Need MBR Repair Tool...



PudnikSchool
2013-01-02, 20:36
Hello,

My Windows 2008 Server R2 was infected with a rootkit.

I have cleaned up all the files but I have *multiple* MBRs that have been affected.

They were detected by the home version of Spybot.

The primary OS will boot and run, but it still shuts down at random due to the infected MBRs on multiple physical disks.

Please recommend a multiple MBR repair tool, other than MBRwizard Suite, that will:

required:

- Repair MBRs on multiple system and non-system disks, not just the current system disk

- Write plain Windows Server 2008 R2 MBRs that Spybot Home Edition will detect as valid MBRs

- runs at the command line

nice-to-have:

- runs as a GUI

- runs in either normal mode or safe mode

Thanx in advance to all who reply.

PudnikAtSchool

S1ybot
2013-01-03, 22:05
DBAN using a "full" disk wipe
You haven't listed what hardware you have, but if it's a true SCSI setup re-flash the firmware on your RAID card and HDDs. Don't connect any NICs until it's fully patched and secured. (assuming DMZ).

PudnikSchool
2013-01-04, 08:12
My Hardware:

Moboard: K8 Triton Series AMD64 CPU

HDD in question, from MBRcheck report:

PhysicalDrive2 Model Number: ST3160023A, Rev: 8.01 (160 GB)

OK, I burned onto a DVD the latest version of DBAN and attempted to wipe the drive Spybot 2 is reporting as having an unknown MBR. It crashed, then dumped me to an advertisement screen.

I then installed a fresh version of:
Windows Server 2008 R2 Standard Edition 64-bit version

Onto that drive. This, and the previous bootrec command attempts, should have at least cleared the MBR on that drive. I think it should have replaced any MBR records with a Windows 7 MBR.

Instead, Spybot 2 is still detecting an unknown MBR on that drive. Even more strange, the MBRcheck utility is reporting the MBR as a Windows 98 MBR! :sick:

\\.\H: --> \\.\PhysicalDrive2 at offset 0x00000000`00100000 (NTFS)

149 GB \\.\PhysicalDrive2 Windows 98 MBR code detected
SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E

So, my next question is:

Is there a tool that I can use, even if it has to be burned onto a boot disk, that will wipe Sector 0 on that physical disk clean, then replace the MBR with a Windows 7 MBR that Spybot 2 and MBRcheck will detect correctly...?

Thanx again for all your help,
PudnikSchool

P.S. I am a registered owner of Spybot 2 Professional Edition...
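
Added example, not part of the original thread and not MBRcheck's or Spybot's own code: a read-only Python check that parses sector 0 of each disk, hashes the boot code and compares it with a baseline taken from a disk you trust. Hashing bytes 0-439 as the boot-code range is an assumption, the function names are hypothetical, and the sample sector is constructed (its partition starts at byte offset 0x100000, like the one in the report above).

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # bytes 0-439 hold the bootstrap code (assumed hash range)
TABLE_OFF = 446       # four 16-byte partition entries follow


def read_sector0(path):
    """Read-only fetch of sector 0 from a disk image or raw device path."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR)


def parse_mbr(sector):
    """Return boot-code SHA-1, boot-signature status and used partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        raw = sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        # status, 3 CHS bytes, type, 3 CHS bytes, start LBA, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype:
            parts.append({"slot": i, "active": status == 0x80, "type": ptype,
                          "byte_offset": lba * SECTOR, "sectors": count})
    return {"code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
            "signature_ok": sector[510:512] == b"\x55\xaa",
            "partitions": parts}


def audit(sector, baseline_sha1):
    """List findings for one disk against a known-good boot-code hash."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha1"] != baseline_sha1.upper():
        findings.append("boot code differs from baseline: " + info["code_sha1"])
    return findings


def sample_sector():
    """Constructed sector: filler boot code, one NTFS (0x07) entry at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 312_000_000)
    return bytes(440) + bytes(6) + entry + bytes(48) + b"\x55\xaa"
```

Run `audit(read_sector0(path), baseline)` once per physical disk from an elevated prompt or a boot disk; an empty list means the boot code matches the baseline and the 0x55AA signature is present.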

PudnikSchool
2013-01-06, 08:05
...I unplugged the data plug from the drive, Spybot gave the system a clean bill of health, and I left the computer on for a full 8 hours and it did not shut down.

So it looks like I need to replace that drive, and also upgrade my motherboard to one which has a robust BIOS, and a TPM chip so I can encrypt all my drives, even the system ones.

Thanx for your help :)