my query concerns how to use cleaning tools rather than diagnosis.
i’m on win xp - i updated my free avast to the new version and the first auto scan threw up alert for whistler virus
my pc has one internal hard drive (drive number 0) and several other external usb drives - when i ran MBRCheck.exe it showed whistler virus in the mbr of all the drives
nothing i tried would clean the mbr of the drives until i ran BTKR_RunBox.exe which successfully replaced the infected mbr on the internal drive
i have no experience of using command line, and my query is how to get BTKR_RunBox.exe to repair the mbr in the usb drives?
i have BTKR_RunBox.exe and remover.exe on my desktop - if i run the following script (by saving it on desktop as a .cmd file and then clicking on it):
@echo off
start remover.exe fix \\.\PhysicalDrive5
exit
the result i get is:-
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com
Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000
Restoring boot code at \\.\PhysicalDrive5...
ATA_Read(): DeviceIoControl() ERROR 50
ERROR: Can't read first sector of the disk.
Done;
Press any key to quit...
does anyone know how i get bootkit remover to fix the usb drives? it seems the perfect tool to deal with mbr infection
as an alternative i tried reformatting one of the usb drives using the “format” option in windows explorer, but that didn’t touch the mbr - is there a better way to reformat a usb hard drive that will re-write the mbr also?
1. Run MBRCheck.exe
2. Wait until you see the following line: Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
3. Please push the ‘Y’ key and then press Enter
4. When the program asks you Enter your choice: enter 2 and press the Enter key
5. Now the program will ask you “Enter the physical disk number to fix (0-99, -1 to cancel):”
6. Enter 5 and press the Enter key.
7. The program will show Available MBR codes:, followed by a list of operating systems. Please enter [ 1] Windows XP, and then press Enter.
8. The program will prompt for confirmation. Type YES and press Enter (Must type the full word, YES). You will be informed if it successfully wrote a new MBR code!
9. A text file will be saved to your desktop
10. Paste that report into your next post
11. Restart your PC.
unfortunately mbrcheck doesn’t fix any of the drives - it says it has but when you run it again it shows the same infections - i’d already tried it (& i’ve just tried it again)
the only tool that worked is BTKR_RunBox - it successfully, and very easily, replaced the infected mbr on drive number 0 - the problem is i don’t know how to get it to fix the other (usb) drives
i ran the kaspersky - it took for ever, because it kept stopping to ask what to do when it found something - it didn’t find anything that other progs hadn’t already found (i have a few files on my pc which give false positives in all anti-virus progs)
i now only have the whistler virus in the mbr of my non-bootable, usb hdd’s - as far as i can make out, it isn’t a threat there (as long as i don’t boot up from them), so, since i can’t find any way of re-writing those mbr’s, i’m going to ignore the presence of the virus
i thought i’d outline what i did to remove the virus from my internal, bootable hdd, just for anyone else whose avast tells them they have whistler
1. download and run mbrcheck to confirm it’s in the bootable drive(s)
2. download and run BTKR_RunBox to re-write the mbr on those drives
it was, in fact, extremely easy
unfortunately all the mbr fixing tools seem to be command line, which i know nothing at all about, but which, i think, doesn’t work over usb connections - so you can’t clean the mbr of usb drives, but if they’re non-bootable (no OS installed on them) then i don’t think it matters (fingers crossed!)
thanks to essexboy, and everyone else for all the help!
Just thinking out loud here about things I might try.
Try installing an operating system on the USB drives. Since you have already tried the format route, I assume they do not have any important files on them. This should rewrite the MBR. Then reformat to get rid of the operating system. It may leave an MBR behind, but at least it should be clean.
Microsoft has a free piece of software to make an installation usb drive. By making the drives bootable installation drives, the MBR may also be overwritten. I’ve done this a couple of times on USB thumb drives and just reformatted to recycle the drive.
Disassemble the drives and install them in your system. Unplug your primary drive, boot from an OS install disc and install the OS. Do this for each drive. Then remove the drives and reconnect your original primary drive. Put the externals back together and reformat. Any MBR left behind should be clean.
These are just brainstorming ideas, but one of them may save the drives. I would be hesitant to use them for anything knowing they are dirty.
thanks for the brainstorms gentle4ug! they sound like really good ideas!
however, i’ve now discovered i was talking rubbish (“as usual” my wife would say…) re command line progs and usb connections - i found a prog called “testdisc” which does re-write the mbr of an external usb hdd.
i used it on 2 drives - the first i reformatted - mbrcheck still showed whistler still there - so i then rewrote mbr with testdisc & mbrcheck showed “unknown mbr code”
the 2nd drive i didn’t bother re-formatting, just backed up data, & used testdisc, after which mbrcheck showed “mbr code faked!” - i assume that means no whistler
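
Added example (not part of the thread, and not code from MBRCheck, Bootkit Remover or any other tool named in it): a Python sketch that parses sector 0 of a disk and compares a copy saved before an MBR rewrite with one saved after, confirming that the boot code changed while the partition table was left alone, which is also why a volume format leaves the MBR boot code untouched. The function names and the sample sectors are constructed for illustration; the layout is the standard 512-byte MBR.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0-439: boot code (440-443 hold the disk signature)
PART_TABLE = slice(446, 510)  # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"        # bytes 510-511
ENTRY = "<B3xB3xII"           # status, CHS, type, CHS, start LBA, sector count

def read_sector0(path):
    # path: a saved sector image, or a raw device opened with administrator rights
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)

def parse_mbr(sector):
    if len(sector) != SECTOR_SIZE:
        raise ValueError("need exactly one 512-byte sector")
    parts = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack(ENTRY, raw)
        if ptype:  # type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIG,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def compare_mbr(before, after):
    a, b = parse_mbr(before), parse_mbr(after)
    return {"boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
            "partition_table_kept": before[PART_TABLE] == after[PART_TABLE],
            "signature_ok": b["signature_ok"]}

def build_sample(code_byte):
    # Constructed test sector: filler boot code plus one NTFS-type (0x07) partition
    s = bytearray(SECTOR_SIZE)
    s[:BOOT_CODE_LEN] = bytes([code_byte]) * BOOT_CODE_LEN
    s[440:444] = struct.pack("<I", 0x12345678)
    s[446:462] = struct.pack(ENTRY, 0x00, 0x07, 63, 1000000)
    s[510:512] = BOOT_SIG
    return bytes(s)

if __name__ == "__main__":
    # Constructed "before" and "after" sectors stand in for two saved copies of sector 0
    print(compare_mbr(build_sample(0xAA), build_sample(0x90)))
```

A changed hash only shows that the boot code was replaced; whether the new code is clean still has to be judged against a known-good copy for that operating system.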