Any risk when installing virus-hit HD as slave in other pc?


James Williams

I am trying to help out a friend whose PC (running Win XP Home) will no
longer boot beyond the 'Welcome' screen due to a virus (or viruses). He has
installed Norton Internet Security 2004 (but after the event - too late it
seems)

So, I was considering putting his hard drive as a slave in my own PC, which
has up to date virus software on it, and trying to remove the virus(es) that
way.

I am wondering whether this is risky in terms of infecting my own PC, which
is virus-free. As I will be booting from my own hard drive, is there any
risk that the virus(es) on my friend's hard drive will copy themselves onto
mine (and potentially screw it up) before I get the chance to run the virus
software?

Thanks in advance
 

brushes

James Williams said:
I am trying to help out a friend whose PC (running Win XP Home) will no
longer boot beyond the 'Welcome' screen due to a virus (or viruses). He has
installed Norton Internet Security 2004 (but after the event - too late it
seems)

So, I was considering putting his hard drive as a slave in my own PC, which
has up to date virus software on it, and trying to remove the virus(es) that
way.

I am wondering whether this is risky in terms of infecting my own PC, which
is virus-free. As I will be booting from my own hard drive, is there any
risk that the virus(es) on my friend's hard drive will copy themselves onto
mine (and potentially screw it up) before I get the chance to run the virus
software?

Thanks in advance
I use exactly this technique on a regular basis (about 8 times a week) to
clean clients' systems and in two years haven't had any problems, although I
am very careful to update both running AV programs first (Norton & AVG) and
always prior to connecting the infected slave. It's one hell of a lot faster
than running the infected drive in 'active' mode. In my case it would not be
so critical if an infection did 'leak' over as the machine is used for no
other purpose. I would not go so far as to say that there isn't any
possibility of a leak, merely that it hasn't happened to me... yet :)

One precaution I did take when setting this system up was to format a drive
and set up the programs I need and then put it on the shelf. In the event of
a calamity I would just have to swap them over. A further precaution is that
I back up clients' (user) files to a separate partition after an initial scan
and then scan again on that partition.

good luck

B
 

GSV Three Minds in a Can

from the wonderful person said:
I am trying to help out a friend whose PC (running Win XP Home) will no
longer boot beyond the 'Welcome' screen due to a virus (or viruses). He has
installed Norton Internet Security 2004 (but after the event - too late it
seems)

So, I was considering putting his hard drive as a slave in my own PC, which
has up to date virus software on it, and trying to remove the virus(es) that
way.

I am wondering whether this is risky in terms of infecting my own PC, which
is virus-free. As I will be booting from my own hard drive, is there any
risk that the virus(es) on my friend's hard drive will copy themselves onto
mine (and potentially screw it up) before I get the chance to run the virus
software?

Should not be a problem. Virus software needs to be =executed= before it
can do anything .. unless your system disk has a 'look for new .exe
files on any volume you find mounted and execute them' command, you
should be safe. 8>.

If you accidentally go opening anything on the infected disk which
claims to be a .jpg and is really a .scr, and your Windows is
sufficiently antique, then you could have problems. One hopes you are
smarter.
 

Zvi Netiv

James Williams said:
I am trying to help out a friend whose PC (running Win XP Home) will no
longer boot beyond the 'Welcome' screen due to a virus (or viruses). He has
installed Norton Internet Security 2004 (but after the event - too late it
seems)

So, I was considering putting his hard drive as a slave in my own PC, which
has up to date virus software on it, and trying to remove the virus(es) that
way.

Not recommended!
I am wondering whether this is risky in terms of infecting my own PC, which
is virus-free. As I will be booting from my own hard drive, is there any
risk that the virus(es) on my friend's hard drive will copy themselves onto
mine (and potentially screw it up) before I get the chance to run the virus
software?

Your friend's viruses infecting your PC aren't the main concern for which I do
not recommend moving disks between computers for disinfection.

The major reason for which it's not worth the hassle is because it's
ineffective! The great majority of malware that account for most infections
today aren't banal file infectors as they were known till a few years ago, but
worms, Trojans and plug-ins. The removal of the latter consists not only of
deleting the offensive program, but *mostly* of reversing the changes
it made to the system, like in INI files, the registry, etc. "Disinfecting"
without the reversal of these changes will leave the system in a non-functional
state.

The correct approach is to clean an affected system under its own OS and in its
natural working environment and setup. Use safe mode, or better, safe mode
*with command prompt* for that purpose. Read in www.invircible.com/item/80 how
to do that with ease.

Here follow a couple of additional reasons not to move disks between computers
for disinfection:

In order to accommodate the additional drive you need to change BIOS
settings. It may happen that instead of booting from your drive, you'll end up
booting off your friend's drive instead. As a wise man said: Sh*t happens!

Lastly, if the host PC runs under a later NTFS file system, or with advanced
security, then you risk modifying the slave in a way that will lock your
friend out of his own files and data.

Regards, Zvi
 

brushes

Zvi Netiv said:
Not recommended!

The correct approach is to clean an affected system under its own OS and in its
natural working environment and setup. Use safe mode, or better, safe mode
*with command prompt* for that purpose. Read in www.invircible.com/item/80 how
to do that with ease.

Here follow a couple of additional reasons not to move disks between computers
for disinfection:

In order to accommodate the additional drive you need to change BIOS
settings. It may happen that instead of booting from your drive, you'll end up
booting off your friend's drive instead. As a wise man said: Sh*t happens!

Your friend's viruses infecting your PC aren't the main concern for which I do
not recommend moving disks between computers for disinfection.

The major reason for which it's not worth the hassle is because it's
ineffective! The great majority of malware that account for most infections
today aren't banal file infectors as they were known till a few years ago, but
worms, Trojans and plug-ins. The removal of the latter consists not only of
deleting the offensive program, but *mostly* of reversing the changes
it made to the system, like in INI files, the registry, etc. "Disinfecting"
without the reversal of these changes will leave the system in a non-functional
state.

Lastly, if the host PC runs under a later NTFS file system, or with advanced
security, then you risk modifying the slave in a way that will lock your
friend out of his own files and data.

Regards, Zvi

Whilst I can understand that there is a theoretical basis as to why you
would not recommend this cleaning method, your opinion is rooted in the
theoretical and not in the practical world that some of us inhabit.

Repairing a badly infected system under the power of its own OS can be
very, very slow = time-consuming = expensive. In the real world people who
have allowed their PC to get totally gummed up with every bit of malevolent
code there is tend to want a cost-effective solution, and if you're in the
business of doing 2 or 3 a day of these technical basket cases then a faster
solution makes sense.

The majority of the 'puters that I get in have, on average, 100+ items that
are detected and removed/quarantined at the first pass (AVG). The second
pass using an alternative (Norton) will usually get me a few more. I have,
in the past, done it the slow way and it is a waste of time. Bear in mind
that, when a system is really gubbed, you have to make the decision between
cleaning or wiping. In both cases it is necessary to back up the client's
user files. To do so using their own OS relies on their CD writing software
still being able to function and their system being able to run along at a
sensible speed.

It's true to say that, on a few occasions, it's possible to get registry
errors when the drive is replaced into the victim system, and this is very
useful indeed as it is nearly always registry calls to files that have been
removed! This means that you get a useful indication of which keys need to
be edited, which would otherwise be a bit of a slog. After a while you get to
recognise the level of errors that dictate a wipe as opposed to a repair.

You comment about the changing nature of 'malware'; this is true, but apart
from the fact that vendors such as AVG and Norton tend to be widening their
detections these days, I fully expect to have to use alternatives such as
Spybot, Ad-Aware, Stinger & HijackThis for 'non-infectors' once the OS has
been unburdened somewhat and is able to scan at a decent pace.

<natural working environment and setup> The systems I get in here are a
long way from anything that could remotely be described as 'natural'.

<In order to accommodate for the additional drive you need to change BIOS
settings.>

Nope, a setting of auto detect works just fine for me, with the added
precaution of having set 'C only' in the BIOS.

<It may happen that instead of booting from your drive, you'll end up
booting of your friend's drive instead>

I would suggest that anyone who would make that error would notice pretty
quickly all the new device drivers trying to load and know to hit the off
switch.

You're scaremongering!

<The major reason for which it's not worth the hassle is because it's
ineffective!>

Not true at all, every machine I deliver back is clean and with a lot of
added protection; if I was ineffective I would go bust! Simple.

<"Disinfecting" without the reversal of these changes, will leave the system
in non functional state.>

Not true; whilst there are occasions when I have to do a fair amount of
registry editing at later stages, in the majority of cases it's relatively
simple. When it is not then it's time to wipe and, being pragmatic, I have a
cleaned and complete copy of the client's user files on a separate hard drive
ready to drop back in.

You're obviously highly knowledgeable and a specialist in a 'bespoke'
methodology; however you have to bear in mind that some of us lowly serfs do
manage to get by and do a proper job using less sophisticated techniques.

B
 

Zvi Netiv

Whilst I can understand that there is a theoretical basis as to why you
would not recommend this cleaning method your opinion is rooted in the
theoretical and not in the practical world that some of us inhabit.

I suspect that you haven't understood a single phrase of my post. Moreover,
from your own post it seems that you lack some basic understanding of the
principles involved in bulk cleaning.
Repairing a badly infected system under the power of its own OS can be
very, very slow = time-consuming = expensive.

Nonsense. Running the latest version of Stinger from local "safe mode with
command prompt" is much faster and more effective than moving the affected drive(s)
to your clean machine. I would think that the first cleaning run with Stinger
would be over before you finish removing the drive from the affected PC, not to
speak of mounting it (or them) in your clean machine.
In the real world people who
have allowed their PC to get totally gummed up with every bit of malevolent
code there is tend to want a cost-effective solution and if you're in the
business of doing 2 or 3 a day of these technical basket cases then a faster
solution makes sense.

We agree here. Only that your approach isn't cost-effective.
The majority of the 'puters that I get in have, on average, 100+ items that
are detected and removed/quarantined at the first pass (AVG). The second
pass using an alternative (Norton) will usually get me a few more. I have,
in the past, done it the slow way and it is a waste of time. Bear in mind
that, when a system is really gubbed you have to make the decision between
cleaning or wiping. In both cases it is necessary to back up the client's
user files. To do so using their own OS relies on their CD writing software
still being able to function and their system being able to run along at a
sensible speed.

Your product selection used for the first run confirms my above statement. The
above two products, especially when used from external (to the system under
cleaning) boot will worsen the problem as they will eliminate crucial giveaways
that are required to reverse changes to system files like registry, INI files,
etc. Better use a cleaner like Stinger for that purpose. I suppose that there
exist similar products from other producers as well. To fit the role of first
run cleaner, the product should cater for multiple threats (dedicated cleaners
for a specific virus won't do), be self contained and not exceed the capacity of
a single floppy, and reverse registry changes of the viruses it caters for.
It's true to say that, on a few occasions, it's possible to get registry
errors when the drive is replaced into the victim system, and this is very
useful indeed as it is nearly always registry calls to files that have been
removed!

You lack knowledge on the extent of changes done to the registry in order to tie
in the malware. "Calls to files that have been removed" are the least problem
in that domain!
This means that you get a useful indication of which keys need to
be edited which would otherwise be a bit of a slog. After a while you get to
recognise the level of errors that dictate a wipe as opposed to a repair.

You wouldn't need to work so hard on fixing the registry if you used a different
approach.
You comment about the changing nature of 'malware'; this is true, but apart
from the fact that vendors such as AVG and Norton tend to be widening their
detections these days, I fully expect to have to use alternatives such as
Spybot, Ad-Aware, Stinger & HijackThis for 'non-infectors' once the OS has
been unburdened somewhat and is able to scan at a decent pace.

For your information, Stinger is a virus cleaner. Moreover, all four utilities
you mention require that you boot off the affected local operating system! There
is no point running them when booted off an external OS. What do you do before
running Spybot, or HJT, reinstall the drive in the original PC?

If you are open to suggestions, then try running Stinger *first* from safe mode
with command prompt, then followed by Spybot S&D. A full featured AV scan is
fine for final cleaning, for the reasons explained.
the systems I get in here are a
long way from anything that could remotely be described as 'natural'

... then it isn't cost-effective either. ;-)

[snip]
<It may happen that instead of booting from your drive, you'll end up
booting of your friend's drive instead>

I would suggest that anyone who would make that error would notice pretty
quickly all the new device drivers trying to load and know to hit the off
switch.

Wanna bet?
You're scaremongering!
<The major reason for which it's not worth the hassle is because it's
ineffective!>

Not true at all, every machine I deliver back is clean and with a lot of
added protection, if I was ineffective I would go bust! simple.

It only proves that your customers understand even less, to your luck! ;)
<"Disinfecting" without the reversal of these changes, will leave the system
in non functional state.>

Not true; whilst there are occasions when I have to do a fair amount of
registry editing at later stages, in the majority of cases it's relatively
simple. When it is not then it's time to wipe and, being pragmatic, I have a
cleaned and complete copy of the client's user files on a separate hard drive
ready to drop back in.

The only instances in which I had to format and rebuild a drive after a virus
incident are when the virus payload triggered (CIH, Magistr, Opaserv.Q) and
trashed the partition. In all other cases, the drive could be restored to a
functional state, with all files on it, without formatting. In extreme cases
you may need to reinstall the OS.
You're obviously highly knowledgeable and a specialist in a 'bespoke'
methodology however you have to bear in mind that some of us lowly serfs do
manage to get by and do a proper job using less sophisticated techniques.

There is nothing sophisticated here, just common sense, and some training. Try,
and see.

Regards, Zvi
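Zvi's point in the two posts above, and brushes' earlier remark about registry errors that turn out to be calls to files already removed, come down to the same thing: after a scanner has deleted the files on a slaved drive, the autostart hooks the malware planted in that drive's registry are still there, and a slaved drive's hive is only inspected if you load it offline. The following PowerShell is an added example written for this thread, not code from any poster or product. Run as Administrator on the clean host, it first checks that the host's own AutoRun policy is fully off (the "execute whatever turns up on a mounted volume" behaviour GSV mentions), then loads the slaved drive's SOFTWARE hive under a temporary key and lists every Run/RunOnce entry together with whether its target file still exists on the slave. The drive letter D:, the mount name OfflineHive and the function names are assumptions made for the example.

```powershell
# Added example for this thread (not from any poster or product).
# Assumptions: run as Administrator on the clean host; the slaved drive is D:;
# the temporary hive mount name 'OfflineHive' is chosen here.

function Test-HostAutorunDisabled {
    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type. Anything
    # less and the host may run code from a volume as soon as it is mounted,
    # which is the one way the 'just mount it' approach can bite the host.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.NoDriveTypeAutoRun -eq 0xFF)
}

function Resolve-SlavePath {
    param([string]$CommandLine, [string]$SlaveDrive)
    # Pull the executable out of a Run value: either "quoted path" args or path args.
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($CommandLine.Trim() -split '\s+')[0] }
    # Variables and the C: drive must be re-pointed at the slave; expanding
    # %SystemRoot% on the host would test the host's files, not the patient's.
    $exe = $exe -replace '(?i)%SystemRoot%|%windir%', "$SlaveDrive\Windows"
    $exe = $exe -replace '(?i)%ProgramFiles%', "$SlaveDrive\Program Files"
    $exe = $exe -replace '(?i)^[a-z]:', $SlaveDrive
    return $exe
}

function Get-OfflineRunEntries {
    param(
        [string]$SlaveDrive = 'D:',
        # SOFTWARE hive = machine-wide Run keys. For a user's NTUSER.DAT pass
        # -KeyPrefix 'Software\Microsoft\Windows\CurrentVersion' instead.
        [string]$HiveFile  = "$SlaveDrive\Windows\System32\config\software",
        [string]$KeyPrefix = 'Microsoft\Windows\CurrentVersion',
        [string]$MountName = 'OfflineHive'
    )
    & reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HiveFile" }
    try {
        $results = @()
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "HKLM:\$MountName\$KeyPrefix\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
                $target = Resolve-SlavePath -CommandLine ([string]$p.Value) -SlaveDrive $SlaveDrive
                $results += [pscustomobject]@{
                    Key     = $sub
                    Name    = $p.Name
                    Command = $p.Value
                    Target  = $target
                    # A bare program name with no path resolves to '' here and is reported as missing.
                    Exists  = ($target -ne '' -and (Test-Path -LiteralPath $target))
                }
            }
        }
        return $results
    }
    finally {
        # The registry provider keeps a handle on the mounted hive; drop it or unload fails.
        [gc]::Collect()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# Usage on the host: check the host first, then read the slave's hive.
if (-not (Test-HostAutorunDisabled)) {
    Write-Warning 'Host AutoRun is not fully disabled (NoDriveTypeAutoRun should be 0xFF); fix that before mounting the slave.'
}
Get-OfflineRunEntries -SlaveDrive 'D:' |
    Sort-Object Exists |
    Format-Table Key, Name, Exists, Target -AutoSize
```

Entries reported with Exists = False are the dangling references brushes describes: the scanner removed the file and left the hook. Entries that do exist but are unfamiliar are the kind of change Zvi says has to be reversed rather than merely having the file deleted. The script only reports; deciding to edit or delete a value remains a judgement call, and Run/RunOnce are two of many autostart locations, so treat this as a first pass over the slave, not a complete audit.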
 

futureworlds

ROTFL!!

I see Netiv is still up to his old tricks after all these years. Gotta give
the kook credit for tenacity anyway. ;)

Bottom line is that booting from clean media is the only way to ensure
you're working in a clean environment. Not working in a clean environment
means results can be less than best case. Booting from one hard drive to
work on another is an extension of the time-tested "boot from a clean
floppy", with the notable exception that write-protecting a bootable drive
is problematic at best.

There IS a possibility of infecting your boot drive. Backups are critical.
There are also some minor problems associated with cleaning a "non-active"
drive in the modern world but they're minuscule compared to the benefits of
having a drive isolated from the tools that you're using to clean it with.
Netiv has a point, but it's an insignificant one.

As it always has, Netiv's advice can be discarded as the same self-serving
SPAM wrapped in sensationalism and salted with lies it has been since even
before Vesselin thoroughly discredited both his software and his entire
antivirus philosophy years ago.
 

James Williams

GSV Three Minds in a Can said:
Should not be a problem. Virus software needs to be =executed= before it
can do anything .. unless your system disk has a 'look for new .exe
files on any volume you find mounted and execute them' command, you
should be safe. 8>.

If you accidentally go opening anything on the infected disk which
claims to be a .jpg and is really a .scr, and your Windows is
sufficiently antique, then you could have problems. One hopes you are
smarter.


Many thanks everyone for the advice. Seems the debate proceeded to get a
little heated!!

Anyway, in the end I put the friend's HD in my PC as a slave, succeeded in
finding and removing 5 viruses and 305 files which were adware, spyware etc.,
then backed up his data (only).

Subsequently I did a fresh install of Win XP and copied back his data. He is
delighted as the PC is running as fast as when it was new 3 years ago.

And now with Norton Internet Security 2004 and a password on the system to
prevent the kids from using it to download all sorts of dodgy stuff, he
hopes it will not happen again!

Thanks all.

James
 
