Windows 7: Rootkit Infection Requires Windows Reinstall, Says Microsoft


28 Jun 2011   #1

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
 
 
Rootkit Infection Requires Windows Reinstall, Says Microsoft

Quote:
Microsoft is telling Windows users that they'll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine's boot sector.

A new variant of a Trojan Microsoft calls "Popureb" digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog.

"If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state," said Feng.

A recovery disc returns Windows to its factory settings.

Malware like Popureb overwrites the hard drive's master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to both the operating system and security software.

According to Feng, Popureb detects write operations aimed at the MBR -- operations designed to scrub the MBR or other disk sectors containing attack code -- and then swaps out the write operation with a read operation.

Although the operation will seem to succeed, the new data is not actually written to the disk. In other words, the cleaning process will have failed.
Quote:
The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The following steps describe the trick:

1. It calls IoGetDeviceAttachmentBaseRef() to retrieve the bottom device object in the disk device stack, that is, the real physical disk device object.

2. Then it hooks the DriverStartIo routine in the found device's DRIVER_OBJECT structure.

3. The hooked DriverStartIo routine monitors the disk write operations: if it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed; however, the data will never actually be written onto the disk.
Read More:

Rootkit Infection Requires Windows Reinstall, Says Microsoft | PCWorld


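The MMPC description above implies a practical check for any MBR cleaner run from inside the infected system: the I/O status alone proves nothing, so the tool has to read sector 0 back and compare it with what it tried to write. The following is an added example, not code from the PCWorld article, the MMPC post or this thread; the in-memory disk and the suppressed_write function are constructed stand-ins for the real disk stack and the hooked DriverStartIo path, used only to show how the verification catches the silently dropped write.

```c
/* Added example (not from the PCWorld article or the MMPC post): a repair
 * tool must read the MBR back after writing it, because while the rootkit
 * driver is loaded the write is serviced as a read and "succeeds" without
 * changing sector 0. The disk is an in-memory array; suppressed_write is a
 * constructed stand-in for the hooked DriverStartIo path. */
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 512
#define DISK_SECTORS 4
typedef struct { uint8_t sectors[DISK_SECTORS][SECTOR_SIZE]; } disk_t;
/* Sector I/O callbacks return 0 on reported success, like a driver status. */
typedef int (*sector_io_fn)(disk_t *d, uint32_t lba, uint8_t *buf);
static int normal_read(disk_t *d, uint32_t lba, uint8_t *buf) {
    if (lba >= DISK_SECTORS) return -1;
    memcpy(buf, d->sectors[lba], SECTOR_SIZE);
    return 0;
}
static int normal_write(disk_t *d, uint32_t lba, uint8_t *buf) {
    if (lba >= DISK_SECTORS) return -1;
    memcpy(d->sectors[lba], buf, SECTOR_SIZE);
    return 0;
}
/* Constructed model of the hook: a write aimed at sector 0 becomes a read. */
static int suppressed_write(disk_t *d, uint32_t lba, uint8_t *buf) {
    return lba == 0 ? normal_read(d, lba, buf) : normal_write(d, lba, buf);
}
/* Write a replacement MBR and confirm it landed. Returns 1 only when the
 * read-back equals what was written; 0 despite a successful write status is
 * the symptom the post describes, so the fix must be done offline (WinRE). */
int write_mbr_verified(disk_t *d, const uint8_t *mbr, sector_io_fn wr, sector_io_fn rd) {
    uint8_t scratch[SECTOR_SIZE], readback[SECTOR_SIZE];
    if (mbr[510] != 0x55 || mbr[511] != 0xAA) return 0; /* not a valid MBR image */
    memcpy(scratch, mbr, SECTOR_SIZE);  /* hooked path may overwrite the buffer */
    if (wr(d, 0, scratch) != 0) return 0;
    if (rd(d, 0, readback) != 0) return 0;
    return memcmp(readback, mbr, SECTOR_SIZE) == 0;
}

/* Repair a disk whose sector 0 holds constructed junk, through the normal
 * path (hooked == 0) or the constructed hooked path (hooked == 1). */
int repair_outcome(int hooked) {
    disk_t d;
    uint8_t clean[SECTOR_SIZE];
    memset(&d, 0x11, sizeof d);                    /* "infected" sector contents */
    memset(clean, 0x90, SECTOR_SIZE);              /* clean MBR: 0x90 filler + boot signature */
    clean[510] = 0x55; clean[511] = 0xAA;
    return write_mbr_verified(&d, clean, hooked ? suppressed_write : normal_write, normal_read);
}
```

With the normal path the repair verifies; with the constructed hooked path the write reports success yet the read-back still shows the old sector, which is the result a cleaner should treat as failure.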

28 Jun 2011   #2

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit
 
 

Good info, Borg. Thanks. But my one remaining brain cell has a question. According to the article, "If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state." Additional info is in the Microsoft blog. But when you go to the link System Recovery Options in Windows 7 it merely refers you to this article:

What are the system recovery options in Windows 7?

What is the proper way to fix the MBR prior to using a recovery CD or a recovery partition?
28 Jun 2011   #3

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
 
 

Yeah, I noticed that too, marsmimar, in that it refers to the article, and that's it.

I added a snippet of the code above.


28 Jun 2011   #4

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Quote:
If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".
From the same article.

http://support.microsoft.com/kb/927392
28 Jun 2011   #5

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit
 
 

Quote: Originally Posted by kado897
Quote:
If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".
From the same article.

How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows
I saw that reference (to use fixmbr) and even went to the KB927392 article. But my one remaining brain cell became a bit confused when I read:

To run the Bootrec.exe tool ... 1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.

I don't have an installation disc. I have a recovery partition, recovery discs made after I brought my computer home, and a system repair disc that was created when I did my first system image. The system repair disc does have a Command Prompt option but if you need an installation disc to extract a clean MBR ....

Hence, my confusion.
28 Jun 2011   #6

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Mmm yes. I see.
28 Jun 2011   #7

Microsoft Community Contributor Award Recipient

Vista x64 / 7 X64
 
 

You can do it from WinRE - that is on the 7 recovery disc - all OEM recovery discs (though some do not have access to the cmd prompt), and on the 7 install DVD.
28 Jun 2011   #8

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Thanks SIW2.
28 Jun 2011   #9

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit
 
 

Quote: Originally Posted by SIW2
You can do it from WinRE - that is on the 7 recovery disc - all OEM recovery discs (though some do not have access to the cmd prompt), and on the 7 install DVD.
Sorry for being so dense but ...

I have 4 recovery discs for my Sony VAIO. As soon as I start disc #1 I get a Sony dialog box that says something like the hard drive is going to be erased, backup all important data, when prompted insert disc #2, etc. As soon as I click OK the recovery process begins. No options that I can see to enter any command prompts or access any other repair options.

Under these circumstances would you suggest I buy an OEM install disc just to have on hand in case of emergencies? If yes, would it make any difference if it does or does not have SP1? Again, my apologies.
28 Jun 2011   #10

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

No need. Just create a repair disk.
System Repair Disc - Create