Winbuild questions


42 replies to this topic

#26 Acenyc (Member, 39 posts, United States)

Posted 22 August 2012 - 05:20 PM

Read about runscanner here: http://www.paraglide.../runscanner.htm

Many programs, like CCleaner, SpySweeper, Ad-Aware, HiJackThis, SuperAntiSpyware, Spybot etc. can be re-directed to scan the host PC from PE via runscanner. This can be done via batch e.g.

Runscanner /t 0 /cp /sd /ac /m+ /y program.exe


I think what you're saying is that I can run these antivirus programs from a Winbuild live XP disk and have it scan the machine that live xp is running on. Is that correct? If so, how and where do I add the batch file? Over the past few weeks I've been practicing malware removal I've been installing from the virus exchange section of malwaretips. Most of the malware that I've installed for testing has completely disabled the machine--- no desktop, no start menu, no nothing. So I've had no choice but to use different rescue CDs, mostly Kaspersky's RCD, and it did work and I was able to remove the malware and get basic control of the machine again to then run additional scans. So I'd like to be able to add a few antivirus programs to my winbuild, and run them from live xp to see if they work.

#27 amalux (Platinum Member, Tutorial Writer, 2813 posts, United States)

Posted 23 August 2012 - 12:44 AM

Yes, that's correct. The batch file should be in the same directory as your program.exe and runscanner.exe to keep it simple.

#28 Acenyc (Member, 39 posts, United States)

Posted 24 August 2012 - 02:05 PM

Yes, that's correct. The batch file should be in the same directory as your program.exe and runscanner.exe to keep it simple.


Thanks for the info. When you say, "same directory as your program.exe", you mean the root of C:? Do I have to put the batch file in a folder, or can I just put the file into the root of C:? I modified the scripts so I can add a few antivirus programs, but I haven't added it to a new build yet. I'll do it over the weekend. I did get to use the last build I did on a machine at work yesterday that I think had a bootkit on it because after I did an initial scan on it, and removed what it found I just couldn't get the machine to boot. I used some of the tools from HBCD and Winbuild and I did finally get the machine working again. Using Winbuild from the PXE is just amazing because not only are the built-in tools really great, it allowed me to access utilities from my flash drive from PXE that I've put together over the past few months. I think it was Avast, Rogue Killer and checkdisk 1.2 that did the trick. Thanks.

#29 amalux (Platinum Member, Tutorial Writer, 2813 posts, United States)

Posted 25 August 2012 - 02:43 AM

The batch has to be alongside* the exe unless you modify it with cd or full paths ;)

*alongside means you can see both together in the same location (directory); not one in a sub-folder or on a different drive.

If both are at the root of your drive that's fine but gets a little messy as you add more programs.

When I set up a portable, I have the SFX extract to %temp% (or a sub-folder I create in %temp%) and run the batch from there. This works fine because all the files are together in the same directory. The other alternative is to have the batch cd (current directory) to the folder or root containing the files it needs to run. Ex.
cd /d "C:\Program Folder"
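
The two options in the post above (batch alongside the exe, or a cd to the folder) can be combined by having the batch change to its own folder before launching. This is an added example, not part of the original post; program.exe is the thread's placeholder name, and the runscanner switches are copied unchanged from the command line quoted earlier in the thread.

```batch
@echo off
rem Added example (not from the thread): launcher batch for a scanner
rem that is started through runscanner in PE.
rem Assumption: program.exe is the placeholder used in the thread;
rem replace it with the real scanner executable.
setlocal

rem %~dp0 expands to the drive and folder this batch file lives in, so the
rem launcher works from a drive root, a program folder, or an SFX that
rem extracted everything to %temp%.
cd /d "%~dp0"

set "SCANNER=program.exe"

rem Stop with a readable message instead of a bare "not recognized" error
rem when the files are not alongside the batch.
if not exist "runscanner.exe" (
    echo runscanner.exe was not found in "%~dp0"
    pause
    exit /b 1
)
if not exist "%SCANNER%" (
    echo %SCANNER% was not found in "%~dp0"
    pause
    exit /b 1
)

rem Switches exactly as quoted in the thread.
runscanner /t 0 /cp /sd /ac /m+ /y %SCANNER%

endlocal
```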


#30 Acenyc (Member, 39 posts, United States)

Posted 28 August 2012 - 04:00 PM

Yes, that's correct. The batch file should be in the same directory as your program.exe and runscanner.exe to keep it simple.


Thanks for the help. I'm going to try it with Malwarebytes. This is what I'm going to do. I'm going to make a folder called malwarebytes, and inside that folder I'm going to put the malwarebytes exe file, the modified ppApps .ini file, and the batch file in that folder. Then the malwarebytes folder will go inside the ppApps folder, which itself will be in the root of c:. Is that correct? One question, why do some programs need the batch file? Thanks again.

Runscanner /t 0 /cp /sd /ac /m+ /y program.exe

#31 amalux (Platinum Member, Tutorial Writer, 2813 posts, United States)

Posted 29 August 2012 - 04:01 AM

Yes, it's correct except your shortcut would need to point to the batch file in this case (or an SFX which launches the batch), not malwarebytes exe.

Fyi, not all programs need to be launched with runscanner; I don't see where malwarebytes benefits from runscanner in PE.

#32 Acenyc (Member, 39 posts, United States)

Posted 29 August 2012 - 09:55 PM

Yes, it's correct except your shortcut would need to point to the batch file in this case (or an SFX which launches the batch), not malwarebytes exe.

Fyi, not all programs need to be launched with runscanner; I don't see where malwarebytes benefits from runscanner in PE.

I have a few questions:
1. What is the shortcut & how do I point it to the batchfile?
2. Where is the SFX file located & can I look at it in notepad?
3. How do you know if the exe. has to be run from the runscanner?
Thanks
#33 amalux (Platinum Member, Tutorial Writer, 2813 posts, United States)

Posted 30 August 2012 - 12:43 AM

I have a few questions:
1. What is the shortcut & how do I point it to the batchfile?
2. Where is the SFX file located & can I look at it in notepad?
3. How do you know if the exe. has to be run from the runscanner?

I don't know if this is part of the new forum update but how did your questions become part of my quote? Nevermind...

1. The shortcut (a file that contains only the location of another file on the computer) points to the file you want to launch or start. e.g. a file placed on your Desktop or in your Start menu that, when dbl-clicked, actually starts the file (batch, txt, exe etc) it is pointing to. A shortcut can be pointed at many different targets and created by different methods; in this case, ppAppsGenPE is creating a shortcut to the file you specify in ppApp.ini under the CommandLine parameter. As follows:

<ppApp>
CommandLine = "Program.exe"
ShortcutName = "Program Name"
Description = "Description of program."


In the above example, Program.exe can be replaced with whatever file you want to launch, PDF, CHM, TXT, JS, VBS, CMD etc. even LNK is supported but ppAppsGenPE has some limitations; you can't select a supplied icon for the shortcut so in the case of cmd (batch file), you'll end up with an ugly icon and of course the command window open the whole time the program is running. You could point to a JS or VBS file which would hide (shell) the command window but you'd still have an ugly, generic icon for the shortcut. To create shortcuts like this with custom icons, you either need another program like xlink which allows you to choose your own icon (but isn't user friendly) Ex.
xlink "<path to create shortcut>" "<target path>" "" "<start in path>" "<description>" "" "<custom icon path>"

or you can create an SFX (self-extracting archive) with WinRAR (or similar) which packages the whole thing for you and allows selecting a custom icon for the exe package. e.g. all the files that would usually go into your program folder (except ppApp.ini), including the program files with the exe, the runscanner files plus your batch (and vbs or js if wanted), all get packaged (archived) into a single exe (SFX) which launches when dbl-clicked and has the icon of the program it's going to launch. Now the ppApp.ini just points to that single exe (SFX) and the shortcuts it creates have the custom icon as well ;)

2. You can't look at an SFX in notepad (well, you can but I don't recommend it) but you can rt-click and extract the whole package to see how it was put together. It's really best to have WinRAR installed for this but I'm sure there are free alternatives.

3. Well, trial and error is the best way; it helps to know the program and how it works. One good rule, if the program allows you to choose the scan path(s) then you probably don't need runscanner. If the program has no option for this and just defaults to scanning the system drive then runscanner will be needed. Runscanner is no guarantee the program will work, make sure you test it 'straight' and confirm program is working well before attempting to run via runscanner.

#34 Acenyc (Member, 39 posts, United States)

Posted 30 August 2012 - 11:07 PM

Thanks a lot bro. I do have WinRar, but I have the free version. So I make an archive file containing the batch file and the exe, and the ini file sits outside of the archive file. Then put everything inside the program folder. Is that right? I'll do a test build with spybot & Malwarebytes running "straight" first. If I wanted to add chameleon, should I just add all the .exe files inside of the chameleon folder and put them in the malwarebytes program folder?
The thing I'm still not understanding is where is this "runscanner file"?
Thanks.

#35 amalux (Platinum Member, Tutorial Writer, 2813 posts, United States)

Posted 31 August 2012 - 03:48 AM

You can run your program with all the files loose in a folder like this:
Posted Image
packed into an SFX like this.

When I say 'points to', I mean the CommandLine parameter equals the .exe or .cmd or .js you want the shortcut to launch. Here, the following ppApp.ini points to Malwarebytes.exe which is my SFX.
<Title>
Malwarebytes 1.61 Portable SFX

<Flags>
MakeInRoot = 0
MakeStart = 1
MakeSendTo = 0
MakeDesktop = 1
MakeQuickLaunch = 0

<StartMenuSourcePath>
Security

<ppApp>
CommandLine = "Malwarebytes.exe"
ShortcutName = "Malwarebytes 1.61"
Description = "Antivirus program."

<End>

Test the program unpacked first and without runscanner or batch scripts to make sure the core program is working in PE as expected. There is no reason to use chameleon in PE! The whole reason you're running the program from PE is to avoid needing workarounds like chameleon which is only useful in a corrupted system.

#36 Acenyc (Member, 39 posts, United States)

Posted 31 August 2012 - 02:30 PM

Thanks. A few questions:
1. In your first example, what would go into the App, data and other folder?
2. Where do I get the runscanner.exe & the runscannerDLL.dll file?
3. What program do you use for the screen captures of the file structure?
4. I have the free version of WINRar. Can I make compressed archives with the free version? I messed around with it yesterday and I think I was able to compress the files.
Thanks again.

#37 amalux (Platinum Member, Tutorial Writer, 2813 posts, United States)

Posted 01 September 2012 - 02:12 AM

1. Just what comes with the (portable) program.
2. http://www.paraglide...ins/plugins.htm
3. https://rapidshare.c...6/FSCapture.rar
4. Sorry, I'm not familiar with free WinRAR; try it and see.

#38 Acenyc (Member, 39 posts, United States)

Posted 04 September 2012 - 07:53 PM

Thanks again for all your help. I have more stupid questions for you.
1. I figured out how to use the screen capture program. I made a screen capture of what I want to show you and I have it saved. How do I add it to the post so you can see it? I tried cut & paste, but it didn't work.
2. This is what you said in one of the posts: There is no reason to use chameleon in PE! The whole reason you're running the program from PE is to avoid needing workarounds like chameleon which is only useful in a corrupted system.
From what I understand, chameleon is similar to Rkill-- it's used to stop a malicious process so malware can be removed. What if I'm using the ppApps disk to remove some malware, and I need to stop a process so I can remove the malware. Why WOULDN'T I use chameleon to do that? There's something I'm just not understanding here.
3. What's the difference between a stand alone app & a portable app, and how do I know which one to use when?
Thanks a lot.

#39 Acenyc (Member, 39 posts, United States)

Posted 04 September 2012 - 10:44 PM

I'm trying to link my screenshot from Picasa, but it keeps saying that the file extension isn't allowed. I tried png & jpg. What file extension do I need to use?

#40 amalux (Platinum Member, Tutorial Writer, 2813 posts, United States)

Posted 05 September 2012 - 01:01 AM

1. I figured out how to use the screen capture program. I made a screen capture of what I want to show you and I have it saved. How do I add it to the post so you can see it? I tried cut & paste, but it didn't work.

You need to upload the image(s) to some host like http://photobucket.com/ and then post the link code here.

2. This is what you said in one of the posts: There is no reason to use chameleon in PE! The whole reason you're running the program from PE is to avoid needing workarounds like chameleon which is only useful in a corrupted system.
From what I understand, chameleon is similar to Rkill-- it's used to stop a malicious process so malware can be removed. What if I'm using the ppApps disk to remove some malware, and I need to stop a process so I can remove the malware. Why WOULDN'T I use chameleon to do that? There's something I'm just not understanding here.

Both of these programs are only needed if you are trying to run MBAM on an infected system. e.g. running from the OS where the mal-ware is active. This is because the mal-ware can interfere with MBAM like it does with the operation of the OS. When you run MBAM (or any other program) from PE, you're running from a clean OS! The infected system is offline and so is the mal-ware; it can't affect the operation of a program running from PE.

3. What's the difference between a stand alone app & a portable app, and how do I know which one to use when?

No difference really, just use the one that works best for you. ppApps are a variation on portable, stand-alone applications which are designed to work well in PE or Windows whereas some portables only work in a full Windows.

#41 Acenyc (Member, 39 posts, United States)

Posted 05 September 2012 - 07:28 PM

I know how to post my screen shots now. Thanks.
This screen shot you added to your post, is it all one image that you made within FS capture? How did you make it? I am reading the manual.

#42 Acenyc (Member, 39 posts, United States)

Posted 05 September 2012 - 08:39 PM

Both of these programs are only needed if you are trying to run MBAM on an infected system. e.g. running from the OS where the mal-ware is active. This is because the mal-ware can interfere with MBAM like it does with the operation of the OS. When you run MBAM (or any other program) from PE, you're running from a clean OS! The infected system is offline and so is the mal-ware; it can't affect the operation of a program running from PE.


I'm a little confused here. Removing active malware from an infected machine is one of the things I'm using the winbuild disk for. Last week at work I used my winbuild disk on a laptop. I ran Hitman pro from the winbuild disk and it scanned the c: drive. I also ran MBAM and Avast from my USB stick through winbuild. The HD was acting funny also so I ran diskcheck 1.2 from the PE disk and it fixed the problem. I was then able to install a new operating system. If it's not scanning the HD, then what is it scanning, the RAMdisk?

I wanted to ask you this from last week. I added some stuff to your screenshot. What files go into the App, Data, and other folder? When I added Hitmanpro to my build, I just put the Hitmanpro.exe and the ppapp.ini into the ppApps folder. What is the MalwarebytesPortable.ini file for?
Thanks


Posted Image

#43 amalux (Platinum Member, Tutorial Writer, 2813 posts, United States)

Posted 06 September 2012 - 02:02 AM

This screen shot you added to your post, is it all one image that you made within FS capture? How did you make it? I am reading the manual.

No, I use Paint for that, Edit - Paste From...

I'm a little confused here. Removing active malware from an infected machine is one of the things I'm using the winbuild disk for. Last week at work I used my winbuild disk on a laptop. I ran Hitman pro from the winbuild disk and it scanned the c: drive. I also ran MBAM and Avast from my USB stick through winbuild. The HD was acting funny also so I ran diskcheck 1.2 from the PE disk and it fixed the problem. I was then able to install a new operating system. If it's not scanning the HD, then what is it scanning, the RAMdisk?

Yes, you're not understanding the difference between an online system e.g. booted to and running programs from that system and one that is offline. In the latter case, you are not running the AV program from a running system which has been compromised by mal-ware; you're running from a PE boot disk which has its own 'portable' OS which has not been compromised by any mal-ware. See the difference?

I wanted to ask you this from last week. I added some stuff to your screenshot. What files go into the App, Data, and other folder? When I added Hitmanpro to my build, I just put the Hitmanpro.exe and the ppapp.ini into the ppApps folder. What is the MalwarebytesPortable.ini file for?

Those additional folders, along with MalwarebytesPortable.ini came as part of the portable application package which, in this case, was not one of my own. All I did was take an existing portable version of MBAM and add the runscanner and ppApp.ini files. Hope that's clear ;)



