Re: Web searches hijacked by malware



On 10/12/2009 16:15, Mike Easter wrote:
~BD~ wrote:
Mike Easter wrote:
I'm reading that the real MS one has tools in the Recovery Console,
which includes the tools fixboot and fixmbr;
Personally, I would much rather work with choices from all of the
tools in something like Hiren's or TinyXP or a linux live CD.
I do recall trying to access the Recovery Console in the dim and distant
past, but vaguely remember getting stuck when faced with item 3./4. -
"When you are prompted, type the Administrator password".
Here's how you get to and use the Recovery Console. Select the R for
Recovery Console at the blue Startup screen. The first Recovery Console
screen changes to black and requests which installation and if there is
only one, you must press 1 before Enter. Then comes the prompt for
Admin pw; but the default is blank so you just hit Enter. This article
shows you screenshots of all of that. http://snipr.com/tmxx4 How to
access the Recovery Console:

You can use the Help to see the commands and Help command to get a
little info about them. That MS kb article I cited earlier also
describes the commands.



That information is very helpful. Bookmarked for possible future use.


Might it be reasonable to deduce that unless one does actually use the
Recovery Console to rewrite the MBR (or use one of the other methods
you have mentioned) simply running the 'Install' procedure on the Windows
set-up CD *could* leave a virus or other form of malware sitting in
the MBR ready to pounce once again into the bright and shiny new
installation?
If you have a damaged or infected mbr, the routine XP install won't do
anything about it. I once had a problem mbr, not from a virus but from
some kind of grub misadventure. It was such 'strange' damage that I had
to use a sector editor to zero it out; fix mbr didn't work. That is
another example in which it seemed to me that I needed some tools with
more flexibility or power than the hammer and chisel ones such as are
listed in the MS Recovery Console.

It sounds as if you are more of a computer 'fixer' than a 'user', Mike!

It is good to hear you confirm that a routine install of XP does *not* correct an infected MBR.
http://www.symantec.com/connect/blogs/bootroot-trojanmebroot-rootkit-your-mbr

AFAICT, there is no easy way to determine if one has actually attracted such an infection.
Perhaps whenever one feels it necessary to reinstall Windows, the MBR should be rewritten first.


I wonder if that's what 'Moe Trin' was getting at.
When you refer to 'something' someone was 'getting at', you should find
their words and quote them.


You are right. I'm sorry about that ....... but it was not really what he said, it was what I thought he might have been inferring!


FYI, I have now used my XP CD to boot to the Recovery Console just as you have described. Thank you! :)

--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)
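
Added example, not part of the original post: a small Python parser for a 512-byte image of disk sector 0 that separates the MBR boot code discussed in this thread from the partition table and compares the code against a previously recorded hash. The function names, the 440-byte code-area layout and the sample sector are assumptions constructed for illustration, and the image is assumed to have been captured while booted from separate media such as a live CD.

```python
import hashlib
import struct

SECTOR = 512
CODE_END = 440    # assumed layout: bootstrap code occupies bytes 0..439
TABLE_OFF = 446   # four 16-byte partition entries follow
SIG_OFF = 510     # boot signature bytes 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR image into boot code, table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, n_sectors = struct.unpack_from("<II", entry, 8)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"slot": i, "active": status == 0x80,
                          "type": ptype, "lba": lba_start,
                          "sectors": n_sectors})
    code = sector[:CODE_END]
    return {
        "valid_signature": sector[SIG_OFF:] == b"\x55\xaa",
        "code_is_blank": not any(code),   # e.g. zeroed with a sector editor
        "code_sha256": hashlib.sha256(code).hexdigest(),
        "partitions": parts,
    }


def code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot code differs from a previously recorded hash."""
    return parse_mbr(sector)["code_sha256"] != baseline_sha256


def make_sample(code: bytes) -> bytes:
    """Constructed sample sector: one active type-0x07 partition at LBA 63."""
    entry = bytes([0x80, 1, 1, 0, 0x07, 254, 255, 255])
    entry += struct.pack("<II", 63, 1_000_000)
    body = code.ljust(TABLE_OFF, b"\x00") + entry + bytes(48)
    return body + b"\x55\xaa"
```

The partition table and signature can be identical in two sectors whose boot code differs, which is why the hash covers the code area only.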