anti rootkit/bootkit that works on a no-longer-bootable disk

Discussion in 'other anti-virus software' started by tehit, Mar 12, 2008.

Thread Status:
Not open for further replies.
  1. tehit

    tehit Registered Member

    Joined:
    Nov 17, 2004
    Posts:
    14
    i.e. how can you clean the sick disk from a DOS floppy/CD or in a clean 98/XP PC?
     
  2. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    Depends on why exactly it's unbootable, I guess.
    You can mount the registry from the other OS, remove driver entries, fix stuff... but if the filesystem is corrupted, for example, you're probably out of luck.
     
  3. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Don't quite understand the question.

    Do you mean a LiveCD, that will scan your system before boot from a CD?

    Dr.Web have a beta of their LiveCD here
     
  4. tehit

    tehit Registered Member

    Joined:
    Nov 17, 2004
    Posts:
    14
    Well, I tried these anti-rootkits: RegRun, EZpcfix, BlackLight, and they all run in Windows/safe mode
    and check only the disk they were booted from/installed on, not a sick inserted disk that is no longer bootable (actually it cannot be accessed at all, although it is recognized by the BIOS) due to the virus. (I'll try to fix its boot sector/MBR to make it accessible, but any writing on it surely multiplies the virus.)
    So is there a Windows or command-line anti-bootkit/rootkit that can clean a disk other than the one it was launched from (or at least a registry checker, but more user-friendly than EZpcfix)?
    Also, as a side question: is it possible there is a virus hidden in the BIOS even though the BIOS checksum reported by a BIOS checking tool is OK?
     
  5. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    Many anti-rootkit programs work by checking the system in a special low-level mode, then by the usual Windows API, and then comparing the results, to see if anything is hidden from normal applications. Or, they may look for special hooks, patches or other unusual things in system structures.
    In any case, the rootkit needs to be active to be discovered that way. So, if you boot from a clean OS, the rootkits won't be found, because they're not hidden anymore.

    So, I guess you either would have to know what file in particular is causing the trouble (and remove it manually), or run an ordinary antivirus program on the attached disk.
     
  6. tehit

    tehit Registered Member

    Joined:
    Nov 17, 2004
    Posts:
    14
    Well, to make the short story long: I tried from a supposedly clean 98/XP PC with the infected disk attached: command-line McAfee, NOD32, AVG, Ad-Aware, Avast, with no success, because either they get stuck in the infinitely deep recursive subfolders the virus makes in the Windows folder and elsewhere, or the AVs could not open/check a bunch of files.
    Command-line Sophos did find MAL/AUTOINF-A, but only on the USB flash drive, and did not clean it in full mode.
    Personally I saw (also on the USB drive) an autorun and MSOCACHE/90000.../kb915865.exe; however its killer (?) VirusCleaner from the e-nil site (nor AVG, Avast) did not find anything on the HDD from which the USB drive was infected.
    Anyway, aside from the recursive folders on the infected Win98 HDD, the problem is there are 2 types of infected files, and the virus refuses to get zipped:
    - if you try in Windows/DOS to zip or copy the first kind of files, the falsely too-big ones (example: pkunzip.pif, 129MB), the virus is not included, i.e. you get a clean file with the normal size (changing attributes does not help);
    - the other type of files are the ones whose names are malformed, including \ or |, so you can't even rename them.
    So neither of the two can you submit to an antivirus site (haven't tried FTP though).
    In addition, the virus (or viruses) hides in the boot sector, because the mentioned infected Win98 HDD will not boot any more, and also when I reformatted another infected disk to prepare a clean Win98 PC, it would get stuck in installation until the disk was zeroed first!
    Also, when you stick the flash drive in the infected PC (while it still worked), the USB LED just kept flashing and the PC bluescreened reporting a usspdrr.vxd error.
    Anyone came across this evil, or can suggest an antivirus that has definitions for rootkits, or a registry checker that can load registry hives from an attached disk as EasyPCFix can? (Maybe it is not a root/bootkit after all, because they rarely hit W98, but it sure acts superhidden.)
     
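Added example, not code from the thread or from any product named in it. Post #5 recommends running an ordinary scanner over the attached disk, and post #6 describes why that kept failing: folders that recurse without end, and names containing \ or | that Windows tools cannot even rename. The walker below is written to survive both when the infected disk is mounted read-only on a clean host (a Linux host is assumed, where such names are legal and can still be listed and hashed). It bounds depth, detects cycles by (device, inode), hashes what it can read, and records files whose readable length disagrees with the size the directory entry declares, which is the "falsely too big" symptom from post #6. The sample tree it builds is constructed here for demonstration and stands in for a real infection; the function names are this example's own.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Characters a Windows file name may not contain (control characters are
# checked separately). On a Linux host everything except '/' and NUL is
# legal, so the walker can still list and hash such files.
WINDOWS_ILLEGAL = set('<>:"/\\|?*')
HASH_CAP = 64 * 1024 * 1024  # read at most this much per file


@dataclass
class ScanReport:
    hashed: dict = field(default_factory=dict)        # path -> sha256 hex
    malformed: list = field(default_factory=list)     # names Windows tools cannot handle
    loops: list = field(default_factory=list)         # directories entered a second time
    too_deep: list = field(default_factory=list)      # directories beyond max_depth
    size_mismatch: list = field(default_factory=list) # (path, declared size, bytes read)
    unreadable: list = field(default_factory=list)


def is_malformed(name: str) -> bool:
    return any(ch in WINDOWS_ILLEGAL or ord(ch) < 32 for ch in name)


def sha256_file(path: str, cap: int = HASH_CAP):
    """Hash up to `cap` bytes; return (hexdigest, bytes actually read)."""
    h = hashlib.sha256()
    n = 0
    with open(path, "rb") as f:
        while n < cap:
            chunk = f.read(min(1 << 20, cap - n))
            if not chunk:
                break
            h.update(chunk)
            n += len(chunk)
    return h.hexdigest(), n


def scan(root: str, max_depth: int = 32) -> ScanReport:
    """Iterative, bounded walk of a mounted disk with cycle detection."""
    report = ScanReport()
    seen = set()             # (st_dev, st_ino) of every directory entered
    stack = [(root, 0)]
    while stack:
        d, depth = stack.pop()
        try:
            st = os.stat(d)  # follows links, so a link back to an ancestor hits a seen inode
        except OSError:
            report.unreadable.append(d)
            continue
        key = (st.st_dev, st.st_ino)
        if key in seen:
            report.loops.append(d)
            continue
        seen.add(key)
        if depth > max_depth:  # backstop for chains that inode tracking cannot see
            report.too_deep.append(d)
            continue
        try:
            entries = list(os.scandir(d))
        except OSError:
            report.unreadable.append(d)
            continue
        for e in entries:
            if is_malformed(e.name):
                report.malformed.append(e.path)
            try:
                if e.is_dir():
                    stack.append((e.path, depth + 1))
                elif e.is_file(follow_symlinks=False):
                    digest, n = sha256_file(e.path)
                    report.hashed[e.path] = digest
                    declared = e.stat(follow_symlinks=False).st_size
                    if n < HASH_CAP and n != declared:
                        report.size_mismatch.append((e.path, declared, n))
            except OSError:
                report.unreadable.append(e.path)
    return report


def build_sample_tree(base: str) -> str:
    """Constructed sample: a tiny 'disk' with a cycle, a malformed name and a deep chain."""
    root = os.path.join(base, "disk")
    win = os.path.join(root, "WINDOWS")
    sysdir = os.path.join(win, "SYSTEM")
    os.makedirs(sysdir)
    with open(os.path.join(win, "pkunzip.pif"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 62)
    with open(os.path.join(win, "bad|name.txt"), "wb") as f:
        f.write(b"x" * 16)
    os.symlink(win, os.path.join(sysdir, "loop"))  # stands in for the self-recursing folder
    deep = os.path.join(root, "deep", *[str(i) for i in range(1, 11)])
    os.makedirs(deep)
    with open(os.path.join(deep, "bottom.bin"), "wb") as f:
        f.write(b"z")
    return root


def demo(max_depth: int = 6) -> ScanReport:
    base = tempfile.mkdtemp(prefix="scan_demo_")
    return scan(build_sample_tree(base), max_depth=max_depth)


if __name__ == "__main__":
    r = demo()
    print(f"hashed={len(r.hashed)} malformed={r.malformed} loops={r.loops} too_deep={r.too_deep}")
```

The inode check catches symlink and junction cycles; the depth limit is the only defence against a cross-linked FAT directory chain, where each level gets a fresh inode, so keep it well below whatever makes your scanner hang. The hashes give you something to look up or submit when the file itself cannot be copied or zipped intact.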