Challenging Rootkit

#121
rootkits-r-evil (Member, Topic Starter, 168 posts)
For what it's worth, I copied hal.dll from the good PC and the copy is on my thumb drive right now.


(I can't help but think of Stanley Kubrick here.)

#122
rootkits-r-evil (Member, Topic Starter, 168 posts)
"Find the hal.dll file on the good PC.
Copy it to the USB drive.
Move it to the bad.
Copy from the usb drive to C:\hal.dll"


Hah! For once I was ahead of you. I was typing that I was doing that very thing while you were suggesting it.


"Boot into the Recovery console. Select C:

Type:

copy E:\hal.dll c:\Windows\System32\hal.dll"

I'll try. Not sure where to "select C", but I'll try....

#123
RKinner (Malware Expert, MVP, 20,029 posts)
Remember when you booted into the Recovery Console, it asked you which Windows you wanted, C or E?

It might be best to back up the file first:

copy c:\Windows\System32\hal.dll c:\Windows\System32\hal.old

Ron

#124
rootkits-r-evil (Member, Topic Starter, 168 posts)
I did exactly as you said; it came back with "The system cannot find the file specified".

#125
rootkits-r-evil (Member, Topic Starter, 168 posts)
" Find the hal.dll file on the good PC.
Copy it to the USB drive.
Move it to the bad.
Copy from the usb drive to C:\hal.dll

Boot into the Recovery console. Select C:

Type:

copy E:\hal.dll c:\Windows\System32\hal.dll"

I missed that part. Should I do it now, even though I got the "file not found"?

#126
rootkits-r-evil (Member, Topic Starter, 168 posts)
What makes us think our pal hal.dll is in the mystery "E" drive? Remember how there wasn't much on that drive? I bet there is a folder called "windows", but I am not sure there is much in there, except what the virus needs. I'm not the expert, but I'm just sayin'...

#127
RKinner (Malware Expert, MVP, 20,029 posts)
You can look from the Recovery Console.

Select E:

Then

cd \windows\system32

dir hal.dll

repeat for C:

There has to be a hal.dll somewhere or it couldn't boot.

Probably one in \windows\system32\dllcache

#128
rootkits-r-evil (Member, Topic Starter, 168 posts)
"You can look from the Recovery Console.

Select E:

Then

cd \windows\system32

dir hal.dll

repeat for C:

There has to be a hal.dll somewhere or it couldn't boot.

Probably one in \windows\system32\dllcache"

I just looked in the C:\windows\system32 folder directly. There it is, but the funny thing is, it's in all capital letters: "HAL.DLL".

Does that matter?


To me, it looks suspicious like that, as if it's a fake hal. Like the virus killed the real one and installed that instead.

#129
rootkits-r-evil (Member, Topic Starter, 168 posts)
I understand that the problem is replacing "Bad Hal" with a good one while the machine is running. It needs it to run so you can't do that. But what about booting up with the Hiren CD? Can I boot with that and then transfer a good copy from the thumb drive?

#130
RKinner (Malware Expert, MVP, 20,029 posts)
It's possible. Depends on if the mini XP will recognize your hard drive. Give it a shot.

#131
rootkits-r-evil (Member, Topic Starter, 168 posts)
Hmmmm. Does this matter? I looked closely at Good Hal, from the "Good PC" ("hal.dll" with the small letters), and Bad Hal, from the infected machine, "HAL.DLL". If you look, the size is different.



Good Hal

size: 131 KB (134,400 bytes)
size on disk: 132 KB (135,168 bytes)


Bad Hal

size: 131 KB (134,272 bytes)
size on disk: 132 KB (135,168 bytes)


Notice that the size of Bad Hal is a little smaller.
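A size difference like the one above is a hint, not a verdict. An added check (not from either poster) that a defender could run on the good PC against both copies: recompute the PE image checksum each file carries in its own header and compare it with the stored value, then hash both copies. The 312-byte sample image is constructed here so the script runs offline; function names are the example's own, and `compare_copies` takes the raw bytes of the two real files.

```python
import hashlib
import struct

def _checksum_field_offset(data: bytes) -> int:
    # e_lfanew (at 0x3C) -> "PE\0\0" -> 20-byte COFF header -> CheckSum at +0x40 of the optional header
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + 20 + 0x40

def pe_checksum(data: bytes) -> int:
    """Recompute the PE image checksum (the MapFileAndCheckSum sum), skipping the stored CheckSum dword."""
    skip = _checksum_field_offset(data) & ~3
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def stored_pe_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]

def compare_copies(good: bytes, bad: bytes) -> dict:
    """Side-by-side facts about two copies of the same DLL."""
    return {
        "same_size": len(good) == len(bad),
        "same_sha256": hashlib.sha256(good).digest() == hashlib.sha256(bad).digest(),
        "good_checksum_ok": pe_checksum(good) == stored_pe_checksum(good),
        "bad_checksum_ok": pe_checksum(bad) == stored_pe_checksum(bad),
    }

def build_sample_pe(checksum_field: int) -> bytes:
    """Constructed 312-byte stand-in for a PE image (not a real hal.dll): MZ stub, i386 COFF header, PE32 optional header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 0x40, checksum_field)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    good = build_sample_pe(pe_checksum(build_sample_pe(0)))   # intact copy: stored field matches
    bad = bytearray(good); bad[0x100] = 1                      # one patched byte, same size
    print(compare_copies(good, bytes(bad)))
```

A copy whose stored checksum does not match the recomputed one is either truncated or altered, which is the kind of damage the boot loader's "corrupt" complaint points at.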

#132
rootkits-r-evil (Member, Topic Starter, 168 posts)
"It's possible. Depends on if the mini XP will recognize your hard drive. Give it a shot. "

Will do.

#133
rootkits-r-evil (Member, Topic Starter, 168 posts)
I was able to save a copy of Bad Hal, then replace it with Good Hal. Tried to reboot, and I got caught in that loop; had to pop the disk out.

Then I didn't switch to "Good Windows" fast enough, so it's rebooting off bad Windows. Will lather, rinse, repeat, to good Windows. Hold on...

#134
rootkits-r-evil (Member, Topic Starter, 168 posts)
$hit.

Booted into "good Windows", got the same error message. "hal.dll" is corrupt.

I'm out of ideas. But the good news is, I'm the expert who comes up with the good ideas. :-)

So I'm going to sit back and wait for you to have a stroke of genius here. I'm counting on you. I know you can do it.

#135
rootkits-r-evil (Member, Topic Starter, 168 posts)
Seems to me the answer is staring us in the face.