07-29-2012 03:49 PM
JohnM
I have collected samples, droppers, components etc. for July, including different components for different MD5s if they are different in some way. Some files have the extension removed.
The archive is too large for a single file upload. For whatever reason that has changed.
Quads
JohnM wrote:I believe Quads is referring to some new variants that have appeared recently. They may be new ZeroAccess variants or they might be a different threat altogether, possibly even borrowing some of the code or techniques from ZeroAccess. Rest assured we are investigating, but it would definitely help that effort to get these newer samples submitted to us for investigation. If anyone has access to such samples, please don't hesitate to send me a PM and we can arrange a way for you to get them to us.
Quads, if you happen to have some of the newer samples you can provide please follow the usual method. Your help is much appreciated as always.
Kelly, nice to see you back here, and thanks for acknowledging my post. It's good to know I was of some help. I hope to be of even more help as our work continues.
JohnM
07-29-2012 04:11 PM
Thanks Quads. I just sent you a PM about this.
07-30-2012 08:41 AM
Apostolos wrote:Dickevans,
Thank you for your comments.
If reinstalling from the installation disc is not a 100% solution, as you mentioned, what are the options left?
Throw the pc or deal with a removalist like Quads?
Any alternatives? If there are some, could you please explain in detail? (other than Norton removal tools).
Many thanks.
Best,
Hi, Apostolos. Some things to know about how rootkits/bootkits work:
1. All Windows installations done with "conventional" (IOW "non-EFI" BIOS) use a piece of code embedded in the Master Boot Record (MBR) to start up the machine.
2. Rootkits/Bootkits modify this Boot Code for their own nefarious purposes. If the Boot Code is not properly replaced as part of a reinstall (or a removal process such as Quads performs) - the modified Boot Code will run again each time the machine is rebooted. This starts the whole cycle-of-infection over again from scratch.
3. The way to avoid this is to ensure that the Boot Code is properly replaced as part of a reinstall (or a removal process). If the Boot Code is not replaced - a reinstall is absolutely useless as a means of removing an infection.
4. This is why it is sometimes necessary to do a complete "reinstall from scratch" - to a disk that has been "zero filled" - as a final-resort method of killing a rootkit/bootkit. Completely destroying and then forcing a rebuild of the Partition Table and the MBR is the only sure-fire way to ensure the Master Boot Record is nuked and rebuilt as part of an OS installation.
Things that won't work - unless the MBR is cleared as well:
1. Reinstalling applications.
2. Reinstalling the OS over top of an existing infection.
3. Reinstalling an infected Service File of any kind.
The reason those things won't work is that even if the infection is successfully halted - the code in the MBR will start the cycle-of-infection all over again - and eventually you'll be right back where you started. This is why so many people who don't understand how rootkits/bootkits work end up temporarily removing an infection - only to have it recur shortly after removal.
Thus we have Quads' description of the only effective way to remove a rootkit/bootkit:
1. Find
2. Break
3. Destroy
4. Cleanup
Most people who don't understand the process think that all they have to do is "Find" - and somehow or other the Anti-Malware's removal tools are going to be able to wave a magic wand and things will magically go away. Nope - it doesn't work that way.
Rootkit/bootkit code morphs weekly, sometimes as often as every 3 days. And because undoing a rootkit is a non-trivial process - coding in sufficient "smarts" to automatically uninstall a rootkit/bootkit in a short-enough timeframe to provide an automated fix for the general public is an exercise in FAIL.
Note: This may improve if a lot of time and effort is put into coding and building a rootkit/bootkit eradicator engine - but there is no public evidence for the existence of same.
People who understand they also have to break the infection after they find it fall into the trap of assuming that once they have broken the infection - they're done. Nope - it doesn't work that way either. Rootkit/bootkit infections are "self-healing". That piece of Malware in the MBR jumps to a fixit-routine if it doesn't find an active infection - and thus a "Break" in the infection chain doesn't stay broken.
What is required is to "Break" the infection - and then immediately "Destroy" the fixit-routine - before the "self healing" process can occur/recur. At that point, you've actually removed the infection.
However, it is very common to have "mortal remains" sticking around after removal - such as pieces of the fixit-routine files that are stuck in an Anti-Malware application's quarantine folders. "Cleanup" must occur so that all this trash is properly deleted - and then the Anti-Malware will not trigger on old fixit-routine files left behind as part of the "Destroy" process.
OK, now you understand how an infection can be maintained-in-place and rebuilt-as-required - even after a supposedly-complete reinstallation of the OS. However, there are other ways to pull your butt out of the glue than just a full-pull reinstall. Recovering from a rootkit/bootkit infection is not an automatic sentence to reinstall hell. Please see the following caveats, wrinkles and gotchas...
1. Some things to know about reinstalls from Reinstall Partitions on Laptops:
The Laptop manufacturers are getting smart to the need to replace the MBR Boot Code as part of a complete OS reinstall process. It is now common for the Reinstall option on a Laptop to be a "Nuke-'n-Pave" - such that all existing partitions and the MBR are destroyed and rebuilt as part of the Reinstall process. This is why the Laptop manufacturers warn that you will lose all your data when doing a complete Reinstall-from-Scratch on a modern Laptop.
2. Some things to know about OS Reinstalls from CD/DVD:
There is a routine on the Boot CD/DVD which wipes the MBR code and replaces it with a known-good copy. In Windows, this routine is called FixMBR. IMO, this is the very first task that needs to be done before installing an OS on a machine which had a rootkit/bootkit infection. If the MBR is properly replaced and the disk partition(s) are formatted as part of an OS Reinstall-from-Scratch, the reinstall should be "clean".
3. There is a far better way to recover from a rootkit/bootkit than a "Nuke-'n-Pave". Disk Imaging Software is your friend.
However, all is not sweetness-and-light in the land of Ghost or TrueImage (or whatever). It is not immediately obvious - when using Imaging Software to Restore a known-good backup - whether or not that Restore is going to rebuild the MBR as part of the Restore process. If that MBR does not get properly overwritten with known-good Boot Code as part of the Restore process - then the cycle-of-infection has a way to recur - and thus the infection will "self-heal" and come back to life.
It is vitally important when restoring a known-good backup to a Hard Disk which has been infected by a bootkit/rootkit to ensure the MBR is rebuilt as well. Failing to ensure this part of the Restore process has been selected in the Restore options - is the main reason why people say their "infection" survived a Restore and lived to annoy them even after using the so-called-foolproof Restore-from-Image option.
Hope this helps your understanding.
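Twixt's point that a restore is only "clean" if the MBR boot code was actually rewritten can be checked rather than assumed. The following is an added example (not code from the thread or from any of the tools named in it): it parses a raw 512-byte MBR, validates the 0x55AA signature and partition table, and compares a SHA-256 of the 440-byte bootstrap area against a known-good reference taken from a trusted image. The sample MBRs are constructed inline for demonstration; on a real system you would read sector 0 from the disk instead.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code area, before the 4-byte disk signature
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, disk signature and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_LEN],
            "disk_signature": mbr[440:444],
            "partitions": parts}


def boot_code_matches(mbr: bytes, known_good_sha256: str) -> bool:
    """True if the bootstrap area hashes to the reference taken from a trusted image."""
    return hashlib.sha256(parse_mbr(mbr)["boot_code"]).hexdigest() == known_good_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR (not a real disk image) with one active NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"          # signature + 2 reserved bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return code + disk_sig + entry + b"\x00" * (PART_ENTRY_LEN * 3) + BOOT_SIGNATURE


# Constructed reference: the boot code a trusted image writes (placeholder bytes).
KNOWN_GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
KNOWN_GOOD_HASH = hashlib.sha256(KNOWN_GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()

# Constructed copy whose bootstrap area differs at one offset, as a restore that
# skipped rewriting the MBR would leave behind; the partition table is unchanged.
_altered = bytearray(KNOWN_GOOD_MBR)
_altered[0x10:0x13] = b"\xe9\x00\x01"
ALTERED_MBR = bytes(_altered)

if __name__ == "__main__":
    for name, image in (("known-good", KNOWN_GOOD_MBR), ("altered", ALTERED_MBR)):
        verdict = "matches reference" if boot_code_matches(image, KNOWN_GOOD_HASH) \
            else "differs from reference; rewrite the MBR before trusting this disk"
        print(f"{name}: boot code {verdict}; partitions={parse_mbr(image)['partitions']}")
```

Because the partition table and disk signature are identical in both images, only a comparison of the bootstrap area itself reveals that the second disk was not cleanly rebuilt.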
07-30-2012 12:45 PM
Twixt,
Thanks for taking the time to post your detailed and easy-to-understand explanation of what rootkits do. And more importantly, why they're a bear to remove - even more importantly, why one should not try removing these things without expert malware removal help.
Regards,
Kelly
07-30-2012 12:53 PM
Kelly wrote:Twixt,
Thanks for taking the time to post your detailed and easy-to-understand explanation of what rootkits do. And more importantly, why they're a bear to remove - even more importantly, why one should not try removing these things without expert malware removal help.
Regards,
Kelly
Hi, Kelly. You're welcome. I'm glad that post gave you some clarity as to how, what and why...
07-30-2012 01:27 PM
Twixt,
Many thanks for that detailed explanation.
I'd appreciate a comment on: I use a utility called EasyBCD and I also make images of my hard drive.
1. EasyBCD offers the ability to recreate the MBR/Bootloader.
2. When I restore an image (I normally use a version of Acronis True Image which you can download free from the maker of most hard drives) I seem to remember that one of the options is to restore the MBR or not.
Am I right in thinking that these do offer a way of repairing the MBR in the event of malware having infected it?
07-30-2012 02:36 PM
Trouble is, users, including on this thread, are looking at some infections wrong; it is that simple.
That is why some users who have used NPE (or FixTDSS) with Boot.Tidserv have found that Windows does not load, even though NPE "fixed" the MBR. Because it is not the MBR, although in some cases due to the screw-up the MBR may have to be fixed also. Why do I ask for FRST for more information? To make double sure, and so on.
Users have used FixZeroaccess on ZeroAccess on here for the last few weeks or so and found it doesn't work, or they get a BSOD. Reason: wrong variants. That is why I ask where the detection is located and what the symptoms are, and use logs to confirm what I am looking at.
Users (one especially I remember) tried to do what I do using OTL and Combofix and still failed; they used other scripts and logs that were for another user. Even in my process the tools fail, like Combofix, which is why I change what I am doing and have to do extra scripts and/or logs. All we need is a change in ZeroAccess next week and I have to change. And maybe infect my system also.
That is why users have tried System Restore, which gets stuck or fails, a Windows reinstall, or a reformat, and some of these families / sub-families survive, still infected.
People basically don't understand that people like myself have to keep up with it all, and tools like OTL, Combofix and FRST continually get updated to help us repair systems, including restoring Windows-required objects, from files to the registry.
Quads
07-30-2012 02:46 PM
I noticed this on the Norton site:
For Norton users with a valid Product Key:
If you feel your computer is still infected after you use the Power Eraser Tool, please click here to learn more about how the Norton Bootable Recovery Tool can help get your computer back up and running fast.
Does anyone know anything about the Norton Bootable Recovery Tool?
Thanks!
07-30-2012 02:53 PM
Trouble is, the NBRT can't clean infections like ZeroAccess or Pihar; basically the same as Norton.
But now the NBRT can be used to reverse what NPE has done, though sometimes that doesn't work, like when trying to reverse a Boot.xxxxxx
Quads
07-30-2012 04:09 PM
Here is an old thread: http://community.norton.com/t5/Product-Suggestions
This battle with Tidserv, ZeroAccess, MaxSS, Pihar and Whistler has been around for some time, in malware terms.
Quads
