virus - Host intrusion prevention system that can be installed during safemode?

07
2014-07
  • user1833028

    I have reason to believe, from prior experience, that I can use Comodo's Defense+ - that company's host intrusion prevention system - to defeat some malware on my boss's computer.

    Alas, it must be installed in safe mode at this point. If I recall correctly, that didn't work very well. (To be specific, I'm looking to intervene or at least monitor some suspicious global hooks...)

    Therefore, does anyone know of such a utility that I can install during safe mode and expect to function properly on a normal boot?

    Thank you in advance! (PS: What Live Linux utility for scanning drives would you recommend that I use?)


    Related Question

    boot - Virus cleanup brainstorming
  • Questioner

    I'm in the process of cleaning up a virus from a friend's computer and so far I've managed to have the Windows runtime clean. However, after a reboot the malware reappears. Another symptom is that the infected computer can't boot in safe mode.

    My suspicion so far was that it's a malware service or a driver that's causing this, the latter being the most favorable option esp. given the safe mode problem.

    However, after repartitioning, reformatting and reinstalling Windows, the virus-related processes are still there. Not initially, but shortly after the first boot.

    Just to mention - it's a Win XP box, has 2 partitions and the reinstallation and formatting was done on the partition where the OS was installed. The other one has only data but as I haven't started anything from this partition, I can't think of some automatic system process that could have executed an already infected EXE file.

    Can anyone propose ideas on how/where this thing is hooking up so that it reappears after reboot and reinstall? I've checked the standard registry entries (Run* for HKLM and HKCU), all suspicious services are disabled, nothing fancy in the INI files (through MSCONFIG), etc.

    ANY ideas are welcome! This is the most irritating malware I've ever had to deal with... (I'll write some other time how I cleaned up the runtime :))
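    The checks listed above cover the registry, services and INI files but not the disk's first sector, which one answer further down (fluxtendu's) names as a possible hiding place. As an added example, not from anyone in this thread, here is a Python script that parses a captured MBR and compares its boot code against a known-good hash; the sector bytes and the baseline hash are constructed for the demo, and on a real machine the sector would be captured from a live Linux boot (e.g. `dd if=/dev/sda bs=512 count=1 of=mbr.bin`) with the baseline taken from a clean install of the same Windows version.

```python
"""Audit a captured 512-byte MBR sector for signs of tampering (added example;
the sample sector below is constructed, the baseline hash would come from a clean image)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 boot code, 446..509 four 16-byte partition entries
BOOT_SIGNATURE = 0xAA55  # bytes 510..511 are 0x55 0xAA, read little-endian


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into signature check, boot-code hash and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry: status, CHS start (3, skipped), type, CHS end (3, skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, BOOT_CODE_LEN + 16 * i)
        partitions.append({"active": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def audit_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return findings as strings; an empty list means nothing looked suspicious."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for i, p in enumerate(info["partitions"]):
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):  # "empty" entry that still has geometry
            findings.append(f"partition entry {i}: type 0 but non-zero start/size")
    return findings


# Constructed sample: stub boot code, two NTFS partitions (type 0x07), valid signature.
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]).ljust(BOOT_CODE_LEN, b"\x00")
PARTITION_TABLE = (struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 20_000_000)
                   + struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", 0x07, b"\xFE\xFF\xFF", 20_000_063, 30_000_000)
                   + bytes(32))
CLEAN_MBR = CLEAN_BOOT_CODE + PARTITION_TABLE + b"\x55\xAA"
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()  # stands in for a hash taken from a clean disk
# Same disk with the first bytes of the boot code overwritten: the case a bootkit audit must flag.
TAMPERED_MBR = b"\xEB\x3C\x90" + CLEAN_MBR[3:]
```

Run `audit_mbr(CLEAN_MBR, BASELINE_SHA256)` and `audit_mbr(TAMPERED_MBR, BASELINE_SHA256)` to see the empty result versus the boot-code finding; the partition table and signature are identical in both, which is exactly why a hash of only the boot code is the useful comparison.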


  • Related Answers
  • Posipiet

    No matter what, if the virus exec ran on your computer, there's little chance to make sure all traces can be completely removed.

    The only way to make sure it is completely removed is:

    • Identify the virus correctly
    • If the virus is of any downloader type, forget it. You can't make 100% sure all traces, rootkits, scanners and whatnot are fully removed.
    • If it is not a downloader, make sure it isn't a virus that lives in "desktop.ini" etc. Remove the disk, plug it into a different computer that has working antivirus. Run a scan.
    • Remove the virus.

    Of course you can take it as a sport to hunt the thing, and you will learn a lot about it. Most current viruses consist of several parts that hook up differently.

    Use Process Explorer, Filemon, Regedit to hunt it down. It is fun for a few times.

  • Chris

    Jeff Atwood had a pretty good post about the steps necessary to clean a computer of spyware. You might want to take a look at that and see if it helps you any.

  • Al E.

    I have had good experiences with the folks over at bleepingcomputer.com. Follow their instructions for posting the initial diagnosis (usually involves running HijackThis) and they'll work with you to create/get the fix you need.

  • Dave M

    Be sure system restore is turned off and make sure it stays off after a reboot (every reboot) until you are sure you are clean. System restore is a favorite "hiding place" for malware and some will even turn it on after you turn it off. Lots of other great suggestions from others here as well.

  • Kavitesh Singh

    Well, you can try using the online scanner of ESET or Kaspersky and see if it detects any virus or malware. Another option is to download anti-malware trial version software and scan the system. If it detects the malware you may consider purchasing it. ESET online scanner can remove the malware/virus for free during the virus scan.

  • Dentrasi

    Backup the second partition onto an external HDD (don't forget to press SHIFT while connecting the drive to override autoplay).

    Run Windows Setup, nuke ALL partitions, create 2 new partitions and install Windows again.

    Grab the A-squared command line scanner (portable and free for personal use), update it and scan the external drive (remember, SHIFT while connecting the drive, and hold it until the device is installed). Check the result and delete any infected files; ONLY then restore the files to the second partition.

  • fluxtendu

    It sounds like an MBR virus or a rootkit. Check the MBR and alternate data streams (of all drives plugged in, even USB sticks, and don't use suspicious CDs).

    Tools I recommend: