How to scan data on a thumb drive to be SURE the host system isn't infected

TangleWeb

I recently took in a newer Dell running Windows XP Home SP3 that was badly infested with “Windows Antivirus Pro” malware. It was so bad that it was throwing a DCOM error & spontaneously rebooting before any attempts at a cure could be performed. I personally like to recover user data & perform a clean install of the OS & applications in cases like this, because that way you’re “sure” it’s clean & you generally get better performance after a clean install as well. I’ve found that often the time involved is shorter as well.

I removed the SATA hard drive from the infected system, installed it in a system I use for data recovery & recovered about 3 GB of user data, including the typical pictures, documents, email (.pst in this case) & some other data & saved it to a thumb drive I use for that purpose. I then performed a clean install of Windows on the infected system, downloaded & installed drivers, applied all Windows Updates.

Then I did something REALLY stupid. I was in a hurry & wanted to kick off the data transfer, so it would be done when I came back from work, so I inserted the thumb drive into the system BEFORE I installed the A/V software & IMMEDIATELY infected the system! I haven’t made a stupid mistake like that in a while. Anyway, I removed the thumb drive, booted from the XP CD & did another clean install.

This leads me to my question: what do you use to scan a thumb drive, & what software do you run to be sure that a USB flash memory drive doesn’t infect the scanning machine when connected?

~Dave
 
With these nasties, I pull the infected drive and attach it to my bench computer with a USB SATA/PATA cable and disinfect it with MBAM/AVG/Superantispyware. Only then do I back up data to a DVD or USB (usually a DVD, so the client has a hard backup). Then N&P and reload.
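The infection in the opening post is the classic XP-era autorun.inf case: plugging the stick in is enough for Explorer to run whatever the file names. The following is an added example, not code from the thread, showing what to look at in an autorun.inf before trusting a stick. It assumes the drive is attached to a bench machine where AutoRun is already disabled (on XP that is the NoDriveTypeAutoRun value set to 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer), so opening the file is safe; the sample autorun.inf text inside the script is constructed for illustration.

```python
"""Inspect a removable drive's autorun.inf before trusting the stick.

Added example, not code from the thread. Assumes AutoRun is already disabled
on the bench machine (XP: NoDriveTypeAutoRun = 0xFF under
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer),
so merely reading the file is safe. SAMPLE_AUTORUN below is constructed.
"""
import os
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[^=;]+?)\s*=\s*(?P<value>.*?)\s*$")
# Keys Explorer acts on: open= / shellexecute= run on AutoPlay, and every
# shell\<verb>\command= becomes a context-menu verb (shell\open\command is
# what a double-click on the drive letter runs).
EXEC_KEYS = {"open", "shellexecute"}
# Folders XP-era USB malware used to stash its payload out of sight.
DECOY_DIRS = {"recycler", "recycled", "system volume information"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs of the [autorun] section, keys lower-cased.
    Windows reads the file as a case-insensitive INI, so we do too; other
    sections (often junk meant to confuse scanners) are ignored."""
    in_autorun = False
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff")            # BOM on the first line
        sec = SECTION_RE.match(line)
        if sec:
            in_autorun = sec.group("name").strip().lower() == "autorun"
            continue
        if not in_autorun or not line.strip() or line.strip().startswith(";"):
            continue
        kv = KEY_RE.match(line)
        if kv:
            entries[kv.group("key").strip().lower()] = kv.group("value")
    return entries


def launch_targets(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every (key, command line) pair that can cause something to execute."""
    return [(k, v.strip()) for k, v in entries.items()
            if k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def program_of(command: str) -> str:
    """First token of a command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def assess(text: str) -> dict:
    """Parse an autorun.inf and explain what it would launch and why it smells."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    reasons: List[str] = []
    for key, cmd in targets:
        prog = program_of(cmd)
        dirs = [p.lower() for p in re.split(r"[\\/]", prog)[:-1]]
        if any(d in DECOY_DIRS for d in dirs):
            reasons.append(f"{key}= runs {prog} from a decoy system folder")
    if "action" in entries and targets:
        # action= is the text AutoPlay shows; malware sets it to mimic the
        # built-in "Open folder to view files" entry so the user picks it.
        reasons.append("action= text disguises the launch entry as the folder view")
    return {"targets": targets, "reasons": reasons, "would_launch": bool(targets)}


def inspect_drive(root: str) -> dict:
    """Read <root>\\autorun.inf if present (the stick's root) and assess it."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return {"targets": [], "reasons": [], "would_launch": False}
    with open(path, "r", encoding="utf-8-sig", errors="replace") as fh:
        return assess(fh.read())


# Constructed sample in the style of XP-era USB worms (not a real specimen).
SAMPLE_AUTORUN = """\
[junk]
filler=1
[AutoRun]
 Open=RECYCLER\\S-1-5-21-0-0-0-500\\setup.exe
Icon=%SystemRoot%\\system32\\shell32.dll,4
Action=Open folder to view files
shell\\open\\Command=RECYCLER\\S-1-5-21-0-0-0-500\\setup.exe
UseAutoPlay=1
"""

if __name__ == "__main__":
    import sys
    result = inspect_drive(sys.argv[1]) if len(sys.argv) > 1 else assess(SAMPLE_AUTORUN)
    for key, cmd in result["targets"]:
        print(f"{key} -> {cmd}")
    for why in result["reasons"]:
        print("!", why)
```

Run it as `python autorun_check.py E:\` against the mounted stick. A launch entry by itself is not proof of infection: U3 sticks such as the Avast one mentioned later in this thread use autorun.inf for their own launcher, so the thing to check is the file the entry points at, and whether it sits in a folder that has no business holding a program.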

BTW. What program do you use to copy the client's data for backup and restore?
 
That's an excellent tip: scan the drive in the host (data recovery) computer BEFORE recovering the user's data.

I don't use a program to back up the user's data; I copy it manually to a USB-attached external hard drive or flash memory drive. I only get what's required. Usually the contents of the My Documents folder of each user profile, the All Users desktop, mail (depending on the client), the Windows Address Book, things like the .NK2 file for Outlook, folders in the root like Kodak Pictures, etc., etc.
 
Usually the contents of the My Documents folder of each user profile, the All Users desktop, mail (depending on the client), the Windows Address Book, things like the .NK2 file for Outlook, folders in the root like Kodak Pictures, etc., etc.

I know I have asked for this before, but I am still looking for a proggy that will trace and copy data from ALL the common and uncommon locations (Outlook being most notorious). My Documents retrieves 90%, but when I have to get that bagpipe music from that oddball program, and the client forgot he even had it... I don't want to miss it.

BTW. I am NOT kidding about the bagpipe music, fortunately the client was looking for only that from an old crashed laptop.
 
I've found that nothing beats a thorough manual investigation of the directory structure of the hard drive(s).

One of the things I check is the "Recent" documents folder in the user's profile. By checking this, you can see what documents & files they're opening & where they're storing them. So if it's a bizarre spot, you'll still find the data to recover it.

Code:
C:\Documents and Settings\User_Profile_Name\Recent

You can make yourself a checklist of places to check & files to save. The .NK2 file is important for users who use Outlook. This is the nickname cache & is how Outlook auto-completes the email address of someone they’ve emailed before. Of course you have to turn on viewing hidden files.
Code:
C:\Documents and Settings\User_Profile_Name\Application Data\Microsoft\Outlook
is where the .NK2 file is located.

For the Windows Address Book (.wab file)
Code:
C:\Documents and Settings\User_Profile_Name\Application Data\Microsoft\Address Book
For Outlook Express in XP
Code:
C:\Documents and Settings\User_Profile_Name\Local Settings\Application Data\Identities\{4F134A95-2034-41A9-A5C2-45B9D7E3ADA4}\Microsoft\Outlook Express
You probably already know this stuff, but others lurking & reading the thread may not :)

I sometimes use FolderSize by RoteBeta Software to see where large amounts of data are stored, especially if I suspect that the user may be saving files to a non standard location.

If it’s a really important PC & the OS isn’t too hosed, I sometimes image the entire drive & save it to an external HD. That way if you miss something, you can always go back & get it.
 
What do you use to protect usb sticks? Easy...

TangleWeb,
I use Avast U3 edition. It is Avast on a USB stick. It is $20 for 2 years. It sets up a firewall on the USB stick that scans all incoming material for viruses. It can scan itself. It can scan the host machine. :) Try it out.
And it automatically updates itself when you plug it in to a machine somewhere.
 
With these nasties, I pull the infected drive and attach it to my bench computer with a USB SATA/PATA cable and disinfect it with MBAM/AVG/Superantispyware.

This is exactly how I clean an infected hard drive. :)

As PcTek stated, you could use a U3 USB drive that has a built-in AV. Thanks for the tip on Avast U3. Avast is an excellent AV in my opinion.

Avast, if installed on the computer, will also give you the option to scan a USB drive that has been connected, and in my experience has stopped the infection from spreading to the machine when the USB drive was connected if the infection was already present on the USB.
 
My biggest issue with pulling the HDD and scanning it in a known-clean machine is that it doesn't completely remove said issues (not that I've found anyway). Lots of stuff is still active in the infected drive's registry, and can only be removed once booted in its original machine.

At least, that's what I've found (unless I'm missing something, which if I am, let me know!). To me, it's almost like doubling your work.

Nowadays, I try booting into Safe Mode and running UnHackMe right up front to kill the majority of the issues, then follow with the MBAM/SAS combo. If I can't get into Safe Mode, then I go the UBCD for Windows route, and load up either a second CD with kill tools (if it has 2 drives) or use my write-protected Ridata USB drive to pull kill tools from.

Not easy nowadays to kill this garbage, for sure. Almost on a case-by-case basis, for me.
 
Avast U3

Well...
I just wrote a post on Avast U3 showing its features. Aside from that, the normal way to get the customer's data is just to:

1.) pull the drive
2.) put the drive into your data recovery PC
3.) run your script to copy all the "known" data files to the recovery drive on your data recovery PC. Your recovery script should copy device drivers also.
4.) get the customer's Windows key, and install CDs, or partition
5.) put the drive back in the customer's PC
6.) reinstall Windows and activate it
7.) reinstall all hardware via drivers
8.) reinstall all updates and system OS patches
9.) install antivirus
10.) copy all recovered data back to the customer's PC using the reverse recovery script, with networking

Here is a link to a special PC testing bench case that makes it easier to pull drives, or just use a USB to 3-head drive connector gadget.
http://www.xoxide.com/hs.html <- check that out... and this...
The following is a device to attach disks via USB cable.
http://www.buy.com/prod/usb-2-0-to-ide-sata-converter-cable-by-eforcity/q/loc/108/207655867.html
They make them for SCSI too.
 
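Step 3 of the procedure above ("run your script to copy all the known data files") and the earlier checklist post (My Documents, the All Users desktop, Recent, the Outlook .NK2 and .pst files, the Windows Address Book, the Outlook Express Identities folder, root folders like Kodak Pictures) describe the same job. The following is an added example of such a script, not anything posted in the thread. It assumes the client's disk is attached to the bench PC and its system partition is mounted read-only at the path given as the source root, and it copies only data files: anything that carries code (.exe, .scr, .lnk, .inf and the like) is logged and left on the infected disk, which is what keeps the recovery drive from becoming the thumb drive of the opening post. The folder names are XP's; the Outlook store under Local Settings is added for Outlook 2003 and later, and the `demo()` function builds a constructed disk layout so the script can be run offline.

```python
"""Pull user data off an offline Windows XP disk without carrying the infection.

Added example, not a script from the thread. Assumes the client's drive is
attached to the bench PC and its system partition is mounted read-only at
SOURCE_ROOT. Profile folders are the ones named in the thread plus the
default Outlook 2003+ store under Local Settings; demo() is constructed data.
"""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Folders under each "Documents and Settings\<profile>" worth saving, written
# with "/" so pathlib can expand them; the Identities GUID is a wildcard.
PROFILE_LOCATIONS = [
    "My Documents",
    "Desktop",
    "Favorites",
    "Application Data/Microsoft/Outlook",                   # .pst, .nk2
    "Application Data/Microsoft/Address Book",              # .wab
    "Local Settings/Application Data/Microsoft/Outlook",    # Outlook 2003+ .pst/.ost
    "Local Settings/Application Data/Identities/*/Microsoft/Outlook Express",  # .dbx
]
# Profiles that never hold client data ("All Users" is kept for its Desktop).
SKIP_PROFILES = {"Default User", "LocalService", "NetworkService"}
# Extensions that carry code rather than data. The malware on an infected
# disk lives in these; leaving them behind is the point of the exercise.
NEVER_COPY = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
              ".js", ".jse", ".wsf", ".hta", ".dll", ".sys", ".inf", ".lnk"}


def expand(base: Path, pattern: str) -> List[Path]:
    """Resolve one PROFILE_LOCATIONS entry under a profile folder."""
    if "*" in pattern:
        return [p for p in base.glob(pattern) if p.is_dir()]
    p = base.joinpath(*pattern.split("/"))
    return [p] if p.is_dir() else []


def harvest(source_root: str, dest_root: str,
            extra: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Copy data files from every profile (and any `extra` root-level folders
    such as "Kodak Pictures") into dest_root, mirroring the source layout.
    Returns {"copied": [...], "skipped": [...]} as paths relative to source."""
    src, dst = Path(source_root), Path(dest_root)
    report: Dict[str, List[str]] = {"copied": [], "skipped": []}

    def copy_tree(folder: Path) -> None:
        for f in sorted(folder.rglob("*")):
            if not f.is_file():
                continue
            rel = f.relative_to(src)
            if f.suffix.lower() in NEVER_COPY:
                report["skipped"].append(rel.as_posix())  # logged, never silent
                continue
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, target)                       # copy2 keeps timestamps
            report["copied"].append(rel.as_posix())

    profiles = src / "Documents and Settings"
    for profile in sorted(p for p in profiles.iterdir() if p.is_dir()):
        if profile.name in SKIP_PROFILES:
            continue
        for pattern in PROFILE_LOCATIONS:
            for folder in expand(profile, pattern):
                copy_tree(folder)
    for name in extra:
        if (src / name).is_dir():
            copy_tree(src / name)
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed XP-style disk in a temp dir and harvest it."""
    root = Path(tempfile.mkdtemp())
    src, dst = root / "disk", root / "recovered"
    dave = src / "Documents and Settings" / "Dave"
    files = {
        dave / "My Documents" / "letter.doc": b"client letter",
        dave / "My Documents" / "photo.jpg.exe": b"MZ dropper",        # not data
        dave / "Application Data" / "Microsoft" / "Outlook" / "Outlook.nk2": b"nk2",
        dave / "Local Settings" / "Application Data" / "Identities"
             / "{4F134A95-2034-41A9-A5C2-45B9D7E3ADA4}" / "Microsoft"
             / "Outlook Express" / "Inbox.dbx": b"dbx",
        src / "Documents and Settings" / "Default User" / "My Documents" / "x.txt": b"",
        src / "Kodak Pictures" / "img001.jpg": b"jpeg",
        src / "autorun.inf": b"[autorun]\nopen=setup.exe\n",           # stays behind
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return harvest(str(src), str(dst), extra=["Kodak Pictures"])


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, *paths, sep="\n  ")
```

Run it with the real source and destination roots (for example `harvest("E:\\", "D:\\recovered\\client", extra=["Kodak Pictures"])`) and keep the "skipped" list with the job: it tells you which user files were refused, so a client's oddball program data with an unusual extension can be fetched by hand rather than lost. The Recent folder from the checklist post is deliberately not copied, since it holds only .lnk shortcuts; read it on the bench to learn where the user kept things, then add those folders via `extra`.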