Windows 7 Forums
Windows 7: Rootkit Infection Requires Windows Reinstall, Says Microsoft

28 Jun 2011   #1
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
Rootkit Infection Requires Windows Reinstall, Says Microsoft

Quote:
Microsoft is telling Windows users that they'll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine's boot sector.

A new variant of a Trojan Microsoft calls "Popureb" digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog.

"If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state," said Feng.

A recovery disc returns Windows to its factory settings.

Malware like Popureb overwrites the hard drive's master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to both the operating system and security software.

According to Feng, Popureb detects write operations aimed at the MBR -- operations designed to scrub the MBR or other disk sectors containing attack code -- and then swaps out the write operation with a read operation.

Although the operation will seem to succeed, the new data is not actually written to the disk. In other words, the cleaning process will have failed.
Quote:
The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The following steps describe the trick:

It calls IoGetDeviceAttachmentBaseRef() to retrieve the bottom device object in the disk device stack, that is, the real physical disk device object.

Then it hooks the DriverStartIo routine in the found device's DRIVER_OBJECT structure.

The hooked DriverStartIo routine monitors the disk write operations: If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk.
Read More:

Rootkit Infection Requires Windows Reinstall, Says Microsoft | PCWorld


28 Jun 2011   #2
marsmimar

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit

Good info, Borg. Thanks. But my one remaining brain cell has a question. According to the article, "If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state." Additional info is in the Microsoft blog. But when you go to the link System Recovery Options in Windows 7 it merely refers you to this article:

What are the system recovery options in Windows 7?

What is the proper way to fix the MBR prior to using a recovery CD or a recovery partition?
28 Jun 2011   #3
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro

Yeah, I noticed that too marsmimar, in that it refers to the article, and that's it.

I added a snippet of the code above.
28 Jun 2011   #4
kado897

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1

Quote:
If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".
From the same article.

http://support.microsoft.com/kb/927392
28 Jun 2011   #5
marsmimar

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit

Quote: Originally Posted by kado897
Quote:
If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".
From the same article.

How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows
I saw that reference (to use fixmbr) and even went to the KB927392 article. But my one remaining brain cell became a bit confused when I read:

To run the Bootrec.exe tool ... 1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.

I don't have an installation disc. I have a recovery partition, recovery discs made after I brought my computer home, and a system repair disc that was created when I did my first system image. The system repair disc does have a Command Prompt option but if you need an installation disc to extract a clean MBR ....

Hence, my confusion.
28 Jun 2011   #6
kado897

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1

Mmm yes. I see.
28 Jun 2011   #7
SIW2

Microsoft Community Contributor Award Recipient

Vista x64 / 7 X64

You can do it from WinRE. That is on the 7 recovery disc, all OEM recovery discs (though some do not have access to the command prompt), and on the 7 install DVD.
28 Jun 2011   #8
kado897

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1

Thanks SIW2.
28 Jun 2011   #9
marsmimar

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit

Quote: Originally Posted by SIW2
You can do it from WinRE. That is on the 7 recovery disc, all OEM recovery discs (though some do not have access to the command prompt), and on the 7 install DVD.
Sorry for being so dense but ...

I have 4 recovery discs for my Sony VAIO. As soon as I start disc #1 I get a Sony dialog box that says something like the hard drive is going to be erased, backup all important data, when prompted insert disc #2, etc. As soon as I click OK the recovery process begins. No options that I can see to enter any command prompts or access any other repair options.

Under these circumstances would you suggest I buy an OEM install disc just to have on hand in case of emergencies? If yes, would it make any difference if it does or does not have SP1? Again, my apologies.
28 Jun 2011   #10
kado897

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1

No need. Just create a repair disk.
System Repair Disc - Create