remove or disable MBR
kowboy33
Posts: 1
Joined: 12 Sep 2012, 15:34

remove or disable MBR

#1 Post by kowboy33 »

I have two issues. Two drives, C and F.

My Win7 64-bit machine got infected by a rootkit. After many hours of trying to fix it, I got a new HD and reloaded everything. New antivirus (Bitdefender) and firewall (Comodo).
Using my old XP box to access the disks using a USB-to-SATA connection.

C: 1TB
Has a rootkit buried deep in the MBR; nothing is able to remove or fix it.
I would like to remove the MBR, or any recommendations to stop it from booting; it's trying to boot when I connect through the USB2SATA. Not going to even try to connect this to my new Win7 unless the booting stops.
Still have data on the drive.

F: 2TB
I did connect this one to Win7 through USB2SATA, but
the file format is set to RAW. Looking for a way to recover or convert back to NTFS.


Basically I want to be able to get the data from these drives, ensure it's safe, and then I will reformat both of them to be used for future data and backups. Hoping to get this done soon, so I can take a clean image of my newly rebuilt drive. So I don't have to go through reloading again.

Thanks for any advice.

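A note on the two questions above, followed by an added example that is not from this thread or from the TestDisk project. Plugging a disk in over USB does not execute its MBR; the code in sector 0 only runs when the BIOS boots from that disk. If you still want to be certain nothing in sector 0 can ever run, you can zero just the 440 bytes of boot code and leave the disk signature, partition table and 55AA signature in place, so the partitions stay mountable and the data stays reachable. This stops the MBR stage; it does not remove anything the rootkit wrote elsewhere (hidden sectors after the MBR, files inside the Windows installation), so it complements the reinstall rather than replacing it. The script below assumes a classic MBR disk with 512-byte sectors, POSIX sh with dd, od, tr and grep, and the disk attached to a Linux machine as a block device that is not the one you booted from; the sample sector it builds for testing is constructed, not taken from any real disk.

```shell
#!/bin/sh
# Added example (not the thread's or TestDisk's code): make the boot code in
# sector 0 inert while keeping the partition table so the data stays reachable.
# Assumptions: classic MBR with 512-byte sectors; POSIX sh with dd, od, tr, grep;
# the target is a block device (or image file) other than the system disk.

# Layout of the 512-byte MBR (standard):
#   bytes   0..439  boot code  (this is what an MBR rootkit replaces)
#   bytes 440..443  disk signature, 444..445 reserved
#   bytes 446..509  four 16-byte partition entries
#   bytes 510..511  0x55 0xAA boot signature

# Hex dump of a byte range as one lowercase string, e.g. "55aa".
mbr_hex() {            # $1=file  $2=offset  $3=length
    od -An -v -tx1 -j"$2" -N"$3" "$1" | tr -d ' \n'
}

# Exit status 0 when the sector ends with the 0x55AA boot signature.
mbr_is_valid() {
    [ "$(mbr_hex "$1" 510 2)" = "55aa" ]
}

# Exit status 0 when all 440 boot-code bytes are zero (nothing left to run).
mbr_bootcode_is_zero() {
    ! mbr_hex "$1" 0 440 | grep -q '[^0]'
}

# Save sector 0 of $1 to $2, then zero ONLY the boot code on $1. The disk
# signature, partition table and 55AA signature are untouched, so the
# partitions still mount; sector 0 simply no longer contains code.
# Refuses (and changes nothing) when $1 carries no MBR signature, and fails
# if bytes 440..511 differ from the backup afterwards.
mbr_neuter() {
    dev=$1; backup=$2
    mbr_is_valid "$dev" || { echo "$dev: no 55AA signature, refusing" >&2; return 1; }
    dd if="$dev" of="$backup" bs=512 count=1 2>/dev/null || return 1
    dd if=/dev/zero of="$dev" bs=1 count=440 conv=notrunc 2>/dev/null || return 1
    [ "$(mbr_hex "$dev" 440 72)" = "$(mbr_hex "$backup" 440 72)" ]
}

# Constructed 512-byte sample MBR for trying this on a plain file: a few fake
# boot-code bytes, one bootable NTFS entry at offset 446, and the 55AA mark.
make_sample_mbr() {
    img=$1
    dd if=/dev/zero of="$img" bs=512 count=1 2>/dev/null
    printf '\353\076\220MSDOS5.0' | dd of="$img" bs=1 conv=notrunc 2>/dev/null
    printf '\200' | dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null  # bootable flag
    printf '\007' | dd of="$img" bs=1 seek=450 conv=notrunc 2>/dev/null  # type 0x07 (NTFS)
    printf '\010' | dd of="$img" bs=1 seek=455 conv=notrunc 2>/dev/null  # start LBA 2048
    printf '\020' | dd of="$img" bs=1 seek=460 conv=notrunc 2>/dev/null  # 0x100000 sectors
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Usage: sh neuter_mbr.sh /dev/sdX /root/sdX-sector0.bak
# Confirm /dev/sdX with lsblk first; never point this at the disk you booted from.
if [ $# -eq 2 ]; then
    mbr_neuter "$1" "$2" && echo "boot code zeroed, backup of sector 0 in $2"
fi
```

Keep the backup file: `dd if=backup of=/dev/sdX bs=512 count=1` restores the original sector if you ever need it for analysis, and the partition table inside it is also what TestDisk would rebuild from if the table itself had been damaged.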
Lito
Posts: 83
Joined: 08 Sep 2012, 06:58

Re: remove or disable MBR

#2 Post by Lito »

For the drive with the rootkit or MBR problem that nothing can fix, I would run DBAN, if there is nothing on that disk that you would want to save. You can get DBAN from http://www.dban.org . What you get is an ISO file, meaning an image of a CD or DVD that you will have to burn to a blank CD. You can do that with tools like Nero (not free), ImgBurn (free), K3b (free with many versions of Linux), Brasero (Linux again), etc. That will give you a boot CD.
Before you boot your DBAN CD, you will have to disconnect your good new disk, the one you just finished installing the system on. Take it out of the machine. If you have many USB ports, disconnect as many as possible. Do not disconnect the ports where your keyboard or mouse plug in. Make a note of the cables you pull and where they fit.
Now you will have to temporarily fit the bad HDD (the one with the rootkit) in the machine. Make sure the BIOS in your machine is set to boot from CD. Get your DBAN CD in the CD drive. You can use a straightened paperclip to open the tray without power: gently push the paperclip into the little hole that is next to the CD drive's power button. When you are ready, power up and boot from the DBAN CD. It will take quite a few hours. Might be a good time to take a nap. When it finishes, everything on the disk will be gone, including the rootkit.

dragonfly41
Posts: 67
Joined: 14 Sep 2012, 20:51

Re: remove or disable MBR

#3 Post by dragonfly41 »

Have you tried this to disinfect?

http://support.kaspersky.com/faq/?qid=208280684

Lito
Posts: 83
Joined: 08 Sep 2012, 06:58

Re: remove or disable MBR

#4 Post by Lito »

I have found this information only today.
Maybe it can help.
Have a look at this article:
http://www.h-online.com/security/featur ... 50313.html

At the end of the rootkit analysis, the researcher names and provides the link to a tool from Avast:

aswMBR.exe

http://public.avast.com/~gmerek/aswMBR.htm

It may be worth a try.
