Alternative Corrective MBR Procedures

The MBR utils out there all suffer the same thing they just backup the entire MBR because they just backup by sector size which is always 512 bytes. MBRFix, MBRWizard etc. To recover from a MBR rootkit all that is needed is to just to backup and restore the first 440 bytes. FixMbr on the recovery console does this but i prefer to have another util on a CD or USB stick for this. The command Fdisk /mbr did this too but is not for XP/NT so no good. It looks after many a search theres so few utils out there that do it if any. A way to do i propose is to backup the 512 bytes then extract the boot part, save it to disk, trim it with a auto editor and resave it as another file and then restore this edited boot part back so it not destroying your PT . This might sound fiddly but if all the commands are run from a bat file it is totally automatic.

So when you want to fix your pc you not sat there thinking i need to get rid of this rootkit but if i do will it damage my data or not. You don't want to have that decision to make.

It not my MBRWhisky as i said before i inserted load and save backup HEAD under the File menu. I then used it to backup the Eaz-Fix boot overlay outside of Windows to successfully backup all Eaz-Fix snapshots.

That Hiren CD is strictly Warez.

 

There is tools that will do it in windows called dsfo and dsfi. http://members.ozemail.com.au/~nulifetv/freezip/freeware/dsfok.zip

so...

dsfo \\.\PHYSICALDRIVE0 0 512 C:\mbr.dat - This would backup the original MBR of disk 0.
dsfo C:\mbr.dat 0 446 C:\oldmbr.dat - This would save the first 446 bytes from mbr.dat
dsfo C:\oldmbr.dat 446 66 C:\oldpt.dat - This would just save my original partition table to oldpt.dat

so i now have the original MBR and original Partition Table saved seperately, that's handy

i then later change the partition down the line...

so i backup my new MBR and partition table, thats handy also to have

dsfo \\.\PHYSICALDRIVE0 0 512 C:\newmbr.dat - This would backup the new MBR of disk 0 which would contain the rootkit.
dsfo C:\newmbr.dat 446 66 C:\newpt.dat - This would just save my new partition table to newpt.dat

so i can then delete newmbr.dat as it contains the rootkit and not my original MBR.

so bearing in mind can only write back no less than 1 sector(512bytes) i join the old MBR and the new partition table back together.

copy /b c:\oldmbr.dat+C:\newpt.dat C:\savembr.dat

and then write it to disk...

dsfi \\.\PHYSICALDRIVE0 0 512 C:\savembr.dat

I now restored my original MBR and kept my new PT no more nasty rootkit. no more corrupt data.

What's hard about that all run from a bat file?

I just now need a way to do it in Dos! so those tools are out.

 

Ok seems i had easier solution under my nose. The Dos version of MBRWizard 2.0 beta has repair option. This is good, as MBRWiz has useful options i use already.

MBRWizD /Repair=1 /Disk=0

Designed to create a new Master Boot Record on a blank disk, or fix a damaged, corrupt, or missing MBR. Specifying an option of '1' will save a PE/XP/2003 MBR to the specifed disk. Note, this option will not modify the partition table.

 

I now implemented to repair MBR and so remove MBR rootkit into my dos recovery menu. This is the safe way to repair the MBR as discussed. It also means you don't have to bother backing up the MBR as it comes with a standard XP MBR

@Easter congratulations on a great descriptive title and for the thread content.

@Haiiry Coo thanks alot for your contributions. MBRWhisky is a frontend to MBRWizard. There is 1 shortcoming to MBRWizard including MBRWhisky,
it doesn't detect logical partitions as the MBR is kept elsewhere for that type of partition. MBRWhisky has the MBR Repair option also You can run it from windows and little will complain. It maybe MS may come out with a patch to stop this happening.