Challenging Rootkit

#46 RKinner (Malware Expert)
I've asked about this beast in our internal forum. Don't be surprised if you get some requests for scans or instructions from some of our more experienced folk. No promises. Depends on who is online today.

#47 rootkits-r-evil (Topic Starter)
I did that, and the results are interesting. There is a mystery drive, Drive E. Hold on, I'll post it in detail....

#48 rootkits-r-evil (Topic Starter)
This is like when you get in an accident, and when you bring the car to the body shop the guy calls into the garage: "Holy Cow! Hey guys, come check out this guy's car. Wow!"

But I understand. I've been reading about this virus online too. And it's interesting.

Here is a photo of what happens when I type "map" in Recovery Console (after telling it which version of Windows, supposedly installed on my machine, to use).


[screenshot of the Recovery Console "map" output]

As you can see, there's:

? FAT16 102MB \Device\Harddisk0\Partition1
C: NTFS 111803MB \Device\Harddisk0\Partition2
E: Fat32 2558MB \Device\Harddisk0\Partition3
D: \Device\CDRom0

#49 rootkits-r-evil (Topic Starter)
OK, so what do I do now?

I have a sneaky, hidden partition on my hard drive that the computer itself doesn't know about, containing..... who knows what?

Shall I continue to run tests, scans, or fixes on the other partition?

What's the game plan?

#50 RKinner (Malware Expert)
Can you create the Hiren boot disk and back up your MBR as in post 29?

I think if we fix the MBR then we can remove the funny partition but I don't want to do it unless I can back it up first.

Ron
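The hidden partition seen in post #48 and the MBR backup asked for in post #50 come down to the same 512-byte sector: the entries that Recovery Console's "map" lists are the four 16-byte partition records at offset 446 of the MBR. The Python below is an added example (not code from this thread, from Hiren's BootCD, or from any tool named here) that parses a backed-up MBR image and reports any partition entry beyond the number the owner knows about; the sample sector is constructed to mirror the "map" listing above, and the baseline of two expected partitions (the small FAT16 one and C:) is an assumption.

```python
import struct

SECTOR = 512
# Well-known MBR partition type IDs; anything else is reported as unknown.
PARTITION_TYPES = {0x06: "FAT16", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x05: "Extended", 0x0F: "Extended (LBA)"}

def parse_mbr(sector: bytes) -> list:
    """Parse the four 16-byte partition entries at offset 446 of a 512-byte MBR image."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR image must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    entries = []
    for i in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        entries.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"unknown 0x{ptype:02X}"),
            "start_lba": start,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return entries

def unexpected_partitions(entries: list, expected: int) -> list:
    """Entries beyond the count the owner recognises (assumed here: FAT16 + C:)."""
    return [e for e in entries if e["index"] > expected]

def _entry(status, ptype, start_lba, sectors):
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)

def _mb(n):  # megabytes -> 512-byte sectors
    return n * 1024 * 1024 // SECTOR

# Constructed sample MBR mirroring the "map" listing in the thread: zeroed boot code,
# FAT16 102MB, NTFS 111803MB (active, C:), FAT32 2558MB (E:), one empty slot, signature.
SAMPLE_MBR = (b"\0" * 446
              + _entry(0x00, 0x06, 63, _mb(102))
              + _entry(0x80, 0x07, 63 + _mb(102), _mb(111803))
              + _entry(0x00, 0x0B, 63 + _mb(102) + _mb(111803), _mb(2558))
              + _entry(0x00, 0x00, 0, 0)
              + b"\x55\xAA")
```

To inspect a real backup, replace SAMPLE_MBR with the first 512 bytes read from the saved MBR file; the parser only reads, it never writes to disk.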

#51 rootkits-r-evil (Topic Starter)
Yes. But let me ask you this: could I do it with the BartPE boot disk I have already? Or should I take the time to make the one you suggest?

#52 rootkits-r-evil (Topic Starter)
And how about that photo I posted? Isn't that amazing?

#53 rootkits-r-evil (Topic Starter)
Actually, this Hirams looks pretty good. A great thing to have. It's downloading, but will take over an hour and a half for me.

#54 rootkits-r-evil (Topic Starter)
"Hiren".

#55 rootkits-r-evil (Topic Starter)
I usually use freeisoburner
http://www.freeisoburner.com/
to make the bootable CD.

Actually, the download had CD burning software in it that worked just fine.

Or boot from it directly.

I booted the infected machine with it. It's running now. (Geez, this disk is awesome. Why wouldn't everyone with a Windows machine want one of these hanging around? It's been one of the few bright spots in this ordeal, actually.)

There should be a menu. Choose the MBR Tools.

OK, here goes...

#56 rootkits-r-evil (Topic Starter)
There should be a menu.

There is.

Choose the MBR Tools.

I don't see that.

Closest thing I see is "Boot HDD 1 MBR".

There is a "custom menu", but it's not there either.

Not sure what to do.

#57 RKinner (Malware Expert)
Appears this bug eats your antivirus and replaces it with itself. If you still have Symantec, make sure you kill all of its processes and drivers.

I'm going to have to go to bed now. Missed my nap today because of the party.

Once you back up the MBR, I'd run some of the anti-virus scans that come with Hiren's, then I'd try replacing the MBR with the standard XP MBR. Then boot into Recovery Console and delete the E:\ partition.

Good luck.

#58 RKinner (Malware Expert)
Choose DOS Programs, then 9, and I think you will see the MBR.

#59 rootkits-r-evil (Topic Starter)
Appears this bug eats your antivirus and replaces it with itself. If you still have Symantec, make sure you kill all of its processes and drivers.

Never had it. That's just the freebie that came with the machine, you see. Never used it.

I'm going to have to go to bed now. Missed my nap today because of the party.

Understand. Clearly, like me, you keep weird hours.

Once you back up the MBR, I'd try replacing it with the standard XP MBR. Then boot into Recovery Console and delete the E:\ partition.

_______________ > I just can't find this "MBR Tools". <_______________

Beyond that, I think I'll be OK.

Thank you.

#60 rootkits-r-evil (Topic Starter)
"Choose DOS Programs, then 9, and I think you will see the MBR."

No, but it gives me another menu with 9 other choices. "9" is "back".