Originally it began with simply booting into an offline PE, then poking through the registry offline and removing suspicious objects (random filenames, etc.) from the Run and RunOnce entries for the accounts and the system. Now I use D7's offline Malware Scanner utility instead, which gives me full access to BHOs, start entries, recent files, services, and many more. Once the infection has been disabled, I typically go into the system and run Tweaking.com's All-in-One Windows Repair tool and ComboFix to fix any settings changed by the virus.
Unfortunately, around the time I switched, a lot more of these driver-infecting viruses were released, so I also started adding an online TDSS Killer scan with RKill before or after. While this has been semi-effective, TDSS Killer just doesn't seem to effectively remove all of the possible driver-based viruses. So my question is: does anyone know of a way to check through the drivers offline and manually pick off infected ones?
If you have any experience with D7, I think it may be the tool for the job, since it DOES give access to drivers offline. What I've done in the past is literally go through and delete any driver that did not have a manufacturer listed; however, I think this is only effective because of how completely insane it is (I end up fixing like 5 drivers every time I do this). So is there a better way of using D7 to stop malicious drivers?
EDIT: Are there any good offline rootkit scanners that I could put to use? Am I right in thinking that's the sort of tool I'm looking for?
Does the latest Runscanner work offline? And is there a standalone version of the PE one that doesn't need to be integrated into my builds?
Edited by Falkoner, 25 January 2012 - 07:17 AM.
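As an added example, not part of the original post and not a feature of D7, TDSSKiller or any other tool named above: one way to do the "check through the drivers offline" step the question asks about without deleting every driver that lacks a manufacturer. The script loads the offline installation's SYSTEM hive from a PE, walks the Services key for kernel and file-system driver entries (Type 1 and 2), resolves each ImagePath to the mounted volume, and reports whether the binary is missing or fails Authenticode verification. It assumes the infected volume is mounted at D:\ (the $OfflineRoot parameter), that the PE build includes PowerShell, and that reg.exe is available; the key name OfflineSYSTEM is arbitrary.

```powershell
# Added example (not from the original post): triage driver services in an
# OFFLINE Windows installation's SYSTEM hive from a PE boot.
# Assumptions: infected volume mounted at D:\, PowerShell present in the PE,
# reg.exe available, running elevated. "OfflineSYSTEM" is an arbitrary key name.
param(
    [string]$OfflineRoot = 'D:\Windows'
)

$hivePath = Join-Path $OfflineRoot 'System32\config\SYSTEM'
$mountKey = 'HKLM\OfflineSYSTEM'

# Load the offline SYSTEM hive under a temporary key.
& reg.exe load $mountKey $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $hivePath" }

try {
    # Use the ControlSet the offline system actually boots with.
    $current     = (Get-ItemProperty 'HKLM:\OfflineSYSTEM\Select').Current
    $servicesKey = 'HKLM:\OfflineSYSTEM\ControlSet{0:D3}\Services' -f $current

    $findings = foreach ($svc in Get-ChildItem $servicesKey) {
        $p = Get-ItemProperty $svc.PSPath
        # Type 1 = kernel driver, Type 2 = file-system driver; skip user-mode services.
        if ($p.Type -ne 1 -and $p.Type -ne 2) { continue }
        if (-not $p.ImagePath) { continue }

        # Normalise ImagePath to a path on the mounted volume. Typical forms:
        # "system32\drivers\foo.sys", "\SystemRoot\system32\...", "\??\C:\...".
        $img = $p.ImagePath -replace '^\\\?\?\\', ''      # strip \??\
        $img = $img -replace '^\\SystemRoot\\', ''         # strip \SystemRoot\
        $img = $img -replace '^%SystemRoot%\\', ''         # strip %SystemRoot%\
        if ($img -match '^[A-Za-z]:\\') {
            # Absolute path on the offline system drive: remap its drive letter.
            $img = Join-Path (Split-Path $OfflineRoot -Parent) $img.Substring(3)
        } else {
            $img = Join-Path $OfflineRoot $img
        }

        $status = 'MissingFile'
        $signer = ''
        if (Test-Path -LiteralPath $img) {
            $sig    = Get-AuthenticodeSignature -FilePath $img
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Service   = $svc.PSChildName
            Start     = $p.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $img
            SigStatus = $status
            Signer    = $signer
        }
    }
}
finally {
    [gc]::Collect()   # drop provider handles so the hive can be unloaded
    & reg.exe unload $mountKey | Out-Null
}

# Enabled drivers (Start 0-3) that are missing or not validly signed go to the top of the review list.
$findings |
    Where-Object { $_.Start -le 3 -and $_.SigStatus -ne 'Valid' } |
    Sort-Object Start |
    Format-Table -AutoSize
```

Two caveats before acting on the output. First, Get-AuthenticodeSignature verifies against the PE's own trust and catalog stores, not the offline system's, so Microsoft inbox drivers that are catalog-signed rather than embedded-signed will usually show as NotSigned here; a NotSigned driver under the normal system32\drivers path should be compared by hash against a known-clean copy of the same Windows build rather than deleted on sight, which is exactly the failure mode behind having to repair several drivers after a blanket purge. Second, a boot-start (Start 0) or system-start (Start 1) driver whose ImagePath points outside system32\drivers, whose file is missing, or whose signature status is HashMismatch is a much stronger signal than a missing manufacturer string, because a signed binary that has been patched on disk will fail with HashMismatch rather than NotSigned.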