Live CD-based antimalware
A mixed bag at best:
- Avira AntiVir Rescue System: must download a Windows-based installer which burns the rescue CD directly to disc; reportedly "updated several times a day so that the most recent security updates are always available", but definitions were almost a month old; froze the computer completely when the Configuration and Updates options were clicked.
- BitDefender Rescue CD: standard ISO image; online update worked flawlessly; confusing interface for selecting the scan target (volumes do not seem to automount); detected infections could not be cleaned or removed (this may be due to NTFS mounting issues).
- Dr.Web LiveCD: standard ISO image, updated regularly; failed to find anything on a heavily infected system.
- F-Secure Rescue CD (updated version): zipped archive includes the ISO image, release notes, and a PDF manual; files containing malware are renamed (this behavior cannot be modified); online update appeared to have worked, but the reported database version was 2008-11-07_10 (more than 7 months old).
- Kaspersky Rescue Disk: standard ISO image; online update worked flawlessly; drop-dead simple scanning, cleaning, and log viewing. UPDATE 1: This tool seemed to work perfectly, removing all detected infections. However, during reboot it gave a warning about being unable to unmount a volume, and ended up ERASING THE ENTIRE HARD DRIVE. As always, use this and all tools at your own risk (and joy). Backup. Backup. Backup. UPDATE 2: It appears others have suffered the same fate. Tags: Kaspersky Rescue Disk, NTLDR is missing.
See also SOS - Anti-virus Rescue Disks to the rescue and Bootable rescue CDs can fix your damaged Windows. Note that these reviews are from last year; the products seem to have changed rather markedly since then.
Microsoft's Diagnostics and Recovery Toolset, also known as DaRT (and which is built on Winternals Administrator's Pak / ERD Commander 2005), is a bootable CD which includes "Standalone System Sweeper". Definition updates can be found here or downloaded from within the program. It has been the most effective bootable antimalware tool I've found. Microsoft TechNet subscribers can download DaRT as part of the Microsoft Desktop Optimization Pack (MDOP).
UPDATE 1: Standalone System Sweeper's definition updates (whether from the network or local storage) no longer seem to work on Windows XP systems. The AVG Rescue CD has worked well for me, though it failed to uncover an MBR infection which was causing a BSOD (0xBA4C7524,0xC000034,0x00000000,0x00000000). Running fixmbr from the Recovery Console did the trick. Also had to manually remove evil DNS servers (93.188.164.33 and 93.188.160.103) from network adapters.
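The rogue DNS servers mentioned above are the kind of thing worth checking for on every adapter after a cleanup, since a scanner that removes the malware does not necessarily undo its network changes. The following is an added example, not part of the original post or any of the tools it reviews: it lists every IPv4 adapter whose configured DNS servers include a blocklisted address (seeded with the two addresses from the post) and shows the remediation command in a comment. It assumes Windows 8 / Server 2012 or later, where the Get-DnsClientServerAddress and Set-DnsClientServerAddress cmdlets exist (they are not available on Windows XP); the function name Find-RogueDnsServers and the $RogueDns variable are the example's own.

```powershell
# Added example (not from the original post): audit the DNS servers configured on
# every network adapter and flag blocklisted addresses.
# Assumes Windows 8 / Server 2012 or later (Get-DnsClientServerAddress is not on XP).

# Rogue DNS servers named in the post; extend with your own blocklist.
$RogueDns = @('93.188.164.33', '93.188.160.103')

function Find-RogueDnsServers {
    param([string[]]$Blocklist = $RogueDns)

    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            # Any configured server that appears on the blocklist is a hit.
            $hits = @($_.ServerAddresses | Where-Object { $Blocklist -contains $_ })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    InterfaceAlias = $_.InterfaceAlias
                    InterfaceIndex = $_.InterfaceIndex
                    Configured     = ($_.ServerAddresses -join ', ')
                    Rogue          = ($hits -join ', ')
                }
            }
        }
}

# Report only; nothing on the system is changed by this block.
$findings = @(Find-RogueDnsServers)
if ($findings.Count -eq 0) {
    Write-Host 'No adapter is using a blocklisted DNS server.'
} else {
    $findings | Format-Table -AutoSize
    # To remediate, reset each affected adapter to DHCP-assigned DNS (run elevated):
    #   $findings | ForEach-Object {
    #       Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ResetServerAddresses
    #   }
    # then clear the resolver cache with: Clear-DnsClientCache
}
```

Statically assigned but legitimate servers will not be flagged unless they are on the blocklist, so on a managed network the more useful check is the inverse: treat anything not on an allowlist of your own resolvers as suspect. The same function works for that by passing the allowlist and inverting the `-contains` test.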
UPDATE 2: Standalone System Sweeper now available free to all on a pre-built WinPE image!
/windows | Jun 24, 2009