Pre-Boot Scanning

Discussion in 'NOD32 version 2 Forum' started by Jagur, Sep 6, 2004.

Thread Status:
Not open for further replies.
  1. Jagur (Registered Member)
    I recently worked on a system infected with the Qoologic.B trojan downloader, and either due to the virus itself or some other problem with the system it was impossible to edit the registry and actually get NOD to load at startup. Once manually loaded, NOD detected it at every moment, but couldn't do anything about it because the file was locked. No matter what was done, nothing could force the resident protection to load before everything else. I would very much like to know if there are any plans to make a NOD pre-OS loader/boot disk/boot CD or ANYTHING that can reference the latest definition files and clean an infection BEFORE the OS loads and the virus becomes completely invincible because it's resident in memory. Hell, even Ad-Aware lets you do this before the OS loads... I heartily agree that NOD detects everything, but if it can't do anything about it, what has been accomplished?

    Btw, if anybody knows a reliable way of getting rid of the aforementioned virus, please let me know. I suspect it's the reason nothing can be done to the start sequence. Even attempting to manually edit CurrentConfig/Run is a complete waste of time. In fact, if you add any entry to it, it immediately becomes impossible to edit or delete, which is about the most infuriating thing I've ever been cursed to deal with.

    The Wrath of Kahn
     
  2. Blackspear (Global Moderator)
    Did you try booting into Safe Mode and running a scan with Nod32?

    The best way we have found is to "Slave" the infected drive off a clean system protected by Nod32.

    Or you can do the following:


    Step 1. Install Zone Alarm (free) – Firewall with visual outgoing alerts to see what is trying to access the internet.
    http://www.zonelabs.com


    Step 2. Download Stinger available here: do NOT run this YET.
    http://vil.nai.com/vil/stinger/


    Step 3. MAKE SURE NOD32 IS FULLY UP TO DATE with the latest virus signatures.


    Step 4. Turn OFF System Restore, this process depends on your operating system:


    Windows XP Instructions

    1. Right click on the "My Computer" icon on the Windows desktop
    2. Click "Properties"
    3. Click on the "System Restore"
    4. Place a tick in "Turn off System Restore on all Drives"
    5. Click OK
    6. Close and restart your system.


    OR


    Windows ME Instructions

    1. Right click on the "My Computer" icon on the Windows desktop
    2. Click "Properties"
    3. Click on "Performance"
    4. Click "File system"
    5. Click "Troubleshooting"
    6. Check "Disable system restore"
    7. Click on OK
    8. Close and restart your system.


    Step 5. Delete your TEMP files by doing the following: open up Internet Explorer> Tools> Internet Options> General TAB> Temporary Internet Files> Delete Files> Delete All Offline Content.


    Step 6. Restart your system again in “SAFE MODE” by pressing/tapping F8 while booting up.


    Step 7. Start a scan with Nod32 while in SAFE MODE by doing the following: Start> All Programs> Eset> Nod32.


    CHECK THE FOLLOWING BEFORE YOU START YOUR SCAN:

    “Actions” TAB
    Make sure Quarantine is ticked, both for “If a virus is found” and “Uncleanable viruses”.

    “Setup” TAB
    Objects to diagnose – place a tick in all boxes.
    Diagnostic methods – place a tick in all boxes.
    Heuristic sensitivity – place a tick in “Deep”.
    Extensions – place a tick in “Scan all files”.

    “Scanning targets” TAB
    Double click on ALL of your Hard Drives so there is a RED tick shown
    Click “Clean”


    Make SURE Quarantine is ticked with EVERYTHING that is detected BEFORE you DELETE anything that is found. If you are not sure whether it is safe to delete an infected file, quarantine allows restoration of a file at a later time/date.


    If the scan finds a “Probable NewHeur_PE virus found”, please do the following:

    1. Place a tick in the Quarantine check-box
    2. Select Delete
    3. Send the quarantined file to Eset at samples@nod32.com. The file can be found here: C> Program files> Eset> Infected


    Step 8. Run a scan with “Stinger” the program you downloaded above.


    Step 9. Reboot your system into normal mode.


    Step 10. Run a further online scan found here: http://housecall.trendmicro.com/


    Step 11. Install, update and run Spybot Search and Destroy (free) – Spyware removal and protection, with registry monitor.
    http://beam.to/spybotsd


    Step 12. Install, update and run Adaware (free) – Spyware removal. What Spybot Search and Destroy doesn’t pick up, this will.
    http://www.lavasoftusa.com


    Step 13. Install and run CWShredder available here:
    https://www.wilderssecurity.com/showthread.php?t=14086


    Step 14. Make sure your Windows is FULLY up-to-date by doing the following: While on the Internet, Click on Internet Explorer (the Blue “e”), Click on Tools (on the bar at the top of your screen in Internet Explorer), Click on Windows Update. This will take you to the Microsoft Windows Update page where you need to follow the on screen prompts, starting with “Scan for Updates”. Install ALL “Critical Updates” and “Service Packs”.

    WEEKLY – check this is “Up to Date”.



    REPEAT ALL THE ABOVE STEPS, this time EVERYTHING should come up clean…



    Now that your system is clean you may want to take a look here for further discussion on security and how to make your system that much stronger:

    https://www.wilderssecurity.com/showthread.php?t=45284&page=1&pp=25

    and here for more:

    https://www.wilderssecurity.com/showthread.php?t=43117


    Hope this helps…

    Cheers :D
     
    Last edited: Sep 6, 2004
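Editor's added example, not part of the thread and not an ESET or Lavasoft tool: the "slave the infected drive off a clean system" approach above also gives you a way to read and repair the infected install's autostart entries without anything from that install running, so neither the trojan nor a resident registry guard can lock the file or veto the edit. The script below loads the slaved drive's SOFTWARE hive into the clean machine's registry with reg.exe, lists the Run/RunOnce values, flags entries whose target file does not exist on the slaved drive, and with -Repair writes a Run entry for NOD32. The drive letter D:, the entry name nod32kui and the path C:\Program Files\Eset\nod32kui.exe are assumptions; adjust them for the system in front of you. Run it from an elevated PowerShell on the clean host.

```powershell
# Added example (not from the thread): inspect and optionally repair the
# autostart entries of a drive that has been slaved to a clean machine by
# loading its SOFTWARE hive offline. Nothing on the infected install is
# running, so no resident process can block the edit. Run elevated.
param(
    # Assumption: Windows directory of the slaved (infected) drive.
    [string]$OfflineWindows = 'D:\Windows',
    # Assumption: path of the NOD32 GUI *as the infected system sees it*,
    # i.e. on its own C:, because this entry runs when that system boots.
    [string]$Nod32Path = 'C:\Program Files\Eset\nod32kui.exe',
    [switch]$Repair
)

$hive    = Join-Path $OfflineWindows 'System32\config\SOFTWARE'
$mount   = 'HKLM\OfflineSW'     # reg.exe syntax for the mount point
$mountPs = 'HKLM:\OfflineSW'    # provider syntax for the same key
$runKeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce'
)
$slaveLetter = $OfflineWindows.Substring(0, 2)   # e.g. 'D:'

if (-not (Test-Path $hive)) { throw "SOFTWARE hive not found at $hive" }

# The PowerShell registry provider cannot mount hives; reg.exe can.
& reg.exe load $mount $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (run elevated; the hive must not be in use)' }

try {
    foreach ($sub in $runKeys) {
        $key = "$mountPs\$sub"
        if (-not (Test-Path $key)) { continue }
        Write-Host "== $sub"
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
            $raw = [string]$p.Value
            # Pull the executable out of '"C:\x y\z.exe" /arg' or 'C:\z.exe /arg'.
            $exe = ($raw -replace '^"([^"]+)".*$', '$1') -replace '\s+(-|/).*$', ''
            # The entry refers to the infected install's own C:; look for the
            # file on the slaved drive instead. Entries written with %SystemRoot%
            # or other variables are reported as missing and need a manual look.
            $onSlave = $exe -replace '^[A-Za-z]:', $slaveLetter
            $flag = if (Test-Path $onSlave) { '' } else { '  <-- target missing on slaved drive' }
            Write-Host ('{0,-20} {1}{2}' -f $p.Name, $raw, $flag)
        }
    }

    if ($Repair) {
        $runKey = "$mountPs\$($runKeys[0])"
        # Quote the path so the space in 'Program Files' survives; Set-ItemProperty
        # creates the REG_SZ value if it does not exist yet.
        Set-ItemProperty -Path $runKey -Name 'nod32kui' -Value "`"$Nod32Path`""
        $check = (Get-ItemProperty -Path $runKey).nod32kui
        Write-Host "Wrote Run\nod32kui = $check"
    }
}
finally {
    # Drop any handles the provider still holds, or reg unload reports access denied.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload $mount | Out-Null
}
```

Scan the slaved drive with the clean host's NOD32 before and after this, as the post says; the offline hive edit only fixes the startup entry, it does not remove the locked file. A Run value whose target is missing on the slaved drive is either leftover junk or an entry pointing at a file that lives somewhere a variable expands to, so check those by hand rather than deleting blindly.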
  3. Mele20 (Former Poster)
  4. Blackspear (Global Moderator)
  5. Jagur (Registered Member)
    Well, thanks for the extremely detailed explanation... I inadvertently found out one issue when I matched one of the settings on my own system that I knew I had enabled on my client's system. When Ad-Aware SE is installed, if you set Ad-Watch to "automatic" mode, guess what?!? ALL ATTEMPTS TO EDIT YOUR START CONFIG WILL FAIL! Do they give you a nice, friendly warning when you first enable that *wonderful* option? No. Do you have any indication that it blocked your attempt to legitimately edit anything into the registry? Hell no.

    Suffice to say I'm mighty peeved at Lavasoft now, and will tread carefully in the future when using it, or anything similar. Once I get back to my client's system I'll disable that and see if it lets me load NOD at startup like it should. Glad to see there are plenty of alternatives to work with, I know I'll be referring back to this often.

    The Wrath of Kahn
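Editor's added example, not part of the thread and not Lavasoft's or ESET's code: the symptom described in the post above, a registry edit that is accepted but never takes effect, is worth testing for directly before blaming the infection. The function below writes a harmless canary value into a Run key, waits briefly, reads it back, and then removes it; it reports three distinct outcomes: the write was refused outright (an ordinary permissions error), the write succeeded but the value vanished (something resident is silently reverting Run edits), or the key is writable. It does not assume which product is responsible. The canary name, the 1.5 second delay and the command string are assumptions; the HKLM check needs an elevated PowerShell.

```powershell
# Added example (not from the thread): detect a resident tool that silently
# reverts writes to the Run keys. Writes a canary value, reads it back after
# a delay, then deletes it. Run elevated for the HKLM key.
function Test-RunKeyWritable {
    param(
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        # Assumption: a random, obviously-ours value name so nothing real is touched.
        [string]$Name = 'ZZ_canary_' + [guid]::NewGuid().ToString('N').Substring(0, 8),
        [int]$DelayMs = 1500    # assumed: long enough for a registry guard to react
    )
    # Harmless even if cleanup fails and the entry runs at next logon.
    $expected = 'cmd.exe /c exit'
    $result = [ordered]@{ Key = $Key; Name = $Name; Written = $false; Survived = $false; Error = $null }

    try {
        Set-ItemProperty -Path $Key -Name $Name -Value $expected -ErrorAction Stop
        $result.Written = $true
    } catch {
        # An explicit refusal (access denied etc.) is the opposite of the silent case.
        $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }

    Start-Sleep -Milliseconds $DelayMs
    $readBack = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    $result.Survived = ($readBack -eq $expected)

    # Remove the canary; a guard that blocks deletes will make this throw, which is
    # itself a finding (and the entry is still harmless if it is left behind).
    try { Remove-ItemProperty -Path $Key -Name $Name -ErrorAction Stop }
    catch { $result.Error = 'cleanup failed: ' + $_.Exception.Message }

    return [pscustomobject]$result
}

# Check both the machine-wide and the per-user Run key.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $keys) {
    $r = Test-RunKeyWritable -Key $k
    if ($r.Error -and -not $r.Written) {
        "$k : write refused - $($r.Error)"
    } elseif (-not $r.Survived) {
        "$k : write accepted but the value vanished - something resident is silently reverting Run edits"
    } elseif ($r.Error) {
        "$k : value survived but cleanup failed - $($r.Error)"
    } else {
        "$k : writable"
    }
}
```

If the "write accepted but the value vanished" line appears, disable any registry guard (Ad-Watch in the post's case) or any other resident monitor one at a time and re-run the check; the write that finally sticks tells you which component was intercepting the edit. Only once the key is genuinely writable does a missing NOD32 startup entry point at the infection rather than at a protection tool.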
     
  6. Blackspear (Global Moderator)
    Glad I could be of assistance. The 2 links that I provided regarding security are worth a look; they should be able to steer you in the right direction for securing a PC from minimal to very tight:

    https://www.wilderssecurity.com/showthread.php?t=45284&page=1&pp=25

    and here for more:

    https://www.wilderssecurity.com/showthread.php?t=43117

    Hope this helps...

    Let us know how you go with your client's PC...

    Cheers :D
     