
Scanning files in Virtual Windows?


3 replies to this topic

#1 mcaren

mcaren

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 15 October 2007 - 02:38 PM

I'm not sure where to post this question... Also, please forgive me if I'm asking something that's been asked a zillion times (I did a search on "Virtual" but didn't see anything that looked like an answer). I also have never used an OS emulator yet, so I hope this isn't a stupid question! I wondered if you could burn potentially infected files on CDs and scan them while in a Virtual copy of XP -- without infecting the host computer. I was curious because I'm working on a super-infected computer and the owners want to keep some files (mostly photos, although unless I can use the Kodak software used to produce the albums to un-album them (into jpg files?) I might be adding them as Kodak albums -- which I suppose could contain malicious code?). I'll be burning those files onto CDs. I don't know enough about malware to know if it is likely that I could re-infect their newly reformatted machine by scanning those files afterwards. I've got a Mac and a PC that dual boots with Ubuntu -- and wondered if I'd be putting my machines at risk if I was able to scan files virtually. If I had time for this (which I'm not sure I do), I'd probably be using QEMU on a Mac (Intel Mac, if that makes a difference). I don't know if the OS hosting the emulator would make a difference as far as potential infection goes... So, if anyone can make sense of this I'd appreciate your input. Thanks. mcaren


#2 Doug

Doug

    Retired Administrator -Tech Team

  • Tech Team
  • 10,057 posts

Posted 15 October 2007 - 08:15 PM

Hi Mcaren,

You have another interesting project here.
It is not necessary to inject any additional complications into the process.
Actually, it's best to keep it as simple and direct as possible.

What I wouldn't do...
-- I would not burn the files to CD
-- I would not transfer them via burnt CD to another machine for analysis.
-- I would not create a virtual machine to complete analysis and repair on a physical machine or even selected files.
-- I would not attempt to remove the files from their album host, nor to display them using another utility.
-- I would not be using the infected machine for internet or other application work until it is disinfected.

My reasons:
Even viruses require a "trigger" to activate.
Laying there in possibly infected files or attached to a possibly infected host application, they are inactive until "touched".
Any movement, copying, burning, transferring, saving, and or communicating to the infected files, constitutes the "touch" that is referred to above. (except as specifically instructed by a Malware Team Member)
The machine is most likely infected or at risk of infection in its system, or you would not have noticed a problem.
The machine's status needs to be evaluated and treated as it presently exists, as a whole.

What I would do....
-- I would follow the instructions, here: http://forums.whatth...ers_t34502.html
-- I would post a HJT Log for Malware Team assistance, here: http://forums.whatth...emoval_f27.html
-- I would follow through with the Malware Team's instructions until I received an "all clean" message from the Experts.

Please be patient with the Malware Team Expert volunteers.
They will respond to your post in the order in which it is received and as a Team Member becomes available to give it attention.

Best Regards
Doug

Edited by Doug, 15 October 2007 - 08:31 PM.


#3 mcaren

mcaren

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 15 October 2007 - 08:53 PM

Thanks Doug -- actually, I've already posted a HijackThis log for the machine in question and received advice from Blade81.

http://forums.whatth...mat_t84040.html

I was advised to reformat the drive -- which is why I was going to save the photo files to CD (these photos are wedding photos, baby photos, etc. -- and I don't think they've backed up this data).

I'd like to save the files -- but am not sure of a "safe" way to do this.

[on the positive side, the couple have not made any online purchases and didn't seem to think they had much if any private info to be compromised; on the negative -- they've got another computer that's been equally "protected" (by some yahoo that apparently didn't take the time to explain that anti-virus programs need updating, etc.... I'll probably be taking a look at that one after resolving this one...]
Thanks for your time -- mcaren

#4 Doug

Doug

    Retired Administrator -Tech Team

  • Tech Team
  • 10,057 posts

Posted 15 October 2007 - 11:49 PM

OK, so now you've narrowed the scope a bit.
____________

If you can get those photos burned as images to CD, then a scan from a good AntiSpyware and a good AntiVirus should find any bad-guys.

I like
Sophos SAV32CLI, and MWAV free versions,
or
AVG AntiSpyware, and AVG AntiVirus free versions.
Or
the trial version of SpySweeper and the trial version of F-secure.

Those should find most anything on a CD, now that we're not looking at an infected system to deal with.
____________

But where to find the original images?
Hopefully someone with experience with Kodak will come along.

When the "slide show" was produced, there had to have been original image files (BMP TIFF PNG PSD JPEG JPG GIF images)
Kodak would have converted the format to suit their display, but would have stashed the originals somewhere as backup, unless the owners specifically selected to not save them.
Happily, it looks like Kodak uses compatibility with most common image file formats.

Run a Search for
*.jpg
or
*.bmp
or * dot (any of the following: BMP TIFF PNG PSD JPEG JPG GIF )

Maybe you'll get lucky and find the folder containing the originals.
You can then burn only that folder, and treat it with the scans per above...
Without loading them onto another system.
Just pop the disk into a machine with updated protection and run a targeted scan on the CD.

I wouldn't try to salvage the screensaver/slide show application.

The "slide show" they have used may be: SnapScreen for EasyShare to Version 5.x 1.4
found here -- http://snapscreen-fo...d.qarchive.org/
Free to try, and only $9.99 to keep.

Let us know how things work out.

Best Regards
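One way to do the "search for *.jpg, burn only that folder" step with a check that each file really is an image, as an added example that is not code from this thread or from any tool named in it. It assumes the infected drive is attached to a clean system as a data disk (not booted) and that the originals are in one of the formats Doug lists; the sample tree in `demo()` is constructed.

```python
import os
import shutil
import tempfile
# Header bytes for the image formats the post lists. A file whose extension
# says "image" but whose first bytes disagree is held back, not copied.
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",), ".psd": (b"8BPS",),
    ".tif": (b"II*\x00", b"MM\x00*"), ".tiff": (b"II*\x00", b"MM\x00*"),
}

def classify(name, head):
    """'image' if header matches extension, 'mismatch' if it does not, 'other' otherwise."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in SIGNATURES:
        return "other"
    return "image" if any(head.startswith(s) for s in SIGNATURES[ext]) else "mismatch"

def collect_images(src_root, dst_root):
    """Copy verified images from a mounted (not booted) drive into dst_root,
    keeping the folder layout; returns (copied, mismatched) relative paths."""
    copied, mismatched = [], []
    for dirpath, _, files in os.walk(src_root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, src_root)
            with open(path, "rb") as fh:
                verdict = classify(fname, fh.read(16))
            if verdict == "image":
                target = os.path.join(dst_root, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copyfile(path, target)  # data only: no metadata or ACLs
                copied.append(rel)
            elif verdict == "mismatch":
                mismatched.append(rel)
    return sorted(copied), sorted(mismatched)

def demo():
    """Constructed sample tree: a JPEG, a PNG, and an executable header renamed to .jpg."""
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(src, "album"))
    samples = {"album/wedding1.jpg": b"\xff\xd8\xff\xe0" + bytes(32),
               "album/baby.png": b"\x89PNG\r\n\x1a\n" + bytes(32),
               "album/photo2.jpg": b"MZ\x90\x00" + bytes(32)}
    for rel, data in samples.items():
        with open(os.path.join(src, rel), "wb") as fh:
            fh.write(data)
    return collect_images(src, dst)
```

The mismatched list is what you hand to the scanners rather than burn; the copied folder is what gets burned and scanned per Doug's advice.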
