At 07:25 PM 25/05/2010, Christopher Fisk wrote:
> Yank drive: Plug in USB HDD converter (I have one that does SATA,
> IDE and Laptop IDE size plug in one) and scan in a known clean
> machine. That way you can have a known clean system doing the scan
> and won't have to worry that a rootkit is hiding itself.
I do a variant of this myself, but then I do a secondary scan inside
the actual OS to deal with registry entries and so that programs like
Malwarebytes (MWB) will work more reliably (MWB requires the OS to be live
for best scanning, according to the writers).
> I've run into viruses recently that usurp winlogon in win.ini as
> well as the explorer.exe shell in the registry.
Oh that happens all the time these days. I have that fix pretty much
automated now.
> Hell, once recently even replaced the keyboard driver. Once a
> machine is infected it is faster just to yank the drive and scan it
> externally to a known good machine.
Have you tried using an MD5 hash on the files in the Windows folder
and subfolders and compared it to a known good hash to try to find
infections? I've been playing with that.
> I never trust a virus scan run on a machine that is already
> infected. I do run a Malware scan once I get the machine cleared of
> viruses on another machine to finalize the registry portion of the scan.
You're absolutely right on this.
T
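The known-good-hash check asked about above, as an added example that is not part of the original thread: build a digest manifest of a clean Windows tree on the scanning machine, then diff the suspect drive's tree against it to surface altered, missing and newly planted files. File names and contents here are constructed; the digest defaults to SHA-256, and passing `algorithm="md5"` gives the MD5 variant the thread mentions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, algorithm="sha256"):
    """Hash a file in chunks so large system files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, algorithm="sha256"):
    """Map every regular file under root (relative POSIX path) to its digest.
    Symlinks are skipped so a link planted on the suspect drive cannot steer
    the scan to a file outside the tree being checked."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p, algorithm)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.is_symlink()}

def compare_manifests(baseline, current):
    """Report how the suspect tree differs from the known-good baseline."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }

def demo():
    """Constructed scenario: a clean tree, then a suspect copy in which the
    shell binary has been swapped out and an unknown DLL has been dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp, "clean"), Path(tmp, "suspect")
        for d in (clean, suspect):
            (d / "system32").mkdir(parents=True)
            (d / "explorer.exe").write_bytes(b"MZ constructed genuine shell")
            (d / "system32" / "keyboard_driver.sys").write_bytes(b"MZ driver")
        # Baseline is taken on the clean tree and stored as JSON for reuse.
        manifest_path = Path(tmp, "baseline.json")
        manifest_path.write_text(json.dumps(build_manifest(clean), indent=1))
        # Tamper with the suspect copy, then compare it to the stored baseline.
        (suspect / "explorer.exe").write_bytes(b"MZ constructed replaced shell")
        (suspect / "system32" / "dropper.dll").write_bytes(b"MZ unknown file")
        baseline = json.loads(manifest_path.read_text())
        return compare_manifests(baseline, build_manifest(suspect))

if __name__ == "__main__":
    print(demo())
```

Because the suspect drive is read on the clean machine, a rootkit on it cannot hide these files from the walk. Prefer the SHA-256 default for the stored baseline, since MD5 collisions are cheap to construct and an altered file could be made to keep its MD5 digest.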