okacs asked:
Using VMware as an Anti-Virus configuration?

I am fed up with virus infections.  This is the third time this year I've had to completely reformat my PC to get rid of some malware because no product would kill it.  I've been using several spyware products, a hardware AND a software firewall, and an anti-virus product, as well as pop-up protection, registry mod blockers, etc etc.  Nothing works.  It's the equivalent of having a vasectomy, using a condom, and sticking to a vow of celibacy and STILL catching something somehow...

I'm looking for something completely different.  Take another approach to virus protection...  live loose & free with no protection, get infected, and just reboot and you're clean again.  

This could probably be done by burning your OS to CD and booting off of it and not having a hard drive, but then you couldn't do much with the PC now, could you?  So I was wondering if VMware could solve the problem.  I've never used it, but my understanding is that you can use the guest OS like a normal system, and if it gets screwy, just dump the session & restart it.

I am interested in wiping my drive, installing Linux as the host OS, and then using VMware to install a guest Win XP OS.  Because I want to be able to use all my current software and settings just like a typical OS install.

Is this possible?  Will it be effective?  How do I do it?  (instructions for the neophyte please!)
What VMware solution would be best?  I'm looking for something that is freeware...

Thanks.
SOLUTION
Rartemass
SOLUTION
SOLUTION
ASKER CERTIFIED SOLUTION
okacs (ASKER)

The problem with the single OS and restore methods like BartPE is that, after infection, you would have to be able to run the EXE that restores the last state.  The viruses that I've been catching are like "System Security" and other fake AntiVirus products - and they lock the system down horribly:

- Will not let me run any EXEs
- Will not let me use Ctrl-Alt-Del
- Will not let me use Regedit
- Will not let me run "CMD"
- Will not let me see hard drives other than C:
- Will not let me boot into safe mode
- Will not let me boot to "last known good config"
- Will not let me browse to download any cleanup utilities
- (I even reinstalled the OS twice, once as repair & once as dual boot & both were immediately reinfected.)
      
In these suggested VM scenarios (Linux host, Win guest, and Win host, Win guest), when I "reset to the previous state", how do I keep my legitimate changes to the OS (install an app, apply Windows updates, save a Word DOC, etc)?

I like the idea of Sandboxie, but is it REALLY going to be effective against the types of viruses I am getting??
Won't the virus just get "beneath" the sandbox like it is already doing to the OS, AV, and spyware apps?

Thanks
okacs (ASKER)

On a side note, 100% of all my infections seem to come from browsing the web (as opposed to email, software installs, hacking, etc).  Is there a safer browser for XP?  Something that can run flash, etc but NOT put malware on your PC?   I had my IE 7 locked down fairly well (or so I thought) and that does not seem to help....
SOLUTION
You seem to be missing the idea behind my "Win host - Win guest" suggestion.
The idea is not that you use the VM as a regular OS; you use it exclusively for online stuff and browsing. Which means you keep it rudimentary: you do not install productivity software or tools on it, you do not create or edit Office documents, you do not even install Windows updates (it is a waste of time unless a serious issue requires you to - which I cannot imagine; I have installed one single little hotfix manually in the past 7 months on my XP3 box, and it's running better than those with automatic updates enabled).

All you do is this:
- install XP SP3 on your VM software of choice
- install the VM extensions/additions and configure internet access, graphics and sound
- customize XP to your liking
- install a non-MS browser (Opera or Firefox), maybe some good browser extensions like Adblock or Noscript, maybe an email client, and a good free Anti-Virus (I suggest avast!) which may be used to check your downloaded stuff before transferring to the host
- create a restore point (in Vbox: snapshot) of your current VM state
- (if you want to make it even faster, create a copy of your virtual disk with a backup extension inside the original folder)
- enjoy

When you boot into Windows, start up the VM and whenever you have to look anything up on the internet, do it inside the VM window. (A nice feature would be to use a tool that creates virtual desktops on your host: then the VM could be running fullscreen on the second desktop and wouldn't interfere with your productive work).
For exchange of data between both systems use a shared folder or USB pendrive. If you choose Opera, you don't even have to back up your bookmarks, you can use its online synchronization.
Whenever you realize that something odd or suspicious is going on, simply restore the snapshot or change the name of the backup disk, and continue browsing with a fresh and clean system.

As to your question about browsers: it is in general a good rule of thumb to try and avoid as many Microsoft applications as possible; I have never used IE, Outlook/Express, MSN Messenger, Windows Addressbook, Windows Media Player etc., I prefer OpenOffice over MS Office, and I cannot recall a single grave malware issue in 15 years.
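The "take a snapshot once, restore it whenever something looks odd" routine from the post above, scripted for VirtualBox. This is an added example, not code from the thread or from VirtualBox itself; it assumes VBoxManage is on the PATH, that the browsing VM is called browse-xp and that the baseline snapshot is called clean (both names are made up here and can be overridden with the VM and SNAP environment variables). With DRY_RUN=1 the script prints the VBoxManage commands instead of running them, which is also how it checks itself offline.

```shell
#!/bin/sh
# Disposable browsing VM helper for VirtualBox (added example, not from the thread).
# Assumed names: VM "browse-xp", snapshot "clean"; both can be overridden via env.
VM="${VM:-browse-xp}"
SNAP="${SNAP:-clean}"
VBOX="${VBOX:-VBoxManage}"

# Run a VBoxManage command, or only print it when DRY_RUN=1.
vbox() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$VBOX" "$*"
    else
        "$VBOX" "$@"
    fi
}

# Current VM state as VBoxManage reports it: running, paused, saved, poweroff, ...
# In dry-run mode a constructed state (FAKE_STATE) is returned instead.
vm_state() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "${FAKE_STATE:-running}"
        return 0
    fi
    "$VBOX" showvminfo "$VM" --machinereadable | sed -n 's/^VMState="\(.*\)"$/\1/p'
}

# Take the baseline snapshot once, right after the VM is set up the way you want it
# (browser, extensions, AV installed; nothing personal on it).
vm_take_clean() {
    vbox snapshot "$VM" take "$SNAP" --description "pristine browsing VM"
}

# Throw away everything that happened since the baseline and start fresh.
# A snapshot can only be restored while the VM is off, so a running VM is
# powered off (not saved: the saved state would carry the infection along)
# and a saved state is discarded first.
vm_restore_clean() {
    state=$(vm_state)
    case "$state" in
        running|paused|stuck) vbox controlvm "$VM" poweroff ;;
        saved)                vbox discardstate "$VM" ;;
    esac
    vbox snapshot "$VM" restore "$SNAP"
    vbox startvm "$VM" --type gui
}

# Usage:  ./browse-vm.sh take    (once, after setup)
#         ./browse-vm.sh reset   (whenever something looks suspicious)
case "${1:-}" in
    take)  vm_take_clean ;;
    reset) vm_restore_clean ;;
esac
```

Anything you want to keep (downloads, bookmarks) has to live outside the VM, on the shared folder or pendrive the post mentions, because the reset discards the whole guest disk state since the snapshot, including any malware that landed in the meantime.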
okacs (ASKER)

OK, I see your point about Win/Win using the guest OS as just a browser, similar to the Linux guests.  I started this post assuming that I'd want my whole OS as a guest so that if anything happened, I could restore the whole thing.  (Hence the original concept of a Linux host OS).

Maybe I use another product for that - like Ghost or BartPE.  And then also keep my browser sandboxed or VM'ed.  But I'd also want a USB boot device with the Ghost restore app.

I've used OpenOffice and it is good... but not quite as good as Word & Excel.  And unfortunately OO does not have a clone of MS Access, which I use extensively - as I also do with MS Visual Studio 2008.

If you intend to virtualize your complete OS in order to be able to "restore the whole thing", then I don't see what you will gain from it.
The problems that you are going to run into are exactly the same as on a normal OS:
- how often will you have to make a backup to preserve the most recent changes to the virtual OS?
- how much time are you willing to invest into repairing a damaged virtual OS because you don't have a recent backup?
- etc.

These are the same questions you have to answer on a normal XP which is set up in a smart way, i.e. with a small ~20 GB OS partition, that you keep mirrored/imaged/ghosted regularly, whereas the rest of your programmes, data and backups go to other partitions.
Just restoring the OS partition will, in 95% of all cases, restore your complete OS to a stable state - much better, than System Restore can do.

So, if all this is easily possible, why have it all virtualized, and on top of that, hosted by an operating system that you don't know?

Please don't get me wrong: I don't wish to discourage you from using Linux, I just wish to point out that you haven't yet made clear that you actually need to use it.
okacs (ASKER)

Yes, I was originally thinking that a LImux host OS would be "uninfectable" and would guarantee a good boot up so that I could re-launch a VM guest OS - rather than having to boot off CD or USB to restore a Ghost image.

But you are correct about the maintenance of the image either way.  I tend to be a "utility junkie", always D/L-ing and installing free new useful tools.  But my core applications don't often change.  I would not be too bothered if I lost my utils.  I can always get them again.

After pondering this all morning, I am thinking about just going with a basic XP install, and using Sandboxie for my TCPIP apps.  I already backup data online.  Then maybe I'll do a one time backup image to speed up basic restoration in the future...
okacs (ASKER)

* Sorry, I meant Linux.  That's prolly not the only misspelling! lol
SOLUTION
SOLUTION
okacs (ASKER)

I like free...  :)

Using Windows SteadyState, can I have one profile that is locked down and one that is not?  I.e. an administrator account that I use to install updates and new software, and a user account that is totally wiped and restored at reboot?

On a side note, I can't seem to clean off this stinkin' virus.  Formatted drive & installed AV, AS, FW, sandbox and other securities, then did updates and installed other apps.  Now virus is back.  So I disco'ed the network, cleaned it with Spybot, MalwareBytes, RootkitRevealer, AVG antivirus, etc - SEVERAL times.  Reboot, and it's infected again.  I think I've got a rootkit on there that I can't get rid of.  :(
Did you try ComboFix?
Download it from here to your desktop and - just to make sure - rename it slightly before issuing the download command:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then study the instructions carefully, as this is no easy tool to handle:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Run ComboFix from your desktop, disable all antivirus applications as well as file/folder shields and guards that may be running in the background. Remember to not click the CF window while it is running, as this will cause it to freeze.
ComboFix may reboot your machine, it will also temporarily deactivate your internet connection.

ComboFix uses the Gmer rootkit detector (www.gmer.net) and should be able to handle most known kits.

On the other hand: if you formatted and reinstalled, I don't see how a rootkit could have survived. If you think the malware may have infected the complete network, disable the network (simply unplug), and use CF on all machines.
okacs (ASKER)

There is no network. I had only one PC connected to the SOHO router wirelessly.  Then I pulled out the USB wireless adapter and after several reboots and disinfecting I am still getting reinfected.
The only explanation for this would be a bootsector virus.

How did you format? With Windows fdisk during installation?
And are you sure there aren't any other (hidden) partitions that might host your unwelcome guest? Most standard vendor PCs have a recovery and a utility partition that is hidden - but only to Windows.

You might want to do the following:
-- Boot your system off the Parted Magic boot CD: www.partedmagic.com
-- Run the Partition Editor (GParted) and delete *all* partitions that are found on the disk
-- In a terminal, type the following command:
# dd if=/dev/zero of=/dev/sda count=10k
-- Rerun GParted and create your NTFS partition
-- Reinstall XP

During this process, the infected bootsector should be wiped along with the partition table and all rootkits hiding there. For Windows, this will be a raw new disk.

(Note: The above assumes you only have 1 HDD in that system. If there are more, post back and I'll help you check out how to change that 'dd' command in order to be effective.)
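The wipe-and-verify step from the procedure above, as an added example (not code from the thread or from Parted Magic). It assumes GNU dd and od, as found on a Parted Magic live CD, and it is exercised here against a constructed 16 MiB image file with a fake MBR so it can run safely; pointing it at a real device such as /dev/sda is the destructive, for-real use. The function is parameterised on the device so it can be repeated for every disk in the box, which is the multi-disk case the post leaves open.

```shell
#!/bin/sh
# Zero the start of a disk (MBR boot code, partition table, post-MBR gap) and
# verify the 0x55AA boot signature is gone. Added example, not from the thread.
# DEMO runs against a temporary image file, never a real disk.

# Zero the first N MiB (default 8) of a device or image file. The thread's
# "count=10k" with dd's default 512-byte blocks is 5 MiB; 8 MiB also covers the
# 1 MiB alignment gap newer tools leave before the first partition.
# conv=notrunc keeps an image file at its original size.
wipe_boot_area() {
    dev="$1"; mib="${2:-8}"
    dd if=/dev/zero of="$dev" bs=1M count="$mib" conv=notrunc 2>/dev/null
}

# True (exit 0) if bytes 510-511 still hold the 55 AA boot signature,
# i.e. there is still a boot sector / partition table at the start.
has_mbr_signature() {
    sig=$(od -A n -t x1 -j 510 -N 2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Constructed test image: 16 MiB of zeros plus a fake MBR (boot-code stub,
# one active NTFS partition entry at 446, signature at 510).
make_fake_disk() {
    img="$1"
    dd if=/dev/zero of="$img" bs=1M count=16 2>/dev/null
    printf 'FAKEBOOT' | dd of="$img" bs=1 seek=0 conv=notrunc 2>/dev/null
    printf '\200\000\001\000\007\376\377\377\077\000\000\000\000\000\000\001' \
        | dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Self-contained demonstration: build the fake disk, confirm the signature is
# there, wipe, confirm it is gone. Succeeds (exit 0) only if both checks hold.
demo_wipe() {
    img=$(mktemp) || return 1
    make_fake_disk "$img"
    before=0; has_mbr_signature "$img" && before=1
    wipe_boot_area "$img" 8
    after=0;  has_mbr_signature "$img" && after=1
    rm -f "$img"
    printf 'boot signature before=%s after=%s\n' "$before" "$after"
    [ "$before" = 1 ] && [ "$after" = 0 ]
}

# Usage:  ./wipe-boot.sh demo                  (safe self-test on an image file)
#         ./wipe-boot.sh wipe /dev/sdX [MiB]   (destructive; run as root from a live CD)
case "${1:-}" in
    demo) demo_wipe ;;
    wipe) wipe_boot_area "${2:?usage: wipe /dev/sdX [MiB]}" "${3:-8}"
          if has_mbr_signature "$2"; then
              echo "boot signature still present on $2"; exit 1
          fi
          echo "start of $2 zeroed" ;;
esac
```

Two caveats for real use: run the wipe for each disk the machine has (for example `for d in /dev/sd?; do ./wipe-boot.sh wipe "$d"; done`), and note that on a GPT-partitioned disk the backup partition header sits in the last sectors, so zeroing only the start of the disk is not enough there; XP-era MBR disks, as in this thread, have nothing at the end that needs to go.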
okacs (ASKER)

Yes, there is another small recovery partition (It is a HP PC with OEM default recovery partition).  But I never booted off of it.  There is only one HD.

Can the second partition re-infect the first if it was never booted??

YES, Steady State allows the Administrator unfettered access to change the machine, although there are some additional dialog prompts ("are you REALLY sure you want to save your changes") at shutdown / reboot.

No administrator changes are permanent until a reboot / and accept (as above) sequence, so even the admin account is protected from disk saves, but not limited in its ability to use / change the machine.

Other accounts can be configured in varying degrees of locked-down-ness as needed for what you.

================
Given what you have run, not certain its a virus you are looking for.

Download combofix and burn it to a CD, as certain things may prevent a download from the affected computer.

Follow the instructions at:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

you can also download from that page.

Don't download this from just anywhere, get it from the source ..... there have been problems from certain sites offering this or info as a download.

The HP and Dell recovery partitions are pretty immune to stuff - they are nonstandard and resist many commands on partition tools too, because of non-standard sector start / stop on cylinders etc.

That said, If I learned enough to describe this, perhaps someone might take the time to specifically target one of these brands but its pretty unlikely.  

You don't mention the brand of AV, etc you installed, and I hesitate to add another because I believe COMBOFIX will do the job for you, but if you are concerned about rootkits and want to make sure, D/L the DrWeb Live CD http://www.freedrweb.com/livecd/ , burn to a CDROM on a safe machine and boot from that - will cure any bootsector or rootkit.

But it really sounds like you have an Internet-refreshed malware, and ComboFix is king at cleaning those - it's what you use when Malwarebytes comes up short.

Trust me.  Try the fix instead of blowing your machine away.

dnilson,

I already suggested Combofix and gave detailed instructions for it above.
Yes torimar, I saw that, and I'm sure the author did too.

My caution to him was to TAKE that advice and avoid blowing away the partition, which was your subsequent suggestion, and one, IMHO, which was unwarranted at this point, so I pointed him back to ComboFix.

In any event the fix for his problem is not the question originally posted, which was how to configure so it doesn't happen again.

I only suggested to reformat the partition because okacs already did it. Quote:
"Formatted drive & installed AV, AS, FW, sandbox and other securities, then did updates and installed other apps.  Now virus is back."

I had to assume then that this was a fresh install with nothing of value to safeguard. Hence I suggested to do it again, and this time to do it properly.

It's not my custom to tell people to wipe their hard drives clean, unless they themselves think to have already done so ;)

And yes, I agree. We are beginning to digress from the original problem here. If after having run Combofix the issue should persist, it is advisable to deal with it in a separate thread in the anti-virus/malware sections.
okacs (ASKER)

At this point, I am convinced that I have been fighting several different viruses over the last few days.  I actually ended up infecting another PC and had to wipe it also.  Sheesh!  All data is backed up, so it is no loss, just pain.  Good news is that I'm rebuilding them more securely...

Combofix detected the virus (the real, or at least current one - VIRUT - and not just its subsequent payloads) but was not able to remove it.  Dr Web Live CD was able to remove it ... but did so by deleting all the EXEs on my drive.  So I put the WinXP install CD in and ran a repair on the windows installation.  I rebooted and now when I go to login as any of the users, it says loading your profile... then saving your profile... and immediately logs me out.  I never even get as far as seeing the desktop.  This happens in safe mode also.

okacs (ASKER)

I have more to post, but it would be off topic at this point.  The original question was regarding forward-going security measures to isolate infections using VM.  You guys have been a ton of help.  Thanks.

PS - I really love Sandboxie.  Won't leave home without it anymore!
okacs (ASKER)

Ok.  I hope the points split was fair.  I will open another question about the remaining issues as time allows.  Thanks.