From: Daave on 10 Aug 2010 22:18

David H. Lipman wrote:
> Well, if you want to gain experience then I suggest using the
> following; GMer, Norman TDSS Cleaner and/or Kaspersky's TDSSKiller
>
> http://www.gmer.net/
> http://download.norman.no/public/Norman_TDSS_Cleaner.exe

Do they have to be installed on the infected PC? Or could I install and run them on my good PC, scanning the infected drive like I did earlier with Avira and MBAM?

I ask because I am not familiar with these programs and didn't know if they had the feature to scan other drives.
From: David H. Lipman on 11 Aug 2010 06:19

From: "Daave" <daave(a)example.com>

| David H. Lipman wrote:
>> Well, if you want to gain experience then I suggest using the
>> following; GMer, Norman TDSS Cleaner and/or Kaspersky's TDSSKiller
>> http://www.gmer.net/
>> http://download.norman.no/public/Norman_TDSS_Cleaner.exe

| Do they have to be installed on the infected PC? Or could I install and
| run them on my good PC, scanning the infected drive like I did earlier
| with Avira and MBAM?

| I ask because I am not familiar with these programs and didn't know if
| they had the feature to scan other drives.

If you scan a suspect hard drive through a surrogate PC, it will find malware that may well be hidden and protected via RootKit techniques more readily. But it will do so ONLY at the file level of the suspect hard drive. Any scanning of the Registry is the Registry of the surrogate PC and not the Registry of the OS the suspect drive represents.

When scanning via a surrogate PC, standard anti-malware software can be used. When scanning a suspect computer you will have to use anti-rootkit software, if a RootKit is suspected, because the OS of the suspect computer is actually running and thus the RootKit would also be running and thus protecting itself and hiding from standard anti-malware software.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: Daave on 11 Aug 2010 21:04

David H. Lipman wrote:
> If you scan a suspect hard drive through a surrogate PC, it will find
> malware that may well be hidden and protected via RootKit techniques
> more readily. But it will do so ONLY at the file level of the
> suspect hard drive. Any scanning of the Registry is the Registry of
> the surrogate PC and not the Registry of the OS the suspect drive
> represents.

This confuses me. If I scan the *entire* drive, am I not by definition scanning the registry on the suspect drive? The registry I'm pretty sure would be here:

E:\WINDOWS\system32\config

Data is data, no?
From: David H. Lipman on 11 Aug 2010 21:36

From: "Daave" <daave(a)example.com>

| David H. Lipman wrote:
>> If you scan a suspect hard drive through a surrogate PC, it will find
>> malware that may well be hidden and protected via RootKit techniques
>> more readily. But it will do so ONLY at the file level of the
>> suspect hard drive. Any scanning of the Registry is the Registry of
>> the surrogate PC and not the Registry of the OS the suspect drive
>> represents.

| This confuses me. If I scan the *entire* drive, am I not by definition
| scanning the registry on the suspect drive? The registry I'm pretty sure
| would be here:

| E:\WINDOWS\system32\config

| Data is data, no?

No. In fact the User Hive isn't there, it is in the User's Profile.

The OS of the surrogate PC can't tell that the suspect hard disk is from another computer or just another drive for the surrogate. Therefore the anti-malware scanner will scan the surrogate OS' Registry and not the Registry of the affected drive.

Example: Take an Outlook PST. The vast majority can not by themselves scan a PST. You have to load MS Outlook and a MAPI compliant AV scanner and THEN you can scan the contents of the PST.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
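The limitation Dave describes (a file-level scan of E: never interprets the hive files, and the per-user hive is not even under system32\config) can be worked around by mounting the offline hives explicitly. The following PowerShell script is an added example, not code from the thread or from any of the tools named in it: run from an elevated prompt on the surrogate PC with the suspect drive as E:, it loads the offline SOFTWARE hive and each profile's NTUSER.DAT with reg.exe and lists the Run/RunOnce autostart entries. The paths E:\WINDOWS, E:\Documents and Settings and E:\Users are assumptions about the suspect install.

```powershell
# Added example (not from the thread): list autostart entries from the registry
# hives of an OFFLINE Windows install mounted as E: on a surrogate PC.
# reg.exe is used because the hives are plain files here, not the surrogate's
# live registry. Requires an elevated prompt.
# Assumptions: system root is E:\WINDOWS; profiles are under
# E:\Documents and Settings (XP) or E:\Users (Vista and later).

$SystemRoot   = 'E:\WINDOWS'
$ProfileRoots = @('E:\Documents and Settings', 'E:\Users')
$RunSubKeys   = @('Microsoft\Windows\CurrentVersion\Run',
                  'Microsoft\Windows\CurrentVersion\RunOnce')
$PsMetadata   = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-OfflineRunEntries {
    param([string]$HiveFile, [string]$MountName, [string]$SubPath)
    if (-not (Test-Path -LiteralPath $HiveFile)) { return }
    # Attach the hive file under HKLM\<MountName> on the surrogate.
    & reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $HiveFile"; return }
    try {
        foreach ($sub in $RunSubKeys) {
            # SOFTWARE hive: Run keys sit at the hive root; NTUSER.DAT: under Software\
            $key = if ($SubPath) { "HKLM:\$MountName\$SubPath\$sub" } else { "HKLM:\$MountName\$sub" }
            if (-not (Test-Path -LiteralPath $key)) { continue }
            foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
                if ($PsMetadata -contains $p.Name) { continue }   # provider metadata, not values
                [pscustomobject]@{ Hive = $HiveFile; Key = $sub; Name = $p.Name; Command = $p.Value }
            }
        }
    } finally {
        # Drop provider handles first, otherwise "reg unload" reports access denied.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# Machine-wide autostarts: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
Get-OfflineRunEntries "$SystemRoot\system32\config\SOFTWARE" 'OfflineSOFTWARE' ''

# Per-user autostarts live in each profile's NTUSER.DAT (HKCU\Software\...),
# the hive Dave points out is NOT in system32\config.
foreach ($root in $ProfileRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Directory | ForEach-Object {
        Get-OfflineRunEntries (Join-Path $_.FullName 'NTUSER.DAT') "Offline_$($_.Name)" 'Software'
    }
}
```

The output is a list of objects (hive file, key, value name, command line) that can be piped to Format-Table or Export-Csv; anything pointing at an unexpected executable on E: is what the file-level scan can then be checked against.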
From: Daave on 11 Aug 2010 23:17

David H. Lipman wrote:
> From: "Daave" <daave(a)example.com>
>
>> David H. Lipman wrote:
>>> If you scan a suspect hard drive through a surrogate PC, it will
>>> find malware that may well be hidden and protected via RootKit
>>> techniques more readily. But it will do so ONLY at the file level
>>> of the suspect hard drive. Any scanning of the Registry is the
>>> Registry of the surrogate PC and not the Registry of the OS the
>>> suspect drive represents.
>
>> This confuses me. If I scan the *entire* drive, am I not by
>> definition scanning the registry on the suspect drive? The registry
>> I'm pretty sure would be here:
>
>> E:\WINDOWS\system32\config
>
>> Data is data, no?
>
>
> No. In fact the User Hive isn't there, it is in the User's Profile.
>
> The OS of the surrogate PC can't tell that the suspect hard disk is
> from another computer or just another drive for the surrogate.
> Therefore the anti-malware scanner will scan the surrogate OS'
> Registry and not the Registry of the affected drive.
>
> Example: Take an Outlook PST. The vast majority can not by
> themselves scan a PST. You have to load MS Outlook and a MAPI
> compliant AV scanner and THEN you can scan the contents of the PST.

Didn't know that. Thanks for the explanation.