I've done both of these 'silly things'!

FromTheRafters · Apr 1, 2008

"~BD~" <BoaterDave@nospam.invalid> wrote in message

news:%23SC2F8%23kIHA.1212@TK2MSFTNGP05.phx.gbl...

>

> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

> news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...

>>

>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>>>

>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...

>>>>

>>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

>>>>> <snip>

>>>>> Have you any idea how one may remove a virus from the boot code? TIA.

>>>>

>>>> Sure, you overwrite/replace the correct code where it belongs. The

>>>> trouble

>>>> is that sometimes you need part of the malicious code to recover your

>>>> data

>>>> from the malware. Say for instance the virus encrypted some of your

>>>> files, and

>>>> you decide to overwrite the boot code (stomping on the virus) then

>>>> reboot only

>>>> to find the algorithm and 'key' to recovering your data was also

>>>> stomped on.

>>>>

>>>> ..also consider that some of your backups may have been affected if the

>>>> malware

>>>> was there long enough.

>>>>

>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little

>>>> knowledge is a dangerous thing'.

>>>>

>>> Thanks once again. You say "Sure, you overwrite/replace the correct code

>>> where it belongs". You didn't explain How . If you know, please advise.

>>> TIA

>>

>> http://support.microsoft.com/kb/69013

>>

>> After reading this, you should see how it could be dangerous if the user

>> doesn't know what he or she is doing. I used to have a dual boot box

>> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have

>> messed things up considerably on that box for instance.

>>

>>> Data retention is not relevant to this exercise. The object is to have a

>>> 'clean sheet' so to speak! style_emoticons/

>>

>> I can't tell you how to do it correctly for your system, because I don't

>> know

>> what correct is for your system.

>>

>>> I do take on board, though, your point regarding backups possibly being

>>> contaminated.

>>

>> The chances of you having the specific kind of virus that attaches to

>> boot code is extremely small.

>>

>> Formatting the drive will likely be sufficient for your purposes.

>>

> Thank you so much for your helpful comments. I have read all the

> information at the page to which your link carried me and then went on to

> explore Article ID : 255867 regarding 'How to Use the Fdisk Tool

> .........'

>

> All this information relates to systems before Windows XP. If one has been

> using a hard disk - and let us assume that (although unlikely, in your

> view) it has been infected by a Mebroot virus - if one simply boots from

> a retail copy of XP (Home in my case) with a view to reinstalling Windows

> XP, is the 'Format procedure' incorporated in the set-up programme

> sufficient to erradicate a virus attached to the code in the MBR?

>

> My intuition tells me that the virus will remain - ready to act again as

> soon as the machine is reconnected to the Internet.

>

> Maybe I am completely wrong about this, but it is why I wish to know how

> to ensure that everything is wiped off a disc before reinstalling Windows.

> FYI, I have also used a facility called Darik's Boot and Nuke to destroy

> all data on a disk - but remain uncertain if even this procedure will

> destroy MBR malware. I wonder if anyone reading here will know.

Vista http://support.microsoft.com/kb/927392

Some others

http://www.datarecovery.com.sg/data_recove..._corruption.htm

Wanted to post a KB article - but this came to me first.

HTH

David H. Lipman · Apr 1, 2008

From: "FromTheRafters" <Erratic@ne.rr.com>

|

| "kurt wismer" <kurtw@sympatico.ca> wrote in message

| news:fssbus$hah$1@registered.motzarella.org...

>> FromTheRafters wrote:

>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>> [snip]

>>>> I do take on board, though, your point regarding backups possibly being

>>>> contaminated.

>>>

>>> The chances of you having the specific kind of virus that attaches to

>>> boot code is extremely small.

>>

>> true for viruses, less true for malware in general... specifically,

>> there's mbr malware being deployed via drive-by downloads from compromised

>> websites as we speak... i believe you can get more information by

>> searching for the keyword "mebroot"...

|

| Thanks kurt, I'll check that out. style_emoticons/)

The mebroot is a Trojan that uses the MBR as part of its RootKit technique.

http://www.symantec.com/enterprise/securit...janmebroot.html

http://www.symantec.com/security_response/...-010718-3448-99

This is different from the traditional boot sector infectors which are true viruses.

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

~BD~ · Apr 2, 2008

"FromTheRafters" <Erratic@ne.rr.com> wrote in message

news:O9XorxFlIHA.5080@TK2MSFTNGP02.phx.gbl...

>

> "~BD~" <BoaterDave@nospam.invalid> wrote in message

> news:%23SC2F8%23kIHA.1212@TK2MSFTNGP05.phx.gbl...

>>

>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>> news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...

>>>

>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>>>>

>>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>>>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...

>>>>>

>>>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

>>>>>> <snip>

>>>>>> Have you any idea how one may remove a virus from the boot code? TIA.

>>>>>

>>>>> Sure, you overwrite/replace the correct code where it belongs. The

>>>>> trouble

>>>>> is that sometimes you need part of the malicious code to recover your

>>>>> data

>>>>> from the malware. Say for instance the virus encrypted some of your

>>>>> files, and

>>>>> you decide to overwrite the boot code (stomping on the virus) then

>>>>> reboot only

>>>>> to find the algorithm and 'key' to recovering your data was also

>>>>> stomped on.

>>>>>

>>>>> ..also consider that some of your backups may have been affected if

>>>>> the malware

>>>>> was there long enough.

>>>>>

>>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little

>>>>> knowledge is a dangerous thing'.

>>>>>

>>>> Thanks once again. You say "Sure, you overwrite/replace the correct

>>>> code where it belongs". You didn't explain How . If you know, please

>>>> advise. TIA

>>>

>>> http://support.microsoft.com/kb/69013

>>>

>>> After reading this, you should see how it could be dangerous if the user

>>> doesn't know what he or she is doing. I used to have a dual boot box

>>> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have

>>> messed things up considerably on that box for instance.

>>>

>>>> Data retention is not relevant to this exercise. The object is to have

>>>> a 'clean sheet' so to speak! style_emoticons/

>>>

>>> I can't tell you how to do it correctly for your system, because I don't

>>> know

>>> what correct is for your system.

>>>

>>>> I do take on board, though, your point regarding backups possibly being

>>>> contaminated.

>>>

>>> The chances of you having the specific kind of virus that attaches to

>>> boot code is extremely small.

>>>

>>> Formatting the drive will likely be sufficient for your purposes.

>>>

>> Thank you so much for your helpful comments. I have read all the

>> information at the page to which your link carried me and then went on to

>> explore Article ID : 255867 regarding 'How to Use the Fdisk Tool

>> .........'

>>

>> All this information relates to systems before Windows XP. If one has

>> been using a hard disk - and let us assume that (although unlikely, in

>> your view) it has been infected by a Mebroot virus - if one simply

>> boots from a retail copy of XP (Home in my case) with a view to

>> reinstalling Windows XP, is the 'Format procedure' incorporated in the

>> set-up programme sufficient to erradicate a virus attached to the code in

>> the MBR?

>>

>> My intuition tells me that the virus will remain - ready to act again as

>> soon as the machine is reconnected to the Internet.

>>

>> Maybe I am completely wrong about this, but it is why I wish to know how

>> to ensure that everything is wiped off a disc before reinstalling

>> Windows. FYI, I have also used a facility called Darik's Boot and Nuke to

>> destroy all data on a disk - but remain uncertain if even this procedure

>> will destroy MBR malware. I wonder if anyone reading here will know.

>

> Vista http://support.microsoft.com/kb/927392

>

> Some others

> http://www.datarecovery.com.sg/data_recove..._corruption.htm

> Wanted to post a KB article - but this came to me first.

>

> HTH

>

>

More very helpful and interesting information. Thank you.

It would seem that the rootkit cannot be removed while the OS is running, as

it must be removed while the rootkit code itself is not running. So says

Symantec, which goes on to say "During our tests, running the "fixmbr"

command from within the Windows Recovery Console successfully removed the

malicious MBR entry. To help prevent similar attacks in the future, and if

your system BIOS includes the Master Boot Record write-protection feature,

now is a good time to enable it"!

The implication, to me, is that if one does become infected with such

malware, a straight-forward re-installation will fail to erradicate the

problem.

Other views welcomed!

--

Dave

FromTheRafters · Apr 2, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:%23n1HZ2FlIHA.3636@TK2MSFTNGP02.phx.gbl...

> From: "FromTheRafters" <Erratic@ne.rr.com>

>

> |

> | "kurt wismer" <kurtw@sympatico.ca> wrote in message

> | news:fssbus$hah$1@registered.motzarella.org...

>>> FromTheRafters wrote:

>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>>> [snip]

>>>>> I do take on board, though, your point regarding backups possibly

>>>>> being

>>>>> contaminated.

>>>>

>>>> The chances of you having the specific kind of virus that attaches to

>>>> boot code is extremely small.

>>>

>>> true for viruses, less true for malware in general... specifically,

>>> there's mbr malware being deployed via drive-by downloads from

>>> compromised

>>> websites as we speak... i believe you can get more information by

>>> searching for the keyword "mebroot"...

> |

> | Thanks kurt, I'll check that out. style_emoticons/)

>

> The mebroot is a Trojan that uses the MBR as part of its RootKit

> technique.

>

> http://www.symantec.com/enterprise/securit...janmebroot.html

>

> http://www.symantec.com/security_response/...-010718-3448-99

>

> This is different from the traditional boot sector infectors which are

> true viruses.

Thanks Dave. If you have this, and you format the disk,

are you essentially left with just a corrupted MBR?

FromTheRafters · Apr 2, 2008

"~BD~" <BoaterDave@nospam.invalid> wrote in message

news:uaggyGLlIHA.5368@TK2MSFTNGP04.phx.gbl...

>

> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

> news:O9XorxFlIHA.5080@TK2MSFTNGP02.phx.gbl...

>>

>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>> news:%23SC2F8%23kIHA.1212@TK2MSFTNGP05.phx.gbl...

>>>

>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>>> news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...

>>>>

>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>>>>>

>>>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>>>>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...

>>>>>>

>>>>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

>>>>>>> <snip>

>>>>>>> Have you any idea how one may remove a virus from the boot code?

>>>>>>> TIA.

>>>>>>

>>>>>> Sure, you overwrite/replace the correct code where it belongs. The

>>>>>> trouble

>>>>>> is that sometimes you need part of the malicious code to recover your

>>>>>> data

>>>>>> from the malware. Say for instance the virus encrypted some of your

>>>>>> files, and

>>>>>> you decide to overwrite the boot code (stomping on the virus) then

>>>>>> reboot only

>>>>>> to find the algorithm and 'key' to recovering your data was also

>>>>>> stomped on.

>>>>>>

>>>>>> ..also consider that some of your backups may have been affected if

>>>>>> the malware

>>>>>> was there long enough.

>>>>>>

>>>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little

>>>>>> knowledge is a dangerous thing'.

>>>>>>

>>>>> Thanks once again. You say "Sure, you overwrite/replace the correct

>>>>> code where it belongs". You didn't explain How . If you know, please

>>>>> advise. TIA

>>>>

>>>> http://support.microsoft.com/kb/69013

>>>>

>>>> After reading this, you should see how it could be dangerous if the

>>>> user

>>>> doesn't know what he or she is doing. I used to have a dual boot box

>>>> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have

>>>> messed things up considerably on that box for instance.

>>>>

>>>>> Data retention is not relevant to this exercise. The object is to have

>>>>> a 'clean sheet' so to speak! style_emoticons/

>>>>

>>>> I can't tell you how to do it correctly for your system, because I

>>>> don't know

>>>> what correct is for your system.

>>>>

>>>>> I do take on board, though, your point regarding backups possibly

>>>>> being contaminated.

>>>>

>>>> The chances of you having the specific kind of virus that attaches to

>>>> boot code is extremely small.

>>>>

>>>> Formatting the drive will likely be sufficient for your purposes.

>>>>

>>> Thank you so much for your helpful comments. I have read all the

>>> information at the page to which your link carried me and then went on

>>> to explore Article ID : 255867 regarding 'How to Use the Fdisk Tool

>>> .........'

>>>

>>> All this information relates to systems before Windows XP. If one has

>>> been using a hard disk - and let us assume that (although unlikely, in

>>> your view) it has been infected by a Mebroot virus - if one simply

>>> boots from a retail copy of XP (Home in my case) with a view to

>>> reinstalling Windows XP, is the 'Format procedure' incorporated in the

>>> set-up programme sufficient to erradicate a virus attached to the code

>>> in the MBR?

>>>

>>> My intuition tells me that the virus will remain - ready to act again as

>>> soon as the machine is reconnected to the Internet.

>>>

>>> Maybe I am completely wrong about this, but it is why I wish to know how

>>> to ensure that everything is wiped off a disc before reinstalling

>>> Windows. FYI, I have also used a facility called Darik's Boot and Nuke

>>> to destroy all data on a disk - but remain uncertain if even this

>>> procedure will destroy MBR malware. I wonder if anyone reading here will

>>> know.

>>

>> Vista http://support.microsoft.com/kb/927392

>>

>> Some others

>> http://www.datarecovery.com.sg/data_recove..._corruption.htm

>> Wanted to post a KB article - but this came to me first.

>>

>> HTH

>>

>>

> More very helpful and interesting information. Thank you.

>

> It would seem that the rootkit cannot be removed while the OS is running,

> as it must be removed while the rootkit code itself is not running. So

> says Symantec, which goes on to say "During our tests, running the

> "fixmbr" command from within the Windows Recovery Console successfully

> removed the malicious MBR entry. To help prevent similar attacks in the

> future, and if your system BIOS includes the Master Boot Record

> write-protection feature, now is a good time to enable it"!

>

> The implication, to me, is that if one does become infected with such

> malware, a straight-forward re-installation will fail to erradicate the

> problem.

>

> Other views welcomed!

My guess is that any re-installation that leaves the MBR alone

while losing the rest of the malware installation would result in

the "problem" being replaced with a merely corrupted MBR.

Just a guess though.

David H. Lipman · Apr 2, 2008

From: "FromTheRafters" <Erratic@ne.rr.com>



>>

>> The mebroot is a Trojan that uses the MBR as part of its RootKit

>> technique.

>>

>> http://www.symantec.com/enterprise/securit...janmebroot.html

>>

>> http://www.symantec.com/security_response/...-010718-3448-99

>>

>> This is different from the traditional boot sector infectors which are

>> true viruses.

|

| Thanks Dave. If you have this, and you format the disk,

| are you essentially left with just a corrupted MBR?

I don't think so but... I can't say for sure.

I would say that IF you went to this method, you should delete the partition table,

repartition and then reformat not just reformat the hard disk.

BTW: Symantec has a removal tool...

http://www.symantec.com/security_response/...-020817-4716-99

What the tool does

The Removal Tool does the following:

- Restores the Master Boot Record

- Terminates the associated processes

- Deletes the associated files

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

~BD~ · Apr 3, 2008

"FromTheRafters" <Erratic@ne.rr.com> wrote in message

news:%230ZTkJRlIHA.536@TK2MSFTNGP06.phx.gbl...

>

> "~BD~" <BoaterDave@nospam.invalid> wrote in message

> news:uaggyGLlIHA.5368@TK2MSFTNGP04.phx.gbl...

>>

>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>> news:O9XorxFlIHA.5080@TK2MSFTNGP02.phx.gbl...

>>>

>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>> news:%23SC2F8%23kIHA.1212@TK2MSFTNGP05.phx.gbl...

>>>>

>>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>>>> news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...

>>>>>

>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>>>>>>

>>>>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>>>>>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...

>>>>>>>

>>>>>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>>>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

>>>>>>>> <snip>

>>>>>>>> Have you any idea how one may remove a virus from the boot code?

>>>>>>>> TIA.

>>>>>>>

>>>>>>> Sure, you overwrite/replace the correct code where it belongs. The

>>>>>>> trouble

>>>>>>> is that sometimes you need part of the malicious code to recover

>>>>>>> your data

>>>>>>> from the malware. Say for instance the virus encrypted some of your

>>>>>>> files, and

>>>>>>> you decide to overwrite the boot code (stomping on the virus) then

>>>>>>> reboot only

>>>>>>> to find the algorithm and 'key' to recovering your data was also

>>>>>>> stomped on.

>>>>>>>

>>>>>>> ..also consider that some of your backups may have been affected if

>>>>>>> the malware

>>>>>>> was there long enough.

>>>>>>>

>>>>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little

>>>>>>> knowledge is a dangerous thing'.

>>>>>>>

>>>>>> Thanks once again. You say "Sure, you overwrite/replace the correct

>>>>>> code where it belongs". You didn't explain How . If you know, please

>>>>>> advise. TIA

>>>>>

>>>>> http://support.microsoft.com/kb/69013

>>>>>

>>>>> After reading this, you should see how it could be dangerous if the

>>>>> user

>>>>> doesn't know what he or she is doing. I used to have a dual boot box

>>>>> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have

>>>>> messed things up considerably on that box for instance.

>>>>>

>>>>>> Data retention is not relevant to this exercise. The object is to

>>>>>> have a 'clean sheet' so to speak! style_emoticons/

>>>>>

>>>>> I can't tell you how to do it correctly for your system, because I

>>>>> don't know

>>>>> what correct is for your system.

>>>>>

>>>>>> I do take on board, though, your point regarding backups possibly

>>>>>> being contaminated.

>>>>>

>>>>> The chances of you having the specific kind of virus that attaches to

>>>>> boot code is extremely small.

>>>>>

>>>>> Formatting the drive will likely be sufficient for your purposes.

>>>>>

>>>> Thank you so much for your helpful comments. I have read all the

>>>> information at the page to which your link carried me and then went on

>>>> to explore Article ID : 255867 regarding 'How to Use the Fdisk Tool

>>>> .........'

>>>>

>>>> All this information relates to systems before Windows XP. If one has

>>>> been using a hard disk - and let us assume that (although unlikely, in

>>>> your view) it has been infected by a Mebroot virus - if one simply

>>>> boots from a retail copy of XP (Home in my case) with a view to

>>>> reinstalling Windows XP, is the 'Format procedure' incorporated in the

>>>> set-up programme sufficient to erradicate a virus attached to the code

>>>> in the MBR?

>>>>

>>>> My intuition tells me that the virus will remain - ready to act again

>>>> as soon as the machine is reconnected to the Internet.

>>>>

>>>> Maybe I am completely wrong about this, but it is why I wish to know

>>>> how to ensure that everything is wiped off a disc before reinstalling

>>>> Windows. FYI, I have also used a facility called Darik's Boot and Nuke

>>>> to destroy all data on a disk - but remain uncertain if even this

>>>> procedure will destroy MBR malware. I wonder if anyone reading here

>>>> will know.

>>>

>>> Vista http://support.microsoft.com/kb/927392

>>>

>>> Some others

>>> http://www.datarecovery.com.sg/data_recove..._corruption.htm

>>> Wanted to post a KB article - but this came to me first.

>>>

>>> HTH

>>>

>>>

>> More very helpful and interesting information. Thank you.

>>

>> It would seem that the rootkit cannot be removed while the OS is running,

>> as it must be removed while the rootkit code itself is not running. So

>> says Symantec, which goes on to say "During our tests, running the

>> "fixmbr" command from within the Windows Recovery Console successfully

>> removed the malicious MBR entry. To help prevent similar attacks in the

>> future, and if your system BIOS includes the Master Boot Record

>> write-protection feature, now is a good time to enable it"!

>>

>> The implication, to me, is that if one does become infected with such

>> malware, a straight-forward re-installation will fail to erradicate the

>> problem.

>>

>> Other views welcomed!

>

> My guess is that any re-installation that leaves the MBR alone

> while losing the rest of the malware installation would result in

> the "problem" being replaced with a merely corrupted MBR.

>

> Just a guess though.

Many thanks for your contributions in this thread. It is appreciated! style_emoticons/

--

Dave

Richard Urban · Apr 14, 2008

Boot using a DOS setup floppy (latest/last version).

Type fdisk /mbr

The /mbr is an undocumented call that will replace the mbr on the master

hard drive. It is best to physically disconnect all other hard drives when

performing this call to prevent any unwanted actions due to multiple hard

drives being connected.

"~BD~" <BoaterDave@nospam.invalid> wrote in message

news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...

> Indeed, Kurt. Thank you for your response.

>

> A quote from Computer Active

> http://www.computeractive.co.uk/computerac...-takes-security

>

> "Mebroot, which is designed to steal personal information and bank

> details, is embedded in legitimate websites.

> If the latest updates and patches for browsers or the XP operating system

> have been applied, then anti-virus software can stop the rootkit and the

> associate malware such as keystroke loggers and others it downloads.

>

> But if patches have not been applied the malware downloads to a PC and

> then hides from security software. It can be removed quite simply,

> according to Hypponen, but currently only by the user rewriting the MBR".

>

> My question remains. HOW does a user rewrite the MBR.

>

> Many thanks to anyone who can provide the answer!

>

> --

>

> Dave

>

>

>

>

>

>

FromTheRafters · Apr 14, 2008

"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message

news:%23dzAjSfnIHA.1212@TK2MSFTNGP05.phx.gbl...

> Boot using a DOS setup floppy (latest/last version).

>

> Type fdisk /mbr

>

> The /mbr is an undocumented call that will replace the mbr on the master

> hard drive. It is best to physically disconnect all other hard drives when

> performing this call to prevent any unwanted actions due to multiple hard

> drives being connected.

Care must be taken to ensure that the correct MBR code

is what replaces the existing code. Why do you assume

the "latest/last" DOS version is the correct one for the

OP's system?



> "~BD~" <BoaterDave@nospam.invalid> wrote in message

> news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...

>> Indeed, Kurt. Thank you for your response.

>>

>> A quote from Computer Active

>> http://www.computeractive.co.uk/computerac...-takes-security

>>

>> "Mebroot, which is designed to steal personal information and bank

>> details, is embedded in legitimate websites.

>> If the latest updates and patches for browsers or the XP operating system

>> have been applied, then anti-virus software can stop the rootkit and the

>> associate malware such as keystroke loggers and others it downloads.

>>

>> But if patches have not been applied the malware downloads to a PC and

>> then hides from security software. It can be removed quite simply,

>> according to Hypponen, but currently only by the user rewriting the MBR".

>>

>> My question remains. HOW does a user rewrite the MBR.

>>

>> Many thanks to anyone who can provide the answer!

>>

>> --

>>

>> Dave

>>

>>

>>

>>

>>

>>

>

Richard Urban · Apr 14, 2008

Because I have never found a hard drive that it would not clear/rewrite the

MBR and make the drive usable again. I use what ""I"" know is best for me. I

recommend the same to others.

"FromTheRafters" <Erratic@ne.rr.com> wrote in message

news:epJlv9jnIHA.4292@TK2MSFTNGP04.phx.gbl...

>

> "Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message

> news:%23dzAjSfnIHA.1212@TK2MSFTNGP05.phx.gbl...

>> Boot using a DOS setup floppy (latest/last version).

>>

>> Type fdisk /mbr

>>

>> The /mbr is an undocumented call that will replace the mbr on the master

>> hard drive. It is best to physically disconnect all other hard drives

>> when performing this call to prevent any unwanted actions due to multiple

>> hard drives being connected.

>

> Care must be taken to ensure that the correct MBR code

> is what replaces the existing code. Why do you assume

> the "latest/last" DOS version is the correct one for the

> OP's system?

>

>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>> news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...

>>> Indeed, Kurt. Thank you for your response.

>>>

>>> A quote from Computer Active

>>> http://www.computeractive.co.uk/computerac...-takes-security

>>>

>>> "Mebroot, which is designed to steal personal information and bank

>>> details, is embedded in legitimate websites.

>>> If the latest updates and patches for browsers or the XP operating

>>> system have been applied, then anti-virus software can stop the rootkit

>>> and the associate malware such as keystroke loggers and others it

>>> downloads.

>>>

>>> But if patches have not been applied the malware downloads to a PC and

>>> then hides from security software. It can be removed quite simply,

>>> according to Hypponen, but currently only by the user rewriting the

>>> MBR".

>>>

>>> My question remains. HOW does a user rewrite the MBR.

>>>

>>> Many thanks to anyone who can provide the answer!

>>>

>>> --

>>>

>>> Dave

>>>

>>>

>>>

>>>

>>>

>>>

>>

>

Massimo · Apr 14, 2008

Hello,

On Mon, 14 Apr 2008 01:58:59 -0400, "Richard Urban"

<richardurbanREMOVETHIS@hotmail.com> wrote:



>Boot using a DOS setup floppy (latest/last version).

>

>Type fdisk /mbr

>

>The /mbr is an undocumented call that will replace the mbr on the master

>hard drive. It is best to physically disconnect all other hard drives when

>performing this call to prevent any unwanted actions due to multiple hard

>drives being connected.

>

>

I read this posting but do not know what has been said before. I

believe to remember that the fdisk /mbr call can only be used on a fat

(16,32?) system. Does the OP have that kind of format on his hd? If

not, could this call ruin his hd?

Massimo

============



>"~BD~" <BoaterDave@nospam.invalid> wrote in message

>news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...

>> Indeed, Kurt. Thank you for your response.

>>

>> A quote from Computer Active

>> http://www.computeractive.co.uk/computerac...-takes-security

>>

>> "Mebroot, which is designed to steal personal information and bank

>> details, is embedded in legitimate websites.

>> If the latest updates and patches for browsers or the XP operating system

>> have been applied, then anti-virus software can stop the rootkit and the

>> associate malware such as keystroke loggers and others it downloads.

>>

>> But if patches have not been applied the malware downloads to a PC and

>> then hides from security software. It can be removed quite simply,

>> according to Hypponen, but currently only by the user rewriting the MBR".

>>

>> My question remains. HOW does a user rewrite the MBR.

>>

>> Many thanks to anyone who can provide the answer!

>>

>> --

>>

>> Dave

>>

>>

>>

>>

>>

>>

jen · Apr 14, 2008

The OP's OS is XP. He should instead boot from the Recovery Console and

type: fixmbr.

Fixmbr Command Syntax:

fixmbr (device_name):

device_name = This is where you designate the exact drive location that

a master boot record will be written to. If no device is specified, the

master boot record will be written to the primary boot drive.

Fixmbr Command Examples:

fixmbr \Device\HardDisk0

In the above example, the master boot record is written to the drive

located at \Device\HardDisk0.

fixmbr:

In this example, the master boot record is written to the device that

your primary system is loaded onto. If you have a single installation of

Windows installed, which is normally the case, running the fixmbr

command in this way is usually the right way to go.

Fixmbr Command Availability:

The fixmbr command is only available from within the Recovery Console in

Windows 2000 and Windows XP.

-jen

"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message

news:%23dzAjSfnIHA.1212@TK2MSFTNGP05.phx.gbl...

> Boot using a DOS setup floppy (latest/last version).

>

> Type fdisk /mbr

>

> The /mbr is an undocumented call that will replace the mbr on the

> master hard drive. It is best to physically disconnect all other hard

> drives when performing this call to prevent any unwanted actions due

> to multiple hard drives being connected.

>

>

> "~BD~" <BoaterDave@nospam.invalid> wrote in message

> news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...

>> Indeed, Kurt. Thank you for your response.

>>

>> A quote from Computer Active

>> http://www.computeractive.co.uk/computerac...-takes-security

>>

>> "Mebroot, which is designed to steal personal information and bank

>> details, is embedded in legitimate websites.

>> If the latest updates and patches for browsers or the XP operating

>> system have been applied, then anti-virus software can stop the

>> rootkit and the associate malware such as keystroke loggers and

>> others it downloads.

>>

>> But if patches have not been applied the malware downloads to a PC

>> and then hides from security software. It can be removed quite

>> simply, according to Hypponen, but currently only by the user

>> rewriting the MBR".

>>

>> My question remains. HOW does a user rewrite the MBR.

>>

>> Many thanks to anyone who can provide the answer!

>>

>> --

>>

>> Dave

>>

>>

>>

>>

>>

>>

>

I've done both of these 'silly things'!

FromTheRafters

Guest

David H. Lipman

Guest

~BD~

Guest

FromTheRafters

Guest

FromTheRafters

Guest

David H. Lipman

Guest

~BD~

Guest

Richard Urban

Guest

FromTheRafters

Guest

Richard Urban

Guest

Massimo

Guest

jen

Guest