
I've done both of these 'silly things'!



Posted

"FromTheRafters" <Erratic@ne.rr.com> wrote in message

news:%230ZTkJRlIHA.536@TK2MSFTNGP06.phx.gbl...

>

> "~BD~" <BoaterDave@nospam.invalid> wrote in message

> news:uaggyGLlIHA.5368@TK2MSFTNGP04.phx.gbl...

>>

>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>> news:O9XorxFlIHA.5080@TK2MSFTNGP02.phx.gbl...

>>>

>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>> news:%23SC2F8%23kIHA.1212@TK2MSFTNGP05.phx.gbl...

>>>>

>>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>>>> news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...

>>>>>

>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>>>>>>

>>>>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message

>>>>>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...

>>>>>>>

>>>>>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>>>>>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

>>>>>>>> <snip>

>>>>>>>> Have you any idea how one may remove a virus from the boot code?

>>>>>>>> TIA.

>>>>>>>

>>>>>>> Sure, you overwrite/replace the correct code where it belongs. The

>>>>>>> trouble

>>>>>>> is that sometimes you need part of the malicious code to recover

>>>>>>> your data

>>>>>>> from the malware. Say for instance the virus encrypted some of your

>>>>>>> files, and

>>>>>>> you decide to overwrite the boot code (stomping on the virus) then

>>>>>>> reboot only

>>>>>>> to find the algorithm and 'key' to recovering your data was also

>>>>>>> stomped on.

>>>>>>>

>>>>>>> ..also consider that some of your backups may have been affected if

>>>>>>> the malware

>>>>>>> was there long enough.

>>>>>>>

>>>>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little

>>>>>>> knowledge is a dangerous thing'.

>>>>>>>

>>>>>> Thanks once again. You say "Sure, you overwrite/replace the correct

>>>>>> code where it belongs". You didn't explain how. If you know, please

>>>>>> advise. TIA

>>>>>

>>>>> http://support.microsoft.com/kb/69013

>>>>>

>>>>> After reading this, you should see how it could be dangerous if the

>>>>> user

>>>>> doesn't know what he or she is doing. I used to have a dual boot box

>>>>> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have

>>>>> messed things up considerably on that box for instance.

>>>>>

>>>>>> Data retention is not relevant to this exercise. The object is to

>>>>>> have a 'clean sheet' so to speak!

>>>>>

>>>>> I can't tell you how to do it correctly for your system, because I

>>>>> don't know

>>>>> what correct is for your system.

>>>>>

>>>>>> I do take on board, though, your point regarding backups possibly

>>>>>> being contaminated.

>>>>>

>>>>> The chances of you having the specific kind of virus that attaches to

>>>>> boot code is extremely small.

>>>>>

>>>>> Formatting the drive will likely be sufficient for your purposes.

>>>>>

>>>> Thank you so much for your helpful comments. I have read all the

>>>> information at the page to which your link carried me and then went on

>>>> to explore Article ID : 255867 regarding 'How to Use the Fdisk Tool

>>>> .........'

>>>>

>>>> All this information relates to systems before Windows XP. If one has

>>>> been using a hard disk - and let us assume that (although unlikely, in

>>>> your view) it has been infected by a Mebroot virus - if one simply

>>>> boots from a retail copy of XP (Home in my case) with a view to

>>>> reinstalling Windows XP, is the 'Format procedure' incorporated in the

>>>> set-up programme sufficient to eradicate a virus attached to the code

>>>> in the MBR?

>>>>

>>>> My intuition tells me that the virus will remain - ready to act again

>>>> as soon as the machine is reconnected to the Internet.

>>>>

>>>> Maybe I am completely wrong about this, but it is why I wish to know

>>>> how to ensure that everything is wiped off a disc before reinstalling

>>>> Windows. FYI, I have also used a facility called Darik's Boot and Nuke

>>>> to destroy all data on a disk - but remain uncertain if even this

>>>> procedure will destroy MBR malware. I wonder if anyone reading here

>>>> will know.

>>>

>>> Vista http://support.microsoft.com/kb/927392

>>>

>>> Some others

>>> http://www.datarecovery.com.sg/data_recove..._corruption.htm

>>> Wanted to post a KB article - but this came to me first.

>>>

>>> HTH

>>>

>>

>> More very helpful and interesting information. Thank you.

>>

>> It would seem that the rootkit cannot be removed while the OS is running,

>> as it must be removed while the rootkit code itself is not running. So

>> says Symantec, which goes on to say "During our tests, running the

>> "fixmbr" command from within the Windows Recovery Console successfully

>> removed the malicious MBR entry. To help prevent similar attacks in the

>> future, and if your system BIOS includes the Master Boot Record

>> write-protection feature, now is a good time to enable it"!

>>

>> The implication, to me, is that if one does become infected with such

>> malware, a straight-forward re-installation will fail to eradicate the

>> problem.

>>

>> Other views welcomed!

>

> My guess is that any re-installation that leaves the MBR alone

> while losing the rest of the malware installation would result in

> the "problem" being replaced with a merely corrupted MBR.

>

> Just a guess though.

 

Many thanks for your contributions in this thread. It is appreciated!

--

Dave

Guest Richard Urban
Posted

Boot using a DOS setup floppy (latest/last version).

 

Type fdisk /mbr

 

The /mbr is an undocumented call that will replace the mbr on the master

hard drive. It is best to physically disconnect all other hard drives when

performing this call to prevent any unwanted actions due to multiple hard

drives being connected.

 

 

"~BD~" <BoaterDave@nospam.invalid> wrote in message

news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...

> Indeed, Kurt. Thank you for your response.

>

> A quote from Computer Active

> http://www.computeractive.co.uk/computerac...-takes-security

>

> "Mebroot, which is designed to steal personal information and bank

> details, is embedded in legitimate websites.

> If the latest updates and patches for browsers or the XP operating system

> have been applied, then anti-virus software can stop the rootkit and the

> associate malware such as keystroke loggers and others it downloads.

>

> But if patches have not been applied the malware downloads to a PC and

> then hides from security software. It can be removed quite simply,

> according to Hypponen, but currently only by the user rewriting the MBR".

>

> My question remains. HOW does a user rewrite the MBR.

>

> Many thanks to anyone who can provide the answer!

>

> --

>

> Dave

>

>

>

>

>

>

Guest FromTheRafters
Posted

"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message

news:%23dzAjSfnIHA.1212@TK2MSFTNGP05.phx.gbl...

> Boot using a DOS setup floppy (latest/last version).

>

> Type fdisk /mbr

>

> The /mbr is an undocumented call that will replace the mbr on the master

> hard drive. It is best to physically disconnect all other hard drives when

> performing this call to prevent any unwanted actions due to multiple hard

> drives being connected.

 

Care must be taken to ensure that the correct MBR code

is what replaces the existing code. Why do you assume

the "latest/last" DOS version is the correct one for the

OP's system?


> "~BD~" <BoaterDave@nospam.invalid> wrote in message

> news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...

>> Indeed, Kurt. Thank you for your response.

>>

>> A quote from Computer Active

>> http://www.computeractive.co.uk/computerac...-takes-security

>>

>> "Mebroot, which is designed to steal personal information and bank

>> details, is embedded in legitimate websites.

>> If the latest updates and patches for browsers or the XP operating system

>> have been applied, then anti-virus software can stop the rootkit and the

>> associate malware such as keystroke loggers and others it downloads.

>>

>> But if patches have not been applied the malware downloads to a PC and

>> then hides from security software. It can be removed quite simply,

>> according to Hypponen, but currently only by the user rewriting the MBR".

>>

>> My question remains. HOW does a user rewrite the MBR.

>>

>> Many thanks to anyone who can provide the answer!

>>

>> --

>>

>> Dave

>>

>>

>>

>>

>>

>>

>

Guest Richard Urban
Posted

Because I have never found a hard drive that it would not clear/rewrite the

MBR and make the drive usable again. I use what "I" know is best for me. I

recommend the same to others.

 

 

"FromTheRafters" <Erratic@ne.rr.com> wrote in message

news:epJlv9jnIHA.4292@TK2MSFTNGP04.phx.gbl...

>

> "Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message

> news:%23dzAjSfnIHA.1212@TK2MSFTNGP05.phx.gbl...

>> Boot using a DOS setup floppy (latest/last version).

>>

>> Type fdisk /mbr

>>

>> The /mbr is an undocumented call that will replace the mbr on the master

>> hard drive. It is best to physically disconnect all other hard drives

>> when performing this call to prevent any unwanted actions due to multiple

>> hard drives being connected.

>

> Care must be taken to ensure that the correct MBR code

> is what replaces the existing code. Why do you assume

> the "latest/last" DOS version is the correct one for the

> OP's system?

>

>> "~BD~" <BoaterDave@nospam.invalid> wrote in message

>> news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...

>>> Indeed, Kurt. Thank you for your response.

>>>

>>> A quote from Computer Active

>>> http://www.computeractive.co.uk/computerac...-takes-security

>>>

>>> "Mebroot, which is designed to steal personal information and bank

>>> details, is embedded in legitimate websites.

>>> If the latest updates and patches for browsers or the XP operating

>>> system have been applied, then anti-virus software can stop the rootkit

>>> and the associate malware such as keystroke loggers and others it

>>> downloads.

>>>

>>> But if patches have not been applied the malware downloads to a PC and

>>> then hides from security software. It can be removed quite simply,

>>> according to Hypponen, but currently only by the user rewriting the

>>> MBR".

>>>

>>> My question remains. HOW does a user rewrite the MBR.

>>>

>>> Many thanks to anyone who can provide the answer!

>>>

>>> --

>>>

>>> Dave

>>>

>>>

>>>

>>>

>>>

>>>

>>

>

Guest Massimo
Posted

Hello,

 

On Mon, 14 Apr 2008 01:58:59 -0400, "Richard Urban"

<richardurbanREMOVETHIS@hotmail.com> wrote:


>Boot using a DOS setup floppy (latest/last version).

>

>Type fdisk /mbr

>

>The /mbr is an undocumented call that will replace the mbr on the master

>hard drive. It is best to physically disconnect all other hard drives when

>performing this call to prevent any unwanted actions due to multiple hard

>drives being connected.

>

>

I read this posting but do not know what has been said before. I

believe I remember that the fdisk /mbr call can only be used on a FAT

(16, 32?) system. Does the OP have that kind of format on his HD? If

not, could this call ruin his HD?

 

Massimo

============


>"~BD~" <BoaterDave@nospam.invalid> wrote in message

>news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...

>> Indeed, Kurt. Thank you for your response.

>>

>> A quote from Computer Active

>> http://www.computeractive.co.uk/computerac...-takes-security

>>

>> "Mebroot, which is designed to steal personal information and bank

>> details, is embedded in legitimate websites.

>> If the latest updates and patches for browsers or the XP operating system

>> have been applied, then anti-virus software can stop the rootkit and the

>> associate malware such as keystroke loggers and others it downloads.

>>

>> But if patches have not been applied the malware downloads to a PC and

>> then hides from security software. It can be removed quite simply,

>> according to Hypponen, but currently only by the user rewriting the MBR".

>>

>> My question remains. HOW does a user rewrite the MBR.

>>

>> Many thanks to anyone who can provide the answer!

>>

>> --

>>

>> Dave

>>

>>

>>

>>

>>

>>

Posted

The OP's OS is XP. He should instead boot from the Recovery Console and

type: fixmbr.

 

Fixmbr Command Syntax:

 

fixmbr (device_name):

 

device_name = This is where you designate the exact drive location that

a master boot record will be written to. If no device is specified, the

master boot record will be written to the primary boot drive.

Fixmbr Command Examples:

 

fixmbr \Device\HardDisk0

 

In the above example, the master boot record is written to the drive

located at \Device\HardDisk0.

 

fixmbr:

 

In this example, the master boot record is written to the device that

your primary system is loaded onto. If you have a single installation of

Windows installed, which is normally the case, running the fixmbr

command in this way is usually the right way to go.

Fixmbr Command Availability:

 

The fixmbr command is only available from within the Recovery Console in

Windows 2000 and Windows XP.

 

-jen

 

"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message

news:%23dzAjSfnIHA.1212@TK2MSFTNGP05.phx.gbl...

> Boot using a DOS setup floppy (latest/last version).

>

> Type fdisk /mbr

>

> The /mbr is an undocumented call that will replace the mbr on the

> master hard drive. It is best to physically disconnect all other hard

> drives when performing this call to prevent any unwanted actions due

> to multiple hard drives being connected.

>

>

> "~BD~" <BoaterDave@nospam.invalid> wrote in message

> news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...

>> Indeed, Kurt. Thank you for your response.

>>

>> A quote from Computer Active

>> http://www.computeractive.co.uk/computerac...-takes-security

>>

>> "Mebroot, which is designed to steal personal information and bank

>> details, is embedded in legitimate websites.

>> If the latest updates and patches for browsers or the XP operating

>> system have been applied, then anti-virus software can stop the

>> rootkit and the associate malware such as keystroke loggers and

>> others it downloads.

>>

>> But if patches have not been applied the malware downloads to a PC

>> and then hides from security software. It can be removed quite

>> simply, according to Hypponen, but currently only by the user

>> rewriting the MBR".

>>

>> My question remains. HOW does a user rewrite the MBR.

>>

>> Many thanks to anyone who can provide the answer!

>>

>> --

>>

>> Dave

>>

>>

>>

>>

>>

>>

>
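The two points argued across this thread, that formatting a partition leaves the boot sector alone (Dave's question about whether the XP setup format clears the MBR) and that a fixmbr-style rewrite must put the correct boot code back while keeping the partition table (FromTheRafters' "care must be taken" reply, and -jen's fixmbr description), can be made concrete with an in-memory model of a legacy 512-byte MBR. The following Python script is an added example written for this page; it is not code from any poster, from Microsoft, or from the fixmbr/fdisk tools. It works only on a constructed toy disk image held in a bytearray and never touches a real drive; the "clean" and "tampered" boot-code bytes and the SHA-256 reference are invented stand-ins, and the partition layout is constructed for illustration. The defensive idea it demonstrates is integrity checking: hash the 446-byte boot-code region of sector 0 and compare it with a known-good value, which is the check a practitioner would run before and after any MBR repair.

```python
"""Toy model of a legacy (BIOS) MBR: parse it, verify its boot code against a
known-good hash, and show (a) that wiping a partition never touches sector 0 and
(b) that a fixmbr-style rewrite replaces only the boot code and keeps the
partition table. All data is constructed; no real disk is read or written."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # bytes 0..445 of sector 0: executable boot code
PART_TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
ENTRY_FMT = "<B3xB3xII"        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

# Constructed stand-in for a vendor's clean boot code (not real machine code).
CLEAN_BOOT_CODE = (b"CLEAN-BOOT-CODE-" * 28)[:BOOT_CODE_LEN]
# Reference hash a defender would record from a known-good install.
CLEAN_BOOT_HASH = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, count) tuples."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 446 bytes")
    table = b"".join(struct.pack(ENTRY_FMT, *p) for p in partitions)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")   # unused entries are all zeros
    return boot_code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into its three regions and decode the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype != 0:   # type 0x00 marks an unused slot
            entries.append({"status": status, "type": ptype,
                            "lba_start": lba_start, "count": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def boot_code_is_known_good(sector: bytes, reference_sha256: str) -> bool:
    """The integrity check: does the boot-code region match the recorded good hash?"""
    return parse_mbr(sector)["boot_code_sha256"] == reference_sha256


def zero_partition(disk: bytearray, entry: dict) -> None:
    """Model a format: wipe only the partition's own sectors. Sector 0 lies outside every partition."""
    start = entry["lba_start"] * SECTOR
    end = start + entry["count"] * SECTOR
    disk[start:end] = bytes(end - start)


def rewrite_boot_code(disk: bytearray, clean_boot_code: bytes) -> None:
    """Model fixmbr: replace bytes 0..445 of sector 0 and leave the partition table and signature alone."""
    if len(clean_boot_code) != BOOT_CODE_LEN:
        raise ValueError("replacement boot code must be exactly 446 bytes")
    disk[:BOOT_CODE_LEN] = clean_boot_code


def demo() -> dict:
    # Constructed 8-sector disk: MBR in sector 0, one active NTFS-typed partition at LBA 2 spanning 6 sectors.
    disk = bytearray(8 * SECTOR)
    disk[:SECTOR] = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2, 6)])
    disk[2 * SECTOR:] = b"D" * (6 * SECTOR)          # partition contents
    # Constructed tampering: the boot-code region no longer matches the vendor's code.
    disk[:BOOT_CODE_LEN] = (b"TAMPERED-BOOT---" * 28)[:BOOT_CODE_LEN]

    results = {"before": boot_code_is_known_good(bytes(disk[:SECTOR]), CLEAN_BOOT_HASH)}
    part = parse_mbr(bytes(disk[:SECTOR]))["partitions"][0]
    zero_partition(disk, part)                       # "formatting" the partition
    results["after_format"] = boot_code_is_known_good(bytes(disk[:SECTOR]), CLEAN_BOOT_HASH)

    table_before = bytes(disk[PART_TABLE_OFF:SECTOR])
    rewrite_boot_code(disk, CLEAN_BOOT_CODE)         # fixmbr-style repair
    results["after_rewrite"] = boot_code_is_known_good(bytes(disk[:SECTOR]), CLEAN_BOOT_HASH)
    results["table_preserved"] = bytes(disk[PART_TABLE_OFF:SECTOR]) == table_before
    return results


if __name__ == "__main__":
    print(demo())
```

Running it shows `before` and `after_format` both False (the tampered boot code survives wiping the partition, which is the thread's point about reinstalling over an infected disk) and `after_rewrite` True with `table_preserved` True (the rewrite restores the boot code without disturbing the partition table). The check is only as good as the reference hash: a clean boot code for one system is not necessarily the right one for another, which is why FromTheRafters asks where Richard's "correct" code comes from.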
