Re: Web searches hijacked by malware



On Wed, 9 Dec 2009, in the Usenet newsgroup alt.computer.security, in article
<7oauj0F3nj7ptU1@xxxxxxxxxxxxxxxxxx>, Mike Easter wrote:

~BD~ wrote:

Mike Easter wrote:

I don't have one of those real MS ones

I don't normally worry about the MS media, but I don't believe I've
seen systems delivered recently with real MS media - it's all
manufacturer rescue image CDs/DVDs.

I've not carried out the install exercise for some months now (not
since I bought my iMac!) but IIRC there are no 'tools' as such -
for the likes of me, anyway!

How often does your average user do an install? Back when you had
two floppy disks to install MS-DOS 3.x, a lot more people were doing
so, and it wasn't anywhere _near_ as complicated as one of the
current versions of windoze. Installing applications could be (and
often was) complicated, but not the O/S itself.

When one elects to carry out a new install of XP (this is the Home
edition I have) one is asked to format and one can choose 'Quick'
or 'normal' (longer!).

My (very limited) understanding is that both clear the directory and
the table that translated between file name and physical location on
the disk (the FAT tables in DOS, inodes in many types of *nix). With
the "quick" format, the data remains physically present (recoverable
with a disk editor, or anything else using physical addressing).
This means that if the malware is using physical addressing, it may
still be dangerous.

I'm sorry I can't recall from where I've got this notion about the
MBR remaining intact (and possibly still being infected). Perhaps
someone else will know.

The MBR is the only "known" location on a disk. The BIOS knows where
it is, and knows that there should be a bit of machine code that
starts the boot loading process. Part of that machine code is the
physical address of the rest of the boot loader and the operating
system. Thus when you do an install, the MBR will be overwritten
with the necessary data to find the rest of that code. As the
MBR is a small sector (512 bytes), and the disk system is incapable
of writing/reading individual bytes, the entire block will be
overwritten.

I'm reading that the real MS one has tools in the Recovery Console,
which includes the tools fixboot and fixmbr; and in addition that
fdisk has the undocumented command fdisk /mbr which rewrites the mbr.

I thought the 'fdisk /mbr' was DOS, win9x and winme, and was replaced
by fixmbr in XP. My understanding is that these tools are enough
to eradicate a boot sector virus. Of course, they do nothing with
the rest of the virus (originally pointed to by the MBR), but if
nothing is pointing to it, it's not likely to be runnable.

From MS's kb 314058

and how many users can find that document? More correctly, how many
would even know to _look_ for it? Most computer operating systems
are built for that 6 year old that microsoft was using to advertise
windoze 7 on US television a month or two ago. Just click this icon,
or select that menu item, and all will be fine... ``trust me''.

Old guy
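The post above describes the MBR as a 512-byte sector that the BIOS reads blindly, holding boot code followed by the pointers to the rest of the boot loader. The following is an added example, not code from this thread or from any of its posters: a small Python parser for that sector that checks the 0x55AA boot signature, decodes the four 16-byte partition entries, and hashes the 446-byte boot code region so a copy taken from a known-good disk can be compared against the current one (the defender's counterpart to the "fixmbr" discussion: you can tell whether the boot code has been rewritten before deciding to rewrite it). The two sample images are constructed inline; the byte values in them are placeholders, not real boot loaders.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot loader machine code
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow the code
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry.

    Layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4).
    The CHS fields are skipped; modern code uses the LBA fields.
    """
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector: bytes) -> dict:
    """Validate a 512-byte MBR image and return its boot code hash and partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        partitions.append(parse_partition_entry(sector[off:off + PARTITION_ENTRY_LEN]))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_changed(baseline: bytes, current: bytes) -> bool:
    """True if the boot code region differs between a known-good MBR and the current one.

    Only the first 446 bytes are compared: the partition table legitimately
    changes when disks are repartitioned, the boot code normally does not.
    """
    return (parse_mbr(baseline)["boot_code_sha256"]
            != parse_mbr(current)["boot_code_sha256"])


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test image: given boot code bytes, one bootable type-0x07
    partition starting at LBA 63, three empty entries, and the signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_LEN * 3)
    return code + table + BOOT_SIGNATURE


# Constructed samples (placeholder bytes, not real boot loaders): the second
# image keeps the same partition table but has different boot code.
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"\x01\x02\x03\x04")


if __name__ == "__main__":
    info = parse_mbr(BASELINE_MBR)
    print("boot code sha256:", info["boot_code_sha256"])
    for n, p in enumerate(info["partitions"]):
        print(f"entry {n}: {p}")
    print("boot code changed:", boot_code_changed(BASELINE_MBR, TAMPERED_MBR))
```

On a live system the 512 bytes would come from reading the start of the raw disk device (which requires administrator or root rights) rather than from the constructed samples; the comparison logic is the same. Hashing only the boot code region, not the whole sector, is what lets the check survive ordinary repartitioning while still flagging a rewritten loader.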