Full Version: failure to load plugins
semaphore
I am having a terrible problem locating an infection that started with PCAntispyware2010. I was able to remove PCAV2010, but it left me with something that inhibits all my installed anti-malware; HJT, SpybotSD, AVG... After much frustration looking for the rascal responsible I finally downloaded PEBuilder and was successful in making a BartPE disk from my clean XP SP3 laptop. However, when I try to load a SpybotSD plugin the pebuilder does not load the plugin; the SpybotSD folder on the burnt disk is empty. I also cannot get pebuilder to load a single additional .dll in the correct place either. When I enter "C:\ Program Files\BartPE\pebuilder3110a\BartPE\I386\system32" as the output, it puts the .dll up front in BartPE.

How do I get pebuilder to load the plugin?

Ed_P
For starters move PEBuilder to a path without spaces. C:/PEBuilder would be a good start.

PEBuilder has always struggled with paths containing spaces or blanks.
semaphore
I tried installing pebuilder in "C:\pebuilder31101a" and then specifying the "output" for the .dll as "C:\pebuilder3110a\BartPE\I386\system32" and it still loads the .dll up front with the autorun.inf. It also still fails to load the SpybotSD plugin, even though it creates a SpybotSD folder.
Ed_P
Exactly what plugin command are you using to load the .dll file? And have you reviewed the PEBuilder help files, in particular the ones for creating plugins?
semaphore
When I boot pebuilder v3.1.10a on my laptop it opens a window with boxes to specify the Path to Windows: (C:\windows\), Custom: (include files and folders from this directory) (C:\Documents and Settings\Administrator\My Documents\000dll), and Output: (C:\pebuilder3110a\BartPE\I386\system32). I checked "Burn to CD/DVD" using Starburn. I loaded the SpybotSD plugin into the Spybot folder in the plugin folder.

My system is a Sony PCV-RX690G, 2.2GHz, 2MB RAM, XP Pro SP3.

FYI: DrWeb found Backdoor.Zapinit.122 in C:/windows/system32/user32.dll and reported it cured. However, when I rebooted the machine it still displays the same behavior, even after I reinstalled MBAM.
paraglider
You don't point pebuilder at your windows directory. You point it at either the Windows XP install CD or a copy of the install CD on your hard drive. This is usually not at c:\windows.

The output directory should be: C:\pebuilder3110a\BartPE

You will need to post the plugin inf file that is not working, as it's impossible to debug a plugin when we have no idea what it contains.
semaphore
No matter what I enter as "Output" pebuilder will not put the .dll into \system32. Not BartPE, not BartPE\pebuilder3110a\, not pebuilder3110a\BartPE, not anything...

I have managed to install a RunAlyzer plugin.

The .inf file for the SpybotSD plugin is as follows:
CODE
; SpybotSD.inf
; PE Builder v3 plug-in INF file for SpybotSD
; oscar 25/oct/2008

[Version]
Signature= "$Windows NT$"

[PEBuilder]
Name="SpybotSD"
Enable=1

[WinntDirectories]
a="Programs\SpybotSD",2

[SourceDisksFolders]
files=a

[Append]
;nu2menu.xml, SpybotSD_nu2menu.xml

[Software.AddReg]
;<<<<<<<<<<<<
0x2,"Sherpya\XPEinit\desktop","Spybot" ,"%SystemDrive%\Programs\spybotsd\SpybotSD_SFX.exe"
0x2,"Sherpya\XPEinit\programs","Malware\Spybot" ,"%SystemDrive%\Programs\spybotsd\SpybotSD_SFX.exe"




It is a moot point now that I have acquired an Ultimate Boot CD 4 Windows with SpybotSD, SuperAntispyware & etc...
Spybot did not detect anything.
SuperAntispyware did not detect anything.

Now we are thinking we might have to write a .bat to rewrite some register and services entries that appear to be compromised, that is to say they have become inaccessible and therefore suspect.
paraglider
[WinntDirectories]
a="Programs\SpybotSD",2

[SourceDisksFolders]
files=a


There is nothing in your plugin to copy files to system32. The:

a="Programs\SpybotSD",2

creates a directory Programs\SpybotSD in the root of the CD, i.e. C:\pebuilder3110a\BartPE\Programs\SpybotSD.

The:

files=a

copies all files from the files subdirectory of your spybot plugin directory, i.e. from C:\pebuilder3110a\plugin\SpybotSD\files to C:\pebuilder3110a\BartPE\Programs\SpybotSD

You should be able to see the file copies happening in the pebuilder.log log file.

All this is documented in the pebuilder help files at:

C:\pebuilder3110a\help\english\pluginformat.htm
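
The mapping described in the post above, as an added example that is not part of the original thread and not PE Builder's own code: a Python sketch that resolves a plugin's [WinntDirectories] and [SourceDisksFolders] entries into source and destination folders, so the copy plan (and whether anything is headed for system32) can be checked before building. It implements only the semantics stated in the post; the function names and the embedded sample INF are constructed here, and directory ids the plugin does not define itself are treated as unresolved.

```python
import ntpath

# Constructed sample: the two relevant sections of the SpybotSD plugin quoted in the thread.
SAMPLE_INF = r'''
[WinntDirectories]
a="Programs\SpybotSD",2

[SourceDisksFolders]
files=a
'''

def parse_inf(text):
    """Return {section_name_lower: [(key, value), ...]}, skipping ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def copy_plan(inf_text, plugin_dir, output_dir):
    """Resolve [SourceDisksFolders] entries to (source_folder, destination_folder) pairs."""
    inf = parse_inf(inf_text)
    # [WinntDirectories]: id="relative\path",flag -> directory created under the output root
    dirs = {}
    for dir_id, value in inf.get("winntdirectories", []):
        rel = value.split(",")[0].strip().strip('"')
        dirs[dir_id.lower()] = ntpath.join(output_dir, rel)
    plan = []
    for folder, dir_id in inf.get("sourcedisksfolders", []):
        dest = dirs.get(dir_id.split(",")[0].strip().lower())
        if dest is None:  # this sketch only resolves ids the plugin defines itself
            raise ValueError(f"directory id {dir_id!r} is not defined in [WinntDirectories]")
        plan.append((ntpath.join(plugin_dir, folder), dest))
    return plan

def targets_system32(plan):
    """True if any destination folder is, or lies inside, a system32 directory."""
    return any("system32" in dest.lower().split("\\") for _, dest in plan)

if __name__ == "__main__":
    for src, dest in copy_plan(SAMPLE_INF, r"C:\pebuilder3110a\plugin\SpybotSD", r"C:\pebuilder3110a\BartPE"):
        print(f"{src} -> {dest}")
```

The resolved plan can be compared against the file copies recorded in pebuilder.log after a build.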
semaphore
I am really tired of screwing around with this POS problem.

I found the OEM system restore disks so I plan on transferring my essential files to an external HD, install a new HD, re-install my programs and get back to work. I will then give the corrupted HD to someone for a forensic examination of what went/is wrong. When I have something further to report back I will.


My takeaway from this exercise is twofold: You can't have enough anti-malware and BartPE plugins are not as PNP as some forum contributors, from both this and other forums, seem to think they are.

Thanks for the help though. I'm glad I found Bart PE, it is a very useful tool.