Scanning D Drive



rgATL
2008-04-07, 22:31
Hey,

I'm sure this had been asked, but I can't seem to come up with the right search terms to find it. I'm hoping someone can point me in the right direction:

I went to a song lyrics site (plyrics.com I think), and it was kind enough to give me some sort of malware (adware, spyware, maybe virus/trojan). It was taking over my laptop (launching IE windows, installing software, etc.), so I turned it off. I've taken the original (infected) system drive out and put in another hard drive, making the infected drive the D drive now. (Both drives have Win XP installed.) I've scanned both drives with Symantec Antivirus 10, and it found Trackware.Webhancer; I'd now like to scan with other software (including Spybot).

How can I use Spybot to scan the infected drive (the D drive now); it looks like Spybot only checks the C drive.

Thanks,
rg.

Zenobia
2008-04-07, 22:51
Please see here:
http://forums.spybot.info/showthread.php?t=12271

rgATL
2008-04-08, 01:59
Thanks for your reply.

With the infected drive as D, I scanned with Symantec Antivirus 10, Spybot 1.5.2, and Ad-Aware. Symantec found Trackware.Webhancer, and Ad-Aware found Virtumonde; both of which they said they removed.

So, thinking that everything is now fixed, I put the hard drive back in as the system drive and booted from it. Windows XP was extremely slow to load, and when it did, I got 10-20 RUNDLL errors reading:


Error loading C:\DOCUMEN~1\"username"\LOCALS~1\Temp\dcfqpsfml.drv

The specified module could not be found.

This error also comes up if I try to open any application (Spybot install file, IE browser, etc) or try to access the desktop properties -- this happens in BOTH normal boot AND safe mode.

In addition, the task manager has been turned off -- and when the computer sits idle (as I've been typing this post on another laptop), a "screensaver" of beetles eating the desktop comes on (not sure if this is related, but I've never seen it before).

Any thoughts?

Thanks,
rg.

rgATL
2008-04-08, 02:26
Sorry, forgot to mention that desktop wallpaper has changed to a blue background with a "warning" in the middle of the screen with something to the effect of, "your computer may be infected with spyware."

So, I can't do anything at all, so I'm not sure how to run Spybot or HijackThis.

Thank you so much,
rg.

chi-va
2008-04-08, 15:46
Sorry for the interruption Zenobia. I don't think that Spybot-S&D would scan the drive automatically.

Quoted from the FAQ:

"There are different ways to search for spies. One would be to search the complete registry and hard disk for suspicious entries and files. That can take a lot of time.

Spybot-S&D takes advantage of the fact that all spies have to anchor themselves at a few places over the system to get active. It starts to search at these places, following the information gathered there to catch the whole spy."

The problem is that the removed drive has its own system, and Spybot-S&D would only scan the current system by default. It doesn't matter if the default system has two or more drives, but scanning an additional system could be a problem because it is unlikely to have left any "anchors" in the current system yet. It would be different if the "external" drive had already infected the secondary system, because then there would probably be some traces.

There are some possibilities to use Spybot-S&D in the described configuration:

1. Use Spybot-S&D with BartPE or create your own Spybot-S&D live CD
http://www.safer-networking.org/en/faq/43.html
http://forums.spybot.info/showthread.php?t=21313

2. Use the command line parameter /allhives
http://www.safer-networking.org/en/faq/41.html

3. Add the complete infected system (or only the system folders) in "Settings->Download directories". This should allow you to scan the whole drive for infected files. This procedure is not recommended because it takes a lot of time.

4. Ask for help in the malware removal forum. Before you post there it is very, very important to read this first:
http://forums.spybot.info/showthread.php?t=288

You should prefer the first solution if it is possible. With this you can leave the drive in its own hardware configuration. If you are not familiar with live CDs then please ask for help in the malware removal forum. I'm sure that the experts there could help you to remove the rogue antispyware software and the rest of the problems.

Please correct me if any of the statements are completely wrong.
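The "anchor" idea above (autostart locations that malware must touch to run at all) can be checked by hand on an offline installation, which is what the /allhives switch is meant to do for a second hive set. The script below is an added example, not part of this thread and not Spybot-S&D's own code: it loads the registry hives of the offline XP install on D: under temporary keys on the clean C: system, lists the Run/RunOnce/Winlogon values, and flags entries whose target file no longer exists on D:. A Run value left behind after an antivirus product deletes the file it points at is a typical cause of "Error loading ... The specified module could not be found" messages at logon. The D:\WINDOWS and D:\Documents and Settings paths, the OfflineSoft/OfflineUser mount names and the function names are assumptions chosen for the example; it needs an elevated PowerShell prompt.

```powershell
# Added example (not from the thread, not Spybot-S&D code): enumerate the
# autostart "anchor" entries of the OFFLINE Windows XP install on D: and
# report which ones point at files that no longer exist there.
# Assumptions: elevated PowerShell on the clean install; infected system at
# D:\WINDOWS with profiles under D:\Documents and Settings; the mount names
# OfflineSoft / OfflineUser are just the names chosen for this example.

$OfflineWindows  = 'D:\WINDOWS'
$OfflineProfiles = 'D:\Documents and Settings'

# Keys to inspect, relative to the "Software" root of each hive.
$RunKeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce',
    'Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell, Userinit, ...
)

function Test-OfflineTarget {
    param([string]$Command)
    # Pull drive-letter paths out of the command line, re-point them at the
    # offline volume (D:) and check that they exist. 8.3 names such as
    # DOCUME~1 are stored by the filesystem, so they resolve on D: as well.
    $paths = [regex]::Matches($Command, '[A-Za-z]:\\[^",]+') | ForEach-Object { $_.Value }
    if ($paths.Count -eq 0) { return $null }          # e.g. bare "Explorer.exe"
    foreach ($p in $paths) {
        $offline = $p -replace '^[A-Za-z]:', 'D:'
        if (-not (Test-Path -LiteralPath $offline)) { return $false }
    }
    return $true
}

function Get-OfflineAutostart {
    param([string]$HiveFile, [string]$MountName, [string]$SoftwareRoot, [string]$Label)

    # reg.exe load maps the hive file to HKLM\<MountName>. It fails if the
    # hive is in use, which is why this has to run from the clean install
    # (or a live CD) rather than from the infected system itself.
    & reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $HiveFile"; return }
    try {
        foreach ($sub in $RunKeys) {
            $key = "HKLM:\$MountName\$SoftwareRoot$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $item = Get-ItemProperty -LiteralPath $key
            foreach ($prop in $item.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }          # PowerShell metadata
                if ($prop.Value -isnot [string]) { continue }     # skip DWORD/binary values
                [pscustomobject]@{
                    Hive         = $Label
                    Key          = $sub
                    Name         = $prop.Name
                    Command      = $prop.Value
                    TargetExists = Test-OfflineTarget $prop.Value
                }
            }
        }
    } finally {
        [gc]::Collect()   # release cached handles so the unload succeeds
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

$results = @()

# Machine-wide anchors live in the SOFTWARE hive (its "Software" root is the hive root).
$results += Get-OfflineAutostart -HiveFile "$OfflineWindows\system32\config\software" `
    -MountName OfflineSoft -SoftwareRoot '' -Label 'HKLM (D:)'

# Per-user anchors live in each profile's NTUSER.DAT under its "Software" subkey.
foreach ($profile in Get-ChildItem -LiteralPath $OfflineProfiles -Directory) {
    $ntuser = Join-Path $profile.FullName 'NTUSER.DAT'
    if (Test-Path -LiteralPath $ntuser) {
        $results += Get-OfflineAutostart -HiveFile $ntuser -MountName OfflineUser `
            -SoftwareRoot 'Software\' -Label "HKCU ($($profile.Name))"
    }
}

# Entries whose target is missing on D: are the first things to look at; a
# rundll32 value pointing into a profile's Temp directory would show up here.
$results | Sort-Object TargetExists | Format-Table -AutoSize
```

The output is only a starting point: an entry that still exists on D: is not proved clean, and an entry with TargetExists = False is a broken anchor to remove (or to match against what the antivirus reported deleting), not proof that the infection is gone. Services, browser helper objects and Winlogon\Notify subkeys are further anchor points the same hive-loading approach reaches, and the malware removal forum can walk through those.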

rgATL
2008-04-08, 19:59
Thank so much for your reply.

As I have another hard drive from which I can boot, do I need a BartPE CD? Can I just boot from the other hard drive (with the infected drive installed as D drive) and use the /allhives option?

The FAQ (http://www.safer-networking.org/en/faq/41.html) refers to two installations on the same drive. Will /allhives find other (physical) drives as well?

Thanks,
rg.

chi-va
2008-04-09, 01:30
You can just boot from the other drive and Spybot-S&D should be able to find drive d: with /allhives. There will be a list of found registry hives, so you can confirm whether it has found it or not. I have never noticed any spyware on my system yet, so I cannot tell you how well Spybot-S&D will work with /allhives. There is not much reported about this feature in this forum.

Don't forget you can still get help at the malware removal forum. It may help this forum if you report your experiences with the /allhives parameter.

rgATL
2008-04-11, 07:56
Hey,

So, I tried the /allhives switch. It finds the Windows installation and all user profiles on my C: drive, but it did not find the installation on the D: drive.

Other than adding the entire D drive as my "download directory" in settings, how can I get Spybot to check the installation on the D drive?

Thanks,
rg.