
Microsoft Says Reinstall Overkill In Removing Rootkit

timothy posted more than 2 years ago | from the try-this-handy-therapeutic-coma dept.

Security 203

CWmike writes "Microsoft has clarified the advice it gave users whose Windows PCs are infected with a new, sophisticated rootkit dubbed Popereb that buries itself on the hard drive's boot sector, noting Wednesday that a complete OS reinstall is not necessary. 'If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state,' MMPC engineer Chun Feng wrote in an updated blog entry. Feng provided links to instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7. Once the MBR has been scrubbed, users can run antivirus software to scan the PC for additional malware for removal, Feng added. Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees. Joe Stewart, director of malware research at Dell SecureWorks, said, 'Once you're infected, the best advice is to [reinstall] Windows and start over ... [MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position.' MBR rootkit malware is among the most advanced of all threats."


203 comments


When in doubt... (1)

Anonymous Coward | more than 2 years ago | (#36628058)

format.

Re:When in doubt... (1)

Z00L00K (682162) | more than 2 years ago | (#36628126)

It's starting to get time for the yearly reinstall anyway. My Windows is getting slow, and a reinstall really clears things up.

Re:When in doubt... (-1, Redundant)

nmb3000 (741169) | more than 2 years ago | (#36628750)

It's starting to get time for the yearly reinstall anyway. My Windows is getting slow, and a reinstall really clears things up.

If you need a "yearly reinstall" of any Windows since XP, it's a problem with you, not Windows.

The benefit of regular reinstalls ended with Windows ME.

Re:When in doubt... (1)

scrib (1277042) | more than 2 years ago | (#36628966)

You know, I talk a good game about Linux, but I do an install of Ubuntu just about every 6 months...

Alright, to be fair, it's closer to annual. I think they know they have to deal with the LTS releases longer and they have seemed more stable to me. That's why they did Unity right AFTER the last LTS, to give them several tries to get it right before 12.04...

Re:When in doubt... (0)

Anonymous Coward | more than 2 years ago | (#36629296)

Okay, I'm not an Ubuntu user but a Debian one; is there any reason you can't just do an apt-get dist-upgrade between releases on Ubuntu instead of a full reinstall?

Re:When in doubt... (2)

MobileTatsu-NJG (946591) | more than 2 years ago | (#36629022)

The benefit of regular reinstalls ended with Windows ME.

No, it didn't. Windows 7 is definitely working better for me, but XP required the yearly reinstall just like all the previous Win OS's.

Re:When in doubt... (1)

Yunzil (181064) | more than 2 years ago | (#36629182)

but XP required the yearly reinstall just like all the previous Win OS's.

No, it didn't. I ran XP for years without a reinstall. For that matter, I ran 98 for years without a reinstall. You're doing it wrong.

Re:When in doubt... (1)

MobileTatsu-NJG (946591) | more than 2 years ago | (#36629252)

Okay, what am I doing wrong?

Re:When in doubt... (1)

starofale (1976650) | more than 3 years ago | (#36629514)

Installing programs! Windows doesn't like that.

Re:When in doubt... (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#36629596)

I think you're right. Registry rot....

I've noticed my Windows installs last a lot longer when I use portable apps. (i.e. apps that don't require an install.)

Re:When in doubt... (0)

Anonymous Coward | more than 3 years ago | (#36629598)

Licking butts?

Re:When in doubt... (1)

wiedzmin (1269816) | more than 3 years ago | (#36629394)

To be fair I had to do a semi-annual reinstall on my g/f's Macbook Air recently to get it to stop crawling. It's all about the user.

Re:When in doubt... (1)

jweller13 (1148823) | more than 2 years ago | (#36629192)

Getting a router, never logging in under admin credentials, passwording all accounts, running my virus/malware software on Max security, regularly clearing out all browser history, blocking ads using the HOSTS file all seemed to have greatly reduced the need for re-installs. See, that's all ya have to do.

Re:When in doubt... (0)

hairyfeet (841228) | more than 3 years ago | (#36629566)

Then to use a popular meme "ur doin it wrong" my friend. If you install a lot of software then a simple registry cleaning will keep your Windows running well (I recommend Tuneup Utilities, but for those wanting a free alternative WinUtilities works decently but isn't as nice or full featured as tuneup) and Avast Free with its default sandboxing and JavaScript scan before load will keep all but the most herp derp PEBKAC caused infections away.

Honestly despite all the jokes and FUD passed around here by certain fanboys it really is pretty simple to keep Windows running quite well for the life of a machine. Don't load up the taskbar with tons of always running bullshit, don't be clicking on email attachments, keep the machine up to date with Windows Update, a decent registry cleaner to get rid of dead reg links left by crap third party software, just basic common sense.

The machine I'm typing this on has been running Win 7 HP since RTM which is 2 years, my netbox has been running XP since it came out in 04, same install, and I have several customers with XP boxes that are more than 8 years old, again same install. It really ain't that hard folks, just a teeny tiny bit of TLC and common sense.

Re:When in doubt... (1)

MobileTatsu-NJG (946591) | more than 2 years ago | (#36628286)

Give us Windows users credit, we are trained to back up our data!

Re:When in doubt... (0)

Anonymous Coward | more than 2 years ago | (#36628398)

Basic advice: Clean and lubricate as needed, back-up frequently.
Seeking diversity and those with other skills can bring a refreshing change when getting help - don't pass up that RIM expert.

I agree (2)

itchythebear (2198688) | more than 2 years ago | (#36628072)

Uninstalling is all that's needed.

*ducks*

Edit this shit timothy! (5, Insightful)

Lunix Nutcase (1092239) | more than 2 years ago | (#36628116)

Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees.

Redundant much? Could the "editors" possibly make themselves look any more lazy and incompetent if they tried?

Re:Edit this shit timothy! (2)

Ant P. (974313) | more than 2 years ago | (#36628172)

Could the "editors" possibly make themselves look any more lazy and incompetent if they tried?

Challenge Accepted?

Re:Edit this shit timothy! (0)

Anonymous Coward | more than 2 years ago | (#36628288)

For real. A couple of grammatical errors here and there are one thing... but entire nearly-repeated clauses? Maybe someone can write a /. article on the declining quality of /. editors. Given how much they seem to be reading them, they might just let it through.

Re:Edit this shit timothy! (1)

Tarlus (1000874) | more than 2 years ago | (#36628254)

Not to mention the "Popereb" and "Popureb" inconsistency.

Re:Edit this shit timothy! (0)

Anonymous Coward | more than 2 years ago | (#36628500)

You know what's even more annoying than a redundant sentence? The asshats that act like the editor punched their newborn child in the face every time there's a grammatical error in a summary.

I'm sick of wading through your piles of shit to get to the on topic comments everyone else makes.

Re:Edit this shit timothy! (1)

Lunix Nutcase (1092239) | more than 2 years ago | (#36628558)

So then maybe the editors should actually "edit" the articles so they don't look so lazy and stupid?

Re:Edit this shit timothy! (2)

Rary (566291) | more than 2 years ago | (#36628760)

Maybe what he's trying to say is this:

1. Several researchers agree with Microsoft.
2. A noted botnet expert disagrees with Microsoft.
3. A (different) internationally-known botnet expert disagrees with the noted botnet expert, thereby agreeing with Microsoft.

Okay, not likely. I should know better than to try to defend Slashdot "editors", who are only marginally more useful than the Slashdot programmers, who I noticed have changed the header and footer of the comment section, and in doing so broke the "post anonymously" button (again), and also all links in the thread (which were partly broken before, but now they're completely broken). Morans.

Re:Edit this shit timothy! (0)

aztracker1 (702135) | more than 3 years ago | (#36629396)

More like...
  1. Microsoft revised its advice to short of a nuke/repave path for handling a bootkit virus
  2. Several security researchers agree with MS
  3. A noted researcher doubts the trust that this will allow for a detectably clean PC
  4. Another noted researcher also disagrees with MS, preferring the nuke/repave path for handling bootkits

a 'gotcha,' when it was misreported to begin with (5, Informative)

jcombel (1557059) | more than 2 years ago | (#36628146)

ms never said to re-install windows in the first place, headlines on sites like slashdot mis-reported it to begin with. from slashdot's summary:

"'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."

the summary blurted that the recovery disc returns Windows to its factory settings, and left out how it also is the boot environment for restoring from windows backups, which Feng was clearly talking about ("restore your system to a pre-infected state").

EXACT series of steps to kill this rootkit... apk (-1)

Anonymous Coward | more than 2 years ago | (#36628922)

Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:

---

1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

---

* This absolutely WILL work, no questions asked/period... vs. the CURRENT design of this botnet/rootkit that is...!

(That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

I first posted on it here 2 days ago in fact:

http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272 [slashdot.org]

APK

P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

... apk

Re:EXACT series of steps to kill this rootkit... a (-1)

Anonymous Coward | more than 2 years ago | (#36629102)

The Windows registry has nothing to do with the master boot record. You're a fucking idiot. But of course, we all knew that already.

PROOF it does (how/when/where/why)... apk (-1)

Anonymous Coward | more than 2 years ago | (#36629266)

Proof thereof below on WHY those 3 commands (listsvc, disable, fixmbr) WILL work, because this rootkit uses a protective driver:

---

http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx [technet.com]

PERTINENT QUOTE/EXCERPT:

"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way - by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"

---

(Doing a listsvc /? or disable /? shows their parameter switches for their commandlines)

* ... & there you are!

APK

P.S.=> Assuming this IS the "indestructible rootkit" that came out 2 days ago in the news that is... &, I am PRETTY SURE it is (big news is why)

... apk

Don't use Windows 2k/XP/Server 2003 FixMBR (0)

Anonymous Coward | more than 3 years ago | (#36629474)

ON WINDOWS VISTA, WINDOWS 7, or WINDOWS SERVER 2k8 - that's simply because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

(HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008 though)

* Because all they do is query the registry and write it, respectively!

(The Registry's structure's been essentially the same since Win2k is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

APK

P.S.=> To quote Sean Connery from "The Untouchables"? Well, "Here endeth the lesson..."

Re:a 'gotcha,' when it was misreported to begin wi (2)

0123456 (636235) | more than 2 years ago | (#36629138)

"'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng.

If your recovery CD is pre-infected, then surely you're screwed anyway?

Re:a 'gotcha,' when it was misreported to begin wi (1)

PNutts (199112) | more than 2 years ago | (#36629284)

If your recovery CD is pre-infected, then surely you're screwed anyway?

Does that mean the plastic they make a CD from is infected?

Yesterday (1)

blair1q (305137) | more than 2 years ago | (#36628156)

Yesterday it was Poperub. Now it's either Popereb or Popureb.

You think a computer is going to find the thing when nobody can even decide what string matches its name in the 'sploit DB?

Re:Yesterday (1)

blai (1380673) | more than 2 years ago | (#36628504)

Viruses mutate. Get over it.

Good practice anyway (0)

cpu6502 (1960974) | more than 2 years ago | (#36628158)

I reinstall both my Windows desktop and Linux laptop every year. Keeps them clean and removes a lot of crap (not just viruses, but old unwanted programs).

Re:Good practice anyway (1)

ctrimm (1955430) | more than 2 years ago | (#36628466)

If you're running Linux, you probably don't have any viruses. It seems to me that uninstalling programs you don't use every couple months would be a lot easier than re-installing the OS... ever.

Despite that, I've been running my install of Win7 for over a year now, practice general maintenance, and it's still running as smooth as ever. Having to re-install an OS every year is either the sign of a poorly designed OS or just plain laziness.

Re:Good practice anyway (1)

cheater512 (783349) | more than 2 years ago | (#36628468)

I have to say I've never actually reinstalled Linux on a computer. Once it goes on, it stays for years.

Re:Good practice anyway (1)

Riceballsan (816702) | more than 2 years ago | (#36628708)

True, though in some cases some do, particularly those with distributions like Ubuntu that tend to encourage their users to do a full install to upgrade from version to version every 6 months or so. (Admittedly I think the current updater will move you up a version, but I recall a time when they didn't.) Of course in Linux a re-install is extremely painless considering your configurations of just about everything are stored in your home directory, which you shouldn't be formatting, rather than in a complicated registry in which half of your settings will carry over and half will be lost.

Re:Good practice anyway (1)

EvanED (569694) | more than 2 years ago | (#36629328)

I haven't used Linux on my home machine much at all for a couple years, but when I used it more I used Gentoo. A bit less than 5 years ago I managed to mess up Portage enough that I couldn't get Emerge to do anything (except complain a lot), so I gave up and reinstalled. It can definitely happen, even if you know your way around pretty well.

Re:Good practice anyway (1)

MobileTatsu-NJG (946591) | more than 2 years ago | (#36629056)

Keeps them clean and removes a lot of crap (not just viruses, but old unwanted programs).

I use Portable Apps wherever possible. (I think the address is portableapps.com, I am not affiliated.) Basically they're just apps that are compressed into a self extracting file. You extract them and they just run, no installation needed. This means after a reinstall (or new computer) I still have my browsers with bookmarks, text/script editors, and a handful of other things I use a lot. When I get a laptop or something I just copy the files over to that machine and I'm running over there, too.

This post is off-topic, but it may help extend the life of your OS's.

Flawed Logic (0)

Anonymous Coward | more than 2 years ago | (#36628188)

Joe Stewart, director of malware research at Dell SecureWorks, said, 'Once you're infected, the best advice is to [reinstall] Windows and start over ... [MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position.'

This statement could be true of any type of malware (MBR rootkit or otherwise). Any kind of malware could theoretically download any other malware; is he advising a complete reinstall in every case of malware infection?

Re:Flawed Logic (1)

Vegemeister (1259976) | more than 2 years ago | (#36628778)

If he isn't, he should be.

BIOS protection (0)

Anonymous Coward | more than 2 years ago | (#36628198)

Am I mistaken, or did the BIOS once (let's say 10 years ago) offer some form of protection against MBR viruses?

Do modern BIOSes not support that anymore?

Time for EFI... (mmm... my mac has it like 5 years now).

Re:BIOS protection (0)

Anonymous Coward | more than 2 years ago | (#36628260)

Nice reminder. I don't remember seeing this option in the BIOS of recent (at least 4-5 years old) motherboards. I think BIOS developers decided to replace that option with some useless thing.

Re:BIOS protection (1)

Truekaiser (724672) | more than 2 years ago | (#36628642)

No, not that I remember. I DO remember the old BIOS viruses that would rewrite the BIOS or otherwise brick the machine. The difficulty of doing so made them not very widespread. EFI, on the contrary, makes it very easy to have a virus/trojan etc. embed itself in the EFI. If EFI becomes widespread then you will not only have to have a Windows anti-virus if you run Windows, but also an EFI anti-virus for all OS's.

Re:BIOS protection (1)

Score Whore (32328) | more than 2 years ago | (#36629016)

I think that's only effective when you are calling the BIOS for disk access (int 19 or int 13, I forget specifically). If you have your own device driver that accesses the hardware directly, that kind of protection doesn't work.

Eyeroll (5, Informative)

goodmanj (234846) | more than 2 years ago | (#36628206)

MBR rootkit malware is among the most advanced of all threats.

So advanced, it's been around for 25 years. Boot sector manipulation is like the flint arrowhead of virus tech.

http://www.f-secure.com/v-descs/brain.shtml [f-secure.com]

Re:Eyeroll (2)

Lunix Nutcase (1092239) | more than 2 years ago | (#36628262)

So advanced, it's been around for 25 years.

Non sequitur. Just because something is old does not preclude it from being advanced or the "most advanced" of whatever category you are talking about.

Re:Eyeroll (2)

goodmanj (234846) | more than 2 years ago | (#36628574)

Your average Clovis point arrowhead is a pretty advanced bit of stoneworking too: see what I did there? But the point is that if something's been around as long as flint arrows or boot sector viruses, we've usually come up with a good defense against it.

Re:Eyeroll (1)

lennier (44736) | more than 2 years ago | (#36628698)

But the point is that if something's been around as long as flint arrows or boot sector viruses, we've usually come up with a good defense against it.

Yes, and in both cases, the best defence is still generally 'don't get hit with one'.

Never underestimate the power of primitive attacks to overcome sophisticated defences.

Re:Eyeroll (0)

Anonymous Coward | more than 2 years ago | (#36629036)

Is that why those stupid spear chuckers keep downing my Stealth Bombers???

Re:Eyeroll (1)

Hsien-Ko (1090623) | more than 2 years ago | (#36628524)

I know. Michelangelo'd floppies are probably deadlier than conficker... :( Today's viruses act so much like 90's hollywood viruses enough to bury the old school boot sector virus concept.

EXACT series of steps to KILL THIS ROOTKIT (-1)

Anonymous Coward | more than 2 years ago | (#36628948)

Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:

---

1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

---

* This absolutely WILL work, no questions asked/period... vs. the CURRENT design of this botnet/rootkit that is...!

(That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

I first posted on it, here, 2 days ago, in fact:

http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272 [slashdot.org]

APK

P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

... apk

Don't use Windows 2k/XP/Server 2003 FixMBR (-1)

Anonymous Coward | more than 2 years ago | (#36629048)

ON WINDOWS VISTA, WINDOWS 7, or WINDOWS SERVER 2k8 - because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

(HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008 though)

* Because all they do is query the registry and write it, respectively!

(The Registry's structure's been essentially the same since Win2k is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

APK

P.S.=> To quote Sean Connery from "The Untouchables"? Well, "Here endeth the lesson..."

... apk

Why listsvc & disable too vs. this rootkit... (-1)

Anonymous Coward | more than 2 years ago | (#36629310)

Proof thereof below on WHY those 3 commands (listsvc, disable, fixmbr) WILL work, because this rootkit uses a protective driver:

---

http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx [technet.com]

PERTINENT QUOTE/EXCERPT:

"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way - by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"

---

(Doing a listsvc /? or disable /? shows their parameter switches for their commandlines)

* ... & there you are!

APK

P.S.=> Assuming this IS the "indestructible rootkit" that came out 2 days ago in the news that is... &, I am PRETTY SURE it is (big news is why)

... apk

Why use listsvc & disable too, vs. this rootki (-1)

Anonymous Coward | more than 2 years ago | (#36629380)

Proof thereof below on WHY those 3 commands (listsvc, disable, fixmbr) WILL work, because this rootkit uses a protective driver:

---

http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx [technet.com]

PERTINENT QUOTE/EXCERPT:

"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way - by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"

---

(Doing a listsvc /? or disable /? shows their parameter switches for their commandlines)

* ... & there you are!

APK

P.S.=> Assuming this IS the "indestructible rootkit" that came out 2 days ago in the news that is... &, I am PRETTY SURE it is (big news is why)

... apk

The only way to be sure... (1, Insightful)

Announcer (816755) | more than 2 years ago | (#36628228)

Like someone said, "Nuke 'em from orbit."

In that case, I'd only save whatever key files I had (pics, MP3's) scanning them as they go, then completely FDISK /mbr , delete and recreate the partition(s), and reformat the drive. Reinstall Winder from a slipstreamed CD, and let 'er rip. I've only had to do this a handful of times for others. So far, so good in practicing SAFE HEX, I haven't had a machine I've owned get infected, yet.

Obligatory response, but I cannot help myself (2, Insightful)

Anonymous Coward | more than 2 years ago | (#36628328)

I haven't had a machine I've owned get infected, yet, that I know about.

There, fixed that for you. But seriously, not all viruses make a lot of ruckus. Some of the most sinister are those that remain hidden and just copy files and activity that look salable. Another are botnets that only do their activity at night or stay tightly throttled.

Another Obligatory response, can't help but say... (0)

Anonymous Coward | more than 2 years ago | (#36628544)

You mean I don't really have to nuke it from orbit to be sure, after all?

EXACT series of steps 2 NUKE this rootkit (-1)

Anonymous Coward | more than 2 years ago | (#36629216)

Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design (no need to "NUKE", yet - this "masterpiece of system death" in this rootkit? It isn't PERFECTED... yet! See for more below & Read on):

---

1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

---

* This absolutely WILL work, no questions asked/period... vs. the CURRENT design of this botnet/rootkit that is...!

(That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

---

* Be sure NOT to use Windows 2k/XP/Server 2003 Recovery Console on VISTA, Windows 7, or Server 2008 though (diff. bootsector format)!

However, theoretically @ least?

Listsvc & Disable WILL still work, as they only query the registry & write it, respectively, to find the offending protective driver, first & stop it from loading (reboot & then do fixmbr) - the registry structure remains the same essentially for them all, & in THIS case on drivers? It is.

Also - Since the NTFS5 filesystem is in place on them all so... in theory? You can use Win2000/XP/Server 2003 for the listsvc/disable portion to "knock-the-chocolate" outta the protective driver! ... &, there you go!

APK

P.S.=> To quote Sean Connery from "The Untouchables": Well... 'Here endeth the lesson'...

... apk

Why listsvc & disable too, vs. this rootkit? (-1)

Anonymous Coward | more than 2 years ago | (#36629330)

Proof thereof below on WHY those 3 commands (listsvc, disable, fixmbr) WILL work, because this rootkit uses a protective driver:

---

http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx [technet.com]

PERTINENT QUOTE/EXCERPT:

"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way - by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"

---

(Doing a listsvc /? or disable /? shows their parameter switches for their commandlines)

* ... & there you are!

APK

P.S.=> Assuming this IS the "indestructible rootkit" that came out 2 days ago in the news that is... &, I am PRETTY SURE it is (big news is why)

... apk

Don't use Windows 2k/XP/Server 2003 FixMBR (-1)

Anonymous Coward | more than 2 years ago | (#36629356)

ON WINDOWS VISTA, WINDOWS 7, or WINDOWS SERVER 2k8 - because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

(HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008 though)

* Because all they do is query the registry and write it, respectively!

(The Registry's structure's been essentially the same since Win2k is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

APK

P.S.=> To quote Sean Connery from "The Untouchables"? Well, "Here endeth the lesson..."

Sort of off-topic but I could use some advice (1)

newcastlejon (1483695) | more than 2 years ago | (#36628246)

How does one do a repair install if Windows 7 won't boot?

It seems silly to restrict repair installs to cases where the OS can boot anyway.

Re:Sort of off-topic but I could use some advice (0)

Anonymous Coward | more than 2 years ago | (#36628644)

You boot from the Setup CD to do the repair, not from your hard disk.

Re:Sort of off-topic but I could use some advice (0)

newcastlejon (1483695) | more than 2 years ago | (#36628674)

Windows 7 won't allow repair installs without running setup.exe from within the installation that needs repairing.

Re:Sort of off-topic but I could use some advice (1)

shutdown -p now (807394) | more than 3 years ago | (#36629446)

You don't need a repair install to fix the MBR. You only need the recovery console.

Re:Sort of off-topic but I could use some advice (1)

lennier (44736) | more than 2 years ago | (#36628726)

How does one do a repair install if Windows 7 won't boot?

Boot off your recovery DVD? You did make one, right?

Actually I have no idea if 'recovery media' these days are even bootable. Back in the day, we used to get real Windows install disks with our computers. No lie! They just handed 'em out in the box like they were candy, or at least not radioactive contraband which mere users couldn't be trusted to touch.

after rootkit infection, don't trust your system (1)

Anonymous Coward | more than 2 years ago | (#36628252)

It's standard security practice after a rootkit infection to NOT trust your system anymore. You never know what kind of shit is installed.
Virus scanners are nice, but work mostly on signatures and will not likely detect viruses which aren't in the signature database. Heuristics are still not good enough.
You cannot guarantee that the system is 100% clean.
Reinstallation is therefore a necessary step in the process.

Is the MBR really clean? (3, Informative)

Skapare (16644) | more than 2 years ago | (#36628292)

The infection code can simply intercept all the I/O taking place and prevent the MBR from being cleaned, while also making it look like it has (by intercepting the reads, too). You need to boot from non-writable external media to be sure (non-writable just in case you accidentally boot into the hard drive, which will quickly infect any writable media). And if somehow this thing, or the next big virus/trojan, infects the BIOS by reflashing, even this is no good.
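The point above is that any check run from inside the infected OS can be lied to, so an MBR check has to read the raw sectors from trusted, read-only boot media. Below is an added example (my code, not from this thread or from Microsoft) of what such an offline check does: it parses the 512-byte MBR, hashes the bootstrap code area against a baseline hash assumed to have been recorded from a known-clean install, and, going one step beyond the thread, also flags non-zero sectors in the unpartitioned gap before the first partition, where the "other malicious data stored as disk sectors" mentioned later in the thread is typically kept. The disk image is constructed inline; on a real machine you would feed it the first sectors read from the raw device.

```python
"""Offline MBR integrity check (added example, not code from the thread).

Intended to be run from trusted read-only boot media against raw sectors
(e.g. the first few hundred sectors of the disk), never from inside the OS
being checked. All sample data below is constructed, not a real infection.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bootstrap code area; disk signature follows at offset 440
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"

# Constructed stand-in for the bootstrap code of a clean MBR (first bytes look
# like the usual "xor ax,ax / mov ss,ax / mov sp,7C00h" prologue, rest is padding).
CLEAN_BOOTSTRAP = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 50

# Baseline hash of the 440-byte bootstrap area, assumed to have been recorded
# from the same machine while it was known to be clean.
BASELINE = hashlib.sha256(CLEAN_BOOTSTRAP.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()


def make_mbr(bootstrap: bytes, partitions) -> bytes:
    """Build a 512-byte MBR from bootstrap code and (status, type, lba, count) tuples."""
    mbr = bytearray(SECTOR)
    mbr[: len(bootstrap)] = bootstrap[:BOOT_CODE_LEN]
    struct.pack_into("<I", mbr, 440, 0xDEADBEEF)  # constructed disk signature
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i,
                         status, ptype, lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> dict:
    """Return bootstrap hash, disk signature and the non-empty partition entries."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "partitions": parts,
    }


def audit_disk(image: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    info = parse_mbr(image[:SECTOR])
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline (MBR overwritten?)")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    if info["partitions"]:
        first_lba = min(p["lba_start"] for p in info["partitions"])
        # Sectors 1 .. first_lba-1 belong to no partition. A freshly installed
        # Windows disk leaves them zeroed; bootkits stash loaders/payloads here
        # because file-system scanners never look at them. Legitimate data (e.g.
        # GRUB's core image on a dual-boot machine) can live here too, so a hit
        # means "inspect", not "infected".
        limit = min(first_lba, len(image) // SECTOR)
        dirty = [s for s in range(1, limit)
                 if any(image[s * SECTOR:(s + 1) * SECTOR])]
        if dirty:
            findings.append(f"non-zero data in {len(dirty)} unpartitioned sector(s), "
                            f"first at sector {dirty[0]}")
    return findings


def build_sample_disk(infected: bool) -> bytes:
    """Constructed 64-sector image: MBR plus a 63-sector gap before partition 1 at LBA 2048."""
    bootstrap = bytearray(CLEAN_BOOTSTRAP)
    gap = bytearray(SECTOR * 63)
    if infected:
        bootstrap[3] ^= 0xFF                      # simulate a patched jump in the boot code
        gap[SECTOR * 9:SECTOR * 10] = b"\xEB\xFE" + b"\x41" * (SECTOR - 2)  # stash in sector 10
    mbr = make_mbr(bytes(bootstrap), [(0x80, 0x07, 2048, 1_000_000)])
    return mbr + bytes(gap)


if __name__ == "__main__":
    for label, img in (("clean", build_sample_disk(False)), ("tampered", build_sample_disk(True))):
        print(label, audit_disk(img, BASELINE) or ["OK"])
```

On a real machine the image would come from reading the first sectors of the raw device from a live CD (for instance `dd if=/dev/sda bs=512 count=2048` on a Linux rescue disk), never from a tool run under the installed Windows, since a driver hooked at the port-driver level can return a clean-looking MBR to any reader inside that OS. The baseline hash has to be captured before the incident; without one, the bootstrap check degrades to comparing against a reference MBR from the same Windows version.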

Re:Is the MBR really clean? (1)

Nimey (114278) | more than 2 years ago | (#36628774)

Psst: the Windows recovery console is run from a CD or USB stick.

Re:Is the MBR really clean? (0)

Anonymous Coward | more than 2 years ago | (#36628880)

Go read the article and the how-to's. The examples they give have you booting from the hard disk, and assume that you have the recovery console preinstalled on Windows XP. The Vista link is funny! Windows 7 recovery just gets stuck in a loop from my experience.

Personally, it is faster to nuke and reinstall. You will feel safer too. Hell, upgrade to that new 1TB drive for $49.99; that should be clean.

Re:Is the MBR really clean? (0)

Anonymous Coward | more than 3 years ago | (#36629386)

Not necessarily, you can install it by running "winnt32.exe /cmdcons" from the installation dir.

EXACT series of steps to KILL this rootkit (-1)

Anonymous Coward | more than 2 years ago | (#36628974)

Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:

---

1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

---

* This absolutely WILL work, no questions asked/period... vs. the CURRENT design of this botnet/rootkit that is...!

(That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

I first posted on it here, 2 days ago in fact:

http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272 [slashdot.org]

APK

P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

... apk

Don't use Windows 2k/XP/Server 2003 FixMBR (-1)

Anonymous Coward | more than 2 years ago | (#36629034)

ON WINDOWS VISTA, WINDOWS 7, WINDOWS SERVER 2k8 - because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

(HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008)

* Because all they do is query the registry and write it, respectively!

(The Registry's structure has been essentially the same since Win2k, which is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

APK

P.S.=> To quote Sean Connery from "The Untouchables"? Well, "Here endeth the lesson..."

... apk

Why use listsvc & disable, vs. this rootkit? (0)

Anonymous Coward | more than 3 years ago | (#36629402)

Proof thereof below on WHY those 3 commands (listsvc, disable, fixmbr) WILL work, because this rootkit uses a protective driver:

---

http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx [technet.com]

PERTINENT QUOTE/EXCERPT:

"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"

---

(Doing a listsvc /? or disable /? shows their parameter switches for their command lines)

* ... & there you are!

APK

P.S.=> Assuming this IS the "indestructible rootkit" that came out 2 days ago in the news that is... &, I am PRETTY SURE it is (big news is why)

... apk

Dual Booters (0)

Anonymous Coward | more than 2 years ago | (#36628342)

Will this cause me trouble on my machine where I'm dual booting Debian and Windows Vista? Or would it just blow up grub and make itself really obvious?

re-install will not fix infected MBR (1)

Anonymous Coward | more than 2 years ago | (#36628352)

My understanding is a re-install will not do anything if your MBR is infected. You need to re-write the MBR and/or do a low-level format.

Re:re-install will not fix infected MBR (1)

Riceballsan (816702) | more than 2 years ago | (#36628730)

I believe most installs involve creating the MBR to inform it where the current OS and/or boot loader is.

This series of steps I put up 2 days ago will (-1)

Anonymous Coward | more than 2 years ago | (#36628906)

Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:

---

1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

---

* This absolutely WILL work, no questions asked/period... vs. the CURRENT design of this botnet/rootkit that is...!

(That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

I first posted on it here 2 days ago in fact:

http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272 [slashdot.org]

APK

P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

... apk

Don't use Windows 2k/XP/Server 2003 FixMBR (-1)

Anonymous Coward | more than 2 years ago | (#36629070)

ON WINDOWS VISTA, WINDOWS 7, WINDOWS SERVER 2k8 - because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

(HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008)

* Because all they do is query the registry and write it, respectively!

(The Registry's structure has been essentially the same since Win2k, which is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

APK

P.S.=> To quote Sean Connery from "The Untouchables"? Well, "Here endeth the lesson..."

... apk

Why use listsvc & disable, vs. this rootkit? (0)

Anonymous Coward | more than 3 years ago | (#36629414)

Proof thereof below on WHY those 3 commands (listsvc, disable, fixmbr) WILL work, because this rootkit uses a protective driver:

---

http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx [technet.com]

PERTINENT QUOTE/EXCERPT:

"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"

---

(Doing a listsvc /? or disable /? shows their parameter switches for their command lines)

* ... & there you are!

APK

P.S.=> Assuming this IS the "indestructible rootkit" that came out 2 days ago in the news that is... &, I am PRETTY SURE it is (big news is why)

... apk

So can an AV actually fix something?.... (1)

Sir_Sri (199544) | more than 2 years ago | (#36628454)

It's an interesting problem. Can viruses and rootkits actually be removed, or not? If you fix the MBR and have some tool that claims to find and remove the rootkit, is it actually gone, or do you always need to format and reinstall? Is there stuff, even non-virus stuff, just floating around that's mucking up your system that nothing can get rid of? That seems unlikely in this day and age.

Lots of people do a windows reinstall every year, I tend to ask: If windows is getting slow every year, well what are you installing on it that makes it slow? If you just sit a windows computer and never do anything to it for a year it's not suddenly slower (ignoring the possibility of requiring a reboot). Just because I can't clear out a virus/rootkit by deleting some files by hand doesn't mean AV software can't fix/delete/quarantine those files.

Are driver updates or other software updates leaving behind crud that floats about in memory? If so is there a way to clear that out? There's not much you can do about crud left behind by windows updates, since well, you're installing them whether you reinstall or not hopefully. But other drivers using more memory each time you update them would be a very serious problem (and not entirely unheard of).

Leaving behind temporary files on your hard drive doesn't strike me as all that serious, it doesn't actually slow your computer down unless you're doing very specific tasks. Disk fragmentation, that sort of thing are more or less things of the past problems wise unless you go out of your way to cause them.

Part of why windows starts out fast is that it doesn't do much until you get drivers in there. You can disable all the eye candy, but if you want an anti virus, printer drivers, 3d for games etc. you pretty much have to install programs and device drivers. I'm not sure that it gets any slower after you have all that stuff on, unless you get a virus you don't clean out, but enabling all of those features and devices does tend to both slow down some things and speed up/enable others. An no, linux is not fundamentally much different in that regard, if you want features you have to install the drivers and applications for them, and that may or may not improve performance of the system overall.

If windows (or linux) is slow, you can usually hunt down the culprit and fix it, which is both more useful and more productive than a reinstall which may not solve the problem in the long run, alas most people don't read /. and don't know that.

Re:So can an AV actually fix something?.... (2)

Sancho (17056) | more than 2 years ago | (#36628762)

Can viruses and rootkits actually be removed, or not? If you fix the MBR and have some tool that claims to find and remove the rootkit is it actually gone, or do you always need to format and reinstall? Is there stuff, even non virus stuff, just floating around that's mucking up your system that nothing can get rid of? That seems unlikely in this day and age.

Viruses have the upper hand because they come first. Although heuristic-driven antivirus has been around for a while, it's never been fully effective. So once the virus gets on the system, you can never know for sure that it's gone. The virus could simply be very effective at hiding itself from the virus scanner. It could be causing the virus scanner to report a status of "Updated" when, to the contrary, updates have not been applied in some time. Ultimately, if the virus is running at the highest privilege level, you just can't trust your system tools to be telling the truth.

That said, a bootable antivirus CD which can update from the Internet eliminates this issue, and could probably definitively tell you that your system is clean of viruses of which it is aware. Even so, if I thought I had a virus, I would reformat and reinstall.

Re:So can an AV actually fix something?.... (1)

Vegemeister (1259976) | more than 2 years ago | (#36628858)

No. It is impossible to verify that a machine is virus-free. The presence of any malware indicates that the machine has been used in an insecure manner at some time in the past. The particular piece of malware that was discovered may have been used as a back door to install other malware on the machine (keyloggers, etc.), or may have been installed in that way itself. The purpose of antivirus software is to alert the user that at least one virus is present on the machine, and that it is time to backup critical data and reformat.

Re:So can an AV actually fix something?.... (1)

Anonymous Coward | more than 2 years ago | (#36629224)

The purpose of antivirus software is to alert the user that at least one virus is present on the machine, and that it is time to reformat, and restore critical data from backup

There, fixed that for you

Re:So can an AV actually fix something?.... (1)

PNutts (199112) | more than 2 years ago | (#36629368)

The presence of any malware indicates that the machine has been used in an insecure manner at some time in the past.

I disagree. A co-worker was bit on his corporate PC when he visited The Drudge Report and I assume got nailed by a rogue ad server. Like everyone else, he had defenses at the firewall and Symantec on the PC. I'll also add that a zero-day or an exploit doesn't necessarily mean it was used insecurely, it's just not protected for that particular attack.

Three letters: (1)

Alex Belits (437) | more than 2 years ago | (#36628604)

SMI

(Someone, please, write a virus in a System Management Interrupt handler. Then people will start caring about NOT HAVING GIANT SECURITY HOLES IN THEIR SYSTEMS IN THE FIRST PLACE).

Re:Three letters: (1)

lennier (44736) | more than 2 years ago | (#36628752)

SMI

(Someone, please, write a virus in a System Management Interrupt handler. Then people will start caring about NOT HAVING GIANT SECURITY HOLES IN THEIR SYSTEMS IN THE FIRST PLACE).

What! Next you will be saying that the USB standard shouldn't auto-install random device drivers and that we should have some kind of removable media devices that would always be perfectly safe to plug in and read because they'd only be a filesystem, even if you found them in the bathroom stall at a LulzSec convention. That'd be madness!

Offline AV scan and repair? (1)

pidge-nz (603614) | more than 2 years ago | (#36628672)

At first glance, to me this seems straightforward to fix. 1. Go into the BIOS, confirm the boot order is Optical Drive first (very important!). Perhaps even go to the extent of not including the HDD in the boot order, if possible. 2. Boot from Windows Recovery CD, clean the MBR 3. Boot from an AV Boot CD (plenty of free ones available) to run an offline scan to, um, root out the infection. The AV CD may also be able to fix the MBR. 4. Profit? Problems with the above are sourcing a clean Recovery CD and AV CD, and that not all machines have an Optical drive to use (e.g. netbook), so you may need to rely on boot from USB, but again that needs the boot order setting correctly to boot from USB. Hardware write-protected USB drives are useful here. And "Joe Six-pack" may not have the resources to be able to do the above for himself.

Re:Offline AV scan and repair? (1)

Kittenman (971447) | more than 2 years ago | (#36629346)

Good to see it's not just me having problems with the /. pseudo-code for newlines and such ...

Microsoft says nuke it. (0)

Anonymous Coward | more than 2 years ago | (#36628736)

http://technet.microsoft.com/en-us/library/cc512587.aspx [microsoft.com]

Jesper M. Johansson, Ph.D., CISSP, MCSE, MCP+I

Security Program Manager
Microsoft Corporation

You can't clean a compromised system by patching it.

You can't clean a compromised system by removing the back doors.

You can't clean a compromised system by using some "vulnerability remover."

You can't clean a compromised system by using a virus scanner.

You can't clean a compromised system by reinstalling the operating system over the existing installation.

You can't trust any data copied from a compromised system.

You can't trust the event logs on a compromised system.

You may not be able to trust your latest backup.

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Is reinstall ever overkill? (0)

DrBuzzo (913503) | more than 2 years ago | (#36628766)

Reinstalling windows is probably the number 1 general purpose repair option for most software-based problems. As someone who has been fixing computers for a long time, I can tell you that if there is a problem with windows and it's not obvious at first glance, more often than not, it will save a lot of time to just back up the data you want to keep and reinstall windows. Whether or not you need to do a full-blown reformat is another thing, which of course, takes a bit longer.

Reinstalling windows is the equivalent of "try moving the antennas around" was on an old tv with bad reception - it's the first thing you try and it usually solves the problem.

Re:Is reinstall ever overkill? (1)

misexistentialist (1537887) | more than 2 years ago | (#36629092)

Most people weren't granted an installation disc, and even with such a precious treasure in hand, who knows if Microsoft will be so kind as to bless the installation as "genuine".

Re:Is reinstall ever overkill? (1)

PNutts (199112) | more than 3 years ago | (#36629388)

Most people weren't granted an installation disc, and even with such a precious treasure in hand, who knows if Microsoft will be so kind as to bless the installation as "genuine".

That doesn't make sense and is distressing to see on (I guess what used to be) a technical forum. If the OEM doesn't supply recovery discs then they provide a means for you to create them yourself, and yes they are all genuine. If the OEM doesn't do either then you should be concerned about the legitimacy of the OEM. But... One of the things I love about the Internet is that I expect there will be a number of examples posted to prove me wrong. :)

Dos boot disk (usb) (1)

Paracelcus (151056) | more than 2 years ago | (#36628852)

fdisk /mbr

Or use the mbr utility on the XP install CD.

Or just use something other than Windows.

I really am just stating the obvious!

EXACT steps 2 KILL this rootkit... apk (-1)

Anonymous Coward | more than 2 years ago | (#36629170)

Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:

---

1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

---

* This absolutely WILL work, no questions asked/period... vs. the CURRENT design of this botnet/rootkit that is...!

(That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

---

* Be sure NOT to use Windows 2k/XP/Server 2003 Recovery Console on VISTA, Windows 7, or Server 2008 though (diff. bootsector format)!

However, theoretically @ least?

Listsvc & Disable WILL still work, as they only query the registry & write it, respectively, to find the offending protective driver, first & stop it from loading (reboot & then do fixmbr) - the registry structure remains the same essentially for them all, & in THIS case on drivers? It is.

Also - Since the NTFS5 filesystem is in place on them all so... in theory? You can use Win2000/XP/Server 2003 for the listsvc/disable portion to "knock-the-chocolate" outta the protective driver! ... &, there you go!

APK

P.S.=> To quote Sean Connery from "The Untouchables": Well... 'Here endeth the lesson'...

... apk

Why use listsvc & disable vs. this rootkit? (0)

Anonymous Coward | more than 3 years ago | (#36629458)

Proof thereof below on WHY those 3 commands (listsvc, disable, fixmbr) WILL work, because this rootkit uses a protective driver:

---

http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx

PERTINENT QUOTE/EXCERPT:

"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"

---

(Doing a listsvc /? or disable /? shows their parameter switches for their command lines)

* ... & there you are!

APK

P.S.=> Assuming this IS the "indestructible rootkit" that came out 2 days ago in the news that is... &, I am PRETTY SURE it is (big news is why)

... apk

Don't use Windows 2k/XP/Server 2003 FixMBR (0)

Anonymous Coward | more than 3 years ago | (#36629466)

ON WINDOWS VISTA, WINDOWS 7, or WINDOWS SERVER 2k8 - because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

(HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008)

* Because all they do is query the registry and write it, respectively!

(The Registry's structure has been essentially the same since Win2k, which is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

APK

P.S.=> To quote Sean Connery from "The Untouchables"? Well, "Here endeth the lesson..."

get a UEFI Motherboard ! (0)

Anonymous Coward | more than 3 years ago | (#36629620)

simple

That's rich (-1)

Anonymous Coward | more than 3 years ago | (#36629640)

So let me get this straight.. a CHINESE guy is giving you advice on how to REMOVE malware from your computer?

Okay....
