[RKinner]

Ice Sword is not showing anything bad. Looks pretty clean.

I suppose the only thing left is to attack the mbr. Always scares me since if it fails we need to be able to boot from a CD to fix it.

There is a very nice CD you can download and burn. Let's do that so we can be sure that we can fix it if it won't boot after the mbr fix:

Hiren's BootCD (Pictures show 10.2 but 11.1 is the newest version)

• *** Please print these instructions ***
  
  • Download Hiren's BootCD 11.1 Zip to the desktop of a clean computer.
  • Extract the zipped HirensBootCD.zip to your desktop.
  • Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
  • Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
  • Insert a blank CD in your drive.
  • Press Start. This will burn the image to disc. After it has completed...
  • Restart your sick computer and boot from the HBCD you created.
    • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
    • If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your CD.
  • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
• When the CD boots choose "DOS BootCD".

At the Hiren's BootCD main menu, select Next and hit Enter.



At the second menu select 1 MBR (Master Boot Record)Tools



In the list of MBR Tools select 5 MBR Save/Restore

Then do what the menu says to Save the MBR to a safe place where you can find it again.

Once you have done that I'll feel better about replacing the mbr.

We have several choices.

We can use Option 1 of the MBR menu and install a Standard MBR

as follows:
In the list of MBR Tools select 1 MBR Work 1.08



This screen will show the hard drive configuration.



Type 5 to Install standard MBR code then hit Enter
Type 1 to select Standard then hit Enter
Type Y then hit Enter to confirm
Type E then hit Enter to exit
Press Ctrl+Alt+Del to restart the machine


We can boot into the Recovery Console and do: fixmbr

This is the easiest way to get into the Recovery Console:

Start, Settings, Control Panel, System, Advanced, Startup and Recovery -Settings, and change the Time to Display the List of Operating Systems from two to 10 seconds. OK

Now when you reboot you will see a black screen which offers you two options, The Recovery Console and your usually Windows XP. Use the up or down arrow to select the Recovery Console and then hit Enter. You will eventually get to a black screen with a prompt. Type:

fixmbr

and hit Enter then

exit and Enter.

It should reboot.



We run MBRCheck and let it install a standard XP mbr

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

Hit Y and Enter

2

choose the appropriate number for your operating system.



We can try mbr -f:

download:

http://www2.gmer.net/mbr/mbr.exe

and save it to your desktop.

Now copy the text between the lines of stars by highlighting and Ctrl + c

****************************************

"%userprofile%\Desktop\MBR.EXE" -f

***********************************************

Start, Run, cmd, OK or Start, All Programs, Accessories, Command Prompt to open a Command Window.

Right click and select Paste. Then hit Enter. When it finishes close the Command Window.

On your desktop should be a file mbr.txt or mbr.log (I forget which). Please open it by double clicking or right click and Open with Notepad and copy the text and paste it into a reply.


If it doesn't boot after the fix we can go back in with Hiren's and choose the restore option.

[Advertisements]

Hi Ron,

As this is not my computer I must first ask my friend if it is ok to proceed with this!
And i need is to back up all the files first..(any quick ways of doing so?)
I am very nervous about doing this. If the logs have appeared clean are we sure we need to do that?!
And because the mbr or gmer scans are not working does that mean that if there is an infection that it's hidden very well in the computer.

In your opinion what is the best course of action.(I know that it is always possible for something to go wrong!)

Regards

[brodigan]

Hi Ron,

As this is not my computer I must first ask my friend if it is ok to proceed with this!
And i need is to back up all the files first..(any quick ways of doing so?)
I am very nervous about doing this. If the logs have appeared clean are we sure we need to do that?!
And because the mbr or gmer scans are not working does that mean that if there is an infection that it's hidden very well in the computer.

In your opinion what is the best course of action.(I know that it is always possible for something to go wrong!)

Regards

[RKinner]

I'm not really sure what to do. I hate messing with mbr but gmer really should run on a clean system and mbr.exe and mbrcheck both think it's dirty but if it's a root kit it's a very good one. There's no sign of it with any of our other tools.

Have we tried running GMER in Safe Mode?

Ron

[brodigan]

No we haven't tried it in safe mode.
If you could walk me through that it would be great.

[RKinner]

Reboot, when you see the maker's log, hear a beep or it mentions F8, start tapping the F8 key slowly. Keep tapping until you see the Safe Mode menu. Choose the top option. Log on with your usual login. Then run GMER.

[brodigan]

OK, I have logged on in Safe Mode(as administrator. This option has not been available to me on normal start up. Is this correct?) now so is it fine to go again and download Gmer as it does not appear in screen?

[RKinner]

If you chose the top option then you can't download because there is no networking. Gmer is on your desktop - not that of Administrator so you should have logged in as your usual login. You can reboot and try again and choose Safe Mode with Networking (option 3 I think) or login in Safe Mode with your usual login or you can move it from the good PC to the bad.

[brodigan]

Hi Ron,

I have completed a normal Gmer scan (about an hour)and it tells me that there has been no system modification.
However, in safe mode everything on screen is bigger and I am unable to scroll down in Gmer. I can only see enough of the Scan button to press it and the OK and Cancel buttons. It is working fine, I just can't scroll down to hit the Save button.

Is there any place else that I can get the gmer scan file?

Regards,

[RKinner]

OK something is running in normal mode that is preventing GMER from running. Start, Run, mconfig, OK then select Diagnostic Boot and reboot. Cancel msconfig if it comes up then try running GMER again.

(I have written the gmer guy to tell him about the Safe Mode can't Save problem. No idea if he will respond tho.)

Ron

[brodigan]

Hi Ron,

I think it may be possible to save the gmer scan. It's just that the graphics on safe mode are too big and it doesn't allow me to scroll down to the save button. Gmer seems to be running normally though...
Is there any way in safe mode that I can see the whole of the Gmer window? Like make the resolution higher or something?
The save button is there, I just cannot get down to it because the bottom section of the gmer box is hidden beneath?

[brodigan]

Ron,

One more thing..
When I am completing;

Start, Run, mconfig, OK then select Diagnostic Boot and reboot. Cancel msconfig if it comes up then try running GMER again.

Is it in Safe mode or Normal mode that I do this?

Regards

[RKinner]

Doesn't matter which when you run msconfig but the idea is to get gmer to run in regular mode so reboot after you run msconfig and then try gmer again.

Ron

[brodigan]

Hi Ron,

I have just completed a gmer scan in diagnostic boot mode.
The ark.txt document that I have saved is blank and gmer tells me that no system modifications have been found.

Please advise on next step.

[RKinner]

We could just declare it clean and let it go at that. It would be interesting to know what was causing GMER to choke but it would take a while.

First step would be to go back into msconfig, check normal boot then under Startup, uncheck everything and then under Services, check Hide Microsoft Services then uncheck everything and OK and reboot. If GMER will run then you would go back in and turn a bunch on say all the services and try it again. Eventually you would find that turning one or maybe two services or startup items is/are the cause.

I just wish I knew why the mbr output looks so bad. Can you find mbr.log - should be on your desktop and copy the text and paste it into a reply.

Ron

[brodigan]

Hi,

How do I get back to my normal format instead of diagnostic so that I can use the internet?
msconfig again and then normal and reboot?