#1 |
|
Member (12 bit)
Join Date: Nov 2001
Location: Woodland Hills, CA (suburb of Los Angeles)
Posts: 4,014
|
Clean an Infested Hard Drive as a Slave in another PC
Some of the recent waves of viruses and worms have the ability to render a system unbootable, even in Safe Mode. It’s for such cases that this article is written.

The most important advice upfront is this: if you are unsure of any details – don’t continue until you’re sure [post a thread in the forums – you’ll get the quickest answer there]. Or try another method, such as using DOS tools.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Since many households now have more than one computer, an option when faced with a serious virus/spyware infection is to open the infected computer up, remove the hard drive, and “slave” it in another computer, which we’ll call the “Helper PC”, and clean the infected drive there.

***During the repair, while in the Helper PC the infected drive MUST NOT be booted from! It’s probably easiest if connected as a SLAVE drive and NOT as a MASTER, and NOT listed in the Boot Order menu in the Helper PC’s BIOS setup – or the result can be two infected computers!***

For this to work, the “Helper PC”:

1) must scan clean just before the “visiting” drive is added (the one that will be “slaved” and cleaned)
2) must have up-to-date antivirus/antispyware programs installed and active
3) must have an installed and active firewall
4) must have a compatible hard drive cable and connector [“port”]
5) must have a compatible file system. A Windows 2000/XP system can see and scan slaved hard drives from Win95/98/ME as well as Win2000/XP. A Windows 95/98/ME system will only be able to see and scan slaved hard drives from Win95/98/ME. […that is, without the help of third-party programs …]
6) *must have its boot drive as the first boot device listed in its BIOS, to prevent accidentally booting from the “visiting/slave” drive (which would infect both computers)
7) . . . it’s best to remove both computers from any networks during the cleaning.

On the “Helper PC”: Entering BIOS Setup / Checking the Boot Order

Most computers will display a banner message on the monitor at system powerup that reads something like “Press F1 (or DEL or F10, etc) to Enter Setup”. Press the key mentioned in your computer’s banner as soon as possible during startup. If the banner doesn’t display long enough for you to read it, you can try pressing the Pause button on your keyboard to pause the display long enough (then you can press the space bar to continue the boot sequence).

Once in the BIOS menus, look for an item listed something like “Boot Order” or “1st Boot Device”. [If you’re not sure how to get around in your BIOS screens, there is usually a guide along the bottom of each screen]. Set the first boot device to the Helper PC’s bootable hard drive. On most PCs, this will be either C, HDD-0, or simply “Hard Disk”.

When using parallel IDE hard drives [the older IDE technology that uses 40wire and 80wire ribbon cables – (UltraATA-33 is an example of a 40wire, UltraATA-66 is an example of an 80wire)], usually the hard drive containing the operating system is the “Master” on the “Primary IDE Controller” on the motherboard, and is assigned the drive letter C in Windows.

Note: if the Helper PC’s system drive is the newer IDE type, the serial ATA [often abbreviated SATA, and which uses the slender single wire cable and smaller connector], check in the manual for the motherboard as to which designation the SATA drive receives, and be sure that the IDE controller on which the infected drive is slaved comes AFTER the SATA drive, or simply ensure that the IDE controller on which the infected drive is slaved is NOT listed in the Boot Order, and that “Boot Other Device” is disabled. This will prevent any possibility of booting from the infected drive by mistake.

Before moving the infected hard drive to the Helper PC, the jumpers and connectors need to be sorted out.

If using Master/Slave jumpers – simply make sure that the Helper PC’s system drive is jumpered as “Master”, and that the infected hard drive is jumpered as “Slave”.

If using Cable Select, make sure that the Helper PC’s system drive is on the Master connector: the last one (on the IDE cable: the blue connector is on the motherboard, the gray connector in the middle of the cable is the Slave, and the black connector at the end farthest from the motherboard is the Master). Put the infected hard drive as Slave on an available cable.

If using a RAID array, don’t disturb the mirrors; it’s easier to just free up a cable by borrowing one from a temporarily disconnected optical drive.

Once all is set up, the Helper PC should start normally, and you can scan the infected drive with the antivirus/antispyware tools of the Helper PC.

Once clean, remember to restore the jumpers and cabling back to their original order in both the Helper PC and in the formerly infested (but now clean) computer. If the infected PC formerly did not have installed and active firewall/antivirus/antispyware tools, locate, install, and set up these tools before re-connecting to a network.

. . . Gary

[P.S. this has been written in a hurry – so any techs who wish to add corrections or further details, please do!]
|
#2 |
|
Member (12 bit)
Join Date: Jul 2002
Location: Easthampton, Massachusetts
Posts: 2,633
|
Excellent work Gary!
|
#3 |
|
Member (9 bit)
Join Date: Jan 2004
Location: Watsontown, PA.
Posts: 408
|
Excellent Gary, and thank you. With the number of new viruses coming out all the time, I am sure this will be very valuable information. Great work.
|
#4 |
|
Served with Pride
Staff
Premium Member
|
Nice work as usual, Gary! I've done exactly what you describe on several occasions to save data from an infected drive. In extreme cases where you plan to reinstall the operating system once the infected drive is cleaned, you can reformat the visiting/slave drive while in the Helper computer. Just gotta be sure to reformat in a format compatible with your operating system. FAT32 for Win98 and NTFS for Win2K and XP.
|
#5 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,791
|
Note that this will only detect and clean/delete infected files. It will not fix any configuration files or the registry because they are not active - so possibly expect a ton of errors when you put the "cleaned" drive back in where it came from and you try to boot from it. These will have to be fixed manually with Regedit or a 3rd party registry tool.
|
#6 |
|
Member (7 bit)
|
Avast Antivirus
I had this same problem with my machine but it was on a laptop so I couldn't put my hd in a "Helper PC", so I found this great antivirus software that will run a great virus scan on boot. So before any operating system loads, this antivirus loads up and scans and deletes viruses, worms, spyware, and adware.
|