Re: I've done both of these 'silly things'!
- From: "~BD~" <BoaterDave@xxxxxxxxxxxxxx>
- Date: Thu, 3 Apr 2008 22:38:54 +0100
"FromTheRafters" <Erratic@xxxxxxxxx> wrote in message
news:%230ZTkJRlIHA.536@xxxxxxxxxxxxxxxxxxxxxxx

> "~BD~" <BoaterDave@xxxxxxxxxxxxxx> wrote in message
> news:uaggyGLlIHA.5368@xxxxxxxxxxxxxxxxxxxxxxx
>
>> "FromTheRafters" <Erratic@xxxxxxxxx> wrote in message
>> news:O9XorxFlIHA.5080@xxxxxxxxxxxxxxxxxxxxxxx
>>
>>> "~BD~" <BoaterDave@xxxxxxxxxxxxxx> wrote in message
>>> news:%23SC2F8%23kIHA.1212@xxxxxxxxxxxxxxxxxxxxxxx
>>>
>>>> "FromTheRafters" <Erratic@xxxxxxxxx> wrote in message
>>>> news:eyTQU$2kIHA.5088@xxxxxxxxxxxxxxxxxxxxxxx
>>>>
>>>>> "~BD~" <BoaterDave@xxxxxxxxxxxxxx> wrote in message
>>>>> news:%23RzxTUrkIHA.4140@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>
>>>>>> "FromTheRafters" <Erratic@xxxxxxxxx> wrote in message
>>>>>> news:OK6Sf$qkIHA.4480@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>
>>>>>>> "~BD~" <BoaterDave@xxxxxxxxxxxxxx> wrote in message <snip>
>>>>>>> news:uY7fSHmkIHA.2396@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>
>>>>>>>> Have you any idea how one may remove a virus from the boot code?
>>>>>>>> TIA.
>>>>>>>
>>>>>>> Sure, you overwrite/replace the correct code where it belongs. The trouble is that sometimes you need part of the malicious code to recover your data from the malware. Say for instance the virus encrypted some of your files, and you decide to overwrite the boot code (stomping on the virus) then reboot only to find the algorithm and 'key' to recovering your data was also stomped on.
>>>>>>>
>>>>>>> ...also consider that some of your backups may have been affected if the malware was there long enough.
>>>>>>>
>>>>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little knowledge is a dangerous thing'.
>>>>>>
>>>>>> Thanks once again. You say "Sure, you overwrite/replace the correct code where it belongs". You didn't explain *How*. If you know, please advise. TIA
>>>>>
>>>>> http://support.microsoft.com/kb/69013
>>>>>
>>>>> After reading this, you should see how it could be dangerous if the user doesn't know what he or she is doing. I used to have a dual boot box Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have messed things up considerably on that box for instance.
>>>>>
>>>>>> Data retention is not relevant to this exercise. The object is to have a 'clean sheet' so to speak! :)
>>>>>
>>>>> I can't tell you how to do it correctly for your system, because I don't know what correct is for your system.
>>>>>
>>>>>> I do take on board, though, your point regarding backups possibly being contaminated.
>>>>>
>>>>> The chances of you having the specific kind of virus that attaches to boot code is extremely small.
>>>>>
>>>>> Formatting the drive will likely be sufficient for your purposes.
>>>>
>>>> Thank you so much for your helpful comments. I have read all the information at the page to which your link carried me and then went on to explore Article ID: 255867 regarding 'How to Use the Fdisk Tool .........'
>>>>
>>>> All this information relates to systems before Windows XP. If one has been using a hard disk - and let us assume that (although unlikely, in your view) it *has* been infected by a Mebroot virus - if one simply boots from a retail copy of XP (Home in my case) with a view to reinstalling Windows XP, is the 'Format procedure' incorporated in the set-up programme sufficient to eradicate a virus attached to the code in the MBR?
>>>>
>>>> My intuition tells me that the virus will remain - ready to act again as soon as the machine is reconnected to the Internet.
>>>>
>>>> Maybe I am completely wrong about this, but it is why I wish to know how to ensure that everything is wiped off a disc before reinstalling Windows. FYI, I have also used a facility called Darik's Boot and Nuke to destroy all data on a disk - but remain uncertain if even this procedure will destroy MBR malware. I wonder if anyone reading here will know.
>>>
>>> Vista http://support.microsoft.com/kb/927392
>>>
>>> Some others
>>> http://www.datarecovery.com.sg/data_recovery/troubleshoot_master_boot_record_corruption.htm
>>>
>>> Wanted to post a KB article - but this came to me first.
>>>
>>> HTH
>>
>> More very helpful and interesting information. Thank you.
>>
>> It would seem that the rootkit cannot be removed while the OS is running, as it must be removed while the rootkit code itself is not running. So says Symantec, which goes on to say "During our tests, running the "fixmbr" command from within the Windows Recovery Console successfully removed the malicious MBR entry. To help prevent similar attacks in the future, and if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it"!
>>
>> The implication, to me, is that if one *does* become infected with such malware, a straightforward re-installation will fail to eradicate the problem.
>>
>> Other views welcomed!
>
> My guess is that any re-installation that leaves the MBR alone while losing the rest of the malware installation would result in the "problem" being replaced with a merely corrupted MBR.
>
> Just a guess though.

Many thanks for your contributions in this thread. It is appreciated! :)
--
Dave
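As an added example from the editor (not code from this thread, nor from Symantec or Microsoft): the thread turns on whether the bootstrap code in the MBR has been altered and whether "fixmbr" put it back. One way a defender checks that is to read the 512-byte sector 0, parse it, and compare a hash of its 446-byte bootstrap area against a hash recorded when the disk was known clean. The sample MBR and its boot code bytes below are constructed for the demo; the function names (`parse_mbr`, `boot_code_changed`, `make_mbr`) are the editor's, and reading the real sector 0 from a disk or raw image is left to the caller.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the bootstrap code; a bootkit replaces these
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"       # the two-byte boot signature at offset 510


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into a boot code hash, the partition table and a signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
    }


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the bootstrap area no longer matches the hash recorded from a known-clean disk."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def make_mbr(boot_code: bytes, valid_signature: bool = True) -> bytes:
    """Build a constructed sample MBR: the given boot code, one bootable NTFS-type partition, signature."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code does not fit in 446 bytes")
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    # status 0x80 (active), dummy CHS values, type 0x07 (NTFS), LBA start 63, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    table = entry + b"\x00" * 48  # three empty entries
    return code + table + (SIGNATURE if valid_signature else b"\x00\x00")


# Constructed sample boot code for the demo; not real bootstrap code from any OS.
KNOWN_GOOD_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
TAMPERED_CODE = b"\xeb\xfe" + KNOWN_GOOD_CODE[2:]  # first two bytes differ from the baseline


if __name__ == "__main__":
    clean = make_mbr(KNOWN_GOOD_CODE)
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print("baseline boot code hash:", baseline)
    print("clean disk changed?   ", boot_code_changed(clean, baseline))
    print("tampered disk changed?", boot_code_changed(make_mbr(TAMPERED_CODE), baseline))
```

The hash only tells you that the bootstrap area differs from the baseline, not what changed it, so the baseline has to be taken from a state you trust (a fresh install, or the bytes restored by the Recovery Console). The partition table is parsed separately because a repair that rewrites the boot code should leave those four entries untouched; if they differ as well, something other than a boot-code replacement has happened.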