Removing RootKits

[cyranodesade]

All,
I hope this is a simple question does Formatting a Hard Drive and then
FDisk /MBR remove any rootkits or hidden files on a hard drive??
If the answer is no then could you please point me to a good resource
for formatting the boot sector/MBR? Thanks in advance. - CES

 

[Jerry]

Reformatting the drive removes everything. FDISK /MBR is redundant if you
just formatted.

The only other option is a manufacturer's low-level format and that program
is probably not available for a user.

 

[Guest]

If your formatting just to remove the rootkit you may try this freeware first:

http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0

It worked for me in finding and removing a Sony Music rootkit that Sony was
kind enough to install with Connect software, I guess to ensure I wasn't
passing on music to the Communist or something.

 

[Guest]

You can also use this application

Rootkit revealer
http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

thanks

 

[Kerry Brown]

All,
I hope this is a simple question does Formatting a Hard Drive and then
FDisk /MBR remove any rootkits or hidden files on a hard drive??
If the answer is no then could you please point me to a good resource
for formatting the boot sector/MBR? Thanks in advance. - CES

Yes it will remove the rootkit. You should figure how the rootkit got
installed and alter your computing habits so it doesn't happen again. One of
the reasons people ask this question is because they have done this then
become infected again because they didn't change their habits and the
rootkit got installed again by the same method it was the first time.

 

[Noddy]

Reformatting the drive removes everything. FDISK /MBR is redundant if you
just formatted.

Format does not clear the mbr. If it did then Linux Grub or Lilo wouldn't be
left behind after a format, but it is and to get rid of it you run fdisk
/mbr. HDD manufacturers still provide what they call low level format
utilities but all they really are is a zero wipe utility which does
overwrite every sector on a HDD and is the best method to ensure you are
virus free. Or you can simply use Dban's quick wipe, same thing. Dban is
available as a separate download or on The Ultimate Boot Disk.

 

[Tyler Larson]

Format does not clear the mbr. If it did then Linux Grub or Lilo
wouldn't be left behind after a format, but it is and to get rid of it
you run fdisk /mbr. HDD manufacturers still provide what they call low
level format utilities but all they really are is a zero wipe utility
which does overwrite every sector on a HDD and is the best method to
ensure you are virus free. Or you can simply use Dban's quick wipe, same
thing. Dban is available as a separate download or on The Ultimate Boot
Disk.

The MBR is stored on sector 0, whereas partitions start at sector 1
(specifically to avoid overwriting the boot sector (MBR)). Therefore,
nothing you can do to the partition will affect the boot sector.
However, in the process of reinstalling windows, you'll automatically
write a new boot sector, since that's what SETUP does.

 

[Guest]

All,
I hope this is a simple question does Formatting a Hard Drive and then
FDisk /MBR remove any rootkits or hidden files on a hard drive??
If the answer is no then could you please point me to a good resource
for formatting the boot sector/MBR? Thanks in advance. - CES

It will remove the root kit. However, it is not the best first thing to
try, as there are better and easier ways to both remove root kits and to
reduce the risk of re-infection.

Most root kits in use nowadays have little to nothing to do with the MBR.
In old days, some people suggested running FDISK /MBR was recommended as a
virus removal method, but antivirus experts said this was a bad idea, and I
still agree.

Besides the other suggestions you received... if you have two computers that
are networked, using one known clean computer to virus scan the hard drive of
the suspect computer will allow you to detect the root kits commonly used
today. Root kits only hide objects from the infected local OS, not remote
connections to that OS.

 

[May]

Hello

Also by deleting all partitions and recreating new partitions will wipe the
MBR, albeit extreme unless you with to start from scratch. What ever
replaced the ‘Fdisk /MBR’ command?

May

 

[Crazy Noddy]

The MBR is stored on sector 0, whereas partitions start at sector 1
(specifically to avoid overwriting the boot sector (MBR)). Therefore,
nothing you can do to the partition will affect the boot sector. However,
in the process of reinstalling windows, you'll automatically write a new
boot sector, since that's what SETUP does.

Then why are boot managers left behind when installing XP if the mbr is
overwrote completely? Because it obviously doesn't. You either have to
destroy the partition or use fdisk /mbr. Install Linux with a boot manager
and then go format it with XP and start setup, afterwards you will see that
Linux boot manager is still there. If XP setup overwrote the mbr then the
Linux boot manager wouldn't still be there. Same thing will happen if you do
a XP/Vista dual boot and you want to go back to just XP. The Vista boot
manager will still be there and you have to edit it with BCDedit.

 

[Crazy Noddy]

Most root kits in use nowadays have little to nothing to do with the MBR.
In old days, some people suggested running FDISK /MBR was recommended as a
virus removal method, but antivirus experts said this was a bad idea, and
I
still agree.

Why did they say it is a bad idea and why do you agree?

 

[Crazy Noddy]

What ever replaced the ‘Fdisk /MBR’ command?

May

fixboot and fixmbr

http://support.microsoft.com/kb/314058

 

[Ronnie Vernon MVP]

Crazy

Many of the old XP Recovery Console commands have been changed in Vista. The
following website has these changes documented.

Windows RE Notes : Where are recovery console commands?:
http://blogs.msdn.com/winre/archive/2006/10/20/where-are-recovery-console-commands.aspx

 

[Crazy Noddy]

Crazy

Many of the old XP Recovery Console commands have been changed in Vista.
The following website has these changes documented.

Windows RE Notes : Where are recovery console commands?:
http://blogs.msdn.com/winre/archive/2006/10/20/where-are-recovery-console-commands.aspx


--

Ronnie Vernon
Microsoft MVP
Windows Shell/User

Ok, thanks. And it is "Crazy Noddy" and not just "Crazy".

 

[Alun Harford]

All,
I hope this is a simple question does Formatting a Hard Drive and then
FDisk /MBR remove any rootkits or hidden files on a hard drive??
If the answer is no then could you please point me to a good resource
for formatting the boot sector/MBR? Thanks in advance. - CES

Yes, it'll remove the rootkit - IF the rootkit lets you format the
drive. There would be nothing to stop somebody from writing a rootkit
that just made it look like the drive had been formatted.

You could delete and recreate the partition when you're booted from CD
(eg. installing Windows)

Alun Harford