Posted by ~BD~ on April 3, 2008, 5:38 pm
>
>>
>>>
>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>>> <snip>
>>>>>>>> Have you any idea how one may remove a virus from the boot code?
>>>>>>>> TIA.
>>>>>>>
>>>>>>> Sure, you overwrite/replace the correct code where it belongs. The
>>>>>>> trouble is that sometimes you need part of the malicious code to
>>>>>>> recover your data from the malware. Say for instance the virus
>>>>>>> encrypted some of your files, and you decide to overwrite the boot
>>>>>>> code (stomping on the virus) then reboot only to find the algorithm
>>>>>>> and 'key' to recovering your data was also stomped on.
>>>>>>>
>>>>>>> ..also consider that some of your backups may have been affected if
>>>>>>> the malware was there long enough.
>>>>>>>
>>>>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little
>>>>>>> knowledge is a dangerous thing'.
>>>>>>>
>>>>>> Thanks once again. You say "Sure, you overwrite/replace the correct
>>>>>> code where it belongs". You didn't explain *How*. If you know, please
>>>>>> advise. TIA
>>>>>
>>>>> http://support.microsoft.com/kb/69013
>>>>>
>>>>> After reading this, you should see how it could be dangerous if the
>>>>> user doesn't know what he or she is doing. I used to have a dual boot
>>>>> box Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have
>>>>> messed things up considerably on that box for instance.
>>>>>
>>>>>> Data retention is not relevant to this exercise. The object is to
>>>>>> have a 'clean sheet' so to speak! :)
>>>>>
>>>>> I can't tell you how to do it correctly for your system, because I
>>>>> don't know what correct is for your system.
>>>>>
>>>>>> I do take on board, though, your point regarding backups possibly
>>>>>> being contaminated.
>>>>>
>>>>> The chances of you having the specific kind of virus that attaches to
>>>>> boot code is extremely small.
>>>>>
>>>>> Formatting the drive will likely be sufficient for your purposes.
>>>>>
>>>> Thank you so much for your helpful comments. I have read all the
>>>> information at the page to which your link carried me and then went on
>>>> to explore Article ID : 255867 regarding 'How to Use the Fdisk Tool
>>>> .........'
>>>>
>>>> All this information relates to systems before Windows XP. If one has
>>>> been using a hard disk - and let us assume that (although unlikely, in
>>>> your view) it *has* been infected by a Mebroot virus - if one simply
>>>> boots from a retail copy of XP (Home in my case) with a view to
>>>> reinstalling Windows XP, is the 'Format procedure' incorporated in the
>>>> set-up programme sufficient to eradicate a virus attached to the code
>>>> in the MBR?
>>>>
>>>> My intuition tells me that the virus will remain - ready to act again
>>>> as soon as the machine is reconnected to the Internet.
>>>>
>>>> Maybe I am completely wrong about this, but it is why I wish to know
>>>> how to ensure that everything is wiped off a disc before reinstalling
>>>> Windows. FYI, I have also used a facility called Darik's Boot and Nuke
>>>> to destroy all data on a disk - but remain uncertain if even this
>>>> procedure will destroy MBR malware. I wonder if anyone reading here
>>>> will know.
>>>
>>> Vista http://support.microsoft.com/kb/927392
>>>
>>> Some others
>>>
>>> http://www.datarecovery.com.sg/data_recovery/troubleshoot_master_boot_record_corruption.htm
>>> Wanted to post a KB article - but this came to me first.
>>>
>>> HTH
>>>
>>>
>> More very helpful and interesting information. Thank you.
>>
>> It would seem that the rootkit cannot be removed while the OS is running,
>> as it must be removed while the rootkit code itself is not running. So
>> says Symantec, which goes on to say "During our tests, running the
>> "fixmbr" command from within the Windows Recovery Console successfully
>> removed the malicious MBR entry. To help prevent similar attacks in the
>> future, and if your system BIOS includes the Master Boot Record
>> write-protection feature, now is a good time to enable it"!
>>
>> The implication, to me, is that if one *does* become infected with such
>> malware, a straight-forward re-installation will fail to eradicate the
>> problem.
>>
>> Other views welcomed!
>
> My guess is that any re-installation that leaves the MBR alone
> while losing the rest of the malware installation would result in
> the "problem" being replaced with a merely corrupted MBR.
>
> Just a guess though.
Many thanks for your contributions in this thread. It is appreciated! :)
--
Dave
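The thread's two points, that a reinstall-time format rewrites a partition but leaves sector 0 alone, and that an MBR repair such as fixmbr replaces the boot code while keeping the partition table, modelled as an added Python example that is not from this thread or from any of the tools it mentions. The disk layout, the stand-in "clean" and "altered" boot-code bytes and the baseline hash are all constructed for the example, and rewrite_boot_code is a simplification of what a real repair tool writes.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446     # bytes 0..445: the boot code a boot-sector virus replaces
PART_TABLE_OFF = 446    # four 16-byte partition entries, then the 55AA signature
SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3xB3xII"  # boot flag, CHS start, type, CHS end, LBA start, sector count

# Constructed stand-in boot code for this example: neither real boot code nor malware.
CLEAN_BOOT = b"constructed clean boot code".ljust(BOOT_CODE_LEN, b"\x90")
ALTERED_BOOT = b"constructed altered boot code".ljust(BOOT_CODE_LEN, b"\xcc")
BASELINE_HASH = hashlib.sha256(CLEAN_BOOT).hexdigest()  # as if taken from a known-good MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its non-empty partition entries."""
    if len(sector) != SECTOR or sector[510:] != SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 55AA signature")
    parts = []
    for i in range(4):
        flag, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype:
            parts.append({"bootable": flag == 0x80, "type": ptype, "lba": lba, "count": count})
    return {"boot_hash": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(), "parts": parts}

def make_disk(boot_code: bytes, part_lba: int, part_count: int, total_sectors: int) -> bytearray:
    """Build an in-memory disk image: MBR in sector 0 plus one NTFS-typed partition."""
    disk = bytearray(total_sectors * SECTOR)
    disk[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    struct.pack_into(ENTRY_FMT, disk, PART_TABLE_OFF, 0x80, 0x07, part_lba, part_count)
    disk[510:512] = SIGNATURE
    return disk

def format_partition(disk: bytearray, part: dict) -> None:
    """Model a reinstall-time format: only the partition's own sectors are rewritten."""
    start, end = part["lba"] * SECTOR, (part["lba"] + part["count"]) * SECTOR
    disk[start:end] = bytes(end - start)

def rewrite_boot_code(disk: bytearray, clean: bytes) -> None:
    """Model an MBR repair: replace bytes 0..445 and leave the partition table alone."""
    disk[:BOOT_CODE_LEN] = clean[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")

def mbr_of(disk: bytearray) -> dict:
    """Parse sector 0 of the image."""
    return parse_mbr(bytes(disk[:SECTOR]))
```

Comparing the boot-code hash of sector 0 against a baseline recorded from a known-good install is the check that tells the two outcomes apart: after format_partition the hash is unchanged, after rewrite_boot_code it matches the baseline again with the partition entries intact.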