
mounting to NTFS



Li'l Roberto
02-08-2005, 12:29 AM
Never used Knoppix, but it has been recommended to me as it may help me fix a windows NTFS based system.

I have a machine infected by some kind of Trojan that creates two exe files each boot up. These files are hidden so I am unable to delete them whatever I try, safe mode or booting with a Bart's PE CD whatever.
My research tells me I have to mount the NTFS volumes to enable write properties, however following the instruction I have does not work.
I open a command window and enter these commands as per the instructions:

su -
# mkdir /mnt/captive-win
# mount -t captive-ntfs /dev/hda8 /mnt/captive-win

Here is the error msg received when attempting to mount a volume:
imagepath not readable /devhda8 at /sbin/mount captive-ntfs line 43.

The HDD in this machine is configured as follows
C: Primary
D: logical
E: logical
F: logical
G: logical [this is hda8]
H: USB pen drive
R: CD-R
W: CD-RW

Is anyone able to get me up and running here, basically I want to be able to mount the c: partition and navigate to the C:\windows\system32 folder to delete the infected files.

rgds
Li'l Roberto
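An added example, not from this thread and not part of Knoppix or captive-ntfs: a small POSIX shell script that checks the device node and the mount point before calling mount, then mounts the volume read-only so files can be copied off without writing to NTFS. A mistyped device path (the "not readable" error above points at the path) fails at the first check instead of inside mount. The device /dev/hda1 and the mount point /mnt/win are placeholder assumptions; the real partition number for C: comes from `fdisk -l`.

```shell
#!/bin/sh
# Added example (not from this thread or from Knoppix): sanity-check a device
# and a mount point, then mount an NTFS volume read-only for file recovery.
# /dev/hda1 and /mnt/win are placeholders; take the real partition number
# from `fdisk -l`.

# check_block_device DEV: 0 if DEV is an existing block device under /dev.
# A mistyped path such as /devhda8 fails here, before mount is ever called.
check_block_device() {
    dev="$1"
    case "$dev" in
        /dev/*) ;;
        *) echo "not a /dev path: $dev" >&2; return 1 ;;
    esac
    if [ ! -b "$dev" ]; then
        echo "no such block device: $dev (compare with: fdisk -l)" >&2
        return 1
    fi
    return 0
}

# ensure_mount_point DIR: create DIR if missing; refuse to use a plain file.
ensure_mount_point() {
    mp="$1"
    if [ -e "$mp" ] && [ ! -d "$mp" ]; then
        echo "mount point is not a directory: $mp" >&2
        return 1
    fi
    mkdir -p "$mp"
}

# mount_ntfs_ro DEV DIR: mount with the kernel ntfs driver, read-only, so
# nothing on the Windows volume can change; copy what you need out with cp.
mount_ntfs_ro() {
    check_block_device "$1" || return 1
    ensure_mount_point "$2" || return 1
    mount -t ntfs -o ro "$1" "$2"
}

# Typical use as root (placeholder device and paths):
#   mount_ntfs_ro /dev/hda1 /mnt/win && ls /mnt/win/WINDOWS/system32
#   umount /mnt/win
```

The read-only flag is the point: recovery from Knoppix means reading the volume and copying files elsewhere, not changing it.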

Harry Kuhman
02-08-2005, 12:59 AM
Knoppix can not safely write to or delete files from an NTFS partition. Your best bet might be to boot Knoppix, use Knoppix to recover any files that you need to save (to floppies, usb flash drives, external drives (with FAT partitions), CD/DVD drives, install an extra drive with FAT partitions, storage space on the Internet, or across a network to another computer) and then reinstall a clean version of windows. And if you don't have a hardware firewall (DSL/Cable router), you might not want to even bother. There are plenty of horror stories that people can't get XP on the Internet long enough to load the "security updates" before they are infected with something (not that these updates are very effective, either), including this story of a typical Windows system going down after 4 minutes of DSL access. (http://sfgate.com/cgi-bin/article.cgi?file=/gate/archive/2005/02/04/notes020405.DTL)

Cuddles
02-08-2005, 01:18 AM
You may want to look at the "other" Forums that exist on Knoppix.net ... ( Like maybe the MS Windows Forum, because, two topics have been started in that Forum, of which, have NTFS as the "root" of their topic... )

( it should also be noted, that Harry has also had responses in these two topics, as well... )

For the "non-searching" person using Knoppix.net...

here are the two topics, rather recent, running in the MS Windows Forum...
Captive NTFS on Knoppix 3.6 and WInXP / NTFS hard drive (http://www.knoppix.net/forum/viewtopic.php?t=16792)
and
Mounting HD with Write permission using LIVE CD (http://www.knoppix.net/forum/viewtopic.php?t=16779)

You can always use captive ntfs when using Search Knoppix.net and see what other threads / topics are related to this subject -=- I for one, have never used NTFS ( unless you count WAY back when I was running WinNT ), and have NEVER used Linux with a NTFS drive... ( I kinda feel the same way towards NTFS and Linux being used in the same sentence, as Harry points out ( it can be dangerous ) )

Cuddles
02-08-2005, 01:43 AM
Harry,

Even though this is an "additional" post response, I just HAD to...

I had to respond to the linked article that you posted in your response. The author is "very" Mac oriented, but, was happy to see a "mention" of Linux as a proposed "answer" to all the infections of PCs running under M$ Supremacy...

I guess, if I was going to "summarize" the author's article, I'd say: He recommends everyone own a Mac, but, at least, if you HAVE TO own a PC, the best you can do, is, run Linux :) ( I can't agree more )

Harry Kuhman
02-08-2005, 01:55 AM
Even though this is an "additional" post response, I just HAD to...
Hi Cuddles. Yea, the author is very Mac biased, but the reported problems of fresh XP installs not being able to stay on-line long enough to get the service pack or other updates before someone hacks into them is something I've seen very frequent reports of (this was just a recent one I had come across and still had the URL handy for). And I can see it in my firewall logs, as well as on servers I've run (I think I had an FTP server up for about three minutes before some hacker found it and started poking around to see if anything was misconfigured or if he could otherwise abuse it, and the number of people who find a "private" FTP server on the Internet in a single day is truly staggering). Hardware routers are so cheap now I can't understand why everyone with a high speed connection doesn't use them, even Linux users.

Cuddles
02-08-2005, 02:13 AM
Where, and how, would I go about locating these "logs" ? I'm using GuardDog, and haven't been able to figure out just "where" stuff is getting stored...

My guess is, if I have a firewall "guarding" the entrance, and properly configured to "block" things coming in, then, it should be logs for the firewall, that I should be looking in, right? ( I'm not even sure I have it logging anything )

As for your response; I completely agree - Windows doesn't come "standard" with a firewall, or even anti-virus protection - so, someone just installing the OS, must go online "completely naked" from protection, until they can locate, and download, any protection. Hopefully, they "purchased" a firewall program, or viri program, from the store they bought the OS from, 'cause they don't want to go online without some form of protection, it appears.

As for "any" attacks, I can be thankful that I run a "non-Windows" OS, and that my email program has HTML and spam assassin running to protect those nasty email attacks. Just having an email client running that doesn't allow HTML to be displayed, and only text, can be some help.

Harry Kuhman
02-08-2005, 02:32 AM
Where, and how, would I go about locating these "logs" ? .....
I was talking about logs in the hardware firewall. Different routers have different logging features. Some have none or next to none. The Linksys I first used had minimal internal logs but a really slick feature that would let you send the log information to a computer on the network where you could collect it (unfortunately, they didn't include the logging program on the CD and made it very hard to find on the website. On the other hand, some really nice third party software was written to take advantage of this feature.) I really liked the logs I saw on several friends' D-link routers and picked up a D-link 514 last November. However, while some other Dlink routers do keep good logs, the 514 is awful. The web interface log is OK, but what it e-mails to you when the buffer fills is useless. Because of this and several other serious problems, I can't recommend the Dlink 514.

I don't know about Guarddog logs. I use older versions of TPF or Kerio on my local systems. I could set these up to keep pretty extensive logs, but I would hopefully never see the traffic I'm talking about on them anyway, as it doesn't get past a properly configured hardware firewall. And I would not consider running without my hardware (router) firewall, even with my software firewalls.

OErjan
02-08-2005, 07:13 PM
/var/log is a good place to start looking for firewall logs.

Cuddles
02-08-2005, 07:20 PM
Thanks OErjan,

Did look in there - appears the firewall, GuardDog, uses the standard 'syslog' for output...

A nicely crafted CLI, helped a lot:

cat /var/log/syslog | grep ppp0

or for my LAN: ( using eth0 in place of the ppp0 )

I had looked in the help for the app, and then in its logs settings, and it actually stated it uses syslog...

Sorry to have "hijacked" this thread :(
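As an added example (not from this thread, not part of GuardDog or Knoppix), here is how the syslog grep above can be turned into a short summary of what the firewall logged per source address and per destination port. It assumes the firewall rules log through the kernel LOG target, whose lines carry the IN=, SRC= and DPT= fields shown; the sample lines are constructed for the example and stand in for /var/log/syslog.

```shell
#!/bin/sh
# Added example, not from the thread: summarise netfilter LOG lines in syslog.
# Assumes the firewall (GuardDog here) logs via the kernel LOG target, which
# writes "IN=<iface> ... SRC=<ip> ... DPT=<port>" fields to /var/log/syslog.

# Constructed sample in syslog format; real data comes from /var/log/syslog.
SAMPLE_LOG=$(cat <<'EOF'
Feb  8 19:02:11 knoppix kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4312 DPT=135
Feb  8 19:02:13 knoppix kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4313 DPT=445
Feb  8 19:03:40 knoppix kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.77 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=2210 DPT=21
Feb  8 19:04:02 knoppix kernel: IN=eth0 OUT= MAC= SRC=192.168.1.20 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=137 DPT=137
Feb  8 19:05:00 knoppix sshd[1234]: Accepted password for knoppix from 192.168.1.20
EOF
)

# blocked_sources LOG IFACE: "count source" per SRC= seen on IFACE, busiest first.
blocked_sources() {
    grep "kernel: .*IN=$2 " "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ } }
        END { for (s in n) print n[s], s }' | sort -rn
}

# hits_on_port LOG IFACE PORT: number of logged packets aimed at PORT on IFACE.
hits_on_port() {
    grep "kernel: .*IN=$2 " "$1" | grep -Ec "DPT=$3( |$)" || true
}

# Run against the constructed sample; substitute /var/log/syslog on a live box.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "== sources seen on ppp0 =="; blocked_sources "$f" ppp0
    echo "== packets to port 445 on ppp0 =="; hits_on_port "$f" ppp0 445
    rm -f "$f"
}
```

Filtering on `IN=ppp0 ` separates the dial-up side from the LAN (`IN=eth0 `), which is the same split the grep above makes; the sshd line has no `kernel:` prefix and is ignored.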

pureone
02-08-2005, 08:31 PM
I don't know about Guarddog logs. I use older versions of TPF or Kerio on my local systems. I could set these up to keep pretty extensive logs, but I would hopefully never see the traffic I'm talking about on them anyway, as it doesn't get past a properly configured hardware firewall. And I would not consider running without my hardware (router) firewall, even with my software firewalls.

I love TPF, it's an amazing firewall and I haven't found anything on Linux that is anywhere near as good :(.

I use a hardware firewall plus extra software. When I'm in Linux I run a few programs: ethereal, snort, firestarter and etherape, netstat when I need to. When I run Windows I normally use ethereal and TPF. I don't normally get any hacking attempts other than idiots trying to brute force the admin's account on the FTP server (there is no admin account) or 2 or 3 year old IIS worms trying to attack my apache server, mainly because the way my hardware firewall blocks a lot of scans. I would advise chkrootkit as well in case your machine does get compromised. But just because you run Linux doesn't automatically make you more secure: the default install is secure by default but odd configurations can change that. If anyone does actually manage to get in your machine the chances are they're going to be 10 times smarter than the average script kiddy and will be able to hide themselves much more. By default Linux is much better at security. A default Windows installation will last a day until it has a trojan or virus. Linux can run for 3 months and up to 9 months without getting a successful hacking attempt.


As for deleting the trojans in your computer, I would, in normal mode or even safe mode with networking, download the newest version of AVG and install it if already in safe mode; if not already in safe mode I would boot in safe mode and then try to install it. Scan the computer once over to see if it finds it (make sure the definitions are up to date). If there is no way to remove it with AVG I would search for a definition of the worm/trojan on Google and then see if they have an automatic cleaning tool on symtech (? that's not right) or Norton's site or any other virus related website.
If this does not work for you then I suggest (if you 100% know it's a trojan) use fport or TPF (Tiny Personal Firewall) to see what program is listening on the trojan's port. I would try to use DOS to delete it using del c:\windows\system32\trojansname; try killing it in the task manager before removing it. Make sure both processes are killed if there are 2. If that doesn't work then try to find what reg keys it uses to stop you doing some of the things that you can't do. In safe mode the process should not be allowed to run at all, so it can only be kept hidden by setting its file mode as hidden, which you can get around in Explorer in the folder options.
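The clean-up steps above are Windows-side. As an added example (not from the thread), here is the Knoppix-side counterpart for a Windows volume that is mounted read-only: list the executables under the mounted system32 that were modified within the last N days (a Trojan that recreates its two .exe files at every boot, as described at the top of the thread, shows up among the newest files) and record their hashes to removable media before anything is deleted. The mount path /mnt/win and the output file are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage a Windows volume that is mounted
# read-only (e.g. at /mnt/win, an assumed path). Files an infection rewrites
# at every boot stand out as the newest executables in system32.

# recent_executables DIR DAYS: print .exe files (any case) under DIR modified
# within the last DAYS days, sorted, one per line.
recent_executables() {
    find "$1" -type f -iname '*.exe' -mtime "-$2" | sort
}

# record_hashes DIR DAYS OUT: append "md5 path" for each recent executable to
# OUT, so the evidence survives after the files are removed under Windows.
record_hashes() {
    recent_executables "$1" "$2" | while IFS= read -r f; do
        md5sum "$f"
    done >> "$3"
}

# Typical use (placeholder paths; the USB stick is where the record should go):
#   recent_executables /mnt/win/WINDOWS/system32 3
#   record_hashes /mnt/win/WINDOWS/system32 3 /media/usb/triage.txt
```

Because the volume is mounted read-only, nothing here can alter the Windows installation; the listing and hashes only tell you which files to deal with once you are back in Windows.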

sakiZ
02-09-2005, 08:13 PM
I can sympathize with your Trojan dilemma. AVG is very good with v. 7.

Also, to protect yourself from Trojans, change to a "secure" logon which requires pressing Ctl+Alt+Del before you can even log in with a password.

This disables any trojans that may be wanting to activate when you boot up.

sakiZ

alex52
02-16-2005, 11:14 AM
Each time to access ntfs from knoppix running from cd, I run simple script without using any other programs. If your settings are saved on hd, you need to run this script once, and only mount ntfs next.

Detailed and updated instruction how to write to ntfs posted here:

http://www.knoppix.net/forum/viewtopic.php?t=17024


frugalyankee
02-16-2005, 04:54 PM
Not to try to get you to NOT use Knoppix, but have you exhausted the de-worming possibilities?
Check your temp folders and delete ALL contents, (not the folders). Sort by date and see if there is anything suspicious that showed up when you started having the problems. I had a nasty bout with scumware, it resided in some harmless looking tmp2.tmp file (which I could not delete in normal mode) and which allowed the dang thing to keep re-installing itself on bootup. And it was clever enough to rotate among three different names for the folder and registry keys that it installed!
Try spybot, adaware, and hijackthis (if need be also CWshredder and stinger) and then if you are unsuccessful you can try Knoppix. I have had no luck with Knoppix and am searching for version 3.4 which is supposed to work better if you are trying to get NTFS write access.
GOOD LUCK!!

sakiZ
02-16-2005, 11:04 PM
I can really sympathize with your problem. At work, where we use Windoze, my own computer, which is heavily protected, got infected with a program called Golden Retriever which steals money from ecommerce sites.

I had to use a program called RegSeeker, which is good for uninstalling programs and deleting registry items that might not otherwise be removed.

I was just reading some article today describing how Windows XP has to be one of the worst security disasters of all time for any OS. Unsafe at Any Speed.

Good Luck!

sakiZ