3 Replies Latest reply on Dec 9, 2011 11:15 AM by SafeBoot

    Will rootkit removers modify the safeboot MBR code?

    jmcleish

      What will happen to an encrypted machine if you have a rootkit, e.g. TDSS, and you run a rootkit remover such as TDSSKiller (Desktop Support's rootkit remover of choice)?

      Will it just remove the rootkit code or will it, as a side effect, remove/modify the SafeBoot code in the MBR? Just wondering what options we have if it's run on an EEPC machine and what I may have to do to recover.

      Also, I've noticed that in WinTech (but not EETech) you have the option to restore the SafeBoot MBR. Will this option be available in EETech at all?

      It seems to be a handy thing to be able to do.

      Thanks

      Jane

        • 1. Re: Will rootkit removers modify the safeboot MBR code?

          Most likely your rootkit killer will put a standard MBR back on the disk, which means you'll get a "missing operating system" on next boot, and will have to do a restore SafeBoot MBR (v5), or decrypt (v6).

          I expect the restore MBR feature will make it into a release of EETech in the near future though.

          • 2. Re: Will rootkit removers modify the safeboot MBR code?
            jmcleish

            Thanks Simon,

            I was thinking, but have not had a chance to test yet: if I could use a utility (run while the user was logged into Windows) to back up the EEPC MBR and save this on the network, then if I could get this utility into something like BartPE along with EETech, would it just be as simple as restoring the appropriate saved MBR back to the machine, and hopefully it would recognise everything and boot OK?

            Or if I did this, would this cause issues if I had to decrypt anyway? Where is the crypt list info stored?

            Thanks

            Jane

            • 3. Re: Will rootkit removers modify the safeboot MBR code?

              WinTech / EETech will capture the MBR for you. It never changes, well, not unless you repartition or install some new boot code.

              The crypt list is somewhere on the drive; the MBR knows where it is though. There's no fixed location.
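The backup-and-compare idea from reply 2, and the "only repartitioning or new boot code changes it" point from reply 3, as an added example that is not part of the thread and is not McAfee/EEPC tooling: it parses a raw 512-byte MBR sector into its boot-code and partition-table regions and reports which region differs from a saved baseline. The sample sectors are constructed inline (stub boot code, a made-up disk signature and one NTFS partition), not real SafeBoot images; `read_mbr` and the `\\.\PhysicalDrive0` path are assumptions for reading the live sector with administrator rights.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # boot code runs up to the 4-byte disk signature at 0x1B8
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # sector must end in 0x55 0xAA
PART_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count

def read_mbr(device_path=r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a disk (needs admin; assumption, not EEPC tooling)."""
    with open(device_path, "rb") as disk:
        return disk.read(MBR_SIZE)

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR into boot-code hash, disk signature and used partition entries."""
    if len(mbr) != MBR_SIZE or mbr[BOOT_SIG_OFF:] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype:   # skip empty entries
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
            "partitions": partitions}

def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Return which regions changed: 'boot_code' (new boot code) and/or 'partition_table'."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    changes = []
    if before["boot_code_sha256"] != after["boot_code_sha256"]:
        changes.append("boot_code")
    if before["partitions"] != after["partitions"]:
        changes.append("partition_table")
    return changes

def build_sample_mbr(boot_code: bytes, lba_start: int = 2048) -> bytes:
    """Constructed sample sector (not a real SafeBoot MBR): one bootable NTFS partition."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)            # made-up signature
    struct.pack_into(PART_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, lba_start, 204800)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)

if __name__ == "__main__":
    saved = build_sample_mbr(b"SAFEBOOT-STUB")      # the copy you would keep on the network
    replaced = build_sample_mbr(b"STD-MBR-STUB")    # after a remover writes a standard MBR back
    print(diff_mbr(saved, replaced))                # ['boot_code']
```

A `['boot_code']` result with an unchanged partition table is the "standard MBR put back" case reply 1 describes, where the saved copy is what you would restore; a `partition_table` change means the disk was repartitioned and the old sector should not simply be written back.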