

Sun, Nov 13, 2011 10:45 am

PC Tools Alternate Operating System Scanner (AOSS) version 2.0.5

PC Tools' free Alternate Operating System Scanner allows you to boot a Microsoft Windows system with an alternate operating system on a CD. You can then scan the system for viruses from the CD, though I've found the utility of its anti-virus scanner to be very limited.

When I tried the virus scanning feature on a Dell Dimension 4550 PC that had Windows XP Home installed on the hard drive, the scanner didn't seem to be very effective, completing the scan in only 8 seconds and checking only 738 files out of the hundreds of thousands of files that existed on the Windows partition of the hard drive I scanned.

Total malware files:0
Total files:738
Scan time:8 seconds

The CD comes with a file manager that will allow you to access directories and files on your Microsoft Windows partitions on the hard drive. It also has "Disk Detonator", which will allow you to destroy partitions on the hard drive, if you wish.

You can get a shell prompt by choosing "System Shell" from the main menu, which will give you an ash shell provided via BusyBox, but the AOSS CD is lacking in standard Linux command line utilities. There is neither scp nor ftp for transferring files over the network to another system. There is neither links nor lynx, which one might use to access a web server to download or upload files. Wget and curl are also missing, as are the standard network utilities such as ifconfig and netstat.

When I checked the contents of /proc/version, I saw that AOSS uses Ubuntu GNU/Linux for the operating system.

Linux version 2.6.39.4 (www-data@steve-aoss-ubuntu) (gcc version 4.4.1 (Ubuntu 4.4.1-4ubuntu9) ) #1 SMP PREEMPT Mon Oct 31 11:26:05 EST 2011


[/security/antivirus/pctools] permanent link

Sat, Nov 12, 2011 1:49 pm

Avira AntiVir Rescue System 3.7.16

The antivirus vendor Avira offers a free rescue CD which allows you to boot a system that runs Microsoft Windows from a Linux rescue CD that contains Avira's antivirus software. The Avira AntiVir Rescue System can be used in cases where a system is so badly infected it won't boot into Microsoft Windows properly or when the system runs abysmally slowly due to malware present on the system.

The Avira AntiVir Rescue System v3.7.16 uses ISOLINUX to boot from the CD. It appears to be based on Debian GNU/Linux judging by the contents of /proc/version.

root@RescueSystem:/# cat /proc/version
Linux version 2.6.35.1 (cgossenberger@lx-i386-gc236) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Thu Aug 12 13:33:53 CEST 2010

At the AntiVir Rescue System download page, you can download an iso file from which you can burn a CD, if you already have CD burning software that can write ISO files to CDs, or you can download an exe file from the Avira download page and use it to create a bootable rescue CD containing the Avira antivirus software.

When I scanned a system with an Avira AntiVir Rescue System CD today, which I had previously scanned with 5 other rescue CDs and 3 antivirus/antispyware programs within Microsoft Windows, the Avira antivirus software still found 2 remaining infected files.

Avira / Linux Version 1.9.152.0

Statistics:
Directories...........: 15710
Archives..............: 3143
Files...............: 312237
Infected...........: 2
Renamed...........: 2
Warnings............: 3
Suspicious..........: 0
Infection.............: 2

Avira puts a .vir extension on infected files it renames. So if an infected file was named badfile.avi, when it is renamed it will be badfile.avi.vir.

When the scan completed, I saved the results of the scan in rescue-system_scan.log, which I was able to transfer to another system with scp.

You can get a shell prompt by hitting Ctrl-Alt-F2 or selecting "Miscellaneous" from the GUI interface and then selecting "Command line". You can return to the GUI interface by hitting Alt-F7.

I hit Ctrl-Alt-F2 to get a shell prompt and used scp to transfer the log file to another system.

[/security/antivirus/avira] permanent link

Fri, Nov 11, 2011 10:35 pm

AVG GNU/Linux Rescue CD

The AVG Rescue GNU/Linux (ARL) CD can be used to boot a Microsoft Windows system outside of Windows and scan it for malware. The software is free from AVG, a company that produces antivirus software for Microsoft Windows systems.

[ More Info ]

[/security/antivirus/avg/rescue-cd] permanent link

Wed, Sep 21, 2011 10:40 pm

F-Secure 3.11 Rescue CD Scan of Compaq SR1900NX Windows XP PC

If I need to scan someone's Microsoft Windows system for malware, I usually make a backup of the system outside of Windows, e.g., by booting the system with a Norton Ghost 2003 boot CD and backing up the system to an external USB drive. I then usually perform an initial scan of the system using a rescue CD, such as the F-Secure Rescue CD 3.11. Using a rescue CD can be especially helpful if a system won't boot into Windows or runs abysmally slow because of a malware infection.

In this instance I used the F-Secure Rescue CD 3.11 on a Compaq Presario SR1900NX system running Windows XP to perform an initial malware scan of the system.

[ More Info ]

[/security/antivirus/f-secure] permanent link

Tue, Apr 13, 2010 8:35 pm

Online File Analysis

In performing PC support, by far the most common complaint I've had to deal with has been malware infections. For any files I download, I normally submit them to at least one and sometimes all of the following sites, which will scan a file you upload to the site with multiple antivirus programs:

Sometimes, a particular antivirus program won't yet recognize some new malware, but other such programs will recognize it. Of course, one also has to bear in mind that false positives do occur, so if only one antivirus program reports a program is infected, it could be a false positive.

I also use Sunbelt Software's CWSandbox on-line malware analyzer. You can submit a file to that service and it will install the software within a sandbox on a Sunbelt system and then give you the results of the analysis of the file submitted, including files and registry entries created, network activity, and process details. For a sample of a report see the report created for the installation file for Totally Free Burner named TotallyFreeBurner.exe, which I submitted to the analysis service:

Malware Report for ID: 12057226

Note: Totally Free Burner doesn't contain malware; I just normally check all software before I install it on my system or someone else's system.

If you know the MD5 checksum for a file, which the virus scanning services I listed above provide, you can determine if there is an existing Sunbelt CWSandbox report for it by using a URL of the following form:

http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=<md5 checksum>

E.g., http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=dece7e4cbd0c3ca7d6523fc0b5ee95b1 for the 6.0 version of Totally Free Burner I downloaded from the developer's website and then uploaded to Sunbelt's CWSandbox service.

There are also a number of free tools that you can use to determine the MD5 checksum of a file. The MD5 checksum is determined by performing a mathematical calculation on the contents of a file and should be unique for a given file (there is a very slim possibility that may not be true, but for all practical purposes you can consider it unique).

FileAlyzer© from the developer of Spybot Search & Destroy will show you the MD5 checksum for a file, in addition to providing other information, as will digestIT 2004. Both are free.
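As an added example (not part of the original post), the following Python sketch computes a file's MD5 and builds a lookup URL of the form shown above. It also computes SHA-256 in the same pass, because MD5 collisions can be produced deliberately, so SHA-256 is the better value to keep as a record of exactly which file was analyzed. The function names `file_digests`, `lookup_url` and `demo` are hypothetical, and the sample file is constructed.

```python
import hashlib
import os
import re
import tempfile
from urllib.parse import urlencode

# URL form quoted in the post; whether the service still answers is not assumed.
LOOKUP_BASE = "http://research.sunbelt-software.com/partnerresource/MD5.aspx"
MD5_RE = re.compile(r"[0-9a-f]{32}")


def file_digests(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex), reading the file once in chunks so
    large installers are never loaded into memory whole."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def lookup_url(md5_hex):
    """Build the report-lookup URL, rejecting anything that is not an MD5."""
    normalized = md5_hex.strip().lower()
    if not MD5_RE.fullmatch(normalized):
        raise ValueError("not a 32-character hexadecimal MD5: %r" % md5_hex)
    return LOOKUP_BASE + "?" + urlencode({"md5": normalized})


def demo():
    # Constructed sample file standing in for a downloaded installer.
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"abc")
        md5_hex, sha256_hex = file_digests(path)
    finally:
        os.unlink(path)
    return md5_hex, sha256_hex, lookup_url(md5_hex)


if __name__ == "__main__":
    md5_hex, sha256_hex, url = demo()
    print("MD5:    ", md5_hex)
    print("SHA-256:", sha256_hex)
    print("Lookup: ", url)
```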

[/security/antivirus] permanent link

Sun, Nov 15, 2009 3:11 pm

ClamWin 0.95.3 Scan of Windows 7 Home Premium Edition Laptop on 2009-11-15

I scanned a laptop running Windows 7 Home Premium Edition with ClamWin Free Antivirus version 0.95.3 on 2009-11-15. ClamWin reported the following:

C:\$WINDOWS.~Q\DATA\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\Liza\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab: W32.Virut.Gen.D-163 FOUND

But, I believe all of those were false positives.

[ More Info ]

[/security/antivirus/clamav] permanent link

Sun, Aug 09, 2009 6:25 pm

Using dpkg and apt-get with BitDefender Rescue CD

The dpkg utility can be used to add additional software once you have booted a system with a BitDefender Rescue CD, but first you need to create a few directories and files.

root@Knoppix:~# mkdir /var/lib/dpkg
root@Knoppix:~# mkdir /var/lib/dpkg/info
root@Knoppix:~# mkdir /var/lib/dpkg/updates
root@Knoppix:~# touch /var/lib/dpkg/status
root@Knoppix:~# touch /var/lib/dpkg/available

Alternatively, you can use the apt-get utility to download and install the packages you wish to use; see Using apt-get with BitDefender Rescue CD.

[ More Info ]

[/security/antivirus/bitdefender/rescuecd] permanent link

Sun, Aug 02, 2009 10:38 pm

BitDefender Rescue CD 2.0.0

BitDefender provides free rescue CD software that you can use to scan a Windows system. The rescue CD is based on Knoppix Linux. As of August 2, 2009, BitDefender Rescue CD 2.0.0 uses Knoppix 2.6.19. You can download an ISO file for the rescue CD from http://download.bitdefender.com/rescue_cd/.

To use the rescue CD, boot the system from the CD. You may need to configure the system's Basic Input Output System (BIOS) to attempt to boot from a CD before attempting to boot from the hard drive, or hit a key that allows you to select the drive from which you want to boot. When your system starts booting from the CD, you will see an initial startup menu.

Start knoppix in English (US)
Start knoppix in French
Start knoppix in console mode
Memory test
Boot from first hard disk


BitDefender Rescue CD based on Knoppix

You must hit Enter when the menu appears or move the cursor up or down or the system will be booted from the hard drive rather than the boot process continuing from the CD.

Starting boot sequence

During the boot process, the virus definitions will be updated if the system has an Internet connection. If the software has a problem updating the definitions, it will hang for a while at the stage where it tries to update the virus definitions and then you will see the message "Trying to update BitDefender-scanner...fail..check your network ?" When the BitDefender Rescue CD completes booting, you will have a Graphical User Interface (GUI). A BitDefender AntiVirus Scanner for Unices program will start automatically and start scanning the hard drive in the system.

By default, all partitions detected on the hard drive will be scanned. When the scan completes, you'll have to choose what actions to take on the infected file(s). You can choose one action for all files or select an action for each item.

If you right-click somewhere on the desktop, you will see a list of applications on the CD. You can get a terminal window by selecting Terminal or Terminal (as root) from the menu that appears. Don't pick Exit from this menu until you are ready to shut down the system, i.e., wait until the scan has completed and you've chosen what to do with any infected files detected.

[/security/antivirus/bitdefender/rescuecd] permanent link

Tue, May 12, 2009 11:55 am

Avira AntiVir Rescue System

Avira provides a free rescue CD that can be used to scan a system for viruses and other malware. A Microsoft Windows system can be booted from the CD and scanned, which allows you to find and remove malware even when the system is so badly infected that it is unbootable or otherwise effectively unusable.

[ More Info ]

[/security/antivirus/avira] permanent link

Sun, Apr 05, 2009 8:18 pm

Free File Upload Sites for Virus Scanning

There are a number of sites where one can upload a file to have it scanned by multiple antivirus programs, e.g. VirusTotal, VirSCAN, and Jotti's Malware Scan site.

[ More Info ]

[/security/antivirus] permanent link
