Zvi Netiv said:
Not recommended!
The correct approach is to clean an affected system under its own OS and in its natural working environment and setup. Use safe mode, or better, safe mode *with command prompt* for that purpose. Read in www.invircible.com/item/80 how to do that with ease.
Here follow a couple of additional reasons why not to move disks between computers for disinfection:

In order to accommodate the additional drive you need to change BIOS settings. It may happen that instead of booting from your drive, you'll end up booting off your friend's drive instead. As a wise man said: Sh*t happens!

Your friend's viruses infecting your PC aren't the main concern for which I do not recommend moving disks between computers for disinfection.
The major reason for which it's not worth the hassle is because it's ineffective! The great majority of malware that account for most infections today aren't banal file infectors as they were known until a few years ago, but worms, Trojans and plug-ins. The removal of the latter consists not only of deleting the offensive program, but *mostly* of the reversal of the changes it made to the system, like in INI files, the registry, etc. "Disinfecting" without the reversal of these changes will leave the system in a non-functional state.

Lastly, if the host PC runs under a later NTFS file system, or with advanced security, then you risk modifying the slave in a way that will lock your friend out of his own files and data.
Regards, Zvi
Whilst I can understand that there is a theoretical basis as to why you would not recommend this cleaning method, your opinion is rooted in the theoretical and not in the practical world that some of us inhabit. Repairing a badly infected system under the power of its own OS can be very, very slow = time-consuming = expensive. In the real world, people who have allowed their PC to get totally gummed up with every bit of malevolent code there is tend to want a cost-effective solution, and if you're in the business of doing 2 or 3 a day of these technical basket cases then a faster solution makes sense.
The majority of the 'puters that I get in have, on average, 100+ items that are detected and removed/quarantined at the first pass (AVG). The second pass using an alternative (Norton) will usually get me a few more. I have, in the past, done it the slow way and it is a waste of time. Bear in mind that, when a system is really gubbed, you have to make the decision between cleaning or wiping. In both cases it is necessary to back up the client's user files. To do so using their own OS relies on their CD writing software still being able to function and their system being able to run along at a sensible speed.
It's true to say that, on a few occasions, it's possible to get registry errors when the drive is replaced into the victim system, and this is very useful indeed as it is nearly always registry calls to files that have been removed! This means that you get a useful indication of which keys need to be edited, which would otherwise be a bit of a slog. After a while you get to recognise the level of errors that dictate a wipe as opposed to a repair.
You comment about the changing nature of 'malware'; this is true, but apart from the fact that vendors such as AVG and Norton tend to be widening their detections these days, I fully expect to have to use alternatives such as Spybot, Ad-Aware, Stinger & HijackThis for 'non-infectors' once the OS has been unburdened somewhat and is able to scan at a decent pace.
<natural working environment and setup>
The systems I get in here are a long way from anything that could remotely be described as 'natural'.
<In order to accommodate the additional drive you need to change BIOS settings.>
Nope, a setting of auto detect works just fine for me with the added precaution of having set 'C only' in the BIOS.
<It may happen that instead of booting from your drive, you'll end up booting off your friend's drive instead>
I would suggest that anyone who would make that error would notice pretty quickly all the new device drivers trying to load and know to hit the off switch.
You're scaremongering!
<The major reason for which it's not worth the hassle is because it's ineffective!>
Not true at all, every machine I deliver back is clean and with a lot of added protection; if I were ineffective I would go bust! Simple.
<"Disinfecting" without the reversal of these changes will leave the system in a non-functional state.>
Not true; whilst there are occasions when I have to do a fair amount of registry editing at later stages, in the majority of cases it's relatively simple. When it is not, then it's time to wipe and, being pragmatic, I have a cleaned and complete copy of the client's user files on a separate hard drive ready to drop back in.
You're obviously highly knowledgeable and a specialist in a 'bespoke' methodology; however, you have to bear in mind that some of us lowly serfs do manage to get by and do a proper job using less sophisticated techniques.
B
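Both posts touch on the same cleanup step: once the malware executables have been deleted, the Run-key values that launched them still point at files that are gone, which is what produces the boot-time errors mentioned. The following Python script is an added illustration, not code from either poster: it parses a constructed REGEDIT export of a Run key, compares each target against a constructed listing of the slaved drive, and reports the dangling values. The export, the file listing and the value names are assumptions.

```python
"""Added example (not either poster's code): list Run-key values that still
point at files the cleanup has already removed from the slaved drive."""
import re

# Constructed REGEDIT export of a Run key (not a real capture).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\Windows\\system32\\soundman.exe"
"svchost32"="\"C:\\Windows\\temp\\svchost32.exe\" -s"
"Updater"="C:\\Program Files\\Example\\updater.exe /quiet"
'''
# Constructed listing of the slaved drive after svchost32.exe was deleted.
FILES_ON_DRIVE = [r'C:\Windows\System32\SoundMan.exe',
                  r'C:\Program Files\Example\updater.exe']
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def unescape_reg(data):
    """Undo the REGEDIT escaping of quotes and backslashes in a REG_SZ value."""
    return data.replace('\\"', '"').replace('\\\\', '\\')

def executable_of(command):
    """Return the program path from a Run command line, quoted or unquoted."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    tokens = command.split()
    for i in range(1, len(tokens) + 1):  # unquoted paths may contain spaces
        candidate = ' '.join(tokens[:i])
        if candidate.lower().endswith(('.exe', '.com', '.scr')):
            return candidate
    return command

def dangling_run_entries(reg_text, present_files):
    """Return (value name, target) for values whose target is not on the drive.
    Matching is case-insensitive, as NTFS lookup is; bare names without a drive
    letter resolve via PATH at boot and are skipped as unresolvable."""
    present = {p.lower() for p in present_files}
    missing = []
    for line in reg_text.splitlines():
        match = VALUE_RE.match(line.strip())
        if not match:
            continue
        target = executable_of(unescape_reg(match.group('data')))
        if ':\\' in target and target.lower() not in present:
            missing.append((match.group('name'), target))
    return missing

def demo():
    """Run the check over the constructed export and drive listing."""
    return dangling_run_entries(SAMPLE_REG, FILES_ON_DRIVE)
```

On a real slaved volume the listing would come from walking the mounted drive and rewriting the mount point back to the drive letter; the reported values are the ones to delete or repair before the disk goes back into the client's machine.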