Boot-disk to clean/scan a Windows computer


Postby mrtux » Fri Jan 03, 2014 10:32 pm

I've been asked by a friend of my partner's to have a look at her computer (Windows), and make sure it's as clean as Windows can be.
The friend has a feeling that her ex has put a key-logger or something similar on to her computer, as the ex has regularly gained access to and taken control of various online accounts she has. Additionally, he seems to be able to get FAR too much information about what she's doing, where she's going and who she is talking to.

I feel that there's also a moderate amount of user-education to be done, regarding good passwords and the like.

I personally would like to just blow Windows away and give her a Linux install, but I haven't got the time to hand-hold through the learning of Linux.

Instead, I would like some suggestions for good boot-disks which will allow me to scan the Windows install and remove anything which shouldn't be there.
I already have Hiren's BootCD on a USB and am quite happy with the tools that I've used on it so far. However, I have mostly used it for hardware testing and Windows password resets, not for scanning for key-loggers and root-kits.
My current USB thumbdrive is bootable, and I can drop ISO files straight on to it, hack up a boot-menu config file and boot in to the ISO file as if it were a real CD, so CD-only bootdisks are fine for suggestions as well.

Postby towy71 » Fri Jan 03, 2014 10:41 pm

System Rescue has featured several times on this forum for doing such things

Postby Dutch_Master » Sat Jan 04, 2014 1:04 am

+1 for SystemRescueCD :)

Postby dhester » Sat Jan 04, 2014 1:35 am

For key logger try Absolute Key logger tool ... 47038.html

For root kit removal try ... mover.aspx

these can be added to a Hiren boot disk or added to a usb stick.

Postby guy » Sat Jan 04, 2014 12:43 pm

Much of the online stalking may be due to simple knowledge of user account details. The ex may well have been covertly collecting the victim's login details for some time before the actual breakup.

Your friend should change their passwords on all their online accounts, especially social networking.

Besides fixing the PC's OS, it is also worth checking through all the user accounts, deleting/deactivating any surprises and changing passwords on all the rest, but I would hope that has already been done.

Does your friend have a smartphone or other mobile device? These things can often also be tracked, for example if GPS (or other) geolocation is active and not made private, or of course if a covert tracking app is installed - and there are a good few of those about.

I'd just add, the "I'm sure my ex wouldn't have / couldn't have done that" is a sure sign that the ex has been misdirecting the victim, but is all too often taken the other way because that's what the victim wants to believe. In my experience, conquering that wanting to believe is more than half the battle.

And finally, the victim needs to methodically collect any and all evidence of stalking and/or harassment, both online and offline. Keep that dossier in a safe place such as a USB stick and back it up, say by creating a new cloud storage account for the purpose. If the ex ever gets out of order, that dossier can and must be handed to the police and legal action started to keep the ex at bay. It all sounds a bit draconian, but believe me, exes can sometimes turn very, very nasty and if your victim doesn't protect themselves now they risk a truly evil few years ahead.

Postby johnhudson » Sat Jan 04, 2014 9:57 pm

Download the very latest version of System Rescue and make sure you have a USB key. Use

    fsarchiver probe -v

to identify the USB key as well as the Windows partitions, and when you get to step 5 with ClamAV, add

    >path/to/USB key

so that you have a record of the scan.

Open the scan in a texteditor and search for FOUND. Note the files and delete them. I actually found this easier to do with Partition Magic. So download that as well.
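The steps johnhudson describes (scan the mounted Windows tree with ClamAV, keep the log on the USB key, then search it for FOUND) as a small shell script. This is an added example, not code from the thread or from SystemRescueCD; the mount point, log path and the sample log lines are constructed, and run_scan is only defined, not executed, since it needs a real mounted disk.

```shell
#!/bin/sh
# Added example: triage a clamscan log for FOUND entries, as suggested
# in the post above. Assumes a SystemRescueCD shell with clamscan
# installed and the USB key mounted (paths below are placeholders).

# Constructed sample log in clamscan's "path: Signature FOUND" format,
# used so the triage functions can run without a real scan.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
/mnt/windows/Windows/System32/kernel32.dll: OK
/mnt/windows/Users/Alice/AppData/Roaming/svchost.exe: Win.Keylogger.Sample-1 FOUND
/mnt/windows/Users/Alice/Downloads/setup.exe: Win.Trojan.Sample-2 FOUND
/mnt/windows/Program Files/Tool/tool.exe: OK
EOF

# run_scan MOUNT_POINT LOG_FILE
# Update signatures, scan the mounted Windows tree recursively and keep
# the log on the USB key (the "record of the scan" from the post).
# Not called here: it needs a real mount point and network access.
run_scan() {
  mount_point=$1
  log=$2
  freshclam
  clamscan -r --infected --log="$log" "$mount_point"
}

# found_files LOG_FILE
# Print only the paths clamscan flagged, stripping ": <signature> FOUND".
found_files() {
  grep ' FOUND$' "$1" | sed 's/: [^:]* FOUND$//'
}

# found_count LOG_FILE
# Number of FOUND entries, for a one-line summary before deleting anything.
found_count() {
  grep -c ' FOUND$' "$1"
}

echo "Files flagged in $SAMPLE_LOG:"
found_files "$SAMPLE_LOG"
echo "Total flagged: $(found_count "$SAMPLE_LOG")"
```

Review the listed paths before deleting them; clamscan's --infected option keeps the log short, and the summary lines it appends do not match the FOUND pattern, so the counts stay correct.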

Postby purplepenguin » Sun Jan 05, 2014 11:05 am

My brother-in-law had a similar problem too.

He recently split with his boyfriend. He got home from work one night and was sat quietly in his flat when he heard a computer fan spin up. He went looking for the source and found his ex's old laptop hidden away under the sofa. When he opened it to see what it was doing (now here comes the scary part), it was streaming video footage of his bedroom. Turns out the camera had been hidden in a shoe box on top of his wardrobe.

Anyway back to your question.

If the couple have split, I assume the ex doesn't have physical access to the laptop any more, which raises the question of how he is getting the data.

Try running the command
Code: Select all
on Windows or Linux to see the active TCP/UDP connections. If the key logger is communicating, you should see something suspect in the output.

As Guy points out, it is important to collect evidence for a successful prosecution. I'd also suggest taking a clone of the HDD to work on so you don't destroy any evidence on the original HDD. The police may require it for data forensics if your friend does seek a prosecution.


Postby pastychomper » Tue Jan 07, 2014 11:08 am

Even after a good malware search, I'd still be strongly inclined to nuke and pave the OS - even if that meant wading through a Windows install & update-reboot-update cycle. It's the only way to be sure. The same goes for any other programmable, network-attached device.

After reading purplepenguin's story ( :shock: ), I'd also consider sweeping the house with a current sensor.
