Challenging Rootkit



#61
rootkits-r-evil

    Member

  • Topic Starter
  • 168 posts
Dang. Somehow I clicked the wrong thing and it's asking me

R:\>

And I don't know DOS.
  • 0


#62
rootkits-r-evil

    Member

  • Topic Starter
  • 168 posts
"Reboot" got me out, now back to the beginning. ...
  • 0

#63
rootkits-r-evil

    Member

  • Topic Starter
  • 168 posts
OK, I got it. It WAS "9", which was "next", and it was on the next screen.

Got it!
  • 0

#64
rootkits-r-evil

    Member

  • Topic Starter
  • 168 posts
Nope. It doesn't look right. The menu choices are different than you suggest here. More complex. I may have just backed this up, maybe not. Don't want to mess with it. I am in over my head. I have to wait for you to come back. So close too...
  • 0

#65
rootkits-r-evil

    Member

  • Topic Starter
  • 168 posts
Problem is....

There should be a menu. Chose the MBR Tools.

There is no such thing. More than one close choice.

Now choose MbrFix 1.3

No such thing anywhere.

Type:

MbrFix /drive 0 savembr Backup_MBR_0.bin

No place to type anything at all, and I don't think I should just guess or mess around here.

I have to wait for you to come back.
  • 0

#66
RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Just remember we are in uncharted territory here so it's entirely possible that we may kill the thing and have to start over from scratch. If you have any pictures or other data that you can't afford to lose and haven't backed up now is the time to do that!

I found some screen shots on the Hiren site. It's from a slightly older version but should be close enough.

When you boot to the CD you should see:

Posted Image

You select DOS PROGRAMS. Then you should get:

Posted Image

Tell it: 9 (for Next) and you should get:

Posted Image

Select 1 (for MBR (MASTER BOOT RECORD) Tools). You should get

Posted Image

Select 8 (for More) and you should get the rest of them. Hiren says he has MbrFix 1.3: on the disk. If it doesn't show up on either menu then we will just have to use one of the other tools. MBR Wizard looks good:

MBR Wizard:
To Save the current MBR:

MBRWiz /save=C:\savedMBR

(If you have to go back, to restore the saved MBR:

MBRWiz /Restore=C:\savedMBR
)

To look at the partitions:

MBRWiz /List

(This should show the three partitions we saw before. I assume they are numbered in the same order 0, 1, 2 - You should be able to tell by the size)


To unhide a partition, use

MBRWiz /Hide=0 /Disk=0 /Part=2

(Make sure /Disk and /Part are correct for the one you want to unhide)

To have it write an XP MBR:

MBRWiz /Repair=1 /Disk=0

To Delete a Partition:

MBRWiz /Part=2 /Del

Make sure you are deleting the right one and not the big one for the C:\ drive!

As mentioned before I would run some of the Anti-virus scans from Hiren before trying to fix the MBR. This beast is really nasty and if we don't get it all it will just reinstall itself.


Ron
  • 0
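The /List, /Hide and /save steps in Ron's post come down to reading the 512-byte MBR, walking its four 16-byte partition entries and keeping a saved copy to compare against. As an added example that is not from the thread or from MBRWiz, this Python parses a constructed MBR, reports each partition's slot number, size and whether its type byte marks it hidden (the convention that keeps a partition out of sight of Windows), and checks whether the boot code differs from a saved backup; the sample sizes, LBAs and the hidden-type set are assumptions for illustration.

```python
import struct
from dataclasses import dataclass

SECTOR = 512  # assumed sector size for the size arithmetic
# Type bytes the classic MBR convention treats as "hidden": bit 0x10 set on the usual FAT/NTFS codes, e.g. 0x07 (NTFS) -> 0x17.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

@dataclass
class PartitionEntry:
    index: int       # table slot 0..3, the number MBRWiz /Part= refers to
    bootable: bool   # status byte == 0x80
    type_id: int     # partition type byte
    lba_start: int   # first sector (LBA)
    sectors: int     # length in sectors

    @property
    def hidden(self) -> bool:
        return self.type_id in HIDDEN_TYPES

    @property
    def size_mib(self) -> float:
        return self.sectors * SECTOR / 2**20

def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty entries of a 512-byte MBR's partition table."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    entries = []
    for i in range(4):
        raw = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, type_id, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if type_id != 0:
            entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, sectors))
    return entries

def boot_code_changed(saved_mbr: bytes, current_mbr: bytes) -> bool:
    """True if the 446 bytes of boot code differ between a saved copy and the live sector."""
    return saved_mbr[:446] != current_mbr[:446]

def _entry(status: int, type_id: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3xB3xII", status, type_id, lba_start, sectors)

SAMPLE_MBR = (  # constructed sample: three partitions like the thread's, the third a small hidden NTFS one
    bytes(446)                                # zeroed boot code stands in for real code
    + _entry(0x80, 0x07, 2048, 204800)        # slot 0: 100 MiB bootable NTFS
    + _entry(0x00, 0x07, 206848, 419430400)   # slot 1: 200 GiB NTFS (the big C: drive)
    + _entry(0x00, 0x17, 419637248, 102400)   # slot 2: 50 MiB hidden NTFS
    + bytes(16) + b"\x55\xAA"                 # slot 3 unused, then the boot signature
)
```

On a real disk the same parse would run over the sector saved by `MBRWiz /save`, and comparing the boot code against the live sector shows whether the bootstrap code, not just the partition table, was touched.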

#67
rootkits-r-evil

    Member

  • Topic Starter
  • 168 posts
"Just remember we are in uncharted territory here so it's entirely possible that we may kill the thing and have to start over from scratch. If you have any pictures or other data that you can't afford to lose and haven't backed up now is the time to do that!"

Actually that was the first thing I did, but now hearing you specifically say it about this instance, I think I will dig a little deeper and really make sure. (I think I will back up my e-mail, which is not easy with Thunderbird.) Maybe back up some prefs.
  • 0

#68
rootkits-r-evil

    Member

  • Topic Starter
  • 168 posts
"Just remember we are in uncharted territory here "

You know, I think that's quite true. As one might imagine, I looked online for info about this, and I came to quite a few threads like this one where people were getting online help with malware removal of this same critter. And it seemed to me that not ONE really got rid of this virus.

I saw many examples of people describing what I know to be zeroaccess, and the person helping them told them to post a log file, which we know would miss the hidden partition that the malware created. After lots of back and forth, *some* of the virus was removed and the person said, Gee thanks, and moved on. But I know the rootkit was still there, and sooner or later it's going to re-infect.

In short, after reading lots of those online, I was convinced that not one of them actually solved the problem. I could not find one example where it did to my satisfaction.

So yeah, we are in uncharted waters here as far as I can tell.
  • 0

#69
RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
OK. Let me know what happens.

I see we are starting to get an audience. Several of the more experienced people are looking at this as I type.

Ron
  • 0

#70
rootkits-r-evil

    Member

  • Topic Starter
  • 168 posts
Backing up some files, then I'm going to dive in...
  • 0


#71
rootkits-r-evil

    Member

  • Topic Starter
  • 168 posts
Select 8 (for More) and you should get the rest of them. Hiren says he has MbrFix 1.3: on the disk. If it doesn't show up on either menu then we will just have to use one of the other tools. MBR Wizard looks good:

MBR Wizard:
To Save the current MBR:

MBRWiz /save=C:\savedMBR

OK, this is where you lost me. There is no verb in that, so I don't know what to do. I assume type, but I don't know where to type it or how to get there.

MBR Wizard looks good:

Again, I am confused. I can get to MBR Wizard, but it gives me a menu. At that point, the only choices are to choose something on the menu.

Here is where I'm at. I guessed, and this is where I wound up.

Posted Image

So what should I do? I assume something to do with "save" or "x", but I want to be clear and not take any guesses or assumptions.
  • 0

#72
RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Yes I think you will need to type. Do what the screen says and press any key to see what your other options are.
I would think it would take you to a prompt where you can then type the commands.
  • 0

#73
RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Got an alternative possibility just suggested to me by CompCav:

If they boot into windows on the disk and go to programs there is a list of .cmd files and it is there, double clicking on it then opens a command window with the program.


I assume this "windows" is the mini XP option on the main menu.

Ron
  • 0

#74
rootkits-r-evil

    Member

  • Topic Starter
  • 168 posts
Got an alternative possibility just suggested to me by CompCav:

If they boot into windows on the disk and go to programs there is a list of .cmd files and it is there, double clicking on it then opens a command window with the program.

I assume this "windows" is the mini XP option on the main menu.

I am sorry, but I have no idea whatsoever what this means. :-) ("They"? "It?")
  • 0

#75
rootkits-r-evil

    Member

  • Topic Starter
  • 168 posts
Do what the screen says and press any key to see what your other options are.
I would think it would take you to a prompt where you can then type the commands.

Yes, I think so. It says...

__________________________________________________

All functions return 0 on success, > 0 on error.

mbrwzd.exe
Loading SmartDrv

R:\TOOLS_

____________________________________

(Where the "_" is, is a blinking cursor.)
  • 0





