This HOWTO is being written because the documentation we found was incomplete, misleading or wrong. This is an additional source of information. We make no representation that what we say here is true or that it will work for you. If it breaks, you get to keep the pieces.
Bart PE creates a bootable CD which is normally used to fix a broken Windows XP installation. "PE" means Preinstallation Environment and bartPE boots to the X: drive so that your C: drive, although accessible, has no files open or in use. There is also a RAMdisk which is B: drive. Booting into a Preinstallation Environment allows maintenance that is not otherwise possible.
You must create your own bootable CD. Although we were able to run the PE program on a Windows 2000 server, the recommended installation environment is a known clean Windows XP Service Pack 2 computer.
Begin by copying a Windows XP installation CD onto the hard drive of the computer that will build the bartPE CD. We created C:\WinXPProSP2-CD and copied the entire content of the installation CD to it.
Next download the main program from http://www.nu2.nu/pebuilder/download/ and install it. We strongly recommend that you install using all the defaults, one of which is that the directory the installer creates will include the pebuilder version.
Download xpe-VERSION.cab from http://oss.netfarm.it/winpe/. You want the most current cab file. In the plugin directory of your pebuilder directory, create a directory named xpe-VERSION. As with pebuilder, the version of the xpe plugin is important. Most other plugins used here rarely change, so versioning is usually not needed for them.
When installing from a cab file, you must always create a subdirectory under plugin and then extract the cabinet into the new subdirectory.
You can either use PE to install the cab file contents or extract the cab manually with something like WinRAR. Whichever method you use, be sure to check for zip files within the cab and extract any you find into that same plugin subdirectory.
Download the Nu2XPE Shortcuts Converter from http://winpe.sourceforge.net/.
You want the most current cab file and you create a directory named Nu2XPE-VERSION in the plugin directory; this is the destination for your cab extraction.
At the time of this writing, the Nu2XPE cabinet contains a zip file that must be extracted into your plugin subdirectory plugin\Nu2XPE-VERSION in such a way that encodings and xml become subdirectories of Nu2XPE-VERSION.
In order to allow the Ad-Aware and HiJackThis scanners to access the registry files of the broken computer's C: drive, download and install RunScanner from the PEBUILDER PLUGINS link at http://www.paraglidernc.com/.
Install this into plugin\RunScanner.
Do read the Usage documentation.
You can run either the free or the commercial version of Ad-Aware by downloading the Adaware.cab from the same Paraglider PE Plugins page as you got RunScanner from. Read the Usage documentation for the Ad-Aware plugin also. NOTE that there is already a plugin subdirectory adawarese but that you want to create a directory named adaware and extract the cab into it instead. Later on, you will enable adaware and disable adawarese.
Download either the Personal or the Professional version of Ad-Aware from http://www.lavasoft.de/. Install it, run it, update it and install any plugins available for it now, while you still have an internet connection. Close Ad-Aware and then copy all the files and folders from the Ad-Aware SE Plus (installation) directory into the files subdirectory of plugin\adaware. If you wish, you may now uninstall Ad-Aware.
Download and install the HiJackThis plugin from http://www.irongeek.com/i.php?page=security/pebuilder. Thankfully, HiJackThis is a zip file that will create the necessary directory in plugin when you extract it correctly.
From the same page, download the MSConfig plugin. As with HiJackThis, the zip file will create the necessary subdirectory when you extract into plugin.
Download the Avast!.cab plugin from http://www.bootcd.us/BartPE_Plugins_Complete.php where Avast is currently entry 300. Create an Avast! subdirectory in plugin and extract the cabinet into it. Be sure to execute plugin\Avast!\Avast.htm so that you download the most recent Virus Cleaner Tool from Avast. The aswclnr.exe you get from Avast goes into plugin\Avast!\ (not plugin\Avast!\files).
If you cannot access the internet from within the bartPE environment, you may want to find a second virus scanner. Otherwise, use the Symantec scan as your alternate.
Copy plugin\xpe-VERSION\z_xpe-custom.inf.sample to z_xpe-custom.inf (so that both are in the same directory) and then edit z_xpe-custom.inf.
OPTIONAL: Find the "Fonts settings for some locales" section and comment out the Central European lines, then uncomment the US-ascii lines.
Insert the following on its own (single) line immediately below "; XPEinit startup menu & desktop":
0x2,"Sherpya\XPEinit\Programs","Anti-Spyware\Run Adaware on C","%SystemDrive%\programs\adaware\Ad-AwareScan.cmd||%SystemDrive%\Programs\adaware\Ad-Aware.exe,0"
OPTIONAL: Change the taskbar setting from top to bottom.
OPTIONAL but recommended: Change wordpad to notepad in the "Send to" string because notepad is less likely to insert crap into files you edit than wordpad. The Send To text will still say "WordPad" but notepad will execute.
We think that it is vital that an internet connection be available while booted from the CD because then you can update any stale software from within bartPE. We struggled to get our Intel Pro/100 VE network card to work, but this zip file works for our Intel Pro/1000 MT. Extract it into your pebuilderVERSION\drivers\Net directory to try it.
If, while you are building the CD with PE, you see the START button replaced with GO, use the Task Manager to terminate process nu2menu.
Run PE from the desktop icon. Fill in the path to the WinXPProSP2-CD directory in the Source line. Select the "Create ISO image" radio button. Click the PLUGINS button (be patient, it can take a while to start) and make sure the following are enabled (set everything else disabled for now. Once you have a working boot CD you can play...).
When you have the correct plugin setup, click the CLOSE button and then click the BUILD button. When the BUILD completes, verify that there are no errors and if all is well, burn pebuilder.iso to a rewritable CD.
You can run PE from within the bartPE environment to alter any plugin settings or to create a new pebuilder.iso file. In fact, you can run just about anything so long as the hardware is detected and you have the patience that running from a CD requires.
You should become familiar with the tools you have installed before you need to use them.
These are suggestions, not instructions. Before booting the CD, turn off System Restore so that when you reboot, Windows does not put back what you just removed. Purge all internet caches. Empty the Recycle Bin.
It is better to be cautious than sorry, so remember that you can repeat the cleansing process, being more aggressive the second (and third, if necessary) time. We like to create a Quarantine directory on the C: drive and use rar m -rr C:\Quarantine\path_to_filename_ext.rar filename.ext. Note that the syntax of RAR places the destination file before the source file, so the above command compresses filename.ext, saves it as a rar file in the Quarantine destination, adds a recovery record to the rar file and then deletes the original filename.ext. With RAR, the m means MOVE, "path_to" tells us where it came from, and "filename_ext.rar" effectively prevents even the smartest Bad Boy from doing anything nasty. But everything is still readily available should a restore be required. You can also back up any file you think should be deleted. Think "MOVE" or "CUT and PASTE". You might consider renaming suspect files rather than deleting them.
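The quarantine move described above can be wrapped in a small batch file so the archive name is always built the same way. This is an added example, not part of the original HOWTO; the script name quarantine.cmd is hypothetical, and it assumes rar.exe is on the PATH and that C:\Quarantine is the quarantine directory.

```bat
@echo off
rem quarantine.cmd (hypothetical name) - added example, not from the original HOWTO.
rem Usage: quarantine.cmd "C:\WINDOWS\system32\suspect.dll"
rem Assumes rar.exe is on the PATH and the quarantine directory is C:\Quarantine.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 "full\path\to\file"
    exit /b 1
)
if not exist "%~f1" (
    echo Not found: "%~f1"
    exit /b 1
)
set "QDIR=C:\Quarantine"
if not exist "%QDIR%" mkdir "%QDIR%"

rem Build the archive name from the path without the drive letter:
rem \WINDOWS\system32\suspect.dll becomes WINDOWS_system32_suspect_dll
set "NAME=%~pnx1"
set "NAME=%NAME:~1%"
set "NAME=%NAME:\=_%"
set "NAME=%NAME:.=_%"
set "NAME=%NAME: =_%"

rem m   = move into the archive (the original is deleted after a good add)
rem -rr = add a recovery record
rem -ep = store the bare file name; the origin is encoded in the archive name
rar m -rr -ep "%QDIR%\%NAME%.rar" "%~f1"
if errorlevel 1 (
    echo rar reported a problem with "%~f1"; check whether it is still in place.
    exit /b 1
)
echo Quarantined "%~f1" as "%QDIR%\%NAME%.rar"
endlocal
```

Because the archive name records the original location, a restore is a matter of extracting the rar file back into the directory its name spells out.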
Boot the bartPE CD and remove all files in C:\Documents and Settings\LOGINNAME\Cookies except index.dat. In that same LOGINNAME path, delete all files from Local Settings\Temp as well as everything underneath Local Settings\Temporary Internet Files\Content.IE5. If there are other locations for internet cache files, get rid of the files there also because we find that infected files remain after purging the cache via the browser. We always delete everything underneath the Local Settings\History folder as well. Delete everything in LOGINNAME\Recent.
Repeat for each LOGINNAME.
In the WINDOWS directory, delete everything from the Downloaded Program Files directory and from the Temp directory.
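The per-login purge and the two WINDOWS directories above, written as one batch file that loops over every profile. This is an added example, not part of the original HOWTO; the script name purge-caches.cmd is hypothetical, and it assumes the broken installation is on C: with the default Windows XP profile layout. Hidden profile directories such as Default User are skipped by the loop.

```bat
@echo off
rem purge-caches.cmd (hypothetical name) - added example, not from the original HOWTO.
rem Run from the bartPE command prompt; assumes the broken install is on C:
rem and uses the default Windows XP profile layout.
setlocal
set "PROFILES=C:\Documents and Settings"

rem One pass per LOGINNAME directory (hidden profiles are not enumerated)
for /d %%U in ("%PROFILES%\*") do call :purge_profile "%%~fU"

rem System-wide locations
call :empty_dir "C:\WINDOWS\Downloaded Program Files"
call :empty_dir "C:\WINDOWS\Temp"
endlocal
goto :eof

:purge_profile
echo Cleaning %~1
rem Cookies: remove every file except index.dat
if exist "%~1\Cookies" (
    for %%F in ("%~1\Cookies\*") do (
        if /i not "%%~nxF"=="index.dat" del /f /q "%%~fF"
    )
)
call :empty_dir "%~1\Local Settings\Temp"
call :empty_dir "%~1\Local Settings\Temporary Internet Files\Content.IE5"
call :empty_dir "%~1\Local Settings\History"
call :empty_dir "%~1\Recent"
goto :eof

:empty_dir
rem Delete everything underneath a directory but keep the directory itself.
if not exist "%~1" goto :eof
rem Clear read-only/system/hidden flags so nothing is silently skipped
attrib -r -s -h "%~1\*" /s /d >nul 2>&1
del /f /q /a "%~1\*" >nul 2>&1
for /d %%D in ("%~1\*") do rd /s /q "%%~fD"
goto :eof
```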
Run the Avast scan. If a file cannot be cleaned, rar it into Quarantine.
If an internet connection is available, and if you can get IE to allow installation of the ActiveX components, run the virus scan at http://security.symantec.com/ and if it finds anything, write down the file name(s), then check to see if there is an available removal tool. Anything missed by Avast but picked up by Symantec needs to be handled thoughtfully, but in general we recommend raring into Quarantine where no removal tool is available or if the recommended action fails to work.
Run Ad-Aware and say YES to the REMOTE REGISTRY prompt. Select real login names only; do not use the Automatically Load All Remaining Users? check box. Normally the default scan setup is sufficient, but if you have to repeat the cleansing process, we recommend setting Scan Mode to Perform full system scan for the second run. Use the plugins and, if you have an internet connection, the online help. We recommend a strong-arm approach; no matter how small Ad-Aware thinks the risk is, if there is any risk at all then remove.
Run HiJackThis and say YES to the REMOTE REGISTRY prompt. As with Ad-Aware, select real login names only; do not use the Automatically Load All Remaining Users? check box. Ignore the temporary folder warning and select the Do a system scan only button. If a second run is required, that is the time to consider using the Do a system scan and save a log file button or perhaps the Open online HiJackThis QuickStart button. Fix whatever you are certain is bad but do not touch anything else. HiJackThis is extremely good at finding problems, but this is the place to exercise caution and to be familiar with the tool because it reports innocuous things as well as problems. There is lots of help available for HiJackThis, so use it. We recommend the online QuickStart.
Disconnect any link to the internet and then reboot the computer, removing the bartPE CD during the reboot. If you have access to a firewall that logs, enable it and block everything. Before you allow an internet connection, examine the firewall log to see what is attempting access and where it is trying to go. Unless it is immediately apparent that a problem remains, exercise the computer for several minutes. Some problems take a bit of time to reappear.
When fixed, remove the Quarantine directory, empty the Recycle Bin and turn System Restore back on.
BART PE is the creation of Bart Lagerweij.