Extreme rootkit removal advice - The Register

The_Unbeliever (Honorary Master, joined Apr 19, 2005; 103,193 messages, 10,233 reaction score; location: Nkaaaaandla)
http://www.theregister.co.uk/2011/06/28/extreme_rootkit_removal_advice/

Microsoft is advising users to reinstall Windows if they happen to be unfortunate enough to get hit by a particularly vicious rootkit.

The Popureb Trojan sticks its tendrils so deep into the operating system that the best option is to [-]nuke from orbit[/-] return machines to their original configuration. Any files that aren't backed up will be lost in the process.

Drastic measures are needed because a new version of the malware includes a driver component designed to prevent a malicious Master Boot Record and other malicious data dropped by the Trojan from being removed.

"If your system does get infected with Popureb-E Trojan, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR)," advises Microsoft security response staffer Chun Feng in a blog post here.

"To fix the MBR, we advise that you use the System Recovery Console, which supports a command called 'fixmbr'."

Microsoft doesn't say so explicitly, but applying a Master Boot Record fix before using a recovery disc is going to strip infected systems of both installed applications and associated data. In those circumstances, you'd need to use computer forensics skills to get anything back, a calamitous situation that illustrates the need to regularly back up important data.

Lovely. Blecch. And it will get worse.
 
Pass me my tinfoil hat, but I think part of the reason why this stuff is still possible is that MS deliberately leaves some backdoors open for DRM and the like, and one of them (or more) got found out.
 
One way to recover 100% from this kind of trojan infection is

1. If you have any MS SQL (or any SQL server) services running, export the data to a text file just to be safe. Same goes to any kind of database. In some instances you might get away with just copying the SQL DB over. But why take chances? :p
2. Use Magical Jelly Bean Keyfinder or another product-key retrieval application to retrieve any product keys if necessary.
3. Boot from a Linux Live CD and copy/backup everything over to external HDD/server/whatever.
4. Format. Reinstall. Install antivirus and update. Run Windows Update.
5. Reinstall all applications.
6. Copy data back.
7. Kill the bugger who allowed the trojan to install itself to the server/workstation.

The only comfort is that it cannot spread on its own - but future releases might.

Time to ditch M$ and go Linux :D
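As an added example (not from the Register article, Chun Feng's post, or the forum poster above), here is a small Python script that does the check a practitioner would want before and after `fixmbr`, run from the Linux live CD in step 3 of the procedure above: it reads the 512-byte MBR (from a device path given on the command line, or from constructed sample bytes when run without arguments), verifies the 0x55AA boot signature, parses the four partition-table entries for obviously invalid or overlapping layouts, and compares the SHA-256 of the 440-byte boot-code area against a known-good hash the operator supplies. The "clean" boot code, its hash, and the "infected" variant in the script are constructed for illustration only; a real reference hash would come from a known-clean machine or from the exact MBR bytes your recovery tool writes.

```python
#!/usr/bin/env python3
"""Inspect a 512-byte MBR image for bootkit-style tampering.

Added example, not code from the Register article, Microsoft, or the forum post.
Assumption: the operator has a SHA-256 of the known-good boot-code area
(bytes 0..439 of the MBR).  The sample boot code below is CONSTRUCTED filler,
not a real Windows MBR.
"""
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # boot code occupies bytes 0..439
DISK_SIG_OFF = 440       # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"   # must be the last two bytes of the sector

# Constructed "known-good" boot code: a few plausible opening bytes, then NOPs.
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) \
    + b"\x90" * (BOOT_CODE_LEN - 8)
# Constructed "infected" variant: the first bytes replaced by a far jump, the
# kind of patch a bootkit uses to run its own code before the real loader.
INFECTED_BOOT_CODE = b"\xEA\x00\x7C\x00\x00" + CLEAN_BOOT_CODE[5:]
# The reference hash an operator would have recorded from a clean machine.
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()


def build_sample_mbr(boot_code, disk_sig=0x1234ABCD, partitions=None):
    """Assemble a full 512-byte MBR from parts (constructed sample input).

    partitions: list of (status, type, lba_start, sector_count); default is a
    single active NTFS-typed (0x07) partition starting at LBA 2048.
    """
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    entries = partitions or [(0x80, 0x07, 2048, 0x1000000)]
    table = b""
    for status, ptype, lba, count in entries:
        # status, CHS start (ignored), type, CHS end (ignored), LBA start, count
        table += struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    table += b"\x00" * (16 * (4 - len(entries)))
    return boot_code + struct.pack("<IH", disk_sig, 0) + table + BOOT_SIG


def parse_mbr(mbr):
    """Split an MBR into boot-code hash, disk signature, and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    (disk_sig,) = struct.unpack_from("<I", mbr, DISK_SIG_OFF)
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": disk_sig,
        "boot_signature_ok": mbr[510:512] == BOOT_SIG,
        "partitions": parts,
    }


def check_mbr(mbr, known_good_boot_code_sha256):
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(mbr)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_boot_code_sha256:
        findings.append("boot code does not match known-good hash "
                        "(possible bootkit; rewrite the MBR with fixmbr)")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append("%d active partitions (expected exactly 1)" % len(active))
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02x"
                            % (p["index"], p["status"]))
    # Overlapping LBA ranges are a classic sign of a hand-edited table.
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                    for p in info["partitions"])
    for (s1, e1, i1), (s2, e2, i2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append("partitions %d and %d overlap" % (i1, i2))
    return findings


def read_mbr(path):
    """Read the first sector of a block device or image, e.g. /dev/sda."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use from a live CD: python3 mbr_check.py /dev/sda <known-good-sha256>
        reference = sys.argv[2] if len(sys.argv) > 2 else KNOWN_GOOD_SHA256
        result = check_mbr(read_mbr(sys.argv[1]), reference)
    else:
        result = check_mbr(build_sample_mbr(INFECTED_BOOT_CODE), KNOWN_GOOD_SHA256)
    print("\n".join(result) if result else "MBR looks consistent with reference")
```

Run it once against the infected sample to see the boot-code mismatch, then against the clean sample to see a silent pass; on a real machine, run it from the live CD before `fixmbr` to confirm the MBR is the problem, and again after the rebuild to confirm the boot code now matches your reference. A matching hash only tells you the first sector is clean; it says nothing about the rest of the disk, which is why the thread's advice to format and reinstall still stands.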
 