Challenging Rootkit



#91 rootkits-r-evil (Member, Topic Starter, 168 posts)
"click Start
click Programs
click HBCD Menu
click Browse folder
in the right-hand window page down to MbrFix.cmd
a black command window will open and also a MbrFix.txt window.
In the taskbar click on the c:\ in the box next to B:\Temp\HBCD...
Now the black command window should show with b:\Temp\HBCD>_
Type the command as you had in #29, adding the location to save the file.

MbrFix /drive 0 savembr C:\Backup_MBR_0.bin
(The OP can check on the c drive to see it is in the root directory)

Then the command to fix it:

MbrFix /drive 0 fixmbr /yes


Then he can close the command window and click Start in the lower left hand corner,

click Shutdown
in the window that comes up hit the down arrow to select Restart / Eject
Then click OK

(The machine will eject the Hiren's Boot CD and start up normally.)"


Done. (Except for the part about checking the C drive to see if it's in the root directory. Not sure what that means.)

This leaves the E:\ partition intact so perhaps we should try and run MBR Wizard while we are here before we reboot?

Too late.

UH oh.... hold on...



#92 rootkits-r-evil (Member, Topic Starter, 168 posts)
Houston, we have a problem.....

_______________________________________________

Windows Boot Manager has experienced a problem.

File: Boot\BCD

Status: 0xc0000098

Info: The Windows Boot Configuration Data file does not contain a valid OS entry



You can try to recover the system with the tools listed in the System Recovery Options Menu.

(You might need to start the computer manually.)

If the problem continues, please contact the systems administrator, or computer

manufacturer.


_______________________________________________

#93 rootkits-r-evil (Member, Topic Starter, 168 posts)
and then at the bottom it says, "Enter=Continue"

#94 rootkits-r-evil (Member, Topic Starter, 168 posts)
Give me five minutes alone in a room with the guy who invented this virus. Five minutes.

#95 RKinner (Malware Expert, MVP, 19,788 posts)
Did this ever have Vista on it?

#96 rootkits-r-evil (Member, Topic Starter, 168 posts)
No, never. In fact, the reason I bought it, was it was the very last Dell Vostro series that shipped with just XP.

#97 rootkits-r-evil (Member, Topic Starter, 168 posts)
Would I be dreaming to think that what is going on is that we got rid of that hidden drive, and the machine still thinks it's there in the form of a Vista installation? Is that too much to hope for? Like, when I hit Continue, everything is going to be peaches and cream?

#98 RKinner (Malware Expert, MVP, 19,788 posts)
Most likely it will just reboot or do something else odd, but go ahead and let's see what happens.

The error message is one normally associated with Vista or Win 7. aswMBR said you had a standard XP MBR, so this should have worked unless we managed to get a Vista MBR by mistake. You might go back in and run MBR Wiz and see whether we get a different result when you have it repair the MBR.

#99 rootkits-r-evil (Member, Topic Starter, 168 posts)
Might have been related to the boot disk, because I was caught in a loop until I took the disk out. Let's see what it does now...

#100 rootkits-r-evil (Member, Topic Starter, 168 posts)
OK, it just booted up into Windows.

You might go back in and run MBR Wiz and see whether we get a different result when you have it repair the MBR.


Again, I don't understand what you are saying. Assume I am dumb, dumb, dumb.


You might go back in and run MBR Wiz and see whether we get a different result when you have it repair the MBR.

OK, I'll do whatever you say, but you have to hold my hand and take it slow, step by step.

For what it's worth, this machine is nowhere near back to normal, I can tell. For example, I still have no access to Windows firewall.

------So what's next?



#101 rootkits-r-evil (Member, Topic Starter, 168 posts)
I don't even understand what we just did. Back up the master boot record, I guess. Or did we change it? I dunno. I just want to fix this computer so bad.

And then I am going to uninstall Adobe Reader. There's your "virus delivery machine". This virus is spread as a "drive-by". It takes advantage of exploits in Adobe Reader. All Reader has done for me on this machine is give me rootkits when I get redirected to the wrong web page.

#102 RKinner (Malware Expert, MVP, 19,788 posts)
So the error was just because the CD was still in. That's a relief.

Copy the next line:

notepad \boot.ini


Start, All Programs, Accessories, Command Prompt to bring up a command window. Right click in the window and select Paste or Edit, Paste and the copied line should appear. Hit Enter. Notepad should open with the text from boot.ini. Copy and Paste it into a Reply.

#103 RKinner (Malware Expert, MVP, 19,788 posts)
We backed up the Master Boot Record and then if you did the:

MbrFix /drive 0 fixmbr /yes

we replaced it with a standard MBR. We haven't done anything to the mystery partition yet.

#104 rootkits-r-evil (Member, Topic Starter, 168 posts)
[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
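An added example, not part of this thread and not MbrFix's own code: before trusting a repair like the one in #103, a responder can inspect the saved MBR image (the C:\Backup_MBR_0.bin written by savembr) offline, checking the 0x55AA signature, hashing the 446 bytes of boot code against a known-good baseline, and listing the partition table with hidden volume types flagged. The 512-byte image and the baseline hash below are constructed for the example; the layout (active Windows volume in slot 2, which is what the boot.ini in #104 means by partition(2), and a hidden volume in slot 1) is an assumption about the OP's disk, not something the thread confirms.

```python
import hashlib
import struct
SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the bootstrap code
SIGNATURE = b"\x55\xaa"      # bytes 510..511
# Partition types used for hidden FAT/NTFS volumes. A bootkit's stash partition
# can show up this way, but so do legitimate OEM recovery volumes, so treat as a lead.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

def parse_mbr(data):
    """Return (sha256 of the boot code, list of non-empty partition entries)."""
    if len(data) != SECTOR:
        raise ValueError("MBR image must be %d bytes, got %d" % (SECTOR, len(data)))
    if data[510:512] != SIGNATURE:
        raise ValueError("0x55AA boot signature missing")
    parts = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack("<B3sB3sII", data[off:off + 16])
        if ptype:  # type 0x00 is an unused slot
            parts.append({"index": i + 1, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(), parts

def review_mbr(data, baseline_boot_sha256):
    """List what an analyst should look at before trusting a saved MBR."""
    boot_hash, parts = parse_mbr(data)
    findings = []
    if boot_hash != baseline_boot_sha256:
        findings.append("boot code differs from the known-good baseline")
    if sum(p["bootable"] for p in parts) != 1:
        findings.append("expected exactly one active (0x80) partition")
    for p in parts:
        if p["type"] in HIDDEN_TYPES:
            findings.append("entry %d is a hidden volume (type 0x%02X, %d sectors at LBA %d)"
                            % (p["index"], p["type"], p["sectors"], p["lba_start"]))
    return findings

def _entry(status, ptype, lba_start, sectors):
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

# Constructed sample, not a real disk image: a stub of "clean" boot code, a tampered
# copy with one patched byte, a hidden NTFS volume in slot 1 and the active Windows
# volume in slot 2 (the entry boot.ini's partition(2) would point at).
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOT_CODE_LEN - 7)
CLEAN_BOOT_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
TAMPERED_BOOT_CODE = CLEAN_BOOT_CODE[:0x100] + b"\xe9" + CLEAN_BOOT_CODE[0x101:]
SAMPLE_MBR = (TAMPERED_BOOT_CODE + _entry(0x00, 0x17, 63, 204800)
              + _entry(0x80, 0x07, 204863, 312000000) + b"\x00" * 32 + SIGNATURE)
```

Running `review_mbr(SAMPLE_MBR, CLEAN_BOOT_SHA256)` on the sample reports both the patched boot code and the hidden volume; on a real backup the baseline hash would come from a known-clean MBR of the same Windows version.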

#105 rootkits-r-evil (Member, Topic Starter, 168 posts)
So what are the odds I'm going to have this lappy up and running so I can take it with me tomorrow and get online with it out in the field?

I've always been an optimist, and maybe I am dreaming, but that has been the goal for me here all along.
