Nasty Boot Virus won't let me boot SysRescue or any DVD

Discussion in 'ESET NOD32 Antivirus' started by atolica, Mar 31, 2009.

Thread Status:
Not open for further replies.
  1. atolica

    atolica Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    19
    Hi guys

    Regarding sysrescue.

    I have a client who's got a nasty boot virus on her laptop and a few dozen rootkits and other crappy malware. The boot virus won't let me boot off the flash drive using SysRescue, a Windows XP disk or any other bootable disk. The virus lies on the first sector of the hard disk, so I can't start a fresh installation by booting installation disks. The problem is that, it being a laptop, I have to open it and low-format the disk in my main computer as a secondary drive. I don't want that, yet.

    What on earth could I use to allow me to boot off the DVD or flash drive? Nothing I tried so far worked. And when I say nothing, I really mean nothing: VistaPE, WinPE, ESET's WinPE (SysRescue). Rootkits are thriving on that hard disk like it's Mardi Gras.

    I don't have the space to tell you what bugs are on that disk. Taking out the disk from that notebook is the last thing on my agenda.

    Thanks and waiting for your input.
    Atolica
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It sounds to me impossible as the boot process is primarily a matter of BIOS. You should be able to boot from a bootable media regardless of whether a hard disk is attached or not, functional or faulty, infected or clean.
     
  3. atolica

    atolica Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    19
    It's not impossible. Trust me. I consider myself computer proficient, but this is the first time in my life that I have seen such behaviour.

    I ran SysRescue off a flash drive and off a CD I burnt on another identical notebook, both notebooks updated with the latest BIOS version. SysRescue boots as it should from flash drive and DVD on the second one, but hangs forever on the notebook in question at: "Press any key to boot from CD and DVD".

    It's definitely a boot virus that prevents booting anything on that computer.
     
  4. atolica

    atolica Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    19
    The boot process takes place in the first sector of the hard disk, where the MBR is stored (edit: for the hard disk). The BIOS just initiates that process. If that is compromised, nothing will boot. I can't repair the boot sector either, for the reason I gave before.

    In this case, with the HDD plugged in and no way of taking it out, the boot virus interferes with the DVD boot process. It seems that the MBR is accessed first and then the boot file off the DVD.

    See this webpage!
    http://en.wikipedia.org/wiki/Boot_sector
     
    Last edited: Mar 31, 2009
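    Once the drive has been pulled and imaged from a second machine, the first sector atolica describes can be checked offline. The following is an added example, not code from this thread: it parses a 512-byte MBR (bootstrap code, partition table, 0x55AA signature) and compares the bootstrap code against a known-good hash. Both sample sectors and the known-good hash set are constructed here; in practice the reference hash comes from a clean install of the same OS.

```python
"""Offline MBR sanity check for an imaged drive (constructed sample data)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"

# Constructed clean MBR: a standard 16-bit prologue padded with NOPs, a disk
# signature, one active NTFS partition starting at LBA 63, and the 0x55AA mark.
_CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432
_PARTITION = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
CLEAN_MBR = _CLEAN_CODE + b"\x12\x34\x56\x78" + b"\x00\x00" + _PARTITION + bytes(48) + BOOT_SIGNATURE
# Known-good bootstrap hashes would normally come from a reference image of the
# same OS; here the set is seeded from the constructed clean sector (assumption).
KNOWN_GOOD = {hashlib.sha256(_CLEAN_CODE).hexdigest()}
# Constructed "infected" variant: same partition table, different bootstrap code.
TAMPERED_MBR = b"\xeb\x3c\x90" + bytes(437) + CLEAN_MBR[440:]


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap hash, partition entries and signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:  # partition type 0 marks an empty slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": partitions}


def check_mbr(sector: bytes, known_good: set) -> list:
    """Return a list of findings; an empty list means the sector looks untouched."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] not in known_good:
        findings.append("bootstrap code does not match any known-good image")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return findings


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, KNOWN_GOOD) or ["no findings"])
```

    On a real image, read the first 512 bytes of the device or image file and pass them to check_mbr with a hash taken from a trusted install; a mismatch is a reason to rewrite the MBR from clean media before reinstalling.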
  5. pondlife152

    pondlife152 Registered Member

    Joined:
    Apr 23, 2008
    Posts:
    105
    Location:
    UK
    Can't you force the laptop's BIOS to boot directly from the DVD drive? Sometimes there's an option in the BIOS to do this temporarily (something like pressing F2 at the BIOS screen), but failing that, maybe change the boot priority in the BIOS and remove the HD from the list?
     
  6. atolica

    atolica Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    19
    It's not that I can't change the boot priority in the BIOS. I can very well, but when it's supposed to boot, the message "Please press any key to boot..." hangs forever if I boot the DVD, or there are just three blinking dots if I boot off the flash drive.

    So the nasty bugs are making the boot process impossible.

    I think I'm opening that computer today.
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Is the hard disk not easily accessed and removable on that machine? Can you connect the removed hard disk to another machine for clean-up?
     
  8. trencan

    trencan Eset Staff

    Joined:
    Nov 21, 2008
    Posts:
    120
    You can boot a PC from CD/DVD even if there is no HDD inside, so it can't be that the MBR of the HDD is checked first, unless you have set the HDD first in the BIOS boot priority. So I recommend setting CD/DVD first in the boot priority in the BIOS. You can also try unplugging the HDD from the PC and booting the SysRescue CD. If that is still unsuccessful, there is something wrong with your BIOS.
     
  9. The Nodder

    The Nodder Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    296
    Location:
    UK
    The manufacturer of the Hard Drive should have a website with a tool to fix that problem.

    I had much the same problem a few years ago with a Western Digital drive and their downloaded program fixed it.
     
  10. atolica

    atolica Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    19
    Code:
    You can boot PC from CD/DVD also in case you do not have any HDD inside.
    The boot priority in the BIOS is the right one, CD/DVD first. I flashed the BIOS with the latest version.
    That's my next step, unplugging the hard disk. But that wouldn't help me much, as I have to reinstall the OS on the same drive. I have to low-format it.
    Do you know any low-format tools I might use? I've found "Hard Disk Low Level Format Tool 2.36". Let's see how it goes.
     
  11. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Maybe this?

    philby
     
  12. atolica

    atolica Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    19
    Does anyone know how I can create a multiboot bootable DVD with two WinPE distributions on it?

    I searched on TechNet and found some documentation, but I'm having problems creating the Boot Configuration Data (BCD) store file "BCD".

    A guy on msfn.or gave me this script he made for himself, but for some reason it doesn't work at one point.

    Code:
    @echo off
    rem BCDFILE is the path of the store to create. The script as posted never set it,
    rem so every Bcdedit call received an empty /store path; this default is an assumption.
    if not defined BCDFILE set "BCDFILE=%~dp0BCD"
    echo ***   Creating WinPE BCD (boot configuration data) File
    Bcdedit /createstore "%BCDFILE%"
    rem Ramdisk options shared by both OS entries: boot.sdi backs the WIM ramdisk
    Bcdedit /store "%BCDFILE%" /create {ramdiskoptions} /d "Ramdisk options"
    Bcdedit /store "%BCDFILE%" /set {ramdiskoptions} ramdisksdidevice boot
    Bcdedit /store "%BCDFILE%" /set {ramdiskoptions} ramdisksdipath \boot\boot.sdi
    
    rem 32Bit
    rem /create prints "The entry {GUID} was successfully created." so token 3 is the
    rem GUID (English Windows only; the wording differs on localised systems)
    for /f "tokens=1-3" %%a in ('Bcdedit /store "%BCDFILE%" /create /d "Windows 32 Bit" /application osloader') do set guid1=%%c
    Bcdedit /store "%BCDFILE%" /set %guid1% systemroot \Windows
    Bcdedit /store "%BCDFILE%" /set %guid1% detecthal Yes
    Bcdedit /store "%BCDFILE%" /set %guid1% winpe Yes
    Bcdedit /store "%BCDFILE%" /set %guid1% description "Windows 32 Bit"
    Bcdedit /store "%BCDFILE%" /set %guid1% osdevice ramdisk=[boot]\Boot\winpe_x86.wim,{ramdiskoptions}
    Bcdedit /store "%BCDFILE%" /set %guid1% device ramdisk=[boot]\Boot\winpe_x86.wim,{ramdiskoptions}
    
    rem 64Bit
    for /f "tokens=1-3" %%a in ('Bcdedit /store "%BCDFILE%" /create /d "Windows 64 Bit" /application osloader') do set guid2=%%c
    Bcdedit /store "%BCDFILE%" /set %guid2% systemroot \Windows
    Bcdedit /store "%BCDFILE%" /set %guid2% detecthal Yes
    Bcdedit /store "%BCDFILE%" /set %guid2% winpe Yes
    Bcdedit /store "%BCDFILE%" /set %guid2% description "Windows 64 Bit"
    rem loadoptions only takes kernel switches; the ramdisk= part belongs to device/osdevice.
    rem As posted this line also had a stray \" and would fail. DISABLE_INTEGRITY_CHECKS lets
    rem unsigned drivers load in the x64 PE, so drop it if the image only carries signed drivers.
    Bcdedit /store "%BCDFILE%" /set %guid2% loadoptions DISABLE_INTEGRITY_CHECKS
    Bcdedit /store "%BCDFILE%" /set %guid2% osdevice ramdisk=[boot]\Boot\winpe_x64.wim,{ramdiskoptions}
    Bcdedit /store "%BCDFILE%" /set %guid2% device ramdisk=[boot]\Boot\winpe_x64.wim,{ramdiskoptions}
    
    rem Setup Bootmanager: menu timeout and the order of the two entries
    Bcdedit /store "%BCDFILE%" /create {bootmgr} /d "Windows VISTA BootManager"
    Bcdedit /store "%BCDFILE%" /set {bootmgr} timeout 10
    Bcdedit /store "%BCDFILE%" /set {bootmgr} displayorder %guid1% %guid2%
    Bcdedit /store "%BCDFILE%" /enum all
    I have two WinPE bootable ISOs, one ERD Commander and the other a Win32 WinPE. The above example is for x86 and x64 versions.

    This is the normal folder structure on each of the ISOs.

    BOOT
    EFI
    SOURCES
    BOOTMGR

    In the end I have to have a bootable CD/DVD with both unpacked ISOs on it and the Boot Configuration Data (BCD) store file "BCD" inside the BOOT folder, modified with the help of that script.
    Where do the WIM files go? Do I have to copy both of them inside the BOOT folder? They normally reside inside the SOURCES folder, as far as I know.

    Thank you in advance

    Regards
    Atolica
     
  13. pain4gain

    pain4gain Registered Member

    Joined:
    Feb 8, 2007
    Posts:
    54
    Based on the help you're looking for, I don't think this thread should be here...

    In any case, why spend more time than what's needed? Just stick the hard drive in an enclosure, backup the data, wipe it clean, reinstall Windows and charge your client for the extra hours.

    If you were able to get to the Recovery Console you could do....

    FIXMBR \Device\HardDiskN

    Sometimes...you just have to backup and reinstall Windows.
     
  14. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Is the computer still bootable and able to access the network? If so, try running the ESET Online Scanner from http://www.esetonlinescanner.com/ and reporting the results of the scan back in this message thread.

    Regards,

    Aryeh Goretsky
     