I've done both of these 'silly things'!


~BD~

In this article http://www.claymania.com/panic.html it says:-

You have probably come to this page because your computer is not working
properly. You may have heard that things named computer viruses can cause
computers to act abnormally, and now you think you have a virus. Before you
go ahead...

Do NOT panic!!

This is very important. Having a virus basically means that there is a
program on your computer that doesn't belong there. It's this simple, so
really there is no need to panic. In fact, a panicking user can be much more
dangerous than any virus! Users often cause more damage while attempting to
exterminate a virus than the virus itself could ever have caused.

Panic may cause a user to do two very silly things: formatting and using
FDisk.

Formatting
You may have overheard rumors according to which there is an infallible
method to get rid of a virus, namely formatting. Formatting is a process
that effectively removes all data stored on a medium (although that is not
its actual purpose), including any virus.
Well, don't fall for this myth. It's not always true. In fact, it may work,
but formatting is generally a bad idea for several reasons:
a.. Formatting is in most cases absolutely unnecessary. Most viruses can
be removed quite easily.
b.. Formatting and reinstalling the operating system and all applications
is time consuming.
c.. Data loss will occur if you forget to back up your data before wiping
everything.
d.. Format may remove everything except the virus.
FDisk
Some of you may even have heard about a miraculous tool named Fdisk
(generally in connection with so-called "boot sector viruses" or the MBR).
The MBR is a small sector on your hard disk that contains a small program
and partition information. The truth about Fdisk is that it can be useful,
but its use can also result in data loss. If you don't know exactly which
virus you are dealing with, Fdisk can be very destructive!! Fdisk is
definitely not an anti-virus tool, so don't use it.
_____________________________________________________________________________

As I said in the title "I've done both of these 'silly things'!", so
..........

I am particularly interested in /this/ statement therein:-

"Format may remove everything *except* the virus".

I'd be most grateful if someone will explain this to me. TIA
--
Dave
 
~BD~ wrote:
> In this article http://www.claymania.com/panic.html it says:-
>
> You have probably come to this page because your computer is not working
> properly. You may have heard that things named computer viruses can cause
> computers to act abnormally, and now you think you have a virus. Before you
> go ahead...
>
> Do NOT panic!!
>
> This is very important. Having a virus basically means that there is a
> program on your computer that doesn't belong there. It's this simple, so
> really there is no need to panic. In fact, a panicking user can be much more
> dangerous than any virus! Users often cause more damage while attempting to
> exterminate a virus than the virus itself could ever have caused.
>
> Panic may cause a user to do two very silly things: formatting and using
> FDisk.
>
> Formatting
> You may have overheard rumors according to which there is an infallible
> method to get rid of a virus, namely formatting. Formatting is a process
> that effectively removes all data stored on a medium (although that is not
> its actual purpose), including any virus.
> Well, don't fall for this myth. It's not always true. In fact, it may work,
> but formatting is generally a bad idea for several reasons:
> a.. Formatting is in most cases absolutely unnecessary. Most viruses can
> be removed quite easily.
> b.. Formatting and reinstalling the operating system and all applications
> is time consuming.
> c.. Data loss will occur if you forget to back up your data before wiping
> everything.
> d.. Format may remove everything except the virus.
> FDisk
> Some of you may even have heard about a miraculous tool named Fdisk
> (generally in connection with so-called "boot sector viruses" or the MBR).
> The MBR is a small sector on your hard disk that contains a small program
> and partition information. The truth about Fdisk is that it can be useful,
> but its use can also result in data loss. If you don't know exactly which
> virus you are dealing with, Fdisk can be very destructive!! Fdisk is
> definitely not an anti-virus tool, so don't use it.
> _____________________________________________________________________________
>
> As I said in the title "I've done both of these 'silly things'!", so
> .........
>
> I am particularly interested in /this/ statement therein:-
>
> "Format may remove everything *except* the virus".
>
> I'd be most grateful if someone will explain this to me. TIA
> --
> Dave

Simple really, Format doesn't write very much to your disk at all.
It puts a Hexadecimal E5 in the first character of each entry in the
root directory (marks it as empty and available), then reads the rest of
the disk to look for bad sectors. It doesn't touch the Master Boot
record or the partition table, that's fdisk's job.
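Tom's explanation above concerns the on-disk layout of a FAT root directory. As an added example that is not part of any post in this thread, the Python below models the step he describes on a constructed directory: each 32-byte 8.3 entry keeps its name (bar the first byte), its starting cluster and its size, which is why an undelete tool can still locate files after such a format, and why the data clusters themselves are never rewritten. The function names (parse_root_directory, format_root_directory, recoverable_entries) and the sample entries are my own constructions. Real FORMAT implementations differ in detail (they also reinitialise the file allocation tables), but the point that file contents are left in place holds.

```python
import struct
from dataclasses import dataclass
from typing import List

DIR_ENTRY_SIZE = 32
DELETED_MARKER = 0xE5     # first name byte of a free/deleted entry
END_OF_DIR = 0x00         # first name byte meaning "no entries beyond this point"
ATTR_LONG_NAME = 0x0F     # VFAT long-file-name fragment, not an 8.3 entry


@dataclass
class DirEntry:
    raw_name: bytes       # 8-byte name + 3-byte extension, space padded
    attributes: int
    first_cluster: int    # where the file's data starts on the volume
    size: int
    deleted: bool

    @property
    def display_name(self) -> str:
        """Only the first character is lost on deletion; undelete tools show '?' there."""
        base, ext = self.raw_name[:8], self.raw_name[8:11]
        if self.deleted:
            base = b"?" + base[1:]
        name = base.decode("ascii", "replace").rstrip()
        ext_s = ext.decode("ascii", "replace").rstrip()
        return f"{name}.{ext_s}" if ext_s else name


def parse_root_directory(data: bytes) -> List[DirEntry]:
    """Walk 32-byte entries until the end-of-directory marker."""
    entries = []
    for off in range(0, len(data) - DIR_ENTRY_SIZE + 1, DIR_ENTRY_SIZE):
        rec = data[off:off + DIR_ENTRY_SIZE]
        if rec[0] == END_OF_DIR:
            break
        attrs = rec[11]
        if attrs == ATTR_LONG_NAME:
            continue
        (hi,) = struct.unpack_from("<H", rec, 20)     # first cluster, high 16 bits (FAT32)
        (lo,) = struct.unpack_from("<H", rec, 26)     # first cluster, low 16 bits
        (size,) = struct.unpack_from("<I", rec, 28)   # file size in bytes
        entries.append(DirEntry(rec[:11], attrs, (hi << 16) | lo, size, rec[0] == DELETED_MARKER))
    return entries


def make_entry(name: str, ext: str, first_cluster: int, size: int, attrs: int = 0x20) -> bytes:
    """Build one constructed 8.3 directory entry (0x20 = archive attribute)."""
    rec = bytearray(DIR_ENTRY_SIZE)
    rec[0:8] = name.ljust(8).encode("ascii")
    rec[8:11] = ext.ljust(3).encode("ascii")
    rec[11] = attrs
    struct.pack_into("<H", rec, 20, (first_cluster >> 16) & 0xFFFF)
    struct.pack_into("<H", rec, 26, first_cluster & 0xFFFF)
    struct.pack_into("<I", rec, 28, size)
    return bytes(rec)


def format_root_directory(root: bytes) -> bytes:
    """Model of the step Tom describes: put 0xE5 in the first byte of every
    entry. Nothing else in the entry, and none of the data clusters, is written."""
    out = bytearray(root)
    for off in range(0, len(out), DIR_ENTRY_SIZE):
        if out[off] == END_OF_DIR:
            break
        out[off] = DELETED_MARKER
    return bytes(out)


def recoverable_entries(root: bytes) -> List[DirEntry]:
    """What an undelete tool works from: deleted entries whose starting cluster
    and size survived, so the data can be located if the clusters were not reused."""
    return [e for e in parse_root_directory(root) if e.deleted and e.size > 0]


# Constructed sample root directory: two files followed by an end-of-directory entry.
SAMPLE_ROOT = (
    make_entry("LETTER", "DOC", first_cluster=5, size=12_288)
    + make_entry("PHOTO", "JPG", first_cluster=42, size=204_800)
    + bytes(DIR_ENTRY_SIZE)
)

if __name__ == "__main__":
    for e in parse_root_directory(SAMPLE_ROOT):
        print("before:", e.display_name, "cluster", e.first_cluster, "size", e.size)
    for e in recoverable_entries(format_root_directory(SAMPLE_ROOT)):
        print("after: ", e.display_name, "cluster", e.first_cluster, "size", e.size)
```

Run it and the "after" lines still carry the cluster numbers and sizes, which is all a recovery tool needs as long as nothing has since been written over those clusters.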
 
Hello Dave

Please refrain from starting your usual dialogue with this post here. The link claymania
is legitimate and very easy to understand
--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"~BD~" wrote in message news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...
> In this article http://www.claymania.com/panic.html it says:-
>
> You have probably come to this page because your computer is not working
> properly. You may have heard that things named computer viruses can cause
> computers to act abnormally, and now you think you have a virus. Before you
> go ahead...
>
> Do NOT panic!!
>
> This is very important. Having a virus basically means that there is a
> program on your computer that doesn't belong there. It's this simple, so
> really there is no need to panic. In fact, a panicking user can be much more
> dangerous than any virus! Users often cause more damage while attempting to
> exterminate a virus than the virus itself could ever have caused.
>
> Panic may cause a user to do two very silly things: formatting and using
> FDisk.
>
> Formatting
> You may have overheard rumors according to which there is an infallible
> method to get rid of a virus, namely formatting. Formatting is a process
> that effectively removes all data stored on a medium (although that is not
> its actual purpose), including any virus.
> Well, don't fall for this myth. It's not always true. In fact, it may work,
> but formatting is generally a bad idea for several reasons:
> a.. Formatting is in most cases absolutely unnecessary. Most viruses can
> be removed quite easily.
> b.. Formatting and reinstalling the operating system and all applications
> is time consuming.
> c.. Data loss will occur if you forget to back up your data before wiping
> everything.
> d.. Format may remove everything except the virus.
> FDisk
> Some of you may even have heard about a miraculous tool named Fdisk
> (generally in connection with so-called "boot sector viruses" or the MBR).
> The MBR is a small sector on your hard disk that contains a small program
> and partition information. The truth about Fdisk is that it can be useful,
> but its use can also result in data loss. If you don't know exactly which
> virus you are dealing with, Fdisk can be very destructive!! Fdisk is
> definitely not an anti-virus tool, so don't use it.
> _____________________________________________________________________________
>
> As I said in the title "I've done both of these 'silly things'!", so
> .........
>
> I am particularly interested in /this/ statement therein:-
>
> "Format may remove everything *except* the virus".
>
> I'd be most grateful if someone will explain this to me. TIA
> --
> Dave
 
"Tom" wrote in message
news:8ZOHj.2114$fq2.1319@trndny03...

> As I said in the title "I've done both of these 'silly things'!", so
>> .........
>>
>> I am particularly interested in /this/ statement therein:-
>>
>> "Format may remove everything *except* the virus".
>>
>> I'd be most grateful if someone will explain this to me. TIA
>> --
>> Dave
>>
>>
>>

> Simple really, Format doesn't write very much to your disk at all.
> It puts a Hexadecimal E5 in the first character of each entry in the root
> directory (marks it as empty and available), then reads the rest of the
> disk to look for bad sectors. It doesn't touch the Master Boot record or
> the partition table, that's fdisk's job.

Thank you for your reply, Tom.

I do not profess to understand all the technicalities but I have learnt much
by trial and error. My understanding from comments made by PA Bear at
AumHa.net was that carrying out a format leaves one's computer in a
virtually 'as new' state. However, I have used a programme from a magazine
CD (Undelete?) which enabled me to recover files from a clean, formatted,
hard drive. I'm fairly certain that I've done so even when I've used FDISK
too.

The Claymania statement seems to infer that even if one uses both FDISK
*and* Format, a virus could remain - and still come back to bite you!

Is this possible?

If so, what would be the solution - other than replacing the hard disk with
a new one? TIA for further comment.

One other query. When using my retail version XP Home set-up CD to load
Windows, one is given a choice of a 'regular' or 'quick' format procedure.
How do the procedures differ? Thanks for any advice on this.

Dave
 
"~BD~" wrote in message
news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...
> In this article http://www.claymania.com/panic.html it says:-


[snip]

> I am particularly interested in /this/ statement therein:-
>
> "Format may remove everything *except* the virus".
>
> I'd be most grateful if someone will explain this to me. TIA


The virus could reside in the boot code, which 'format' wouldn't touch.
You would effectively lose all data stored as files, while format went
about its business sprucing up the underlying structure. Kind of like
tightening up bookshelves to make them ready for some new books.
The boot code isn't stored in a file, so is unaffected by formatting.
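The layout Tom and FromTheRafters describe, as an added example that is not part of any post in this thread: sector 0 of an MBR disk holds 446 bytes of boot code, a four-entry partition table at offset 0x1BE, and the 0x55 0xAA signature. The Python below (function names such as inspect_mbr and build_disk, and the placeholder boot-code bytes, are my own constructions, not from Claymania or Microsoft) parses a constructed disk image, models a high-level format of the partition, and shows that the boot-code hash is unchanged afterwards, while a comparison against a known-good copy of the boot code flags a modified sector 0, which is the check a defender actually wants here.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0x000-0x1BD: the "small program" that runs at boot
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries follow the boot code
PART_ENTRY_LEN = 16
SIG_OFF = 0x1FE            # 0x55 0xAA at the end marks a valid MBR
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class Partition:
    index: int          # slot 0-3 in the table
    bootable: bool      # status byte 0x80
    type_id: int        # e.g. 0x0C = FAT32 (LBA)
    lba_start: int
    sector_count: int


@dataclass
class MbrReport:
    signature_ok: bool
    boot_code_sha256: str
    boot_code_matches_reference: Optional[bool]
    partitions: List[Partition]


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition-table slots; empty slots are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs, ptype, _chs_end, lba, count = struct.unpack_from("<B3sB3sII", mbr, off)
        if ptype == 0 and lba == 0 and count == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def inspect_mbr(disk: bytes, reference_boot_code: Optional[bytes] = None) -> MbrReport:
    """Hash the boot code, optionally compare it with a known-good copy, and
    decode the partition table. Only sector 0 of the image is examined."""
    mbr = bytes(disk[:SECTOR_SIZE])
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("image must hold at least one 512-byte sector")
    boot_code = mbr[:BOOT_CODE_LEN]
    match = None if reference_boot_code is None else boot_code == reference_boot_code[:BOOT_CODE_LEN]
    return MbrReport(
        signature_ok=mbr[SIG_OFF:SIG_OFF + 2] == BOOT_SIGNATURE,
        boot_code_sha256=hashlib.sha256(boot_code).hexdigest(),
        boot_code_matches_reference=match,
        partitions=parse_partitions(mbr),
    )


def build_disk(boot_code: bytes, partitions: List[Partition], total_sectors: int) -> bytearray:
    """Assemble a constructed disk image: MBR in sector 0, filler 'file data'
    in every sector each partition covers."""
    disk = bytearray(SECTOR_SIZE * total_sectors)
    disk[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\0")
    for p in partitions:
        off = PART_TABLE_OFF + p.index * PART_ENTRY_LEN
        struct.pack_into("<B3sB3sII", disk, off, 0x80 if p.bootable else 0,
                         b"\0\0\0", p.type_id, b"\0\0\0", p.lba_start, p.sector_count)
        for s in range(p.lba_start, p.lba_start + p.sector_count):
            disk[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE] = b"DATA" * (SECTOR_SIZE // 4)
    disk[SIG_OFF:SIG_OFF + 2] = BOOT_SIGNATURE
    return disk


def high_level_format(disk: bytearray, part: Partition) -> bytearray:
    """Model of an operating-system format of one partition: it rewrites the
    sectors inside that partition and writes nothing outside it, so sector 0
    (boot code and partition table) is left exactly as it was."""
    out = bytearray(disk)
    start, end = part.lba_start * SECTOR_SIZE, (part.lba_start + part.sector_count) * SECTOR_SIZE
    out[start:end] = bytes(end - start)
    return out


def partition_is_blank(disk: bytes, part: Partition) -> bool:
    start, end = part.lba_start * SECTOR_SIZE, (part.lba_start + part.sector_count) * SECTOR_SIZE
    return not any(disk[start:end])


# Constructed inputs. GOOD_BOOT_CODE is placeholder bytes standing in for the
# known-good boot program recorded when the machine was built; it is not a real
# boot loader. MODIFIED_BOOT_CODE is the same bytes with a stretch altered,
# standing in for any unauthorised change to sector 0.
GOOD_BOOT_CODE = b"\xfa\x31\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)
MODIFIED_BOOT_CODE = GOOD_BOOT_CODE[:64] + b"\xcc" * 32 + GOOD_BOOT_CODE[96:]
DEMO_PARTITION = Partition(index=0, bootable=True, type_id=0x0C, lba_start=1, sector_count=7)


if __name__ == "__main__":
    disk = build_disk(GOOD_BOOT_CODE, [DEMO_PARTITION], total_sectors=8)
    before = inspect_mbr(disk, GOOD_BOOT_CODE)
    after = inspect_mbr(high_level_format(disk, DEMO_PARTITION), GOOD_BOOT_CODE)
    print("boot code unchanged by format:", before.boot_code_sha256 == after.boot_code_sha256)
    tampered = bytearray(disk)
    tampered[:BOOT_CODE_LEN] = MODIFIED_BOOT_CODE
    print("modified sector 0 detected:",
          inspect_mbr(tampered, GOOD_BOOT_CODE).boot_code_matches_reference is False)
```

On a real machine the input would be sector 0 read from the raw device, and the reference would be a copy of that sector taken when the system was known clean; the signature check alone proves nothing, since a modified boot sector still ends in 0x55 0xAA, which is why the comparison against a known-good copy is the part that matters.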
 
"FromTheRafters" wrote in message
news:uTueJUqkIHA.484@TK2MSFTNGP04.phx.gbl...
>
> "~BD~" wrote in message
> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...


> The virus could reside in the boot code, which 'format' wouldn't touch.
> You would effectively lose all data stored as files, while format went
> about its business sprucing up the underlying structure. Kind of like
> tightening up bookshelves to make them ready for some new books.
> The boot code isn't stored in a file, so is unaffected by formatting.
>

Thank you for your response. I'm beginning to understand!


Have you any idea how one may remove a virus from the boot code? TIA.
 
Who appointed you moderator of this group?

I'm enjoying this thread (I might learn something) so bug off.

--
Leo

"A liberal is someone who feels a great debt to his fellow man, which
debt he proposes to pay off with your money." - G. Gordon Liddy


"Peter Foldes" wrote in message
news:OzD8RiokIHA.1744@TK2MSFTNGP05.phx.gbl...
Hello Dave

Please refrain from starting your usual dialogue with this post here. The
link claymania
is legitimate and very easy to understand
--
Peter
 
"Peter Foldes" wrote in message
news:OzD8RiokIHA.1744@TK2MSFTNGP05.phx.gbl...
Hello Dave

Please refrain from starting your usual dialogue with this post here. The
link claymania
is legitimate and very easy to understand
--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.



Hello Peter - I trust you are well.

You are well aware that I've been 'researching' how bad things are done
nowadays on the Internet. You also know that I did my best to convince
others of the need to combat Cybercrime which has increased exponentially
over the last 3 years.

'jen' introduced a topic yesterday on annexcafe.general.user2user entitled
Massive IFrame Attack. I'd be interested to learn what you might think of
what has been said in that thread.

Dave
 
"~BD~" wrote in message
news:%23t19DoqkIHA.1680@TK2MSFTNGP06.phx.gbl...
>
> "FromTheRafters" wrote in message
> news:uTueJUqkIHA.484@TK2MSFTNGP04.phx.gbl...
>>
>> "~BD~" wrote in message
>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

>
>> The virus could reside in the boot code, which 'format' wouldn't touch.
>> You would effectively lose all data stored as files, while format went
>> about its business sprucing up the underlying structure. Kind of like
>> tightening up bookshelves to make them ready for some new books.
>> The boot code isn't stored in a file, so is unaffected by formatting.
>>

> Thank you for your response. I'm beginning to understand!

>
> Have you any idea how one may remove a virus from the boot code? TIA.

Sure, you overwrite/replace the correct code where it belongs. The trouble
is that sometimes you need part of the malicious code to recover your data
from the malware. Say for instance the virus encrypted some of your files, and
you decide to overwrite the boot code (stomping on the virus) then reboot only
to find the algorithm and 'key' to recovering your data was also stomped on.

...also consider that some of your backups may have been affected if the
malware was there long enough.

The whole Fdisk/MBR thing just illustrates the old saw 'a little knowledge
is a dangerous thing'.
 
"FromTheRafters" wrote in message
news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...
>
>>> "~BD~" wrote in message
>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...

>>
>> Have you any idea how one may remove a virus from the boot code? TIA.
>
> Sure, you overwrite/replace the correct code where it belongs. The trouble
> is that sometimes you need part of the malicious code to recover your data
> from the malware. Say for instance the virus encrypted some of your files,
> and
> you decide to overwrite the boot code (stomping on the virus) then reboot
> only
> to find the algorithm and 'key' to recovering your data was also stomped
> on.
>
> ..also consider that some of your backups may have been affected if the
> malware
> was there long enough.
>
> The whole Fdisk/MBR thing just illustrates the old saw 'a little knowledge
> is a dangerous thing'.
>
Thanks once again. You say "Sure, you overwrite/replace the correct code
where it belongs". You didn't explain *How*. If you know, please advise. TIA

Data retention is not relevant to this exercise. The object is to have a
'clean sheet' so to speak!

I do take on board, though, your point regarding backups possibly being
contaminated.
 
"Peter Foldes" wrote in message
news:OzD8RiokIHA.1744@TK2MSFTNGP05.phx.gbl...
Hello Dave

Please refrain from starting your usual dialogue with this post here. The
link claymania
is legitimate and very easy to understand
--
Peter
___________________________________________________

I have no doubt at all that information provided by the claymania link is
valid and legitimate.

You are one of the few folk, Peter, who have followed my multifarious
questions both here and on Annexcafe. Perhaps you could/would help me with a
small conundrum.

Annexcafe had (maybe still has) a 'back-up' facility with another
server-owner for use in the event of server problems - I believe it was a
reciprocal arrangement. The site ........ www.dogagent.com. I used to be
able to read newsgroup messages there too, by using 'news.dogagent.com' but
that facility seems no longer available (at least here on *my* PC).

Should you have the time, I wonder if you could investigate/suggest the
possible cause and report back in due course. TIA

Dave
 
"~BD~" wrote in message
news:uZa1ZSwkIHA.4244@TK2MSFTNGP06.phx.gbl...
> Annexcafe had (maybe still has) a 'back-up' facility with another
> server-owner for use in the event of server problems - I believe it was a
> reciprocal arrangement. The site ........ www.dogagent.com. I used to be
> able to read newsgroup messages there too, by using 'news.dogagent.com'
> but that facility seems no longer available (at least here on *my* PC).
>
> Should you have the time, I wonder if you could investigate/suggest the
> possible cause and report back in due course. TIA
>


Answer from server owner-
You are blocked because I considered you a nutter, with conspiracy theories
filling your mind.
Never was there anything you contributed of value, just meanderings of an
old befuddled mind.
Heaps of patience and reasoning were used upon you, all wasted.

In short, I considered you an old fool who got on my nerves.
The things keeping you out are considerable, and still there are things in
reserve I could use.

You knew all this, so why bother going where you are not wanted?
Don't want an answer to that of course.

So long, thanks for all the fish.
--
Dave
 
"~BD~" wrote in message
news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...
>
> "FromTheRafters" wrote in message
> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...
>>
>>>> "~BD~" wrote in message
>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...
>>>
>>> Have you any idea how one may remove a virus from the boot code? TIA.

>>
>> Sure, you overwrite/replace the correct code where it belongs. The
>> trouble
>> is that sometimes you need part of the malicious code to recover your
>> data
>> from the malware. Say for instance the virus encrypted some of your
>> files, and
>> you decide to overwrite the boot code (stomping on the virus) then reboot
>> only
>> to find the algorithm and 'key' to recovering your data was also stomped
>> on.
>>
>> ..also consider that some of your backups may have been affected if the
>> malware
>> was there long enough.
>>
>> The whole Fdisk/MBR thing just illustrates the old saw 'a little
>> knowledge is a dangerous thing'.
>>
> Thanks once again. You say "Sure, you overwrite/replace the correct code
> where it belongs". You didn't explain *How*. If you know, please advise.
> TIA

http://support.microsoft.com/kb/69013

After reading this, you should see how it could be dangerous if the user
doesn't know what he or she is doing. I used to have a dual boot box
Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have
messed things up considerably on that box for instance.

> Data retention is not relevant to this exercise. The object is to have a
> 'clean sheet' so to speak!


I can't tell you how to do it correctly for your system, because I don't
know what correct is for your system.

> I do take on board, though, your point regarding backups possibly being
> contaminated.


The chances of you having the specific kind of virus that attaches to boot
code is extremely small.

Formatting the drive will likely be sufficient for your purposes.
 
FromTheRafters wrote:
> "~BD~" wrote in message
> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

[snip]
>> I do take on board, though, your point regarding backups possibly
>> being contaminated.

>
> The chances of you having the specific kind of virus that attaches to
> boot code is extremely small.

true for viruses, less true for malware in general... specifically,
there's mbr malware being deployed via drive-by downloads from
compromised websites as we speak... i believe you can get more
information by searching for the keyword "mebroot"...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
 
Indeed, Kurt. Thank you for your response.

A quote from Computer Active
http://www.computeractive.co.uk/computerac...-takes-security

"Mebroot, which is designed to steal personal information and bank details,
is embedded in legitimate websites.
If the latest updates and patches for browsers or the XP operating system
have been applied, then anti-virus software can stop the rootkit and the
associate malware such as keystroke loggers and others it downloads.

But if patches have not been applied the malware downloads to a PC and then
hides from security software. It can be removed quite simply, according to
Hypponen, but currently only by the user rewriting the MBR".

My question remains. HOW does a user rewrite the MBR.

Many thanks to anyone who can provide the answer!

--

Dave
 
"FromTheRafters" wrote in message
news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...
>
> "~BD~" wrote in message
> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...
>>
>> "FromTheRafters" wrote in message
>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...
>>>
>>>>> "~BD~" wrote in message
>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...
>>>>
>>>> Have you any idea how one may remove a virus from the boot code? TIA.
>>>
>>> Sure, you overwrite/replace the correct code where it belongs. The
>>> trouble
>>> is that sometimes you need part of the malicious code to recover your
>>> data
>>> from the malware. Say for instance the virus encrypted some of your
>>> files, and
>>> you decide to overwrite the boot code (stomping on the virus) then
>>> reboot only
>>> to find the algorithm and 'key' to recovering your data was also stomped
>>> on.
>>>
>>> ..also consider that some of your backups may have been affected if the
>>> malware
>>> was there long enough.
>>>
>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little
>>> knowledge is a dangerous thing'.
>>>

>> Thanks once again. You say "Sure, you overwrite/replace the correct code
>> where it belongs". You didn't explain *How*. If you know, please advise.
>> TIA
>
> http://support.microsoft.com/kb/69013
>
> After reading this, you should see how it could be dangerous if the user
> doesn't know what he or she is doing. I used to have a dual boot box
> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have
> messed things up considerably on that box for instance.
>
>> Data retention is not relevant to this exercise. The object is to have a
>> 'clean sheet' so to speak!

>
> I can't tell you how to do it correctly for your system, because I don't
> know
> what correct is for your system.
>
>> I do take on board, though, your point regarding backups possibly being
>> contaminated.

>
> The chances of you having the specific kind of virus that attaches to boot
> code is extremely small.
>
> Formatting the drive will likely be sufficient for your purposes.
>
Thank you so much for your helpful comments. I have read all the information
at the page to which your link carried me and then went on to explore
Article ID : 255867 regarding 'How to Use the Fdisk Tool .........'

All this information relates to systems before Windows XP. If one has been
using a hard disk - and let us assume that (although unlikely, in your view)
it *has* been infected by a Mebroot virus - if one simply boots from a
retail copy of XP (Home in my case) with a view to reinstalling Windows XP,
is the 'Format procedure' incorporated in the set-up programme sufficient to
eradicate a virus attached to the code in the MBR?

My intuition tells me that the virus will remain - ready to act again as
soon as the machine is reconnected to the Internet.

Maybe I am completely wrong about this, but it is why I wish to know how to
ensure that everything is wiped off a disc before reinstalling Windows. FYI,
I have also used a facility called Darik's Boot and Nuke to destroy all data
on a disk - but remain uncertain if even this procedure will destroy MBR
malware. I wonder if anyone reading here will know.
--
Dave
 
"Dave H" wrote in message
news:8591BB24-1483-4532-9B92-42F00A0228D6@microsoft.com...
> "~BD~" wrote in message
> news:uZa1ZSwkIHA.4244@TK2MSFTNGP06.phx.gbl...
>> Annexcafe had (maybe still has) a 'back-up' facility with another
>> server-owner for use in the event of server problems - I believe it was a
>> reciprocal arrangement. The site ........ www.dogagent.com. I used to be
>> able to read newsgroup messages there too, by using 'news.dogagent.com'
>> but that facility seems no longer available (at least here on *my* PC).
>>
>> Should you have the time, I wonder if you could investigate/suggest the
>> possible cause and report back in due course. TIA
>>

>
> Answer from server owner-
> You are blocked because I considered you a nutter, with conspiracy
> theories
> filling your mind.
> Never was there anything you contributed of value, just meanderings of an
> old befuddled mind.
> Heaps of patience and reasoning were used upon you, all wasted.
>
> In short, I considered you an old fool who got on my nerves.
> The things keeping you out are considerable, and still there are things in
> reserve I could use.
>
> You knew all this, so why bother going where you are not wanted?
> Don't want an answer to that of course.
>
> So long, thanks for all the fish.
> --
> Dave
I hope you liked the video clip, Dave (but there again, I don't suppose you
followed the link!)

It was good of you to confirm that it is action which *you* have taken as
the server owner which prevents me from reviewing your newsgroups, even
though (as far as I know) I did nothing to provoke such action. AFAICR I
don't think I ever posted in your newsgroups, just enjoyed some of the
hundreds of photographs posted there (many of them of excellent quality).

I'd like to refer you to this item, Dave. Taken from here
http://www.theregister.co.uk/2008/03/31/co...ments/#c_188544
The attacks are getting more sophisticated, too
By Franklin
Posted Monday 31st March 2008 21:18 GMT

There's an entire underground network of computers and servers behind these
attacks. In my experience, a poisoned Web site doesn't usually drop malware
itself. Rather, it redirects the hapless visitor to another server, which
makes extensive and detailed logs about where the visitor came from, before
then choosing one of a list of payload sites to further redirect the user
to.

I've made a fairly detailed map of part of this underground network at

http://tacit.livejournal.com/238112.html

And, not surprisingly, iPower, Inc. is still leading the world in the number
of compromised, poisoned Web sites being hosted by a single Web host. In
fact, almost four months after a major security breach which saw thousands
of sites hosted by iPower compromised, the breach has not yet been fixed and
hackers can compromise and poison any site hosted on iPower servers at will.

--

It's not a game, Dave. This is REAL!

Which side are you on?

BD
 
"kurt wismer" wrote in message
news:fssbus$hah$1@registered.motzarella.org...
> FromTheRafters wrote:
>> "~BD~" wrote in message
>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...

> [snip]
>>> I do take on board, though, your point regarding backups possibly being
>>> contaminated.

>>
>> The chances of you having the specific kind of virus that attaches to
>> boot code is extremely small.
>
> true for viruses, less true for malware in general... specifically,
> there's mbr malware being deployed via drive-by downloads from compromised
> websites as we speak... i believe you can get more information by
> searching for the keyword "mebroot"...

Thanks kurt, I'll check that out.
 
"~BD~" wrote in message
news:%23SC2F8%23kIHA.1212@TK2MSFTNGP05.phx.gbl...
>
> "FromTheRafters" wrote in message
> news:eyTQU$2kIHA.5088@TK2MSFTNGP02.phx.gbl...
>>
>> "~BD~" wrote in message
>> news:%23RzxTUrkIHA.4140@TK2MSFTNGP04.phx.gbl...
>>>
>>> "FromTheRafters" wrote in message
>>> news:OK6Sf$qkIHA.4480@TK2MSFTNGP03.phx.gbl...
>>>>
>>>>>> "~BD~" wrote in message
>>>>>> news:uY7fSHmkIHA.2396@TK2MSFTNGP02.phx.gbl...
>>>>>
>>>>> Have you any idea how one may remove a virus from the boot code? TIA.
>>>>
>>>> Sure, you overwrite/replace the correct code where it belongs. The
>>>> trouble
>>>> is that sometimes you need part of the malicious code to recover your
>>>> data
>>>> from the malware. Say for instance the virus encrypted some of your
>>>> files, and
>>>> you decide to overwrite the boot code (stomping on the virus) then
>>>> reboot only
>>>> to find the algorithm and 'key' to recovering your data was also
>>>> stomped on.
>>>>
>>>> ..also consider that some of your backups may have been affected if the
>>>> malware
>>>> was there long enough.
>>>>
>>>> The whole Fdisk/MBR thing just illustrates the old saw 'a little
>>>> knowledge is a dangerous thing'.
>>>>
>>> Thanks once again. You say "Sure, you overwrite/replace the correct code
>>> where it belongs". You didn't explain *How*. If you know, please advise.
>>> TIA

>>
>> http://support.microsoft.com/kb/69013
>>
>> After reading this, you should see how it could be dangerous if the user
>> doesn't know what he or she is doing. I used to have a dual boot box
>> Linux/Win98 using 'grub' as the OS chooser. Fdisk/mbr would have
>> messed things up considerably on that box for instance.
>>
>>> Data retention is not relevant to this exercise. The object is to have a
>>> 'clean sheet' so to speak!

>>
>> I can't tell you how to do it correctly for your system, because I don't
>> know
>> what correct is for your system.
>>
>>> I do take on board, though, your point regarding backups possibly being
>>> contaminated.

>>
>> The chances of you having the specific kind of virus that attaches to
>> boot code is extremely small.
>>
>> Formatting the drive will likely be sufficient for your purposes.
>>
> Thank you so much for your helpful comments. I have read all the
> information at the page to which your link carried me and then went on to
> explore Article ID : 255867 regarding 'How to Use the Fdisk Tool
> .........'
>
> All this information relates to systems before Windows XP. If one has been
> using a hard disk - and let us assume that (although unlikely, in your
> view) it *has* been infected by a Mebroot virus - if one simply boots from
> a retail copy of XP (Home in my case) with a view to reinstalling Windows
> XP, is the 'Format procedure' incorporated in the set-up programme
> sufficient to eradicate a virus attached to the code in the MBR?
>
> My intuition tells me that the virus will remain - ready to act again as
> soon as the machine is reconnected to the Internet.
>
> Maybe I am completely wrong about this, but it is why I wish to know how
> to ensure that everything is wiped off a disc before reinstalling Windows.
> FYI, I have also used a facility called Darik's Boot and Nuke to destroy
> all data on a disk - but remain uncertain if even this procedure will
> destroy MBR malware. I wonder if anyone reading here will know.

Vista http://support.microsoft.com/kb/927392

Some others
http://www.datarecovery.com.sg/data_recove..._corruption.htm
Wanted to post a KB article - but this came to me first.

HTH
 