
Hiren's BootCD


12 replies to this topic

#1 Bootlegger


Posted 26 June 2011 - 10:15 AM

I am curious if anyone knows whether an included download of a zip which includes ComboFix.exe is possibly infected with spyware, and if bleepingcomputer.com is aware of what I thought to be a proprietary exe. I am interested in cleaning computers and want to make a Live CD to help with the process. I am a computer professional and compute 40 hours a week as a tech. At some point I might enlist to fight and be formally mentored.

I downloaded Hiren's BootCD 14.0 from http://www.hiren.info/pages/bootcd

I know that you should never run combofix unless told so by a professional and I know that it should only come from the http://www.bleepingcomputer.com website.

These are some questions I have if anyone would like to comment on them.

1. The ComboFix NSIS installer from the Hiren site: has anyone looked at this to see if it is of an ethical nature? It is ver. 11.6.25.5 by a company called Swearware.
2. Has anyone heard of Swearware and have any history on them?
3. http://www.virusscan.jotti.org, a website designed to scan questionable files, used 20 different scanners and only 2 of them flagged the uploaded combo.exe: Clam AV flagged it as PUA.Packed.PECompact-1 and Dr. Web flagged it as a virus.batch.
File size: 4137147 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 63012631d42b4f89a3e199fb969b3da9
SHA1: 43609c55f1da890787e3ef8e649d8e9900cc0e5a
Packer (Drweb): UPX, BINARYRES, EXEPACK, PECOMPACT
Packer (Kaspersky): UPX, PE_Patch.PECompact, PecBundle, PECompact

4. What is an overall opinion of a Live CD, I would like to multicast images across a network and other admin. tools of this nature.
5. If anyone uses a Live CD, what makes it stand out above any of the others? Naturally you can customize and add applications, but based on ease of use, etc.
Below are a few of the choices.
WindowsMaker
BartPe
UBCD4Win
Hiren's CD
Winternals

Thoughts? And sorry if I posted in the wrong area and if I was too inquisitive.

Thanks,
Bootlegger
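As an added example (not part of this post, and not code from ComboFix, Hiren's or Jotti), here is the check a practitioner would run before trusting a bundled executable like the one in question 3: recompute the file's size, MD5 and SHA1 and compare them against reference values, then read the PE section table to see whether a packer left its usual section names behind. The reference values below are the ones the post quotes from the Jotti scan; in real use they should come from the tool's own vendor site rather than from the bundle being checked. The UPX section names are well known; the other packers the scan named (PECompact, EXEPACK, PecBundle) would need their own signatures and are not covered. The sample PE bytes are constructed inline so the script runs offline.

```python
import hashlib
import hmac
import struct
import sys

# Values quoted in the post from the Jotti scan of the bundled combo.exe.
# Reference hashes should come from the trusted vendor site, never from
# the bundle you are trying to evaluate.
REPORTED = {
    "size": 4137147,
    "md5": "63012631d42b4f89a3e199fb969b3da9",
    "sha1": "43609c55f1da890787e3ef8e649d8e9900cc0e5a",
}

# Section names UPX leaves in a packed PE. Other packers from the scan report
# (PECompact and friends) would need their own entries here.
PACKER_SECTION_HINTS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX"}


def file_digests(data: bytes) -> dict:
    """Size, MD5 and SHA1 of a byte string, in the form scanners report them."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def matches_reported(digests: dict, reported: dict) -> bool:
    """True only if size and both hashes agree (constant-time string compare)."""
    return (
        digests["size"] == reported["size"]
        and hmac.compare_digest(digests["md5"], reported["md5"])
        and hmac.compare_digest(digests["sha1"], reported["sha1"])
    )


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_header_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_header_size  # 4-byte signature + 20-byte COFF header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]  # each section header is 40 bytes
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def packer_hints(section_names: list) -> list:
    """Distinct packer names suggested by the section names, in order seen."""
    hits = []
    for name in section_names:
        packer = PACKER_SECTION_HINTS.get(name)
        if packer and packer not in hits:
            hits.append(packer)
    return hits


def build_fake_pe(section_names: list) -> bytes:
    """Constructed stand-in: a minimal header-only PE with the given sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table


def check_file(path: str) -> dict:
    """Report for one file on disk: digests, reference match, and packer hints."""
    with open(path, "rb") as fh:
        data = fh.read()
    digests = file_digests(data)
    return {
        "digests": digests,
        "matches_reported": matches_reported(digests, REPORTED),
        "packer_hints": packer_hints(pe_section_names(data)),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1]))
    else:
        sample = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
        print(file_digests(sample), packer_hints(pe_section_names(sample)))
```

A hash match only tells you the file is byte-identical to what the reference source published; a packer hint only tells you the file was packed, which legitimate tools (including ComboFix, per the scan) also do. The useful signal is a mismatch against the vendor's own published values, which is exactly why a copy pulled out of a third-party bundle should be treated as unverified.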


#2 cryptodan


Posted 26 June 2011 - 10:29 AM

What issues are you having that require you to run a boot CD like Hiren's?

#3 rigel


Posted 26 June 2011 - 10:41 AM

The ComboFix NSIS installer from the Hiren site: has anyone looked at this to see if it is of an ethical nature? It is ver. 11.6.25.5 by a company called Swearware.


I will pass this information on to the program's developer.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#4 Blade (Site Admin)

Posted 26 June 2011 - 10:48 AM

ComboFix is not authorized for inclusion in any sort of LiveCD environment. This is for a multitude of reasons.

Thank you for bringing this to our attention.

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#5 Bootlegger (Topic Starter)

Posted 26 June 2011 - 02:56 PM

All that responded, thanks for the immediate attention. I felt that the inclusion of Combofix.exe was an infringement to bleepingcomputer.com and everything that is being done for the community. I didn't want to see combofix get bad press, as it would yet possibly become another questionable site to a newbie needing assistance and unsure if they could trust in the work and the site.

Again, my initial reasons for wanting a boot disk were for administrative purposes. I worked as an IT employee at a previous company and I used Symantec Ghost Console to help me image out computers in an enterprise environment. Since I am no longer employed with that company and still have a real need to image computers, I spent countless hours getting informed. The ways that I have found so far are SelfImage, Clonezilla, and FOG, which are all open source and legally available for my use.

As an admin I have many needs for a boot disk with programs available to do anything from bypassing an operating system with an anti-virus program so it can be cleaned to resetting a local admin password (I don't have the use of ERD any longer), look @ lan, keyfinder, etc. The needs for a bootdisk from time to time are endless.

WinPE isn't a solution for me so I have been forced to look at UBCD4Win, Knoppix Live CD and just get as informed as possible and only use software in a legal way that doesn't infringe on anyone and to leave things a little better than I found them.

I find a lot of my work in the past has been cleaning computers of malware, spyware, adware, etc. Recovery Genius worked well for me when I had a computer in a workgroup, and even in a domain with the user not having admin rights to the workstation there are many doors open with Java, Adobe, and critical updates that might not be getting done as the box didn't get the published push from SCCM ... Anyway, I am sure that this boot disk will evolve and need the ISO injected with a newer engine and/or DAT file ....

In any event I am interested to know if you found combofix from Hiren's site with any bad code in it.

I really appreciate the site and being a member and learning from the site. I guess the best thing I can do is to get as informed as possible and make good decisions on how I compute and decisions that I make. There is only so much time in a day ... :)

BL

#6 Didier Stevens (BC Advisor)

Posted 27 June 2011 - 05:37 AM

I use several Live CDs, one based on Windows (UBCD4WIN) and a couple of others based on Linux.

There are 2 reasons why I selected UBCD4WIN:

1) You have to build your own Live CD by providing your own Windows CD. So you are not infringing copyrights. I believe you do when you use Hiren's.
2) At the time, UBCD4WIN seemed to be the most adapted to create my own plugin.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#7 Bootlegger (Topic Starter)

Posted 27 June 2011 - 07:02 AM

Didier here is where I think the gray area exists. I believe the BartPE disk evolved because of the licensing issue of using a WinPE disk which is only available to corporate customers. I was under the assumption that if you have proper Windows licensing in place that whether you built the disk or got one that was pre-built by a Hiren or the likes you were not infringing on anybody's hard work and it is done all ethically.

I have no need for anything that is pirated and have access to all the software I want or need with my Technet subscription and actually have Microsoft access through my employer with yet another login there.

All my logic in building a bootdisk was to recover from the loss of legal use of the Winternals disk which includes locksmith and the ghost console.

I have any and all tools available for me on the enterprise level, but I wanted to have an honorable, ethical, and legal way of doing my sidework.

I believe that it is the responsibility of the person who is using a 3rd party bootdisk to look through it and see if anything looks wrong and do the responsible thing by reporting it. I often look at http://craigslist.com for computer gigs to pick up additional project work, as my wife is sick and we are a one income family. I have made numerous reports to piracy@microsoft.com.

My intent would have been to remove any of the plugins that were inappropriate. Looking through the Hiren site and the disk I see many things that are wrong, and it would be nice for bleepingcomputer to do a total download and examine the disk for any files to see if this has been a mechanism to infect computers. I am sure that all the members who are assisting others are also working and giving up a good portion of their life and are already short on time.

At this point I am going to purchase a corporate disk from a reputable source with legally licensed tools and of a trusted source. http://www.livecd.com/ has an extremely reasonable price ...

Any members who want to comment on the usage of this and their thoughts would be appreciated. Free is not always better ... rootkits are no fun and sometimes you get more than you bargained for. I also am and have been a licensed tech with Microsoft since 98.

BL

#8 rigel


Posted 27 June 2011 - 07:17 AM

I spoke with the creator of ComboFix and he did not authorize its use on the Hiren's CD. He also said that since Hiren's is a PE environment, the tool wouldn't be of much use. With that said, running ComboFix without assistance has always been frowned on because of issues that can arise with its usage. At least if you follow the wishes of the developer, you would have help if something did go wrong.


#9 Bootlegger (Topic Starter)

Posted 27 June 2011 - 09:14 AM

I will honor that!

#10 Didier Stevens (BC Advisor)

Posted 27 June 2011 - 01:38 PM

My intent would have been to remove any of the plugins that were inappropriate.


From a technical point of view, this is a sound practice. But I lack far too much legal knowledge to judge if this would also be a sound practice from a legal point of view.


#11 chromebuster


Posted 29 June 2011 - 01:14 PM

@Bootlegger,
Using PE environments is not illegal for non-corporate usage. WAIK (Windows Automated Installation Kit) has an option to deploy Windows by using the Windows PXE/PE environments (but that's for deployment, not rescue missions). Image for Windows, not free but great, also comes with a Bart PE plugin to help with the restoration of images for those more comfortable with Windows rather than Linux. Neither TeraByte Unlimited nor the creator of that plugin has gotten in trouble. And to all of you, how exactly does using a free boot disc infringe on somebody's copyright?

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#12 Bootlegger (Topic Starter)

Posted 29 June 2011 - 09:51 PM

A free boot disk doesn't infringe on a copyright if it is built properly. If the bootdisk includes a plug-in that is made available without the consent of the programmer, it encroaches on their intellectual property. This post originally started over the concern of a questionable plug-in, and it appears that the plug-in I was concerned with was not authorized by the developer. Commercial versus personal use can also change the context of use.

#13 Didier Stevens (BC Advisor)

Posted 30 June 2011 - 09:29 AM

And to all of you, how exactly does using a free boot disc infringe on somebody's copyright?


You do agree that Hiren's boot CD contains IP from Microsoft (e.g. Windows XP)?
And that Microsoft doesn't allow the distribution of Windows XP without a license?
