Looking for rootkits on Windows with Puppy ?

For discussions about security.
Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

Looking for rootkits on Windows with Puppy ?

#1 Post by Barkin »

Is there a rootkit detector program I can run on Puppy (on USB) which will check for rootkits on my Windows OS (which is on hard drive) ?

I believe some Windows rootkits can blind antimalware running on the same Windows OS as to their presence,
so I’d like an independent second opinion about my Windows OS being rootkit-free via Puppy, (or maybe via another live CD thingy).
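The "independent second opinion" asked for above is, in practice, an offline check of the Windows file system from the live Linux, where nothing on the Windows disk is executing. The script below is an added example written for this thread, not code from Puppy or from any of the tools named here: it records a SHA-256 baseline of every file under a mounted Windows volume and later reports which files were modified, added or removed. Assumed (and not from the thread): the Windows partition is mounted read-only under Puppy, for instance with ntfs-3g, and the baseline file is kept off the scanned disk. The demo at the end builds a small constructed directory tree in a temp folder instead of touching a real disk.

```shell
#!/bin/sh
# Offline file-integrity check for a Windows volume mounted from a live Linux.
# Constructed example for this thread; it is not part of Puppy, GMER, Comodo
# or any other tool named here.
#
# Assumed setup (not from the thread): the Windows partition is mounted
# read-only under Puppy, e.g.  mount -t ntfs-3g -o ro /dev/sda1 /mnt/win
# and a baseline was recorded earlier while the machine was believed clean
# and kept OFF the scanned disk (on the Puppy USB stick, for instance).
export LC_ALL=C    # stable sort order for comm(1)

# make_baseline DIR OUT : write "sha256  ./relative/path" for every regular
# file under DIR, one line per file.
make_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f | sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# check_baseline DIR BASELINE : print one line per difference, tagged
# MODIFIED / MISSING / NEW, and return 0 only when nothing changed.
check_baseline() {
    dir=$1; base=$2
    tmp=$(mktemp -d)
    make_baseline "$dir" "$tmp/now"
    sort "$base" > "$tmp/base.s"
    sort "$tmp/now" > "$tmp/now.s"
    # A sha256sum line is 64 hex chars + two spaces, so the path starts at column 67.
    comm -23 "$tmp/base.s" "$tmp/now.s" | cut -c67- | sort > "$tmp/gone"   # in baseline only
    comm -13 "$tmp/base.s" "$tmp/now.s" | cut -c67- | sort > "$tmp/seen"   # on disk only
    comm -12 "$tmp/gone" "$tmp/seen" | sed 's/^/MODIFIED /'   # same path, new hash
    comm -23 "$tmp/gone" "$tmp/seen" | sed 's/^/MISSING  /'   # path vanished
    comm -13 "$tmp/gone" "$tmp/seen" | sed 's/^/NEW      /'   # path appeared
    n=$(cat "$tmp/gone" "$tmp/seen" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    [ "$n" -eq 0 ]
}

# demo_run : build a small constructed "Windows" tree in a temp dir, take a
# baseline, then alter it the way a later offline scan might find it.
demo_run() {
    t=$(mktemp -d)
    mkdir -p "$t/win/Windows/System32" "$t/win/Windows/Temp"
    printf 'original kernel\n' > "$t/win/Windows/System32/ntoskrnl.exe"
    printf 'original driver\n' > "$t/win/Windows/System32/atapi.sys"
    printf 'setup log\n'       > "$t/win/Windows/Temp/setup.log"
    make_baseline "$t/win" "$t/baseline.sha256"
    printf 'patched driver\n' > "$t/win/Windows/System32/atapi.sys"    # one file altered
    printf 'unknown\n'        > "$t/win/Windows/System32/unknown.sys"  # one file dropped in
    rm "$t/win/Windows/Temp/setup.log"                                 # one file removed
    check_baseline "$t/win" "$t/baseline.sha256" || true
    rm -rf "$t"
}

demo_run
```

On a real volume, point make_baseline at a directory such as /mnt/win/Windows/System32 rather than the whole drive: logs, registry hives and page files change legitimately and would bury the signal. Two limits worth knowing: a baseline is only as trustworthy as the state it was taken in, and a rootkit that hides in the boot sector or in unallocated sectors is not a file and will not show up here, which is why a dedicated rescue disk that also inspects boot records is still worth running.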

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#2 Post by cthisbear »

Probably better off with Hiren's and the Falcon boot cds.

Don't get me wrong...I use Puppy to clean it as well.

The trouble is week by week the nasties change.

""""""""

Hitman Pro....in Windows... is a goodie.

http://www.majorgeeks.com/files/details/hitman_pro.html

>> gives you a one off chance to fix any infections.
It scans over the internet, but is pretty fast.
Uninstall it from Control Panel immediately afterwards.

Free License

HitmanPro offers home users a free one-time license,
valid for thirty days, to remove the malicious software that was found
on the computer.

This one-time free license can be deployed from the License tab
under Settings:

http://www.surfright.nl/en/support/

http://www.surfright.nl/en/home/press/h ... scores-100

http://www.surfright.nl/en

""""""""""

http://www.surfright.nl/en/shop/

And....Yes you have to buy that feature >>>$25.00 ???

" Users simply create their own bootable HitmanPro.Kickstart
USB flash drive / memory stick from within the HitmanPro application.

Mark Loman continues: "HitmanPro.Kickstart will start the ransomed computer in their own familiar Microsoft Windows environment,
bypassing the ransomware, and will then guide the user through
the removal process.

No complicated manual tasks are required.
It is so easy, even your Granny is now able to free your computer
from ransomware, fake antiviruses and other persistent malware."

Chris.

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#3 Post by Barkin »

cthisbear wrote:Probably better off with Hiren's and the Falcon boot cds.
Thanks Chris,

I'd heard of Hiren's compilation boot CD ... http://www.hiren.info/pages/bootcd but given the large number of authors and cracking tools on it I'm concerned it might include something nasty.

Hiren's boot CD appears to include a cracked copy of XP ... "Mini Windows Xp" which presumably the antimalware, (like GMER), runs on.
I'm not happy about running anything which has been cracked, it could contain hidden nastiness, but I'll give it a go just after I back up my Windows system.
Last edited by Barkin on Sat 06 Jul 2013, 03:12, edited 1 time in total.

dancytron
Posts: 1519
Joined: Wed 18 Jul 2012, 19:20

#4 Post by dancytron »

Kaspersky rescue disk is one I used once and it worked for me.
http://support.kaspersky.com/us/viruses/rescuedisk

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#5 Post by Barkin »

dancytron wrote:Kaspersky rescue disk is one I used once and it worked for me.
http://support.kaspersky.com/us/viruses/rescuedisk
Yesss : "Kaspersky rescue disk" does look for rootkits ...
kaspersky.com wrote:Main application features:
Scanning Windows startup objects for malware and further disinfection.
Clearing the Windows registry of links to removed malicious programs.
Automatic disinfection of computers regardless of infection type and severity, including the following options:
scanning the computer for malware using signature databases;
heuristic analyzer;
scanning the computer for rootkits and neutralizing them.
Anti-virus database update option.
Recording the application on a CD/DVD or on a USB data medium.
Kaspersky Rescue Disk 10 is a free application.
http://support.kaspersky.com/us/faq/?qid=208282145

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#6 Post by 01micko »

http://www.comodo.com/business-security ... e-disk.php

Comodo rescue disk fixed what hitman-pro, malware-bytes and other stuff couldn't for me on Win7 (Still clean after about 7 weeks). It's based on Slitaz.

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#7 Post by Barkin »

Thanks for that Comodo link. I was slightly concerned when the word "rescue" first appeared it was misspelled, but everything looks OK, (the four "Threat(s) Found" are false alarms due to a peculiar Dell partition).
Attachments
comodo scan, 100 percent in 3 hours.jpg
comodo rescue screengrab

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#8 Post by cthisbear »

01micko:

Is there a USB booting code for that??

Or do we need Uncle nooby?

Here is a piece I pulled from it.

And a piece of Slacko...because I multiboot.

Comodo text

DEFAULT vesamenu.c32
PROMPT 0
NOESCAPE 1
ALLOWOPTIONS 0
TIMEOUT 100
MENU TITLE COMODO Resuce Disk(2.0.261647.1)
MENU BACKGROUND /boot/comodo_boot_background.jpg
MENU COLOR BORDER 37;40 #00000000 #00000000 none
MENU COLOR TITLE 37;40 #ffff5555 #00000000 std
MENU ROWS 4
MENU NOTABMSG

LABEL Enter the Graphic Mode
kernel /boot/bzImage
append initrd=/boot/rootfs.gz rw root=/dev/null vga=normal

LABEL Enter the Text Mode
kernel /boot/bzImage
append initrd=/boot/rootfs.gz rw root=/dev/null vga=normal screen=text


;;;;;


title Slacko Puppy (sdc1/slacko)
find --set-root --ignore-floppies /slacko/initrd.gz
kernel /slacko/vmlinuz pmedia=usbflash psubdir=slacko pfix=fsck
initrd /slacko/initrd.gz



"""""""""""

Love this.

Microsoft offloads heap of critical fixes in 'ugly' Patch Tuesday

" "This is one of the uglier releases we’ve seen from Microsoft this year," notes Paul Henry, security and forensic analyst at security tools firm Lumension.

"To say that all Microsoft products are affected and everything is
affected critically is not an understatement.

It’s difficult to prioritize one or two because all the bulletins are
significant this Patch Tuesday."

http://www.theregister.co.uk/2013/07/05 ... _prealert/

Chris.
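One way to put both on the same stick, as an added example that is not from this thread, from Comodo or from the Puppy project: a single syslinux.cfg that carries the two Comodo entries from the stock file above plus a Slacko entry in syslinux's own syntax (the grub4dos `find --set-root` line is not needed, because syslinux boots from the partition it was installed on). Assumed layout, not something the thread shows: one FAT-formatted USB partition with syslinux installed, the Comodo files copied into /boot exactly as in its own cfg, and the Slacko files in /slacko.

```text
# syslinux.cfg for one USB stick holding Comodo Rescue Disk (/boot) and
# Slacko Puppy (/slacko). Constructed example; the directory layout is an
# assumption, and paths are relative to the root of the stick's partition.
DEFAULT vesamenu.c32
PROMPT 0
TIMEOUT 100
MENU TITLE Rescue USB: COMODO Rescue Disk / Slacko Puppy
MENU BACKGROUND /boot/comodo_boot_background.jpg

LABEL comodo
  MENU LABEL COMODO Rescue Disk (graphic mode)
  KERNEL /boot/bzImage
  APPEND initrd=/boot/rootfs.gz rw root=/dev/null vga=normal

LABEL comodo-text
  MENU LABEL COMODO Rescue Disk (text mode)
  KERNEL /boot/bzImage
  APPEND initrd=/boot/rootfs.gz rw root=/dev/null vga=normal screen=text

LABEL slacko
  MENU LABEL Slacko Puppy (files in /slacko)
  KERNEL /slacko/vmlinuz
  APPEND initrd=/slacko/initrd.gz pmedia=usbflash psubdir=slacko pfix=fsck
```

vesamenu.c32 must sit in the root of the stick, and with syslinux 5 or later so must ldlinux.c32, libcom32.c32 and libutil.c32, all taken from the same syslinux version as the bootloader you installed; mixing versions is the usual cause of a menu that fails to load. Whether Comodo's rootfs.gz expects to find anything else on the medium is not something the thread shows, so boot the Comodo entry once and confirm it reaches its scanner before relying on the combined stick.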

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#9 Post by Barkin »

dancytron wrote:Kaspersky rescue disk is one I used once and it worked for me.
http://support.kaspersky.com/us/viruses/rescuedisk
kaspersky rescue disk seemed to work OK, but now Windows won't boot :¬(
[ I had to use "Last Known Good Configuration" then "System Restore"]
Attachments
kaspersky rescue disc.jpg
Last edited by Barkin on Mon 08 Jul 2013, 07:14, edited 3 times in total.

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#10 Post by 01micko »

cthisbear wrote:01micko:

Is there a USB booting code for that??

Or do we need Uncle nooby?

Here is a piece I pulled from it.

And a piece of Slacko...because I multiboot.

[snip].
Dunno Chris, but you could probably download the free comodo linux version and install it in any puppy, it's ~25MB (iirc).

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#11 Post by jpeps »

Barkin wrote: kaspersky rescue disk seemed to work OK , but now Windows won't boot
I didn't realize Kaspersky was that intelligent

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#12 Post by cthisbear »

" I didn't realize Kaspersky was that intelligent "

Themz Ruskies.

Chris.

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#13 Post by Barkin »

cthisbear wrote:" I didn't realize Kaspersky was that intelligent "

Themz Ruskies.

Chris.
The Ruskies offer a USB option, (the boot problem may have been my fault), see ... "Kaspersky USB Rescue Disk Maker" expand (+) item #2.

They do say not to have any other OS on the USB stick as it may cause booting problems, [btw "Kaspersky Rescue Disk" is Gentoo linux in disguise].

An alternative method for "Kaspersky Rescue Disk" on USB ... http://www.megaleecher.net/Bootable_Kaspersky_Rescue_Disk
Last edited by Barkin on Mon 08 Jul 2013, 21:07, edited 3 times in total.

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

Careful with that Comodo rescue disk

#14 Post by Wognath »

I tried the Comodo rescue disk and told it to automatically fix viruses. Then I noticed it was scanning my Linux partition... It fixed my grub resulting in "missing operating system" next time I booted. :shock:

Repaired using grub to setup the partition as recommended by rcrsn51 here, but that was after quite a bit of learning experience trying a lot of things that didn't help :oops:

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#15 Post by Barkin »

Just tried the Avast pet running on Puppy ... http://bkhome.org/blog/?viewDetailed=02494
It spotted the EICAR test-virus, see below, (but I don't know if this free version of Avast looks for root-kits).
BTW the Avast virus "signature" database is now 87Mb, (quoted as "44MB" in Barry's 2011 blog).
Attachments
Avast on Puppy spots EICAR test-virus.png

Monsie
Posts: 631
Joined: Thu 01 Dec 2011, 07:37
Location: Kamloops BC Canada

Looking for rootkits on Windows with Puppy ?

#16 Post by Monsie »

Barkin,

I understand your point about wanting to use a Linux based program to check for rootkit(s) on Windows. Unfortunately, some apps such as Rootkit Hunter
are not being kept up to date...

While doing a search, I found this Windows app. It appears to be under active development, fairly up to date, and is supposed to use a random name for its exe file so that rootkits cannot easily detect it...

Hope this helps,
Monsie

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

Re: Looking for rootkits on Windows with Puppy ?

#17 Post by Barkin »

Thanks Monsie,
I've used that app, GMER, on windows, but my objective was to find a root-kit finder which was not running on the system being scanned, just in case it was being blinded by sophisticated malware also running on the windows OS.

Would GMER work if it ran on Linux via WINE, or would it just search WINE for rootkits, rather than the real windows OS ?

Monsie
Posts: 631
Joined: Thu 01 Dec 2011, 07:37
Location: Kamloops BC Canada

Looking for rootkits on Windows with Puppy ?

#18 Post by Monsie »

Barkin, I think it would be useful to test whether gmer would work under Wine or not, then report the findings... 8)

While I have not used gmer, it seems to me that the gui should have a provision to select the hard drive and/or partition to scan... --otherwise its functionality is rather limited. Even if the average user does not work with partitions, many computers manufactured today come with two hard drives.

Monsie
