Advanced Virus/Malware/Spyware Removal

* I thought geeksquad's policy was to format and reload. So I may be misinformed.

However, I have definitely carried computer viruses for years on a cd that had been scanned by multiple scanners with nothing found. Maybe several years passed by before the virus on that cd was found. This has not happened to any of you? I am very surprised if that is true.

I found a virus in a professional cd burning software on a factory made cd. I found a virus on a cd my friend made for my birthday, I myself scanned it many times through the years with different scanners.

While I agree it is a worst case scenario - I do not believe that it is rare, or that it is isolated to certain individuals. If anyone out there has had a situation where you found a virus on files that you know you scanned many times with various antivirus software, and then one day anti-virus technology caught up with virus technology and you discovered an infection you didn't know you had, please chime in. :)

Absolutely there are undetectable threats out there, or at least ones which cannot be identified by signature-based detection because they've never been catalogued. They can even dodge the best heuristics from time to time. But the idea is that if you check every possible loading point and ensure that drivers/system files are legit, known versions with good MD5 hashes (all from offline, such as within a custom WinPE), it's practically impossible for anything to be hiding once the host OS is loaded. After traversing enough logs I very rarely miss any loading points before the initial boot. Consequently, I have most machines disinfected within an hour!
 
Absolutely there are undetectable threats out there, or at least ones which cannot be identified by signature-based detection because they've never been catalogued.

Yes, I quite agree with othersteve.

MBAM or SAS do well against malware but there will be some malware they miss because they use signature-based detection.

You need to spend a lot of time waiting for scanners to finish their full scan.
 
So othersteve, what are you using to check system file hashes offline and where are you getting the hashes? And what about non-native drivers?
 
Often an offline system file repair with the MS DART corresponding to whatever version of Windows will identify a patched file. In truly nasty situations, however, it's also possible to run a script or short program to check the hashes manually, provided internet access is available. There are databases available (such as this one) which can be used to check hashes relatively quickly via DNS queries. Plus, many hashes are common between systems and can be manually whitelisted for quick verification without any need for DNS querying. Finally, when in doubt, it's always possible to check Company information and verify the file with an online service such as jotti or VirusTotal.

I find that this method is quite effective when combined with the usual manual disinfection via powerful tools such as OTL. I use these tools within a PE by loading the remote registry hives and performing analysis on the registry offline. It's a lot of setup work, but once you get used to it, almost nothing can hide.
 

Funnily enough I just PM'd you about this before noticing you replied.

So OTL works offline then? I didn't realise.

I'm intrigued to hear more about the details of how you go about setting up a script or app that runs in a PE and can automatically scan all the files in certain locations and check their veracity.

Finding the reg entries doesn't seem to be particularly problematic with various tools available such as autoruns on the DART/ERD CDs. Offline SFC should identify changes to the files that it happens to cover. But this leaves out third-party drivers, and I've noticed rootkits creating a variety of drivers. So a reliable method of scanning for unsigned or mis-signed files offline would seem to be a great tool for finding these - like an offline sigverif.
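As an added illustration of the offline hash check othersteve describes and the third-party driver gap raised just above (example code written for this thread, not othersteve's script or any tool mentioned here): it walks an offline-mounted drivers directory, hashes every binary, and sorts each one into verified, modified (known name, unexpected hash, i.e. a patched file) or unknown (not in the whitelist at all, i.e. a third-party or planted driver to inspect by hand). The whitelist, the file contents and the directory are all constructed for the demo, it uses SHA-256 rather than the MD5 mentioned above, and it needs no network, so it runs in a PE with no internet access.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for clean driver images. A real whitelist would be built
# from a known-good install of the same Windows build and patch level.
CLEAN = {
    "disk.sys": b"MZ constructed clean disk.sys image",
    "atapi.sys": b"MZ constructed clean atapi.sys image",
}
# lowercase filename -> set of acceptable SHA-256 digests (several builds may be valid)
KNOWN_GOOD = {name: {hashlib.sha256(data).hexdigest()} for name, data in CLEAN.items()}

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large system files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_tree(root, known_good, suffixes=(".sys", ".dll", ".exe")):
    """Classify every binary under an offline-mounted volume.
    verified: name and hash match the whitelist
    modified: whitelisted name but a hash we have never seen (patched file)
    unknown:  name not in the whitelist (third-party or planted driver, check manually)"""
    report = {"verified": [], "modified": [], "unknown": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        digest = sha256_file(path)
        expected = known_good.get(path.name.lower())  # Windows names are case-insensitive
        if expected is None:
            report["unknown"].append((path.name, digest))
        elif digest in expected:
            report["verified"].append(path.name)
        else:
            report["modified"].append((path.name, digest))
    return report

def run_demo():
    """Build a constructed copy of <offline volume>\\Windows\\System32\\drivers and audit it."""
    root = Path(tempfile.mkdtemp()) / "Windows" / "System32" / "drivers"
    root.mkdir(parents=True)
    (root / "disk.sys").write_bytes(CLEAN["disk.sys"])                    # untouched
    (root / "ATAPI.SYS").write_bytes(CLEAN["atapi.sys"] + b"\x90\x90")    # known name, patched bytes
    (root / "xyzrtk.sys").write_bytes(b"MZ constructed unlisted driver")  # not whitelisted
    (root / "readme.txt").write_bytes(b"not a binary, skipped")
    return audit_tree(root, KNOWN_GOOD)

if __name__ == "__main__":
    for bucket, items in run_demo().items():
        print(bucket, items)
```

The "unknown" bucket is where the non-native drivers land, which is the list to take to a company-information check or an online hash lookup once a connection is available.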
 