andyP
Posts: 9,295
Topics: 161
Kudos: 712
Solutions: 636
Registered: ‎11-27-2007
Location: Bonnie Scotland
Accepted Solution

Bootable Media Malware Removal Tools, Preferable?

Quite often a system can be rendered useless by malware; a recent example of this in Germany is the Bundeskriminalamt virus.

Those who were unlucky enough to get hit were informed that their computer had been traced as being used for illegal purposes and that they should transfer €100 to pay the fine, after which the message would go away and they would be able to resume normal usage of their computer. This was of course not the case, and the system remained unusable, as it is not possible to close the window and it always remains on "top".

 

In such situations I often turn to the bootable malware removal tools offered by most of the anti-malware companies and find them to be very effective at removing malware and bringing a system back to a state in which further diagnosis / repairs can be carried out.

 

If I suspect a system to be infected, but it still boots normally, is a bootable media scan preferable to a scan carried out from within the OS? Are there any drawbacks / disadvantages in using such tools?

Andy  

______________________________________


Please remember to come back and mark the post that you feel solved your question as the solution, it earns the member + points

Did you find a post helpful? You can thank the member by clicking on the star to the left, awarding them Kudos

Please add your type, model number and OS to your signature, it helps to help you.

Forum Search Option

T430 2347-G7U W8 x64, Yoga 10 HD+, Tablet 1838-2BG, T61p 6460-67G W7 x64, T43p 2668-G2G XP, T23 2647-9LG XP, plus a few more.

FYI Unsolicited Personal Messages will be ignored.


PepperonI blog 

Lenovo Technology Partner
PCBruiser
Posts: 12
Registered: ‎11-27-2011
Location: Pennsylvania, US

Re: Bootable Media Malware Removal Tools, Preferable?


Hi,

 

IMHO, whatever works, use it, as long as you completely understand how the tools work, their limitations, what they can do to the infested system, and can provide clear instructions for the tool's use. I regularly use installed tools, tools which do not require installation, online scans, bootable media tools and Linux Live distros. I generally work with the easiest first, and then go to more powerful methods as needed. The more complex the method used, the more difficult it is for the owner of the infected system, and the greater the likelihood that a mistake may be made. So care is needed, as well as being very aware of the technical capability of the victim.

 

It is worth mentioning that most of the bootable media tools are Linux based, due to copyright restrictions that could easily arise from using bootable media based on Windows. There are such tools, but they are always, AFAIK, paid tools, where part of the cost pays a license fee to Microsoft for using their copyrighted files for the bootable media.

Don't Read? Can't Learn!
Administrator, SpywareHammer.com
Microsoft MVP
Corrine
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY

Re: Bootable Media Malware Removal Tools, Preferable?

"It is worth mentioning that most of the bootable media tools are Linux based due to copyright restrictions that could easily arise from using bootable media based on Windows.  There are such tools, but they are always AFAIK paid tools, where part of the cost pays a license fee to Microsoft for using their copyright files for the bootable media."

 

I guess we need to get you out of the malware removal logs and reading my blog more often.  :smileyvery-happy: 

 

I'm teasing, PCBruiser. That worked as an easy segue to my tutorial on setting up Microsoft's Standalone System Sweeper Beta (with almost 11,700 views to date!) and the accompanying article, which addresses common error codes and suggested troubleshooting steps.

 

The Standalone System Sweeper is designed to help start an infected PC and perform an offline scan to identify and remove rootkits and other advanced malware. 

 

My Tutorials: 

 

Note: Although the Standalone System Sweeper is still labeled Beta, and caution is necessary as with all beta programs, the tool has long been a part of the Microsoft Diagnostics and Recovery Toolset (DaRT) for Microsoft Enterprise customers. Nonetheless, caution is always recommended when using Beta software.

 

Microsoft MVP, Consumer Security
Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!
Twitter: http://twitter.com/SecurityGarden
Security Information and Malware Removal @LandzDown Forum
Lenovo Technology Partner
RoseG
Posts: 7
Registered: ‎11-29-2011
Location: Philippines

Re: Bootable Media Malware Removal Tools, Preferable?

hi andyP,

 

an advantage i see in running a bootable AV is that it won't be interfered with by a running process of a virus

a big disadvantage is if it doesn't let your system boot anymore >.<

so as PCBruiser mentioned, you have to understand how it works and what it does to infected files, and to add, see if it has revert options

 

cheers!


I am a Trend Micro employee.  My comments and advice come from my personal knowledge and experience.  I’m happy to volunteer what I can to help others have a great Trend Micro experience. Find me in Trend Community
Punch Card
rpggamergal
Posts: 6
Registered: ‎11-14-2011
Location: Australia

Re: Bootable Media Malware Removal Tools, Preferable?

Bootable media removal tools are good when the PC can no longer boot, but if the system can still boot I would use the removal tools to scan the system within Windows, as many scanners these days are optimized to be run while malware processes are active.

Most bootable media removal tools don't have current virus definitions, so they might miss some new viruses.

When removing malware while it is not active, its loading points are likely to be missed by the scanner, and when Windows boots it may throw out some errors caused by the leftover registry loading points still calling for the bad files to launch.
And since Windows File Protection (WFP) is not in use when scanning this way, if any patched/infected system files (e.g. userinit.exe, winlogon.exe, etc.) are removed by the scanner, they will not be replaced, rendering the system unbootable or the user unable to log in.

 

In the example below, if the scanner removes the bad DLL but leaves the value in the registry intact, this will definitely render the system unbootable.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems
"Windows"="basekwgb32.dll"

---------------------------------------------------------------------------
Microsoft MVP - Consumer Security
Zone Advisor at Experts-Exchange.com
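The check rpggamergal's post implies, as an added example that is not from the thread: after an offline scan, walk the critical load points in the registry and flag any that still reference a file the scanner removed, so the value can be repaired (or the file restored) before the reboot that would otherwise fail. The hive data and the sample volume are constructed; the real SubSystems "Windows" value carries csrss.exe and ServerDll= entries rather than the bare DLL name the post shows, and the dropped DLL is placed in that form here.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# A module reference is an explicit .dll/.exe path or a ServerDll=<name> entry, the
# form the real SubSystems "Windows" value uses (e.g. ServerDll=basesrv,1).
_MODULE_RE = re.compile(r"ServerDll=([\w-]+)|([\w%~\\.:()-]+\.(?:dll|exe))", re.I)

# Constructed hive data: the post's basekwgb32.dll load point plus two Winlogon
# values removal tools commonly touch. Real values vary by Windows version.
SAMPLE_LOAD_POINTS: Dict[str, str] = {
    r"HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Windows":
        r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows ServerDll=basesrv,1 "
        r"ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=basekwgb32,1",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\Windows\system32\userinit.exe,",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe",
}

def referenced_modules(value: str) -> List[str]:
    """Every DLL/EXE that Windows would try to load from this value."""
    return [srv + ".dll" if srv else path for srv, path in _MODULE_RE.findall(value)]

def is_present(module: str, system_root: Path) -> bool:
    """Resolve a reference against an offline-mounted Windows directory: %SystemRoot%
    and C:\\Windows are rebased onto system_root, bare names are looked up in the
    Windows directory and system32 (compared as written; NTFS is case-insensitive)."""
    rel = re.sub(r"^(%SystemRoot%|[A-Za-z]:\\Windows)", "", module, flags=re.I).strip("\\")
    parts = rel.split("\\")
    if len(parts) > 1:
        return system_root.joinpath(*parts).is_file()
    return any((d / rel).is_file() for d in (system_root, system_root / "system32"))

def find_dangling(load_points: Dict[str, str], system_root: Path) -> List[Tuple[str, str]]:
    """(registry key, module) pairs whose target file no longer exists on disk."""
    return [(key, mod) for key, value in load_points.items()
            for mod in referenced_modules(value) if not is_present(mod, system_root)]

def build_sample_volume() -> Path:
    """Constructed stand-in for the scanned volume: clean files present, basekwgb32.dll gone."""
    root = Path(tempfile.mkdtemp()) / "Windows"
    (root / "system32").mkdir(parents=True)
    for name in ("csrss.exe", "basesrv.dll", "winsrv.dll", "userinit.exe"):
        (root / "system32" / name).touch()
    (root / "explorer.exe").touch()
    return root

if __name__ == "__main__":
    for key, mod in find_dangling(SAMPLE_LOAD_POINTS, build_sample_volume()):
        print(f"DANGLING: {key} -> {mod}; restore the file or repair the value before rebooting")
```

On a real rescue, the values come from the offline SOFTWARE and SYSTEM hives and system_root is the mounted Windows directory; a dangling SubSystems entry is exactly the case the post describes as unbootable.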
Microsoft MVP
Corrine
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY

Re: Bootable Media Malware Removal Tools, Preferable?

"Bootable Media removal tools are good when the PC can no longer boot, but if the system can still boot I would use the removal tools to scan the system within Windows as many scanners these days are optimized to be run while malware processes are active."

 

I agree! Years ago, when malware was not as complex as it is now, it was the opposite: boot to Safe Mode in order to remove the malware while the process wasn't active. Today, it is as you indicated: the programs are optimized to be run while the processes are active.

 

"Most bootable media removal tools don't have current virus definitions so might miss some new viruses."

 

You may not be aware that the Microsoft Standalone System Sweeper definitions can be updated. Even if the infected computer does not have Internet access, the updates can be manually transported to the infected machine. The definitions for Standalone System Sweeper are the same as those used by Microsoft Security Essentials and Microsoft Forefront.

Lenovo Technology Partner
bamajim
Posts: 2
Registered: ‎10-14-2011
Location: Tuscaloosa, AL

Re: Bootable Media Malware Removal Tools, Preferable?

There are going to be times when a PC cannot be rescued from infection no matter what you do. However, malware writers gain nothing by destroying a PC. They infect the PC either to use it to their advantage (botnets), to hold your PC hostage and demand a monetary ransom, or to steal your personal information. So they will leave the PC usable. By doing so they leave the user the opportunity to rescue the PC.

My weapon of choice is a USB stick. It can not only give you access to removal tools, it can also give you a back door to Windows Explorer for manual removal of certain files.

"The world is what you make of it."
Microsoft MVP
Corrine
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY

Re: Bootable Media Malware Removal Tools, Preferable?

"My weapon of choice is a USB stick. It can not only give you access to removal tools, it can also give you a back door to windows explorer for manual removal of certain files."

 

I know bamajim knows this, but for the benefit of readers who do not: be sure Autorun is disabled. See this Microsoft Knowledge Base article: How to disable the Autorun functionality in Windows

andyP
Posts: 9,295
Topics: 161
Kudos: 712
Solutions: 636
Registered: ‎11-27-2007
Location: Bonnie Scotland

Re: Bootable Media Malware Removal Tools, Preferable?

Thanks to all for sharing their wisdom and thoughts on this; I've found all the information and opinions offered very enlightening.

I'll now confess to using a Kaspersky Rescue Disk on occasions when I feel that the OS has been seriously compromised, to remove what it can; nothing is 100%. Yes, it is Linux based, which I don't see as a negative, and it can, as Corrine mentioned about the MS System Sweeper, be updated with current definitions.

Thank you all again for enlightening me and literally opening the tin of worms :smileywink:

 

P.S. To add a bit of banter and reality to this great event, please don't forget to visit this thread.

Andy  


goretsky
Posts: 2,062
Topics: 19
Kudos: 370
Solutions: 144
Registered: ‎12-01-2007
Location: California, USA

Re: Bootable Media Malware Removal Tools, Preferable?

Hello,

 

Many antimalware companies offer some sort of bootable version of their software which can be written to a USB flash drive, CD, DVD and the like and used to scan the computer's internal drives from outside the infected operating environment, in order to detect and remove malware, such as rootkits, that might otherwise block such attempts had it been running.

 

The only issues I can think of off the top of my head with such an approach are if the bootable media did not have the right device drivers to access the computer (wrong or missing device drivers for the hard disk controllers) or had signatures that were out of date. Some bootable AV programs allow the user to download signatures to the USB flash drive, or to a RAM disk if using a CD or DVD, but that requires that the bootable media recognize the computer's network adapter and, of course, have access to a working network connection. Typically, it is just easier to download the bootable disc image from the anti-malware vendor or make the bootable media on a clean computer just before cleaning the infected PC, to ensure that the latest signatures are available.

 

Regards,

 

Aryeh Goretsky

 



I am a volunteer and neither a Lenovo nor a Microsoft employee. • Dexter is a good dog • Dexter je dobrý pes
S230u (3347-4HU)X220 (4286-CTO)W510 (4318-CTO)W530 (2441-4R3)X100e (3508-CTO)X120e (0596-CTO)T61p (6459-CTO)T43p (2678-H7U)T42 (2378-R4U)T23 (2648-LU7)