PC Review



Assuring Clean System Before Taking Image?

 
 
(PeteCresswell)
 
      15th Feb 2011
While trying to fix up somebody's aging laptop, it has finally
dawned on me that a virus scanner running under XP cannot always
find all malware. Root kits, Alureon.... Cybot-BC... Bamital-AU
and so-on-and-so-forth.

I routinely image a build with an eye to restoring said image
if/when things go South.... but, of course, it's important that
the image be of a good, uninfected system.....

To that end, here's what I come up with as a procedure for
maximizing the chances of a good image, using Avast as the
anti-virus utility:

---------------------------------------------------------------
1) Tell Avast to write a log of scan results
(the log seems to default to
C:\Documents and Settings\All Users\Application Data\Alwil
Software\Avast5\Report\aswboot.txt).

2) Run an Avast Boot-time scan.

3) Inspect the resulting log, just for good measure.

4) If infections are found/supposedly remedied, run
the boot scan again, looking for a clean log.

5) Run a disk disc check to make sure there are no
bad sectors (I use "HdTune").

6) Run ChkDsk C: just for good measure.

7) Image the supposedly-clean system
---------------------------------------------------------------


Am I missing anything? For starters, I am assuming that the
boot-time scan will catch everything that the under-XP scan will.
--
PeteCresswell
 
 
 
 
 
Zaphod Beeblebrox
 
      15th Feb 2011

"(PeteCresswell)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> While trying to fix up somebody's aging laptop, it has finally
> dawned on me that a virus scanner running under XP cannot always
> find all malware. Root kits, Alureon.... Cybot-BC... Bamital-AU
> and so-on-and-so-forth.
>
> I routinely image a build with an eye to restoring said image
> if/when things go South.... but, of course, it's important that
> the image be of a good, uninfected system.....
>
> To that end, here's what I come up with as a procedure for
> maximizing the chances of a good image, using Avast as the
> anti-virus utility:
>
> ---------------------------------------------------------------
> 1) Tell Avast to write a log of scan results
> (the log seems to default to
> C:\Documents and Settings\All Users\Application Data\Alwil
> Software\Avast5\Report\aswboot.txt).
>
> 2) Run an Avast Boot-time scan.
>
> 3) Inspect the resulting log, just for good measure.
>
> 4) If infections are found/supposedly remedied, run
> the boot scan again, looking for a clean log.
>
> 5) Run a disk disc check to make sure there are no
> bad sectors (I use "HdTune").
>
> 6) Run ChkDsk C: just for good measure.
>
> 7) Image the supposedly-clean system
> ---------------------------------------------------------------
>
>
> Am I missing anything? For starters, I am assuming that the
> boot-time scan will catch everything that the under-XP scan will.


I don't know how Avast's boot-time scan works, but since Alureon and
others can place code in the MBR to hide their shenanigans, it might
be that booting to the recovery console (or a PE boot CD) and running
fixmbr would be a good step to take. Probably after scheduling the
Avast Boot-time scan but before booting back to Windows for the scan to
take place.

--
Zaphod

Arthur: All my life I've had this strange feeling that there's
something big and sinister going on in the world.
Slartibartfast: No, that's perfectly normal paranoia. Everyone in the
universe gets that.
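
The MBR concern raised in the reply above can be checked before imaging by comparing the bootstrap code in sector 0 against the same bytes from a known-good install of the same Windows version. This is an added example, not part of the thread; it assumes raw 512-byte dumps of sector 0 are available, and the sample sectors and function names are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0-439 hold the bootstrap code
PTABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"  # bytes 510-511

def parse_mbr(sector0: bytes) -> dict:
    """Split sector 0 into the parts that matter for an integrity check."""
    if len(sector0) < SECTOR:
        raise ValueError("need the full 512-byte first sector")
    parts = []
    for i in range(4):
        entry = sector0[PTABLE_OFF + 16 * i:PTABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0x00 marks an unused slot
            parts.append({"active": entry[0] == 0x80, "type": entry[4],
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector0[:BOOT_CODE_LEN]).hexdigest(),
            "valid_signature": sector0[510:512] == SIGNATURE,
            "partitions": parts}

def check_mbr(sector0: bytes, reference: bytes) -> list:
    """Return findings; an empty list means the boot code matches the reference."""
    mbr, ref = parse_mbr(sector0), parse_mbr(reference)
    findings = []
    if not mbr["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] != ref["boot_code_sha256"]:
        findings.append("boot code differs from reference")
    if sum(p["active"] for p in mbr["partitions"]) != 1:  # bootable system disk
        findings.append("expected exactly one active partition")
    return findings

def constructed_sector(boot_code: bytes) -> bytes:
    """Constructed sample sector: filler boot code, one active type-0x07 partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 2048000)
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6
    return body + entry + b"\x00" * 48 + SIGNATURE

# Constructed stand-ins, not real boot code. In practice, read the first 512
# bytes of each raw disk dump with open(path, "rb").read(SECTOR).
REFERENCE = constructed_sector(b"REFERENCE-BOOT-CODE")
MODIFIED = constructed_sector(b"MODIFIED-BOOT-CODE")

if __name__ == "__main__":
    print(check_mbr(REFERENCE, REFERENCE))
    print(check_mbr(MODIFIED, REFERENCE))
```

Take the dump from a CD or PE boot rather than from the running Windows install, since a rootkit can hide its MBR changes from the live system. A match covers only the bootstrap code in sector 0 and says nothing about the rest of the disk.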


 
 
Tim Meddick
 
      15th Feb 2011
I would also run the Windows Disk Defragmenter on the drive before copying
the "image", as a very last thing to do.

==

Cheers, Tim Meddick, Peckham, London. :-)




"(PeteCresswell)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> While trying to fix up somebody's aging laptop, it has finally
> dawned on me that a virus scanner running under XP cannot always
> find all malware. Root kits, Alureon.... Cybot-BC... Bamital-AU
> and so-on-and-so-forth.
>
> I routinely image a build with an eye to restoring said image
> if/when things go South.... but, of course, it's important that
> the image be of a good, uninfected system.....
>
> To that end, here's what I come up with as a procedure for
> maximizing the chances of a good image, using Avast as the
> anti-virus utility:
>
> ---------------------------------------------------------------
> 1) Tell Avast to write a log of scan results
> (the log seems to default to
> C:\Documents and Settings\All Users\Application Data\Alwil
> Software\Avast5\Report\aswboot.txt).
>
> 2) Run an Avast Boot-time scan.
>
> 3) Inspect the resulting log, just for good measure.
>
> 4) If infections are found/supposedly remedied, run
> the boot scan again, looking for a clean log.
>
> 5) Run a disk disc check to make sure there are no
> bad sectors (I use "HdTune").
>
> 6) Run ChkDsk C: just for good measure.
>
> 7) Image the supposedly-clean system
> ---------------------------------------------------------------
>
>
> Am I missing anything? For starters, I am assuming that the
> boot-time scan will catch everything that the under-XP scan will.
> --
> PeteCresswell


 
 
glee
 
      16th Feb 2011
"(PeteCresswell)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> While trying to fix up somebody's aging laptop, it has finally
> dawned on me that a virus scanner running under XP cannot always
> find all malware. Root kits, Alureon.... Cybot-BC... Bamital-AU
> and so-on-and-so-forth.
>
> I routinely image a build with an eye to restoring said image
> if/when things go South.... but, of course, it's important that
> the image be of a good, uninfected system.....
>
> To that end, here's what I come up with as a procedure for
> maximizing the chances of a good image, using Avast as the
> anti-virus utility:
>
> ---------------------------------------------------------------
> 1) Tell Avast to write a log of scan results
> (the log seems to default to
> C:\Documents and Settings\All Users\Application Data\Alwil
> Software\Avast5\Report\aswboot.txt).
>
> 2) Run an Avast Boot-time scan.
>
> 3) Inspect the resulting log, just for good measure.
>
> 4) If infections are found/supposedly remedied, run
> the boot scan again, looking for a clean log.
>
> 5) Run a disk disc check to make sure there are no
> bad sectors (I use "HdTune").
>
> 6) Run ChkDsk C: just for good measure.
>
> 7) Image the supposedly-clean system
> ---------------------------------------------------------------
>
>
> Am I missing anything? For starters, I am assuming that the
> boot-time scan will catch everything that the under-XP scan will.



A boot scan may catch more than a scan from within Windows, but you are
still booting from the hard drive, so it is not as good as a scan from a
CD boot. Avast is also not the best when it comes to detection rate.

To scan the system from a CD boot, create and use a Rescue CD from
either Kaspersky or BitDefender.

Kaspersky Rescue Disk 10
http://support.kaspersky.com/viruses/rescuedisk?level=2

BitDefender Rescue CD
http://download.bitdefender.com/rescue_cd/

Using The BitDefender Rescue Cd -
http://forum.bitdefender.com/index.p...howtopic=16602


Finally, if a root kit is detected on a system, I would recommend wiping
the hard drive, NOT cleaning it and imaging it. Once the system has a
root kit, you are beyond the point where an image that can be trusted
should be made.

Help: I Got Hacked. Now What Do I Do?
http://technet.microsoft.com/en-us/l.../cc512587.aspx

Help: I Got Hacked. Now What Do I Do? Part II
http://technet.microsoft.com/en-us/l.../cc512595.aspx

Invasion of the Computer Snatchers
http://www.washingtonpost.com/wp-dyn...401342_pf.html

--
Glen Ventura
MS MVP Oct. 2002 - Sept. 2009
CompTIA A+
http://dts-l.net/

 