RUPERT-TECH - Computer & Laser Printer Services

A new variant of the Trojan Popureb burrows deep enough into the Windows operating system that users are recommended to reinstall the OS in order to remove it, or by fixing the master boot record, Microsoft said.

The "Popureb" Trojan corrupts the hard drive's master boot record to such an extent that the only way to remove it is to run Windows Recovery Console to rewrite the sectors to a clean state, Microsoft Malware Protection Center engineer Chun Feng wrote in an advisory posted on the Threat Research and Reponse blog June 22.

The Trojan was updated recently with the driver component that makes sure the malware can never be modified by an external process, according to Feng. The component accesses the DriverStartIO routine in the device driver to execute itself.

Trojan:Win32/Popureb.E overwrites the first sector on the hard drive so that it triggers at boot time. MBR is generally invisible to both the operating system and security software. To ensure it can't easily be removed, Popureb can intercept all commands to overwrite the MBR or any other part of the hard drive where the malware is installed and replace those commands with a read command. The operation appears to succeed and no errors are thrown, but no new data is actually written to the disk. This means that if a security software attempts to remove the malware, it fails automatically because it can't overwrite the MBR or the infected sector.

Most members of this particular malware family are fake antivirus software, but this variant "might be a little more severe, Symantec said, but pointed out that this Trojan doesn't do anything that "Trojan.Tidserv doesn't already do." The company has asked Microsoft for the sample to analyze further, according to the statement.

"How to Recover a Deleted File in Windows 7"

Windows 7 has a built-in tool called Previous Version that allows users to recover files they mistakenly delete. In order to recover deleted files you have to first make sure that System Restore is enabled so that Windows can automatically create restore points. These restore points are what you can revert a folder to in order to recover the files that existed at that time and date.

Step 1 - Making Sure System Restore Is Enabled

You can verify that System Restore is turned on by right-clicking Computer and selecting Properties. Next, you'll want to click the System Protection tab and then click the drive you wish to turn on System Restore. The C: drive is usually the drive selected. After selecting the desired drive and clicking OK, System Restore will be turned on if it was previously off.

Step 2 - Recovering a Changed Document in Windows 7

1. Open the folder where the file was located.
2. Right-click in the white space within that folder.
3. Select Properties and click OK.
4. The Properties screen will then pop-up. In this screen, select the Previous Versions tab.
5. The Previous Versions tab will then display various versions of changed or deleted files in that folder. These versions are based on automatic restore points created by System Restore.
6. Choose the version time and date you wish to revert back to.
7. Then click Open.
8. You will then see all of the previous versions of files in that folder according to the time and date you selected.
9. To recover one of those files, rick-click the file and select Send to and then choose the folder you wish to save the file to.

That's it! Now you know how to recover lost files. It's a handy, useful tool that Microsoft built into Windows 7. We recommend you take full advantage of the Previous Versions tool as it will save you headaches down the road.