How to Run Nod32 from a BartsPE CD



I take no responsibility for the person that tries to follow this and turns their computer into a done turkey in the process.

A few days ago I was sitting here bored, actually. I was trying to think of something to do, and for some reason I thought of this: try to put Nod32 on a BartPE CD so I could scan my computer outside of Windows if I ever got really good infected, or just to see if it could be done.

First I knew I had to find out which files Nod32 used and where Nod32 installs them. So I booted up a test version of Windows I have on VMware (works great for this sort of stuff), then I installed a trial version (but you could probably use any software of this type) of "Ashampoo Uninstaller". What that does is take a snapshot of your system before the install and after the install. One nice thing about that one is you can go to the log file it creates afterwards and actually save all the files that Nod32 installed and where it installed them to. So when you get done you'll have a backup folder which includes a folder called C, and then inside that you'll have Program Files and Windows; go into Program Files and all you'll have is an Eset folder, well, you get the idea. But what is really cool is that you can also export a copy of what things were added to the registry into a simple reg file.

So what I tried to do is open a copy of my BartPE ISO and start creating directories and moving files to them in the places they were to go. Once again VMware makes it really easy to test the CD out without burning it and then booting off the CD. With VMware I just booted straight off the ISO image and it booted in a matter of 30 seconds. Nod32 would run, at least the nod32.exe would run, which is enough to perform a virus scan, so I was happy. So once I found out it would scan I went to my test machine and infected it with a bunch of spyware. This time I actually made a CD and booted from it on my test machine. Once again it found nothing, so I installed Nod32 on my test machine and ran it and it picked up a whole bunch of stuff, so I thought, that sucks. So I went back to the ISO image and this time I went to the registry section (i386/system32/config) and copied the SOFTWARE file to my desktop. I then opened the registry editor, clicked on "HKEY_LOCAL_MACHINE" and then clicked on File / Load Hive (what this does is open the BartPE registry in the registry editor so I can add entries to it). It wanted a name, so I called it "winpe". *Note* For some reason on VMware and on my test machine, once the "software" file was loaded I couldn't access the winpe registry section, no clue why, but it worked fine on my main machine. *Note*

*Note: in this next section I can't really recall the exact reg paths, so you'll have to look at the file as you do it.*

So now we have the registry file in regedit, but there is a small problem: the reg file that the uninstaller made for me wants to put everything in HKEY_LOCAL_MACHINE\SOFTWARE, but the winpe section starts right off in the software directory. So I had to edit the reg file and tell it that now we are going to HKEY_LOCAL_MACHINE\winpe. The easiest way I found to do that is to open the reg file in Word and do a find/replace: find the listing you want to replace and then replace it with the one you need. It then edits every entry in a matter of seconds. The other thing you have to look at is the path to the files it's referring to. It wants to look for the files in C:\Program Files\, but of course this is on the CD and not the hard drive. So I replaced any reference to C:\ with *systemroot* and that worked out nicely. Once I was sure everything would line up I clicked on HKEY_LOCAL_MACHINE and then File / Import and imported the reg file, and presto, everything fit. So I unloaded the hive from the File menu, opened the BartPE ISO and copied the new reg file into it.

I then reburned the CD, booted off it on my test machine and ran a scan, and it found and removed EVERY infected file that the scan run from Windows found (yes, after I ran the Windows scan the first time, I closed Nod32 and reinstalled the spyware).

I realize this really isn't step by step. I'm not very good at explaining stuff. But you can just read the story and hopefully get a general idea of how to do this.

Enjoy!

Edited by warwagon
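As an added example (not from the post or from the tools it names), here is the find/replace pass described above done in Python over an exported .reg file: key headers are moved from HKEY_LOCAL_MACHINE\SOFTWARE to the hive loaded as winpe, and C:\ roots inside string values are rewritten. The sample .reg text is constructed; the post writes the new root as *systemroot*, and this assumes the %SystemRoot% environment-variable form. One thing a plain Word find/replace can miss is that .reg string values store every backslash doubled (C:\\Program Files), so the path replacement has to match that escaped spelling, and verify_retargeted() lists any line that still points at the live machine.

```python
import re

# Constructed sample modelled on the kind of export the post describes (not real Nod32 keys).
# Real "Windows Registry Editor Version 5.00" exports are UTF-16LE; open them with encoding="utf-16".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Eset]

[HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod]
"InstallDir"="C:\\Program Files\\Eset"
"Scanner"="\"C:\\Program Files\\Eset\\nod32.exe\""
"Mode"=dword:00000001
"""

# Key header lines: [HKEY_LOCAL_MACHINE\SOFTWARE\...] or the root itself; a leading '-' means delete-key.
KEY_RE = re.compile(r"^\[(-?)HKEY_LOCAL_MACHINE\\SOFTWARE(\\|\])", re.IGNORECASE | re.MULTILINE)
# Any drive-letter path as it appears inside a .reg string value (backslash stored doubled).
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\\\")


def retarget_reg(text, hive_name="winpe", old_root="C:\\", new_root="%SystemRoot%\\"):
    """Point an HKLM\\SOFTWARE export at a hive loaded under HKLM\\<hive_name> and
    replace drive-letter roots in string values with new_root (%SystemRoot% is an assumed form)."""
    def fix_key(m):
        return "[" + m.group(1) + "HKEY_LOCAL_MACHINE\\" + hive_name + m.group(2)

    out = KEY_RE.sub(fix_key, text)
    # .reg string values escape each backslash as '\\', so match and emit the escaped spelling.
    old_esc = old_root.replace("\\", "\\\\")
    new_esc = new_root.replace("\\", "\\\\")
    # A callable replacement keeps re.sub from interpreting backslashes in new_esc.
    return re.sub(re.escape(old_esc), lambda _: new_esc, out, flags=re.IGNORECASE)


def verify_retargeted(text):
    """Return lines that still reference the live machine's SOFTWARE hive or a drive letter,
    i.e. entries that would import into the wrong place or point at the hard disk instead of the CD."""
    bad = []
    for line in text.splitlines():
        if KEY_RE.match(line) or DRIVE_PATH_RE.search(line):
            bad.append(line)
    return bad


if __name__ == "__main__":
    fixed = retarget_reg(SAMPLE_REG)
    print(fixed)
    print("leftovers:", verify_retargeted(fixed))
```

Run verify_retargeted() on the rewritten file before File / Import; an empty list means every key lands under the loaded hive and no value still points at the hard disk.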

hehe :) not step-by-step, but pretty good details on how to do it. Step-by-step takes all the fun out of it anyway. And people's systems vary like mad, especially on Neowin.

Thanks for posting that; gives me a quick place to start.

