Windows RootKit that requires re-install
RE: Windows RootKit that requires re-install

Aside from the assumption that if you have this malware you have others, too, why reinstall?

Why not boot Linux from a CD or write-protected flash drive and fix the MBR from there?


Want to ask the best questions?  Read Eric S. Raymond's essay "How To Ask Questions The Smart Way".  TANSTAAFL!

RE: Windows RootKit that requires re-install

Nobody provides a description of the symptoms when you have this rootkit AND/OR how you know you've got it?!

RE: Windows RootKit that requires re-install

(OP)
It appears that this was in reference to the Trojan:Win32/Popureb.E

Here is a link to an updated article, where apparently MS is at least partially reversing their initial position on reformatting.

Here is another blog entry from one of their people.

Lastly, here is the slashdot reference.

RE: Windows RootKit that requires re-install

Didn't anyone mention something like a BartPE CD with Mcafee plug-in that should be able to look at the MBR and identify the infection?

Or are they just giving the simple advice (reload or fix MBR) to non-technical users as an over-simplified solution?

RE: Windows RootKit that requires re-install

(OP)

Quote:

Or are they just giving the simple advice (reload or fix MBR) to non-technical users as an over-simplified solution?

I think you may be right.  I think that the actual advice was to replace / repair the MBR and then restore the system to a pre-infection state.  IIRC, there was a comment about using system restore or something like that returning the system to the initial state.  

The big difficulty, as I see it, is that for the average user, finding a means of starting the system without using the MBR could be tricky.  This malware takes advantage of the fact that most systems have a "restore" partition rather than bootable write-only media.  Unless the access of the restore is before the MBR, it will be impossible to restore it.  

In my opinion, writing to the MBR definitely falls into the "root level" compromise category.  With any root level compromise, it is impossible to guarantee that you have cleaned the system and removed the infection.  Consequently, a restore to a pre-infection state that completely overwrites the system is necessary.
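The earlier suggestion of booting clean media and looking at the MBR, and the point above that an MBR write is a root-level compromise, both come down to one check: compare sector 0 against a known-good baseline. The following is an added example, not code from this thread or from any of the tools named in it. It parses a classic 512-byte MBR (boot code, partition table, 0x55AA signature), hashes the bootstrap code, and reports what differs from a baseline. The sectors it checks are constructed in-line so it runs offline; `read_mbr()` takes a placeholder path and would be run from a live CD or write-protected USB against the raw disk or a dd image, never from the possibly infected Windows install.

```python
"""Verify an MBR sector against a known-good baseline (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440   # bytes 0-439 hold the bootstrap code
PART_TABLE_OFF = 446  # four 16-byte partition entries follow the disk signature
BOOT_SIG_OFF = 510    # last two bytes must be 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, LBA length


def build_sample_mbr(boot_code, entries):
    """Assemble a classic MBR sector from constructed parts (test data, not a real disk)."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN])
    sector += b"\x12\x34\x56\x78"  # disk signature (placeholder value)
    sector += b"\x00\x00"          # reserved
    for status, ptype, lba_start, lba_len in entries:
        # CHS fields are left zero; modern loaders use the LBA fields
        sector += struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, lba_len)
    sector += b"\x00" * (16 * (4 - len(entries)))  # unused table slots
    sector += b"\x55\xAA"
    assert len(sector) == SECTOR_SIZE
    return bytes(sector)


def parse_mbr(sector):
    """Return the fields a defender cares about: signature, partition table, boot-code hash."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, lba_len = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # type 0 marks an empty slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "lba_len": lba_len})
    return {
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, baseline):
    """Compare a sector against a baseline parse; return a list of findings (empty = matches)."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code hash differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_mbr(path):
    """Read sector 0 from a raw device or image; run this from clean boot media (path is a placeholder)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed data: a clean MBR with an NTFS system partition and a recovery partition.
CLEAN_MBR = build_sample_mbr(
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 400,
    [(0x80, 0x07, 2048, 204800), (0x00, 0x27, 206848, 40960)],
)
BASELINE = parse_mbr(CLEAN_MBR)  # record this while the system is known clean

# Constructed variants: altered boot code, and the bootable flag moved to the recovery partition.
ALTERED_CODE = bytearray(CLEAN_MBR)
ALTERED_CODE[0x20:0x28] = b"\xeb\xfe" * 4
ALTERED_CODE = bytes(ALTERED_CODE)
ALTERED_TABLE = build_sample_mbr(
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 400,
    [(0x00, 0x07, 2048, 204800), (0x80, 0x27, 206848, 40960)],
)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("altered code", ALTERED_CODE), ("altered table", ALTERED_TABLE)):
        print(name, "->", check_mbr(sector, BASELINE) or "matches baseline")
```

A clean result here only says sector 0 matches the baseline; it says nothing about the rest of the disk, which is why the restore-to-a-known-state advice above still applies once a mismatch has been seen. Rewriting the MBR from clean media then re-running the check confirms the rewrite took, but the baseline has to come from before the infection to be worth anything.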
 

RE: Windows RootKit that requires re-install

But booting from some other type of bootable device is enough to allow full removal, right?!

RE: Windows RootKit that requires re-install

(OP)
Theoretically, I guess so.  But if they had access to the MBR what other presents did they hide?

RE: Windows RootKit that requires re-install

I don't know, but I guess I'm not as worried about wiping out other stuff as long as the MBR is clean.
