From: Daave on
David H. Lipman wrote:

> Well, if you want to gain experience then I suggest using the
> following; GMer, Norman TSS Cleaner and/or Kaspersky's TDSSKiller
>
> http://www.gmer.net/
> http://download.norman.no/public/Norman_TDSS_Cleaner.exe

Do they have to be installed on the infected PC? Or could I install and
run them on my good PC, scanning the infected drive like I did earlier
with Avira and MBAM?

I ask because I am not familiar with these programs and didn't know if
they had the feature to scan other drives.


From: David H. Lipman on
From: "Daave" <daave(a)example.com>

| David H. Lipman wrote:

>> Well, if you want to gain experience then I suggest using the
>> following; GMer, Norman TSS Cleaner and/or Kaspersky's TDSSKiller

>> http://www.gmer.net/
>> http://download.norman.no/public/Norman_TDSS_Cleaner.exe

| Do they have to be installed on the infected PC? Or could I install and
| run them on my good PC, scanning the infected drive like I did earlier
| with Avira and MBAM?

| I ask because I am not familiar with these programs and didn't know if
| they had the feature to scan other drives.


If you scan a suspect hard drive through a surrogate PC, it will find malware that may
well be hidden and protected via RootKit techniques more readily. But it will do so ONLY
at the file level of the suspect hard drive. Any scanning of the Registry is the Registry
of the surrogate PC and not the Registry of the OS the suspect drive represents. When
scanning via a surrogate PC, standard anti malware software can be used.

When scanning a suspect computer you will have to use anti rootkit software, if a RootKit
is suspected, because the OS of the suspect computer is actually running and thus the
RootKit would also be running and thus protecting itself and hiding from standard anti
malware software.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: Daave on
David H. Lipman wrote:
> If you scan a suspect hard drive through a surrogate PC, it will find
> malware that may well be hidden and protected via RootKit techniques
> more readily. But it will do so ONLY at the file level of the
> suspect hard drive. Any scanning of the Registry is the Registry of
> the surrogate PC and not the Registry of the OS the suspect drive
> represents.

This confuses me. If I scan the *entire* drive, am I not by definition
scanning the registry on the suspect drive? The registry I'm pretty sure
would be here:

E:\WINDOWS\system32\config

Data is data, no?


From: David H. Lipman on
From: "Daave" <daave(a)example.com>

| David H. Lipman wrote:
>> If you scan a suspect hard drive through a surrogate PC, it will find
>> malware that may well be hidden and protected via RootKit techniques
>> more readily. But it will do so ONLY at the file level of the
>> suspect hard drive. Any scanning of the Registry is the Registry of
>> the surrogate PC and not the Registry of the OS the suspect drive
>> represents.

| This confuses me. If I scan the *entire* drive, am I not by definition
| scanning the registry on the suspect drive? The registry I'm pretty sure
| would be here:

| E:\WINDOWS\system32\config

| Data is data, no?


No. In fact the User Hive isn't there; it is in the User's Profile.

The OS of the surrogate PC can't tell that the suspect hard disk is from another computer
or just another drive for the surrogate. Therefore the anti malware scanner will scan the
surrogate OS' Registry and not the Registry of the affected drive.

Example: Take an Outlook PST. The vast majority can not by themselves scan a PST. You
have to load MS Outlook and a MAPI compliant AV scanner and THEN you can scan the contents
of the PST.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
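The two posts above make one point: when a suspect drive is attached to a surrogate PC, a scanner treats the hive files under E:\WINDOWS\system32\config (and each profile's NTUSER.DAT) as opaque data, while any "registry scan" it performs reads the surrogate's own live registry. The script below is an added example, not something posted in this thread or shipped with any of the tools mentioned; it uses the built-in reg.exe to mount those offline hives so the suspect OS's autostart keys can be read from the surrogate. It assumes the suspect drive is mounted as E: with an E:\WINDOWS install (as in the thread), that user profiles live under E:\Documents and Settings or E:\Users, and that it runs in an elevated PowerShell session; the Offline* key names are arbitrary labels chosen here.

```powershell
# Added example: read the autostart keys of an OFFLINE Windows install from a
# surrogate PC. Not from the thread; assumes suspect drive mounted as E:\.
# Run from an elevated PowerShell (reg.exe load requires administrator rights).
param(
    [string]$SuspectRoot = 'E:\'   # assumption: drive letter of the suspect disk
)

$config = Join-Path $SuspectRoot 'WINDOWS\system32\config'

# System-wide hives sit in system32\config; per-user hives (NTUSER.DAT) do not,
# which is the point made above. Key = temporary mount name, Value = hive file.
$hives = @{ 'OfflineSOFTWARE' = (Join-Path $config 'SOFTWARE') }
foreach ($profileRoot in @('Documents and Settings', 'Users')) {
    $dir = Join-Path $SuspectRoot $profileRoot
    if (Test-Path $dir) {
        Get-ChildItem $dir -Directory | ForEach-Object {
            $nt = Join-Path $_.FullName 'NTUSER.DAT'
            if (Test-Path $nt) {
                $label = 'OfflineUser_' + ($_.Name -replace '[^A-Za-z0-9]', '_')
                $hives[$label] = $nt
            }
        }
    }
}

# Every registry hive file starts with the ASCII magic 'regf'; check it before
# handing the file to reg.exe so a stray file with the right name is skipped.
function Test-RegfHeader([string]$Path) {
    $bytes = New-Object byte[] 4
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read,
                                 [System.IO.FileShare]::ReadWrite)
    try { [void]$fs.Read($bytes, 0, 4) } finally { $fs.Dispose() }
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -eq 'regf')
}

# Autostart locations to list, relative to the hive root.
$runKeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($name in $hives.Keys) {
    $path = $hives[$name]
    if (-not (Test-RegfHeader $path)) {
        Write-Warning "$path does not carry the regf header; skipping"
        continue
    }

    # Mount the offline hive under HKLM\<name> on the surrogate.
    & reg.exe load "HKLM\$name" $path | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $path"; continue }

    try {
        foreach ($rel in $runKeys) {
            # In the SOFTWARE hive the keys hang off the root; in NTUSER.DAT
            # they sit under Software\.
            $sub = if ($name -like 'OfflineUser_*') { "Software\$rel" } else { $rel }
            $key = "HKLM:\$name\$sub"
            if (-not (Test-Path $key)) { continue }
            $k = Get-Item $key
            foreach ($v in $k.GetValueNames()) {
                '{0}\{1} : {2} = {3}' -f $name, $sub, $v, $k.GetValue($v)
            }
            $k.Close()
        }
    } finally {
        # Release handles, then unload so the surrogate's registry is left as found.
        [GC]::Collect()
        & reg.exe unload "HKLM\$name" | Out-Null
    }
}
```

Nothing here disinfects anything; it only makes the suspect OS's own registry readable on the surrogate, so that a file-level scan of E:\ can be complemented by looking at what that OS would run at boot and logon. Unloading in the finally block matters: a hive left mounted under HKLM keeps the suspect's file open and pollutes the surrogate's registry for any scanner run afterwards.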


From: Daave on
David H. Lipman wrote:
> From: "Daave" <daave(a)example.com>
>
>> David H. Lipman wrote:
>>> If you scan a suspect hard drive through a surrogate PC, it will
>>> find malware that may well be hidden and protected via RootKit
>>> techniques more readily. But it will do so ONLY at the file level
>>> of the suspect hard drive. Any scanning of the Registry is the
>>> Registry of the surrogate PC and not the Registry of the OS the
>>> suspect drive represents.
>
>> This confuses me. If I scan the *entire* drive, am I not by
>> definition scanning the registry on the suspect drive? The registry
>> I'm pretty sure would be here:
>
>> E:\WINDOWS\system32\config
>
>> Data is data, no?
>
>
> No. In fact the User Hive isn't there; it is in the User's Profile.
>
> The OS of the surrogate PC can't tell that the suspect hard disk is
> from another computer or just another drive for the surrogate.
> Therefore the anti malware scanner will scan the surrogate OS'
> Registry and not the Registry of the affected drive.
>
> Example: Take an Outlook PST. The vast majority can not by
> themselves scan a PST. You have to load MS Outlook and a MAPI
> compliant AV scanner and THEN you can scan the contents of the PST.

Didn't know that. Thanks for the explanation.