
Read infected disk safely?


    Read infected disk safely?

    I'm about to try to recover data from a friend's disk, which is infected. The disk is not in a machine any more, and I plan to put it in a USB case and plug that into a PC. The infection apparently came from trying to connect to broadband without first having an antivirus in place. Not sure what it might have but when it was the disk in its machine, it kept running svchost.exe at 100% cpu.

    Any hints here, esp. to avoid infecting my machine?

    Plan A: boot Linux and read it with that.
    Problem A: doesn't see a USB drive.

    Plan B?

    #2
    There are a couple of Linux based boot utils I know of which will definitely read a locally mounted drive as it can be mounted and the data contained therein. Problem is then running an AV - so forget that I think.

    Plan B - install the drive as a second IDE locally to your machine and sweep with an AV from Linux.

    Plan C - install as USB \ local (IDE?) boot into Win XX safe mode and sweep the infected drive from there.

    Standard Disclaimer: Obviously ensure that you are bang up to date with AV pattern files etc, set it to check files upon access etc. This product may contain nuts, and your home is at risk if you cannot keep up repayments on a loan or mortgage taken out on it etc etc.
    "The Kop's exclusive, an institution, and if you're a member of the Kop you feel you're a member of a society, you've got thousands of friends around you and they're united and loyal"

    Comment


      #3
      Originally posted by expat
      I'm about to try to recover data from a friend's disk, which is infected. The disk is not in a machine any more, and I plan to put it in a USB case and plug that into a PC. The infection apparently came from trying to connect to broadband without first having an antivirus in place. Not sure what it might have but when it was the disk in its machine, it kept running svchost.exe at 100% cpu.

      Any hints here, esp. to avoid infecting my machine?

      Plan A: boot Linux and read it with that.
      Problem A: doesn't see a USB drive.

      Plan B?
      Just so long as you don't boot from the infected drive or run any of the executables you should be able to scan it from Windoze using AVG etc.

      Comment


        #4
        Originally posted by Dr Evil
        There are a couple of Linux based boot utils I know of which will definitely read a locally mounted drive as it can be mounted and the data contained therein. Problem is then running an AV - so forget that I think.

        Plan B - install the drive as a second IDE locally to your machine and sweep with an AV from Linux.

        Plan C - install as USB \ local (IDE?) boot into Win XX safe mode and sweep the infected drive from there.

        Standard Disclaimer: Obviously ensure that you are bang up to date with AV pattern files etc, set it to check files upon access etc. This product may contain nuts, and your home is at risk if you cannot keep up repayments on a loan or mortgage taken out on it etc etc.
        Thanks.

        I reckon that if I'm in Linux then I can do without the AV (could be wrong there). I just have trouble seeing the disk. This is Mandrake, maybe another distro could be the lazy man's way of getting to it?

        I've got a laptop and a small-box desktop here so I can't connect the disk IDE to either (unless I use the offender as the only disk in the desktop, hmm).

        But using Safe Mode is a good idea (I think).

        Comment


          #5
          Originally posted by Churchill
          Just so long as you don't boot from the infected drive or run any of the executables you should be able to scan it from Windoze using AVG etc.
          Thanks, that's what I thought. Update AVG and run it on PC, reboot in safe mode, plug in drive, run AVG on it, then copy data files to CD-R.

          Comment


            #6
            Originally posted by expat
            Thanks.

            I reckon that if I'm in Linux then I can do without the AV (could be wrong there). I just have trouble seeing the disk. This is Mandrake, maybe another distro could be the lazy man's way of getting to it?

            I've got a laptop and a small-box desktop here so I can't connect the disk IDE to either (unless I use the offender as the only disk in the desktop, hmm).

            But using Safe Mode is a good idea (I think).
            To be honest Safe Mode is belt and braces really, so long as your original OS is the one being booted into and no exes are run - it's all good. The HDD is hardly going to jump up and try and throttle you!!! (well they haven't in my experience - but it was a while ago!). So long as you see the offending disk - that's the important thing, USB \ IDE whatever and you are protected by AV on your machine's OS. Usual common sense safeguards apply remove network cable, don't login as admin unless you have to. Treat the HDD as a slightly dodgy guest!!!

            Only possible problem (and I haven't ever had to try it yet) is that you may not be able to add a USB connected drive in Safe Mode - but I could be wrong there. PM me if you need some off board machine specific help.
            "The Kop's exclusive, an institution, and if you're a member of the Kop you feel you're a member of a society, you've got thousands of friends around you and they're united and loyal"

            Comment
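The Linux route from post #2 (mount the drive, sweep it with an AV) and the rule in post #6 (never let anything on the disk execute; treat it as a dodgy guest) can be written down as one script. The following is an added example, not something posted in this thread: it assumes a current Linux with GNU coreutils, that the disk in its USB case shows up as a block device (find it with lsblk or dmesg), and that clamscan from ClamAV is installed as the scanner (the thread used AVG on Windows, which is not an option from Linux). The device path, mount point and destination directory are placeholders passed on the command line; the /proc/mounts lines at the bottom are constructed samples so the mount check can be exercised without root or a real disk.

```shell
#!/bin/sh
# Added example, not from the thread. Mounts a suspect disk so that nothing on
# it can run or be modified, verifies the kernel honoured those options, scans
# it, and copies only data files out. clamscan (ClamAV) is an assumed scanner.

# Options every quarantined mount must carry:
#   ro     - the disk is the only copy of the data; never write to it
#   noexec - no binary on it can be executed via this mount
#   nosuid - set-uid bits on it are ignored
#   nodev  - device nodes on it are ignored
QUARANTINE_OPTS="ro,noexec,nosuid,nodev"

# check_mount_line "<line from /proc/mounts>" "<mountpoint>"
# Returns 0 only if the line is for MOUNTPOINT and carries ro, noexec, nosuid
# and nodev. /proc/mounts fields: device mountpoint fstype options dump pass.
check_mount_line() {
    mnt=$2
    set -- $1
    [ "$2" = "$mnt" ] || return 1
    opts=",$4,"
    for need in ro noexec nosuid nodev; do
        case "$opts" in
            *",$need,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# mount_quarantined DEVICE MOUNTPOINT
# Mounts with the quarantine options, then trusts what /proc/mounts reports
# rather than what was asked for: a filesystem driver may drop options it
# cannot honour, and an rw or exec mount of this disk is exactly the risk.
mount_quarantined() {
    mkdir -p "$2" || return 1
    mount -o "$QUARANTINE_OPTS" "$1" "$2" || return 1
    check_mount_line "$(grep " $2 " /proc/mounts | tail -n 1)" "$2"
}

# scan_quarantined MOUNTPOINT
# Recursive scan listing only infected files. clamscan exits 1 when something
# was found and 2 when the scanner itself failed, so the caller can stop.
scan_quarantined() {
    clamscan -r --infected "$1"
}

# copy_data MOUNTPOINT DESTDIR
# Copies files out of the quarantined mount but skips anything Windows would
# treat as executable content; what the owner wants back is documents, mail
# and pictures, not programs. Directory layout is preserved under DESTDIR.
copy_data() {
    mkdir -p "$2" || return 1
    dst=$(cd "$2" && pwd) || return 1
    ( cd "$1" && find . -type f \
        ! -iname '*.exe' ! -iname '*.dll' ! -iname '*.scr' ! -iname '*.com' \
        ! -iname '*.bat' ! -iname '*.cmd' ! -iname '*.vbs' ! -iname '*.js' \
        ! -iname '*.pif' ! -iname '*.lnk' \
        -exec cp --parents -t "$dst" {} + )
}

# Constructed sample /proc/mounts lines (not captured from a real machine) to
# exercise the check offline.
SAMPLE_OK="/dev/sdb1 /mnt/quarantine ntfs ro,nosuid,nodev,noexec,relatime 0 0"
SAMPLE_RW="/dev/sdb1 /mnt/quarantine ntfs rw,relatime 0 0"

if check_mount_line "$SAMPLE_OK" /mnt/quarantine; then
    echo "sample 1: quarantined (ro, noexec, nosuid, nodev all present)"
fi
if ! check_mount_line "$SAMPLE_RW" /mnt/quarantine; then
    echo "sample 2: NOT quarantined - writable and executable, do not proceed"
fi

# Real run (placeholders): sh quarantine.sh /dev/sdX1 /mnt/quarantine /root/recovered
# A scan that reports infections stops the chain so the list is reviewed first.
if [ "$#" -ge 3 ]; then
    mount_quarantined "$1" "$2" && scan_quarantined "$2" && copy_data "$2" "$3"
fi
```

The check reads /proc/mounts instead of assuming the requested options took effect, which is the part worth keeping even if the scanner or copy step changes: if the line for the mount point does not show all four options, the disk is not yet the "dodgy guest" the thread describes and nothing else should run against it.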


              #7
              Originally posted by expat
              I'm about to try to recover data from a friend's disk, which is infected. The disk is not in a machine any more, and I plan to put it in a USB case and plug that into a PC. The infection apparently came from trying to connect to broadband without first having an antivirus in place. Not sure what it might have but when it was the disk in its machine, it kept running svchost.exe at 100% cpu.

              Any hints here, esp. to avoid infecting my machine?

              Plan A: boot Linux and read it with that.
              Problem A: doesn't see a USB drive.

              Plan B?

              P.S. Did he go onto Kazaa? - I think I got that particular case of clap a while ago.
              "The Kop's exclusive, an institution, and if you're a member of the Kop you feel you're a member of a society, you've got thousands of friends around you and they're united and loyal"

              Comment


                #8
                Originally posted by Dr Evil
                P.S. Did he go onto Kazaa? - I think I got that particular case of clap a while ago.
                No, just the net. I've heard that 20 seconds is the average time till infection if you connect to broadband without an AV.

                Comment


                  #9
                  Originally posted by expat
                  No, just the net. I've heard that 20 seconds is the average time till infection if you connect to broadband without an AV.

                  According to SANS the current survival time is 30 mins. That's 30 mins from going on the net with an unprotected system to being probed and consequently compromised.

                  They keep a history as well which makes for interesting reading
                  "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.

                  Comment


                    #10
                    Originally posted by expat
                    No, just the net. I've heard that 20 seconds is the average time till infection if you connect to broadband without an AV.
                    Going on to the net without an AV wouldn't be a problem in itself. It's the not having a patched system and no firewall which gets you infected without doing anything.

                    Most virus/trojan problems are the result of people opening something, whether it's an attachment or downloading some .exe or visiting a page which loads some object or another.

                    Problem is 90% of non-tech people I know seem to have no idea about what can happen, e.g. someone sending a Xmas greeting they just found on some site to 20-30 people even though it's an .exe, and god knows how many just clicking on it...

                    Comment
