I've done both of these 'silly things'!


David H. Lipman

From: "FromTheRafters" <Erratic@ne.rr.com>

|
| "kurt wismer" <kurtw@sympatico.ca> wrote in message
| news:fssbus$hah$1@registered.motzarella.org...
>> FromTheRafters wrote:
>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message
>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

>> [snip]
>>>> I do take on board, though, your point regarding backups possibly being
>>>> contaminated.
>>>
>>> The chances of you having the specific kind of virus that attaches to
>>> boot code is extremely small.

>>
>> true for viruses, less true for malware in general... specifically,
>> there's mbr malware being deployed via drive-by downloads from compromised
>> websites as we speak... i believe you can get more information by
>> searching for the keyword "mebroot"...

|
| Thanks kurt, I'll check that out. :o)

The mebroot is a Trojan that uses the MBR as part of its RootKit technique.

http://www.symantec.com/enterprise/...g/2008/01/from_bootroot_to_trojanmebroot.html

http://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99

This is different from the traditional boot sector infectors which are true viruses.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

~BD~

"FromTheRafters" <Erratic@ne.rr.com> wrote in message
news:O9XorxFlIHA.5080@TK2MSFTNGP02.phx.gbl...
>
> "~BD~" <BoaterDave@nospam.invalid> wrote in message
> news:%23SC2F8%23kIHA.1212@TK2MSFTNGP05.phx.gbl...
>>
>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message
>> news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...
>>>
>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message
>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...
>>>>
>>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message
>>>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...
>>>>>
>>>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message
>>>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...
>>>>>> <snip>
>>>>>> Have you any idea how one may remove a virus from the boot code? TIA.
>>>>>
>>>>> Sure, you overwrite/replace the correct code where it belongs. The
>>>>> trouble
>>>>> is that sometimes you need part of the malicious code to recover your
>>>>> data
>>>>> from the malware. Say for instance the virus encrypted some of your
>>>>> files, and
>>>>> you decide to overwrite the boot code (stomping on the virus) then
>>>>> reboot only
>>>>> to find the algorithm and 'key' to recovering your data was also
>>>>> stomped on.
>>>>>
>>>>> ..also consider that some of your backups may have been affected if
>>>>> the malware
>>>>> was there long enough.
>>>>>
>>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little
>>>>> knowledge is a dangerous thing'.
>>>>>
>>>> Thanks once again. You say "Sure, you overwrite/replace the correct
>>>> code where it belongs". You didn't explain *How*. If you know, please
>>>> advise. TIA
>>>
>>> http://support.microsoft.com/kb/69013
>>>
>>> After reading this, you should see how it could be dangerous if the user
>>> doesn't know what he or she is doing. I used to have a dual boot box
>>> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have
>>> messed things up considerably on that box for instance.
>>>
>>>> Data retention is not relevant to this exercise. The object is to have
>>>> a 'clean sheet' so to speak! :)
>>>
>>> I can't tell you how to do it correctly for your system, because I don't
>>> know
>>> what correct is for your system.
>>>
>>>> I do take on board, though, your point regarding backups possibly being
>>>> contaminated.
>>>
>>> The chances of you having the specific kind of virus that attaches to
>>> boot code is extremely small.
>>>
>>> Formatting the drive will likely be sufficient for your purposes.
>>>

>> Thank you so much for your helpful comments. I have read all the
>> information at the page to which your link carried me and then went on to
>> explore Article ID : 255867 regarding 'How to Use the Fdisk Tool
>> .........'
>>
>> All this information relates to systems before Windows XP. If one has
>> been using a hard disk - and let us assume that (although unlikely, in
>> your view) it *has* been infected by a Mebroot virus - if one simply
>> boots from a retail copy of XP (Home in my case) with a view to
>> reinstalling Windows XP, is the 'Format procedure' incorporated in the
>> set-up programme sufficient to eradicate a virus attached to the code in
>> the MBR?
>>
>> My intuition tells me that the virus will remain - ready to act again as
>> soon as the machine is reconnected to the Internet.
>>
>> Maybe I am completely wrong about this, but it is why I wish to know how
>> to ensure that everything is wiped off a disc before reinstalling
>> Windows. FYI, I have also used a facility called Darik's Boot and Nuke to
>> destroy all data on a disk - but remain uncertain if even this procedure
>> will destroy MBR malware. I wonder if anyone reading here will know.

>
> Vista http://support.microsoft.com/kb/927392
>
> Some others
> http://www.datarecovery.com.sg/data_recovery/troubleshoot_master_boot_record_corruption.htm
> Wanted to post a KB article - but this came to me first.
>
> HTH
>
>

More very helpful and interesting information. Thank you.

It would seem that the rootkit cannot be removed while the OS is running, as
it must be removed while the rootkit code itself is not running. So says
Symantec, which goes on to say "During our tests, running the "fixmbr"
command from within the Windows Recovery Console successfully removed the
malicious MBR entry. To help prevent similar attacks in the future, and if
your system BIOS includes the Master Boot Record write-protection feature,
now is a good time to enable it"!

The implication, to me, is that if one *does* become infected with such
malware, a straight-forward re-installation will fail to eradicate the
problem.

Other views welcomed!
--
Dave
 

FromTheRafters

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23n1HZ2FlIHA.3636@TK2MSFTNGP02.phx.gbl...
> From: "FromTheRafters" <Erratic@ne.rr.com>
>
> |
> | "kurt wismer" <kurtw@sympatico.ca> wrote in message
> | news:fssbus$hah$1@registered.motzarella.org...
>>> FromTheRafters wrote:
>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message
>>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...
>>> [snip]
>>>>> I do take on board, though, your point regarding backups possibly
>>>>> being
>>>>> contaminated.
>>>>
>>>> The chances of you having the specific kind of virus that attaches to
>>>> boot code is extremely small.
>>>
>>> true for viruses, less true for malware in general... specifically,
>>> there's mbr malware being deployed via drive-by downloads from
>>> compromised
>>> websites as we speak... i believe you can get more information by
>>> searching for the keyword "mebroot"...

> |
> | Thanks kurt, I'll check that out. :o)
>
> The mebroot is a Trojan that uses the MBR as part of its RootKit
> technique.
>
> http://www.symantec.com/enterprise/...g/2008/01/from_bootroot_to_trojanmebroot.html
>
> http://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99
>
> This is different from the traditional boot sector infectors which are
> true viruses.


Thanks Dave. If you have this, and you format the disk,
are you essentially left with just a corrupted MBR?
 

FromTheRafters

"~BD~" <BoaterDave@nospam.invalid> wrote in message
news:uaggyGLlIHA.5368@TK2MSFTNGP04.phx.gbl...
>
> "FromTheRafters" <Erratic@ne.rr.com> wrote in message
> news:O9XorxFlIHA.5080@TK2MSFTNGP02.phx.gbl...
>>
>> "~BD~" <BoaterDave@nospam.invalid> wrote in message
>> news:%23SC2F8%23kIHA.1212@TK2MSFTNGP05.phx.gbl...
>>>
>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message
>>> news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...
>>>>
>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message
>>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...
>>>>>
>>>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message
>>>>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...
>>>>>>
>>>>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message
>>>>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...
>>>>>>> <snip>
>>>>>>> Have you any idea how one may remove a virus from the boot code?
>>>>>>> TIA.
>>>>>>
>>>>>> Sure, you overwrite/replace the correct code where it belongs. The
>>>>>> trouble
>>>>>> is that sometimes you need part of the malicious code to recover your
>>>>>> data
>>>>>> from the malware. Say for instance the virus encrypted some of your
>>>>>> files, and
>>>>>> you decide to overwrite the boot code (stomping on the virus) then
>>>>>> reboot only
>>>>>> to find the algorithm and 'key' to recovering your data was also
>>>>>> stomped on.
>>>>>>
>>>>>> ..also consider that some of your backups may have been affected if
>>>>>> the malware
>>>>>> was there long enough.
>>>>>>
>>>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little
>>>>>> knowledge is a dangerous thing'.
>>>>>>
>>>>> Thanks once again. You say "Sure, you overwrite/replace the correct
>>>>> code where it belongs". You didn't explain *How*. If you know, please
>>>>> advise. TIA
>>>>
>>>> http://support.microsoft.com/kb/69013
>>>>
>>>> After reading this, you should see how it could be dangerous if the
>>>> user
>>>> doesn't know what he or she is doing. I used to have a dual boot box
>>>> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have
>>>> messed things up considerably on that box for instance.
>>>>
>>>>> Data retention is not relevant to this exercise. The object is to have
>>>>> a 'clean sheet' so to speak! :)
>>>>
>>>> I can't tell you how to do it correctly for your system, because I
>>>> don't know
>>>> what correct is for your system.
>>>>
>>>>> I do take on board, though, your point regarding backups possibly
>>>>> being contaminated.
>>>>
>>>> The chances of you having the specific kind of virus that attaches to
>>>> boot code is extremely small.
>>>>
>>>> Formatting the drive will likely be sufficient for your purposes.
>>>>
>>> Thank you so much for your helpful comments. I have read all the
>>> information at the page to which your link carried me and then went on
>>> to explore Article ID : 255867 regarding 'How to Use the Fdisk Tool
>>> .........'
>>>
>>> All this information relates to systems before Windows XP. If one has
>>> been using a hard disk - and let us assume that (although unlikely, in
>>> your view) it *has* been infected by a Mebroot virus - if one simply
>>> boots from a retail copy of XP (Home in my case) with a view to
>>> reinstalling Windows XP, is the 'Format procedure' incorporated in the
>>> set-up programme sufficient to eradicate a virus attached to the code
>>> in the MBR?
>>>
>>> My intuition tells me that the virus will remain - ready to act again as
>>> soon as the machine is reconnected to the Internet.
>>>
>>> Maybe I am completely wrong about this, but it is why I wish to know how
>>> to ensure that everything is wiped off a disc before reinstalling
>>> Windows. FYI, I have also used a facility called Darik's Boot and Nuke
>>> to destroy all data on a disk - but remain uncertain if even this
>>> procedure will destroy MBR malware. I wonder if anyone reading here will
>>> know.

>>
>> Vista http://support.microsoft.com/kb/927392
>>
>> Some others
>> http://www.datarecovery.com.sg/data_recovery/troubleshoot_master_boot_record_corruption.htm
>> Wanted to post a KB article - but this came to me first.
>>
>> HTH
>>
>>

> More very helpful and interesting information. Thank you.
>
> It would seem that the rootkit cannot be removed while the OS is running,
> as it must be removed while the rootkit code itself is not running. So
> says Symantec, which goes on to say "During our tests, running the
> "fixmbr" command from within the Windows Recovery Console successfully
> removed the malicious MBR entry. To help prevent similar attacks in the
> future, and if your system BIOS includes the Master Boot Record
> write-protection feature, now is a good time to enable it"!
>
> The implication, to me, is that if one *does* become infected with such
> malware, a straight-forward re-installation will fail to eradicate the
> problem.
>
> Other views welcomed!


My guess is that any re-installation that leaves the MBR alone
while losing the rest of the malware installation would result in
the "problem" being replaced with a merely corrupted MBR.

Just a guess though.
 

David H. Lipman

From: "FromTheRafters" <Erratic@ne.rr.com>


>>
>> The mebroot is a Trojan that uses the MBR as part of its RootKit
>> technique.
>>
>> http://www.symantec.com/enterprise/...g/2008/01/from_bootroot_to_trojanmebroot.html
>>
>> http://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99
>>
>> This is different from the traditional boot sector infectors which are
>> true viruses.


|
| Thanks Dave. If you have this, and you format the disk,
| are you essentially left with just a corrupted MBR?

I don't think so but... I can't say for sure.

I would say that IF you went to this method, you should delete the partition table,
repartition and then reformat not just reformat the hard disk.


BTW: Symantec has a removal tool...
http://www.symantec.com/security_response/writeup.jsp?docid=2008-020817-4716-99

What the tool does
The Removal Tool does the following:
- Restores the Master Boot Record
- Terminates the associated processes
- Deletes the associated files

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

~BD~

"FromTheRafters" <Erratic@ne.rr.com> wrote in message
news:%230ZTkJRlIHA.536@TK2MSFTNGP06.phx.gbl...
>
> "~BD~" <BoaterDave@nospam.invalid> wrote in message
> news:uaggyGLlIHA.5368@TK2MSFTNGP04.phx.gbl...
>>
>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message
>> news:O9XorxFlIHA.5080@TK2MSFTNGP02.phx.gbl...
>>>
>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message
>>> news:%23SC2F8%23kIHA.1212@TK2MSFTNGP05.phx.gbl...
>>>>
>>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message
>>>> news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...
>>>>>
>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message
>>>>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...
>>>>>>
>>>>>> "FromTheRafters" <Erratic@ne.rr.com> wrote in message
>>>>>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...
>>>>>>>
>>>>>>>>> "~BD~" <BoaterDave@nospam.invalid> wrote in message
>>>>>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...
>>>>>>>> <snip>
>>>>>>>> Have you any idea how one may remove a virus from the boot code?
>>>>>>>> TIA.
>>>>>>>
>>>>>>> Sure, you overwrite/replace the correct code where it belongs. The
>>>>>>> trouble
>>>>>>> is that sometimes you need part of the malicious code to recover
>>>>>>> your data
>>>>>>> from the malware. Say for instance the virus encrypted some of your
>>>>>>> files, and
>>>>>>> you decide to overwrite the boot code (stomping on the virus) then
>>>>>>> reboot only
>>>>>>> to find the algorithm and 'key' to recovering your data was also
>>>>>>> stomped on.
>>>>>>>
>>>>>>> ..also consider that some of your backups may have been affected if
>>>>>>> the malware
>>>>>>> was there long enough.
>>>>>>>
>>>>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little
>>>>>>> knowledge is a dangerous thing'.
>>>>>>>
>>>>>> Thanks once again. You say "Sure, you overwrite/replace the correct
>>>>>> code where it belongs". You didn't explain *How*. If you know, please
>>>>>> advise. TIA
>>>>>
>>>>> http://support.microsoft.com/kb/69013
>>>>>
>>>>> After reading this, you should see how it could be dangerous if the
>>>>> user
>>>>> doesn't know what he or she is doing. I used to have a dual boot box
>>>>> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have
>>>>> messed things up considerably on that box for instance.
>>>>>
>>>>>> Data retention is not relevant to this exercise. The object is to
>>>>>> have a 'clean sheet' so to speak! :)
>>>>>
>>>>> I can't tell you how to do it correctly for your system, because I
>>>>> don't know
>>>>> what correct is for your system.
>>>>>
>>>>>> I do take on board, though, your point regarding backups possibly
>>>>>> being contaminated.
>>>>>
>>>>> The chances of you having the specific kind of virus that attaches to
>>>>> boot code is extremely small.
>>>>>
>>>>> Formatting the drive will likely be sufficient for your purposes.
>>>>>
>>>> Thank you so much for your helpful comments. I have read all the
>>>> information at the page to which your link carried me and then went on
>>>> to explore Article ID : 255867 regarding 'How to Use the Fdisk Tool
>>>> .........'
>>>>
>>>> All this information relates to systems before Windows XP. If one has
>>>> been using a hard disk - and let us assume that (although unlikely, in
>>>> your view) it *has* been infected by a Mebroot virus - if one simply
>>>> boots from a retail copy of XP (Home in my case) with a view to
>>>> reinstalling Windows XP, is the 'Format procedure' incorporated in the
>>>> set-up programme sufficient to eradicate a virus attached to the code
>>>> in the MBR?
>>>>
>>>> My intuition tells me that the virus will remain - ready to act again
>>>> as soon as the machine is reconnected to the Internet.
>>>>
>>>> Maybe I am completely wrong about this, but it is why I wish to know
>>>> how to ensure that everything is wiped off a disc before reinstalling
>>>> Windows. FYI, I have also used a facility called Darik's Boot and Nuke
>>>> to destroy all data on a disk - but remain uncertain if even this
>>>> procedure will destroy MBR malware. I wonder if anyone reading here
>>>> will know.
>>>
>>> Vista http://support.microsoft.com/kb/927392
>>>
>>> Some others
>>> http://www.datarecovery.com.sg/data_recovery/troubleshoot_master_boot_record_corruption.htm
>>> Wanted to post a KB article - but this came to me first.
>>>
>>> HTH
>>>
>>>

>> More very helpful and interesting information. Thank you.
>>
>> It would seem that the rootkit cannot be removed while the OS is running,
>> as it must be removed while the rootkit code itself is not running. So
>> says Symantec, which goes on to say "During our tests, running the
>> "fixmbr" command from within the Windows Recovery Console successfully
>> removed the malicious MBR entry. To help prevent similar attacks in the
>> future, and if your system BIOS includes the Master Boot Record
>> write-protection feature, now is a good time to enable it"!
>>
>> The implication, to me, is that if one *does* become infected with such
>> malware, a straight-forward re-installation will fail to eradicate the
>> problem.
>>
>> Other views welcomed!

>
> My guess is that any re-installation that leaves the MBR alone
> while losing the rest of the malware installation would result in
> the "problem" being replaced with a merely corrupted MBR.
>
> Just a guess though.


Many thanks for your contributions in this thread. It is appreciated! :)
--
Dave
 

Richard Urban

Boot using a DOS setup floppy (latest/last version).

Type fdisk /mbr

The /mbr is an undocumented call that will replace the mbr on the master
hard drive. It is best to physically disconnect all other hard drives when
performing this call to prevent any unwanted actions due to multiple hard
drives being connected.


"~BD~" <BoaterDave@nospam.invalid> wrote in message
news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...
> Indeed, Kurt. Thank you for your response.
>
> A quote from Computer Active
> http://www.computeractive.co.uk/computeractive/news/2207251/mebroot-attack-takes-security
>
> "Mebroot, which is designed to steal personal information and bank
> details, is embedded in legitimate websites.
> If the latest updates and patches for browsers or the XP operating system
> have been applied, then anti-virus software can stop the rootkit and the
> associate malware such as keystroke loggers and others it downloads.
>
> But if patches have not been applied the malware downloads to a PC and
> then hides from security software. It can be removed quite simply,
> according to Hypponen, but currently only by the user rewriting the MBR".
>
> My question remains. HOW does a user rewrite the MBR.
>
> Many thanks to anyone who can provide the answer!
>
> --
>
> Dave
>
>
>
>
>
>
 

FromTheRafters

"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message
news:%23dzAjSfnIHA.1212@TK2MSFTNGP05.phx.gbl...
> Boot using a DOS setup floppy (latest/last version).
>
> Type fdisk /mbr
>
> The /mbr is an undocumented call that will replace the mbr on the master
> hard drive. It is best to physically disconnect all other hard drives when
> performing this call to prevent any unwanted actions due to multiple hard
> drives being connected.


Care must be taken to ensure that the correct MBR code
is what replaces the existing code. Why do you assume
the "latest/last" DOS version is the correct one for the
OP's system?

> "~BD~" <BoaterDave@nospam.invalid> wrote in message
> news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...
>> Indeed, Kurt. Thank you for your response.
>>
>> A quote from Computer Active
>> http://www.computeractive.co.uk/computeractive/news/2207251/mebroot-attack-takes-security
>>
>> "Mebroot, which is designed to steal personal information and bank
>> details, is embedded in legitimate websites.
>> If the latest updates and patches for browsers or the XP operating system
>> have been applied, then anti-virus software can stop the rootkit and the
>> associate malware such as keystroke loggers and others it downloads.
>>
>> But if patches have not been applied the malware downloads to a PC and
>> then hides from security software. It can be removed quite simply,
>> according to Hypponen, but currently only by the user rewriting the MBR".
>>
>> My question remains. HOW does a user rewrite the MBR.
>>
>> Many thanks to anyone who can provide the answer!
>>
>> --
>>
>> Dave
>>
>>
>>
>>
>>
>>

>
 

Richard Urban

Because I have never found a hard drive that it would not clear/rewrite the
MBR and make the drive usable again. I use what ""I"" know is best for me. I
recommend the same to others.


"FromTheRafters" <Erratic@ne.rr.com> wrote in message
news:epJlv9jnIHA.4292@TK2MSFTNGP04.phx.gbl...
>
> "Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message
> news:%23dzAjSfnIHA.1212@TK2MSFTNGP05.phx.gbl...
>> Boot using a DOS setup floppy (latest/last version).
>>
>> Type fdisk /mbr
>>
>> The /mbr is an undocumented call that will replace the mbr on the master
>> hard drive. It is best to physically disconnect all other hard drives
>> when performing this call to prevent any unwanted actions due to multiple
>> hard drives being connected.

>
> Care must be taken to ensure that the correct MBR code
> is what replaces the existing code. Why do you assume
> the "latest/last" DOS version is the correct one for the
> OP's system?
>
>> "~BD~" <BoaterDave@nospam.invalid> wrote in message
>> news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...
>>> Indeed, Kurt. Thank you for your response.
>>>
>>> A quote from Computer Active
>>> http://www.computeractive.co.uk/computeractive/news/2207251/mebroot-attack-takes-security
>>>
>>> "Mebroot, which is designed to steal personal information and bank
>>> details, is embedded in legitimate websites.
>>> If the latest updates and patches for browsers or the XP operating
>>> system have been applied, then anti-virus software can stop the rootkit
>>> and the associate malware such as keystroke loggers and others it
>>> downloads.
>>>
>>> But if patches have not been applied the malware downloads to a PC and
>>> then hides from security software. It can be removed quite simply,
>>> according to Hypponen, but currently only by the user rewriting the
>>> MBR".
>>>
>>> My question remains. HOW does a user rewrite the MBR.
>>>
>>> Many thanks to anyone who can provide the answer!
>>>
>>> --
>>>
>>> Dave
>>>
>>>
>>>
>>>
>>>
>>>

>>

>
 

Massimo

Hello,

On Mon, 14 Apr 2008 01:58:59 -0400, "Richard Urban"
<richardurbanREMOVETHIS@hotmail.com> wrote:

>Boot using a DOS setup floppy (latest/last version).
>
>Type fdisk /mbr
>
>The /mbr is an undocumented call that will replace the mbr on the master
>hard drive. It is best to physically disconnect all other hard drives when
>performing this call to prevent any unwanted actions due to multiple hard
>drives being connected.
>
>

I read this posting but do not know what has been said before. I seem
to remember that the fdisk /mbr call can only be used on a FAT (16, 32?)
system. Does the OP have that kind of format on his hd? If not, could
this call ruin his hd?

Massimo
============

>"~BD~" <BoaterDave@nospam.invalid> wrote in message
>news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...
>> Indeed, Kurt. Thank you for your response.
>>
>> A quote from Computer Active
>> http://www.computeractive.co.uk/computeractive/news/2207251/mebroot-attack-takes-security
>>
>> "Mebroot, which is designed to steal personal information and bank
>> details, is embedded in legitimate websites.
>> If the latest updates and patches for browsers or the XP operating system
>> have been applied, then anti-virus software can stop the rootkit and the
>> associate malware such as keystroke loggers and others it downloads.
>>
>> But if patches have not been applied the malware downloads to a PC and
>> then hides from security software. It can be removed quite simply,
>> according to Hypponen, but currently only by the user rewriting the MBR".
>>
>> My question remains. HOW does a user rewrite the MBR.
>>
>> Many thanks to anyone who can provide the answer!
>>
>> --
>>
>> Dave
>>
>>
>>
>>
>>
>>
 

jen

The OP's OS is XP. He should instead boot from the Recovery Console and
type: fixmbr.

Fixmbr Command Syntax:

fixmbr [device_name]

device_name = This is where you designate the exact drive location that
a master boot record will be written to. If no device is specified, the
master boot record will be written to the primary boot drive.

Fixmbr Command Examples:

fixmbr \Device\HardDisk0

In the above example, the master boot record is written to the drive
located at \Device\HardDisk0.

fixmbr

In this example, the master boot record is written to the device that
your primary system is loaded onto. If you have a single installation of
Windows installed, which is normally the case, running the fixmbr
command in this way is usually the right way to go.

Fixmbr Command Availability:

The fixmbr command is only available from within the Recovery Console in
Windows 2000 and Windows XP.

-jen

"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message
news:%23dzAjSfnIHA.1212@TK2MSFTNGP05.phx.gbl...
> Boot using a DOS setup floppy (latest/last version).
>
> Type fdisk /mbr
>
> The /mbr is an undocumented call that will replace the mbr on the
> master hard drive. It is best to physically disconnect all other hard
> drives when performing this call to prevent any unwanted actions due
> to multiple hard drives being connected.
>
>
> "~BD~" <BoaterDave@nospam.invalid> wrote in message
> news:eyfwys8kIHA.6032@TK2MSFTNGP03.phx.gbl...
>> Indeed, Kurt. Thank you for your response.
>>
>> A quote from Computer Active
>> http://www.computeractive.co.uk/computeractive/news/2207251/mebroot-attack-takes-security
>>
>> "Mebroot, which is designed to steal personal information and bank
>> details, is embedded in legitimate websites.
>> If the latest updates and patches for browsers or the XP operating
>> system have been applied, then anti-virus software can stop the
>> rootkit and the associate malware such as keystroke loggers and
>> others it downloads.
>>
>> But if patches have not been applied the malware downloads to a PC
>> and then hides from security software. It can be removed quite
>> simply, according to Hypponen, but currently only by the user
>> rewriting the MBR".
>>
>> My question remains. HOW does a user rewrite the MBR.
>>
>> Many thanks to anyone who can provide the answer!
>>
>> --
>>
>> Dave
>>
>>
>>
>>
>>
>>

>
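The fixmbr and fdisk /mbr replies in this thread (and the Symantec tool's "Restores the Master Boot Record" step) all amount to rewriting the boot-code bytes of the MBR while the partition table stays where it is. As an added example that is not code from this thread or from any of the tools named in it, the Python below parses a 512-byte MBR image, hashes its boot code and compares it with a known-good copy so a swapped boot sector can be spotted even though the partitions still look normal, then models the repair as rewriting only those bytes; the sample boot bytes, partition entry and all function names are constructed assumptions.

```python
# Added example (not code from the thread): parse a 512-byte MBR image, hash its boot
# code and compare it with a known-good copy. All sample bytes below are constructed.
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 are boot code; 440..445 hold the disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG_OFF = 510         # 0x55 0xAA boot signature
ENTRY_FMT = "<BBBBBBBBII"  # status, CHS start (3), type, CHS end (3), LBA start, sectors


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass
class MbrReport:
    signature_ok: bool
    boot_code_sha256: str
    boot_code_matches_baseline: Optional[bool]
    partitions: List[Partition]


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition-table slots, skipping empty ones (type 0)."""
    parts = []
    for i in range(4):
        f = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if f[4] != 0:
            parts.append(Partition(f[0] == 0x80, f[4], f[8], f[9]))
    return parts


def inspect_mbr(mbr: bytes, baseline_boot_code: Optional[bytes] = None) -> MbrReport:
    """Check the boot signature, hash the boot code and compare it with a baseline.
    An MBR rootkit of the kind discussed in the thread swaps the boot code but keeps
    the partition table usable, so the partitions look normal while the hash changes."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    code = mbr[:BOOT_CODE_LEN]
    match = None if baseline_boot_code is None else code == baseline_boot_code[:BOOT_CODE_LEN]
    return MbrReport(mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
                     hashlib.sha256(code).hexdigest(), match, parse_partitions(mbr))


def restore_boot_code(mbr: bytes, good_code: bytes) -> bytes:
    """Simplified model of what fixmbr / fdisk /mbr do: rewrite only the boot-code
    bytes and keep the disk signature and partition table that follow them."""
    return good_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00") + mbr[BOOT_CODE_LEN:]


def build_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a constructed MBR image for testing (not a real bootloader)."""
    buf = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    buf[:len(code)] = code
    for i, p in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFF + 16 * i,
                         0x80 if p.bootable else 0, 0, 0, 0, p.type_id, 0, 0, 0,
                         p.lba_start, p.sectors)
    buf[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(buf)


# Constructed sample data: a stand-in "known-good" boot stub, a copy whose first bytes
# were overwritten, and one bootable NTFS (type 0x07) partition.
GOOD_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)
TAMPERED_BOOT_CODE = b"\xeb\xfe" + GOOD_BOOT_CODE[2:]
PARTS = [Partition(bootable=True, type_id=0x07, lba_start=63, sectors=2_000_000)]


def demo():
    """Reports for the clean and the tampered image: same partitions, different code."""
    clean = inspect_mbr(build_mbr(GOOD_BOOT_CODE, PARTS), GOOD_BOOT_CODE)
    tampered = inspect_mbr(build_mbr(TAMPERED_BOOT_CODE, PARTS), GOOD_BOOT_CODE)
    return clean, tampered
```

On a real machine the 512-byte image would come from a raw read of sector 0 taken while the suspect OS is not running, which is the same condition the Symantec quote above puts on removal; the baseline is a copy of the same sector saved when the system was known to be clean.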
 