Bart's PE Builder Question

Dan Rather

Hello:

I have a friend who has WindowsXP and a virus. He is running Norton
Antivirus and it is updated and just sitting in the systray. I have
not had the pleasure of WindowsXP or the NTFS file system yet. I would
like to use Bart's PE Builder to create a boot-disk and boot off of it
and run a virus scan. Is this possible? Also, Bart's PE Builder claims
to be able to make a boot-disk that gives the ability to read or work
with the NTFS file system. Any advice would be appreciated.

Thanks!
 
Bjorn Simonsen

Dan Rather wrote in said:
I have a friend who has WindowsXP and a virus. He is running Norton
Antivirus and it is updated and just sitting in the systray. I have
not had the pleasure of WindowsXP or the NTFS file system yet. I would
like to use Bart's PE Builder to create a boot-disk and boot off of it
and run a virus scan. Is this possible? Also, Bart's PE Builder claims
to be able to make a boot-disk that gives the ability to read or work
with the NTFS file system. Any advice would be appreciated.

If your friend's XP is the only XP you have access to, then AFAIK you
can not use Bart's PE builder - assuming your friend's system is
infected. The reason for this is the PE Builder needs (to use) some of
XP's (or Win2003's) system files when building the disk, and you would not
want to use an infected system for that.

A suggestion, if you are online, is to download a ready to go
bootable Anti-Virus CD, or alternatively floppy disk set, that can
also access NTFS partitions. For the CD you'll need a CD burner to
make a boot CD out of an ISO image.

For example, Vexira Antivirus Rescue CD:

For complete details first read:
<http://www.centralcommand.com/rescue_disk1003a7.html>

Here are the download links you need in *addition*
to the ones you find on the above page:

for step A) in above, rescue CD
<http://www.centralcommand.com/ts/rescue/rescuedisk.iso>

for step B) in above floppy disk set (alternative to CD)
<http://www.centralcommand.com/ts/rescue/rescuedisk.exe>

Then follow the steps on above page for how to get updated
signature files, and how to use when booting from the CD
(or booting the floppy disk set if that is what you
ended up making instead of CD)

Last time I downloaded the above rescue CD the ISO image
download was 11,4 MB, and there were 2 signature files, 1 MB and
606KB (will probably be a different size now, but just to give an idea
about the size of the download).

All the best,
Bjorn Simonsen
 
Bob Adkins

Hello:

I have a friend who has WindowsXP and a virus. He is running Norton
Antivirus and it is updated and just sitting in the systray. I have
not had the pleasure of WindowsXP or the NTFS file system yet. I would
like to use Bart's PE Builder to create a boot-disk and boot off of it
and run a virus scan. Is this possible? Also, Bart's PE Builder claims
to be able to make a boot-disk that gives the ability to read or work
with the NTFS file system. Any advice would be appreciated.

Your idea would work perfectly, but you need to create the Bart's PE disk
from an XP machine. :(

If you have access to one, build the disk and include a few small AV
scanners from Symantec and the McAfee AVERT Stinger. They run great from
BPE.

Bob

Remove "kins" from address to reply.
 
Sascha Wostmann

Bjorn Simonsen :
If your friend's XP is the only XP you have access to, then AFAIK you
can not use Bart's PE builder - assuming your friend's system is
infected. The reason for this is the PE Builder needs (to use) some of
XP's (or Win2003's) system files when building the disk, and you would not
want to use an infected system for that.

You can create the boot CD on a Win2000 system when you have the XP
install CD available. BTDT.




Best regards,
Sascha
 
Dan Rather

Thank you:

I downloaded the Vexira Rescue Disk System and the 4 rescue floppy
disks. Before I burn the iso file to a disk and try to use it, I have
one question. The one question I have is if this Vexira program allows
one to clean a system or just tell if it is infected? I read in the
info file that the program can (read only) an NTFS partition. I thought
that the program needed the ability to write to an NTFS partition to
clean it of the infection. Could someone please tell me if my
thinking is incorrect?

Thanks again,

Peter
 
Bjorn Simonsen

Dan Rather wrote in said:
I downloaded the Vexira Rescue Disk System and the 4 rescue floppy
disks. Before I burn the iso file to a disk and try to use it, I have
one question. The one question I have is if this Vexira program allows
one to clean a system or just tell if it is infected? I read in the
info file that the program can (read only) an NTFS partition. I thought
that the program needed the ability to write to an NTFS partition to
clean it of the infection. Could someone please tell me if my
thinking is incorrect?

Your thinking is not incorrect, on the contrary! As I am sure you have
seen, the Vexira rescue CD web page lists NTFS under supported file
systems, but it says nothing about only supporting read only.
The readme on the CD/ISO, on the other hand, tells a different story:
"Microsoft NTFS (read only)". (The readme also notes the Vexira
CD can only scan but not repair boot records and boot sectors.) So you
can not use this CD to clean your friend's NTFS system if it is
affected, you can only use it as a "diagnostic" to tell if infected.

My bad for not remembering this. You see, I actually made a note about
this restriction back in September last year, when I made the same
observation you just did. Problem was I forgot to put that note where
it belongs - so I did not see or remember it when browsing my files for
info before posting. Would probably have been easier to remember if I
had experienced the Vexira CD failing to clean an infected NTFS
system. But I never have, as it never found any infections on my
system.

I noticed another poster mention that you can use Win2000 to build a
bootable CD with Bart's PE builder, as long as you have access to an XP
install CD. This is correct. See <http://www.nu2.nu/pebuilder/> under
"Requirements to build". There is a distinction between what
platform you can *run* the PE builder on, and what install CD-Rom
(files) is required to *build* from. You need either a Win2000, WinXP
or Win2003 system to run the PE builder; it then needs (files from) a
WinXP install CD-Rom (slipstreamed w/SP1), or a Win2003 Server install
CD-Rom.

PS: I have not used Bart's PE builder myself, I wish I could - but I
do not have access to an XP or Win2003 install CD.

All the best,
Bjorn Simonsen
 
Bjorn Simonsen

Dan Rather wrote in said:
ability to write to an NTFS partition to clean it of the infection

Just found this via a link Wayne D. posted today,
not tried it myself:

LinuxDefender Live! CD launched at LinuxConf 2003
<http://www.bitdefender.com/bd/site/presscenter.php?menu_id=25&n_id=58>

<quote>
This distribution contains two world premieres: the world's first ever
SAMBA 3 compatible commercial antivirus and FULL NTFS write support -
available using the captive NTFS write project. You can use it to
access Windows partitions. LinuxDefender Live! integrates the latest
BitDefender for Linux security solution into the GNU/Linux Knoppix
Live CD distribution.
</quote>

All the best,
Bjorn Simonsen
 
Dan Rather

Thank you very much. I would like to upgrade to WindowsXP and the NTFS
file system. The one thing that bothers me comes from the word
(functionality). I don't like the idea of being limited with the NTFS
file system. I like the options or 3rd party programs that can be used
with the FAT32 file system. The only option I came across was a
program called NTFS for Linux at around $70.00. If this LinuxDefender
works that will be incredible. Thanks again Bjorn!
 
Bjorn Simonsen

Dan Rather wrote in said:
The only option I came across was a
program called NTFS for Linux at around $70.00.

For some other and less expensive alternatives and
some other tips, see my messages from a previous thread:
URL: <http://makeashorterlink.com/?H67A223A7>
(link takes you to archived thread at Google)

Nice collection of links here: <http://lists.gpick.com/>
Check for links to info and tools, like about multibooting, OS
info/installation, boot-managers, disk partitioning etc.
If this LinuxDefender works that will be incredible.
Thanks again Bjorn!

YW, hope it works. Would be nice if you can let us know if
it does. Always good to know about free alternatives, even better
if we know they work too :)

All the best,
Bjorn Simonsen
 
Dan Rather

I burned the .iso image onto a cd and booted off it. I have never seen
a Linux screen before. It really is not that bad. I ran the
LinuxDefender virus scan program and it works very well. It easily
loaded the NTFS drivers for reading and writing to the drive. The only
problem I am having is I cannot figure out how to update the program
with a new virus signature file. If the program is on a CD, how can
one overwrite the current virus definitions? Unless they are loaded
into memory. But I cannot find the bd7/shared file supposedly where the
update is. It does not exist. Is there some website or forum where I
can get more information? Thanks again Bjorn!
 
Bjorn Simonsen

Dan Rather wrote in said:

Thanks for the link, browsed <www.bitdefender.com> earlier,
but did not find my way to their knowledgebase when so doing.

About the LinuxDefender CD, you might want to browse a more recent
thread here w/ subject: Alternatives for Knoppix lovers,
e.g. the message by Rob there
and my follow-up of today.

Turns out I can not use the LinuxDefender CD myself, as it
needs (files from) XP.

All the best,
Bjorn Simonsen
 
Mark R. Blain

I have never seen a Linux screen before.
It really is not that bad...

I understand what you meant, but read as an attempted endorsement,
that was pretty funny. Thanks for making my day.
 
Dan Rather

I just found the Linux based Trinity Rescue CD. If you extract the
files from the .iso image you can update the virus definitions. Then
burn the files onto a disc and you're up to date. The CD has F-Prot
antivirus on it. Just thought I would post this information if anyone
wants it.
 
Bjorn Simonsen

Dan Rather wrote in said:
I just found the Linux based Trinity Rescue CD. If you extract the
files from the .iso image you can update the virus definitions. Then
burn the files onto a disc and you're up to date. The CD has F-Prot
antivirus on it. Just thought I would post this information if anyone
wants it.

Thanks for the tip. URL <http://trinityhome.org/trk/>.

Not for use on NTFS partitions though it seems;

<quote from http://trinityhome.org/trk/usage.shtml>
"Be carefull with what you 're doing on ntfs drives, this is an
ntfs driver that isn 't developed any longer and which had never
stable writing capabilities."
</quote>

It seems the only current Linux alternatives to be trusted with
NTFS *write* accesses are the ones based on CAPTIVE technology - which
uses WinXP files for full NTFS access (ntoskrnl.exe/ntfs.sys), thus
not any of the "native" Linux NTFS drivers.

About CAPTIVE, see
Captive: The first free NTFS read/write filesystem for GNU/Linux
<http://www.jankratochvil.net/project/captive/>,
and:
Microsoft Windows Versions Compatibility

<http://www.jankratochvil.net/project/captive/doc/About.html.pl#versions>.

All the best,
Bjorn Simonsen
 
Jörg Volkmann

Hello:

I have a friend who has WindowsXP and a virus. He is running Norton
Antivirus and it is updated and just sitting in the systray. I have
not had the pleasure of WindowsXP or the NTFS file system yet. I would
like to use Bart's PE Builder to create a boot-disk and boot off of it
and run a virus scan. Is this possible? Also, Bart's PE Builder claims
to be able to make a boot-disk that gives the ability to read or work
with the NTFS file system. Any advice would be appreciated.

Thanks!
Maybe this is also what you need:
The SystemrescueCd. It's a recovery Linux CD with full NTFS read and
write access, partitioning and saving tools, and an antivirus SW (clam)
for which you can update the virus definition file if you have access
to the internet. The version 02.12_pre1 is available.
www.systemrescuecd.org
For more details read the manual.
Jörg


JV
 
Jörg Volkmann

I just found the Linux based Trinity Rescue CD. If you extract the
files from the .iso image you can update the virus definitions.

This I think wouldn't work, because if you change a file in an
existing ISO image, it must be equal in size. If the new definition
file is bigger, you will have problems when you burn the new ISO; it will not
work. An ISO is not a couple of files, but is an image of an HDD, CD or
DVD or a partition.
So you have to build up a whole new live CD and make a new ISO from
it.

Jörg

Then burn the files onto a disc and you're up to date. The CD has F-Prot
antivirus on it. Just thought I would post this information if anyone
wants it.

JV
 
Jörg Volkmann

Thanks for the tip. URL <http://trinityhome.org/trk/>.

Not for use on NTFS partitions though it seems;

Not quite right, you have read and write access but you can only
overwrite files with files not bigger than the original ones. F-Prot
can't disinfect files from an NTFS partition, but it can tell you which
one is infected. But the limitation of the ntfs 1.1.21 module will be
fixed in the newer version of ntfs, I hope so.
Jörg
<quote from http://trinityhome.org/trk/usage.shtml>
"Be carefull with what you 're doing on ntfs drives, this is an
ntfs driver that isn 't developed any longer and which had never
stable writing capabilities."
</quote>

It seems the only current Linux alternatives to be trusted with
NTFS *write* accesses are the ones based on CAPTIVE technology - which
uses WinXP files for full NTFS access (ntoskrnl.exe/ntfs.sys), thus
not any of the "native" Linux NTFS drivers.

About CAPTIVE, see
Captive: The first free NTFS read/write filesystem for GNU/Linux
<http://www.jankratochvil.net/project/captive/>,
and:
Microsoft Windows Versions Compatibility

<http://www.jankratochvil.net/project/captive/doc/About.html.pl#versions>.

All the best,
Bjorn Simonsen

JV
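
Added example, not part of any post in this thread: a shell check for the point made in the replies about the Vexira readme ("Microsoft NTFS (read only)") and the Trinity Rescue CD driver warning, namely that a rescue disc can only clean what it can reliably write to. The function names, the mode labels and the sample mount table are constructed for illustration, and treating `fuseblk` as NTFS is an assumption.

```shell
#!/bin/sh
# Added example. Reads a mount table in /proc/mounts format
# (device mountpoint fstype options dump pass) and reports, per NTFS
# volume, what a rescue-CD scanner can do there.

# Constructed sample table for offline use; not taken from any real system.
sample_mounts() {
    cat <<'EOF'
/dev/hda1 /mnt/hda1 ntfs ro,nosuid,nodev 0 0
/dev/hda2 /mnt/hda2 vfat rw 0 0
/dev/hdb1 /mnt/hdb1 ntfs rw,uid=0 0 0
/dev/sda1 /mnt/win fuseblk rw,nosuid,user_id=0 0 0
EOF
}

# ntfs_scan_mode [TABLE]: print "device mountpoint mode" for NTFS mounts.
#   scan-only      mounted ro: detection only, nothing can be cleaned
#   limited-write  rw via the old in-kernel "ntfs" driver (the one the
#                  thread's quotes warn about); do not rely on it to repair
#   read-write     rw via a FUSE driver; assumed here to be an NTFS one,
#                  since other FUSE block filesystems also show as "fuseblk"
ntfs_scan_mode() {
    awk '
    $3 == "ntfs" || $3 == "fuseblk" {
        ro = 0
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] == "ro") ro = 1
        if (ro)                mode = "scan-only"
        else if ($3 == "ntfs") mode = "limited-write"
        else                   mode = "read-write"
        print $1, $2, mode
    }' "${1:-/proc/mounts}"
}

# can_clean MOUNTPOINT [TABLE]: succeed only if that volume is read-write.
can_clean() {
    ntfs_scan_mode "${2:-/proc/mounts}" |
        awk -v mp="$1" '$2 == mp && $3 == "read-write" { ok = 1 } END { exit !ok }'
}
```

Run `ntfs_scan_mode` with no argument from the booted rescue environment to classify the live mounts before choosing between a report-only scan and a disinfecting one.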
 
