
I've done both of these 'silly things'!



Posted

In this article http://www.claymania.com/panic.html it says:-

 

You have probably come to this page because your computer is not working

properly. You may have heard that things named computer viruses can cause

computers to act abnormally, and now you think you have a virus. Before you

go ahead...

 

Do NOT panic!!

 

This is very important. Having a virus basically means that there is a

program on your computer that doesn't belong there. It's this simple, so

really there is no need to panic. In fact, a panicking user can be much more

dangerous than any virus! Users often cause more damage while attempting to

exterminate a virus than the virus itself could ever have caused.

 

Panic may cause a user to do two very silly things: formatting and using

FDisk.

 

Formatting

You may have overheard rumors according to which there is an infallible

method to get rid of a virus, namely formatting. Formatting is a process

that effectively removes all data stored on a medium (although that is not

its actual purpose), including any virus.

Well, don't fall for this myth. It's not always true. In fact, it may work,

but formatting is generally a bad idea for several reasons:

a.. Formatting is in most cases absolutely unnecessary. Most viruses can

be removed quite easily.

b.. Formatting and reinstalling the operating system and all applications

is time consuming.

c.. Data loss will occur if you forget to back up your data before wiping

everything.

d.. Format may remove everything except the virus.

FDisk

Some of you may even have heard about a miraculous tool named Fdisk

(generally in connection with so-called "boot sector viruses" or the MBR).

The MBR is a small sector on your hard disk that contains a small program

and partition information. The truth about Fdisk is that it can be useful,

but its use can also result in data loss. If you don't know exactly which

virus you are dealing with, Fdisk can be very destructive!! Fdisk is

definitely not an anti-virus tool, so don't use it.

_____________________________________________________________________________

 

As I said in the title "I've done both of these 'silly things'!", so

..........

 

I am particularly interested in /this/ statement therein:-

 

"Format may remove everything except the virus".

 

I'd be most grateful if someone will explain this to me. TIA

--

Dave

Posted

~BD~ wrote:

> In this article http://www.claymania.com/panic.html it says:-

>

> You have probably come to this page because your computer is not working

> properly. You may have heard that things named computer viruses can cause

> computers to act abnormally, and now you think you have a virus. Before you

> go ahead...

>

> Do NOT panic!!

>

> This is very important. Having a virus basically means that there is a

> program on your computer that doesn't belong there. It's this simple, so

> really there is no need to panic. In fact, a panicking user can be much more

> dangerous than any virus! Users often cause more damage while attempting to

> exterminate a virus than the virus itself could ever have caused.

>

> Panic may cause a user to do two very silly things: formatting and using

> FDisk.

>

> Formatting

> You may have overheard rumors according to which there is an infallible

> method to get rid of a virus, namely formatting. Formatting is a process

> that effectively removes all data stored on a medium (although that is not

> its actual purpose), including any virus.

> Well, don't fall for this myth. It's not always true. In fact, it may work,

> but formatting is generally a bad idea for several reasons:

> a.. Formatting is in most cases absolutely unnecessary. Most viruses can

> be removed quite easily.

> b.. Formatting and reinstalling the operating system and all applications

> is time consuming.

> c.. Data loss will occur if you forget to back up your data before wiping

> everything.

> d.. Format may remove everything except the virus.

> FDisk

> Some of you may even have heard about a miraculous tool named Fdisk

> (generally in connection with so-called "boot sector viruses" or the MBR).

> The MBR is a small sector on your hard disk that contains a small program

> and partition information. The truth about Fdisk is that it can be useful,

> but its use can also result in data loss. If you don't know exactly which

> virus you are dealing with, Fdisk can be very destructive!! Fdisk is

> definitely not an anti-virus tool, so don't use it.

> _____________________________________________________________________________

>

> As I said in the title "I've done both of these 'silly things'!", so

> .........

>

> I am particularly interested in /this/ statement therein:-

>

> "Format may remove everything except the virus".

>

> I'd be most grateful if someone will explain this to me. TIA

> --

> Dave

>

>

>

Simple really, Format doesn't write very much to your disk at all.

It puts a Hexadecimal E5 in the first character of each entry in the

root directory (marks it as empty and available), then reads the rest of

the disk to look for bad sectors. It doesn't touch the Master Boot

record or the partition table, that's fdisk's job.

Guest Peter Foldes
Posted

Hello Dave

 

Please refrain from starting your usual dialogue with this post here. The link claymania

is legitimate and very easy to understand

--

Peter

 

Please Reply to Newsgroup for the benefit of others

Requests for assistance by email can not and will not be acknowledged.

 

"~BD~" <BoaterDave@nospam.invalid> wrote in message news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

> In this article http://www.claymania.com/panic.html it says:-

>

> You have probably come to this page because your computer is not working

> properly. You may have heard that things named computer viruses can cause

> computers to act abnormally, and now you think you have a virus. Before you

> go ahead...

>

> Do NOT panic!!

>

> This is very important. Having a virus basically means that there is a

> program on your computer that doesn't belong there. It's this simple, so

> really there is no need to panic. In fact, a panicking user can be much more

> dangerous than any virus! Users often cause more damage while attempting to

> exterminate a virus than the virus itself could ever have caused.

>

> Panic may cause a user to do two very silly things: formatting and using

> FDisk.

>

> Formatting

> You may have overheard rumors according to which there is an infallible

> method to get rid of a virus, namely formatting. Formatting is a process

> that effectively removes all data stored on a medium (although that is not

> its actual purpose), including any virus.

> Well, don't fall for this myth. It's not always true. In fact, it may work,

> but formatting is generally a bad idea for several reasons:

> a.. Formatting is in most cases absolutely unnecessary. Most viruses can

> be removed quite easily.

> b.. Formatting and reinstalling the operating system and all applications

> is time consuming.

> c.. Data loss will occur if you forget to back up your data before wiping

> everything.

> d.. Format may remove everything except the virus.

> FDisk

> Some of you may even have heard about a miraculous tool named Fdisk

> (generally in connection with so-called "boot sector viruses" or the MBR).

> The MBR is a small sector on your hard disk that contains a small program

> and partition information. The truth about Fdisk is that it can be useful,

> but its use can also result in data loss. If you don't know exactly which

> virus you are dealing with, Fdisk can be very destructive!! Fdisk is

> definitely not an anti-virus tool, so don't use it.

> _____________________________________________________________________________

>

> As I said in the title "I've done both of these 'silly things'!", so

> .........

>

> I am particularly interested in /this/ statement therein:-

>

> "Format may remove everything except the virus".

>

> I'd be most grateful if someone will explain this to me. TIA

> --

> Dave

>

>

>

Posted

"Tom" <t.wyckoff@verizon.net> wrote in message

news:8ZOHj.2114$fq2.1319@trndny03...

<snip>

> As I said in the title "I've done both of these 'silly things'!", so

>> .........

>>

>> I am particularly interested in /this/ statement therein:-

>>

>> "Format may remove everything except the virus".

>>

>> I'd be most grateful if someone will explain this to me. TIA

>> --

>> Dave

>>

>>

>>

> Simple really, Format doesn't write very much to your disk at all.

> It puts a Hexadecimal E5 in the first character of each entry in the root

> directory (marks it as empty and available), then reads the rest of the

> disk to look for bad sectors. It doesn't touch the Master Boot record or

> the partition table, that's fdisk's job.

 

Thank you for your reply, Tom.

 

I do not profess to understand all the technicalities but I have learnt much

by trial and error. My understanding from comments made by PA Bear at

AumHa.net was that carrying out a format leaves one's computer in a

virtually 'as new' state. However, I have used a programme from a magazine

CD (Undelete?) which enabled me to recover files from a clean, formatted,

hard drive. I'm fairly certain that I've done so even when I've used FDISK

too.

 

The Claymania statement seems to infer that even if one uses both FDISK

and Format, a virus could remain - and still come back to bite you!

 

Is this possible?

 

If so, what would be the solution - other than replacing the hard disk with

a new one? TIA for further comment.

 

One other query. When using my retail version XP Home set-up CD to load

Windows, one is given a choice of a 'regular' or 'quick' format procedure.

How do the procedures differ? Thanks for any advice on this.

 

Dave

Guest FromTheRafters
Posted

"~BD~" <BoaterDave@nospam.invalid> wrote in message

news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

> In this article http://www.claymania.com/panic.html it says:-

 

[snip]


> I am particularly interested in /this/ statement therein:-

>

> "Format may remove everything except the virus".

>

> I'd be most grateful if someone will explain this to me. TIA

 

The virus could reside in the boot code, which 'format' wouldn't touch.

You would effectively lose all data stored as files, while format went

about its business sprucing up the underlying structure. Kind of like

tightening up bookshelves to make them ready for some new books.

The boot code isn't stored in a file, so is unaffected by formatting.

Posted

"FromTheRafters" <Erratic@ne.rr.com> wrote in message

news:uTueJUqkIHA.484@TK2MSFTNGP04.phx.gbl...

>

> "~BD~" <BoaterDave@nospam.invalid> wrote in message

> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

<snip>

> The virus could reside in the boot code, which 'format' wouldn't touch.

> You would effectively lose all data stored as files, while format went

> about its business sprucing up the underlying structure. Kind of like

> tightening up bookshelves to make them ready for some new books.

> The boot code isn't stored in a file, so is unaffected by formatting.

>

Thank you for your response. I'm beginning to understand!

 

Have you any idea how one may remove a virus from the boot code? TIA.

Posted

Who appointed you moderator of this group?

 

I'm enjoying this thread (I might learn something) so bug off.

 

--

Leo

 

"A liberal is someone who feels a great debt to his fellow man, which

debt he proposes to pay off with your money." - G. Gordon Liddy

 

 

"Peter Foldes" <okf22@hotmail.com> wrote in message

news:OzD8RiokIHA.1744@TK2MSFTNGP05.phx.gbl...

Hello Dave

 

Please refrain from starting your usual dialogue with this post here. The

link claymania

is legitimate and very easy to understand

--

Peter

Posted

"Peter Foldes" <okf22@hotmail.com> wrote in message

news:OzD8RiokIHA.1744@TK2MSFTNGP05.phx.gbl...

Hello Dave

 

Please refrain from starting your usual dialogue with this post here. The

link claymania

is legitimate and very easy to understand

--

Peter

 

Please Reply to Newsgroup for the benefit of others

Requests for assistance by email can not and will not be acknowledged.

 

<snip>

 

Hello Peter - I trust you are well.

 

You are well aware that I've been 'researching' how bad things are done

nowadays on the Internet. You also know that I did my best to convince

others of the need to combat Cybercrime which has increased exponentially

over the last 3 years.

 

'jen' introduced a topic yesterday on annexcafe.general.user2user entitled

Massive IFrame Attack. I'd be interested to learn what you might think of

what has been said in that thread.

 

Dave

Guest FromTheRafters
Posted

"~BD~" <BoaterDave@nospam.invalid> wrote in message

news:%23t19DoqkIHA.1680@TK2MSFTNGP06.phx.gbl...

>

> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

> news:uTueJUqkIHA.484@TK2MSFTNGP04.phx.gbl...

>>

>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

> <snip>

>> The virus could reside in the boot code, which 'format' wouldn't touch.

>> You would effectively lose all data stored as files, while format went

>> about its business sprucing up the underlying structure. Kind of like

>> tightening up bookshelves to make them ready for some new books.

>> The boot code isn't stored in a file, so is unaffected by formatting.

>>

> Thank you for your response. I'm beginning to understand!

>

> Have you any idea how one may remove a virus from the boot code? TIA.

 

Sure, you overwrite/replace the correct code where it belongs. The trouble

is that sometimes you need part of the malicious code to recover your data

from the malware. Say for instance the virus encrypted some of your files, and

you decide to overwrite the boot code (stomping on the virus) then reboot only

to find the algorithm and 'key' to recovering your data was also stomped on.

 

...also consider that some of your backups may have been affected if the malware

was there long enough.

 

The whole Fdisk/MBR thing just illustrates the old saw 'a little knowledge

is a dangerous thing'.

Posted

"FromTheRafters" <Erratic@ne.rr.com> wrote in message

news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...

>

>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

>> <snip>

>> Have you any idea how one may remove a virus from the boot code? TIA.

>

> Sure, you overwrite/replace the correct code where it belongs. The trouble

> is that sometimes you need part of the malicious code to recover your data

> from the malware. Say for instance the virus encrypted some of your files,

> and

> you decide to overwrite the boot code (stomping on the virus) then reboot

> only

> to find the algorithm and 'key' to recovering your data was also stomped

> on.

>

> ..also consider that some of your backups may have been affected if the

> malware

> was there long enough.

>

> The whole Fdisk/MBR thing just illustrates the old saw 'a little knowledge

> is a dangerous thing'.

>

Thanks once again. You say "Sure, you overwrite/replace the correct code

where it belongs". You didn't explain How . If you know, please advise. TIA

 

Data retention is not relevant to this exercise. The object is to have a

'clean sheet' so to speak!

I do take on board, though, your point regarding backups possibly being

contaminated.

Posted

"Peter Foldes" <okf22@hotmail.com> wrote in message

news:OzD8RiokIHA.1744@TK2MSFTNGP05.phx.gbl...

Hello Dave

 

Please refrain from starting your usual dialogue with this post here. The

link claymania

is legitimate and very easy to understand

--

Peter

___________________________________________________

 

I have no doubt at all that information provided by the claymania link is

valid and legitimate.

 

You are one of the few folk, Peter, who have followed my multifarious

questions both here and on Annexcafe. Perhaps you could/would help me with a

small conundrum.

 

Annexcafe had (maybe still has) a 'back-up' facility with another

server-owner for use in the event of server problems - I believe it was a

reciprocal arrangement. The site ........ www.dogagent.com. I used to be

able to read newsgroup messages there too, by using 'news.dogagent.com' but

that facility seems no longer available (at least here on my PC).

 

Should you have the time, I wonder if you could investigate/suggest the

possible cause and report back in due course. TIA

 

Dave

Guest Dave H
Posted

"~BD~" <BoaterDave@nospam.invalid> wrote in message

news:uZa1ZSwkIHA.4244@TK2MSFTNGP06.phx.gbl...

> Annexcafe had (maybe still has) a 'back-up' facility with another

> server-owner for use in the event of server problems - I believe it was a

> reciprocal arrangement. The site ........ www.dogagent.com. I used to be

> able to read newsgroup messages there too, by using 'news.dogagent.com'

> but that facility seems no longer available (at least here on my PC).

>

> Should you have the time, I wonder if you could investigate/suggest the

> possible cause and report back in due course. TIA

>

 

Answer from server owner-

You are blocked because I considered you a nutter, with conspiracy theories

filling your mind.

Never was there anything you contributed of value, just meanderings of an

old befuddled mind.

Heaps of patience and reasoning were used upon you, all wasted.

 

In short, I considered you an old fool who got on my nerves.

The things keeping you out are considerable, and still there are things in

reserve I could use.

 

You knew all this, so why bother going where you are not wanted?

Don't want an answer to that of course.

 

So long, thanks for all the fish.

--

Dave

Posted

 

"Dave H" <spambox7@pepedog.com> wrote in message

news:8591BB24-1483-4532-9B92-42F00A0228D6@microsoft.com...

> "~BD~" <BoaterDave@nospam.invalid> wrote in message

> news:uZa1ZSwkIHA.4244@TK2MSFTNGP06.phx.gbl...

<snip>

 

So long, thanks for all the fish.

> --

> Dave

Guest FromTheRafters
Posted

"~BD~" <BoaterDave@nospam.invalid> wrote in message

news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>

> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...

>>

>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

>>> <snip>

>>> Have you any idea how one may remove a virus from the boot code? TIA.

>>

>> Sure, you overwrite/replace the correct code where it belongs. The

>> trouble

>> is that sometimes you need part of the malicious code to recover your

>> data

>> from the malware. Say for instance the virus encrypted some of your

>> files, and

>> you decide to overwrite the boot code (stomping on the virus) then reboot

>> only

>> to find the algorithm and 'key' to recovering your data was also stomped

>> on.

>>

>> ..also consider that some of your backups may have been affected if the

>> malware

>> was there long enough.

>>

>> The whole Fdisk/MBR thing just illustrates the old saw 'a little

>> knowledge is a dangerous thing'.

>>

> Thanks once again. You say "Sure, you overwrite/replace the correct code

> where it belongs". You didn't explain How . If you know, please advise.

> TIA

 

http://support.microsoft.com/kb/69013

 

After reading this, you should see how it could be dangerous if the user

doesn't know what he or she is doing. I used to have a dual boot box

Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have

messed things up considerably on that box for instance.

> Data retention is not relevant to this exercise. The object is to have a

> 'clean sheet' so to speak!

 

I can't tell you how to do it correctly for your system, because I don't know

what correct is for your system.

> I do take on board, though, your point regarding backups possibly being

> contaminated.

 

The chances of you having the specific kind of virus that attaches to boot

code is extremely small.

 

Formatting the drive will likely be sufficient for your purposes.
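Two answers in this thread describe the same layout of sector 0 from different angles: Tom's post says format marks the root directory entries and scans for bad sectors but never touches the Master Boot Record or partition table, and FromTheRafters points at KB 69013, where fdisk /mbr rewrites the boot code and leaves the partition table alone. The script below is an added example and is not code from the thread, from claymania or from Microsoft. It builds a constructed one-sector MBR (446 bytes of boot code, four 16-byte partition entries, the 55AA signature) inside a small in-memory disk image, parses the partition table, shows that wiping the whole partition leaves sector 0 untouched, fingerprints the boot code so a changed MBR can be recognised against a copy taken when the machine was clean, and performs the fdisk /mbr style rewrite of bytes 0 to 445 only. The boot code bytes, the partition layout and the "infection" are made-up stand-ins; nothing here reads or writes a real disk.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445 of sector 0: the boot code that fdisk /mbr rewrites
PT_OFFSET = 446            # bytes 446..509: four 16-byte partition table entries
PT_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"    # bytes 510..511: boot signature
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def make_partition_entry(bootable, ptype, lba_start, sectors):
    """Build one partition table entry; CHS fields are left zero (LBA is what matters)."""
    status = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(boot_code, entries):
    """Assemble sector 0 from boot code, up to four entries and the 55AA signature."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code or partition table too large")
    table = b"".join(entries).ljust(4 * PT_ENTRY_LEN, b"\0")
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table + SIGNATURE


def parse_mbr(sector):
    """Split sector 0 into boot code, the used partition entries and a signature check."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + PT_ENTRY_LEN])
        if ptype != 0:   # partition type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions,
            "signature_ok": sector[510:512] == SIGNATURE}


def boot_code_fingerprint(sector):
    """SHA-256 of the boot code only; compare with a copy saved while the machine was clean."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def wipe_partition(disk, entry):
    """Stand-in for a format: it only touches sectors inside the partition, never sector 0.
    A real format writes far less than this, so the MBR survives it all the more."""
    start = entry["lba_start"] * SECTOR
    end = start + entry["sectors"] * SECTOR
    return disk[:start] + b"\0" * (end - start) + disk[end:]


def rewrite_boot_code(sector, clean_code):
    """What fdisk /mbr does: replace bytes 0..445, keep the partition table and signature.
    It replaces whatever is there, so a boot manager such as grub living in the MBR is lost too."""
    return clean_code.ljust(BOOT_CODE_LEN, b"\0") + sector[PT_OFFSET:]


def run_scenario():
    """Constructed scenario: clean disk, boot code overwritten, partition formatted, MBR rewritten."""
    clean_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24   # made-up stand-in, not real boot code
    entry = make_partition_entry(True, 0x07, 63, 1024)                 # hypothetical NTFS-type partition
    clean_disk = build_mbr(clean_code, [entry]) + b"\0" * (SECTOR * 2047)
    good_fp = boot_code_fingerprint(clean_disk[:SECTOR])

    # The "infection" keeps the partition table so the machine still boots; only the code changes.
    bad_code = b"\xeb\xfe" + b"\xcc" * (BOOT_CODE_LEN - 2)             # made-up stand-in
    infected_disk = bad_code + clean_disk[BOOT_CODE_LEN:]

    part = parse_mbr(infected_disk[:SECTOR])["partitions"][0]
    formatted = wipe_partition(infected_disk, part)
    repaired = rewrite_boot_code(formatted[:SECTOR], clean_code) + formatted[SECTOR:]

    clean_table = parse_mbr(clean_disk[:SECTOR])["partitions"]
    return {
        "table_survives_infection": parse_mbr(infected_disk[:SECTOR])["partitions"] == clean_table,
        "fingerprint_flags_infection": boot_code_fingerprint(infected_disk[:SECTOR]) != good_fp,
        "format_touched_mbr": formatted[:SECTOR] != infected_disk[:SECTOR],
        "rewrite_restores_mbr": repaired[:SECTOR] == clean_disk[:SECTOR],
        "rewrite_kept_table": parse_mbr(repaired[:SECTOR])["partitions"] == clean_table,
    }


if __name__ == "__main__":
    for check, value in run_scenario().items():
        print(f"{check}: {value}")
```

The checks come out as the thread says they should: the partition table is intact after the boot code is replaced, the fingerprint differs from the clean copy, the format never changed sector 0, and the rewrite restores sector 0 byte for byte while keeping the table. The fingerprint comparison is the practical take-away: save a copy of sector 0 while the machine is known to be clean, and a later mismatch in the first 446 bytes tells you the boot code has been changed, whatever changed it.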

Guest kurt wismer
Posted

FromTheRafters wrote:

> "~BD~" <BoaterDave@nospam.invalid> wrote in message

> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

[snip]

>> I do take on board, though, your point regarding backups possibly

>> being contaminated.

>

> The chances of you having the specific kind of virus that attaches to

> boot code is extremely small.

 

true for viruses, less true for malware in general... specifically,

there's mbr malware being deployed via drive-by downloads from

compromised websites as we speak... i believe you can get more

information by searching for the keyword "mebroot"...

 

--

"it's not the right time to be sober

now the idiots have taken over

spreading like a social cancer,

is there an answer?"

Posted

Indeed, Kurt. Thank you for your response.

 

A quote from Computer Active

http://www.computeractive.co.uk/computerac...-takes-security

 

"Mebroot, which is designed to steal personal information and bank details,

is embedded in legitimate websites.

If the latest updates and patches for browsers or the XP operating system

have been applied, then anti-virus software can stop the rootkit and the

associate malware such as keystroke loggers and others it downloads.

 

But if patches have not been applied the malware downloads to a PC and then

hides from security software. It can be removed quite simply, according to

Hypponen, but currently only by the user rewriting the MBR".

 

My question remains. HOW does a user rewrite the MBR.

 

Many thanks to anyone who can provide the answer!

 

--

 

Dave

Posted

"FromTheRafters" <Erratic@ne.rr.com> wrote in message

news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...

>

> "~BD~" <BoaterDave@nospam.invalid> wrote in message

> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>>

>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...

>>>

>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

>>>> <snip>

>>>> Have you any idea how one may remove a virus from the boot code? TIA.

>>>

>>> Sure, you overwrite/replace the correct code where it belongs. The

>>> trouble

>>> is that sometimes you need part of the malicious code to recover your

>>> data

>>> from the malware. Say for instance the virus encrypted some of your

>>> files, and

>>> you decide to overwrite the boot code (stomping on the virus) then

>>> reboot only

>>> to find the algorithm and 'key' to recovering your data was also stomped

>>> on.

>>>

>>> ..also consider that some of your backups may have been affected if the

>>> malware

>>> was there long enough.

>>>

>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little

>>> knowledge is a dangerous thing'.

>>>

>> Thanks once again. You say "Sure, you overwrite/replace the correct code

>> where it belongs". You didn't explain How . If you know, please advise.

>> TIA

>

> http://support.microsoft.com/kb/69013

>

> After reading this, you should see how it could be dangerous if the user

> doesn't know what he or she is doing. I used to have a dual boot box

> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have

> messed things up considerably on that box for instance.

>

>> Data retention is not relevant to this exercise. The object is to have a

>> 'clean sheet' so to speak!

>

> I can't tell you how to do it correctly for your system, because I don't

> know

> what correct is for your system.

>

>> I do take on board, though, your point regarding backups possibly being

>> contaminated.

>

> The chances of you having the specific kind of virus that attaches to boot

> code is extremely small.

>

> Formatting the drive will likely be sufficient for your purposes.

>

Thank you so much for your helpful comments. I have read all the information

at the page to which your link carried me and then went on to explore

Article ID : 255867 regarding 'How to Use the Fdisk Tool .........'

 

All this information relates to systems before Windows XP. If one has been

using a hard disk - and let us assume that (although unlikely, in your view)

it has been infected by a Mebroot virus - if one simply boots from a

retail copy of XP (Home in my case) with a view to reinstalling Windows XP,

is the 'Format procedure' incorporated in the set-up programme sufficient to

eradicate a virus attached to the code in the MBR?

 

My intuition tells me that the virus will remain - ready to act again as

soon as the machine is reconnected to the Internet.

 

Maybe I am completely wrong about this, but it is why I wish to know how to

ensure that everything is wiped off a disc before reinstalling Windows. FYI,

I have also used a facility called Darik's Boot and Nuke to destroy all data

on a disk - but remain uncertain if even this procedure will destroy MBR

malware. I wonder if anyone reading here will know.

--

Dave

Posted

"Dave H" <spambox7@pepedog.com> wrote in message

news:8591BB24-1483-4532-9B92-42F00A0228D6@microsoft.com...

> "~BD~" <BoaterDave@nospam.invalid> wrote in message

> news:uZa1ZSwkIHA.4244@TK2MSFTNGP06.phx.gbl...

>> Annexcafe had (maybe still has) a 'back-up' facility with another

>> server-owner for use in the event of server problems - I believe it was a

>> reciprocal arrangement. The site ........ www.dogagent.com. I used to be

>> able to read newsgroup messages there too, by using 'news.dogagent.com'

>> but that facility seems no longer available (at least here on my PC).

>>

>> Should you have the time, I wonder if you could investigate/suggest the

>> possible cause and report back in due course. TIA

>>

>

> Answer from server owner-

> You are blocked because I considered you a nutter, with conspiracy

> theories

> filling your mind.

> Never was there anything you contributed of value, just meanderings of an

> old befuddled mind.

> Heaps of patience and reasoning were used upon you, all wasted.

>

> In short, I considered you an old fool who got on my nerves.

> The things keeping you out are considerable, and still there are things in

> reserve I could use.

>

> You knew all this, so why bother going where you are not wanted?

> Don't want an answer to that of course.

>

> So long, thanks for all the fish.

> --

> Dave

>

>

I hope you liked the video clip, Dave (but there again, I don't suppose you

followed the link!)

 

It was good of you to confirm that it is action which you have taken as

the server owner which prevents me from reviewing your newsgroups, even

though (as far as I know) I did nothing to provoke such action. AFAICR I

don't think I ever posted in your newsgroups, just enjoyed some of the

hundreds of photographs posted there (many of them of excellent quality).

 

I'd like to refer you to this item, Dave. Taken from here

http://www.theregister.co.uk/2008/03/31/co...ments/#c_188544

The attacks are getting more sophisticated, too

By Franklin

Posted Monday 31st March 2008 21:18 GMT

 

There's an entire underground network of computers and servers behind these

attacks; in my experience, a poisoned Web site doesn't usually drop malware

itself. Rather, it redirects the hapless visitor to another server, which

makes extensive and detailed logs about where the visitor came from, before

then choosing one of a list of payload sites to further redirect the user

to.

 

I've made a fairly detailed map of part of this underground network at

 

http://tacit.livejournal.com/238112.html

 

And, not surprisingly, iPower, Inc. is still leading the world in the number

of compromised, poisoned Web sites being hosted by a single Web host. In

fact, almost four months after a major security breach which saw thousands

of sites hosted by iPower compromised, the breach has not yet been fixed and

hackers can compromise and poison any site hosted on iPower servers at will.

 

--

 

It's not a game, Dave. This is REAL!

 

Which side are you on?

 

BD

Guest FromTheRafters
Posted

"kurt wismer" <kurtw@sympatico.ca> wrote in message

news:fssbus$hah$1@registered.motzarella.org...

> FromTheRafters wrote:

>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

> [snip]

>>> I do take on board, though, your point regarding backups possibly being

>>> contaminated.

>>

>> The chances of you having the specific kind of virus that attaches to

>> boot code is extremely small.

>

> true for viruses, less true for malware in general... specifically,

> there's mbr malware being deployed via drive-by downloads from compromised

> websites as we speak... i believe you can get more information by

> searching for the keyword "mebroot"...

 

Thanks kurt, I'll check that out.

Guest FromTheRafters
Posted

"~BD~" <BoaterDave@nospam.invalid> wrote in message

news:%23SC2F8%23kIHA.1212@TK2MSFTNGP05.phx.gbl...

>

> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

> news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...

>>

>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>>>

>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...

>>>>

>>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

>>>>> <snip>

>>>>> Have you any idea how one may remove a virus from the boot code? TIA.

>>>>

>>>> Sure, you overwrite/replace the correct code where it belongs. The

>>>> trouble

>>>> is that sometimes you need part of the malicious code to recover your

>>>> data

>>>> from the malware. Say for instance the virus encrypted some of your

>>>> files, and

>>>> you decide to overwrite the boot code (stomping on the virus) then

>>>> reboot only

>>>> to find the algorithm and 'key' to recovering your data was also

>>>> stomped on.

>>>>

>>>> ..also consider that some of your backups may have been affected if the

>>>> malware

>>>> was there long enough.

>>>>

>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little

>>>> knowledge is a dangerous thing'.

>>>>

>>> Thanks once again. You say "Sure, you overwrite/replace the correct code

>>> where it belongs". You didn't explain How . If you know, please advise.

>>> TIA

>>

>> http://support.microsoft.com/kb/69013

>>

>> After reading this, you should see how it could be dangerous if the user

>> doesn't know what he or she is doing. I used to have a dual boot box

>> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have

>> messed things up considerably on that box for instance.

>>

>>> Data retention is not relevant to this exercise. The object is to have a

>>> 'clean sheet' so to speak!

>>

>> I can't tell you how to do it correctly for your system, because I don't

>> know

>> what correct is for your system.

>>

>>> I do take on board, though, your point regarding backups possibly being

>>> contaminated.

>>

>> The chances of you having the specific kind of virus that attaches to

>> boot code is extremely small.

>>

>> Formatting the drive will likely be sufficient for your purposes.

>>

> Thank you so much for your helpful comments. I have read all the

> information at the page to which your link carried me and then went on to

> explore Article ID : 255867 regarding 'How to Use the Fdisk Tool

> .........'

>

> All this information relates to systems before Windows XP. If one has been

> using a hard disk - and let us assume that (although unlikely, in your

> view) it has been infected by a Mebroot virus - if one simply boots from

> a retail copy of XP (Home in my case) with a view to reinstalling Windows

> XP, is the 'Format procedure' incorporated in the set-up programme

> sufficient to eradicate a virus attached to the code in the MBR?

>

> My intuition tells me that the virus will remain - ready to act again as

> soon as the machine is reconnected to the Internet.

>

> Maybe I am completely wrong about this, but it is why I wish to know how

> to ensure that everything is wiped off a disc before reinstalling Windows.

> FYI, I have also used a facility called Darik's Boot and Nuke to destroy

> all data on a disk - but remain uncertain if even this procedure will

> destroy MBR malware. I wonder if anyone reading here will know.

 

Vista http://support.microsoft.com/kb/927392

 

Some others

http://www.datarecovery.com.sg/data_recove..._corruption.htm

Wanted to post a KB article - but this came to me first.

 

HTH

Guest David H. Lipman
Posted

From: "FromTheRafters" <Erratic@ne.rr.com>

 

|

| "kurt wismer" <kurtw@sympatico.ca> wrote in message

| news:fssbus$hah$1@registered.motzarella.org...

>> FromTheRafters wrote:

>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>> [snip]

>>>> I do take on board, though, your point regarding backups possibly being

>>>> contaminated.

>>>

>>> The chances of you having the specific kind of virus that attaches to

>>> boot code is extremely small.

>>

>> true for viruses, less true for malware in general... specifically,

>> there's mbr malware being deployed via drive-by downloads from compromised

>> websites as we speak... i believe you can get more information by

>> searching for the keyword "mebroot"...

|

| Thanks kurt, I'll check that out.

 

The mebroot is a Trojan that uses the MBR as part of its RootKit technique.

 

http://www.symantec.com/enterprise/securit...janmebroot.html

 

http://www.symantec.com/security_response/...-010718-3448-99

 

This is different from the traditional boot sector infectors which are true viruses.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted

"FromTheRafters" <Erratic@ne.rr.com> wrote in message

news:O9XorxFlIHA.5080@TK2MSFTNGP02.phx.gbl...

>

> "~BD~" <BoaterDave@nospam.invalid> wrote in message

> news:%23SC2F8%23kIHA.1212@TK2MSFTNGP05.phx.gbl...

>>

>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>> news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...

>>>

>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>>>>

>>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>>>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...

>>>>>

>>>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

>>>>>> <snip>

>>>>>> Have you any idea how one may remove a virus from the boot code? TIA.

>>>>>

>>>>> Sure, you overwrite/replace the correct code where it belongs. The

>>>>> trouble

>>>>> is that sometimes you need part of the malicious code to recover your

>>>>> data

>>>>> from the malware. Say for instance the virus encrypted some of your

>>>>> files, and

>>>>> you decide to overwrite the boot code (stomping on the virus) then

>>>>> reboot only

>>>>> to find the algorithm and 'key' to recovering your data was also

>>>>> stomped on.

>>>>>

>>>>> ..also consider that some of your backups may have been affected if

>>>>> the malware

>>>>> was there long enough.

>>>>>

>>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little

>>>>> knowledge is a dangerous thing'.

>>>>>

>>>> Thanks once again. You say "Sure, you overwrite/replace the correct

>>>> code where it belongs". You didn't explain how. If you know, please

>>>> advise. TIA

>>>

>>> http://support.microsoft.com/kb/69013

>>>

>>> After reading this, you should see how it could be dangerous if the user

>>> doesn't know what he or she is doing. I used to have a dual boot box

>>> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have

>>> messed things up considerably on that box for instance.

>>>

>>>> Data retention is not relevant to this exercise. The object is to have

>>>> a 'clean sheet' so to speak!

>>>

>>> I can't tell you how to do it correctly for your system, because I don't

>>> know

>>> what correct is for your system.

>>>

>>>> I do take on board, though, your point regarding backups possibly being

>>>> contaminated.

>>>

>>> The chances of you having the specific kind of virus that attaches to

>>> boot code is extremely small.

>>>

>>> Formatting the drive will likely be sufficient for your purposes.

>>>

>> Thank you so much for your helpful comments. I have read all the

>> information at the page to which your link carried me and then went on to

>> explore Article ID : 255867 regarding 'How to Use the Fdisk Tool

>> .........'

>>

>> All this information relates to systems before Windows XP. If one has

>> been using a hard disk - and let us assume that (although unlikely, in

>> your view) it has been infected by a Mebroot virus - if one simply

>> boots from a retail copy of XP (Home in my case) with a view to

>> reinstalling Windows XP, is the 'Format procedure' incorporated in the

>> set-up programme sufficient to eradicate a virus attached to the code in

>> the MBR?

>>

>> My intuition tells me that the virus will remain - ready to act again as

>> soon as the machine is reconnected to the Internet.

>>

>> Maybe I am completely wrong about this, but it is why I wish to know how

>> to ensure that everything is wiped off a disc before reinstalling

>> Windows. FYI, I have also used a facility called Darik's Boot and Nuke to

>> destroy all data on a disk - but remain uncertain if even this procedure

>> will destroy MBR malware. I wonder if anyone reading here will know.

>

> Vista http://support.microsoft.com/kb/927392

>

> Some others

> http://www.datarecovery.com.sg/data_recove..._corruption.htm

> Wanted to post a KB article - but this came to me first.

>

> HTH

>

>

More very helpful and interesting information. Thank you.

 

It would seem that the rootkit cannot be removed while the OS is running, as

it must be removed while the rootkit code itself is not running. So says

Symantec, which goes on to say "During our tests, running the "fixmbr"

command from within the Windows Recovery Console successfully removed the

malicious MBR entry. To help prevent similar attacks in the future, and if

your system BIOS includes the Master Boot Record write-protection feature,

now is a good time to enable it"!

 

The implication, to me, is that if one does become infected with such

malware, a straight-forward re-installation will fail to eradicate the

problem.

 

Other views welcomed!

--

Dave

Guest FromTheRafters
Posted

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:%23n1HZ2FlIHA.3636@TK2MSFTNGP02.phx.gbl...

> From: "FromTheRafters" <Erratic@ne.rr.com>

>

> |

> | "kurt wismer" <kurtw@sympatico.ca> wrote in message

> | news:fssbus$hah$1@registered.motzarella.org...

>>> FromTheRafters wrote:

>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>>> [snip]

>>>>> I do take on board, though, your point regarding backups possibly

>>>>> being

>>>>> contaminated.

>>>>

>>>> The chances of you having the specific kind of virus that attaches to

>>>> boot code is extremely small.

>>>

>>> true for viruses, less true for malware in general... specifically,

>>> there's mbr malware being deployed via drive-by downloads from

>>> compromised

>>> websites as we speak... i believe you can get more information by

>>> searching for the keyword "mebroot"...

> |

> | Thanks kurt, I'll check that out.

>

> The mebroot is a Trojan that uses the MBR as part of its RootKit

> technique.

>

> http://www.symantec.com/enterprise/securit...janmebroot.html

>

> http://www.symantec.com/security_response/...-010718-3448-99

>

> This is different from the traditional boot sector infectors which are

> true viruses.

 

Thanks Dave. If you have this, and you format the disk,

are you essentially left with just a corrupted MBR?

Guest FromTheRafters
Posted

"~BD~" <BoaterDave@nospam.invalid> wrote in message

news:uaggyGLlIHA.5368@TK2MSFTNGP04.phx.gbl...

>

> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

> news:O9XorxFlIHA.5080@TK2MSFTNGP02.phx.gbl...

>>

>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>> news:%23SC2F8%23kIHA.1212@TK2MSFTNGP05.phx.gbl...

>>>

>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>>> news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...

>>>>

>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>>>>>

>>>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>>>>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...

>>>>>>

>>>>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

>>>>>>> <snip>

>>>>>>> Have you any idea how one may remove a virus from the boot code?

>>>>>>> TIA.

>>>>>>

>>>>>> Sure, you overwrite/replace the correct code where it belongs. The

>>>>>> trouble

>>>>>> is that sometimes you need part of the malicious code to recover your

>>>>>> data

>>>>>> from the malware. Say for instance the virus encrypted some of your

>>>>>> files, and

>>>>>> you decide to overwrite the boot code (stomping on the virus) then

>>>>>> reboot only

>>>>>> to find the algorithm and 'key' to recovering your data was also

>>>>>> stomped on.

>>>>>>

>>>>>> ..also consider that some of your backups may have been affected if

>>>>>> the malware

>>>>>> was there long enough.

>>>>>>

>>>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little

>>>>>> knowledge is a dangerous thing'.

>>>>>>

>>>>> Thanks once again. You say "Sure, you overwrite/replace the correct

>>>>> code where it belongs". You didn't explain how. If you know, please

>>>>> advise. TIA

>>>>

>>>> http://support.microsoft.com/kb/69013

>>>>

>>>> After reading this, you should see how it could be dangerous if the

>>>> user

>>>> doesn't know what he or she is doing. I used to have a dual boot box

>>>> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have

>>>> messed things up considerably on that box for instance.

>>>>

>>>>> Data retention is not relevant to this exercise. The object is to have

>>>>> a 'clean sheet' so to speak!

>>>>

>>>> I can't tell you how to do it correctly for your system, because I

>>>> don't know

>>>> what correct is for your system.

>>>>

>>>>> I do take on board, though, your point regarding backups possibly

>>>>> being contaminated.

>>>>

>>>> The chances of you having the specific kind of virus that attaches to

>>>> boot code is extremely small.

>>>>

>>>> Formatting the drive will likely be sufficient for your purposes.

>>>>

>>> Thank you so much for your helpful comments. I have read all the

>>> information at the page to which your link carried me and then went on

>>> to explore Article ID : 255867 regarding 'How to Use the Fdisk Tool

>>> .........'

>>>

>>> All this information relates to systems before Windows XP. If one has

>>> been using a hard disk - and let us assume that (although unlikely, in

>>> your view) it has been infected by a Mebroot virus - if one simply

>>> boots from a retail copy of XP (Home in my case) with a view to

>>> reinstalling Windows XP, is the 'Format procedure' incorporated in the

>>> set-up programme sufficient to eradicate a virus attached to the code

>>> in the MBR?

>>>

>>> My intuition tells me that the virus will remain - ready to act again as

>>> soon as the machine is reconnected to the Internet.

>>>

>>> Maybe I am completely wrong about this, but it is why I wish to know how

>>> to ensure that everything is wiped off a disc before reinstalling

>>> Windows. FYI, I have also used a facility called Darik's Boot and Nuke

>>> to destroy all data on a disk - but remain uncertain if even this

>>> procedure will destroy MBR malware. I wonder if anyone reading here will

>>> know.

>>

>> Vista http://support.microsoft.com/kb/927392

>>

>> Some others

>> http://www.datarecovery.com.sg/data_recove..._corruption.htm

>> Wanted to post a KB article - but this came to me first.

>>

>> HTH

>>

>>

> More very helpful and interesting information. Thank you.

>

> It would seem that the rootkit cannot be removed while the OS is running,

> as it must be removed while the rootkit code itself is not running. So

> says Symantec, which goes on to say "During our tests, running the

> "fixmbr" command from within the Windows Recovery Console successfully

> removed the malicious MBR entry. To help prevent similar attacks in the

> future, and if your system BIOS includes the Master Boot Record

> write-protection feature, now is a good time to enable it"!

>

> The implication, to me, is that if one does become infected with such

> malware, a straight-forward re-installation will fail to eradicate the

> problem.

>

> Other views welcomed!

 

My guess is that any re-installation that leaves the MBR alone

while losing the rest of the malware installation would result in

the "problem" being replaced with a merely corrupted MBR.

 

Just a guess though.

Guest David H. Lipman
Posted

From: "FromTheRafters" <Erratic@ne.rr.com>

 


>>

>> The mebroot is a Trojan that uses the MBR as part of its RootKit

>> technique.

>>

>> http://www.symantec.com/enterprise/securit...janmebroot.html

>>

>> http://www.symantec.com/security_response/...-010718-3448-99

>>

>> This is different from the traditional boot sector infectors which are

>> true viruses.

 

|

| Thanks Dave. If you have this, and you format the disk,

| are you essentially left with just a corrupted MBR?

 

I don't think so but... I can't say for sure.

 

I would say that IF you went to this method, you should delete the partition table,

repartition and then reformat, not just reformat the hard disk.

 

 

BTW: Symantec has a removal tool...

http://www.symantec.com/security_response/...-020817-4716-99

 

What the tool does

The Removal Tool does the following:

- Restores the Master Boot Record

- Terminates the associated processes

- Deletes the associated files

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
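The point running through Dave's fixmbr post and David Lipman's "delete the partition table, repartition and then reformat" advice can be shown on a toy disk image: a format rewrites the partition's sectors and never touches sector 0, fixmbr rewrites only the 446 bytes of boot code and keeps the partition table, and a full-disk wipe clears everything, MBR included. This is an added example, not code from the thread or from any of the tools named; the disk layout, the boot-code bytes and the "FILESYSTEM" marker are constructed stand-ins, and the hash baseline is the kind of MBR integrity check a defender would record on a known-clean machine.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445 of sector 0 hold the boot code
PT_OFFSET = 446          # bytes 446..509 hold four 16-byte partition entries
SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_START = 63          # first partition begins at LBA 63 (classic layout)

# Constructed stand-ins: real boot code is x86 machine code, not ASCII.
CLEAN_BOOT_CODE = b"CLEAN-BOOT-CODE"
INFECTED_BOOT_CODE = b"MBR-ROOTKIT-LOADER"

def partition_entry(bootable, ptype, lba_start, size):
    """One 16-byte MBR partition entry; CHS fields zeroed, LBA fields used."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, size)

def build_mbr(boot_code, table):
    """Assemble sector 0: boot code, partition table, 0x55AA signature."""
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table.ljust(64, b"\0") + SIGNATURE

def new_disk(total_sectors, boot_code):
    """Toy disk image: MBR in sector 0, one NTFS-typed partition after it."""
    table = partition_entry(True, 0x07, PART_START, total_sectors - PART_START)
    disk = bytearray(total_sectors * SECTOR)
    disk[:SECTOR] = build_mbr(boot_code, table)
    # Constructed marker standing in for the file system inside the partition.
    disk[PART_START * SECTOR:PART_START * SECTOR + 10] = b"FILESYSTEM"
    return disk

def first_partition(disk):
    """(lba_start, size) of partition entry 1, read from the live MBR."""
    fields = struct.unpack("<B3sB3sII", disk[PT_OFFSET:PT_OFFSET + 16])
    return fields[4], fields[5]

def format_partition(disk):
    """What a 'format' does: rewrites the partition's sectors, never sector 0."""
    lba, size = first_partition(disk)
    disk[lba * SECTOR:(lba + size) * SECTOR] = bytes(size * SECTOR)

def fixmbr(disk, clean_boot_code=CLEAN_BOOT_CODE):
    """What fixmbr does: rewrite only the boot code, keep the partition table."""
    disk[:BOOT_CODE_LEN] = clean_boot_code.ljust(BOOT_CODE_LEN, b"\0")

def wipe_disk(disk):
    """What a full-disk wipe (DBAN style) does: every sector, MBR included."""
    disk[:] = bytes(len(disk))

def boot_code_hash(disk):
    """SHA-256 of the boot-code region; record this on a known-clean system."""
    return hashlib.sha256(bytes(disk[:BOOT_CODE_LEN])).hexdigest()

def mbr_is_known_good(disk, baseline_hash):
    """Integrity check: signature present and boot code matches the baseline."""
    return bytes(disk[510:512]) == SIGNATURE and boot_code_hash(disk) == baseline_hash
```

Running the sequence infect, format, fixmbr, wipe against `mbr_is_known_good` shows that only the last two steps change sector 0; the format step leaves the infected boot code exactly where it was.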
