
Bootable Media Malware Removal Tools - are they preferable?

Question

Quite often a system can be rendered useless by malware, and a recent example of this in Germany is the Bundeskriminalamt virus.

Those who were unlucky enough to get hit were informed that their computer had been traced as being used for illegal purposes and that they should transfer €100 to pay the fine; the message would then go away and they would be able to resume normal usage of their computer. This was of course not the case, and the system remained unusable as it was not possible to close the window, which always stayed on "top".

In such situations I often turn to the bootable malware removal tools offered by most of the anti-malware companies and find them to be very effective at removing malware and bringing a system back to a state in which further diagnosis / repairs can be carried out.

If I suspect a system to be infected, even one that still boots normally, is a bootable media scan preferable to a scan carried out from within the OS? Are there any drawbacks / disadvantages in using such tools?

Answer

Many antimalware companies offer some sort of bootable version of their software which can be written to a USB flash drive, CD, DVD and the like and used to scan a computer from outside the infected operating environment on the computer's internal drives in order to detect and remove malware that might otherwise block such attempts had it been running, such as rootkits.

If you use, for instance, a USB flash drive, be sure Autorun is disabled.  See this Microsoft Knowledge Base article:  How to disable the Autorun functionality in Windows

Such an approach may not work if the bootable media do not have the right device drivers to access the computer (wrong or missing device drivers for the hard disk controllers) or have signatures that are out of date.  Some bootable AV programs allow the user to download signatures to the USB flash drive, or to a RAM disk if using a CD or DVD, but that requires that the bootable media recognize the computer's network adapter and, of course, have access to a working network connection.  Typically, it is just easier to download the bootable disc image from the anti-malware vendor or make the bootable media on a clean computer just before cleaning the infected PC to ensure that the latest signatures are available.

You can do this as long as you completely understand how the tools work, their limitations, and what they can do to the infected system, and can provide clear instructions for the tool's use.  The more complex the method used, the more difficult it is for the owner of the infected system, and the greater the likelihood that a mistake may be made.  So, care is needed, as well as being very aware of your own technical capability.

You may refer to this tutorial on setting up Microsoft's Standalone System Sweeper Beta and the accompanying article, which addresses common error codes and suggested troubleshooting steps.

The Standalone System Sweeper is designed to help start an infected PC and perform an offline scan to identify and remove rootkits and other advanced malware.

Corrine Chorney’s tutorial: 

Note:  Although the Standalone System Sweeper is still labeled Beta, and caution is necessary as with all beta programs, the tool has long been a part of the Microsoft Diagnostics and Recovery Toolset (DaRT) for Microsoft Enterprise customers.  Nonetheless, caution is always recommended when using Beta software. The Microsoft Standalone System Sweeper definitions can be updated.  Even if the infected computer does not have Internet access, the updates can be manually transported to the infected machine.  The definitions are the same for Standalone System Sweeper as those used with Microsoft Security Essentials and Microsoft Forefront.

There are going to be times when a PC cannot be rescued from infection no matter what you do. However, malware writers gain nothing by destroying a PC. They infect the PC either to use it to their advantage (botnets), to hold your PC hostage and demand a monetary ransom, or to steal your personal information. So they will leave the PC usable. By doing so they leave the user the opportunity to rescue the PC.
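A concrete way to carry out the Autorun check recommended in the answer above, added here as an example and not part of the original post: the script reads and, where needed, sets the NoDriveTypeAutoRun policy value described in the linked Microsoft Knowledge Base article (KB967715), for both the machine-wide (HKLM) and current-user (HKCU) policy keys. The drive-type bit values in the comments follow that article; 0xFF disables Autorun for every drive type. It assumes an elevated PowerShell prompt on the clean machine used to prepare the rescue media (and later on the repaired machine). The function names are the example's own.

```powershell
# Added example, not from the original post: check and disable Autorun on all
# drive types by setting the NoDriveTypeAutoRun policy value documented in
# Microsoft KB967715 ("How to disable the Autorun functionality in Windows").
# Run from an elevated PowerShell prompt. HKLM applies to every user and takes
# precedence over HKCU; both are handled so the result does not depend on
# which profile the rescue USB stick happens to be plugged in under.

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# Bit values from the KB article; each set bit disables Autorun for that drive type.
$RemovableDrives = 0x04   # USB flash drives and other removable media
$CdRomDrives     = 0x20   # CD and DVD drives
$AllDriveTypes   = 0xFF   # every drive type, the value the article recommends

function Get-AutorunPolicy {
    # Returns the current NoDriveTypeAutoRun value under $Key, or $null if the
    # key or value does not exist (in which case the Windows defaults apply).
    param([Parameter(Mandatory)][string]$Key)
    $item = Get-ItemProperty -Path $Key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-AutorunDisabled {
    # True only when the value already blocks Autorun for both removable and
    # optical media, the two types rescue media are written to.
    param($Value)
    if ($null -eq $Value) { return $false }
    return (($Value -band $RemovableDrives) -eq $RemovableDrives) -and
           (($Value -band $CdRomDrives) -eq $CdRomDrives)
}

foreach ($key in $PolicyKeys) {
    $current = Get-AutorunPolicy -Key $key
    $shown = if ($null -eq $current) { 'not set' } else { '0x{0:X2}' -f $current }
    Write-Host ("{0}`n  NoDriveTypeAutoRun = {1}" -f $key, $shown)

    if (Test-AutorunDisabled -Value $current) {
        Write-Host '  Autorun already disabled for removable and CD/DVD drives; no change.'
        continue
    }

    # Create the policy key if it is missing, then write the DWORD value.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value $AllDriveTypes -Type DWord
    Write-Host ('  Set NoDriveTypeAutoRun = 0x{0:X2} (Autorun disabled on all drive types).' -f $AllDriveTypes)
}

# Explorer reads this value at logon, so log off or restart before relying on it.
```

The script only tightens the setting: a value that already covers removable and optical drives is left alone, while anything weaker is replaced with 0xFF rather than patched bit by bit, which keeps the outcome the same as following the KB article by hand.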