Nasty Boot Virus won't let me boot SysRescue or any DVD
atolica
March 31st, 2009, 05:21 PM
Hi guys
Regarding sysrescue.
I have a client who's got a nasty boot virus on her laptop and a few dozen rootkits and other crappy malware. The boot virus won't let me boot off the flash drive using SysRescue, the Windows XP disk or any other bootable disk. The virus lies on the first sector of the hard disk, so I can't start a fresh installation by booting installation disks. The problem is that, being a laptop, I have to open it and low-format the disk in my main computer as a secondary drive. I don't want that, yet.
What on earth could I use to allow me to boot off the DVD or flash drive? Nothing I tried so far worked. And when I say nothing, I really mean nothing. VistaPE, WinPE, ESET's WinPE (SysRescue). Rootkits are thriving on that hard disk like it's Mardi Gras.
I don't have the space to tell you what bugs are on that disk. Taking the disk out of that notebook is the last thing on my agenda.
Thanks and waiting for your input.
Atolica
Marcos
March 31st, 2009, 05:26 PM
It sounds impossible to me, as the boot process is primarily a matter of the BIOS. You should be able to boot from bootable media regardless of whether a hard disk is attached or not, functional or faulty, infected or clean.
atolica
March 31st, 2009, 05:35 PM
It's not impossible. Trust me. I consider myself computer proficient, but this is the first time in my life that I have seen such behaviour.
I ran SysRescue off a flash drive and off a CD I burnt on another identical notebook, both notebooks updated with the latest BIOS version. SysRescue boots as it should, from flash drive and DVD, on the second one, but hangs forever on the notebook in question at: "Press any key to boot from CD and DVD".
It's definitely a boot virus that prevents booting anything on that computer.
atolica
March 31st, 2009, 05:39 PM
> It sounds to me impossible as the boot process is primarily a matter of BIOS.
The boot process is taking place in the first sector of the hard disk, where the MBR is stored (edit: for the hard disk). The BIOS just initiates that process. If that is compromised, nothing will boot. I can't repair the boot sector either, for the reason I gave before.
In this case, with the HDD plugged in and no way of taking it out, the boot virus interferes with the DVD boot process. It seems that the MBR is accessed first and then the boot file off the DVD.
See this webpage!
http://en.wikipedia.org/wiki/Boot_sector
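A defender-side check for the MBR this post is about, added here as an example and not code from the forum thread: it parses a raw first sector (as dumped from a rescue environment) and compares the boot code against a known-good hash taken from a clean machine. The sector bytes and the baseline hash below are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot loader code the BIOS jumps to
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the code
SIGNATURE_OFF = 510      # bytes 510..511 must be 0x55AA for a valid MBR
SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot-code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, LBA count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[SIGNATURE_OFF:] == SIGNATURE}


def check_mbr(sector: bytes, known_good_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if info["boot_code_sha256"] != known_good_sha256:
        findings.append("boot code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector (not a real disk image): one NTFS-type partition
    starting at LBA 63, three empty entries, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    first = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 204800)
    return code + first + bytes(48) + SIGNATURE


# Constructed stand-in for the clean machine's boot code and its baseline hash.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
CLEAN_HASH = hashlib.sha256(CLEAN_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()
```

On a real case, dump the first sector of the suspect disk from the rescue environment and pass those bytes to check_mbr together with a hash recorded from the identical, clean notebook.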
pondlife152
March 31st, 2009, 06:01 PM
Can't you force the laptop's BIOS to boot directly from the DVD drive? Sometimes there's an option in the BIOS to do this temporarily (something like pressing F2 at the BIOS screen), but failing that, maybe change the boot priority in the BIOS and remove the HD from the list?
atolica
March 31st, 2009, 06:54 PM
It's not that I can't change the boot priority in the BIOS. I can very well, but when it is supposed to boot, the message "Please press any key to boot..." hangs forever if I boot from the DVD, or I get just three blinking dots if I boot off the flash drive.
So the nasty bugs are making the boot process impossible.
I think I'm opening that computer today.
Meriadoc
March 31st, 2009, 08:03 PM
Isn't the hard disk easily accessed and removable on that machine? Can you connect the removed hard disk to another machine for clean-up?
trencan
April 1st, 2009, 01:09 AM
> The boot process is taking place in the first sector of the hard-disk, where the MBR is stored (edit: for the harddisk). The BIOS just initiates that process. If that is compromised, nothing will boot. I can't repair the boot sector either for the reason I gave before.
> In this case, the hdd being plugged in and no way of taking it out, the boot virus interferes with the dvd boot process. It seems that the MBR is accessed first and then the boot file off the dvd.
> See this webpage!
> http://en.wikipedia.org/wiki/Boot_sector
You can boot a PC from CD/DVD even when you do not have any HDD inside, so it can't be that the MBR of the HDD is checked first, unless you have set the HDD in first place in the BIOS boot priority. So I recommend setting CD/DVD first in the BIOS boot priority. You can also try unplugging the HDD from the PC and booting the SysRescue CD. If that is still unsuccessful, then there is something wrong with your BIOS.
The Nodder
April 1st, 2009, 04:34 AM
The manufacturer of the hard drive should have a website with a tool to fix that problem.
I had much the same problem a few years ago with a Western Digital drive, and their downloaded program fixed it.
atolica
April 1st, 2009, 05:25 AM
> You can boot PC from CD/DVD also in case you do not have any HDD inside.
The boot priority in the BIOS is the right one, CD/DVD first. I flashed the BIOS with the latest version.
That's my next step, unplugging the hard disk. But that wouldn't help me much, as I have to reinstall the OS on the same drive. I have to low-format it.
Do you know any low-format tools I might use? I've found "Hard Disk Low Level Format Tool 2.36". Let's see how it goes.
philby
April 1st, 2009, 06:28 AM
> Do you know any low format tools I might use
Maybe this (http://www.killdisk.com/)?
philby
atolica
April 3rd, 2009, 07:21 AM
Does anyone know how I can create a multiboot bootable DVD with two WinPE distributions on it?
I searched on TechNet and found some documentation, but I'm having problems creating the Boot Configuration Data (BCD) store file "BCD".
A guy on msfn.or gave me this script he made for himself, but for some reason it doesn't work at one point.
rem %BCDFILE% must point at the BCD store to build; default to BOOT\BCD next to this script if not set
if not defined BCDFILE set "BCDFILE=%~dp0BOOT\BCD"
echo *** Creating WinPE BCD (boot configuration data) File
Bcdedit /createstore "%BCDFILE%"
rem Shared RAM-disk settings referenced by both boot entries (boot.sdi lives in the BOOT folder)
Bcdedit /store "%BCDFILE%" /create {ramdiskoptions} /d "Ramdisk options"
Bcdedit /store "%BCDFILE%" /set {ramdiskoptions} ramdisksdidevice boot
Bcdedit /store "%BCDFILE%" /set {ramdiskoptions} ramdisksdipath \boot\boot.sdi
rem 32Bit
rem /create prints "The entry {GUID} was successfully created." - the third token is the GUID (English locale assumed)
for /f "tokens=1-3" %%a in ('Bcdedit /store "%BCDFILE%" /create /d "Windows 32 Bit" /application osloader') do set guid1=%%c
Bcdedit /store "%BCDFILE%" /set %guid1% systemroot \Windows
Bcdedit /store "%BCDFILE%" /set %guid1% detecthal Yes
Bcdedit /store "%BCDFILE%" /set %guid1% winpe Yes
Bcdedit /store "%BCDFILE%" /set %guid1% description "Windows 32 Bit"
Bcdedit /store "%BCDFILE%" /set %guid1% osdevice ramdisk=[boot]\Boot\winpe_x86.wim,{ramdiskoptions}
Bcdedit /store "%BCDFILE%" /set %guid1% device ramdisk=[boot]\Boot\winpe_x86.wim,{ramdiskoptions}
rem 64Bit
for /f "tokens=1-3" %%a in ('Bcdedit /store "%BCDFILE%" /create /d "Windows 64 Bit" /application osloader') do set guid2=%%c
Bcdedit /store "%BCDFILE%" /set %guid2% systemroot \Windows
Bcdedit /store "%BCDFILE%" /set %guid2% detecthal Yes
Bcdedit /store "%BCDFILE%" /set %guid2% winpe Yes
Bcdedit /store "%BCDFILE%" /set %guid2% description "Windows 64 Bit"
rem loadoptions takes only the kernel switch; the original line wrongly mixed a ramdisk= path and a stray \" into it
Bcdedit /store "%BCDFILE%" /set %guid2% loadoptions DISABLE_INTEGRITY_CHECKS
Bcdedit /store "%BCDFILE%" /set %guid2% osdevice ramdisk=[boot]\Boot\winpe_x64.wim,{ramdiskoptions}
Bcdedit /store "%BCDFILE%" /set %guid2% device ramdisk=[boot]\Boot\winpe_x64.wim,{ramdiskoptions}
rem Setup Bootmanager
Bcdedit /store "%BCDFILE%" /create {bootmgr} /d "Windows VISTA BootManager"
Bcdedit /store "%BCDFILE%" /set {bootmgr} timeout 10
Bcdedit /store "%BCDFILE%" /set {bootmgr} displayorder %guid1% %guid2%
Bcdedit /store "%BCDFILE%" /enum all
I have two WinPE bootable ISOs. One is ERD Commander and the other one a Win32 WinPE. The above example is for x86 and x64 versions.
This is the normal folder structure on each of the ISOs.
BOOT
EFI
SOURCES
BOOTMGR
In the end I have to have a bootable CD/DVD with both unpacked ISOs on it and the Boot Configuration Data (BCD) store file "BCD" inside the BOOT folder, modified with the help of that script.
Where do the WIM files go? Do I have to copy both of them inside the BOOT folder? As far as I know, they normally reside inside the SOURCES folder.
Thank you in advance
Regards
Atolica
pain4gain
April 4th, 2009, 01:31 AM
Based on the help you're looking for, I don't think this thread should be here....
In any case, why spend more time than what's needed? Just stick the hard drive in an enclosure, back up the data, wipe it clean, reinstall Windows and charge your client for the extra hours.
If you were able to get to the Recovery Console, you could do....
FIXMBR \Device\HardDiskN
Sometimes... you just have to back up and reinstall Windows.
agoretsky
April 6th, 2009, 07:29 PM
Hello,
Is the computer still bootable and able to access the network? If so, try running the ESET Online Scanner from http://www.esetonlinescanner.com/ and report the results of the scan back in this message thread.
Regards,
Aryeh Goretsky