> How can I SAFELY test an external HD for viruses?

joe7dust · 05-03-2009, 07:58 PM

Basics:
I have a USB HD that I suspect has a virus on it. I want to check it and clean it, but I'm a bit scared to plug it into my working computer. The only two things I can think of is, disable Autorun from USB in Windows and make sure some AV software is running when I plug it in. I'm posting here because I want to know if there is some kind of software made specifically for this, like a "sandbox" for the USB HD to play in without affecting my machine.

A little background:
I reformatted the internal HD and reinstalled Windows to fix a problem this guy had with the PC only working in Safemode, it seemed to work fine but just a day or two he had intermittent issues again and now it only works in safemode again. I suspect the external HD he backed up all his data to contained a virus that caused the problems in the first place, and then when he put his new software on the fresh install it was reinfected. It's either that or a hardware issues, which I doubt and seriously hope it's not because thats a lot harder to fix.

An update:
I just tried to reinstall Windows XP from the SAME disc as I did before and it did a 15 minute "hang" at the "checking for previous installations of Windows" screen. I am running Memtest 86+ overnight, then in the morning will write zeros to the HD for hours, and then maybe test a couple other bits of hardware. Hopefully someone replies with a good sandbox program for safely checking that external USB for viruses by tomorrow. However, I'm starting to think it's the hardware.

Another update:
It won't even boot in Safe Mode now! Hangs at mup.sys driver loading
Memtest86+ ran for 4 hours, no problems
Currently Zero-filling the HD to test it, should be done by morning
Just talked to him and apparently it said "HD failure imminent" while booting one day

so I'm expecting this zero-fill to fail and can just replace the HD. However, I would still like an answer to my original question relating to safe virus handling involving PnP devices.

joe7dust · 05-07-2009, 01:49 PM

I haven't bumped and been very patient for 4 days, but I see many many 1-3 day waiting times in other people's posts. The rules say you work from the bottom up, so I think perhaps a mistake was made.

tetonbob · 05-07-2009, 02:27 PM

Hello -

The preposting sticky topic indicates that a thread which has received no reply for 3 days may be bumped.

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

I've merged your two topics.

That said, you've posted in the malware removal section, and not posted our required logs. It seems your topic might be better suited for our General Security forum, as it doesn't appear as though you're asking for malware removal help, which is what this forum is for. If you are, then you need to post the logs we require to begin an analysis.

More info to follow.

tetonbob · 05-07-2009, 02:49 PM

To try to answer what seems to be your main question...

I would be very careful about hooking up a suspect drive to anything but a dedicated bench machine, one that can be sacrificed if need be. That's how I approach such things at my bench. I have one machine for just such occasions. It's not networked, and no data loss if it happens to get infected.

It also depends on what infection is suspected or already identified. If it's a pe file infector such as Virut or Sality, I'm not sure I'd try to recover anything off it.

Ok, to your question....if you're determined to try, yes, at the very least, isolate the machine you intend to hook the external to from any network or internet. Then, disable autoruns. Use the method outlined here:

http://www.us-cert.gov/cas/techalerts/TA09-020A.html

And, you can run Flash_Disinfector, which will help prevent autoruns on the host and any attached USB devices.

Download Flash_Disinfector.exe from here and save it to your desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.

I use VMWare virtual machine, and disable all shares. It's been able to help prevent crossover infections from guest to host, but it has been known to happen.

I've not used Sandboxie, but it might be something like what you're looking for, or Returnil.

You may want to repost this in the General Security section, where you'll be able to get a broader set of replies.

joe7dust · 05-07-2009, 05:17 PM

Thankyou very much, this will surely help me in my future fixes. Will this be archived for a long time so I can just bookmark this or should I save it offline?

tetonbob · 05-07-2009, 07:18 PM

Oh, yes, threads don't generally get deleted. If the issue is resolved, it gets moved to a No Reply section of the forum, but you'll be able to refer back to it.

Glad to help.

05-03-2009, 07:58 PM	#1 (permalink)
joe7dust Registered User Join Date: May 2009 Posts: 83 OS: xp sp3	> How can I SAFELY test an external HD for viruses? Basics: I have a USB HD that I suspect has a virus on it. I want to check it and clean it, but I'm a bit scared to plug it into my working computer. The only two things I can think of is, disable Autorun from USB in Windows and make sure some AV software is running when I plug it in. I'm posting here because I want to know if there is some kind of software made specifically for this, like a "sandbox" for the USB HD to play in without affecting my machine. A little background: I reformatted the internal HD and reinstalled Windows to fix a problem this guy had with the PC only working in Safemode, it seemed to work fine but just a day or two he had intermittent issues again and now it only works in safemode again. I suspect the external HD he backed up all his data to contained a virus that caused the problems in the first place, and then when he put his new software on the fresh install it was reinfected. It's either that or a hardware issues, which I doubt and seriously hope it's not because thats a lot harder to fix. An update: I just tried to reinstall Windows XP from the SAME disc as I did before and it did a 15 minute "hang" at the "checking for previous installations of Windows" screen. I am running Memtest 86+ overnight, then in the morning will write zeros to the HD for hours, and then maybe test a couple other bits of hardware. Hopefully someone replies with a good sandbox program for safely checking that external USB for viruses by tomorrow. However, I'm starting to think it's the hardware. Another update: It won't even boot in Safe Mode now! Hangs at mup.sys driver loading Memtest86+ ran for 4 hours, no problems Currently Zero-filling the HD to test it, should be done by morning Just talked to him and apparently it said "HD failure imminent" while booting one day so I'm expecting this zero-fill to fail and can just replace the HD. However, I would still like an answer to my original question relating to safe virus handling involving PnP devices. Last edited by joe7dust; 05-03-2009 at 08:19 PM.

05-07-2009, 01:49 PM	#2 (permalink)
joe7dust Registered User Join Date: May 2009 Posts: 83 OS: xp sp3	What should I do if I think my post has been overlooked? I haven't bumped and been very patient for 4 days, but I see many many 1-3 day waiting times in other people's posts. The rules say you work from the bottom up, so I think perhaps a mistake was made.

05-07-2009, 02:27 PM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,594 OS: 2000 Pro; XP Pro; XP Home	Re: What should I do if I think my post has been overlooked? Hello - The preposting sticky topic indicates that a thread which has received no reply for 3 days may be bumped. NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help I've merged your two topics. That said, you've posted in the malware removal section, and not posted our required logs. It seems your topic might be better suited for our General Security forum, as it doesn't appear as though you're asking for malware removal help, which is what this forum is for. If you are, then you need to post the logs we require to begin an analysis. More info to follow. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-07-2009, 02:49 PM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,594 OS: 2000 Pro; XP Pro; XP Home	Re: > How can I SAFELY test an external HD for viruses? To try to answer what seems to be your main question... I would be very careful about hooking up a suspect drive to anything but a dedicated bench machine, one that can be sacrificed if need be. That's how I approach such things at my bench. I have one machine for just such occasions. It's not networked, and no data loss if it happens to get infected. It also depends on what infection is suspected or already identified. If it's a pe file infector such as Virut or Sality, I'm not sure I'd try to recover anything off it. Ok, to your question....if you're determined to try, yes, at the very least, isolate the machine you intend to hook the external to from any network or internet. Then, disable autoruns. Use the method outlined here: http://www.us-cert.gov/cas/techalerts/TA09-020A.html And, you can run Flash_Disinfector, which will help prevent autoruns on the host and any attached USB devices. Download Flash_Disinfector.exe from here and save it to your desktop. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well. Wait until it has finished scanning and then exit the program. I use VMWare virtual machine, and disable all shares. It's been able to help prevent crossover infections from guest to host, but it has been known to happen. I've not used Sandboxie, but it might be something like what you're looking for, or Returnil. You may want to repost this in the General Security section, where you'll be able to get a broader set of replies. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-07-2009, 05:17 PM	#5 (permalink)
joe7dust Registered User Join Date: May 2009 Posts: 83 OS: xp sp3	Re: > How can I SAFELY test an external HD for viruses? Thankyou very much, this will surely help me in my future fixes. Will this be archived for a long time so I can just bookmark this or should I save it offline?

05-07-2009, 07:18 PM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,594 OS: 2000 Pro; XP Pro; XP Home	Re: > How can I SAFELY test an external HD for viruses? Oh, yes, threads don't generally get deleted. If the issue is resolved, it gets moved to a No Reply section of the forum, but you'll be able to refer back to it. Glad to help. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009