  1. #1
    5 Star Lounger, Burrton, KS, USA
    I have been thinking about a new (to me at least) technique for cleaning malware infested computers. I have tested it a bit and would like any suggestions and comments from the lounge.

    Microsoft suggests using a parallel installation of Windows for this task. This involves installing Windows in a separate partition or on a separate hard drive, installing your antivirus tools on the new installation, and scanning and cleaning the infected installation from the new installation. For this to work correctly you must use AV tools that can load and scan the registry hive within the non-booted system; however, when done correctly it works very well and will find viruses and rootkits that are hidden while the infected system is booted.

    My procedure for this is to create an image of the infected system on a USB drive, using an imaging tool that can mount the image as a drive.

    I have a laptop that has all my AV tools installed and updated. It includes Malwarebytes Antimalware, Norton Internet Security 2011, Spybot Search and Destroy, Super AntiSpyware, Sophos Anti-rootkit and a few others. I install Macrium Reflect Free on the infected machine and create an image of the System partition to my USB drive. I then connect the USB drive to my laptop and scan the drive. After confirming that the drive is clean, I mount the Macrium image and begin scanning and cleaning it. After the image is cleaned, I would lay it back down on the original drive after reformatting the original drive and overwriting the MBR.

    I have tested the detection process by doing the following.

    1- I have imaged an infected machine and then began scanning the original live system. At the same time I scanned the image using my laptop. The laptop found the same viruses that scanning on the original system found.

    I have not tested past this stage.

    The questions I have are as follows:

    1> Has anyone here tried this type of cleaning using images?

    2> Is there value in scanning a system in the unbooted state from another installation of windows?

    3> Would the image procedure that I describe mimic using a parallel installation of windows to clean the infected system?

    Thanks for your comments and ideas
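    The point in the post above about needing tools that read the registry hive of the non-booted system, shown as an added example that is not from the thread or from any of the tools named: once the image is mounted as a drive letter on the clean laptop, this script loads a copy of the offline SOFTWARE hive and lists the autostart entries it holds, checking whether each referenced program exists on the image and whether it is signed. It assumes an elevated PowerShell prompt and that the mounted image received the drive letter F: (a placeholder); the hive location and key names are standard Windows paths.

```powershell
# Added example (not from the thread). Triage the autostart entries of an OFFLINE Windows
# installation that has been mounted from an image. Because the infected OS is not running,
# nothing in it can hook the registry API and hide these values from the reviewer.
# Assumptions: elevated prompt; $OfflineRoot is the mounted image's letter (F: is a placeholder).
param([string]$OfflineRoot = 'F:')

$hiveFile = Join-Path $OfflineRoot 'Windows\System32\config\SOFTWARE'
if (-not (Test-Path -LiteralPath $hiveFile)) { throw "No SOFTWARE hive at $hiveFile; is the image mounted?" }

# Work on a copy: the mounted image stays untouched and a read-only mount does not block reg load.
# Caveat: changes still pending in SOFTWARE.LOG1/.LOG2 from an unclean shutdown are not replayed.
$scratch = Join-Path $env:TEMP 'offline_hive'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
Copy-Item -LiteralPath $hiveFile -Destination (Join-Path $scratch 'SOFTWARE') -Force
$mountName = 'HKLM\OfflineSOFTWARE'            # arbitrary name for the loaded hive
& reg.exe load $mountName (Join-Path $scratch 'SOFTWARE') | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE); run from an elevated prompt." }

try {
    $keys = @('Microsoft\Windows\CurrentVersion\Run',
              'Microsoft\Windows\CurrentVersion\RunOnce',
              'Microsoft\Windows NT\CurrentVersion\Winlogon')
    foreach ($k in $keys) {
        $path = "HKLM:\OfflineSOFTWARE\$k"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        Write-Output "== $k"
        foreach ($p in (Get-ItemProperty -LiteralPath $path).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }  # provider bookkeeping, not registry data
            $cmd = [string]$p.Value
            # The first token of the command line, quoted or not, is the program that would start.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } elseif ($cmd -match '^(\S+)') { $Matches[1] } else { '' }
            # The value names the drive letter the infected OS had while booted (usually C:);
            # remap it onto the mounted image so the file itself can be examined from here.
            $mapped = $exe -replace '^[A-Za-z]:', $OfflineRoot
            $state = if ($exe -eq '') { 'empty' }
                     elseif ($exe -notmatch '^[A-Za-z]:') { 'relative name, resolve manually' }
                     elseif (-not (Test-Path -LiteralPath $mapped)) { 'FILE MISSING on image' }
                     else { 'signature: ' + (Get-AuthenticodeSignature -FilePath $mapped).Status }
            Write-Output ("  {0,-20} {1}  [{2}]" -f $p.Name, $cmd, $state)
        }
    }
} finally {
    [gc]::Collect()                                # drop handles so the unload is not refused
    & reg.exe unload $mountName | Out-Null
}
```

    Entries whose file is missing on the image, or that point at an unsigned binary in a user-writable folder, are the ones worth comparing against what the AV scanners report.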

  2. #2
    2 Star Lounger, Calif
    Hi:

    To become expert in malware removal, I recommend you "enroll" in "Malware Removal University", accessed from www.malwareremoval.com. The "classes" are taught by experienced, trained, certified, Volunteer "Malware Removal Specialists", who either belong to A.S.A.P. (Alliance of Security Analysis Professionals) and/or U.N.I.T.E (Unified Network of Instructors and Trained Eliminators).

    The latter has a recommended "List" of "Schools" at www.uniteagainstmalware.com/schools.php

    For the BEST in what counts in Life:

    http://www.ctftoronto.com

  3. #3
    5 Star Lounger, South of the North Pole
    1> Has anyone here tried this type of cleaning using images?

    2> Is there value in scanning a system in the unbooted state from another installation of windows?

    3> Would the image procedure that I describe mimic using a parallel installation of windows to clean the infected system?
    Number one, no, but the principle seems sound. Number two, BIG TIME. Let me ask this: does one try to change a flat tire while traveling along the freeway at 65 mph? Number three, I think so, but my procedure has always been to pull the drive and attach it to another system for scanning. Imaging, as with parallel installation, seems like extra work to me, but it does have the advantage of trial running, or testing the cleanup procedure to see if the OS is viable afterward, so that if it weren't, maybe a successful alternate cleanup could be attempted instead of resorting to nuke and pave.

  4. #4
    5 Star Lounger, Burrton, KS, USA
    Quote Originally Posted by Byron Tarbox:
    Imaging, as with parallel installation, seems like extra work to me, but it does have the advantage of trial running, or testing the cleanup procedure to see if the OS is viable afterward, so that if it weren't, maybe a successful alternate cleanup could be attempted instead of resorting to nuke and pave.
    If that is the only advantage, I agree that the procedure I am attempting is too time consuming. It would be just as easy and somewhat faster to pull the drive, image it with the cleanup computer, and clean the drive using the image as the fallback in case of disaster or if a "nuke and pave" becomes necessary.

    One advantage I see with cleaning the image and then laying it back on the drive is that you can wipe the drive first, ensuring that any boot sector contamination is gone. (You would not want to restore the MBR from the image in this case; most imaging restore software will allow you to write a generic MBR.)

    @Robin,

    Thanks for the links.

  5. #5
    5 Star Lounger, Burrton, KS, USA
    My whole idea here is to get away from the time of a parallel installation (and for sure a reinstallation.)

    I would be curious what the average clean time is for an infected machine. I have found that even if everything works right (which it never does), I will get no less than 1 1/2 hrs in a cleanup, and have had some run into 6 hrs. Some of the longer ones have ended in "nuke and pave" and added another 3-5 hours of installing Windows, adding programs, running updates and carefully restoring data to be sure I don't bring the infection back in.

    I used to work almost entirely on corporate machines where the policy was "nuke and pave"; however, we used images, and it was simply faster and more secure to do an image restore than to try cleanup.

  6. #6
    5 Star Lounger, Burrton, KS, USA
    You MUST test any backup solution. How far you go with your testing depends on how much pain tolerance you have when it comes time to do a restore.

    At the minimum you should burn a restore disk, boot your system on the restore disk and make sure you can access your images from the restore environment. You should also verify the image after creation, and every few images should be mounted to check that you can access the files inside them...

    An ideal test is to install a different drive in your machine and restore the image to that drive, making sure that the machine is bootable on the restored drive and that there is no data on other partitions, etc. that you may be missing with your backup. This will help you familiarize yourself with your backup software's interface and will not leave you with the stress of figuring out how it all works while dealing with the added stress of the machine that has crashed. It will also show you any incompatibility between your software's restore environment's drivers and your hardware.

  7. #7
    Super Moderator CLiNT, California & Arizona
    Quote Originally Posted by mercyh:
    1> Has anyone here tried this type of cleaning using images?

    2> Is there value in scanning a system in the unbooted state from another installation of windows?

    3> Would the image procedure that I describe mimic using a parallel installation of windows to clean the infected system?

    (1>) Not worth the time and effort, especially for productivity's sake; a recovered image would be far more expedient.
    (2>) Might be worthwhile as a hobbyist means of helping to recover the systems of others who are far less organized, those that don't routinely protect their data or operating systems against potential loss... if you fail, at least you could say you tried.
    Besides the above, the majority, if not all, specialists in the AV/AM computer industry are merely reactive-response based rather than proactive. That means you won't ever be 100% certain of eradication, even if you do manage not to make the drive you're attempting to clean unbootable (3>) or otherwise broken.
    DRIVE IMAGING
    Invest a little time and energy in a well thought out BACKUP regimen and you will have minimal down time and headache.

    Build your own system; get everything you want and nothing you don't.
    Latest Build:
    ASUS X99 Deluxe, Core i7-5960X, Corsair Hydro H100i, Plextor M6e 256GB M.2 SSD, Corsair DOMINATOR Platinum 32GB DDR4@2666, W8.1 64 bit,
    EVGA GTX980, Seasonic PLATINUM-1000W PSU, MountainMods U2-UFO Case, and 7 other internal drives.

  8. #8
    5 Star Lounger, South of the North Pole
    You should also verify the image after creation and every few images should be mounted to check that you can access the files inside them...
    At the very least, do the above, and if EaseUS can't mount an image, get one that can.

    (2>) Might be worthwhile as a hobbyist means of helping to recover the systems of others who are far less organized, those that don't routinely protect their data or operating systems against potential loss
    You're talking about the vast majority of everyday users here, and scanning an inactive OS partition is S.O.P. for at least one prominent computer repair tech (Carey Holzman of Computer America). Ain't nuthin' hobbyist about it; it's the bread and butter of consumer computer tech malware removal.

  9. #9
    5 Star Lounger, Burrton, KS, USA
    I would be curious what the average clean time is for an infected machine. I have found that even if everything works right (which it never does), I will get no less than 1 1/2 hrs in a cleanup, and have had some run into 6 hrs. Some of the longer ones have ended in "nuke and pave" and added another 3-5 hours of installing Windows, adding programs, running updates and carefully restoring data to be sure I don't bring the infection back in.
    I am curious if anyone can do better than these timeframes. I do virus cleanup by the hour, and when I run into 10 hours (failed cleanup and then reinstallation) it gets quite expensive for my customer. I am trying to develop a technique that may take a bit longer than 1 1/2 hrs every time but will be less than 5 hrs, with some assurance of success...

  10. #10
    5 Star Lounger, Burrton, KS, USA
    (1>) Not worth the time and effort, especially for productivity's sake; a recovered image would be far more expedient.
    Beyond a doubt. I am not talking about my own machines or the machines of my regular customers that are covered by nightly image backups...

    I am talking about machines that have probably never been backed up at all...

  11. #11
    5 Star Lounger, South of the North Pole
    I do virus cleanup by the hour, and when I run into 10 hours (failed cleanup and then reinstallation) it gets quite expensive for my customer.
    Must be on site, eh? The only way I know is to gravitate away from on site and to in shop as much as possible, because then you can work on many systems at once, which is about the only thing plausible when a lot of scanning and updating is involved, and so you can charge a flat rate for certain job descriptions and be able to average the cost out between the easy jobs and the more time consuming jobs so that the customer is not potentially hit so hard. It can't be too healthy for customer loyalty or, maybe even more importantly, customer referrals when the individual job runs long and it's by the hour.

  12. #12
    5 Star Lounger, Burrton, KS, USA
    I live in a low population area and do not have enough volume at this point.
