Vista - Removing Rootkits from Boot Sector.

08-05-2007

All,
I hope this is a simple question does Formatting a Hard Drive and then
FDisk /MBR remove any rootkits or hidden unwanted files on a hard
drive??
If the answer is no then could you please point me to a good resource
for formatting the boot sector/MBR? Thanks in advance. - CES

08-05-2007

If you delete all partitions on a hard drive, and then create and format new
partitions, a new MBR is created. The old one is gone. I do not know of any
malware that will survive this action but there "may" be some out there that
can.

--

Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)

"cyranodesade" <cyranodesade@gmail.com> wrote in message
news:1186350638.153572.257410@q75g2000hsh.googlegroups.com...
> All,
> I hope this is a simple question does Formatting a Hard Drive and then
> FDisk /MBR remove any rootkits or hidden unwanted files on a hard
> drive??
> If the answer is no then could you please point me to a good resource
> for formatting the boot sector/MBR? Thanks in advance. - CES
>

08-05-2007

> I hope this is a simple question does Formatting a Hard Drive and then
> FDisk /MBR remove any rootkits or hidden unwanted files on a hard
> drive??
> If the answer is no then could you please point me to a good resource
> for formatting the boot sector/MBR? Thanks in advance. - CES

FDISK is a DOS/Windows 9x command ... there is no FDISK in Vista (or XP, or
Windows 2000).

The steps to recreate the MBR on Vista are described in Microsoft
KnowledgeBase article 927392:
http://support.microsoft.com/kb/927392
Basically, you boot up from the Vista DVD, go to the Repair option, and run
"bootrec /fixmbr". You can also format the hard disk, using the Repair
console.

As to whether this will reliably remove any rootkits ... well, disinfection
is not the stated or tested purpose of this "bootrec /fixmbr" command,
although that might be a side-effect. /fixmbr will rewrite the MBR. If you
have a virus in your MBR, I expect it will be over-written. Rootkits per se
(as opposed to viruses) usually live in the filesystem, disguising
themselves as legitimate operating system components. Formatting would
likely remove these; but again - formatting wasn't designed as an anti-virus
measure, as such. It's a good start. If you suspect you have a virus or
rootkit, the only reliable way to tackle it is to get a current version of a
reputable anti-virus program, with current signatures, and run a full scan
on your system. Rootkits by definition, are difficult to detect; but most of
the main, current anti-virus apps know how to detect the known rootkits.

Hope it helps,
--
Andrew McLaren
amclar (at) optusnet dot com dot au

08-05-2007	#1 (permalink)
cyranodesade n/a posts	Removing Rootkits from Boot Sector. All, I hope this is a simple question does Formatting a Hard Drive and then FDisk /MBR remove any rootkits or hidden unwanted files on a hard drive?? If the answer is no then could you please point me to a good resource for formatting the boot sector/MBR? Thanks in advance. - CES
My System Specs

08-05-2007	#2 (permalink)
Richard Urban n/a posts	Re: Removing Rootkits from Boot Sector. If you delete all partitions on a hard drive, and then create and format new partitions, a new MBR is created. The old one is gone. I do not know of any malware that will survive this action but there "may" be some out there that can. -- Regards, Richard Urban Microsoft MVP Windows Shell/User (For email, remove the obvious from my address) "cyranodesade" <cyranodesade@gmail.com> wrote in message news:1186350638.153572.257410@q75g2000hsh.googlegroups.com... > All, > I hope this is a simple question does Formatting a Hard Drive and then > FDisk /MBR remove any rootkits or hidden unwanted files on a hard > drive?? > If the answer is no then could you please point me to a good resource > for formatting the boot sector/MBR? Thanks in advance. - CES >
My System Specs

08-05-2007	#3 (permalink)
Andrew McLaren n/a posts	Re: Removing Rootkits from Boot Sector. > I hope this is a simple question does Formatting a Hard Drive and then > FDisk /MBR remove any rootkits or hidden unwanted files on a hard > drive?? > If the answer is no then could you please point me to a good resource > for formatting the boot sector/MBR? Thanks in advance. - CES FDISK is a DOS/Windows 9x command ... there is no FDISK in Vista (or XP, or Windows 2000). The steps to recreate the MBR on Vista are described in Microsoft KnowledgeBase article 927392: http://support.microsoft.com/kb/927392 Basically, you boot up from the Vista DVD, go to the Repair option, and run "bootrec /fixmbr". You can also format the hard disk, using the Repair console. As to whether this will reliably remove any rootkits ... well, disinfection is not the stated or tested purpose of this "bootrec /fixmbr" command, although that might be a side-effect. /fixmbr will rewrite the MBR. If you have a virus in your MBR, I expect it will be over-written. Rootkits per se (as opposed to viruses) usually live in the filesystem, disguising themselves as legitimate operating system components. Formatting would likely remove these; but again - formatting wasn't designed as an anti-virus measure, as such. It's a good start. If you suspect you have a virus or rootkit, the only reliable way to tackle it is to get a current version of a reputable anti-virus program, with current signatures, and run a full scan on your system. Rootkits by definition, are difficult to detect; but most of the main, current anti-virus apps know how to detect the known rootkits. Hope it helps, -- Andrew McLaren amclar (at) optusnet dot com dot au
My System Specs

Similar Threads
Thread	Forum
Windows 7 ISO boot - code 5 - boot sector might be incorrect	Vista General
Removing RootKits	Vista security
Removing RootKits	Vista file management
Dual Boot Problem - Misplaced Boot Sector	Vista General
Dual Boot Problem - Misplaced boot sector	Vista General