
tahoejeff
Premium
join:2001-07-01
Wisconsin Dells, WI

Too late to create Windows restore disc set?

I'm fixing a pc that has rootkit.mbr.pihar.g.
The normal bootrec /fixmbr was not able to fix the issue, as I expected.
The pc owner never created his Toshiba Windows restore disc set, so I am doing that now. What are the chances the set I'm creating will have the rootkit built into it?

I do have a Win 7 home premium 64bit upgrade disc, if that would work...but then I'd be hunting for drivers.

1-Would it be safe to assume that the rootkit cannot write itself to the restore discs?
2-Would my upgrade disc work to install to a Toshiba OEM license key? I know I could also find an ISO that is not an upgrade version, if you think that's necessary.
--
The Geek Shall Inherit the Earth



sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1

1 recommendation

1. Not a safe assumption. A rootkit could do pretty much anything. Will it? Depends on what the author was after when he wrote it.

2. Probably, but being an upgrade, you'd have to install some other Windows first.
--
Oh, Opera, what have you done?


redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
reply to tahoejeff

tahoejeff, here is an article about a "TDL4" bootkit infection. Maybe it will help:

»secure-computer-solutions.com/bl···t_1.html



tahoejeff
Premium
join:2001-07-01
Wisconsin Dells, WI

Thank you both for the replies. Redwolfe, I wish my search results would have provided your information sooner.
Creating the restore set failed, so I have installed my upgrade version.
Trawling the Toshiba site for drivers isn't fun. Almost makes me want to go back to recommending Dell laptops...
--
The Geek Shall Inherit the Earth



norwegian
Premium
join:2005-02-15
Outback

said by tahoejeff:

Trawling the Toshiba site for drivers isn't fun. Almost makes me want to go back to recommending Dell laptops...

Sometimes it is best to look at the C: drive for the Toshiba folder, as all drivers are in fact there on the computer.

However, if there are alternate data streams tied to all files with the infection, it may be more trouble than it is worth.

If you want a hand looking for drivers, list the exact laptop.
I have had some issues with downloading drivers off the site.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
Premium
join:2005-02-15
Outback
reply to tahoejeff

said by tahoejeff:

I'm fixing a pc that has rootkit.mbr.pihar.g.
The normal bootrec /fixmbr was not able to fix the issue, as I expected.

I have not heard of the /fixmbr working on multiple partition systems, only on a standard single partition. However, I'm happy to be proved wrong in this regard. I might learn something.

As you have processed the fixmbr, I doubt anything in regards to the recovery set would work, and of course there is a serious infection.

Starting from scratch and wiping the HDD, not just creating a new partition, is the best option.
It might be worth getting a set of CDs off Toshiba if you find you have problems sourcing drivers.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to sivran

I did install Windows 7 Home Premium x64 from an upgrade DVD to a newly formatted HDD. I could not use the product key from the install disk, though; had to use the MS product key update service, and enter the product key from the CoA label on the computer case for activation.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum



ashrc4
Premium
join:2009-02-06
australia
reply to tahoejeff

said by tahoejeff:

The normal bootrec /fixmbr was not able to fix the issue, as I expected.

Have you considered EaseUS Partition Master? It has its own fix MBR option that uses an ISO for the job.


TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:5
reply to tahoejeff

Malwarebytes Anti-Rootkit can remove it. The best thing to do would be to post in »Security Cleanup and follow the instructions for what you need to post, and be specific on what you have already done to try to remove the rootkit. It looks like you may already have reinstalled on the infected system, but you still need to scan with Malwarebytes Anti-Rootkit; depending on how you reinstalled, it may still be there.
--
Proud ASAP member since 2005
Microsoft MVP/Consumer Security 2009-2010
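The "it may still be there" point above, and norwegian's earlier note about partitions, come down to what is actually sitting in sector 0. As an added Python example (not code from any poster, Toshiba or Malwarebytes), this parses a 512-byte MBR image, compares the bootstrap area against a known-good hash, and flags partition-table anomalies; the MBR bytes, the known-good hash and the disk size are all constructed here for the demonstration.

```python
import hashlib
import struct

SECTOR = 512
SIGNATURE = b"\x55\xaa"

def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte entries at offset 446 (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries

def inspect_mbr(mbr: bytes, known_good_sha256: str, disk_sectors: int) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if len(mbr) != SECTOR or mbr[510:512] != SIGNATURE:
        findings.append("bad sector size or missing 0x55AA boot signature")
        return findings
    # A bootkit replaces the 440-byte bootstrap area; compare it to a known-good hash.
    if hashlib.sha256(mbr[:440]).hexdigest() != known_good_sha256:
        findings.append("bootstrap code differs from known-good image")
    used = [p for p in parse_partition_table(mbr) if p["type"] != 0]
    if sum(p["active"] for p in used) > 1:
        findings.append("more than one partition flagged active")
    for p in used:  # an entry that runs past the end of the disk is never legitimate
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past end of disk")
    used.sort(key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):  # overlapping entries are another hiding pattern
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR: bootstrap, 6-byte disk-signature area, table, 0x55AA."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(440, b"\x00") + b"\x00" * 6 + table + SIGNATURE

# Constructed sample data: a stand-in for vendor boot code, not bytes from any real disk.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
CLEAN_HASH = hashlib.sha256(CLEAN_CODE.ljust(440, b"\x00")).hexdigest()
DISK_SECTORS = 500_000_000
LAYOUT = [(0x80, 0x07, 2048, 204_800), (0x00, 0x07, 206_848, 400_000_000)]

def clean_mbr() -> bytes:
    return build_mbr(CLEAN_CODE, LAYOUT)

def tampered_mbr() -> bytes:
    # Constructed: patched bootstrap plus a hidden entry pointing past the disk end.
    return build_mbr(b"\xeb\xfe" + CLEAN_CODE, LAYOUT + [(0x00, 0x27, 499_999_000, 10_000)])
```

On a real machine the 512 bytes would come from reading sector 0 of the physical disk from clean boot media, and the reference hash from a known-clean image of the same vendor's boot code.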



tahoejeff
Premium
join:2001-07-01
Wisconsin Dells, WI
reply to norwegian

Thank you Norwegian.
It was a real struggle finding the correct driver for the wireless adapter, because Toshiba listed numerous for this model.
Once I found the right driver for wireless, I was able to find the rest of the drivers with a simple free tool called SlimDrivers.
--
The Geek Shall Inherit the Earth