Challenging Rootkit
Started by rootkits-r-evil, Aug 20 2011 04:03 PM
#121
Posted 22 August 2011 - 09:26 PM

(I can't help but think of Stanley Kubrick here.)
#122
Posted 22 August 2011 - 09:29 PM

"Find the hal.dll file on the good PC.
Copy it to the USB drive.
Move it to the bad.
Copy from the usb drive to C:\hal.dll"
Hah! For once I was ahead of you. I was typing that I was doing that very thing while you were suggesting it.
"Boot into the Recovery console. Select C:
Type:
copy E:\hal.dll c:\Windows\System32\hal.dll"
I'll try. Not sure where to "select C", but I'll try....
#123
Posted 22 August 2011 - 09:34 PM

Remember when you booted into the Recovery Console it asked you which Windows you wanted. C or E?
It might be best to back up the file first:
copy c:\Windows\System32\hal.dll c:\Windows\System32\hal.old
Ron
#124
Posted 22 August 2011 - 09:40 PM

I did exactly as you said, it came back with "The system cannot find the file specified".
#125
Posted 22 August 2011 - 10:22 PM

" Find the hal.dll file on the good PC.
Copy it to the USB drive.
Move it to the bad.
Copy from the usb drive to C:\hal.dll
Boot into the Recovery console. Select C:
Type:
copy E:\hal.dll c:\Windows\System32\hal.dll"
I missed that part. Should I do it now, even though I got the "file not found"?
#126
Posted 22 August 2011 - 10:30 PM

What makes us think our pal hal.dll is in the mystery, "E" drive? Remember how there wasn't much on that drive? I bet there is a folder called "windows", but I am not sure there is much in there- except what the virus needs. I'm not the expert, but I'm just sayin,...
#127
Posted 22 August 2011 - 10:35 PM

You can look from the Recovery Console.
Select E:
Then
cd \windows\system32
dir hal.dll
repeat for C:
There has to be a hal.dll somewhere or it couldn't boot.
Probably one in \windows\system32\dllcache
#128
Posted 22 August 2011 - 10:42 PM

"You can look from the Recovery Console.
Select E:
Then
cd \windows\system32
dir hal.dll
repeat for C:
There has to be a hal.dll somewhere or it couldn't boot.
Probably one in \windows\system32\dllcache"
I just looked in the C:\windows\system32 folder directly. There it is, but the funny thing is, it's in all capital letters, it's "HAL.DLL"
Does that matter?
To me, it looks suspicious like that, as if it's a fake hal. Like the virus killed the real one and installed that instead.
#129
Posted 22 August 2011 - 10:45 PM

I understand that the problem is replacing "Bad Hal" with a good one while the machine is running. It needs it to run so you can't do that. But what about booting up with the Hiren CD? Can I boot with that and then transfer a good copy from the thumb drive?
#130
Posted 22 August 2011 - 10:48 PM

It's possible. Depends on if the mini XP will recognize your hard drive. Give it a shot.
#131
Posted 22 August 2011 - 10:57 PM

Hmmmm. Does this matter? I looked closely at Good Hal, from the "Good PC" ("hal.dll" with the small letters), and Bad Hal, from the infected machine, "HAL.DLL". If you look, the size is different.
Good Hal
size: 131 KB (134,400 bytes)
size on disk: 132 KB (135,168 bytes)
Bad Hal
size: 131 KB (134,272 bytes)
size on disk: 132 KB (135,168 bytes)
Notice that the size of Bad Hal is a little smaller.
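An added example (not from any poster in this thread) of comparing two copies of a system DLL by more than size and name: it reports size, SHA-256, the PE header build timestamp, and whether the stored PE checksum matches a recomputed one. The sample images, their timestamps and the 128-byte size gap (the same gap as between the two sizes quoted above) are constructed; `describe` and `make_sample` are hypothetical helper names.

```python
import hashlib
import struct

PE_OFF = 0x3C  # e_lfanew: file offset of the "PE\0\0" signature

def pe_fields(data: bytes):
    """Return (timestamp, stored_checksum, checksum_offset) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, PE_OFF)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    cks_off = pe + 4 + 20 + 64  # signature + COFF header + 64 bytes into optional header
    timestamp = struct.unpack_from("<I", data, pe + 8)[0]
    return timestamp, struct.unpack_from("<I", data, cks_off)[0], cks_off

def compute_checksum(data: bytes, cks_off: int) -> int:
    """PE checksum: folded 16-bit sum with the CheckSum field zeroed, plus file length."""
    buf = data[:cks_off] + b"\0" * 4 + data[cks_off + 4:]
    buf += b"\0" * (len(buf) % 2)
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)

def describe(data: bytes) -> dict:
    # A matching checksum only rules out damage or careless patching; a SHA-256
    # match against a known-good copy of the same build proves the file is identical.
    timestamp, stored, cks_off = pe_fields(data)
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "timestamp": timestamp,
            "checksum_ok": stored == compute_checksum(data, cks_off)}

def make_sample(timestamp: int, body: bytes) -> bytes:
    """Constructed minimal PE-like image (headers only, not loadable) for the demo."""
    img = bytearray(b"MZ" + b"\0" * 62 + b"PE\0\0" + b"\0" * 88 + body)
    struct.pack_into("<I", img, PE_OFF, 0x40)
    struct.pack_into("<I", img, 0x48, timestamp)
    struct.pack_into("<I", img, 0x98, compute_checksum(bytes(img), 0x98))
    return bytes(img)

GOOD = make_sample(1100000000, b"\x90" * 256)   # constructed values throughout
OTHER = make_sample(1000000000, b"\x90" * 128)  # different build: 128 bytes smaller, intact
TAMPERED = GOOD[:200] + b"\xCC" + GOOD[201:]    # same size as GOOD, one byte changed

if __name__ == "__main__":
    for name, img in (("GOOD", GOOD), ("OTHER", OTHER), ("TAMPERED", TAMPERED)):
        print(name, describe(img))
```

Windows file names are case-insensitive, so `HAL.DLL` versus `hal.dll` is not an indicator by itself. On real files, pass `open(path, "rb").read()` to `describe` for both copies and compare the results.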
#132
Posted 22 August 2011 - 10:57 PM

"It's possible. Depends on if the mini XP will recognize your hard drive. Give it a shot. "
Will do.
#133
Posted 22 August 2011 - 11:16 PM

I was able to save a copy of bad hal, then replace with good hal. Tried to reboot, and I got caught in that loop, had to pop the disk out.
Then I didn't switch to "Good Windows" fast enough, so it's rebooting off bad windows. Will lather, rinse, repeat, to good windows. Hold on...
#134
Posted 22 August 2011 - 11:21 PM

$hit.
Booted into "good Windows", got the same error message. "hal.dll" is corrupt.
I'm out of ideas. But the good news is- I'm the expert who comes up with the good ideas. :-)
So I'm going to sit back and wait for you to have a stroke of genius here. I'm counting on you. I know you can do it.
#135
Posted 22 August 2011 - 11:23 PM

seems to me the answer is staring us in the face.