
Need Help installing/booting home ed from external drv only


This topic is locked
6 replies to this topic

#1 spot2112

spot2112

  • Members
  • 86 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:42 PM

Posted 04 September 2010 - 12:39 AM

Hello...


Would someone be so kind as to help me get a brand new external drive running with XP, with no internal drive connected?

I installed Windows to the external drive, and at the very end of the copy phase, before the first reboot, I got "No Drive Found!" Click okay and you get a window called "MBRinst.exe" with lots of helpful information about switches etc. I can use to fix the problem, only I have no access to the program MBRinst if it even exists in my OS.

Personal FAIL, I didn't disconnect the other devices (besides the onboard drive) and the external drive was drive(4). So I did just that and ran fixmbr from the recovery console DVD and tried again. Again, at the end of the copy phase, same error and info pop-ups, then reboot at the first splash screen. Subsequent reboots result in the boot selection screen, complete with last known config option.


I need to install this way because I can't seem to wipe a rootkit off the internal drive.

Currently I have the system running on the internal drive, external disconnected. SP3 is installed, but no other updates. I loaded a few investigating tools and a firewall, Windows Defender and Malwarebytes with defs from last April. All of this (SP3, tools, firewall) comes from DVDs burned when I thought the rootkit was gone, but now I don't trust them.

Using disk investigator, I have found some interesting code in various sectors on the drive, and I think I know the module that has been involved, CSRSVR.exe.


The malware info is just background...

My _ultimate_ goal here is to recover data from a second external drive we have to assume is infected, but first a clean install on a new external drive.


Anyone want to tackle this one with me?



#2 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,276 posts
  • OFFLINE
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:12:42 PM

Posted 04 September 2010 - 01:02 AM

Since you have the installation disk, just wipe the internal hdd with an application like Darik's Boot and Nuke. Overwriting the hdd will take care of any infection that you have.

As for booting from the external hdd, whether this will work depends on your BIOS. The BIOS has to be able to boot from an external hdd.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


#3 Drovers Dog

Drovers Dog

  • Members
  • 1,048 posts
  • OFFLINE
  • Gender:Male
  • Location:Brisbane, Australia
  • Local time:05:42 AM

Posted 04 September 2010 - 05:47 AM

You said this,

I need to install this way because I cant seem to wipe a rootkit off the internal drive.


Can you give more details of it? I just may be able to help you out with this one. I played with this one for months, if it is the same, Mate, and ended up beating it, if it is the same one? It threw lots of people out at the time because simply reformat and reinstall DIDN'T work, it kept coming back. Nothing could detect it, but it was there and kept coming back. Trust me, I have good expertise in what I do, as I repair and reclaim Computers for disadvantaged people and know many many Tricks, all legal in most Countries. But some Countries do not want Details of it publicised? That is what the writers of the particular Code relied on.

I almost went crazy about it but eventually found the Cure to it. If it is the same one, I am happy to share what I learned about it here. It was one different Mother of a thing.

The Root Kill was lodged in quite a few unusual places once it became embedded and would just spread into your External Drive, if it would let you install there.

Ray.

Edited by Drovers Dog, 04 September 2010 - 06:08 AM.

What ever you give to others, you will get back doubled, Just make sure you only give Nice Things?......DD saying

There is a saying, "You just can't make a silk purse out of a sow's ear" it means "to be happy with what you have and not look for the impossible"......DD saying

The "Spirit" of the people who died, on that terrible day 9/11 will NEVER REST until such time as the "Imbeciles" that caused it, are eliminated through out the World.....DD saying

What is a Dog?

#4 spot2112

spot2112
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:42 PM

Posted 04 September 2010 - 08:54 AM

I appreciate the quick replies.

Dc3, when a drive is wiped, do you know if the MBR is wiped? I have not been able to find that info, but I believe it does. Just want to confirm. I used the clean command (I think under diskpart, never can remember). I thought I had it taken care of but later saw in the logs it looked like the RK was back after the first exe ran after install.


I tried boot n nuke actually, about 3 re-installs ago. It kept crashing. I had it on two different UBCD4Win (3.5 & 3.6) those dvds were made while I was likely infected, and don't have an easy way to get a new copy on the drive. I could DL to iPhone, but rootkit won't let me install iPhone explorer or similar.

DroversDog, what kind of detail would be helpful? Should we move to another forum to discuss rootkit?

I have process explorer and process monitor, used them to find the possible module involved.

I can give you a general idea of the code that I found in the sectors if you like. It looks like code borrowed from legitimate apps. The last programming language I learned was FORTRAN 77, so I can't really ID the language without being told what to look for.

Logs and such generated over several installs can be found here.

Thanks again.



The RK seems to be listening on 135 and 443 TCP/UDP.

#5 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,276 posts
  • OFFLINE
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:12:42 PM

Posted 04 September 2010 - 11:29 AM

When you wipe the hdd it overwrites all data on the drive.

I have been using Wipedrive for several years, but wasn't aware until today that there is now a free download of it. You can download it here.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


#6 Drovers Dog

Drovers Dog

  • Members
  • 1,048 posts
  • OFFLINE
  • Gender:Male
  • Location:Brisbane, Australia
  • Local time:05:42 AM

Posted 04 September 2010 - 09:48 PM

DroversDog, what kind of detail would be helpful? Should we move to another forum to discuss rootkit?

I have process explorer and process monitor, used them to find the possible module involved.


I did check out the Link you gave and am sure you may well have a variant of this little Fellow that is a real tricky one to get rid of. But it can be done.

MBR Rootkit, A New Breed of Malware. Posted by Kimmo @ 11:08 GMT

News broke out earlier this year of a new breed of rootkit using techniques never before seen in modern malware. The most notable of them is the fact that the rootkit replaces the infected system's Master Boot Record (MBR).

The MBR is the first physical sector of the hard drive and contains the first code loaded and executed from the drive during the boot process.

In the competition between rootkits and rootkit detectors, the first to execute has the upper hand. And you can't execute earlier than from the MBR. Of course, MBR viruses used to be very common in the DOS days, 15 years ago or so. But this is 2008.

This new Windows MBR rootkit launches itself very early during the Windows startup process without requiring any registry or file modifications. In fact, it is quite surprising that it's possible to write to the MBR from within Windows to begin with.

The MBR rootkit — known as "Mebroot" — is very advanced and probably the stealthiest malware we have seen so far. It keeps the amount of system modifications to a minimum and is very challenging to detect from within the infected system.

Below are some details about the MBR rootkit's stealth features:

The ntoskrnl.exe module hook that executes the kernel-mode downloader payload is set to the nt!Phase1Initialization function which resides in the INIT section. This means that after the system has initialized the section is wiped out from memory and no sign of the hook is any longer present.

The rootkit stores data that's required to survive reboots in physical sectors instead of files. This means that the data, including the real payload, is not visible or in any way accessible to normal applications. Therefore the rootkit does not have to hook the normal set of interfaces to keep them hidden.

The MBR is the rootkit's launch point. Therefore it doesn't need to make any registry changes or to modify any existing startup executables in order to launch itself. This means that the only hooks it needs to make are used to hide and protect the modified MBR. Essentially this means that the rootkit hooks only two DWORDs from the disk.sys driver object which is shown in the picture below.


http://www.f-secure.com/weblog/archives/00001393.html

It actually hides in Hardware, I had 9 Computers down with it and eventually found where it was hiding. In the DVD ROM of all places. Have a read of the Article and if you want I will try to guide you through it. It does entail some serious work on your part, but I am 90% sure it can be fixed, as I have fixed mine.

Ray.

Edited by Drovers Dog, 04 September 2010 - 10:03 PM.

What ever you give to others, you will get back doubled, Just make sure you only give Nice Things?......DD saying

There is a saying, "You just can't make a silk purse out of a sow's ear" it means "to be happy with what you have and not look for the impossible"......DD saying

The "Spirit" of the people who died, on that terrible day 9/11 will NEVER REST until such time as the "Imbeciles" that caused it, are eliminated through out the World.....DD saying

What is a Dog?
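The F-Secure article quoted above describes the MBR as the first physical sector of the disk (boot code followed by the partition table and a signature) and notes that Mebroot replaces that boot code while leaving the partition table usable, which is why it is hard to spot from inside the running system. dc3's earlier reply (post #5) makes the related point that a full wipe overwrites that sector too. The script below is an added example, not code from this thread or from F-Secure: it parses a 512-byte MBR, hashes the boot-code region and compares it against a baseline hash taken from a trusted install, so that a replaced loader stands out even when the partition table is unchanged, and it recognises an all-zero sector as the result of a full overwrite. All three sample sectors are constructed inline; the partition layout, the boot-code bytes and the verdict names are assumptions of the example, not values from the page.

```python
"""Parse a 512-byte MBR and compare its boot code against a known-good hash.
Constructed sample sectors stand in for reading the real disk (added example,
not code from the forum thread or the F-Secure article)."""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:                      # type 0x00 marks an unused entry
            partitions.append({
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sector_count,
            })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "all_zero": not any(sector),
    }


def mbr_verdict(sector: bytes, known_good_boot_code_sha256: str) -> str:
    """Classify a sector relative to a baseline recorded from a trusted install."""
    info = parse_mbr(sector)
    if info["all_zero"]:
        return "blank"               # fully overwritten: nothing left to boot from
    if not info["signature_ok"]:
        return "no-signature"        # not a valid MBR at all
    if info["boot_code_sha256"] != known_good_boot_code_sha256:
        return "boot-code-modified"  # partition table may be intact, loader is not
    return "ok"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable type-0x07 partition, valid signature."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")
    # status 0x80 (bootable), CHS fields zeroed, type 0x07, LBA start 63, 1,000,000 sectors
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three entries unused
    return code + table + BOOT_SIGNATURE


# Constructed samples (hypothetical bytes, not a real loader or a real infection).
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # recorded while trusted
TAMPERED_MBR = build_sample_mbr(b"\xeb\x10\x90\x90")        # loader replaced, table kept
WIPED_MBR = b"\x00" * MBR_SIZE                               # what a full overwrite leaves

if __name__ == "__main__":
    for name, sec in [("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("wiped", WIPED_MBR)]:
        print(f"{name:9s} -> {mbr_verdict(sec, BASELINE_HASH)}")
```

The baseline hash only means something if it was recorded while the sector contents could be trusted, and the comparison only means something if the sector is read from outside the suspect system: the article's point is that the rootkit hooks disk.sys to hide the modified MBR, so a read taken from inside the infected Windows install can return the original bytes. Reading sector 0 from boot media or another machine, then comparing against the stored hash, avoids that.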

#7 Pandy

Pandy

    Bleepin'


  • Members
  • 9,559 posts
  • OFFLINE
  • Gender:Female
  • Local time:03:42 PM

Posted 04 September 2010 - 11:02 PM

Hello,

Since there is a topic in progress here: http://www.bleepingcomputer.com/forums/topic339791.html

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.



To avoid confusion, I am closing this topic. Good luck with your log.

Do not anticipate trouble, or worry about what may never happen. Keep in the sunlight.

Hide not your talents. They for use were made. What's a sundial in the shade?

~ Benjamin Franklin

I am a Bleeping Computer fan! Are you?
