
FIXMBR doesn't fix after ROOTKITS attack


  • This topic is locked
104 replies to this topic

#1 mickcycle

mickcycle

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:06:05 PM

Posted 21 November 2012 - 03:00 PM

Hi, I'm a newbie here.
I recently had a Rootkits attack. I seem to have managed to get rid of all malware components using advice on this site and others. The main anti-malware program I haven't employed is ComboFix. The only remaining part of the problem is that the MBR seems corrupted. I can still enter Windows successfully and most programs seem to work OK. The main noticeable manifestation is that recently if I download a new program, it won't do anything: run, install, unzip etc.

I have an XP desktop, Vista laptop and EHD which all became infected but I am concentrating on repairing the XP desktop and obviously keeping them separate.

When I use the Windows XP recovery console and type in FIXMBR it tells me that it is an “Invalid or non-standard” MBR and when I ask it to fix it anyway, it tells me that it has done so successfully.
However, if I immediately type FIXMBR again I get the same “Invalid or non-standard” MBR message. So, clearly it is not working or its work is being immediately undone and my Windows problems remain.

My main question is
1. How can I fix the MBR?
2. Will running Combofix possibly fix this problem?

I hope you can help.

Best wishes, Mick



#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,508 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:05 PM

Posted 23 November 2012 - 09:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Let's start with these scans.

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#3 mickcycle

mickcycle
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:06:05 PM

Posted 23 November 2012 - 11:48 AM

Hi Nasdaq,
Great that you will help.
Now, as I said, if I download anything I cannot run it.
However, I have previously downloaded and run TDSS killer and aswMBR. So I have outputs from TDSS killer and at least two from aswMBR.
I include the most recent concise TDSS Killer and the most recent aswMBR below and attach the corresponding MBR.dat zipped.

Thanks, Mick

TDSS Killer
17:27:07.0203 4048 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
17:27:07.0906 4048 ============================================================
17:27:07.0906 4048 Current date / time: 2012/11/07 17:27:07.0906
17:27:07.0906 4048 SystemInfo:
17:27:07.0906 4048
17:27:07.0906 4048 OS Version: 5.1.2600 ServicePack: 3.0
17:27:07.0906 4048 Product type: Workstation
17:27:07.0906 4048 ComputerName: COMPUTERNAME
17:27:07.0906 4048 UserName: Mick
17:27:07.0906 4048 Windows directory: C:\WINDOWS
17:27:07.0906 4048 System windows directory: C:\WINDOWS
17:27:07.0906 4048 Processor architecture: Intel x86
17:27:07.0906 4048 Number of processors: 1
17:27:07.0906 4048 Page size: 0x1000
17:27:07.0921 4048 Boot type: Normal boot
17:27:07.0921 4048 ============================================================
17:27:12.0406 4048 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
17:27:12.0453 4048 Drive \Device\Harddisk1\DR3 - Size: 0xFC800000 (3.95 Gb), SectorSize: 0x200, Cylinders: 0x203, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
17:27:12.0453 4048 ============================================================
17:27:12.0453 4048 \Device\Harddisk0\DR0:
17:27:12.0453 4048 MBR partitions:
17:27:12.0453 4048 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x116165E8
17:27:12.0468 4048 \Device\Harddisk0\DR0\Partition2: MBR, Type 0xB, StartLBA 0x11616666, BlocksNum 0x140245B
17:27:12.0468 4048 \Device\Harddisk1\DR3:
17:27:12.0468 4048 MBR partitions:
17:27:12.0468 4048 \Device\Harddisk1\DR3\Partition1: MBR, Type 0x7, StartLBA 0xC031F2EB, BlocksNum 0x19CD16CD
17:27:12.0468 4048 ============================================================
17:27:12.0562 4048 C: <-> \Device\Harddisk0\DR0\Partition1
17:27:12.0578 4048 D: <-> \Device\Harddisk0\DR0\Partition2
17:27:12.0578 4048 ============================================================
17:27:12.0578 4048 Initialize success
17:27:12.0593 4048 ============================================================
19:15:30.0312 2704 Deinitialize success


aswMBR

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-12 03:47:38
-----------------------------
03:47:38.093 OS Version: Windows 5.1.2600 Service Pack 3
03:47:38.093 Number of processors: 1 586 0x605
03:47:38.093 ComputerName: COMPUTERNAME UserName: Mick
03:47:51.343 Initialize success
03:47:51.734 AVAST engine defs: 12103100
03:48:18.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
03:48:18.500 Disk 0 Vendor: WDC_WD1600JS-22MHB0 02.01C03 Size: 152627MB BusType: 3
03:48:18.546 Disk 0 MBR read successfully
03:48:18.562 Disk 0 MBR scan
03:48:18.593 Disk 0 unknown MBR code
03:48:18.640 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 142380 MB offset 63
03:48:18.656 Disk 0 Partition - 00 0F Extended LBA 10244 MB offset 291595815
03:48:18.703 Disk 0 Partition 2 00 0B FAT32 MSDOS5.0 10244 MB offset 291595878
03:48:18.812 Disk 0 scanning sectors +312576705
03:48:18.921 Disk 0 scanning C:\WINDOWS\system32\drivers
03:48:46.375 Service scanning
03:49:32.156 Modules scanning
03:49:41.671 Disk 0 trace - called modules:
03:49:41.687 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys videX32.sys
03:49:41.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a2c6030]
03:49:41.687 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000067[0x8a32b338]
03:49:41.687 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a273d98]
03:49:50.421 AVAST engine scan C:\WINDOWS
03:50:46.421 AVAST engine scan C:\WINDOWS\system32
03:59:33.125 AVAST engine scan C:\WINDOWS\system32\drivers
04:00:12.296 AVAST engine scan C:\Documents and Settings\Mick
05:42:04.000 File: C:\Documents and Settings\Mick\My Documents\Downloads\ViaBrowser\freeBasic\FBManual\fbedit\Tools\MakeApi.exe **INFECTED** Win32:MalOb-EI [Cryp]
05:45:40.984 File: C:\Documents and Settings\Mick\My Documents\freeBasic\Editors\fbedit\Tools\MakeApi.exe **INFECTED** Win32:MalOb-EI [Cryp]
07:45:59.156 AVAST engine scan C:\Documents and Settings\All Users
08:15:36.281 Scan finished successfully
10:05:15.031 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
10:05:15.062 The log file has been saved successfully to "C:\aswMBR121112.txt"

Attached Files

  • Attached File  MBR.zip   505bytes   8 downloads


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,508 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:05 PM

Posted 23 November 2012 - 02:02 PM

Your TDSSKiller log is not complete. I take it that it's not reporting an infection.

In your aswMBR log this is being reported as Infected.

05:42:04.000 File: C:\Documents and Settings\Mick\My Documents\Downloads\ViaBrowser\freeBasic\FBManual\fbedit\Tools\MakeApi.exe **INFECTED** Win32:MalOb-EI [Cryp]
05:45:40.984 File: C:\Documents and Settings\Mick\My Documents\freeBasic\Editors\fbedit\Tools\MakeApi.exe **INFECTED** Win32:MalOb-EI [Cryp]


Do these belong to the Fbedit tool, http://sourceforge.net/projects/fbedit/ ?

Did you install this tool recently?
Are you still using it?

===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Post the log if you can.

#5 mickcycle

mickcycle
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:06:05 PM

Posted 24 November 2012 - 07:42 PM

Hi Nasdaq,
I downloaded Combofix OK but like every other (anti-malware) program I've downloaded recently it would not run when I double click on it, or right click and try “run as”, or from the command prompt. I even booted into the Windows recovery console and tried it from the C: prompt there and it would not work.

Then I decided to try an XP option called “Safe Mode with Command Prompt” and when I tried that, Combofix started to work. I decided to abort it because I realised that I may also now be able to run an up-to-date TDSSkiller and aswMBR, which proved true.
TDSSkiller still shows no infections unless I ask it to “verify file digital signatures”, in which case it reports numerous “UnsignedFile.Multi.Generic”. If I try to quarantine them it claims to do so but they appear in the next scan too.

With aswMBR here is the new log:

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-24 16:15:48
-----------------------------
16:15:48.281 OS Version: Windows 5.1.2600 Service Pack 3
16:15:48.281 Number of processors: 1 586 0x605
16:15:48.296 ComputerName: COMPUTERNAME UserName: Mick
16:15:50.453 Initialize success
16:15:58.781 AVAST engine defs: 12103100
16:16:05.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:16:05.296 Disk 0 Vendor: WDC_WD1600JS-22MHB0 02.01C03 Size: 152627MB BusType: 3
16:16:05.312 Disk 0 MBR read successfully
16:16:05.343 Disk 0 MBR scan
16:16:07.703 Disk 0 Windows XP default MBR code
16:16:07.750 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 142380 MB offset 63
16:16:09.750 Disk 0 Partition - 00 0F Extended LBA 10244 MB offset 291595815
16:16:09.796 Disk 0 Partition 2 00 0B FAT32 MSDOS5.0 10244 MB offset 291595878
16:16:10.359 Disk 0 scanning sectors +312576705
16:16:11.484 Disk 0 scanning C:\WINDOWS\system32\drivers
16:16:52.171 Service scanning
16:17:25.796 Modules scanning
16:17:34.640 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
16:17:35.390 Disk 0 trace - called modules:
16:17:35.437 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys videX32.sys
16:17:35.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a283030]
16:17:35.500 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\0000006d[0x8a2d09e8]
16:17:35.515 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a298940]
16:17:37.890 AVAST engine scan C:\WINDOWS
16:18:02.890 AVAST engine scan C:\WINDOWS\system32
16:27:03.671 AVAST engine scan C:\WINDOWS\system32\drivers
16:27:37.515 AVAST engine scan C:\Documents and Settings\Mick
19:09:36.140 AVAST engine scan C:\Documents and Settings\All Users
19:35:17.093 Scan finished successfully
21:01:10.734 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
21:01:10.765 The log file has been saved successfully to "C:\aswMBR121124.txt"

Note in particular the lines
16:17:25.796 Modules scanning
16:17:34.640 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**

I think this may be important because my initial Rootkits were found in these System 32 drivers and it was very persistent. Unlike every other infection I got I couldn't get rid of this one.
I downloaded a new dxgthk driver and tried that but it didn't help, aswMBR still found it suspicious.


To answer your concerns about the previously sent aswMBR
>>>>>> Do these belong to the Fbedit tool, http://sourceforge.net/projects/fbedit/ ?

I think I did download them from that source.

>>>>>> Did you install this tool recently?
No – I installed it about two years ago

>>>>>> Are you still using it?

No, I haven't used it in 2 years. I deleted the entire FreeBasic folder soon after I found this infection 10 days ago.

So if all that doesn't change anything, I'm preparing to go ahead with Combofix.
Two potential problems.
1. In this “Safe Mode with Command Prompt” I can't go online so it won't be able to get the latest definitions (that was also true of TDSSkiller and aswMBR above).

2. It gives me a warning that AVG and Avast are both active. I don't think they are as they don't seem to appear in the Task Manager processes list (in fact there is nothing with initial A).

Please let me know what you think.

Best wishes, Mick

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,508 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:05 PM

Posted 25 November 2012 - 09:44 AM

Run Combofix in “Safe Mode with Command Prompt”

Ignore all the remarks by ComboFix.

Post the log for my review.

Let me know if you have access to another good computer that you can use to download programs.

#7 mickcycle

mickcycle
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:06:05 PM

Posted 25 November 2012 - 09:50 AM

Hi nasdaq,
I'm afraid I've seriously messed up.

I went into Combofix to see whether it was still saying that the anti-virus programs were running when the task manager wasn't and then decided to get out but there was no cancel option. So I clicked the close tab at the top right of window but it seemed to continue. I assumed Combofix was starting to run so panicked and quickly switched off the machine.

Unfortunately, now Windows won't start in any mode.
Even the Windows recovery disk won't boot.


I can access the computer with Linux or Kaspersky Rescue Disks but they can't see anything on the C: boot partition. They can recognize the D: recover partition but that only seems to have factory settings and drivers on it. It may be possible to paste items onto the c drive with these.
The MS Windows Defender Offline does work but I suspect it is only scanning the Recover drive
I can also boot with a floppy but it doesn't even recognise the Boot drive only the Recover drive.

I'm looking into other options but I'm not hopeful.

Could you please suggest anything I can do.

Best wishes, Mick

#8 mickcycle

mickcycle
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:06:05 PM

Posted 25 November 2012 - 09:58 AM

Sorry nasdaq,
I was just posting when you posted and I didn't see your reply first.
I do have another computer, a laptop which was also infected. I am tending to use Ubuntu on it but can download programs to it even into Windows Vista.

Best wishes, Mick

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,508 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:05 PM

Posted 25 November 2012 - 10:22 AM

I'm referring this problem to some computer experts.
I hope someone can help. It's no longer a malware issue.

Stay tuned, someone will contact you on this topic.

#10 mickcycle

mickcycle
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:06:05 PM

Posted 25 November 2012 - 10:49 AM

Hi nasdaq,
Thanks for your help. Hopefully I'll get back to the point of being able to use ComboFix again.

Best wishes, Mick

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,200 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:05 PM

Posted 01 December 2012 - 03:36 AM

Hello, and sorry for the delay.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
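
Added example, not part of the post above and not code from any tool named in this thread: a Python parser for the kind of 512-byte `mbr.bin` dump that the `dd` command produces, checking the boot signature, the four partition entries and a hash of the boot code. The two sample sectors are constructed from the partition values in the TDSSKiller and aswMBR logs earlier in the topic; the boot code bytes are placeholders, and the extended partition's length, the Harddisk1 status byte and all function names are assumptions.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # bytes 440-445 hold the per-disk signature, so they are not hashed
TABLE_OFFSET = 446    # four 16-byte partition entries, then 0x55 0xAA
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0F: "Extended LBA"}


def parse_mbr(sector, disk_sectors=None):
    """Parse a 512-byte MBR dump into boot-code hash, table entries and findings."""
    if len(sector) != SECTOR:
        raise ValueError("expected 512 bytes, got %d" % len(sector))
    findings, entries = [], []
    if sector[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = raw[0], raw[4]
        start, count = struct.unpack_from("<II", raw, 8)  # start LBA, sector count
        if ptype == 0x00:                                  # unused slot
            continue
        if status not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02X" % (i + 1, status))
        if disk_sectors is not None and start + count > disk_sectors:
            findings.append("entry %d: ends past the end of the disk" % (i + 1))
        entries.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                        "type_name": TYPE_NAMES.get(ptype, "unknown"),
                        "start_lba": start, "sectors": count})
    ordered = sorted(entries, key=lambda e: e["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            findings.append("entries %d and %d overlap" % (a["index"], b["index"]))
    if sum(e["active"] for e in entries) > 1:
        findings.append("more than one active partition")
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "entries": entries, "findings": findings}


def boot_code_matches(sector, reference_sha256):
    """True if the boot code hashes to the value taken from a known-good dump."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest() == reference_sha256


def build_sample(entries, boot_code=b"\x90" * BOOT_CODE_LEN):
    """Constructed input: placeholder boot code plus (status, type, lba, count) rows."""
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", ty, b"\0\0\0", lba, n)
                     for st, ty, lba, n in entries).ljust(64, b"\0")
    return boot_code + b"\0" * 6 + table + b"\x55\xaa"


# Constructed from the logs: disk sizes and partition values as reported there.
DISK0_SECTORS = 0x25433D6000 // 0x200
DISK1_SECTORS = 0xFC800000 // 0x200
DISK0 = build_sample([(0x80, 0x07, 0x3F, 0x116165E8),
                      (0x00, 0x0F, 291595815, 20980890)])   # length assumed
DISK1 = build_sample([(0x00, 0x07, 0xC031F2EB, 0x19CD16CD)])  # status byte assumed

if __name__ == "__main__":
    for name, dump, size in (("Harddisk0", DISK0, DISK0_SECTORS),
                             ("Harddisk1", DISK1, DISK1_SECTORS)):
        result = parse_mbr(dump, size)
        print(name, result["boot_code_sha256"][:16], result["findings"] or "table OK")
        for e in result["entries"]:
            print("  %(index)d active=%(active)s %(type_name)s "
                  "start=%(start_lba)d sectors=%(sectors)d" % e)
```

On a real dump, pass `open("mbr.bin", "rb").read()` to `parse_mbr` and compare the hash with one computed from a dump of a disk known to carry the stock boot code; the hash is only meaningful when the dump was taken from offline boot media, as in the procedure above.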


#12 mickcycle

mickcycle
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:06:05 PM

Posted 01 December 2012 - 07:50 AM

Thanks Elise,
I did what you suggested apparently without problem and attach the results.
I'm not 100% sure the clean computer is completely malware-free although it seems to be.

Best wishes, Mick

Attached Files

  • Attached File  mbr.zip   514bytes   11 downloads


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,200 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:05 PM

Posted 01 December 2012 - 08:42 AM

That is clean. Could you please tell me exactly how far your computer boots?

regards, Elise




#14 mickcycle

mickcycle
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:06:05 PM

Posted 01 December 2012 - 10:04 AM

Hi Elise,
Thanks again.

If I try and enter XP safe mode by holding the F8 key
my last message is
"Verifying DMI Pool Data...."

If I don't press F8
it goes beyond this and asks
"Boot from CD"
but nothing more if there is no CD present

If the Windows XP recovery disc is present
it does start to boot from the CD but only gets as far as
"Setup is inspecting your computer hardware configuration" but after about a minute the CD stops spinning.

It will happily boot into any Linux CD but they can not see any files on the 149GB Boot partition/Volume (sda1, C:), although they can see the files on the 11GB Recover partition/Volume (sda5, D:).

I also have a VISTA recovery DVD from my OTHER computer (laptop). With this it boots to a window which asks me to "Choose OS to start"
and the only option it gives is "Windows Setup[EMS Enabled]"
but I haven't gone beyond that.

It will also boot into the MS windows Defender Offline and appears to scan all the files on both partitions.

The only program that can see anything on the Boot partition is an old (possibly DOS based) program called "Wipe and clean" which recognizes files and allows me to see the hexadecimal values in each.

It is a bit unexpected that you describe the MBR as clean as my initial problem was that the rootkit malware had apparently produced an “Invalid or non-standard” MBR which FIXMBR couldn't fix. However, I'm very much out of my depth with all this.

Best wishes, Mick

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,200 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:05 PM

Posted 01 December 2012 - 10:57 AM

Your computer has the standard XP MBR, indicating that fixmbr did the trick just fine. There really is no rootkit that can prevent an offline tool from rewriting an MBR (the exceptions are legitimate drive encryption applications, which for obvious reasons do not allow for the alteration of the MBR nor any other data without providing the correct password/decryption information).

Does tapping F8 bring up the normal Advanced Boot Options menu?

regards, Elise






