
Malwarebytes

'Flatten and Rebuild'


7 replies to this topic

#1
~BD~

    Advanced Member

  • Banned
  • 100 posts
  • Gender:Male
  • Location:Devon, England
  • Interests:Narrowboating

    'Computing'
Hello!

Some reading here will no doubt have looked at my post regarding IP addresses. I appreciate all the helpful comments and thank everyone who contributed. :unsure:

I'm pleased to report that I have now successfully installed a second hard drive (rescued from my trashed PC!) on which to move the data I wish to retain. Having spent a great many hours experimenting, I now intend to 'flatten and rebuild' and install my XP Home retail copy of Windows once more.

The main hard disk is a SATA; the newly installed 'back-up' is an IDE. This data from Belarc Advisor may also be helpful:-

Drives

241.99 Gigabytes Usable Hard Drive Capacity
228.46 Gigabytes Hard Drive Free Space

E-IDE CD-ROM 52X L
RICOH DVD+RW MP5240 [CD-ROM drive]
3.5" format removeable media [Floppy drive]

Maxtor 6V160E0 [Hard drive] (160.04 GB) -- drive 1, s/n 3VQ997G5, rev AV119100, SMART Status: Healthy
Maxtor 6L080L0 [Hard drive] (81.96 GB) -- drive 0


What do I need now? Advice!

The following thread (rescued from Google) will explain my concerns:

http://groups.google.co.uk/group/microsoft...9b9aa19ca276a78

I should be most grateful for any recommendations on how best to proceed. TIA

Dave

#2
DaChew

    Elite Member

  • Experts
  • 591 posts
the aol malware is quite easy to remove, a simple format of C is enough, running windows as a repair disk I found was a waste of time

now if your router, bios, boot sector and data are infected then a flatten takes on a more complex operation
Regards
Chewy the wild wookie

#3
~BD~

    Advanced Member

  • Banned
  • 100 posts
  • Gender:Male
  • Location:Devon, England
  • Interests:Narrowboating

    'Computing'

DaChew, on Sep 14 2008, 08:33 PM, said:

the aol malware is quite easy to remove, a simple format of C is enough, running windows as a repair disk I found was a waste of time

now if your router, bios, boot sector and data are infected then a flatten takes on a more complex operation

Indeed! :unsure: Thanks for responding DaChew.

This was the advice given to me in the last post of the quoted thread:

He should instead boot from the Recovery Console and type: fixmbr.

Fixmbr Command Syntax:

fixmbr (device_name):

device_name = This is where you designate the exact drive location that
a master boot record will be written to. If no device is specified, the
master boot record will be written to the primary boot drive.
Fixmbr Command Examples:

fixmbr \Device\HardDisk0

In the above example, the master boot record is written to the drive
located at \Device\HardDisk0.

fixmbr:

In this example, the master boot record is written to the device that
your primary system is loaded onto. If you have a single installation of
Windows installed, which is normally the case, running the fixmbr
command in this way is usually the right way to go.
Fixmbr Command Availability:

The fixmbr command is only available from within the Recovery Console in
Windows 2000 and Windows XP.

-jen


Does anyone agree ........ or disagree? Any tips or further guidance? TIA

Dave

#4
DaChew

    Elite Member

  • Experts
  • 591 posts
In a true flatten you don't need the recovery console, the object is to wipe the hard drive, not attempt to repair the MBR

malware can rewrite to the mbr

I usually just have the windows disk wipe all partitions, for advanced wipes I would use the manufacturers utility
Regards
Chewy the wild wookie

#5
~BD~

    Advanced Member

  • Banned
  • 100 posts
  • Gender:Male
  • Location:Devon, England
  • Interests:Narrowboating

    'Computing'

DaChew, on Sep 15 2008, 12:25 PM, said:

In a true flatten you don't need the recovery console, the object is to wipe the hard drive, not attempt to repair the MBR

malware can rewrite to the mbr

Indeed it can!

I usually just have the windows disk wipe all partitions, for advanced wipes I would use the manufacturers utility

Thank you for your reply DaChew

I'm not sure what you mean by "I would use the manufacturers utility" - this is a home-built machine with a retail copy of Windows XP Home.

Had you read the thread I'd quoted, you would have been aware that a normal format and re-installation does NOT (so I understand) eradicate any malware which may be residing in the MBR. Hence my request for advice on a *really* clean install. HTH

Dave

#6
DaChew

    Elite Member

  • Experts
  • 591 posts
the recovery console is installed on the hard drive, so how can that be a safe way to flatten and rebuild, of course a format does not erase the hard drive

We used to use fdisk for that, it deletes the partition information and the MBR with it

your windows cd can delete the partition table and recreate one before a slow format

by utilities I was talking about ones from seagate, western digital and others, this zero fill operation recertifies drive back to factory original condition

I skimmed the thread you quoted, seeing nothing new for me

I haven't kept up with the latest banker trojan that writes to the MBR or even know if it's been prevalent in the wild, but from the Symantec article I read several months back it writes to the MBR and reinstalls the trojan when you remove it from the hard drive and rewrites the mbr when you remove it from there
Regards
Chewy the wild wookie

#7
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,570 posts
  • Gender:Male
  • Location:US
Step 1.
Backup ALL your data to another drive, tape, ftp, etc.

Step 2.
Insert your Windows XP CD and boot from it. You will be using the XP CD to remove all partitions and do a clean install.
Follow the directions here except that in your case you will first DELETE all partitions (just view the options given on the bottom of the XP screen)
Windows XP Home Install step by step


Items of interest:
  • There is no Virus, Trojan, or worm that I'm aware of that can remain present on the system after full partition removal and reinstall. There are some that can remain from just a format as the MBR is not overwritten with a format, but it is with a partition removal and reinstall.
  • I am not aware of any "good" BIOS infections. There are some written that have been known to hack the BIOS some, but from my understanding none have been done well enough to allow the system to work properly and still present a Virus, Trojan, worm effect on the system.
    If this information is not correct then someone that knows of documented and verifiable proof please provide the links to said information
  • There are some Router attacks that often occur simply because the user that installed the router did not place a new password on the router and the attacker simply used a known default password to alter it. They basically logon to the home router and set the DNS Server settings to redirect to their control thus they can easily redirect you to any site they wish instead of where you think you're going.
    There are also some Trojan codes that attempt to reimage the firmware of the router but again if it's password protected that would be difficult to accomplish as well. In the first case of a DNS redirect you can simply press your factory reset to remove and go back to default. In the second case if it was successful you would have to download and update a known good firmware in order to recover as a reset would not remove the code because the firmware is the code running the router.
    Bottom line: ALWAYS set up your router with a password that only you know.
    Again, if anyone knows of documented proof otherwise, please share the URL and we can then make an FAQ about it here.

Ron Lewis
Manager, Online Support



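An added example, not from this thread or from Malwarebytes, illustrating the point above about the MBR: a small Python parser for the 512-byte master boot record that hashes the boot-code region and checks a later copy against a recorded baseline, while also reading the partition table. The sample MBR, its boot bytes and the tampering are constructed inline; reading the real first sector from a disk device is left to the reader and needs administrator rights.

```python
# Added example, not from the thread: parse the 512-byte MBR layout and check the
# boot-code region against a known-good hash.  Boot code (bytes 0-445) and the
# partition table (446-509) lie outside every filesystem, so a format leaves them alone.
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # executable boot code precedes the partition table
ENTRY_LEN = 16           # four 16-byte partition entries follow it
SIGNATURE = b"\x55\xaa"  # bytes 510-511 on every valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code hash, the non-empty partition entries and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) start LBA(4) sectors(4)
        status, ptype, start_lba, size = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # type 0x00 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "start_lba": start_lba, "sectors": size})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[510:512] == SIGNATURE}


def boot_code_matches(mbr: bytes, known_good_sha256: str) -> bool:
    """True when the boot-code region still hashes to the recorded baseline."""
    return parse_mbr(mbr)["boot_code_sha256"] == known_good_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one active NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # status 0x80 (active), CHS fields zeroed, type 0x07 (NTFS), start LBA 63, 1 GiB of sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 63, 2097152)
    return code + entry + b"\x00" * (ENTRY_LEN * 3) + SIGNATURE


if __name__ == "__main__":
    baseline = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")  # constructed bytes, not a real loader
    good_hash = parse_mbr(baseline)["boot_code_sha256"]
    tampered = bytearray(baseline)
    tampered[0x10] ^= 0xFF  # simulated boot-sector change; partition table untouched
    print("baseline ok:", boot_code_matches(baseline, good_hash))
    print("tampered ok:", boot_code_matches(bytes(tampered), good_hash))
```

A baseline hash recorded right after a clean partition-delete-and-reinstall gives something concrete to compare against later, which a plain format does not provide.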

#8
~BD~

    Advanced Member

  • Banned
  • 100 posts
  • Gender:Male
  • Location:Devon, England
  • Interests:Narrowboating

    'Computing'

AdvancedSetup, on Sep 15 2008, 07:19 PM, said:

There is no Virus, Trojan, or worm that I'm aware of that can remain present on the system after full partition removal and reinstall. There are some that can remain from just a format as the MBR is not overwritten with a format, but it is with a partition removal and reinstall.

That was exactly my suspicion 'AdvancedSetup'! (item in bold above)

I'd like to apologise for my failure to thank you until now for your advice. I went away on my narrowboat for a few weeks Autumn cruise and returned only this Tuesday. Since then, though, I have successfully re-installed XP on both my desktop and on my wife's laptop. All seems to be working well! :)

Many, many, thanks for taking so much time and trouble to help me! I really appreciate it.

Dave
