R:\>
And I don;t know DOS.
Challenging Rootkit
Started by
rootkits-r-evil
, Aug 20 2011 04:03 PM
#61
Posted 21 August 2011 - 11:54 PM
rootkits-r-evil
- Topic Starter
-
- Member
-
- 168 posts
Member
R:\>
And I don;t know DOS.
#62
Posted 21 August 2011 - 11:56 PM
rootkits-r-evil
- Topic Starter
-
- Member
-
- 168 posts
Member
"Reboot" got me out, now back to the beginning. ...
#63
Posted 21 August 2011 - 11:58 PM
rootkits-r-evil
- Topic Starter
-
- Member
-
- 168 posts
Member
OK, I got it. It WAS "9", which was "next", and it was on the next screen.
Got it~!
Got it~!
#64
Posted 22 August 2011 - 12:18 AM
rootkits-r-evil
- Topic Starter
-
- Member
-
- 168 posts
Member
Nope. It doesn't look right. The menu choices are different than you suggest here. More complex. I may have just backed this up, maybe not. Don't want to mess with it. I am in over my head. I have to wait for you to come back. So close too...
#65
Posted 22 August 2011 - 12:30 AM
rootkits-r-evil
- Topic Starter
-
- Member
-
- 168 posts
Member
Problem is....
There should be a menu. Chose the MBR Tools.
There is no such thing. More than one close choice.
Now choose MbrFix 1.3
No such thing anywhere.
Type:
MbrFix /drive 0 savembr Backup_MBR_0.bin
No place to type anything at all, and I don't think I should just guess or mess around here.
I have to wait for you to come back.
There should be a menu. Chose the MBR Tools.
There is no such thing. More than one close choice.
Now choose MbrFix 1.3
No such thing anywhere.
Type:
MbrFix /drive 0 savembr Backup_MBR_0.bin
No place to type anything at all, and I don't think I should just guess or mess around here.
I have to wait for you to come back.
#66
Posted 22 August 2011 - 09:14 AM
RKinner
-
- Expert
-
- 24,625 posts
Malware Expert
Just remember we are in uncharted territory here so it's entirely possible that we may kill the thing and have to start over from scratch. If you have any pictures or other data that you can't afford to lose and haven't backed up now is the time to do that!
I found some screen shots on the Hiren site. It's from a slightly older version but should be close enough.
When you boot to the CD you should see:
You select DOS PROGRAMS. Then you should get:
Tell it: 9 (for Next) and you should get:
Select 1 (for MBR (MASTER BOOT RECORD) Tools. You should get
Select 8 (for More) and you should get the rest of them. Hiren says he has MbrFix 1.3: on the disk. If it doesn't show up on either menu then we will just have to use one of the other tools. MBR Wizzard looks good:
MBR Wizzard:
To Save the current MBR:
MBRWiz /save=C:\savedMBR
(IF you have to go back: To restore to the saved MBR:
MBRWiz /Restore=C:\savedMBR
)
To look at the partitions:
MBRWiz /List
(This should show the three partitions we saw before. I assume they are numbered in the same order 0, 1, 2 - You should be able to tell by the size)
To unHide a partition use
MBRWiz /Hide=0 /Disk=0 /Part=2
(Make sure /Disk and /Part are correct for the one you want to unhide)
To Have it write an XP MBR
MBRWiz /Repair=1 /Disk=0
To Delete a Partition:
MBRWiz /Part=2 /Del
Make sure you are deleting the right one and not the big one for the C:\ drive!
As mentioned before I would run some of the Anti-virus scans from Hiren before trying to fix the MBR. This beast is really nasty and if we don't get it all it will just reinstall itself.
Ron
I found some screen shots on the Hiren site. It's from a slightly older version but should be close enough.
When you boot to the CD you should see:
You select DOS PROGRAMS. Then you should get:
Tell it: 9 (for Next) and you should get:
Select 1 (for MBR (MASTER BOOT RECORD) Tools. You should get
Select 8 (for More) and you should get the rest of them. Hiren says he has MbrFix 1.3: on the disk. If it doesn't show up on either menu then we will just have to use one of the other tools. MBR Wizzard looks good:
MBR Wizzard:
To Save the current MBR:
MBRWiz /save=C:\savedMBR
(IF you have to go back: To restore to the saved MBR:
MBRWiz /Restore=C:\savedMBR
)
To look at the partitions:
MBRWiz /List
(This should show the three partitions we saw before. I assume they are numbered in the same order 0, 1, 2 - You should be able to tell by the size)
To unHide a partition use
MBRWiz /Hide=0 /Disk=0 /Part=2
(Make sure /Disk and /Part are correct for the one you want to unhide)
To Have it write an XP MBR
MBRWiz /Repair=1 /Disk=0
To Delete a Partition:
MBRWiz /Part=2 /Del
Make sure you are deleting the right one and not the big one for the C:\ drive!
As mentioned before I would run some of the Anti-virus scans from Hiren before trying to fix the MBR. This beast is really nasty and if we don't get it all it will just reinstall itself.
Ron
#67
Posted 22 August 2011 - 10:40 AM
rootkits-r-evil
- Topic Starter
-
- Member
-
- 168 posts
Member
"Just remember we are in uncharted territory here so it's entirely possible that we may kill the thing and have to start over from scratch. If you have any pictures or other data that you can't afford to lose and haven't backed up now is the time to do that!"
Actually that was the first thing I did, but now hearing you specifically say it about this instance, I think I will dig a little deeper and really make sure. (I think I will back up my e-mail, which is not easy with Thunderbird.) Maybe back up some prefs.
Actually that was the first thing I did, but now hearing you specifically say it about this instance, I think I will dig a little deeper and really make sure. (I think I will back up my e-mail, which is not easy with Thunderbird.) Maybe back up some prefs.
#68
Posted 22 August 2011 - 11:22 AM
rootkits-r-evil
- Topic Starter
-
- Member
-
- 168 posts
Member
"Just remember we are in uncharted territory here "
You know, I think that's quite true. As one might imagine, I looked online for info about this, and I came to quite a few threads like this one where people were getting online help with malware removal of this same critter. And it seemed to me that not ONE really got rid of this virus.
I saw many examples of people describing what I know to be zeroaccess, and the person helping them told them to post a log file- which we know would miss the hidden partition that the malware created. After lots of back and forth, *some* of the virus was removed and the person said, Gee thanks, and moved on. But I know the rootkit was still there, and sooner or later it's going to re-infect.
In short, after reading lots of those online, I was convinced that not one of them actually solved the problem. I could not find one example where it did to my satisfaction.
So yeah, we are in uncharted waters here as far as I can tell.
You know, I think that's quite true. As one might imagine, I looked online for info about this, and I came to quite a few threads like this one where people were getting online help with malware removal of this same critter. And it seemed to me that not ONE really got rid of this virus.
I saw many examples of people describing what I know to be zeroaccess, and the person helping them told them to post a log file- which we know would miss the hidden partition that the malware created. After lots of back and forth, *some* of the virus was removed and the person said, Gee thanks, and moved on. But I know the rootkit was still there, and sooner or later it's going to re-infect.
In short, after reading lots of those online, I was convinced that not one of them actually solved the problem. I could not find one example where it did to my satisfaction.
So yeah, we are in uncharted waters here as far as I can tell.
#69
Posted 22 August 2011 - 11:57 AM
RKinner
-
- Expert
-
- 24,625 posts
Malware Expert
OK. Let me know what happens.
I see we are starting to get an audience. Several of the more experienced people are looking at this as I type.
Ron
I see we are starting to get an audience. Several of the more experienced people are looking at this as I type.
Ron
#70
Posted 22 August 2011 - 12:00 PM
rootkits-r-evil
- Topic Starter
-
- Member
-
- 168 posts
Member
backing up some files, then I'm going to dive in,,,
#71
Posted 22 August 2011 - 12:37 PM
rootkits-r-evil
- Topic Starter
-
- Member
-
- 168 posts
Member
Select 8 (for More) and you should get the rest of them. Hiren says he has MbrFix 1.3: on the disk. If it doesn't show up on either menu then we will just have to use one of the other tools. MBR Wizzard looks good:
MBR Wizzard:
To Save the current MBR:
MBRWiz /save=C:\savedMBR
OK, this is where you lost me. There is no verb in that, so I don't know what to do. I assume type, but I don't know where to type it or how to get there.
MBR Wizzard looks good:
Again, I am confused. I can get to MBR Wizzard, but it gives me a menu. At that point, the only choices are to choose something on the menu.
Here is where I'm at. I guessed, and this is where I wound up.
So what should I do? I assume something to do with "save" or "x", but I want to be clear and not take any guesses or assumptions.
MBR Wizzard:
To Save the current MBR:
MBRWiz /save=C:\savedMBR
OK, this is where you lost me. There is no verb in that, so I don't know what to do. I assume type, but I don't know where to type it or how to get there.
MBR Wizzard looks good:
Again, I am confused. I can get to MBR Wizzard, but it gives me a menu. At that point, the only choices are to choose something on the menu.
Here is where I'm at. I guessed, and this is where I wound up.
So what should I do? I assume something to do with "save" or "x", but I want to be clear and not take any guesses or assumptions.
#72
Posted 22 August 2011 - 12:57 PM
RKinner
-
- Expert
-
- 24,625 posts
Malware Expert
Yes I think you will need to type. Do what the screen says and press any key to see what your other options are.
I would think it would take you to a prompt where you can then type the commands.
I would think it would take you to a prompt where you can then type the commands.
#73
Posted 22 August 2011 - 01:00 PM
RKinner
-
- Expert
-
- 24,625 posts
Malware Expert
Got an alternative possibility just suggested to me by CompCav:
If they boot into windows on the disk and go to programs there is a list of .cmd files and it is there, double clicking on it then opens a command window with the program.
I assume this "windows" is the mini XP option on the main menu.
Ron
If they boot into windows on the disk and go to programs there is a list of .cmd files and it is there, double clicking on it then opens a command window with the program.
I assume this "windows" is the mini XP option on the main menu.
Ron
#74
Posted 22 August 2011 - 01:05 PM
rootkits-r-evil
- Topic Starter
-
- Member
-
- 168 posts
Member
Got an alternative possibility just suggested to me by CompCav:
If they boot into windows on the disk and go to programs there is a list of .cmd files and it is there, double clicking on it then opens a command window with the program.
I assume this "windows" is the mini XP option on the main menu.
I am sorry, but I have no idea whatsoever what this means. :-) ("They"? "It?")
If they boot into windows on the disk and go to programs there is a list of .cmd files and it is there, double clicking on it then opens a command window with the program.
I assume this "windows" is the mini XP option on the main menu.
I am sorry, but I have no idea whatsoever what this means. :-) ("They"? "It?")
#75
Posted 22 August 2011 - 01:12 PM
rootkits-r-evil
- Topic Starter
-
- Member
-
- 168 posts
Member
Do what the screen says and press any key to see what your other options are.
I would think it would take you to a prompt where you can then type the commands.
Yes, I think so. I says,,,,
__________________________________________________
All functions return 0 on success, > 0 on error.
mbrwzd.exe
Loading SmartDrv
R:\TOOLS_
____________________________________
(Where the "_" is, is a blinking cursor.)
I would think it would take you to a prompt where you can then type the commands.
Yes, I think so. I says,,,,
__________________________________________________
All functions return 0 on success, > 0 on error.
mbrwzd.exe
Loading SmartDrv
R:\TOOLS_
____________________________________
(Where the "_" is, is a blinking cursor.)
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
