Thursday, August 05, 2010

Offline Antivirus Tool

So has this happened to you? You get a computer from a friend/client that is seriously infected with malware or a virus, and it’s actually running up-to-date antivirus and antimalware tools... and the tools find squat?! Well, it happened to me yesterday. Signs of the virus were internet connection issues and “weird” behavior. After poking around a bit I remembered a tool I had seen from AVG for offline scanning: a computer is booted from a USB-based Linux distro that carries the antivirus tools, so the scan runs while the infected Windows install is not running. So I downloaded it and tried it out.

I downloaded the zip file for USB creation, popped in a USB drive and took off. After extracting the contents to the freshly FAT32-formatted drive I ran the makeboot tool to make the USB drive bootable. I rebooted the PC from the USB drive and did a quick Internet update to update the program and virus definitions. Then I kicked off a scan and walked away for a few hours.

The USB bootable drive found 12 virus-infected files, including one loaded as isaphp.sys, which was loading as a system driver. When I removed it the box wouldn’t boot because it needed that driver. I went to a known-good machine, copied the driver onto the rescue USB drive, booted from it and used Midnight Commander (baked into the rescue distro, under the utilities menu) to put it in the drivers folder on the box. Very cool, and I didn’t need the Microsoft XP restore disk, which is what is usually required. It also found some infections deep inside some Java JAR class files that the others couldn’t see. Good stuff to add to the toolbox…
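As an added illustration of the driver step above (this is not code from the post or from AVG's rescue tool): run from the rescue distro's shell, it compares the suspect box's Windows drivers directory, mounted by the rescue environment, against a SHA-256 manifest taken on a known-good machine, so a flagged driver can be confirmed as modified and a verified copy staged before the original is deleted rather than after the box fails to boot. The directory paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the post or from AVG. Assumes the known-good
# machine's drivers directory (e.g. /mnt/good/WINDOWS/system32/drivers) and
# the suspect box's (e.g. /mnt/suspect/WINDOWS/system32/drivers) are both
# reachable from the rescue shell; both paths are hypothetical.

# make_manifest DIR > manifest
# Records "sha256  name" for every *.sys file in DIR, sorted by name, so the
# manifest can be carried over on the rescue USB drive.
make_manifest() {
    ( cd "$1" && for f in *.sys; do [ -f "$f" ] && sha256sum "$f"; done ) | sort -k2
}

# check_drivers MANIFEST DIR
# Prints one line per driver that differs from the known-good manifest:
#   MODIFIED name  - present but its hash differs (e.g. a patched/replaced driver)
#   MISSING name   - in the manifest but absent (already deleted; restore it)
#   EXTRA name     - not in the manifest at all (unknown driver; investigate)
# Returns 0 when every driver matches, 1 otherwise.
check_drivers() {
    manifest=$1; dir=$2; status=0
    while read -r good_hash name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; status=1
        elif [ "$(sha256sum "$dir/$name" | cut -d' ' -f1)" != "$good_hash" ]; then
            echo "MODIFIED $name"; status=1
        fi
    done < "$manifest"
    # name column starts at column 67: 64 hex chars plus two spaces
    names=$(cut -c67- "$manifest")
    for f in "$dir"/*.sys; do
        [ -f "$f" ] || continue
        printf '%s\n' "$names" | grep -Fxq -- "$(basename "$f")" \
            || { echo "EXTRA $(basename "$f")"; status=1; }
    done
    return $status
}
```

A driver reported as MODIFIED is the one to replace with the known-good copy, while the scanner's own quarantine log explains why it was flagged.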

1 comment:

Business Communications Los Angeles said...

I'm no longer sure the place you're getting your info, but good topic.