Yeah, now that I think about it didn't we all discuss this AV scanner machine w/ USB-IDE/SATA converter idea a few years ago?

Image & AV scan using this method are the 1st things I do when working on a box these days.

On 5/25/2010 3:25 PM, Christopher Fisk wrote:
<snip>
Yank drive: Plug in USB HDD converter (I have one that does SATA, IDE
and Laptop IDE size plug in one) and scan in a known clean machine. That
way you can have a known clean system doing the scan and won't have to
worry that a rootkit is hiding itself.

I've run into viruses recently that usurp winlogon in win.ini as well as
the explorer.exe shell in the registry.

Hell, once recently even replaced the keyboard driver. Once a machine is
infected it is faster just to yank the drive and scan it externally to a
known good machine.

Multiple advantages to this beyond the rootkit issue.

1: Your scanning machine can scan multiple drives at once
2: Your scanning system will have all your scanning software installed
and up to date
3: No need to install stuff onto the system you're working on. Saving
the install/uninstall time
4: You can delete the hiberfil, pagefile, %windir%\temp, %userdir%\Local
Settings\Temp, etc to speed up scans
5: Using regedit you can load individual registry files and search for
known issues in the registry prior to booting, allowing you to delete
crap from the HKLM\Software\Microsoft\Run, as well as loading the user's
HKCU registry file found in their %userdir%, allowing you to see what
might be loading that shouldn't be.


I never trust a virus scan run on a machine that is already infected. I
do run a Malware scan once I get the machine cleared of viruses on
another machine to finalize the registry portion of the scan.
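As an added example (my own, not code from either poster): a PowerShell script that does the offline registry check from item 5 above on the clean scanning machine, mounting the suspect drive's SOFTWARE hive and the user's NTUSER.DAT under temporary names and listing the Run keys, the Winlogon shell, and the win.ini shell/load/run lines. It assumes the pulled drive is mounted as D: with an XP-style profile path; both are placeholders to adjust.

```powershell
# Added example: triage an offline Windows drive attached via a USB-IDE/SATA
# converter to a known clean machine. Run from an elevated PowerShell.
param(
    [string]$Drive   = 'D:',                                  # assumption: mounted suspect drive
    [string]$Profile = 'D:\Documents and Settings\SomeUser'   # assumption: user's profile folder
)

# Load the offline hives under throwaway names so they never touch the live hives.
& reg.exe load 'HKLM\OffSoft' "$Drive\Windows\System32\config\SOFTWARE" | Out-Null
& reg.exe load 'HKU\OffUser'  "$Profile\NTUSER.DAT"                     | Out-Null

try {
    # Auto-start keys the thread calls out: machine-wide and per-user Run/RunOnce.
    $runKeys = @(
        'HKLM:\OffSoft\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OffSoft\Microsoft\Windows\CurrentVersion\RunOnce',
        'Registry::HKEY_USERS\OffUser\Software\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_USERS\OffUser\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            Write-Output "== $key"
            Get-ItemProperty -Path $key |
                Select-Object -Property * -ExcludeProperty PS* |
                Format-List | Out-String | Write-Output
        }
    }

    # Winlogon: Shell is normally 'explorer.exe' and Userinit normally ends in
    # 'userinit.exe,'; anything else is worth a close look before the box is booted.
    $wl = Get-ItemProperty -Path 'HKLM:\OffSoft\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Write-Output "Winlogon Shell    = $($wl.Shell)"
    Write-Output "Winlogon Userinit = $($wl.Userinit)"

    # win.ini: the [boot] shell= and [windows] load=/run= lines the thread mentions.
    if (Test-Path "$Drive\Windows\win.ini") {
        Select-String -Path "$Drive\Windows\win.ini" -Pattern '^\s*(shell|load|run)\s*=' |
            ForEach-Object { Write-Output "win.ini: $($_.Line)" }
    }
}
finally {
    # Drop lingering key handles, otherwise reg unload reports access denied.
    [gc]::Collect()
    & reg.exe unload 'HKLM\OffSoft' | Out-Null
    & reg.exe unload 'HKU\OffUser'  | Out-Null
}
```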
