[RKinner]

I've asked about this beast in our internal forum. Don't be surprised if you may get some requests for scans or instructions from some of our more experienced folk. No promises. Depends on who is on line today.

[Advertisements]

I did that, and the results are interesting. There is a mystery drive, Drive E. Hold on, I'll post it in detail....

[rootkits-r-evil]

I did that, and the results are interesting. There is a mystery drive, Drive E. Hold on, I'll post it in detail....

[rootkits-r-evil]

This is like when you get in an accident, and when you bring the car to the body shop and the guy calls into the garage- "Holy Cow! Hey Guys- come check out this guy's car. Wow!"

__________


But I understand. I've been reading about this virus online too. And it's interesting.

Here is a photo of what happens when I type"map" in recovery console. (After telling it which version of Windows that is supposedly installed on my machine to use)





As you can see, There's:

? FAT16 102MB \Device\Harddisk0\Partition1
C: NTFS 111803MB \Device\Harddisk0\Partition2
E: Fat32 2558MB \Device\Harddisk0\Partition3
D: \Device\CDRom0

[rootkits-r-evil]

OK, so what do I do now?

I have a sneaky, hidden partition on my hard drive that the computer itself doesn't know about- containing..... who knows what?

Shall I continue to run tests, scans, or fixes on the other partition?

What's the game plan?

[RKinner]

Can you create the Hiren boot disk and back up your mbr as in post 29?

I think if we fix the MBR then we can remove the funny partition but I don't want to do it unless I can back it up first.

Ron

[rootkits-r-evil]

Yes. But let me ask you this- could I do it with the BartsPE boot disk I have already? Or should I take the time to make the one you suggest?

[rootkits-r-evil]

And how about that photo I posted? Isn't that amazing?

[rootkits-r-evil]

Actually, this Hirams looks pretty good. A great thing to have. It's downloading, but will take over an hour and a half for me.

[rootkits-r-evil]

"Hiren".

[rootkits-r-evil]

I usually use freeisoburner
http://www.freeisoburner.com/
to make the bootable CD.

Actually, the download had CD burning software in it that worked just fine.




Or boot from it directly.

I booted the infected machine with it. It's running now. (Geez, this disk is awesome. Why wouldn't everyone with a Windows machine want one of these hanging around? It's been one of the few bright spots in this ordeal actually.)

There should be a menu. Chose the MBR Tools.


OK, here goes...

[rootkits-r-evil]

There should be a menu.

There is.

Chose the MBR Tools.


I don't see that.


Closest thing I see is "Boot HDD 1 MBR".

There is a "custom menu", but it's not there either.


Not sure what to do?

[RKinner]

Appears this bug eats your antivirus and replaces it with itself. If you still have Symantec, make sure you kill all of its processes and drivers.

I'm going to have to go to bed now. Missed my nap today because of the party.

Once you back up the mbr, I'd run some fo the anti-virus scans that come with Hiren's then I'd try replacing the mbr with the standard XP MPR. Then boot into Recovery Console and delete the E:\ partition.

Good luck.

[RKinner]

Choose Dos Programs then 9 then I think you will see the MBR

[rootkits-r-evil]

Appears this bug eats your antivirus and replaces it with itself. If you still have Symantec, make sure you kill all of its processes and drivers.


never had it. that's just the freebee that came with the machine you see. Never used it.

I'm going to have to go to bed now. Missed my nap today because of the party.

Understand. Clearly, like me, you keep weird hours.

Once you back up the mbr, I'd try replacing it with the standard XP MPR. Then boot into Recovery Console and delete the E:\ partition.

_______________ > I just can't find this "MBR Tools". <_______________


Beyond that, I think I'll be OK.

Thank you.

[rootkits-r-evil]

"Choose Dos Programs then 9 then I think you will see the MBR "

No, but it gives me another menu with 9 other choices. "9" is "back"