back to article MS advises drastic measures to fight hellish Trojan

Microsoft is advising users to roll-back Windows if they happen to be unfortunate enough to get hit by a particularly vicious rootkit. The Popureb Trojan sticks its tendrils so deep into the operating system that the best option is to nuke from orbit return machines to their pre-infected state and change the Master Boot Record …

COMMENTS

This topic is closed for new posts.
  1. Alain Moran
    FAIL

    Master Book Record?

    Erm...

  2. Anonymous Coward
    Facepalm

    Shome mishtake shurely?

    s/book/boot/g

  3. John Savard Silver badge

    Master Boot Record

    Fixing the master boot record and then re-installing Windows would not necessarily erase all data on the computer, although with a fresh registry you would have to re-install all applications. If data files are also lost, which could well happen in some cases, that would be because of limitations of the recovery CD that came with the computer.

    1. banjomike
      Stop

      Sometimes ...

      Quote from Technet

      "Note: Care must be used since certain viruses overwrite the sector between the MBR and the boot sector, redirecting boot to a secondary location. If this has occurred, replacing the MBR can cause permanent loss of the partition information. When unable to boot from a drive always use a virus scanner prior to using the FixMBR command."

      1. Anonymous Coward
        FAIL

        Do you know why they say this?

        If you are going to quote a source , you have to understand why they say this. Just throwing crap out there isn't going to help anyone.

        Microsoft won't bash 3rd party developers and some 3rd party partitioning software didn't really partition the drives correctly and would store info in the MBR as a work around. GoBack a horrible backup system would also write info to the MBR.

        Since you cannot tell either one of these are on the computer from a recovery console and if you overwrite the MBR you will screw up your hard drive, that is why they have that warning. If cannot boot and need the data and are scared to run the MBR then just put the hard drive as a slave in another computer and pull the data.

        Just because you see something written down doesn't mean you understand what it is saying. Maybe if you aren't sure you shouldn't post.

    2. JaimieV

      "Use a recovery CD to restore your system to a pre-infected state"

      You're correct, but MS are clearly advocating scorched earth policy here.

      All recovery CD/DVD/partitions offer a blitz and reinstall, a few offer "repair". If the infection is as bad as it sounds, then fixmbr and blitz would work, while repair certainly wouldn't.

      And kudos to the Windows security model once again. Slow clap.

  4. Xander
    Unhappy

    Come on

    It's really hard for a tech website to maintain it's credibility when it's journo's don't even know what the MBR is.

    Hint: It's what'll be used to kick you out the door.

    1. Nigel 11
      Boffin

      LInux to the rescue

      If the user's data wasn't properly backed up in such a situation I'd reach for a Linux rescue CD such as RIP (Recovery Is Possible) Linux.

      Boot. Mount the NTFS partitions readonly. Connect to a network share or plug in a USB drive. Copy the user's files. Finally nuke the disk by writing /dev/zero to the whole shebang, MBR and all before doing a Windows reinstall or restoring a disk image.

      However devious a root kit, it can pose absolutely no threat to a Linux-based rescue system resident in RAM, because nothing on the compromised disk ever gets executed by the rescue system.

      1. Tom Chiverton 1
        Black Helicopters

        Cough

        "However devious a root kit, it can pose absolutely no threat to a Linux-based rescue system resident in RAM"

        You should look at what you can store in the Flash-able ROM's of network cards these days, which have read/write access over the PCI bus to everywhere...

  5. LDS Silver badge

    Master *Book* Record?

    Guess spell checker got in the way...

  6. Anonymous Coward
    FAIL

    Erm...

    A Master Book Record? Can I get one from the library?

  7. Captain Underpants
    Joke

    Ah, the Master Book Record

    Clearly the most important book/record of 'em all! (Delete as appropriate for local book/vinyl preferences)

  8. teknopaul Silver badge

    wot no recover

    replacing the mbr is not that redical surely?

    1. Anonymous Coward
      Boffin

      Hmmm, let me think

      Who to believe on this one? Numbnuts commentard or the OS author?

      Answers on a postcard to the usual address.

    2. This post has been deleted by a moderator

    3. Anonymous Coward
      Anonymous Coward

      Only if you can get past

      the MCP.

  9. Locky Silver badge
    Holmes

    Don't worry John

    I'm sure the readers of the site will not point and laugh at the number of references to your Master Book Record.

    After all, the we're known for our sympathetic outlook at people making mistakes

    ....

    Oh

    1. Sarah Bee (Written by Reg staff)

      Re: Don't worry John

      Fixed now.

      It's truly staggering how much lollage you lot get out of typos. It's like jingling keys in front of a baby...

      1. This post has been deleted by a moderator

      2. This post has been deleted by a moderator

      3. Anonymous Coward
        Happy

        keys, what keys

        I heard keys? Where? Where?

  10. banjomike
    Stop

    Make a Recovery Disc

    Having just had to show a neighbour how to make a Recovery CD I thought I would just mention that the option is in:

    <Control Panel><Backup and Restore>.

    Load a blank CD and let it get on with it. Label it (the program tells you what to write). Add the date (the program does NOT tell you that).

    Keep it safe. Make a new one every few months or if you change partition sizes.

  11. lansalot
    Unhappy

    Well

    If it's that bad, I think it becomes MS to provide a bootable ISO/USB that will fix it in a one-er, without the need to reinstall everything.

    Ker-ching for those fixing PCs as homers in the meantime!

  12. Robert Carnegie Silver badge

    Got a backup?

    If you have a back up of a clean MBR then you should be able to use that, and also restore the Windows partiition to a previous clean state. A Linux live CD with partimage provided will do it, for instance - although partimage didn't seem to be getting updated when I looked !ast. Fiddly, too.

    I wonder what happens if you've got GPT. There is an MBR but it's a dummy copy, and your GPT might be untouched. You won't get anywhere with partimage, though.

  13. nichomach
    FAIL

    Next, John Leyden

    exclusively covers the Olympic Torch virus.

    1. John Smith 19 Gold badge
      Thumb Up

      @banjomike

      "Keep it safe. Make a new one every few months or if you change partition sizes."

      I'd say whenever you install a new application *outside* of backing up your data folders regularly of course.

    2. Anonymous Coward
      Anonymous Coward

      GPT

      As I understand it, with GPT, the MBR isn't really a dummy, rather it points to the GPT. If you remove the MBR with a GPT partitioning scheme, it will still knacker the GPT, unless the MBR is replaced with a replacement which points to the GPT.

      1. Robert Carnegie Silver badge

        MBR and GPT

        Besides more than enough multiple partitions (which according to documentation Microsoft seems to want to exhaust anyway), the notable driver of GPT adoption is MBR failing to describe hard drives above 2.19 terabytes (2 TiB minus 1 sector) in size, although it may be possible to cheat.

        If I correctly understand the situation after reading Wikipedia's GPT article, the drive boot sector or MBR that exists on a GPT disk mainly may contain two things: some of the system boot executable code (probably requiring EFI/UEFI "BIOS" to work), and an partition table that says, "All of this disk is used by one partition type that your partition tool doesn't know about. Leave it alone." The size of that partition will be ~2 TiB or the actual disk size, whichever is less. GPT or dual tools will (maybe) recognise this special MBR and (probably*) ignore it, going straight to the GPT starting on the next sector. MBR tools will probably balk in a way that reminds you that you should use a GPT tool instead. So in that way, the MBR points to the GPT, but only by being a special recognisable non-valid MBR.

        I've just viewed http://wiki.onmac.net/index.php/Triple_Boot_via_BootCamp#Disk_Partitions_and_their_Limitations

        which appears to describe successfully fiddling with this arrangement to get both a GPT and an MBR that accurately represent working hard disk partitions, but presumably below the 2 TiB limit.

        As for Linux-based backup of a GPT Windows installation, here may be where we favour ntfsclone or even dd over partimage, at least, and also separately back up the GPT. partimage scores for me a bit by having compressing and file-splitting your backup built-in instead of apparently requiring a pipeline of statements, as well as grabbing the MBR with no effort (although with so-slow bzip2 compression this is buggy). I reckon that a backup compressed file segment size of 315 MB benefits by packing nicely, if necessary, onto CDs as well as DVDs, which probably makes me a genius in 2005, maybe not now.

        I haven't seen it, but, as I say, I gather that Windows sprinkles a baffling selection of strange, tiny, vital partitions onto your GPT disk. As for dd, it'll back up the empty space on your disk, so a Windows procedure or program that fills that empty space with nicely compressible zeroes or something similar before a backup attempt is a good idea.

        * Since the false MBR is part of the GPT specification, a smart GPT tool may offer to fix the MBR contents if they're not present and correct.

  14. Tasogare

    Huh.

    It's not directly related, but I seem to remember that about fifteen years back BIOSes had an option to prevent a disk's MBR from being modified. It was a virus fighting measure or somesuch.

    I may be wrong -- that dates back to when I was first learning to use computers. But I'm curious if anyone else here remembers what it was about and why manufacturers stopped including the option.

  15. Why Me
    FAIL

    FOTW

    WTF

  16. Uncle Slacky Silver badge
    Linux

    Obligatory "Linux is better" post

    As per title...

    1. TeeCee Gold badge
      Thumb Up

      Re: Huh.

      Actually most BIOSes still do this, the one on my MSI mainboard does and it is set. Does what it says on the tin, when enabled anything trying to write to the primary disk's boot sector gets told to sod off by the hardware.

    2. Frumious Bandersnatch Silver badge
      Linux

      not necessarily

      If I understand this correctly, there's no reason to assume linux is any more secure here.

      Let's start with there being an infected MBR and this gets run before the operating system. In the old days of boot sector/MBR viruses, the virus would allocate some memory for itself using the BIOS, then patch in some entries into the interrupt table, say int 13h, which does low-level disk I/O. The classic sneaky viruses would intercept calls to access the disk and if it was already infected it would return a "cleaned" version so that virus scanners couldn't detect it (hence the need to boot off clean floppies if you wanted to be sure the scanner was working). If the disk (or file) wasn't infected, the virus would usually take that opportunity to do so at the time it's being accessed. The DIR-II virus worked quite like that.

      Fast forward to more modern OSs and some things have changed, but not everything. In general, once linux has booted up, it doesn't use the BIOS for anything any more, so even if an MBR virus did manage to install itself before the OS, it would be stranded since int 13H would never get called and the virus would never execute. Apparently (from a quick search) windows still does use the BIOS for disk I/O, so maybe you'd chalk that up as a "linux is better" point. Actually, it's no reason to celebrate just yet... because Linux does use the BIOS at one key stage--when it's booting up, ie loading the kernel.

      So actually, if you wrote an MBR virus that was aware of modern operating systems, you could actually hook into the BIOS entries for disk access and when Linux is booting the kernel you return an infected version on the fly. So in theory at least, neither OS is better on this score.

      1. Charles Manning

        But you miss something

        "So actually, if you wrote an MBR virus that was aware of modern operating systems, you could actually hook into the BIOS entries for disk access and when Linux is booting the kernel you return an infected version on the fly."

        That would require the virus load up a whole kernel and make sure that works with the modules in your rootfs. Theoretically possible, but hugely challenging.

        The cop out clause is that if the virus loads a complete kernel then you can hardly say it is "running Linux".

  17. Anonymous Coward
    WTF?

    You don't loose you data.

    WTF!,

    Back up your data and then reinstall after running the fixmbr.

    If you cannot boot into Windows and your are infected then boot off the Windows CD into the recovery console then run the fixmbr command. Then do a parallel install of Windows to another directory and pull your data off.

    The person who wrote this article and most of the comments are plain wrong. You never have to loose your data. It is always better to make a backup, but if there isn't one then you still have options.

  18. Mechman
    WTF?

    ...recovery

    Since when is using the recovery "restoring to a pre-infected state" mean reinstalling? Using the repair function from the recovery disc fixes it without wiping all your data. I've done it half a dozen times on my personal machines, and I've never lost anything more than a couple days worth of program installs.

  19. Destroy All Monsters Silver badge
    Facepalm

    "users shall reinstall Windows"

    Now, where is the install DVD .... oh wait ...

    WAY TO GO MICROSOFT.

    1. Anonymous Coward
      Paris Hilton

      If you don't have your install DVD that is yoru fault.

      Microsoft, makes the operating system. The company who built your computer has chosen not to include a install DVD. This has nothing to do with Microsoft. If you are going to bitch and I think you should then direct it to the right party.

      Paris - because she always knows what party to go to be a bitch.

      1. Anteaus

        Not sure what Trading Standards thinks...

        "Microsoft makes the operating system. The company who built your computer has chosen not to include a install DVD. "

        Except, the buyer is not told that they are getting a functionality-limited copy of Windows with their new computer. Everything on the computer suggests thay are being supplied with the full product. If that isn't misrepresentation, then I dunno what is.

        Maybe there should be a requirement for such versions to include the legend "OEM" on the splash screen, along with the wording, "One-time preinstall" or suchlike. Then, at least the nontech buyer would not be misled into thinking they have a full, reinstallable copy.

        IMHO it is also steering very close to misrepresentation to describe an install as "Microsoft Windows" when it has a million items of trialware embedded into the OEM image, and no way is provided of actually installing Windows alone, minus junk.

        Parallel example, can I mix Grouse, water and lemonade with Talisker, and sell that as Talisker (with bundled add-ons) -and also fail to provide a stopper for the bottle? I think that would soon get me in trouble, would it not?

        Fundamental question; at what extent of adulteration does a brandname cease to legitimately apply to a product?

        1. The Alpha Klutz

          "I think that would soon get me in trouble, would it not?"

          Probably not. The fine folks at trading standards will just sit on their thumbs. Which is easy for them because they have 5 on each hand.

        2. Tom 13

          If they don't include the DVD with the PC,

          they [b]do[/b] include an ISO, along with instructions to make one from the ISO after you finish the initial registration. Still your own FAIL for not having one.

      2. Old Handle

        IS M$ blameless in this?

        I'm not convinced M$ doesn't have a hand in this. Clearly it's against Microsoft's interests to have alot of Windows install CDs floating around. That might give people the idea that they could *gasp* buy a computer without an OS and install from Windows CD they already have. (Perfectly legal if the last computer it was used on has been retired.) And considering they pull enough weight with hardware manufactures to dictate details as trivial as having Windows Logo slightly inset on the keyboard, I think it's a pretty safe bet that they have a say in exactly how Windows is distributed with a new computer.

        1. Goat Jam
          Headmaster

          Perfectly Legal?

          Well, yes, maybe, or maybe not.

          It is certainly written in the Windows OEM eula that you are NOT permitted to reinstall the preinstalled copy windows on any other hardware. It is expressly forbidden.

          Whether that is enforceable if anyone were to challenge it in court is another matter.

          I don't believe this has ever happened so at this point the best we can say it is a legal grey area.

        2. Peter Gathercole Silver badge

          @Old Handle

          "(Perfectly legal if the last computer it was used on has been retired.)"

          This really depends on the type of Windows licence provided with the old computer. If it's a full retail version, you are completely correct. If it's an OEM version, then the licence restricts you to the system that it was purchased on, and some OEM licence keys cannot be used for hardware from a different manufacturer (the installation process can check the BIOS identification string to check that the machine was made by the manufacturer who bought the OEM license).

          MS will sometimes grant an activation string if you have to replace the motherboard as a result of a system failure, but I've found that recovery CDs in this scenario do not always work with different motherboards, at least for systems from large suppliers who use custom BIOSes. Simple answer is, if you can get a copy of a retail disk, guard it like it is gold.

          I recently found this out when trying to license XP for a VirtualBox on my laptop, which runs Ubuntu (VirtualBox loads a specific BIOS in the VM which is completely unrelated to the actual system BIOS). I could not get it to accept the IBM OEM WinXP Pro key printed on the COA on the bottom of the machine until I cloned the BIOS identification strings in VirtualBox.

          Of course, to a system integrator, providing a full retail licence will cost either them or their customer a lot more money than the heavily discounted OEM licence that Microsoft will sell them. This would put the supplier at a significant competitive disadvantage (I believe in the UK it is in the order of £50 per system) to their competitors who just use OEM licences, and as a side effect, ties them almost irrevocably to Microsoft, who will threaten to withdraw the OEM licence if they do anything that Microsoft don't like (like pre-installing Netscape Navigator or Lotus Notes/Symphony [old Symphony, not current], or shippping systems without an OS, or even with Linux pre-installed).

          And of course, this also means that MS have a continual revenue stream as people replace their PC, and MS counts another Windows sale, even if it is an OEM one.

      3. Destroy All Monsters Silver badge
        Pint

        "nothing to do with Microsoft"

        It's actually unfortunate I can't even make fun with that.

    2. Anonymous Coward
      Coat

      You lose your sanity instead

      Or at least the part of the brain that makes it possible to distinguish between two very similar words with the only difference being the absence of a double 'o'.

      Sorry, I'll show myself out.

  20. Anonymous Coward
    Anonymous Coward

    Ubunty on CD

    Last time I needed to "recover" a windows installation that would no longer start, I used one of the Ubuntu live CDs to start the machine connect to a network and transfer all data off the hard disk before wiping the system.

  21. a53
    Pint

    Er

    Now, for all those who recently were comparing Windows to Apple, which is the equivalent attack for us OSX users to have to worry about? Oh that's right, there isn't one!

    1. phlashbios
      FAIL

      @a53

      Yet....

      You seem to have missed that word off the end of your statement. Oh, I am forgetting, OSX is invulnerable isn't it.

      1. Stuart Duel
        FAIL

        And yet...

        It has been over 10 years since OS X was launched and we are YET to see a real, self replicating in-the-wild (not theoretical, proof of concept in-the-lab) virus.

        Who is the failure again?

  22. Mage Silver badge
    Alert

    More important questions

    How common is this root kit?

    Does Gmer detect it?

    What is the likely infection vector (Autorun, javascript, vulnerable application or what)?

    1. Charles 9 Silver badge

      Answers

      It's new, so its infection rate can't be measured accurately.

      Detecting it is a moot point since you can't remove it while it's online. Though I have to wonder if the hook can't itself be unhooked or otherwise mitigated so it can't alter the commands.

      As for vector, that's up to the people who use the malware. It's classed as a Trojan, so we can expect the usual avenues for a trojan, from programs to drive-bys.

      Anyway, I would suspect that the next step for these malware authors would be to go back to another classic MBR technique (Stoning) and booby-trap the MBR so that tools like fixmbr won't work anymore (perhaps by encrypting the partition table and preventing it from being restored). Then it probably really WILL be nuke-from-orbit time since an encrypted partition table will make it exceedingly difficult for recovery programs to figure out what it's trying to restore.

    2. .thalamus

      TDSSKiller

      Kasperskys TDSSKiller will detect and get rid of it apparently.

      http://www.dshield.org/diary.html?storyid=11146

  23. Hi, I'm Bob!

    Kill it with fire

    Trojans of unusual size^w horror.

  24. J. Cook Silver badge
    Go

    M$ finally gets the clue...

    I've been doing this since some of the nastier trojans and rootkits came out a good three-four years ago. Image the machine using Ghost or TrueImage to backup the data files and apps, Nuke and rebuild the machine, and copy back the files from the image backup.

    In all honesty, it's usually faster and a sure bet that you've fixed the problem for most cases. It does require the owner of the machine to have at least product keys and media if it's something that is not a download from the 'net, but in this instance, it's a commercial shop, and that's something that was usually required anyhow.

    There are instances where this would not be a good idea, such as if there is a huge amount of crap on the machine that would take a day and a half to reload, or servers, or other circumstances.

    1. Goat Jam

      Image the machine with Ghost

      Does ghost not copy the boot sector? I don't use it myself but I thought it did a lowlevel bitcopy?

      If so, wouldn't you be just copying the rootkit as well?

      1. Dave Lawton

        Re: Image the machine with Ghost

        Yes, & Yes.

        Yes.

        Having used Ghost to produce an image, then on a different machine, use Ghost Explorer to extract the data files you forgot to back up.

        HTH

  25. Anonymous Coward
    Coat

    I don't understand

    How is it even possible that the operating system (if it is written properly) would allow ANYONE to write crap to the MBR?.

    going now....

  26. Anonymous Coward
    Anonymous Coward

    Oh noes!

    Another nasty virus for PCs.

    ...meanwhile everyone else can just point and laugh!

  27. Anonymous Coward
    Anonymous Coward

    Re. Windows preinstalls

    This is especially nasty on some newer machines where the Windows rebuild partition resides on the hard disk, as even if you restore that the MBR typically gets left alone.

    End result is a nice new install with preinstalled rootkit, and no antivirus at all.

    Even worse, the first thing the latest malware does is unblocks Autorun so it ends up infecting the external hard disk etc with all the user's files on it.

    This was done to avoid the need for restore disks and save the manufacturers money, its about one step ahead of those systems that ask you to "create a restore set" that promptly fails when you really need them.

    Maybe there is a market for an antivirus pendrive, that can not only back up the user files but can also restore the original MBR for the various flavours of Windows so that the malware can't load.

    AC/DC

  28. Dropper
    Mushroom

    Nope

    Safer just to shoot your pc then set it on fire. Always have two or three spare PCs, you never know when you'll need to burn one to the ground.

  29. Anonymous Coward
    Linux

    "allow ANYONE to write crap to the MBR?"

    Indeed so. What kind of iriot downvotes a perfectly fair question like that ? One with my kind of mouse skillz, maybe? Anyway...

    I have a vague recollection that at some time in the last fifteen years or so one of the half dozen AV packages I've used (on NT-derived OSes) was able to detect writes to the MBR and ask for confirmation before continuing. Something along the lines of:

    "Virus-like activity detected, attempting to update MBR. If you are not repartitioning please click Cancel, and run a full virus scan in Safe Mode" [or something like that]

    I guess expecting people to know that they were repartitioning their disk was a bit much.

  30. Anonymous Coward
    Anonymous Coward

    FixMBR and loss of data

    I assume the author has not had to fix an infected PC and is just believing the manual. (Or is a secret Apple-Linux man)

    This would be easy to fix if you have a second PC. Just pull the drive, whack it in that PC, then fixmbr in there. Backup and clean infection while you are at it.

    Even their suggested fix using the Vista\Win7 boot disk and fixmbr will not loose files in the majority of cases. (Have done this myself many times)

    Or, as being mentioned a lot here, using Unbuntu will also get you there. (I use an external USB drive to backup to instead of the network)

    Backup is just as simple using the above methods. (And who seriously tries to fix an infected PC without doing a backup first?)

    I am expecting that ac@16:04 is on the money here. FixMBR will work fine on any "normal" PCs. But those with strange, non-standard setups with old partition layouts will be in trouble. (And GoBack is just evil...)

  31. b166er

    It would help

    if you mentioned the ATTACK VECTOR for chrissakes!

    The lollage, Sarah, is the basic lack of attention to detail in some of Reg's articles, you ARE journalists aren't you?

    It's a requirement of being in the OEM programme, that you provide a recovery option. The physical disk is not required. Press F11 during boot and attend to the MBR, then restore the factory OS from the recovery partition.

  32. R 16

    ADDITION TO THE STORY!

    You said:

    Any files that aren't backed up will be lost in the process.

    I say:

    If you are restoring files that were backed up every so often. Pray you don't backup the virus. I mean, it got past you once Pele (soccer)

  33. DF118

    Programs and data

    Ah, Microsoft, you are your own worst enemy. Why do you still insist on forcing your users to have the OS, programs and data all on one big partition?

    1. Robert Carnegie Silver badge

      Not exactly forced... but

      My latest PC came with MBR partitioned disk containing Windows 7 "system partition" (which boots the PC), "boot partition" (which contains the operating system) that was nearly all of the hard disk, recovery partition, and EFI diagnostics. Four partitions is as many as you're allowed in MBR, and you can't update-in-place to GPT.

      I discovered that I could download an updated EFI diagnostic program and install and use it on SD card, so I killed the EFI partition (now dead space, fairly small), shrank the Windows volume, and created a new partition for data.

      While we're discussing it, putting a large swap file and (compulsorily if used) large hibernation file on the operating system volume, makes it that much harder to back up the volume for an all-or-nothing restore.

      1. DF118
        Pint

        Indeed

        My gripe is mainly the fact that the %HOMEPATH% environment variable (in the case of XP: "c:\Documents and Settings\<User>") is not easily configurable. Fair enough, you can move your My Documents or whatever, but what about all your application settings, add-ins etc? You can get around this using some Microsoft enterprise distribution tools, or for consumers there is nLite which allows you to specify a different home path, but last time I checked that was not a function of vLite (the Vista-oriented successor to nLite which also works with W7) and if you want to use a different partition (or indeed physical drive) for your data, you're pretty much stuck with doing a half-job and moving all the preset file storage directories to where you want them (but leaving everything else under C:\User) or attempting to implement some frankly scary kludge with the repair console and building in NTFS junction points where the OS expects to find all its pretty little folders.

        Not nice.

        Re: backing up for an all-or-nothing restore - if you're stuck with a swap and hiberfil on your system partition, UBCD4Win combined with DriveImageXML can be handy in that you can delete these hulking great files and create a backup image while the system is offline.

  34. Rich 3
    Pint

    Just reinstall

    I'd advise exposing your machine to chlorine trifluoride for at least 5 hours. Only way to ensure true sterility.

    1. Ru
      Flame

      Congratulations

      I think you win a prize for the Alarming Chemical of the Week.

  35. Anonymous Coward
    Anonymous Coward

    PC Kindergarten

    But first, we'll do PC Playschool... try to keep your data on a different disk.

    Now back to the kindergarten. Drive-Image XML. It is free and it works.

    So, (as they say on the internet)... You boot into Windows from a CD and use Drive-Image XML to restore the C-drive image you made to another/external disk.

    What? You're telling me that MS no longer allow booting to a working system from an installation CD? Bastards. That's why you need to have made a Bart-PE boot disk.

    Really, this is computing for six year olds.

    Even if a complete reformat/install should turn out to be necessary, you still do the above to restore your entire environment, loaded programs, etc etc etc.

    Is there a pro here that doesn't know about imaging, for goodness sake?

  36. ColonelClaw

    Techy people help me

    If it's possible to infect the MBR, then why isn't it possible to clean it, and restore it to it's previous working state? Can someone techy please explain.

    1. Anteaus
      Holmes

      @ColonelClaw

      It is possible to do an MBR repair if you have a proper Windows disc. But, most computers come minus that one vital item. That is the problem, and it's basically down to penny-pinching rather than any technical reason.

  37. Anonymous Coward
    WTF?

    He doesn't say reinstall from scratch

    He says fix the MBR then roll back to a previous save point with System Restore, which is the obvious and sensible thing to do. Where did anyone get the idea that MS is telling people to reinstall from scratch?

  38. Socrates
    FAIL

    Complete nonsense - check your facts next time

    "...applying a Master Boot Record fix before using a recovery disc is going to strip infected systems of both installed applications and associated data."

    What complete and total nonsense! Maybe the author should read the Wikipedia article (http://en.wikipedia.org/wiki/Master_boot_record) next time before writing fiction like this.

    To be precise, the FixMbr command overrides the MBR *code* in bytes 0 to 440, and not the partition table information at offset 01BE as the author incorrectly assumes.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019