How to remove Bootsector virus? Trojan:Win32/Popureb.E
Author Topic: How to remove Bootsector virus? Trojan:Win32/Popureb.E  (Read 1941 times)
Britec
Administrator
Hero Member
« on: July 06, 2011, 03:29:44 AM »

How to remove Bootsector virus?

Method 1:

How to Remove a Boot Sector Virus


A boot sector is the part of the hard drive that's accessed when the computer starts. A boot sector virus infects the boot sector, resides
in memory and runs when the computer is booted. Boot sector viruses can prevent the computer from booting or from running Windows. They're
usually spread by infected floppy disks.

Instructions: (Difficulty: Moderate)

Step 1: Open the computer. Remove the infected hard drive. Install the hard drive in a computer with virus definitions that are up-to-date.
Run a virus scan on the hard drive.

Step 2: Download or purchase an anti-virus software package that includes a boot sector program.

Step 3: Put a bootable floppy disk in your floppy drive. Turn on the computer. At the "C:" prompt, type "cd" followed by the name of the
folder where your anti-virus software is installed. Run a scan command from the folder. Follow the instructions to clean the virus. If the
sector is still damaged, you may need to repair it with Windows.

Step 4: Start your computer with the Windows CD. At the "Setup" screen, choose "R" to repair. Choose the version of Windows to repair.
Enter the administrator password. At the "C:" prompt, enter "fixmbr".

Step 5: Insert a Windows boot disk in the floppy drive. Turn on your computer. At the "A:" prompt, type "fdisk /mbr".

Tips & Warnings
Running Windows utilities to repair your MBR could damage your drive and make it unreadable. Do not run Windows utilities like FDISK or
FIXMBR without trying antivirus software first.


----------------------------------------------------------------------------------------------------------------------------------------

Method 2

How to Remove a Boot Sector Virus in 11 easy steps:

Has your computer been acting strange lately? Has it been running slow, or telling you that your computer needs a certain program? If
so it may have a virus. This article deals with ones called Boot Sector Viruses. These reside in the sectors that are used to start your
Operating System. Some of the viruses that reside here also store themselves in your BIOS so they are booted even if you have just done
a clean install.

Steps
1: Remove any important files and shut down the infected computer. You cannot begin to remove the virus if it is in the RAM in your
computer.

2: Download a new BIOS flash utility (must be DOS version) and copy it to the bootable floppy you are about to make. These are found at
your motherboard manufacturer's website, or at your computer manufacturer's website if you have a laptop.

3: Create a bootable floppy from an uninfected computer. Then write-protect the floppy.

4: Remove the HDD (hard disk drive or hard drive) from the infected computer. Be sure to remove all of the static electricity from
yourself by touching the metal case.

5: Start up the infected computer with the bootable floppy in the floppy drive.

6: When the BIOS setup page shows, push the corresponding key to change the Boot Order.

7: Set the Floppy drive to boot first.

8: Flash your BIOS with the utility provided by the manufacturer.
DO NOT TURN OFF YOUR COMPUTER UNTIL THE UTILITY TELLS YOU THAT YOU CAN.
DOING SO BEFORE IT IS FINISHED MAY PERMANENTLY DAMAGE YOUR COMPUTER.

9: Find out which company manufactures your HDD and see if they have a utility that will do a Low-Level format. This part is important
because it deletes everything from your hard drive so that no one can get it back, including the virus. Some common HDD manufacturers'
tools for doing this can be found here.

10: Run the formatting utility provided by your HDD manufacturer.

11: Reinstall your Operating System of choice however you want to.

And the most important thing is to use trusted software to remove the virus, otherwise you will be in more trouble (if that software is infected).

-------------------------------------------------------------------------------------------------------------------------------------

Method 3

Boot sector virus repair

What is a boot sector? All disks and hard drives are divided into small sectors. The first sector is called the boot sector and contains the
Master Boot Record (MBR). The MBR contains the information concerning the location of partitions on the drive and reading of the bootable
operating system partition. During the bootup sequence on a DOS-based PC, the BIOS searches for certain system files, IO.SYS and MS-DOS.SYS.
When those files have been located, the BIOS then searches for the first sector on that disk or drive and loads the needed Master Boot Record
information into memory. The BIOS passes control to a program in the MBR which in turn loads IO.SYS. This latter file is responsible for
loading the remainder of the operating system.

What is a boot sector virus? A boot sector virus is one that infects the first sector, i.e. the boot sector, of a floppy disk or hard drive.
Boot sector viruses can also infect the MBR. The first PC virus in the wild was Brain, a boot sector virus that exhibited stealth techniques
to avoid detection. Brain also changed the volume label of the disk drive.

How to avoid boot sector viruses. Commonly, infected floppies and subsequent boot sector infections result from "shared" diskettes and
pirated software applications. It is relatively easy to avoid boot sector viruses. Most are spread when users inadvertently leave floppy
disks in the drive - which happen to be infected with a boot sector virus. The next time they boot up their PC, the virus infects the
local drive. Most systems allow users to change the boot sequence so that the system always attempts to boot first from the local hard
drive (C:\) or CD-ROM drive.

Disinfecting boot sector viruses. Boot sector repair is best accomplished by the use of anti-virus software. Because some boot sector viruses
encrypt the MBR, improper removal can result in a drive that is inaccessible. However, if you are certain the virus has only affected the
boot sector and is not an encrypting virus, the DOS SYS command can be used to restore the first sector. Additionally, the DOS LABEL
command can be used to restore a damaged volume label and FDISK /MBR will replace the MBR. None of these methods is recommended, however.
Anti-virus software remains the best tool for cleanly and accurately removing boot sector viruses with minimal threat to data and files.

Creating a system disk. When disinfecting a boot sector virus, the system should always be booted from a known clean system disk.
On a DOS-based PC, a bootable system disk can be created on a clean system running the exact same version of DOS as the infected PC.
From a DOS prompt, type:

SYS C:\ A:\
and press enter. This will copy the system files from the local hard drive (C:\) to the floppy drive (A:\).

If the disk has not been formatted, the use of FORMAT /S will format the disk and transfer the necessary system files. On Windows 3.1x
systems, the disk should be created as described above for DOS-based PCs. On Windows 95/98/NT systems, click Start | Settings | Control
Panel | Add/Remove Programs and choose the Startup Disk tab. Then click on "Create Disk". Windows 2000 users should insert the Windows
2000 CD-ROM into the CD-ROM drive, click Start | Run and type the name of the drive followed by bootdisk\makeboot a: and then click OK.

For example:

d:\bootdisk\makeboot a:
Follow the screen prompts to finish creating the bootable system disk. In all cases, after the creation of the bootable system disk, the
disk should be write protected to avoid infection.

This guide will not work on all MBR infections, i.e.:

TDL3, TDL4 and TDL5(?) MBR rootkits infect the MBR and make part of it read-only.

Trojan:Win32/Popureb.E

Don’t write it, read it instead!
mmpc2
22 Jun 2011 8:46 AM


The bootkit malware Trojan:Win32/Popureb.E has made some changes in its code compared to previous samples (specifically, Trojan:Win32/Popureb.B), and now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The following steps describe the trick:

    It calls IoGetDeviceAttachmentBaseRef( ) to retrieve the bottom device object in the disk device stack, that is, the real physical disk device object.
    Then it hooks the DriverStartIo routine in the found device's DRIVER_OBJECT structure (see the picture below).

The hooked DriverStartIo routine monitors the disk write operations: If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk.

If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state.

To fix the MBR:

1. Open a Windows Recovery Console
• For Windows XP: Installing and using the Recovery Console in Windows XP
• For Windows Vista: System Recovery Options in Windows Vista
• For Windows 7: System Recovery Options in Windows 7

2. Use the tool BOOTREC.exe to fix the MBR as in:

bootrec.exe /fixmbr

More information about using the tool BOOTREC.exe is available here.

3. Restart the computer and you can then scan the system to remove any remaining malware.


If you opt to use Windows Restore to remove the malware instead, you must still fix the MBR first, and then restore the system.

-- Chun Feng
« Last Edit: July 06, 2011, 03:38:10 AM by Britec »
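Added example, not code from the post, from Britec or from Microsoft: a small Python parser for the 512-byte MBR layout that Method 3 describes (boot code, four 16-byte partition entries, 0x55AA signature), plus the read-back check a technician wants after the bootrec /fixmbr step above. Popureb.E's DriverStartIo hook turns the MBR write into a read, so the write "succeeds" but the sector is unchanged; comparing the sector read back against the pre-fix sector exposes that. The sample sectors, partition layout and boot-code bytes are constructed placeholders, not a real disk image.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0..439 hold boot code; 440..445 disk signature/reserved
PART_TABLE_OFF = 446    # four 16-byte partition entries follow
SIG_OFF = 510           # boot signature 0x55 0xAA (little-endian 0xAA55)
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a sample MBR sector (test data only)."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, count)
    struct.pack_into("<H", sector, SIG_OFF, 0xAA55)
    return bytes(sector)

def parse_mbr(sector: bytes) -> dict:
    """Return boot-code hash, the non-empty partition entries and signature validity."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": struct.unpack_from("<H", sector, SIG_OFF)[0] == 0xAA55,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def verify_fixmbr(before: bytes, after: bytes) -> dict:
    """fixmbr rewrites only the boot code and must leave the partition table intact.
    If the sector read back still carries the old boot code, the write never reached
    the disk, which is exactly what a write-to-read hook in DriverStartIo produces."""
    b, a = parse_mbr(before), parse_mbr(after)
    return {"boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
            "partition_table_preserved": a["partitions"] == b["partitions"],
            "signature_ok": a["signature_ok"]}

# Constructed samples: one bootable NTFS-type partition, two different boot-code stand-ins.
PARTS = [(True, 0x07, 2048, 204800)]
INFECTED = build_mbr(b"\xEB\xFE" + b"\x90" * 100, PARTS)   # placeholder "malicious" boot code
CLEAN = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", PARTS)  # placeholder "clean" boot code

if __name__ == "__main__":
    print("write silently dropped:", verify_fixmbr(INFECTED, INFECTED))  # boot_code_changed False
    print("write took effect:     ", verify_fixmbr(INFECTED, CLEAN))     # boot_code_changed True
```

On a real machine the two sectors would be the first 512 bytes of the physical disk read before and after running bootrec; a `boot_code_changed` of False with the table preserved means the fix did not land and the system is still booting the malicious MBR.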