[ale] Replacing The MBR

Jeremy T. Bouse undrgrid at undergrid.net
Tue Jan 5 19:51:24 EST 1999


	If you boot'd into 95B DOS mode... I am guessin you didn't boot it
from a bootdisk but rather the harddrive... since it's a MBR virus it is
prolly load'd into memory when the MBR is read... so even though you ran
fdisk /mbr it still had the virus in memory... try either bootin from a
bootdisk or use the debian /boot/boot.<Major><Minor> MBR backup using the
dd command... The debian backup should remove it provided the backup was
done before the virus infect'd your harddrive...

	Respectfully,
	Jeremy T. Bouse
	Sr. System Administrator

On Tue, 5 Jan 1999, Daniel S Cox wrote:

> Date: Tue, 05 Jan 1999 12:24:58 -0500
> From: Daniel S Cox <danny at ecweb.com>
> To: ale at ale.org
> Subject: [ale] Replacing The MBR
> 
> Greetings all!
> 
> 	Well, the Empire Monkey C virus rears its hoary head again....  Norton
> Antivirus (NAV) says my MBR is infected with this virus, but can't repair
> it.  Last night, I booted into the Win 95B DOS (which M$ says doesn't exist
> any more), and performed a "FDISK /MBR".  It changed it alright, lilo was
> gone, and all that was left was the Windoze 95 loader, but NAV still says
> the virus is there.  I do have a boot diskette from DOS 6.22, but I'm afraid
> that if I perform the FDISK /MBR from that, I'll be unable to boot up Win
> {mumble}, and my wife will have my hide!
> 
> 	Now: why doesn't FDISK /MBR completely overwrite wherever the MBR lives?
> I have found a MBR that seems to be part of Debian, and I might try that,
> just to see if it'll overwrite the nasty virus.
> 
> 	Ideas?  Thanks in advance!
> 
> Danny
> 
> 

,-----------------------------------------------------------------------------,
|  Jeremy T. Bouse   -   SouthNet TeleComm Services, Inc.   -   www.STSI.net  |
|     PGP ID/Fingerprint: 1024/E83D9AE5/4ACC03F098D78198 19D0593E50E597E9     |
|   Public PGP key available via email at pgp-public-keys at pgp.UnderGrid.net   |
|  sysadmin at STSI.net   -   NIC Whois: JB5713    -    undrgrid at UnderGrid.net   |
|      promotion, n.: New title, new salary, new office, same old crap.       |
`-----------------------------------------------------------------------------'
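
The dd restore suggested in the reply above, sketched as an added example (not part of the original post): it copies only the 446 bytes of boot code from a saved boot sector, so the partition table and the 55 AA signature already on the target are left alone. The function names and the image files are constructed for illustration; on a real machine the target would be the disk device, written after booting from clean media as the reply advises.

```shell
#!/bin/sh
# Added example. Sector 0 layout: bytes 0-445 boot code,
# 446-509 partition table, 510-511 boot signature 55 AA.
BOOTCODE_LEN=446

# region_sum FILE SKIP COUNT: checksum of one byte range of FILE.
region_sum() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | cksum
}

# Succeeds when FILE is at least one sector long and carries the 55 AA signature.
backup_looks_valid() {
    [ "$(wc -c < "$1")" -ge 512 ] || return 1
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# bootcode_differs BACKUP TARGET: succeeds when the boot code areas differ.
bootcode_differs() {
    [ "$(region_sum "$1" 0 $BOOTCODE_LEN)" != "$(region_sum "$2" 0 $BOOTCODE_LEN)" ]
}

# restore_bootcode BACKUP TARGET: overwrite boot code only, then verify the result.
restore_bootcode() {
    backup_looks_valid "$1" || { echo "$1: not a valid boot sector backup" >&2; return 1; }
    before=$(region_sum "$2" $BOOTCODE_LEN 66)
    # conv=notrunc keeps the rest of an image file; bs=446 stops short of the table.
    dd if="$1" of="$2" bs=$BOOTCODE_LEN count=1 conv=notrunc 2>/dev/null || return 1
    [ "$(region_sum "$2" $BOOTCODE_LEN 66)" = "$before" ] || return 1
    ! bootcode_differs "$1" "$2"
}

# make_sector FILE BOOTBYTE TABLEBYTE: build a constructed 512-byte test sector.
make_sector() {
    { head -c 446 /dev/zero | tr '\0' "$2"
      head -c 64 /dev/zero | tr '\0' "$3"
      printf '\125\252'; } > "$1"
}

# Demo on constructed files (boot.0300 stands in for /boot/boot.<Major><Minor>).
tmp=$(mktemp -d)
make_sector "$tmp/boot.0300" A P
make_sector "$tmp/disk.img" V Q
if bootcode_differs "$tmp/boot.0300" "$tmp/disk.img"; then
    restore_bootcode "$tmp/boot.0300" "$tmp/disk.img" &&
        echo "boot code restored, partition table untouched"
fi
rm -rf "$tmp"
```
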
