Unremovable virus age is here!?

by nolovelust 22. June 2011 21:13

UPDATE: BitDefender has just published a free removal tool called BitDefender TDSS/TDL4 Removal Tool. You can download the 32-bit or 64-bit version from MalwareCity.com.

* * *

Just saw this post at the Microsoft Malware Protection Center about a rootkit that is not possible to remove unless you do an image restore!

Trojan:Win32/Popureb.E's variant Trojan:Win32/Popureb.B intercepts certain write commands to the MBR and converts them to read commands!

In non-technical terms, this means that when your antivirus software tries to remove the virus, your computer will report that it has been deleted, but in reality it will still be there!

Microsoft advises, if you are infected: "If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr"."

How to remove it?

There are a couple of ways. I believe the main defence against viruses is to prevent your computer from getting infected in the first place.

Get an antivirus and create a recovery CD with it. Kaspersky is my personal favourite and has a boot/recovery CD option to boot and scan your computer with.

Get disk imaging software. I use Acronis True Image Home. It can create an image of your hard disk, so if something goes wrong you can go back. Acronis also has a boot/recovery disk to boot your computer. It is important to remember that in case of infection by Trojan:Win32/Popureb.E you should always boot with a boot/recovery CD. I have set Acronis to do a full disk image every 7 days.

You can also try the free disk imaging software Clonezilla.

If you prefer to play with the Windows recovery options, you can follow the simple steps below to fix the MBR and then scan your computer for viruses.

Open a Windows Recovery Console. Check these links for how to do that on XP, Vista, Windows 7. Then use the tool BOOTREC.exe to fix the MBR with the command bootrec.exe /fixmbr
