Challenging Rootkit


#76 RKinner (Malware Expert, 20,029 posts, MVP)
OK. Type:

MBRWiz /save=C:\savedMBR


see what happens

#77 rootkits-r-evil (Topic Starter, Member, 168 posts)
"Bad command or file name".

#78 rootkits-r-evil (Topic Starter, Member, 168 posts)
MBRWiz /save=C:\savedMBR


Is there supposed to be a space after the "Z"? (I typed one because there is one in what you typed.)

#79 RKinner (Malware Expert, 20,029 posts, MVP)
I assume you had a space after mbrwiz?

Type:
dir

If it gives you a list of folders then:

cd mbrwiz (Or whatever it calls the folder) then try the command again

Ron

#80 rootkits-r-evil (Topic Starter, Member, 168 posts)
I assume you had a space after mbrwiz?

Yes.

Type:
dir


I did.

If it gives you a list of folders then:

cd mbrwiz (Or whatever it calls the folder) then try the command again



You lost me again. I don't understand. I don't know DOS, and I don't understand how to interpret what I am looking at here. I see lots of white letters and numbers on a black screen; beyond that, I do not know how to interpret them.

Here is a photo. (Please keep in mind that to someone like me, this might as well be Swahili or the writings of ancient Druids. I'm sorry, but I just don't understand it.)

Posted Image

#81 rootkits-r-evil (Topic Starter, Member, 168 posts)
What should I do?

#82 rootkits-r-evil (Topic Starter, Member, 168 posts)
Or how about this...?

This is what is on my screen right now.

Isn't this what we want? Won't one of the first two choices here back up the MBR so we can get to it again if need be?

Posted Image

#83 RKinner (Malware Expert, 20,029 posts, MVP)
CompCav says I gave you the wrong command. Should be

mbrwizd /save=C:\savedMBR

But just Reboot and choose the mini XP. CompCav says the drive has to be mounted so if we just boot into the mini XP then Start, All Programs you should see the one we want and not have to mount it.

Ron

#84 rootkits-r-evil (Topic Starter, Member, 168 posts)
OK. Hold on, will boot into that...

#85 rootkits-r-evil (Topic Starter, Member, 168 posts)
"But just Reboot and choose the mini XP. CompCav says the drive has to be mounted so if we just boot into the mini XP then Start, All Programs you should see the one we want and not have to mount it."

OK, I'm booted up on Mini XP from the Hiren's disk.

I can click on the "Start" menu, so what's "the one we want"?

#86 rootkits-r-evil (Topic Starter, Member, 168 posts)
No wait! You don't mean, "Start", ---> "all programs". You mean from the Start Menu, HBCD Programs.


That gives me a Windows Explorer type window, and I see, "MBRFix.cmd"


THAT'S what we want, right?

#87 rootkits-r-evil (Topic Starter, Member, 168 posts)
This is WAY better. I can handle this. Typing DOS commands blindly was painful. That would give a headache to a bottle of Advil.

#88 rootkits-r-evil (Topic Starter, Member, 168 posts)
OK, so I see "MBRFix.cmd". Assuming that's "what we want", what do I do next?

#89 RKinner (Malware Expert, 20,029 posts, MVP)
You still need to type in a DOS-like prompt:

From CompCav:

"click start
click Programs
click HBCD Menu
click Browse folder
in right hand window page down to MbrFix.cmd
a black command window will open and also a MbrFix.txt window.
In the taskbar click on the c:\ in the box next to B:\Temp\HBCD...
Now the black command window should show with b:\Temp\HBCD>_
Type the command as you had in #29 with adding the location to save the file.

MbrFix /drive 0 savembr C:\Backup_MBR_0.bin
(The OP can check on the c drive to see it is in the root directory)

Then the command to fix it:

MbrFix /drive 0 fixmbr /yes


Then he can close the command window and click Start in the lower left hand corner,

click Shutdown
in the window that comes up hit the down arrow to select Restart / Eject
Then click OK

(The machine will eject the Hirens Boot CD and Start up normally.)"

This leaves the E:\ partition intact, so perhaps we should try and run MBR Wizard while we are here before we reboot?

It's not clear to me from the write-up how exactly it gets to the E:\ partition, but the write-up I saw had people reinstalling Windows and getting reinfected because they hadn't removed the partition.
http://resources.inf...tealth-rootkit/

Ron
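The backup that `MbrFix /drive 0 savembr C:\Backup_MBR_0.bin` writes is a raw 512-byte copy of sector 0, so it can be inspected before `fixmbr` is run. The following is an added example, not code from the thread, from CompCav or from the MbrFix tool: a small Python parser that checks the boot signature, lists the partition table entries, and reports any entries beyond the number the owner expects, which is where an extra partition like the E:\ one discussed above would show up. The sample image is constructed inline; a real backup would be read with `open(path, "rb").read()`.

```python
import struct
from typing import Dict, List

def _entry(boot: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte partition table entry (CHS fields set to 'use LBA')."""
    return struct.pack("<B3sB3sII", boot, b"\xfe\xff\xff", ptype,
                       b"\xfe\xff\xff", lba_start, sectors)

# Constructed sample (not a real dump): a 512-byte image in the layout that
# "MbrFix /drive 0 savembr C:\Backup_MBR_0.bin" writes. Boot code is zeroed;
# entry 0 is the bootable system partition, entry 1 an extra small partition.
SAMPLE_MBR = (
    bytes(440)                                    # boot code area
    + struct.pack("<I", 0x1234ABCD)               # disk signature
    + b"\x00\x00"                                 # reserved
    + _entry(0x80, 0x07, 2048, 200_000_000)       # active NTFS partition
    + _entry(0x00, 0x07, 200_002_048, 2_000_000)  # second, small partition
    + bytes(32)                                   # two unused entries
    + b"\x55\xAA"                                 # boot signature
)

PTYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x05: "extended"}

def parse_mbr(img: bytes) -> Dict:
    """Split a 512-byte MBR into boot code, disk signature and used partitions."""
    if len(img) != 512:
        raise ValueError("MBR image must be exactly 512 bytes")
    if img[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts: List[Dict] = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", img[off:off + 16])
        if ptype == 0:
            continue                              # empty slot
        parts.append({"index": i, "active": boot == 0x80, "type": ptype,
                      "type_name": PTYPES.get(ptype, "unknown"),
                      "lba_start": lba, "sectors": count,
                      "size_mib": count * 512 // (1024 * 1024)})
    return {"disk_signature": struct.unpack("<I", img[440:444])[0],
            "boot_code": img[:440], "partitions": parts}

def unexpected_partitions(img: bytes, expected: int) -> List[Dict]:
    """Entries beyond the first `expected` ones: the ones worth a closer look."""
    return parse_mbr(img)["partitions"][expected:]

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR)["partitions"]:
        print(p)
```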

#90 rootkits-r-evil (Topic Starter, Member, 168 posts)
writeup I saw had people reinstalling Windows and getting reinfected because they hadn't removed the partition.


I knew it! I was thinking I couldn't even just re-install the OS for that reason. And I've seen threads, as I said, where people said that is what they were going to do and the thread was closed. I just knew they were wrong in thinking they were all set.

This virus just $ucks.

OK, here I go...