Scanning from boot cd vs running it in windows

ell

Just curious, I've read two opinions on which snags the malware best: booting from a CD and running the scans, or running the CD from the desktop. What is your preferred method?
 
Always best to run them in Windows because the registry hive is loaded.

Depends on the infection; sometimes you have to run scans outside of Windows just to be able to work in Windows. I don't typically use boot disks to run virus scans.
 

That's kind of what I'm finding these days. More and more I am doing removals in Windows after I've already run scans from a boot CD. I'm going to start running the CDs from the desktop now for a bit and see if I get faster results. I agree sometimes the boot CD is required when I can't even get to the desktop.
 
Also, if you are not familiar with the most important system files, you can potentially prevent Windows from restarting if a system file is infected and then removed via boot disk.

A good way around it is to remove the infected file and then run sfc /scannow before restarting.
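The "remove the file, then sfc /scannow before rebooting" advice above, written out as an added example (this is not code from the thread). It quarantines the flagged system file instead of deleting it, records its hash and Authenticode status first, runs SFC, and reads SFC's own [SR] lines from CBS.log rather than trusting the summary. Assumptions: an elevated PowerShell 3.0 or later on Windows 7 or newer; `C:\Windows\System32\example.dll` and `C:\Quarantine` are placeholders to replace with the real path the scanner named.

```powershell
# Added example (not from the thread). Quarantine a suspected Windows system
# file, then let SFC restore a clean copy BEFORE rebooting. Run from an
# elevated PowerShell on Windows 7 or later. $Target is a placeholder path.
param(
    [string]$Target     = 'C:\Windows\System32\example.dll',   # placeholder
    [string]$Quarantine = 'C:\Quarantine'                      # same volume as $Target
)

if (-not (Test-Path -LiteralPath $Target)) { throw "No such file: $Target" }

# .NET hash helper so this also works on PowerShell versions without Get-FileHash.
function Get-Sha256([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# 1. Record what is about to be removed. 'HashMismatch' means an embedded
#    signature no longer matches the bytes (a patched file). 'Valid' means the
#    file is intact and the detection is probably a false positive, so stop.
#    'NotSigned' is inconclusive on older Windows: most system files are
#    catalog-signed and older PowerShell does not consult catalogs, so compare
#    the SHA256 against a known-good copy of the same build instead.
$sig  = Get-AuthenticodeSignature -FilePath $Target
$hash = Get-Sha256 $Target
"{0}`n  SHA256 : {1}`n  Status : {2}`n  Signer : {3}" -f $Target, $hash, $sig.Status, $sig.SignerCertificate.Subject

if ($sig.Status -eq 'Valid') {
    Write-Warning 'Embedded signature is valid; treat this as a likely false positive. Nothing moved.'
    return
}

# 2. Quarantine, do not delete. Keep the quarantine on the same volume: a
#    rename succeeds even on a DLL that is currently mapped, a copy+delete
#    across volumes does not. takeown/icacls are needed because system files
#    are owned by TrustedInstaller.
New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null
$dest = Join-Path $Quarantine (($Target -replace '[:\\]', '_') + '.' + $hash.Substring(0, 8))
takeown /f $Target | Out-Null
icacls $Target /grant "${env:USERNAME}:F" | Out-Null
Move-Item -LiteralPath $Target -Destination $dest -Force
Add-Content -Path (Join-Path $Quarantine 'quarantine.log') `
    -Value "$(Get-Date -Format s)`t$Target`t$dest`t$hash`t$($sig.Status)"

# 3. Restore a clean copy from the component store, then read SFC's own
#    verdict from CBS.log instead of relying on the one-line summary.
sfc /scannow
$cbs = Join-Path $env:windir 'Logs\CBS\CBS.log'
$sr  = Select-String -Path $cbs -Pattern '\[SR\]' | Select-Object -Last 40
$sr | ForEach-Object { $_.Line }
if ($sr | Where-Object { $_.Line -match 'Cannot repair' }) {
    Write-Warning 'SFC could not repair a file. Do not reboot yet: copy a known-good file of the same build back into place (on Windows 8+ run DISM /Online /Cleanup-Image /RestoreHealth, then rerun sfc).'
}
```

The point of the quarantine log is that a wrong guess about a system file is reversible: the original bytes, their hash and where they came from are all still on disk, and SFC has already put a clean copy in place before the machine is asked to boot from it.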
 
What about rootkits? Can they be just as easily removed while running Windows?
 
I haven't had a problem. Typically if you're using a scanner, it will remove it on restart so the file is not locked.
 
Even if running the scans from a CD? Wouldn't the scanner have to be installed to remove on reboot?
 
I like normal mode best, but all the malware is running and that means it could take a few goes to get everything to go. I rarely see people recommend using Safe Mode anymore, but I usually still try that first, mainly because I think all my tools will work, whereas most of my antimalware tools won't work from a Windows-based boot disk. If Safe Mode doesn't work I usually reach for the boot CD.

I used to do everything possible in normal mode, but all the active malware can be very impeding.
 

Exactly, if RKill doesn't help, I just run a quick scan with Malwarebytes, and it normally allows me into normal Windows.
 

I have to agree that this is my process. I don't really have many situations where I can't get into Safe Mode at least; manually deleting the bulk of the nasties usually at least prevents it from starting with Windows or stopping .exe files from opening, then I run some scans...

But... if I can't get into it at all, depending on how lazy I feel, I will either slave the drive to the OS and delete the virus files, or I will reach for a boot CD...

I have not noticed any difference in scan speed vs. scanning in Windows Safe Mode...
 
Behavioral scanning is more effective from within the host OS, so if you're hoping for heuristic performance, it's best to attempt a scan from within the OS first.

Of course, the best idea of all is to manually inspect drivers and registry keys remotely first, make any necessary changes, and then boot to check for remnants.
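An added example of the "inspect drivers and registry keys first, then boot" approach, and of the earlier point that in-Windows scanners have the advantage of a loaded registry hive: the offline install's SOFTWARE and SYSTEM hives can be loaded under temporary names from a slaved drive or WinPE, so Run keys and boot-start drivers can be read without executing anything from the infected disk. This is not code from the thread. Assumptions: an elevated PowerShell 3.0 or later on the clean machine, and the infected install mounted at the placeholder path `E:\Windows`.

```powershell
# Added example (not from the thread). Inspect Run keys and kernel drivers of an
# OFFLINE Windows install (drive slaved into a clean machine, or from WinPE) by
# loading its hives under temporary names. Nothing on the infected disk runs.
# Assumes an elevated PowerShell 3.0+ and that the infected install is at
# $Offline (placeholder: E:\Windows).
param([string]$Offline = 'E:\Windows')   # placeholder

$cfg = Join-Path $Offline 'System32\config'
& reg load HKLM\OffSoft (Join-Path $cfg 'SOFTWARE') | Out-Null
& reg load HKLM\OffSys  (Join-Path $cfg 'SYSTEM')   | Out-Null
try {
    # ImagePath values are stored relative to the ORIGINAL install; rewrite
    # them so Test-Path looks on the slaved drive instead of the clean host.
    function Resolve-OfflinePath([string]$p) {
        $p = $p.Trim('"')
        $p = $p -replace '^\\\?\?\\', ''                               # \??\C:\...
        $p = $p -replace '^\\SystemRoot', $Offline                      # \SystemRoot\...
        $p = $p -replace '^%SystemRoot%', $Offline
        $p = $p -replace '^system32\\', (Join-Path $Offline 'System32\') # system32\drivers\x.sys
        $p = $p -replace '^[A-Za-z]:\\Windows', $Offline                # C:\Windows\...
        return $p
    }

    # 1. Machine-wide Run/RunOnce from the offline SOFTWARE hive.
    foreach ($k in 'Run', 'RunOnce') {
        $key = "HKLM:\OffSoft\Microsoft\Windows\CurrentVersion\$k"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty $key
        foreach ($n in (Get-Item $key).GetValueNames()) {
            [pscustomobject]@{ Source = $k; Name = $n; Command = $props.$n }
        }
    }

    # 2. Kernel (Type 1) and file-system (Type 2) drivers that load at boot or
    #    on demand (Start 0-3). CurrentControlSet is a live-only alias, so pick
    #    ControlSet00N from Select\Current.
    $cur = (Get-ItemProperty 'HKLM:\OffSys\Select').Current
    $svc = 'HKLM:\OffSys\ControlSet{0:D3}\Services' -f $cur
    Get-ChildItem $svc | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if (@(1, 2) -notcontains $p.Type -or $p.Start -gt 3) { return }
        # No ImagePath means the default location System32\drivers\<name>.sys.
        $img = if ($p.ImagePath) { Resolve-OfflinePath $p.ImagePath } else { Join-Path $Offline "System32\drivers\$($_.PSChildName).sys" }
        $exists = Test-Path -LiteralPath $img
        [pscustomobject]@{
            Driver = $_.PSChildName; Start = $p.Start; Image = $img; Exists = $exists
            # Worth a look: binary missing (hidden/rootkit or leftover) or living outside the driver folders.
            Review = (-not $exists) -or ($img -notmatch '\\System32\\(drivers|DriverStore)\\')
        }
    } | Where-Object { $_.Review } | Format-Table -AutoSize
}
finally {
    # The registry provider keeps handles open; drop them or reg unload fails.
    [gc]::Collect()
    & reg unload HKLM\OffSoft | Out-Null
    & reg unload HKLM\OffSys  | Out-Null
}
```

Anything listed under Review still needs a human decision (third-party drivers installed under Program Files will show up too), but a driver entry whose file cannot be found on the slaved disk while the live system reported it running is exactly the kind of discrepancy an offline look is for. If `reg unload` reports access denied, close the PowerShell session and run the unload from a fresh one.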
 
Thanks everyone, glad I posted this. Guess I will opt to scan first from the desktop from now on!
 
My usual (non-manual removal) method:

Use Plop-Linux to run an AntiVir scan on the mounted hard drive (example log file).
Boot into Windows and run Malwarebytes, Spybot, and TDSSKiller.

Check the logs, look for false positives (the example log shows 2: the Norton downloader.vbs script, but it didn't matter, we removed the expired Norton installation).

The reason I use an offline scan is mainly out of habit. I was used to having to mess with programs that blocked Regedit/cmd/taskmgr, so I would scan offline to get those out of the way first and then go in and run cleaner software afterwards. I have a WinPE 2.0 that I can PXE boot as well; I just prefer the Plop-Linux method because I can customize it better.

When I was cutting my teeth as a young tech, UBCD4Win was a staple in my toolbox.
 
I still do most all my virus removal from Safe Mode (if not using ERD Commander or a Live CD), mainly due to habit. Most of the viruses I see nowadays seem to run full force in Safe Mode, like in normal mode. I still feel that hopefully Safe Mode will stop some of the virus, making it easier to remove.

I do my cleanup most of the time in Normal Mode.
 

Manual removals of the Antivirus2010 variants that lock you out ("This is a virus! Taskmgr is a VIRUS!!!") I usually do from Safe Mode with Command Prompt; those don't load then. Usually I find whatever is in the %appdata% folder and get rid of it. If you have to have a GUI you can type "explorer" from the command window and it will open up without running the usual gamut of startups the other Safe Modes open too.
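The "%appdata% from Safe Mode with Command Prompt" routine above, as an added example that is not part of the original post. From the Safe Mode command prompt, typing `powershell` and running this lists every executable written to the user's profile in the last N days, marks which of them are launched from the per-user Run keys (where rogues that run without admin rights register themselves), and with `-Quarantine` moves only the autostarted ones aside after exporting the keys. Assumptions: PowerShell 3.0 or later is present (Windows 7 with the management framework update, or newer); `-Days`, `-Quarantine` and `C:\Quarantine` are this example's own parameters, not anything from the thread.

```powershell
# Added example (not from the thread). From Safe Mode with Command Prompt, type
# "powershell" at the prompt and run this. It lists executables written to the
# user's profile in the last $Days days (where Antivirus2010-style rogues drop
# themselves), marks which are launched from HKCU Run keys, and with
# -Quarantine moves those autostarted files aside and removes their Run value
# after exporting the key. Assumes PowerShell 3.0+. Nothing is deleted.
param(
    [int]$Days = 14,
    [switch]$Quarantine,
    [string]$QDir = (Join-Path $env:SystemDrive 'Quarantine')   # same volume as the profile
)

$roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
         Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
$since = (Get-Date).AddDays(-$Days)

# Per-user autostarts. A rogue that runs as the user cannot write HKLM, so it
# lands in one of these.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$autoruns = foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty $k
    foreach ($n in (Get-Item $k).GetValueNames()) {
        [pscustomobject]@{ Key = $k; Name = $n; Command = [string]$props.$n }
    }
}

# Recently written executables under the profile, with signature status and
# whether any Run value references them.
$found = foreach ($r in $roots) {
    Get-ChildItem -Path $r -Recurse -Force -Include *.exe, *.dll, *.scr, *.com -ErrorAction SilentlyContinue |
      Where-Object { $_.LastWriteTime -gt $since } |
      ForEach-Object {
          $f   = $_
          $sig = Get-AuthenticodeSignature -FilePath $f.FullName
          $hit = @($autoruns | Where-Object { $_.Command.IndexOf($f.FullName, 'OrdinalIgnoreCase') -ge 0 })
          [pscustomobject]@{
              Path      = $f.FullName
              Written   = $f.LastWriteTime
              Signature = $sig.Status
              Autostart = ($hit.Count -gt 0)
              RunValue  = $hit
          }
      }
}
$found | Sort-Object -Property Autostart, Written -Descending |
    Format-Table Written, Signature, Autostart, Path -AutoSize

if ($Quarantine) {
    New-Item -ItemType Directory -Force -Path $QDir | Out-Null
    # Export each Run key once before touching it so the change can be undone.
    foreach ($k in ($runKeys | Where-Object { Test-Path $_ })) {
        & reg export ($k -replace '^HKCU:', 'HKCU') (Join-Path $QDir (($k -replace '[:\\]', '_') + '.reg')) /y | Out-Null
    }
    foreach ($f in ($found | Where-Object { $_.Autostart })) {
        foreach ($h in $f.RunValue) { Remove-ItemProperty -Path $h.Key -Name $h.Name }
        $dest = Join-Path $QDir ($f.Path -replace '[:\\]', '_')
        Move-Item -LiteralPath $f.Path -Destination $dest -Force   # rename on the same volume, works even if mapped
        Add-Content (Join-Path $QDir 'quarantine.log') "$(Get-Date -Format s)`t$($f.Path)`t$dest"
    }
}
```

Run it once without `-Quarantine` and read the table: legitimate per-user software (browser updaters, chat clients) also lives under %APPDATA% and will appear, usually with a Valid signature, so the file to go after is the recent, unsigned one that a Run value points at. The exported .reg files and the moved binaries make the action reversible if the machine misbehaves after the next normal boot.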
 