Removing RootKits

If your formatting just to remove the rootkit you may try this freeware first:

http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0

It worked for me in finding and removing a Sony Music rootkit that Sony was
kind enough to install with Connect software, I guess to ensure I wasn't
passing on music to the Communist or something.

"Jerry" wrote:

> Reformatting the drive removes everything. FDISK /MBR is redundant if you
> just formatted.
>
> The only other option is a manufacturer's low-level format and that program
> is probably not available for a user.
>
> "cyranodesade" <cyranodesade.TakeThisOut@gmail.com> wrote in message
> news:1186350724.255616.20280@r34g2000hsd.googlegroups.com...
> > All,
> > I hope this is a simple question does Formatting a Hard Drive and then
> > FDisk /MBR remove any rootkits or hidden files on a hard drive??
> > If the answer is no then could you please point me to a good resource
> > for formatting the boot sector/MBR? Thanks in advance. - CES
> >
>
>
>

You can also use this application

Rootkit revealer
http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

thanks


--
Milo
MSPSS


"cyranodesade" wrote:

> All,
> I hope this is a simple question does Formatting a Hard Drive and then
> FDisk /MBR remove any rootkits or hidden files on a hard drive??
> If the answer is no then could you please point me to a good resource
> for formatting the boot sector/MBR? Thanks in advance. - CES
>
>

"cyranodesade" <cyranodesade RemoveThis @gmail.com> wrote in message
news:1186350724.255616.20280@r34g2000hsd.googlegroups.com...
> All,
> I hope this is a simple question does Formatting a Hard Drive and then
> FDisk /MBR remove any rootkits or hidden files on a hard drive??
> If the answer is no then could you please point me to a good resource
> for formatting the boot sector/MBR? Thanks in advance. - CES
>


Yes it will remove the rootkit. You should figure how the rootkit got
installed and alter your computing habits so it doesn't happen again. One of
the reasons people ask this question is because they have done this then
become infected again because they didn't change their habits and the
rootkit got installed again by the same method it was the first time.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca

"Jerry" <ChiefZekeNoSpam DeleteThis @MSN.com> wrote in message
news:%23nVlIu61HHA.5380@TK2MSFTNGP04.phx.gbl...
> Reformatting the drive removes everything. FDISK /MBR is redundant if you
> just formatted.

Format does not clear the mbr. If it did then Linux Grub or Lilo wouldn't be
left behind after a format, but it is and to get rid of it you run fdisk
/mbr. HDD manufacturers still provide what they call low level format
utilities but all they really are is a zero wipe utility which does
overwrite every sector on a HDD and is the best method to ensure you are
virus free. Or you can simply use Dban's quick wipe, same thing. Dban is
available as a separate download or on The Ultimate Boot Disk.

Noddy wrote:
> "Jerry" <ChiefZekeNoSpam.DeleteThis@MSN.com> wrote in message
> news:%23nVlIu61HHA.5380@TK2MSFTNGP04.phx.gbl...
>> Reformatting the drive removes everything. FDISK /MBR is redundant if
>> you just formatted.
>
> Format does not clear the mbr. If it did then Linux Grub or Lilo
> wouldn't be left behind after a format, but it is and to get rid of it
> you run fdisk /mbr. HDD manufacturers still provide what they call low
> level format utilities but all they really are is a zero wipe utility
> which does overwrite every sector on a HDD and is the best method to
> ensure you are virus free. Or you can simply use Dban's quick wipe, same
> thing. Dban is available as a separate download or on The Ultimate Boot
> Disk.

The MBR is stored on sector 0, whereas partitions start at sector 1
(specifically to avoid overwriting the boot sector (MBR)). Therefore,
nothing you can do to the partition will affect the boot sector.
However, in the process of reinstalling windows, you'll automatically
write a new boot sector, since that's what SETUP does.

"cyranodesade" wrote:

> All,
> I hope this is a simple question does Formatting a Hard Drive and then
> FDisk /MBR remove any rootkits or hidden files on a hard drive??
> If the answer is no then could you please point me to a good resource
> for formatting the boot sector/MBR? Thanks in advance. - CES

It will remove the root kit. However, it is not the best first thing to
try, as there are better and easier ways to both remove root kits and to
reduce the risk of re-infection.

Most root kits in use nowadays have little to nothing to do with the MBR.
In old days, some people suggested running FDISK /MBR was recommended as a
virus removal method, but antivirus experts said this was a bad idea, and I
still agree.

Besides the other suggestions you received... if you have two computers that
are networked, using one known clean computer to virus scan the hard drive of
the suspect computer will allow you to detect the root kits commonly used
today. Root kits only hide objects from the infected local OS, not remote
connections to that OS.

--

kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
-------------------------
Security FAQ:
http://www.securityadmin.info

Hello

Also by deleting all partitions and recreating new partitions will wipe the
MBR, albeit extreme unless you with to start from scratch. What ever
replaced the ‘Fdisk /MBR’ command?

May

"Tyler Larson" <tylerl DeleteThis @discussions.microsoft.com> wrote in message
news:eToTfjj2HHA.5796@TK2MSFTNGP05.phx.gbl...
> The MBR is stored on sector 0, whereas partitions start at sector 1
> (specifically to avoid overwriting the boot sector (MBR)). Therefore,
> nothing you can do to the partition will affect the boot sector. However,
> in the process of reinstalling windows, you'll automatically write a new
> boot sector, since that's what SETUP does.


Then why are boot managers left behind when installing XP if the mbr is
overwrote completely? Because it obviously doesn't. You either have to
destroy the partition or use fdisk /mbr. Install Linux with a boot manager
and then go format it with XP and start setup, afterwards you will see that
Linux boot manager is still there. If XP setup overwrote the mbr then the
Linux boot manager wouldn't still be there. Same thing will happen if you do
a XP/Vista dual boot and you want to go back to just XP. The Vista boot
manager will still be there and you have to edit it with BCDedit.

"Karl Levinson, mvp" <levinson_k DeleteThis @securityadmin.info> wrote in message
news:4A06D8AA-A00D-449B-9518-090A0E68DBCA@microsoft.com...
> Most root kits in use nowadays have little to nothing to do with the MBR.
> In old days, some people suggested running FDISK /MBR was recommended as a
> virus removal method, but antivirus experts said this was a bad idea, and
> I
> still agree.

Why did they say it is a bad idea and why do you agree?

"May" <May.J.Court DeleteThis @Blueyonder.co.uk> wrote in message
news:%23yGGW2x3HHA.1208@TK2MSFTNGP05.phx.gbl...
>What ever replaced the ‘Fdisk /MBR’ command?
>
> May


fixboot and fixmbr

http://support.microsoft.com/kb/314058

Crazy

Many of the old XP Recovery Console commands have been changed in Vista. The
following website has these changes documented.

Windows RE Notes : Where are recovery console commands?:
http://blogs.msdn.com/winre/archive/2006/10/20/where-are-recovery-cons...-comman


--

Ronnie Vernon
Microsoft MVP
Windows Shell/User


"Crazy Noddy" <SPAM.RemoveThis@BLOCKER.ACTIVE> wrote in message
news:BUGwi.218652$ss3.90690@fe01.news.easynews.com...
> "May" <May.J.Court.RemoveThis@Blueyonder.co.uk> wrote in message
> news:%23yGGW2x3HHA.1208@TK2MSFTNGP05.phx.gbl...
>>What ever replaced the ‘Fdisk /MBR’ command?
>>
>> May
>
>
> fixboot and fixmbr
>
> http://support.microsoft.com/kb/314058

"Ronnie Vernon MVP" <rv.TakeThisOut@invalid.org> wrote in message
news:OPZngd43HHA.536@TK2MSFTNGP06.phx.gbl...
> Crazy
>
> Many of the old XP Recovery Console commands have been changed in Vista.
> The following website has these changes documented.
>
> Windows RE Notes : Where are recovery console commands?:
> http://blogs.msdn.com/winre/archive/2006/10/20/where-are-recovery-cons...-comman
>
>
> --
>
> Ronnie Vernon
> Microsoft MVP
> Windows Shell/User

Ok, thanks. And it is "Crazy Noddy" and not just "Crazy".

cyranodesade wrote:
> All,
> I hope this is a simple question does Formatting a Hard Drive and then
> FDisk /MBR remove any rootkits or hidden files on a hard drive??
> If the answer is no then could you please point me to a good resource
> for formatting the boot sector/MBR? Thanks in advance. - CES

Yes, it'll remove the rootkit - IF the rootkit lets you format the
drive. There would be nothing to stop somebody from writing a rootkit
that just made it look like the drive had been formatted.

You could delete and recreate the partition when you're booted from CD
(eg. installing Windows)

Alun Harford