• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0

Stealth mode malware and BartPE

2 posts in this topic

The "Stealth Mode Malware" article is right-on. Already it's far more convenient to kill viruses and malware from an independent OS than from the native OS; soon it'll be required.


I just thought I'd give a few pointers for those who want to learn more, and perhaps use, the BartPE system mentioned in the articles. First, the forums at The CD Forum are the place for getting plugins and help and tips and tricks; there's a Yahho! group and I think there's an MSDN forum too, but they are not as active.


HijackThis! works fine in BartPE. A good HijackThis! plugin is at ironGeek: Security and Hacking Plugins for Bart's PE Builder. HJTHotkey also works well; I use my own plugin for this:



; PE Builder v3 plug-in INF file
; For HijackThis Hotkey http://hometown.aol.co.uk/jrmc137/HJTHotkey/

Signature= "$Windows NT$"

Name="HijackThis Hotkey"



; Add to start menu
0x2,"Sherpya\XPEinit\Programs","Anti-Spyware\HijackThis Hotkey","%ProgramFiles%\HJTHotKey\HJTHotkey.exe"
0x2,"Sherpya\XPEinit\Desktop","HijackThis Hotkey","%ProgramFiles%\HJTHotKey\HJTHotkey.exe"

nu2menu.xml, HJTHotKey_nu2menu.xml



<!-- Nu2Menu entry -->
<MENU ID="Anti-Spyware">      
<MITEM TYPE="ITEM" DISABLED="@Not(@FileExists(@GetProgramDrive()\Programs\HJTHotKey\HJTHotKey.exe))" CMD="RUN" FUNC="@GetProgramDrive()\Programs\HJTHotKey\HJTHotKey">HiJackThis Hotkey</MITEM>


with all the HJTHotkey files put in a "Files" subdirectory of the plugin directory. Note that, since version 3.053, HJTHotkey has supported the /update commend-line switch which causes it to update all databases in the directory in which it was started and exit, making keeping your plugin up-to-date much easier.


Spybot S&D 1.4 (and, presumably, higher versions) is "BartPE aware". If it is running in BartPE it automatically detects and loads the host system registry and scans that. Alas, the programmers decided to always popup a proxy server inquiry when starting in BartPE; essentially always the right thing to do is to press "cancel" in this dialog box. Safer-networking has a BartPE plugin here; it isn't all that great. Of course, I think my Spybot plugin is the best, but DigiWiz's version is also good. Be aware that Spybot 1.4 supports the /autoupdate /autoclose switches, which downloads all updates relative to the directory in which it was started and exits.


Ad-Aware is not BartPE aware, but it works very well if run inside a wrapper which loads the host system registry. The wrapper is Runscanner from Paraglider's plugins, where you will also find a very nice Ad-Aware SE plugin.


Microsoft Antispyware can be made to run in BartPE, but only if it is also installed on the host system, and doesn't seem to be worth it. Xoftspy works, see this topic. Spyware Doctor also works, see this topic. There are some others which work but I forget the links.


Sysinternals Root Kit Revealer works, but you have to run it under the infected OS and under BartPE. See this thread for a plugin. There's also EZPCFix, which includes a rootkit killing function based on RootKitty.


If you want to use BartPE on a variety of machines with different hard disks and/or network adapters, you need the driver pack from UBCD Downloads, installed as discussed at Adding drivers. You may need Paraglider's InfCacheBuild, but I'm not going to go inte how to use it here. Search the CD Forums.


If you are serious about BartPE you need Sherpya's XPE plugin from Sherpya WinPe Stuff, which gives you the familiar Explorer-based desktop and interface. There are lots of tricks for speeding up XPE which are too detailed to discuss here. If you use Joshua's Preshell (from PE Builder Plug-ins from Joshua and discussed at Joshuas PreShell, conf settings before launching the shell) to set up a swap file and/or RAMdisk and/or RAMFile you can even boot using XPE on a machine with only 32 MB.


Alas, if the host system is Win9x, you are sc***d. The Win9x registry is incompatible with the NT/XP registry, and nobody has a tool that allows you to boot BartPE or any equivalent and fix a Win9x registry. You can, of course, scan the hard drive with Ad-aware and kill the files.

Share this post

Link to post
Share on other sites

Just wondering how folks with pre-XP/Win2003 systems can deal with root kits ... or is it expected that root kits will not target such systems?

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
Followers 0