Re: I've done both of these 'silly things'!

"~BD~" <BoaterDave@xxxxxxxxxxxxxx> wrote in message news:uaggyGLlIHA.5368@xxxxxxxxxxxxxxxxxxxxxxx

"FromTheRafters" <Erratic@xxxxxxxxx> wrote in message news:O9XorxFlIHA.5080@xxxxxxxxxxxxxxxxxxxxxxx

"~BD~" <BoaterDave@xxxxxxxxxxxxxx> wrote in message news:%23SC2F8%23kIHA.1212@xxxxxxxxxxxxxxxxxxxxxxx

"FromTheRafters" <Erratic@xxxxxxxxx> wrote in message news:eyTQU$2kIHA.5088@xxxxxxxxxxxxxxxxxxxxxxx

"~BD~" <BoaterDave@xxxxxxxxxxxxxx> wrote in message news:%23RzxTUrkIHA.4140@xxxxxxxxxxxxxxxxxxxxxxx

"FromTheRafters" <Erratic@xxxxxxxxx> wrote in message news:OK6Sf$qkIHA.4480@xxxxxxxxxxxxxxxxxxxxxxx

"~BD~" <BoaterDave@xxxxxxxxxxxxxx> wrote in message news:uY7fSHmkIHA.2396@xxxxxxxxxxxxxxxxxxxxxxx
<snip>
Have you any idea how one may remove a virus from the boot code? TIA.

Sure, you overwrite/replace the correct code where it belongs. The trouble
is that sometimes you need part of the malicious code to recover your data
from the malware. Say for instance the virus encrypted some of your files, and
you decide to overwrite the boot code (stomping on the virus) then reboot only
to find the algorithm and 'key' to recovering your data was also stomped on.

..also consider that some of your backups may have been affected if the malware
was there long enough.

The whole Fdisk/MBR thing just illustrates the old saw 'a little knowledge is a dangerous thing'.

Thanks once again. You say "Sure, you overwrite/replace the correct code where it belongs". You didn't explain *How*. If you know, please advise. TIA

http://support.microsoft.com/kb/69013

After reading this, you should see how it could be dangerous if the user
doesn't know what he or she is doing. I used to have a dual boot box
Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have
messed things up considerably on that box for instance.

Data retention is not relevant to this exercise. The object is to have a 'clean sheet' so to speak! :)

I can't tell you how to do it correctly for your system, because I don't know
what correct is for your system.

I do take on board, though, your point regarding backups possibly being contaminated.

The chances of you having the specific kind of virus that attaches to boot code is extremely small.

Formatting the drive will likely be sufficient for your purposes.

Thank you so much for your helpful comments. I have read all the information at the page to which your link carried me and then went on to explore Article ID : 255867 regarding 'How to Use the Fdisk Tool .........'

All this information relates to systems before Windows XP. If one has been using a hard disk - and let us assume that (although unlikely, in your view) it *has* been infected by a Mebroot virus - if one simply boots from a retail copy of XP (Home in my case) with a view to reinstalling Windows XP, is the 'Format procedure' incorporated in the set-up programme sufficient to eradicate a virus attached to the code in the MBR?

My intuition tells me that the virus will remain - ready to act again as soon as the machine is reconnected to the Internet.

Maybe I am completely wrong about this, but it is why I wish to know how to ensure that everything is wiped off a disc before reinstalling Windows. FYI, I have also used a facility called Darik's Boot and Nuke to destroy all data on a disk - but remain uncertain if even this procedure will destroy MBR malware. I wonder if anyone reading here will know.

Vista http://support.microsoft.com/kb/927392

Some others http://www.datarecovery.com.sg/data_recovery/troubleshoot_master_boot_record_corruption.htm
Wanted to post a KB article - but this came to me first.

HTH


More very helpful and interesting information. Thank you.

It would seem that the rootkit cannot be removed while the OS is running, as it must be removed while the rootkit code itself is not running. So says Symantec, which goes on to say "During our tests, running the "fixmbr" command from within the Windows Recovery Console successfully removed the malicious MBR entry. To help prevent similar attacks in the future, and if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it"!

The implication, to me, is that if one *does* become infected with such malware, a straightforward re-installation will fail to eradicate the problem.

Other views welcomed!

My guess is that any re-installation that leaves the MBR alone
while losing the rest of the malware installation would result in
the "problem" being replaced with a merely corrupted MBR.

Just a guess though.
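As an added example (not part of the thread and not from any poster), the script below parses a 512-byte MBR into its bootstrap code, disk signature, partition table and 0x55AA boot signature, fingerprints only the bootstrap bytes so that per-disk signature values do not disturb the comparison, reports which regions differ between two dumps, and rewrites just the bootstrap from a known-good copy while leaving the partition table alone, which is in effect what a reference-code rewrite such as fdisk /mbr or fixmbr does. The two sector images are constructed inline (NOP filler standing in for real boot code); they are not dumps from any real disk or from the malware discussed above.

```python
"""Inspect and compare 512-byte MBR sectors (constructed sample data, not real dumps)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440      # bootstrap code; bytes 440-445 hold the Windows disk signature
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into bootstrap code, disk signature, partition entries and boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be exactly {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:  # a type byte of 0 marks an unused entry
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap": sector[:BOOTSTRAP_LEN],
        "disk_signature": sector[DISK_SIG_OFF:PART_TABLE_OFF],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def bootstrap_fingerprint(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only, so the per-disk signature does not change the hash."""
    return hashlib.sha256(parse_mbr(sector)["bootstrap"]).hexdigest()


def diff_mbr(before: bytes, after: bytes) -> dict:
    """Report which MBR regions differ between two dumps (e.g. before and after a reinstall)."""
    parse_mbr(before), parse_mbr(after)  # length checks
    return {
        "bootstrap_changed": before[:BOOTSTRAP_LEN] != after[:BOOTSTRAP_LEN],
        "disk_signature_changed": before[DISK_SIG_OFF:PART_TABLE_OFF] != after[DISK_SIG_OFF:PART_TABLE_OFF],
        "partition_table_changed": before[PART_TABLE_OFF:510] != after[PART_TABLE_OFF:510],
    }


def rewrite_bootstrap(sector: bytes, known_good: bytes) -> bytes:
    """Replace only the bootstrap code, keeping the disk signature and partition table.

    This is what a reference-code rewrite (fdisk /mbr, fixmbr) amounts to: the
    partition table is left untouched, so the data stays reachable and only the
    boot code is overwritten."""
    parse_mbr(sector), parse_mbr(known_good)  # length checks
    return known_good[:BOOTSTRAP_LEN] + sector[BOOTSTRAP_LEN:]


def _partition_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields filled with the usual 0xFE 0xFF 0xFF "use LBA" placeholder
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                       lba_start, sectors)


def _build_mbr(bootstrap: bytes, disk_sig: bytes, entries: list) -> bytes:
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return bootstrap + disk_sig + table + BOOT_SIGNATURE


# Constructed sample data: a stand-in "clean" bootstrap (a short prologue followed by NOP
# filler, not real boot code), one NTFS partition, and a variant whose first bytes jump
# elsewhere while the partition table is untouched, as MBR malware typically leaves it.
CLEAN_BOOTSTRAP = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOTSTRAP_LEN - 7)
INFECTED_BOOTSTRAP = bytes([0xEB, 0x3E]) + b"\x90" * (BOOTSTRAP_LEN - 2)
DISK_SIG = b"\x12\x34\x56\x78\x00\x00"
NTFS_ENTRY = _partition_entry(0x80, 0x07, 63, 20_964_762)

CLEAN_MBR = _build_mbr(CLEAN_BOOTSTRAP, DISK_SIG, [NTFS_ENTRY])
INFECTED_MBR = _build_mbr(INFECTED_BOOTSTRAP, DISK_SIG, [NTFS_ENTRY])

if __name__ == "__main__":
    print("partitions:", parse_mbr(INFECTED_MBR)["partitions"])
    print("clean vs infected:", diff_mbr(CLEAN_MBR, INFECTED_MBR))
    repaired = rewrite_bootstrap(INFECTED_MBR, CLEAN_MBR)
    print("repaired bootstrap matches clean:",
          bootstrap_fingerprint(repaired) == bootstrap_fingerprint(CLEAN_MBR))
```

To use this on a real machine, feed it the first 512 bytes of the disk (for instance `dd if=/dev/sda bs=512 count=1` from a Linux boot CD, or a raw read of `\\.\PhysicalDrive0` on Windows) taken before and after the reinstall: if `partition_table_changed` is false but `bootstrap_changed` is true, the reinstall did not touch the boot code, which is exactly the case the thread worries about. Compare the fingerprint against one taken from a known-clean install of the same Windows version rather than against a hard-coded value, since the stock bootstrap differs between versions.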
