Is there a way to LIVE BOOT from XP install CD?

casey.o

Is there a way to LIVE BOOT from XP install CD?

Similar to the way you can do with many of the Linux distros?

I have a flash drive and a hard drive that still could be virus
infected. I'd like to check them out without corrupting an installed XP
again. If I'm booted from a CD, nothing can get infected. But I don't
see any way to do this..... I would boot from Linux, but then I can't
run the salitykiller file, since it's a .EXE made for Windows.
 
Paul

> Is there a way to LIVE BOOT from XP install CD?
>
> Similar to the way you can do with many of the Linux distros?
>
> I have a flash drive and a hard drive that still could be virus
> infected. I'd like to check them out without corrupting an installed XP
> again. If I'm booted from a CD, nothing can get infected. But I don't
> see any way to do this..... I would boot from Linux, but then I can't
> run the salitykiller file, since it's a .EXE made for Windows.

A BartPE disc is an example of a pre-install environment.
It's like your OS, only with certain subsystems missing.
BartPE works with some things, via a "plugin" which is
designed to work with the program. Some backup software
for example, there are BartPE plugins offered with that
software, for people who are BartPE experts and know
how to build a BartPE CD.

The WAIK or ADK kits allow preboot environment discs to
be constructed as well. That's how Macrium Reflect makes
one of its CDs. A Windows 7 or Windows 8 DVD has pre-boot,
and can be booted to a Command Prompt window.

But the question would then be, how does SalityKiller work?
Is it a simple-minded scanner? Or does it do more?

The AV/Malware people have a gentleman's agreement, not
to air any laundry in public. That means not providing
detailed theory of operation about whatever tools
they might have assembled. If you thought you'd be
getting helpful hints, most any expert is going
to tell you to "use it, as prescribed". If there
are instructions on a web page, that's how you use it.

It *looks* like a simple program, but I don't know what
it is doing, what subsystems it might choose to use (like,
run an exe in a sandbox and watch what is present in memory).
Because infected files are polymorphic, I can't
see the program using a simple-minded "pattern match" to some
byte pattern inside the file. That's why a lot of conventional
AV scanners are missing the thing. They can't "see it".

http://www.symantec.com/security_response/writeup.jsp?docid=2006-011714-3948-99

"W32.Sality is an entry-point obscuring (EPO) polymorphic
file infector. It will infect executable files on local,
removable and remote shared drives. The virus also creates
a peer-to-peer (P2P) botnet and receives URLs of additional
files to download. It then attempts to disable security software."

And anyone who knows how SalityKiller actually works, isn't likely
to tell you.

Paul
 
Good Guy

> Is there a way to LIVE BOOT from XP install CD?
>
> Similar to the way you can do with many of the Linux distros?
>
> I have a flash drive and a hard drive that still could be virus
> infected. I'd like to check them out without corrupting an installed XP
> again. If I'm booted from a CD, nothing can get infected. But I don't
> see any way to do this..... I would boot from Linux, but then I can't
> run the salitykiller file, since it's a .EXE made for Windows.

Try this:

<http://technet.microsoft.com/en-gb/library/hh825109.aspx>
 
casey.o

> A BartPE disc is an example of a pre-install environment.
> It's like your OS, only with certain subsystems missing.
> BartPE works with some things, via a "plugin" which is
> designed to work with the program. Some backup software
> for example, there are BartPE plugins offered with that
> software, for people who are BartPE experts and know
> how to build a BartPE CD.
>
> The WAIK or ADK kits allow preboot environment discs to
> be constructed as well. That's how Macrium Reflect makes
> one of its CDs. A Windows 7 or Windows 8 DVD has pre-boot,
> and can be booted to a Command Prompt window.
>
> But the question would then be, how does SalityKiller work?
> Is it a simple-minded scanner? Or does it do more?
>
> The AV/Malware people have a gentleman's agreement, not
> to air any laundry in public. That means not providing
> detailed theory of operation about whatever tools
> they might have assembled. If you thought you'd be
> getting helpful hints, most any expert is going
> to tell you to "use it, as prescribed". If there
> are instructions on a web page, that's how you use it.
>
> It *looks* like a simple program, but I don't know what
> it is doing, what subsystems it might choose to use (like,
> run an exe in a sandbox and watch what is present in memory).
> Because infected files are polymorphic, I can't
> see the program using a simple-minded "pattern match" to some
> byte pattern inside the file. That's why a lot of conventional
> AV scanners are missing the thing. They can't "see it".
>
> http://www.symantec.com/security_response/writeup.jsp?docid=2006-011714-3948-99
>
> "W32.Sality is an entry-point obscuring (EPO) polymorphic
> file infector. It will infect executable files on local,
> removable and remote shared drives. The virus also creates
> a peer-to-peer (P2P) botnet and receives URLs of additional
> files to download. It then attempts to disable security software."
>
> And anyone who knows how SalityKiller actually works, isn't likely
> to tell you.
>
> Paul

Thanks for the info, but none of this will work. I don't have Win 7 or
8 CDs, and can't burn CDs. Especially now, when my laptop is halfway on
the fritz, and that is what I tried to burn CDs. I know there is a
linux repair CD available, and I did DL the ISO for it, but I burned it
and it would not boot or do anything. I'd buy one on that place on
distro watch, but I'd think PcLinux should be able to format disks
too.... but maybe not???? I suppose if worse comes to worse, I'll just
toss those flash drives in the trash. No sense spending a lot of money
on them, when they are cheap enough. It seems that nothing these days
is simple with computers. I'll be real glad when I get the laptop
working and get rid of all the other stuff. This modern software is
written for someone other than me. I don't want to deal with any of this
stuff anymore.... Another week of this bullshit, and I will end up in
a crazy ward....
 
J. P. Gilliver (John)

In message <[email protected]>,
> Is there a way to LIVE BOOT from XP install CD?
>
> Similar to the way you can do with many of the Linux distros?
>
> I have a flash drive and a hard drive that still could be virus
> infected. I'd like to check them out without corrupting an installed XP
> again. If I'm booted from a CD, nothing can get infected. But I don't
> see any way to do this..... I would boot from Linux, but then I can't
> run the salitykiller file, since it's a .EXE made for Windows.

If casey.o turns off autorun in all its forms, on the PC on which he has
the SalityKiller .exe file (I'm assuming that's a known clean PC!), will
he be in any danger - in other words, have the Sality developers
invented a way round turned-off autorun?
 
Paul

J. P. Gilliver (John) said:
> In message <[email protected]>,
>
> If casey.o turns off autorun in all its forms, on the PC on which he has
> the SalityKiller .exe file (I'm assuming that's a known clean PC!), will
> he be in any danger - in other words, have the Sality developers
> invented a way round turned-off autorun?

Obviously, you have to remove malware in a certain order.
The virulent (active) part of the thing must be inactive long
enough, to make the change. If the virulent part has code
in the startup sequence, it can put things back the way it
likes.

For people here with uninfected systems, looking at your
Autorun and AutoPlay status, is something to consider so
you don't end up like casey.o. I used the Fixit to turn
part of mine off. I think I also did something like that
to my Windows 8 installation.

Paul
 
casey.o

> If casey.o turns off autorun in all its forms, on the PC on which he has
> the SalityKiller .exe file (I'm assuming that's a known clean PC!), will
> he be in any danger - in other words, have the Sality developers
> invented a way round turned-off autorun?

I'm gonna find this out soon. I decided it's just too much trouble
burning CDs or doing lots of other stuff to format the two flash drives
and 2 hard drives I want to format. I can and may format the HDDs by
starting an XP install CD, but to clean up those flash drives, I am
gonna just install a barebones of Win2000 on a 2G HDD I found in my junk
box. One of those flash drives is probably clean. I used it to install
and run salitykiller on that ebay (infected) computer. I ran the
program on that HDD and used the (I think it's -k) to clean plug in
drives. The other flash drive I am almost sure has the live virus on
it. It's the one that caused the problem to spread to other computers
in the first place.

I will do that one last. I'll run salitykiller on that temp install of
Win2000, to block (disable) autorun. Then I'll see what happens. I
could even install XP, but I'm not sure if it will install on a 2G HDD.
I'd actually like to see if it CAN spread after I run disable autorun.
Since it will be on a spare computer with nothing but that 2G HDD, it
cant spread. When I am done, I'll install linux on that 2G HDD, which
formats it to some sort of linux format, so that will wipe out
everything.

But I'm not going to do this yet, because I am waiting on that Ebay
seller to get back to me, before I format the HDD in the computer I got
from him. Not only do I want the guy to know what's happening, so he
doesn't sell more infected computers, but I want him to send me an install
CD to match the computer. I think that is the least he can do. I don't
want to have to ship the computer back. Too much trouble and the
hardware is fine. I'll have to see what he will do.....
 
J. P. Gilliver (John)

Paul <[email protected]> said:
> J. P. Gilliver (John) wrote: []
>> If casey.o turns off autorun in all its forms, on the PC on which he
>> has the SalityKiller .exe file (I'm assuming that's a known clean
>> PC!), will he be in any danger - in other words, have the Sality
>> developers invented a way round turned-off autorun?
>
> Obviously, you have to remove malware in a certain order.
> The virulent (active) part of the thing must be inactive long
> enough, to make the change. If the virulent part has code
> in the startup sequence, it can put things back the way it
> likes.

The startup sequence of what? That's what I was trying to ask: if he has
a known clean system, and makes sure autorun (and anything similar) is
turned off, is he in _any_ danger plugging an infected drive into that
system (such as to reformat the drive in question)?

> For people here with uninfected systems, looking at your
> Autorun and AutoPlay status, is something to consider so
> you don't end up like casey.o. I used the Fixit to turn
> part of mine off. I think I also did something like that
> to my Windows 8 installation.
>
> Paul

I've just made sure, thanks for the reminder! (Set to 0xFF in XP. Hope
that won't break anything.)
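The "0xFF" above is the NoDriveTypeAutoRun policy value, a bitmask with one bit per drive type. The following read-only PowerShell check is an added example, not code from the thread or from any of its posters; it decodes that bitmask from the machine and user policy keys and also looks for the HonorAutoRunSetting value that Microsoft's Autorun update (KB967715) adds on XP/2003, without which the policy is only partly honored. The drive-type labels are taken from the documented bit layout; the key paths are the standard Policies\Explorer locations.

```powershell
# Added example (not from the thread): show which drive types have Autorun
# disabled by NoDriveTypeAutoRun (0xFF = every type). Read-only, changes nothing.
$driveBits = @{
    0x01 = 'unknown type';          0x02 = 'no root directory'
    0x04 = 'removable (USB flash)'; 0x08 = 'fixed (hard disk)'
    0x10 = 'network';               0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disk';              0x80 = 'reserved / unknown'
}
$policyKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $policyKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $value = $props.NoDriveTypeAutoRun
    if ($value -eq $null) {
        Write-Output "$key : NoDriveTypeAutoRun not set (Windows default applies)"
        continue
    }
    Write-Output ("$key : NoDriveTypeAutoRun = 0x{0:X2}" -f $value)
    foreach ($bit in ($driveBits.Keys | Sort-Object)) {
        # A set bit means autorun is DISABLED for that drive type.
        if ($value -band $bit) { $state = 'disabled' } else { $state = 'ALLOWED ' }
        Write-Output ("    autorun {0} on {1} drives" -f $state, $driveBits[$bit])
    }
}
# XP/2003 honor NoDriveTypeAutoRun fully only after the Autorun update
# (KB967715), which creates HonorAutoRunSetting = 1 under the HKLM key.
$honor = (Get-ItemProperty -Path $policyKeys[0] -ErrorAction SilentlyContinue).HonorAutoRunSetting
if ($honor -eq 1) {
    Write-Output 'HonorAutoRunSetting = 1: the policy above is enforced for autorun.inf'
} else {
    Write-Output 'HonorAutoRunSetting missing: on XP the policy may be ignored for autorun.inf'
}
```

Run it in an elevated PowerShell session on the machine being checked; a set bit (disabled) for removable drives is what stops an autorun.inf on a plugged-in flash drive from being acted on, but it does nothing about files you open on that drive by hand.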
 
J. P. Gilliver (John)

In message <[email protected]>,
> I'm gonna find this out soon. I decided it's just too much trouble
> burning CDs

You need to get your burning-CDs problem sorted, regardless of all the
other things we're discussing. Once it's working, burning CDs is
absolutely trivial, unless there's a problem with your drive. There are
oodles of software that does it - I've just discovered that "Express
Burn Disc Burning Software" has its ISO part turned off in the free
version, so I'm trying my SilentNight Micro Burner v. 5.0 Light (which
I'd forgotten, talks to you!) - only 1.2 MB; I found v5 (apparently v6
has gone nagware) at http://www.portablefreeware.com/?id=106, but that
page also has (in the comments) links to others (I don't know which ones
do ISOs though).

> or doing lots of other stuff to format the two flash drives
> and 2 hard drives I want to format. I can and may format the HDDs by
> starting an XP install CD, but to clean up those flash drives, I am
> gonna just install a barebones of Win2000 on a 2G HDD I found in my junk
> box. One of those flash drives is probably clean. I used it to install
> and run salitykiller on that ebay (infected) computer. I ran the
> program on that HDD and used the (I think it's -k) to clean plug in
> drives. The other flash drive I am almost sure has the live virus on
> it. It's the one that caused the problem to spread to other computers
> in the first place.
>
> I will do that one last. I'll run salitykiller on that temp install of
> Win2000, to block (disable) autorun. Then I'll see what happens. I
> could even install XP, but I'm not sure if it will install on a 2G HDD.

Not sure about the basic version; I've recently _upgraded_ a version of
XP Pro to SP3 + all updates on a 6G drive, which was hard work but I got
there, but (with a few small other things like Firefox and IrfanView)
there's only about 1/4 of the drive free, so I suspect 2G would be
pushing it. (System works fine though!)

> I'd actually like to see if it CAN spread after I run disable autorun.

Yes, please share what you find (especially if it's bad news)!

> Since it will be on a spare computer with nothing but that 2G HDD, it []
> But I'm not going to do this yet, because I am waiting on that Ebay
> seller to get back to me, before I format the HDD in the computer I got
> from him. Not only do I want the guy to know what's happening, so he
> doesn't sell more infected computers, but I want him to send me an install
> CD to match the computer. I think that is the least he can do. I don't
> want to have to ship the computer back. Too much trouble and the
> hardware is fine. I'll have to see what he will do.....

Good luck. From what you've previously said he's operating as a company
selling refurbished PCs, right? Or is he just an individual? I'm not
sure if the distinction is the same UK and US; which he is might
determine what rights you have. Was it sold as "working", or "sold as
seen" or some similar phrase? If you get no joy, try Ebay and (assuming
you used them) PayPal's resolution systems; I've had some success with
them. (But try the direct route first.)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

The voices of Radio 4 continuity and newsreading have been keeping me right
for as long as I can remember. I can call on a million different information
sources, but it doesn't make sense until I've heard it from Peter, Harriet,
Charlotte and the rest.- Eddie Mair in Radio Times 10-16 November 2012
 
