Challenging Rootkit



#76
RKinner
    Malware Expert
  • Expert
  • 24,662 posts
  • MVP
OK. Type:

MBRWiz /save=C:\savedMBR


see what happens
  • 0

#77
rootkits-r-evil
    Member
  • Topic Starter
  • Member
  • 168 posts
"Bad command or file name".
  • 0

#78
rootkits-r-evil
    Member
  • Topic Starter
  • Member
  • 168 posts
MBRWiz /save=C:\savedMBR


Is there supposed to be a space after the "Z"? (I typed one because there is one in what you typed.)
  • 0

#79
RKinner
    Malware Expert
  • Expert
  • 24,662 posts
  • MVP
I assume you had a space after mbrwiz?

Type:
dir

If it gives you a list of folders then:

cd mbrwiz (Or whatever it calls the folder) then try the command again

Ron
  • 0

#80
rootkits-r-evil
    Member
  • Topic Starter
  • Member
  • 168 posts
"I assume you had a space after mbrwiz?"

Yes.

"Type:
dir"

I did.

"If it gives you a list of folders then:

cd mbrwiz (Or whatever it calls the folder) then try the command again"

You lost me again. I don't understand. I don't know DOS, and I don't understand how to interpret what I am looking at here. I see lots of white letters and numbers on a black screen; beyond that, I do not know how to interpret them.

Here is a photo. (Please keep in mind that to someone like me, this might as well be Swahili or the writings of ancient Druids. I'm sorry, but I just don't understand it.)

Posted Image
  • 0

#81
rootkits-r-evil
    Member
  • Topic Starter
  • Member
  • 168 posts
What should I do?
  • 0

#82
rootkits-r-evil
    Member
  • Topic Starter
  • Member
  • 168 posts
Or how about this...?

This is what is on my screen right now.

Isn't this what we want? Won't one of the first two choices here back up the MBR so we can get to it again if need be?

Posted Image
  • 0

#83
RKinner
    Malware Expert
  • Expert
  • 24,662 posts
  • MVP
CompCav says I gave you the wrong command. Should be

mbrwizd /save=C:\savedMBR

But just Reboot and choose the mini XP. CompCav says the drive has to be mounted so if we just boot into the mini XP then Start, All Programs you should see the one we want and not have to mount it.

Ron
  • 0

#84
rootkits-r-evil
    Member
  • Topic Starter
  • Member
  • 168 posts
OK. Hold on, will boot into that...
  • 0

#85
rootkits-r-evil
    Member
  • Topic Starter
  • Member
  • 168 posts
"But just Reboot and choose the mini XP. CompCav says the drive has to be mounted so if we just boot into the mini XP then Start, All Programs you should see the one we want and not have to mount it."

OK, am booted up on Mini XP from the Hiren's disk.

I can click on the "Start" menu- so what's "the one we want"?
  • 0

#86
rootkits-r-evil
    Member
  • Topic Starter
  • Member
  • 168 posts
No wait! You don't mean, "Start", ---> "all programs". You mean from the Start Menu, HBCD Programs.


That gives me a Windows Explorer type window, and I see, "MBRFix.cmd"


THAT'S what we want, right?
  • 0

#87
rootkits-r-evil
    Member
  • Topic Starter
  • Member
  • 168 posts
This is WAY better. I can handle this. Typing DOS commands blindly was painful. That would give a headache to a bottle of Advil.
  • 0

#88
rootkits-r-evil
    Member
  • Topic Starter
  • Member
  • 168 posts
OK, so I see "MBRFix.cmd". Assuming that's "what we want", what do I do next?
  • 0

#89
RKinner
    Malware Expert
  • Expert
  • 24,662 posts
  • MVP
You still need to type in a DOS like prompt:

From CompCav:

"click start
click Programs
click HBCD Menu
click Browse folder
in right hand window page down to MbrFix.cmd
a black command window will open and also a MbrFix.txt window.
In the taskbar click on the c:\ in the box next to B:\Temp\HBCD...
Now the black command window should show with b:\Temp\HBCD>_
Type the command as you had in #29 with adding the location to save the file.

MbrFix /drive 0 savembr C:\Backup_MBR_0.bin
(The OP can check on the c drive to see it is in the root directory)

Then the command to fix it:

MbrFix /drive 0 fixmbr /yes


Then he can close the command window and click Start in the lower left hand corner,

click Shutdown
in the window that comes up hit the down arrow to select Restart / Eject
Then click OK

(The machine will eject the Hirens Boot CD and Start up normally.)"

This leaves the E:\ partition intact so perhaps we should try and run MBR Wizard while we are here before we reboot?

It's not clear to me from the write up how exactly it gets to the E:\ partition but the writeup I saw had people reinstalling Windows and getting reinfected because they hadn't removed the partition.
http://resources.inf...tealth-rootkit/

Ron
  • 0
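A way to sanity-check a saved MBR backup like the one the savembr step above writes, as an added example that is not part of the thread or of MbrFix. The 512-byte sample image and the type/size heuristic are constructed assumptions; on a real backup you would read the file bytes instead of calling build_sample_mbr().

```python
import struct

COMMON_TYPES = {0x05, 0x07, 0x0B, 0x0C, 0x0F}  # extended, NTFS, FAT32 variants

def build_sample_mbr() -> bytes:
    # Constructed 512-byte image standing in for a backup such as
    # C:\Backup_MBR_0.bin (values are illustrative, not from the thread).
    # Entry 1: normal bootable NTFS system partition. Entry 2: a small extra
    # partition at the end of the disk, the kind the linked writeup says
    # survives a Windows reinstall. Bootstrap code is left zeroed.
    boot_code = bytes(440)
    disk_sig = b"\x12\x34\x56\x78\x00\x00"
    e1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 976_000_000)
    e2 = struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", 0x27, b"\xfe\xff\xff", 976_000_063, 8192)
    return boot_code + disk_sig + e1 + e2 + bytes(32) + b"\x55\xaa"

def parse_mbr(image: bytes) -> dict:
    """Decode the four primary partition entries and the 0x55AA signature."""
    if len(image) != 512:
        raise ValueError("an MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, size = struct.unpack("<B3sB3sII", image[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": size})
    return {"signature_ok": image[510:] == b"\x55\xaa",
            "bootstrap_all_zero": not any(image[:440]),
            "partitions": partitions}

def suspicious_partitions(parsed: dict, min_sectors: int = 131072) -> list:
    """Heuristic (an assumption, not from the thread): flag entries whose type
    is uncommon on a Windows disk or that are smaller than 64 MiB."""
    flagged = []
    for p in parsed["partitions"]:
        reasons = []
        if p["type"] not in COMMON_TYPES:
            reasons.append("uncommon type 0x%02X" % p["type"])
        if p["sectors"] < min_sectors:
            reasons.append("only %d sectors" % p["sectors"])
        if reasons:
            flagged.append((p["index"], reasons))
    return flagged

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("signature ok:", info["signature_ok"], "| partitions:", len(info["partitions"]))
    for index, reasons in suspicious_partitions(info):
        print("entry %d looks odd: %s" % (index, "; ".join(reasons)))
```

A flagged entry is a reason to look closer before reinstalling, not proof of infection; recovery and OEM tools legitimately use uncommon type codes too.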

#90
rootkits-r-evil
    Member
  • Topic Starter
  • Member
  • 168 posts
"writeup I saw had people reinstalling Windows and getting reinfected because they hadn't removed the partition."

I knew it! I was thinking I couldn't even just re-install the OS for that reason. And I've seen threads, as I said, where people said that is what they were going to do and the thread was closed. I just knew they were wrong in thinking they were all set.

This virus just $ucks.

OK, here I go...
  • 0





