Two Spybot scans yield different results

[goombawaho]

Okay - I do a lot of virus/spyware removal in my job. What I typically do is scan the HDD from a Bart PE boot disk using the latest version/definitions of Spybot and Mcafee.

A strange thing I notice is that I run the scan do a "Fix all problems" in Spybot and then reboot the PC in safe mode and do a 2nd scan from within Windows. Interestingly, Spybot seems to report that it found some of the same spyware it just detected/deleted via Bart PE (maybe a registry entry or two - nothing major).

QUESTION: So, is something different in the detection process when it runs from boot CD vs. hard drive? the bottom line is that I want to be able to be sure that the nasty stuff is gone and only having to scan once would be nice.

 

[electronicsfreak]

Can you post the results of what it keeps finding?

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon

 

[goombawaho]

It doesn't KEEP finding the same spyware. Scanning using Bart PE, it might find like 14 things and then I hit "Fix Selected Problems" and it does its thing. Ok, let's say one of those is "SpyLocked". It says it repaired it with nothing left to be done.

Then I boot the same computer in Safe Mode and do a scan using the Spybot installed on the HDD, and it finds a registry entry for Spylocked.

So, it's like the Bart PE version found 98% of the spylocked entries and removed them, yet the HDD scan found a little bit remaining. I'll have to document this better next time I do the scan procedure.

 

[electronicsfreak]

Download and run ccleaner

http://www.filehippo.com/download_ccleaner/

(if you have nero uncheck it from the applications tab on ccleaner)

next download avg anti spyware

http://www.ewido.net

(delete everything it finds)

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon

 

[goombawaho]

I'm sorry to report that you are not answering my question. You are answering with respect to the specific example I gave you and I'm talking about generalities here.

Perhaps I'll just wait until I have some exact data to post unless someone else has experienced what I'm speaking of.

 

[w1nn3r]

Speaking as someone who works for a company that sells and troubleshoots virus software and disinfects PCs I can tell you that you have 2 ways of scanning for viruses. 1) fast, which will undoubtedly miss things...bet on it or 2) right, which requires a few passes of different AV/AS engines. Now with small things where there is only 1 infection like smitfraud it usually requires smitfraudfix. But if it's a serious infection with multiple types of infections, you better get real comfortable with running a couple scans with each infection. Even in safemode, smitfraud runs it's executable files, or it has dll files hooked into explorer.exe(the GUI of windows, not to be mistaken with iexplore.exe) which cant be deleted until explorer.exe is stopped.

 

[goombawaho]

Again, people are NOT addressing my question, but it's partially my fault for not posting an exact example. That will follow the next time I encounter the behavior. Until then, just disregard this question.

 

[w1nn3r]

QUESTION: So, is something different in the detection process when it runs from boot CD vs. hard drive?

ANSWER: No, except that with running it from CD you get exclusive access to files, as nothing is started so you will delete more infections that way.

 

[goombawaho]

Ahh, but that is why asked the question. The observed behavior is that when I run an OFFLINE scan first and remove everything found, a follow-up scan within Windows Safe Mode still finds remnants of what was (supposedly) removed.

I would agree that what you stated SHOULD be the case/behavior, but it doesn't seem to be, hence my question!!!!

 

[BadBigBen]

1.) When you scan from the CD, it does find almost all, and removes them...

2.) upon reboot, some malware respawns... thus you may get double findings...

3.) to eliminate the possibilities of respawning, clean all RESTORE POINTS, double check all AUTOSTART entry point (all 29 start ramps in windows XP), and you should be not getting doubles after that...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

 

[goombawaho]

That's an interesting thought, but before I do my scan from Bart PE, I always do an Autoruns inventory of what's starting up in the system and shut anything suspicious down. And I always turn off System Restore before I do anything.

What I really don't understand is that if I scan for and remove "malwareX" using the Bart PE Cd and spybot, why should there be any of it left to re-spawn upon the next bootup - especially in Safe Mode, which I always boot to after the BartPE scan.