[RKinner]

OK. Type:

MBRWiz /save=C:\savedMBR


see what happens

[Advertisements]

"Bad command or file name".

[rootkits-r-evil]

"Bad command or file name".

[rootkits-r-evil]

MBRWiz /save=C:\savedMBR


Is there supposed to be a space after the "Z"? (I typed one because there is one in what you typed.)

[RKinner]

I assume you had a space after mbrwiz?

Type:
dir

If it gives you a list of folders then:

cd mbrwiz (Or whatever it calls the folder) then try the command again

Ron

[rootkits-r-evil]

I assume you had a space after mbrwiz?

Yes.

Type:
dir

I did.

If it gives you a list of folders then:

cd mbrwiz (Or whatever it calls the folder) then try the command again


You lost me again. I don't understand. I don't know DOS, I don't understand how to interpret what I am looking at here. I see lots of white letters and numbers on a black screen- beyond that, I do not know how to interpret them.

Here is a photo. (Please keep in mind that to someone like me, this might as well be Swahili or the writings of ancient Druids. I'm sorry, but I just don't understand it.)

[rootkits-r-evil]

What should I do?

[rootkits-r-evil]

Or how about this...?

This is what is on my screen right now.

Isn't this what we want? Won't one of the first two choices here back up the MBR so we can get to it again if need be?

[RKinner]

CompCav says I gave you the wrong command. Should be

mbrwizd /save=C:\savedMBR

But just Reboot and choose the mini XP. CompCav says the drive has to be mounted so if we just boot into the mini XP then Start, All Programs you should see the one we want and not have to mount it.

Ron

[rootkits-r-evil]

OK. Hold on, will boot into that...

[rootkits-r-evil]

"But just Reboot and choose the mini XP. CompCav says the drive has to be mounted so if we just boot into the mini XP then Start, All Programs you should see the one we want and not have to mount it."

OK, am booted up on MiniXp from the Hirem disk.

I can click on the "Start" menu- so what's "the one we want"?

[rootkits-r-evil]

No wait! You don't mean, "Start", ---> "all programs". You mean from the Start Menu, HBCD Programs.


That gives me a Windows Explorer type window, and I see, "MBRFix.cmd"


THAT'S what we want, right?

[rootkits-r-evil]

This is WAY better. I can handle this. Typing DOS commands blindly was painful. That would give a headache to a bottle of Advil.

[rootkits-r-evil]

OK, so I see "MBRFix.cmd". Assuming that's "what we want", what do I do next?

[RKinner]

You still need to type in a DOS like prompt:

From CompCav:

"click start
click Programs
click HBCD Menu
click Browse folder
in right hand window page down to MbrFix.cmd
a black command window will open and also a MbrFix.txt window.
In the taskbar click on the c:\ in the box next to B:\Temp\HBCD...
Now the black command window should show with b:\Temp\HBCD>_
Type the command as you had in #29 with adding the location to save the file.

MbrFix /drive 0 savembr C:\Backup_MBR_0.bin
(The OP can check on the c drive to see it is in the root directory)

Then the command to fix it:

MbrFix /drive 0 fixmbr /yes


Then he can close the command window and click Start in the lower left hand corner,

click Shutdown
in the window that comes up hit the down arrow to select Restart / Eject
Then click OK

(The machine will eject the Hirens Boot CD and Start up normally.)"

This leaves the E:\ partition intact so perhaps we should try and run MBR Wizard while we are here before we reboot?

It's not clear to me from the write up how exactly it gets to the E:\ partition but the writeup I saw had people reinstalling Windows and getting reinfected because they hadn't removed the partition.
http://resources.inf...tealth-rootkit/

Ron

[rootkits-r-evil]

writeup I saw had people reinstalling Windows and getting reinfected because they hadn't removed the partition.


I knew it! I was thinking I couldn't even just re-install the OS for that reason. And I;'ve seen threads, as I said, where people said that is what they were going to do and the thread was closed. I just knew they were wrong in thinking they were all set.

This virus just $ucks.

OK, here I go...