Solved

Using bartPE for Virus Removal

Posted on 2009-03-31
5
2,044 Views
Last Modified: 2013-11-22
I am thinking about learning how to use bartPE for virus removals of customers' machines. I could jump right in and start learning but I wanted to understand the concepts a little better and save some learning curve time.

1) Do I create the bartPE disk based on the OS that I will be working on... iow, if a customer's machine is XP-Home, will I eventually have a different bartPE CD for it and one for XP-Pro?

2) Plugins  I'm a little confused about these. Are these needed for my favorite version of a virus scanner... or are these mainly hardware related?

3) What are the "must have" plugins that you almost always include?

4) concept, concept, concept... the more you can tell me about the concept of using bartPE (especially in a virus/spyware removal environment) will be most helpful.

Thanks, in Advance!
0
Comment
Question by:AnselAdams
5 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 500 total points
Comment Utility
1. No you can use any version of XP. It will boot to the PE environment which is independent of the users machine.
2. Plugins can be any amount of different programs that do not come natively on the CD.
http://www.bootcd.us/BartPE_Plugins_Repository.php
3. I mainly use BartPE for manually deleting files that are locked by viruses when windows is running. For my use i maiinly just use the explorer and delete the file.
4. As I said above I will usually run my default virus scan software either under regular windows or safe mode. Whatever isnt caught or able to be removed there I then fire up bartPE and manually delete. This is very good for DLL's or EXE's that have some sort of protection on them. Since BARTPE only reads the disk there is nothing that can lock the files.
0
 

Author Comment

by:AnselAdams
Comment Utility
Wow... thanks for the fast reply!

I'm still a little puzzled about the plugins. I see there is one for Avast. So I take it that I need to install the plugin to run advast, right? It doesn't specify any particular version but I've seen one for AVG that targets an older AVG version.

I the real question that I have at this time is:

Does this work any better than pulling the hard drive and scanning it with another computer? I can see the advantage of not pulling the hard drive, but almost always I pull off the case to blow out the dust and it's not much of a step to pull the hard drive.

My first focus is pulling the hard drive, backing it up, then working from there. I use Acronis as my backup tool. I've had problems installing it with highly infected computers so I typically pull the hard drive during the dust cleaning and use my work computer to backup and do the initial scanning.
0
 
LVL 35

Expert Comment

by:Joseph Daly
Comment Utility
the only real benefit I can see to using the boot CD rather than doing it your way is the time saved while pulling and attaching to another machine. If you are used to doing it and dont mind then I would stick with what works for you. That said I usually keep a copy of the CD in my laptop bag because you never know when your gonna need it and you might not have another machine to slave into.

I think as far as the scanning/cleaning both methods should work almost identically. In both situations the drive is only being read, there is no OS or EXE attempting to lock certain files.

Pulling an image with acronis is a good idea just incase the disinfection causes some unintended system failure. That said there are plugins for BARTPE that utilize the DriveimageXML program. This could be useful in the situations like you mention where Acronis wont install correctly.

I cant really give you a definite answer as to which is the better option for you as they both have their benefits. I would suggest setting yourself up a BARTPE disk just to have it as another option in your cleaning efforts.
0
 
LVL 27

Expert Comment

by:Asta Cu
Comment Utility
Good general overview with detail and links here:  http://en.wikipedia.org/wiki/Bartpe
Asta
0
 
LVL 34

Expert Comment

by:Michael-Best
Comment Utility
Outdated antvirus wont be effective.

FREE COMPUTER REPAIR
http://onecare.live.com/site/en-us/default.htm
And run the: "FULL SERVICE SCAN" it will cleanup & speedup your computer, if it won't run then:
You may have been infected with Worm:Win32/Conficker.B
To protect from Conficker apply an emergency patch that Microsoft issued in October - ahead of Conficker's arrival - for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there
Ways to detect and clean a system that has the Win32/Conficker.B worm
http://support.microsoft.com/kb/962007
If on a network, I recommend disabling "Password Lockout" policy for the time being, till you are sure the infection has been contained and cleaned in your network.
(http://technet.microsoft.com/en-us/library/cc781491.aspx)
Also see:
Bit Defender:
http://anti-virus-software-review.toptenreviews.com/
This is  free:
http://www.pctools.com/free-antivirus/
(Regards from Michael Best: a Kiwi in Tokyo: I troubleshoot: both, English OS & Japanese OS)

0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

So you got the Conficker. You could go to each machine and run the eye chart test (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html), but in a bigger environment, or if you prefer to work smarter and not harder, you need some …
PREFACE The purpose of this guide is to explain how to manually move a SEP client to a different client group by performing steps on the client-side. These steps may prove particularly useful because they allow the client to move after it has alrea…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now