Challenging Rootkit


#106 RKinner (Malware Expert, MVP)

We might get lucky but if you want to be sure then I would wipe it and reinstall XP. Do you have the CD?

#107 rootkits-r-evil (Topic Starter, Member)

I'm pretty sure I do not. And the whole point here was to not have to reinstall. I want to try for "lucky". I'm a lucky guy.

Call me "Lucky", and what is the next step?

#108 rootkits-r-evil (Topic Starter, Member)

I looked, and there is no CD. Which is OK, because I really, REALLY don't want to give up and re-install the OS and lose years of work setting it all up. That would be admitting defeat.

Reinstalling the OS = Disaster.

#109 RKinner (Malware Expert, MVP)

Looking at the boot.ini I see something funny. It says:

multi(0)disk(0)rdisk(0)partition(2)\

Seems to me that is the hidden partition it is calling for. I would think the regular partition would be 1 and not 2.


Open boot.ini in notepad as you did before and make it say

[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Good Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

The next-to-last line is a copy of the original last line with the partition number changed to 1 and the word Good added before Microsoft. Otherwise it's the same.

File, Save. (This is a read only file so you have to tell it you want to write it.) If it won't let you, open up a command prompt as before and type:
attrib  -r  \boot.ini
Then try to save it. Reboot and you should have three choices. Pick the one that says Good Microsoft Windows XP Home Edition. I want to see if that boots.

Ron
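The boot.ini Ron edits above has a fixed shape: a [boot loader] section whose default= line names an ARC path, and an [operating systems] section that maps each ARC path (or a plain file path, for the Recovery Console) to a quoted menu label plus switches. The Python below is an added example written for this page, not code from the thread or from Geeks to Go. It parses a constructed copy of the edited boot.ini, pulls the partition number out of each ARC path, and reports the two things Ron checked by eye: a default that boots a partition other than the one the caller expects (the expected_partition argument is an assumption; the thread's working guess is partition(1)), and entries that point at different partitions from one another. The finding messages and function names are the example's own.

```python
import re

# Constructed sample mirroring the edited boot.ini posted in the thread
# (not read from any real machine).
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Good Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
"""

# ARC path as NTLDR reads it: multi(a)disk(b)rdisk(c)partition(d)\directory
ARC_RE = re.compile(
    r"^multi\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\[^\s=]*)?$",
    re.IGNORECASE,
)


def arc_partition(path):
    """Partition number of an ARC path, or None for non-ARC entries such as the CMDCONS line."""
    m = ARC_RE.match(path)
    return int(m.group(4)) if m else None


def parse_boot_ini(text):
    """Return (default_path, entries); each entry is a dict with path, label, switches, partition."""
    section = None
    default = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        # Only the first '=' separates key from value; switches like /noexecute=optin follow.
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "default":
                default = value
        elif section == "operating systems":
            m = re.match(r'"([^"]*)"\s*(.*)$', value)
            label = m.group(1) if m else value
            switches = m.group(2).split() if m else []
            entries.append({
                "path": key,
                "label": label,
                "switches": switches,
                "partition": arc_partition(key),
            })
    return default, entries


def check_boot_ini(text, expected_partition=1):
    """Return a list of findings; an empty list means nothing looked off.

    expected_partition is an assumption supplied by the caller (the thread's
    working guess is that the regular XP install lives on partition(1)).
    """
    default, entries = parse_boot_ini(text)
    findings = []
    default_part = arc_partition(default) if default else None
    if default is None:
        findings.append("no default= line in [boot loader]")
    elif default_part is None:
        findings.append(f"default is not an ARC path: {default}")
    elif default_part != expected_partition:
        findings.append(
            f"default boots partition({default_part}), expected partition({expected_partition})"
        )
    if default and not any(e["path"].lower() == default.lower() for e in entries):
        findings.append("default path has no matching [operating systems] entry")
    partitions = sorted({e["partition"] for e in entries if e["partition"] is not None})
    if len(partitions) > 1:
        findings.append(f"ARC entries point at different partitions: {partitions}")
    return findings


if __name__ == "__main__":
    default, entries = parse_boot_ini(SAMPLE_BOOT_INI)
    print("default:", default)
    for e in entries:
        print(f"  partition={e['partition']!s:<5} {e['label']!r} {' '.join(e['switches'])}")
    for finding in check_boot_ini(SAMPLE_BOOT_INI):
        print("finding:", finding)
```

Run against the sample it reports that the default boots partition(2) while partition(1) was expected, and that the menu now mixes entries on partitions 1 and 2, which is exactly the situation the "Good" entry was added to test.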

#110 rootkits-r-evil (Topic Starter, Member)

"The next-to-last line is a copy of the original last line with the partition number changed to 1 and the word Good added before Microsoft. Otherwise it's the same.

File, Save. (This is a read only file so you have to tell it you want to write it.) If it won't let you,"

It wouldn't.

"open up a command prompt as before and type:

attrib -r \boot.ini

Then try to save it."

It said, "Not resetting hidden file -C:\boot.ini"

Because I have to go back and forth with a thumb drive, I didn't cut and paste the text. Does it matter how many spaces there are between "attrib" and "-r"? Or anything like that?

#111 rootkits-r-evil (Topic Starter, Member)

I typed it exactly. That is two spaces. Same thing.

#112 RKinner (Malware Expert, MVP)

Try
attrib  -r  -h  -s  \boot.ini

One space should be enough. I use two in the code box so that you can see where the space goes.

#113 RKinner (Malware Expert, MVP)

If that doesn't work then try the official MS way:

http://support.microsoft.com/kb/289022

#114 rootkits-r-evil (Topic Starter, Member)

"If that doesn't work then try the official MS way:

http://support.microsoft.com/kb/289022"

I read it three times and it made no sense to me.

#115 rootkits-r-evil (Topic Starter, Member)

I think that worked! I'm going to try to reboot.

#116 rootkits-r-evil (Topic Starter, Member)

OK, as you said, it gave me three choices. (Four actually, including "don't choose this.")

BUT....

I selected "Windows Good", and it gives me a black screen that says,

"Windows could not start because the following file is missing or corrupt:

<Windows Root>\system32\hal.dll

Please re-install a copy of the above file."

#117 RKinner (Malware Expert, MVP)

Is the PC that works also an XP? You can try copying the file from C:\Windows\System32\hal.dll on the good PC to the bad PC. Problem I see is getting it onto the C:\ drive. I suppose you can boot into the bad Windows and copy it to C:\ then boot into the Recovery Console, log on to the C: drive and type:

copy E:\hal.dll c:\Windows\System32\hal.dll

#118 RKinner (Malware Expert, MVP)

Or just try the one in E:

copy E:\Windows\System32\hal.dll c:\Windows\System32\hal.dll

#119 rootkits-r-evil (Topic Starter, Member)

"Is the PC that works also an XP?"

Yes.

"You can try copying the file from C:\Windows\System32\hal.dll on the good PC to the bad PC."

Not sure how to do that.

"Problem I see is getting it onto the C:\ drive. I suppose you can boot into the bad Windows and copy it to C:\ then boot into the Recovery Console, log on to the C: drive and type:

copy E:\hal.dll c:\Windows\System32\hal.dll "


I don't understand. You're over my head here.

#120 RKinner (Malware Expert, MVP)

Find the hal.dll file on the good PC.
Copy it to the USB drive.
Move it to the bad PC.
Copy it from the USB drive to C:\hal.dll

Boot into the Recovery console. Select C:

Type:

copy E:\hal.dll c:\Windows\System32\hal.dll