# Web searches hijacked by malware - Page 2


## Re: Web searches hijacked by malware

~BD~ wrote:

http://www.symantec.com/connect/blogs/bootroot-trojanmebroot-rootkit-your-mbr

attracted

I think that many people who have a regular program for scanning also
include a strategy for scanning the boot sector.  An important feature
of the popular free AV Avast is its capabilities to do a bootsector
scan.

When you read articles about how those who provide tech services go
about 'attacking' a sick machine, the bootsector scan is part of the
routine.

There are many different kinds of reasons to be reinstalling, and some
of them include rewriting the mbr.

There's nothing quite like seeing it for yourself.

--
Mike Easter

## Re: Web searches hijacked by malware

On 11/12/2009 12:30, Mike Easter wrote:

I didn't know that! Thanks.

I know a couple of guys in local computer shops who don't, as far as I
know, look at the Boot sector before installing Windows!

Perhaps I should mention this to them!

At the risk of boring you to tears, I tried this on my wife's Acer
Aspire 3000 laptop today (it had XP Home from new)
..... using my retail copy of the XP CD. All happened just as before
*until* I got to the stage of the password requirement.

This time inserting 'nothing' did *not* allow me to proceed! I got a
I did the same twice more and was then told "An invalid password has
been entered 3 times. To restart your computer, press ENTER".

As I have all the re-installation discs supplied when new, I've
subsequently flattened and rebuilt the machine this afternoon!

I first took the laptop apart and cleaned all dust from the fan with a
brush and then gave it a good blow-through with compressed air too!

It seems to have a new lease of life now!

--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)

## Re: Web searches hijacked by malware

~BD~ wrote:

Notice the difference between what I said and what you said.

I made my reference to people who are fixing a sick - implying
infected - machine.

You made your reference simply to guys in computer shops who are
installing windows.  Your referenced guys could certainly be installing
windows on a clean new not-previously-infected hdd.

Or, they could already know what they are doing while you do not.

as

MS kb 308402 describes a problem encountered with the pw step when the
OS has been installed by an OEM using sysprep.  The wiki and MS describe
sysprep.

Presumably the reinstallation disks are disk images and one might find
that if you tried to use your retail copy XP disk that you /still/
wouldn't be able to access the Recovery Console because of pw problem.

--
Mike Easter

## Re: Web searches hijacked by malware

On 11/12/2009 19:08, Mike Easter wrote:

Once again you are quite correct!  In my *very* limited experience of
what these *Professionals* do, I've a suspicion that one quick and easy
way they have of tackling malware infection is to simply replace a hard
disk and re-install Windows!  ;)

That might well be true - but at least I 'have a go'! <vbg>

How on earth could I have known that?!!!

Thanks for pointing it out though.

OK - so I've been and had a looksee! Your suspicion is correct - I
*still* cannot access the Recovery Console on the laptop!

The disks are Ghost images I believe - I recognised the logo from using
Ghost some years ago.

Now that the machine is clean, I shall take a disk image myself using
Acronis True Image 2009!

Thanks again for sharing your knowledge, Mike Easter!  :)

--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)

## Re: Web searches hijacked by malware

On Wed, 9 Dec 2009, in the Usenet newsgroup alt.computer.security, in article

I don't normally worry about the MS media, but I don't believe I've
seen systems delivered recently with real MS media - it's all
manufacturer rescue image CDs/DVDs.

How often does your average user do an install?   Back when you had
two floppy disks to install MS-DOS 3.x, a lot more people were doing
so, and it wasn't anywhere _near_ as complicated as one of the
current versions of windoze.   Installing applications could be (and
often was) complicated, but not the O/S itself.

My (very limited) understanding is that both clear the directory and
the table that translated between file name and physical location on
the disk (the FAT tables in DOS, inodes in many types of *nix). With
the "quick" format, the data remains physically present (recoverable
with a disk editor, or anything else using physical addressing).
This means that if the mal-ware is using physical addressing, it may
still be dangerous.

The MBR is the only "known" location on a disk. The BIOS knows where
it is, and knows that there should be a bit of machine code that
starts the boot loading process. Part of that machine code is the
physical address of the rest of the boot loader and the operating
system.   Thus when you do an install, the MBR will be overwritten
with the necessary data to find the rest of that code.  As the
MBR is a small sector (512 bytes), and the disk system is incapable
of writing/reading individual bytes, the entire block will be
overwritten.

I thought the 'fdisk /mbr' was DOS, win9x and winme, and was replaced
by fixmbr in XP.    My understanding is that these tools are enough
to eradicate a boot sector virus.  Of course, they do nothing with
the rest of the virus (originally pointed to by the MBR), but if
nothing is pointing to it, it's not likely to be runnable.

and how many users can find that document?   More correctly, how many
would even know to _look_ for it?   Most computer operating systems
are built for that 6 year old that microsoft was using to advertise
windoze 7 on US television a month or two ago.  Just click this icon,
or select that menu item, and all will be fine...   "trust me".

Old guy
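The post above describes the MBR as the one fixed, 512-byte sector the BIOS reads, carrying boot code, the pointers to the rest of the boot chain, and a trailing signature. The following is an added example (not from the thread or any poster) that parses a raw sector into those parts so a defender can verify the signature, list the partition entries, and fingerprint the boot code against a known-good copy; the sample sector is constructed, not a real disk image.

```python
import hashlib
import struct

SECTOR_SIZE = 512        # the MBR is the first sector of the disk
PART_TABLE_OFF = 446     # 446 bytes of boot code, then four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # the last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,   # where the rest of the boot chain lives
            "sectors": sectors,
        })
    boot_code = sector[:PART_TABLE_OFF]
    return {
        "valid_signature": sector[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
    }

def boot_code_changed(baseline_sector: bytes, current_sector: bytes) -> bool:
    """True if the boot-code region differs from a known-good copy (signature bytes ignored)."""
    return parse_mbr(baseline_sector)["boot_code_sha256"] != parse_mbr(current_sector)["boot_code_sha256"]

def build_sample_mbr(signature: bytes = BOOT_SIG) -> bytes:
    """Constructed sample: placeholder boot code, one bootable NTFS-type (0x07) partition at LBA 63."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (PART_TABLE_OFF - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1000)
    return boot_code + entry + b"\x00" * 48 + signature

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("signature ok:", info["valid_signature"])
    for p in info["partitions"]:
        print("partition type 0x%02x at LBA %d, %d sectors, bootable=%s"
              % (p["type"], p["lba_start"], p["sectors"], p["bootable"]))
```

On a live system the first 512 bytes of the physical disk would be read with administrator rights and compared against an image taken when the machine was known clean.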

## Re: Web searches hijacked by malware

I'm somewhat confused by the positions in these discussions.

Moe Trin wrote:

Fugazi sez - one could go either way, flatten/rebuild or just apparent
malware removal.

DHL seems to be arguing against the flatten/rebuild side of the
argument, but that was only one side of Fugazi's position.

MT seems to be arguing with DHL, except to say that the same infected
user can neither make a rational decision about whether to target
malware remove *NOR* be able to flatten/rebuild.

Maybe MT's ultimate argument is that the user should be using an OS less
vulnerable to such problems, which OS has been installed by the
'factory' -- maybe a Mac :-)

--
Mike Easter

## Re: Web searches hijacked by malware

< snip >

| Maybe MT's ultimate argument is that the user should be using an OS less
| vulnerable to such problems, which OS has been installed by the
| 'factory' -- maybe a Mac :-)

| --
| Mike Easter

There 'ya go Mike !  :-)

--
Dave

## Re: Web searches hijacked by malware

On Wed, 9 Dec 2009, in the Usenet newsgroup alt.computer.security, in article

True.  The "bar" to using a computer has been lowered substantially
since the IBM PC was introduced in 1981.  Before that, you had mainly
geeks or enthusiasts using the personal computers - such as the Apple
][ and CP/M systems.  Even the first IBMs (probably up to the AT)
were of very limited use.  Data transfer mechanisms evolved from
paper copies to floppy disks to dial-in to a BBS. That was about the
time that mal-ware became more common. Want a trip down Memory Lane?

NEWVIRUS.ARC 02-01-88 BEWARE NEW VIRUS + IMMUNIZATION FROM BIX     1024

VIRUSINF.ARC 02-17-88 ADDTL INFO ON COM/EXE VIRUS                  6528

FILETEST.ARC 04-20-88 VIRUS DETECTOR BY DR. LEVINE                61056

That's from a 1990 directory listing at a BBS.

Now, what has changed in the twenty (plus) years since then?  First
is that personal computers have become pervasive - probably as many
out there (overall) as television sets. In accordance with several
often quoted "laws", the capability of these systems has made
astounding progress.   The system memory has grown from (literally)
hundreds of bytes to multiples of gigabytes. Magnetic media has
grown from kilobytes on a cassette tape to terabytes on a device not
much larger than that tape.  And then we have connectivity to the
world, which started as a 300 BPS modem on dial-up to a fiber
connection limited by how much the provider wants to sell - but
gigabit service is available.

What has not grown is the skill level of the users. It's gone in
exactly the opposite direction. Most users' technical skills are
limited to moving a mouse, and pressing the button[s] there-on.
They have no idea what is going on - even in fundamental concepts.
The Internet is one massive web site good for entertaining the user.
It's magic.  And best of all, you don't need to know ANYTHING about
what is happening...  oh, this looks like a pretty icon.

While a less vulnerable operating system might help, it's no panacea.
Snow Leopard and Ubuntu are proof of that.   The O/S have to be
dumbed down to the (complete lack of) skill levels of the user.

At one time, there was talk of an anti-mal-ware capability being
added to windoze such that it would only run "trusted" binaries
that were somehow digitally signed, and the signature could be
verified at a microsoft site (more likely a content provider like
Akamai or similar) before allowing the binary to run. Obviously
this is a bad idea, as it's going to slow the operation down (while
the system checks the signature), won't work when you don't have
connectivity, and is a means of censorship/extortion by microsoft.

No, the solution to the mal-ware problem is education - requiring
the user to actually have some clue about what is going on. You
know the chance of that happening - remember it's a user's naturally
given _right_ to be st00pid, and they won't stand for any
restriction of that right.  Instead, if they look for anything at
all, they will look for some "silver bullet" that will prevent
mal-ware infestations, and clean up after one actually does get
installed.

---------------------------------
|  Something Funny Just Happened. |
|         Fix It For Me.          |
|            [ OK ]               |
---------------------------------

Sorry - computers don't work that way.

Old guy

## Re: Web searches hijacked by malware

| On Tue, 8 Dec 2009, in the Usenet newsgroup alt.computer.security, in article

| So how then do you assume that the anti-mal-ware tool will be able
| to remove all of the bad stuff?

| Users are notoriously unable to describe technical problems, and are
| even less able to _notice_ that something is wrong.

| Not everyone is brain-dead and either clicks OK without reading, has
| disabled warning messages, or has enabled "auto-install" because it
| improves their "internet experience".

| You are assuming the user can make a rational technical decision.
| Were that the case, the incidence of mal-ware infestations would be
| much lower.

| Given that the average user has no clue what is happening with the
| computer, the alternative is trying to install "something" else
| that the user hopes (but has no guarantee) will do something useful,
| and isn't another version of mal-ware.  But for the same reason, the
| average user is also quite incapable of a wipe/reinstall.

|         Old guy

Mo Trin:

Using the same logic, the average user would have no clue how to backup their
data, wipe the PC, reinstall the OS, patch it, install all applications,
restore their data and setup the PC to the same relative working condition.

--
Dave

## Re: Web searches hijacked by malware

On Wed, 9 Dec 2009, in the Usenet newsgroup alt.computer.security, in article

You notice that?   At best, they may know to take the computer to
some store and hope that there is someone there who can "fix"
the problem with the computer (it's NEVER a user problem) for not
too much money.  More likely, they'll look for some magic software
that they can install that will stop the computer from getting
sick... or maybe there's a pill or some lotion you can...

Old guy

## Re: Web searches hijacked by malware

| On Wed, 9 Dec 2009, in the Usenet newsgroup alt.computer.security, in article

| You notice that?   At best, they may know to take the computer to
| some store and hope that there is someone there who can "fix"
| the problem with the computer (it's NEVER a user problem) for not
| too much money.  More likely, they'll look for some magic software
| that they can install that will stop the computer from getting
| sick... or maybe there's a pill or some lotion you can...

|         Old guy

Pill.

Everybody is always searching for that magic pill that cures all ailments.

--
Dave

## Re: Web searches hijacked by malware

It's got her hosts file - just delete everything in there.

I think it's in:

*:/windows/system32/drivers/etc/hosts

Or something like that.
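The post above suspects the hosts file has been altered to hijack web searches. As an added example (not from the thread or any poster), the following parses hosts-file text and flags entries that redirect well-known search engines elsewhere or blackhole a hostname; the sample file is constructed, and 192.0.2.10 is a documentation address standing in for whatever a real hijack would point at.

```python
import ipaddress

# Constructed sample hosts file modelled on the search-hijack described in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.google.com
192.0.2.10      www.bing.com   search.yahoo.com   # one address, several names
127.0.0.1       update.example-av.invalid
"""

# Names whose redirection is a strong hijack signal (assumed watchlist, extend as needed).
WATCHLIST = {"www.google.com", "www.bing.com", "search.yahoo.com"}

def parse_hosts(text: str) -> list:
    """Return (line number, address, hostname) tuples; comments and blank lines skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed first field; the resolver ignores it too
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries

def suspicious_entries(text: str, watchlist=WATCHLIST) -> list:
    """Classify every non-stock mapping; a clean Windows hosts file yields an empty list."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost" and addr.is_loopback:
            continue  # the only mapping a stock hosts file carries
        if name in watchlist:
            reason = "redirected"   # search engine sent to an attacker-chosen address
        elif addr.is_loopback or addr.is_unspecified:
            reason = "blackholed"   # site silently blocked, e.g. an AV update server
        else:
            reason = "non-default"  # not necessarily bad, but worth a look
        findings.append((lineno, name, str(addr), reason))
    return findings

if __name__ == "__main__":
    for lineno, name, addr, reason in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (lineno, name, addr, reason))
```

The real file on Windows lives under the system directory (the poster's path is a guess); read it with administrator rights and feed its text to the function rather than the sample.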