
scan a suspect HD in a healthy machine?

Discussion in 'Security and Privacy' started by maureen, 2003/01/06.

Thread Status:
Not open for further replies.
  1. 2003/01/06
    maureen

    maureen Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    128
    Likes Received:
    0
    Got a strange one. My friend gave me her computer, says it is loaded with viral activity, weird boot behavior, sometimes a male voice speaks when she closes programs. I don’t have any more info than that for the moment, but I have no reason to doubt her. There is quite a bit of data she wants to save from her HDD before I fdisk it and re-install her Win98se.

    I have been trying to do an online virus scan on her machine with trend micro and with symantec so I can identify the viruses/trojans? and disable them. Unfortunately, both of these programs tell me that the activeX controls are either missing or set wrong in IE 5.5. I went in and set them correctly, according to their instruction, but still, neither program works even with the changes. I ran SFC, and it showed only two altered system files (including setupx.dll). On boot, there is an error message stating that her AV, PCcillin, failed to initialize.

    Since all this is typical viral behavior, I am prepared to believe that this virus has disabled ActiveX on her machine (among other dastardly things). I have not been able to find a source to download and install ActiveX files - I tried the MS update, and there was nothing there specific to her machine about updating any ActiveX files. So now I’m left with a possible workaround that I am posing to this group for your valuable opinions... :)

    My question is this: I want to copy off her data files before I fdisk and reformat her HDD and reinstall Win98se for her. I don’t want to copy off any infected files. Since I can’t ID and kill anything from online resources, can I install her HDD as a slave in my own machine and scan her HDD with my AV program (which is current), to disable any Viral activity on her HDD?

    I too am running W98se on my own machine, with CA’s Etrust. I have copied off all my important files on my second hard drive which will be out of the machine when hers is put in. If nothing is activated from her hard drive (which will become a slave drive in my machine), and if it is scanned immediately, I should be able to de-activate any viruses/trojans and then put her drive back in her machine, right? If I activate her drive with auto detect in my bios, will my AV let me scan the drive?

    If anyone has had to do any workarounds like this, can you give me the benefit of your experience? TIA

    -maureen
     
  2. 2003/01/06
    MinnesotaMike

    MinnesotaMike Geek Member

    Joined:
    2002/01/07
    Messages:
    1,396
    Likes Received:
    3
    maureen,

    This is exactly what I did recently. I had computer problems and tried the online scans. Nothing was found, but I wasn't convinced. I took the drives out of the system and put them in as slave drives in my other system. Ran a scan on them with my up to date Norton's software. Everything came out clean. I didn't experience any problems. Of course, if the drive is infected, I'm not sure if the result would be different.

    Best bet, if you go that route, is to backup all your info first. Just in case.

    Mike
     

  4. 2003/01/07
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Last edited: 2003/01/07
  5. 2003/01/07
    maureen

    maureen Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    128
    Likes Received:
    0
    Mike: Well, it’s good to know someone else thinks like me! I’m still a little nervous to put that drive in my machine. One of the items on her agenda was to install a CD-RW so I did that first. Now if I can install the burning software successfully, I’m going to burn off her data onto a CD. Then I can re-establish her HDD, reinstall her programs including a current AV program, import her data into a folder and scan the folder. We’ll see if that works. If not, I’m going to have to go with your remedy and see if her HDD tries to infect my master drive. IF so, I’m expecting my AV to get in its way!

    Mark - what a nice site this is. However, there does not appear to be a downloadable scanning mechanism to identify which virus is causing the trouble on this machine - the site has approx 39 free tools specific to different viruses. Since I don’t know the virus(es) I am dealing with, this could be a very time-consuming process going at it one by one. Thanks though, I’m bookmarking it for sure. When this is resolved, I’ll post back with the results.

    thanks all.

    - maureen
     
  6. 2003/01/07
    MinnesotaMike

    MinnesotaMike Geek Member

    Joined:
    2002/01/07
    Messages:
    1,396
    Likes Received:
    3
    maureen,

    You could also scan the burned CD in your system before reloading her hard drive. There shouldn't be any possibility of infection that way. Just a thought! Let us know how you come out.

    Mike
     
  7. 2003/01/07
    Bmoore1129

    Bmoore1129 Geek Member

    Joined:
    2002/06/11
    Messages:
    1,675
    Likes Received:
    3
    maureen

    F-prot is the place to download the free DOS version of F-prot.

    Reboot to DOS and change to the f-prot directory and run f-prot. Set the program to scan everything and good luck. :)
     
  8. 2003/01/07
    maureen

    maureen Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    128
    Likes Received:
    0
    Well, hi guys. I installed the CD-RW and the burner software on the infected machine so I could burn off her data. Once I did that, I could not get into windows. Windows loaded after boot up, but it froze immediately upon loading. The mouse moved, but could not open anything including the start button on the task bar. After 4 reboots and no ability to move around in windows, I was left with no choice but to put the HDD in my own computer.

    I backed up everything of my own on my 2nd HDD, downloaded and installed the latest dat file update on my AV, changed the jumper on her HDD and put it in my machine. The bios recognized it right away, and I scanned the new D: drive immediately with my AV. 0 viruses found! So I went online and tried some online scans with Trend Micro and Panda, again: 0 viruses found. I tried a scan for trojans and it studied my ports (I don’t understand that), but again it reported no trouble. So whatever it is/was, is not detectable by AV security programs.

    (Didn’t use online scan with Symantec or McAfee because they don’t give you a choice of scanning just a single hard drive like Trend Micro - when I got to Panda it gave me a choice of HDDs only, and I got stuck with a scan of mine and hers. Took well over an hour to scan the combined 97,675 files)

    After getting all those clean reports, I copied off the critical data from her HDD onto my own master HDD, changed the jumpers and put her HDD back in her machine. I tried a Windows re-install, and it worked fine, the machine was stable and responsive. So I talked with the owner to see if she still wanted to go ahead with a reformat, since with a reformat she will lose some programs on the machine now that she doesn’t have disks for.

    But she remains sure it has a virus. At random times, upon closing programs, she told me that a voice would say, "Uh oh." She was getting an error message about corruption with normal .dot in Word. She said her AV program indicated it had a virus at one time but apparently she didn’t know what to do about it, and she feels she didn’t give the correct answer to the options she was presented with. So she believes it persisted - possibly spread. She definitely wants to start over from scratch, so I’m back in the trenches for a while.

    Thanks for all your help. I have no idea what this was, whether it was a virus, a worm, a trojan or simply some messed up system files. I wish I did know; maybe if I had an ID, my experience would have helped someone else. When I get done posting this, I’ll be running a scan on my machine again. I don’t expect to find anything. If I get any surprises, I’ll post back. After all, that was my original question :rolleyes: : Can I scan an "infected" slave drive with my own AV and not infect my master drive? Don't know that we can answer that question even if my scan comes back clean...

    P.S. Bill, thanks for setting me straight on the F-prot. I didn’t realize you had to download a trial version of the program to run the scan, the page I linked over to looked like a list of various tools to download for specific problems. I plan to go back and visit that site… when I have time :)

    cheers everybody.

    -maureen
     
  9. 2003/01/07
    MinnesotaMike

    MinnesotaMike Geek Member

    Joined:
    2002/01/07
    Messages:
    1,396
    Likes Received:
    3
    maureen,

    Strange problem indeed. I would think that with all the scans that you have done, the drive is clean. I would lean towards a file that has run amuck. :D The voice at program closings is really strange. I would convince your friend to reformat the drive and see what happens. Since this has been going on for a little bit, I would think that the AV companies would know about and have a detection file for it. Something should have shown up.

    What programs does your friend have that she would like back? Maybe some of the good people here have the programs and can get a copy for her.

    Along with the format and reload, if you go that route, reseat all the cards, memory, cpu, cables, etc. Hopefully, things will work out for you and your friend. Keep us updated.

    Mike
     
  10. 2003/01/07
    Zephyr

    Zephyr Inactive

    Joined:
    2002/01/21
    Messages:
    1,519
    Likes Received:
    0
    Maureen, It's easy to see why your friend came to you for help. ;)
     
  11. 2003/01/07
    maureen

    maureen Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    128
    Likes Received:
    0
    Mike - we went ahead with the format & install. I too had pretty much decided that she had some weird wav file set (accidentally or on purpose) to a windows event, but I don’t have speakers hooked up on the machine, so I could never witness it.

    She was willing to lose the programs for the sake of a clean install. Most of what she had which was important to her, I have too -- such as Office 2000, Photoshop, etc.; so I am putting them back on for her. (Her machine was second hand, and came with these things on it but no disks)

    Things like PCcillin, Win RAR - I have decent substitutes for them. I’m going to insist on a firewall too, and show her how to use it. Fortunately, she has install disks for the things I don’t have, like Quick Books Pro, MS Money, etc. She’ll lose her junk programs like CD labeling programs, other graphic things that came bundled with her printer software, clip art, a font installer (!), Encarta, some cooking program, etc.

    So I think we got it covered, but thanks. As I sit here now on my DSL writing this post, her machine is downloading and installing 10 mb of Win updates and service packs at 56k on the house phone - needless to say, the phone’s been pretty quiet around here for a considerable while. :D

    The fun part was locating her data files in programs I am not familiar with, and then figuring out how to import them now that the programs are re-installed. Researching all that out on the internet was a full day right there!

    Hey, Zephyr, thanks for joining in! that’s quite a compliment from a pro like you! ;)

    well, cheers again everyone. Things are looking good. Appreciate all the input.

    - maureen
     
  12. 2003/01/08
    MinnesotaMike

    MinnesotaMike Geek Member

    Joined:
    2002/01/07
    Messages:
    1,396
    Likes Received:
    3
    56K...I remember those days. The long download times, the peace and quiet from sales calls! :D You're going through a lot of work for your friend. Thank God for good friends! Hopefully, this will take care of the problems and she will be set. She should be able to pick up the software here and there. Have her look at eBay, MSBCD, #9 Software, Unbeatable Deals, Directron Software, and Overstock to name a few.

    Mike
     