Using Linux to remove spyware from Windows partitions.

**fairchdr** · 10-20-2004, 02:30 PM

Has anybody seen any software that would run under the Linux/Knoppix system that could search within a Windows partition for spyware/adware and other malware. I would like it to be able to resolve Windows registry entries as well as the executable files and directories.
I am also looking for alternatives to virus detection other than ClamAV to remove viruses in a like fashion.
On a slightly different note, I would also like to remaster Knoppix Insert distro to include the above programs, but have never done a remaster before, can anyone point me towards a good tutorial to do this?

Thanks,
Don.

**aay** · 10-20-2004, 03:28 PM

You'll probably have a hard time getting advice from most Linux users on this topic simply because spyware isn't a problem under Linux. If you can't use regular Windows spyware removal tools (like Adaware and Spybot) because your Windows machine won't boot, you "might" be able to get these tools to run using Wine. This might be a totally worthless suggestion however. It's the only thing I can think of.

**fairchdr** · 10-21-2004, 08:42 PM

I thought it would be a good thing to use Linux to fix a Windows system. The Windows systems are getting so mucked up they cant even run a remover program anymore.
Ergo, good PR for the general public about Linux.

**firebyrd10** · 10-22-2004, 12:10 AM

Really? I have great success with ad-aware. If I can't delete it normally, i'll boot into safe mode and that fixes it.

*On topic*
I'll have to agree with above, the best thing you can try is running them with wine. I would think that they would work.

**Cuddles** · 10-22-2004, 03:09 PM

Before "getting out" of Windows, I found some excellent "free-ware" for windows, they work great, and either they are "free completely", or you can get a "free version" that wants you to buy the "buy" version, but still doesnt lock up after a "trial" period...

Spy-Ware -=- Spybot Search and Destroy - free-ware...

Anti-Virus -=- AVast -=- "Home" version is free-ware, but always tells you that "if you bought the real version, you'd get xxxxxxxx features...". It doesnt lock up or anything, it just advertises for its "paid" version....

Spybot is excellent, it has "ripped out" tons of junk that gets "added" into IE all the time... Nice thing is, both run "native" in Windows...

**fairchdr** · 10-22-2004, 04:18 PM

Well thanks for the tips, I have been using Ad-aware, Spybot-SD, AVG, F-Prot, Symantec and on and on..

. I do this for a living and all of the spyware, viruses, backdoors, trojans etc have rendered many Windows systems to nothing more than very expensive paper weights. So I have been trying to find new and better ways to clean and fix those windows partitions.

I have had some luck with the following; Running taget machine with Knoppix 3.6 and Captive-NTFS and Samba. This allows me to network to the target system and run AVG and Ad-Aware on it. But the captive-ntfs stuff is giving me fits about allowing the drive to be Read/Write. (yep I have heard about the writing to ntfs disk problems too)

Running F-prot right on the target system is kinda nice, but it doesn't fix any virus damage done to the Registry.. (Wine is limited here so far).
Anyhow, back to it, but it sure is giving me a headache!

Don

**triso** · 11-03-2004, 08:57 PM

Hi,

As usual, I am probably too late to comment but here's my two cents:

The best way I have found to get rid of a mess of spyware is not with knoppix (sorry!) but with BartPE. This is a version of Windows that boots from a CD (surprise!). You can then scan your windows drives for viruses, spyware and anything else you put on your CD. See <http://www.nu2.nu/pebuilder/> for details.

**Cuddles** · 11-05-2004, 07:02 PM

triso,

Good suggestion, best thing you can do is to not load the "junk" and have something trying to remove it while it is already loaded...

A few "bad things" got stuffed into my IE, registry, auto-load, Windows install, and even SpyBot had a time getting rid of them, it required three reboots and SpyBot scans to finally rid the system of them -=- Spybot initially found them, cleaned what it could, required a reboot, then continued where it could further, then required a reboot, then continued cleaning some more, required a final reboot, and then completely rid the system on a last scan of "success"....

The whole process would have been a single step, if I had been able to boot to a "clean" starting point, and let it go after the "infestation" without it being loaded each time... Good Suggestion

**firebyrd10** · 11-06-2004, 12:53 AM

With one really nasty spyware infection, CWS, I had to boot into safemode (with networking) run ad-aware, run hijack this! and then run a virus scanner (housecall)

adware found 50 things, about 20 I had to remove with hijack this! and housecall found 20 trojans. All from this one thing of spyware.