| By Woody Leonhard |
I wrote last Thursday about ways to protect your PC from infection by Sinowal/Mebroot, a devilishly effective rootkit that can evade antivirus programs.
This week, I’ll concentrate on the best available techniques to try to remove the offender, if you’re one of the unfortunates who’ve already been hit.
My Top Story Nov. 20 focused on prevention, because it can be hard as heck to get rid of Sinowal/Mebroot once your PC’s got it. (Sinowal is the name of an older variant and Mebroot is its newer form, so I’ll simply call the threat Mebroot in the remainder of this article.)
Mebroot infects a PC’s Master Boot Record (MBR), the first sector on a hard drive, where it’s invisible to ordinary antivirus agents. As I stated last week, your best defense against infection is to use, on a regular basis, a software scanner such as Secunia’s free Personal Software Inspector (get it from Secunia’s download page).
Ideally, you should run a PSI scan right after you install Microsoft’s Patch Tuesday updates for Windows. The PSI scan tests your third-party applications, so you can patch them with the latest fixes. Unpatched media-player apps — Adobe Reader, Flash Player, Apple QuickTime, and the like — are particularly vulnerable to Mebroot and other threats, so it’s vital to keep your players up-to-date.
Most Windows Secrets readers are probably not infected with Mebroot. Sophisticated PC users are less likely than novices to visit “celebrity video” sites and leave their PCs’ third-party applications unpatched for months or years at a time.