Rootkit infection requires Windows reinstall, says Microsoft

Discussion in 'malware problems & news' started by ronjor, Jun 27, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The article seriously exaggerates it. Microsoft never said a full reinstall was even necessary.

Are you positive that it is removed? It seems that at least fixing the MBR would be necessary.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,926
    Location:
    Texas
  3. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Thanks for the update Ron! ;)

    TH
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
Figures -- the article made it sound scary, but Microsoft only ever said to repair the Boot Manager.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    News articles always exaggerate in order to attract attention.
     
  6. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
  7. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
  10. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Thanks Erik! :thumb:

    TH
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Well done to both Marco Giuliani (EraserHW) :thumb: & erikloman :thumb: for providing solutions that do NOT require a Full install etc :)

    So it's ROT 73 is it :D Makes a change from ROT 13 :D
     
  12. FlimFlam

    FlimFlam Registered Member

    Joined:
    May 23, 2011
    Posts:
    42
    Easy to clean offline.
    (Windows XP Pro SP3 test box)
     
  13. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    What are some examples of a non-standard MBR that may result in a PC not booting if a standard MBR is used to replace a non-standard MBR?

    Does the standard MBR used by the new beta of Hitman Pro work for all recent versions of Windows (XP, XP Pro, Vista 32 bit, Vista 64 bit, 7 32 bit, 7 64 bit)?

    Thanks in Advance.
     
  14. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
Also, to add to what TheKid7 said, how about dual boot or triple boot?

    TH
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
If you had a custom bootloader (like Acronis) you must reinstall that using Acronis.

    The standard MBR that is being written by Hitman Pro uses the standard MBR code from XP, Vista and Win7 (the x86 and x64 versions write the same MBR).

    Hitman Pro has all those MBRs on board. It takes the partition table information from the infected MBR and merges that with the standard MBR. This way the partition table is kept intact and all your partitions are accessible.

    What might cause trouble is if you run software like Sophos SafeGuard or other full disk encryption software. The MBR of this kind of software contains code to decrypt the disk. Overwriting the MBR with a standard MBR will result in a non-booting computer, as the sectors of the disk are encrypted.

    To sum things up: Hitman Pro does the same thing as fixmbr. But it does so by writing around the Popureb hooks so that you can replace the MBR from within Windows. Also, Hitman Pro protects the MBR once it has been written until reboot. This is to counteract watchdogs that might re-write the infected MBR.

    I hope I make sense. Please feel free to ask additional questions.

    @Triple Helix thanks for pointing out the post.
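The merge erikloman describes above (standard boot code plus the partition table carried over from the infected sector), as an added worked example that is not Hitman Pro's code and not from the original post. It relies only on the documented MBR layout: bytes 0-439 are x86 boot code, bytes 440-445 hold the NT disk signature and two reserved bytes, the four 16-byte partition entries start at offset 0x1BE, and the sector ends with the 0x55AA signature. The "clean" and "infected" boot code below are constructed placeholders, not real Windows or Popureb bytes, and the known-good hash allowlist is an assumption standing in for the MBR copies a tool would ship with. A boot code that is not on the allowlist is flagged for repair, which is exactly where the caveats in the post apply: a legitimate custom loader (Acronis, OEM recovery, full-disk encryption) also fails that check and must not be blindly overwritten.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: x86 boot code (the part a bootkit replaces)
DISK_SIG_OFF = 0x1B8          # 4-byte NT disk signature + 2 reserved bytes (kept on repair)
PART_TABLE_OFF = 0x1BE        # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE         # 0x55AA boot signature
BOOT_SIGNATURE = b"\x55\xAA"


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries as dicts; raises on a malformed sector."""
    if len(mbr) != MBR_SIZE or mbr[SIGNATURE_OFF:] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector (wrong length or missing 0x55AA)")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code region only; the partition table is per-machine and must not be hashed."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def needs_repair(mbr: bytes, known_good_hashes: set) -> bool:
    """True when the boot code is not one of the known standard MBRs.

    Note: a legitimate custom loader (Acronis, OEM recovery menu, full-disk
    encryption) also returns True here, so a caller must confirm before writing."""
    parse_partition_table(mbr)  # validates length and signature
    return boot_code_hash(mbr) not in known_good_hashes


def repair_mbr(infected: bytes, standard_boot_code: bytes) -> bytes:
    """Build the replacement sector: standard boot code + everything after byte 439
    (disk signature, partition table, 0x55AA) copied verbatim from the infected sector."""
    if len(standard_boot_code) != BOOT_CODE_LEN:
        raise ValueError("standard boot code must be exactly %d bytes" % BOOT_CODE_LEN)
    original_table = parse_partition_table(infected)
    repaired = standard_boot_code + infected[BOOT_CODE_LEN:]
    # Self-check: the merge must leave every partition entry exactly as it was.
    if parse_partition_table(repaired) != original_table:
        raise RuntimeError("partition table changed during merge")
    return repaired


# ---- constructed sample data (assumption: not real Windows or Popureb bytes) ----
def build_sample_mbr(boot_code: bytes) -> bytes:
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    # entry 0: active (0x80) NTFS (0x07) partition at LBA 2048, 1,000,000 sectors
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry0 + b"\x00" * 48
    return boot_code + disk_sig + table + BOOT_SIGNATURE


# placeholder "standard" code: cli / xor ax,ax / mov ss,ax then NOP padding (constructed)
CLEAN_BOOT_CODE = (b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * BOOT_CODE_LEN)[:BOOT_CODE_LEN]
# placeholder "bootkit" code: jmp $ then INT3 padding (constructed)
INFECTED_BOOT_CODE = (b"\xEB\xFE" + b"\xCC" * BOOT_CODE_LEN)[:BOOT_CODE_LEN]

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
INFECTED_MBR = build_sample_mbr(INFECTED_BOOT_CODE)
KNOWN_GOOD_HASHES = {boot_code_hash(CLEAN_MBR)}   # assumption: stands in for a shipped allowlist


def demo() -> bytes:
    """Run the check-then-repair flow on the constructed infected sector and return the result."""
    if not needs_repair(INFECTED_MBR, KNOWN_GOOD_HASHES):
        raise RuntimeError("sample infected MBR unexpectedly matched a known-good hash")
    return repair_mbr(INFECTED_MBR, CLEAN_BOOT_CODE)


if __name__ == "__main__":
    fixed = demo()
    print("repaired boot code known-good:", not needs_repair(fixed, KNOWN_GOOD_HASHES))
    print("partition 0 after repair:", parse_partition_table(fixed)[0])
```

The sector bytes from offset 440 onward are copied as a unit on purpose: Vista and 7 locate the boot volume through the disk signature recorded in the BCD, so a repair that preserved only the partition entries and zeroed that signature would still leave the machine unbootable. Whether the sector actually reaches the disk on a live Popureb-infected system is the separate problem the post mentions (hooked write paths and a watchdog); this example stops at producing the correct bytes.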
     
  16. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Thank you.

For "typical" store-purchased PCs like Dell, HP, etc., are boot options like "Ctrl F11" (Restore from a hidden partition), diagnostics, etc. affected by replacing the existing MBR with a standard MBR, or is that done separately from the MBR in the BIOS?

On very rare occasions, I help someone with malware removal from their home PCs. My concern is that replacing a "typical" home PC's existing MBR with a standard MBR may make the PC not boot. As a precaution, I would back up any critical files using a Live Linux distro before replacing the MBR.

    Thanks again for your help.
     
  17. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    I did find this article about the Dell's Windows XP Restore Partition:
    http://www.goodells.net/dellrestore/fixes.shtml
     
  18. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    erikloman,

    Will over-writing the MBR with a standard MBR (using Hitman Pro) leave a PC's "Restore from Hidden Partition" boot feature intact (functional) in the newly modified MBR?

    Thank you.
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This depends whether that functionality is implemented on MBR or VBR (Volume Boot Record).

Hitman Pro writes (just as /fixmbr) a standard MBR. You will not lose the restore partition, only the option to choose it at boot.
     
  20. humble3d

    humble3d Registered Member

    Joined:
    Jan 31, 2003
    Posts:
    12
No Reinstall Needed for Trojan Popureb

    Microsoft wants to emphasize that in the case of the complex Trojan:Win32/Popureb.E bug, a full system wipe and reinstall is really "not necessary" as has been suggested by earlier media reports and "play-it-totally-safe" IT security pundits -- some of whom provide background for this blog.

    continued:
    http://mcpmag.com/articles/2011/07/05/no-reinstall-needed-for-trojan-popureb.aspx

    more:
    Microsoft Clarifies Stance on 'Killer Trojan' Removal
    http://www.infopackets.com/news/business/microsoft/2011/20110706_microsoft_clarifies_stance_on_killer_trojan_removal.htm

    :)
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
Yup. Even the original article cites Microsoft saying "reimage", not "reinstall".
     