines. Now with small things where there is only 1 infection like smitfraud, it usually requires smitfraudfix. But if it's a serious infection with multiple types of infections, you better get real comfortable with running a couple of scans for each infection. Even in safe mode, smitfraud runs its executable files, or it has dll files hooked into explorer.exe (the GUI of Windows, not to be mistaken with iexplore.exe) which can't be deleted until explorer.exe is stopped.
 
Again, people are NOT addressing my question, but it's partially my fault for not posting an exact example. That will follow the next time I encounter the behavior. Until then, just disregard this question.
 
QUESTION: So, is something different in the detection process when it runs from boot CD vs. hard drive?

ANSWER: No, except that with running it from CD you get exclusive access to files, as nothing is started so you will delete more infections that way.
 
Ahh, but that is why I asked the question. The observed behavior is that when I run an OFFLINE scan first and remove everything found, a follow-up scan within Windows Safe Mode still finds remnants of what was (supposedly) removed.

I would agree that what you stated SHOULD be the case/behavior, but it doesn't seem to be, hence my question!!!!
 
1.) When you scan from the CD, it does find almost all, and removes them...

2.) upon reboot, some malware respawns... thus you may get double findings...

3.) to eliminate the possibility of respawning, clean all RESTORE POINTS, double check all AUTOSTART entry points (all 29 start ramps in Windows XP), and you should not be getting doubles after that...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
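Item 3 above comes down to verifying the autostart entry points between the two scans. As an added example (not code from the thread or from any of the tools named in it), the Python below parses two .reg exports of one autostart key, one taken right after the offline clean and one after the Safe Mode reboot, and lists the values that were absent or different in the first snapshot. The key path, value names and export text are constructed for illustration.

```python
import re

# Constructed sample .reg exports (not data from the thread): one taken right after the
# offline clean, one after the reboot into Safe Mode. A real export comes from
# `reg export <key> <file>` and is UTF-16; decode it before passing the text in.
AFTER_OFFLINE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMwareTray"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"""

AFTER_SAFE_MODE_REBOOT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMwareTray"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"ExampleLoader"="C:\\WINDOWS\\system32\\example_loader.exe"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name = "@" if val.group(1) is None else val.group(1)
            entries[current][name] = val.group(3)
    return entries


def respawned_entries(before_text, after_text):
    """(key, name, data) for values present after the reboot but absent or
    changed in the post-clean snapshot: the entries a second scan will flag."""
    before, after = parse_reg_export(before_text), parse_reg_export(after_text)
    return [(key, name, data)
            for key, values in after.items()
            for name, data in values.items()
            if before.get(key, {}).get(name) != data]


if __name__ == "__main__":
    for key, name, data in respawned_entries(AFTER_OFFLINE_CLEAN, AFTER_SAFE_MODE_REBOOT):
        print(f"reappeared after reboot: [{key}] {name} = {data}")
```

Anything this reports is a value that came back between the offline clean and the Safe Mode scan, which points at a respawn source the offline pass did not remove rather than at a difference in the scanner itself.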
 
That's an interesting thought, but before I do my scan from Bart PE, I always do an Autoruns inventory of what's starting up in the system and shut anything suspicious down. And I always turn off System Restore before I do anything.

What I really don't understand is that if I scan for and remove "malwareX" using the Bart PE CD and Spybot, why should there be any of it left to re-spawn upon the next bootup, especially in Safe Mode, which I always boot to after the BartPE scan.
 