Solved

Will installing Windows 7 or 8 clean or fix a rootkit infected MBR?

Posted on 2013-10-30
Last Modified: 2016-11-23
Will doing a clean install of Windows 7 or 8 clean a pc that might be infected with a MBR rootkit?

The PC is a 2008 Dell Laptop with either XP or Vista. ( I think Vista). The user might have a rootkit and doesn't want to take the time or expense of going through a cleaning which might not work anyway.

Wondering if installing Win 7 cleanly would also write a new MBR or is fdisk /MBR needed?

If only fdisk /MBR will do it, maybe the better option is to do the fdisk and then use the Dell restore partition to get it back to original shipping-condition, perform all updates, reinstalls, etc etc.
Question by:RickNCN
6 Comments
 
LVL 14

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 400 total points
It depends on whether or not the MBR is cleaned prior to the reinstall.  

Take a look at http://www2.gmer.net/mbr/mbr.exe and http://www2.gmer.net/gmer.zip

To fix the MBR:

1. Open a Windows Recovery Console
• For Windows XP: Installing and using the Recovery Console in Windows XP
• For Windows Vista: System Recovery Options in Windows Vista
• For Windows 7: System Recovery Options in Windows 7

2. Use the tool BOOTREC.exe to fix the MBR as in:

bootrec.exe /fixmbr

More information about using the tool BOOTREC.exe available here.

3. Restart the computer and you can then scan the system to remove any remaining malware.
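A defender-side check to complement the fixmbr steps above, added here as an example and not code from the original thread: parse a 512-byte MBR image, verify its 0x55AA signature, list the partition entries, and compare the SHA-256 of the 446-byte bootstrap code against a baseline hash captured right after a clean bootrec /fixmbr. The sample MBRs are constructed, and the device path is an assumption; read the sector from recovery or live media, since a kernel-level rootkit can filter what the running OS sees.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446        # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"   # boot signature at bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Validate an MBR sector and return its bootcode hash and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs0, ptype, _chs1, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:  # type 0x00 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {"bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_against_baseline(mbr: bytes, baseline_hash: str) -> bool:
    """True if the bootstrap code matches the hash recorded after a clean fixmbr."""
    return parse_mbr(mbr)["bootcode_sha256"] == baseline_hash


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a raw device (assumed path, e.g. r'\\.\PhysicalDrive0' or /dev/sda)."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr(bootcode_fill: int) -> bytes:
    """Constructed sample MBR (not a real disk image): uniform bootcode, one NTFS partition."""
    bootcode = bytes([bootcode_fill]) * BOOTCODE_LEN
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return bootcode + entry + b"\0" * 48 + SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr(0x00)
    baseline = parse_mbr(clean)["bootcode_sha256"]
    print("clean matches baseline:", check_against_baseline(clean, baseline))
    print("tampered matches baseline:", check_against_baseline(build_sample_mbr(0x90), baseline))
```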
 
LVL 24

Assisted Solution

by:aadih
aadih earned 100 total points
Clean install should do it.  

Microsoft and some others advise that a reinstall is overkill.  Please read the following informative article about this issue:

< http://www.computerworld.com/s/article/9218062/Microsoft_clarifies_MBR_rootkit_removal_advice >

And then decide.
 

Author Comment

by:RickNCN
x66_x72_x65_x65, you say, "It depends on whether or not the MBR is cleaned prior to the reinstall." But my question is specific in asking whether only a Windows 7 or 8 clean install does that. So, reading into your statement, I'd conclude that a Windows installation by itself won't fix an MBR. In other words, the install/setup process doesn't touch the MBR.


aadih, you say a Windows install "should" do it. The article says this:
"If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state," Feng wrote on an updated blog yesterday.
That indicates specific manual MBR cleaning through the recovery console is needed before installing Windows again.

Am I getting it right?
 
LVL 24

Assisted Solution

by:aadih
aadih earned 100 total points
That's what I believe (about reinstall). Although at one time I cleaned a particular rootkit and all was okay. At another time fixing the MBR was sufficient. Without trying, it's difficult to say what will work and what will not.
 
LVL 14

Accepted Solution

by:Giovanni Heward
Giovanni Heward earned 400 total points
@RickNCN

My advice would be to write 0's to your hard drive, reinstall the Dell recovery partition (if desired), reinstall your OS from trusted media, install latest updates, and create a backup image at that point, prior to installing any 3rd party software.  Flashing your BIOS and peripheral firmware (prior to OS reinstall) are additional steps which could be considered.

Once your OS is patched to date, I recommend you create a dedicated virtual machine (via VirtualBox, VMware, etc.) which is used for all Internet based interactions, including viewing documents and other Internet based downloads.  Consider this a DMZ for your endpoint, when properly configured to have its own isolated network.  When a reinfection occurs you can simply snapshot your Internet OS back to a known clean state, without affecting your primary OS.

However, if you want to subscribe to the Pareto principle (also known as the 80-20 rule), meaning what 20% effort would wipe out 80% of the threats, then I would suggest you 1) clean the MBR as described above, and 2) reinstall the OS with trusted media, while removing the existing NTFS partition(s) as part of the install process.

My advice is well founded over many years of working with malware.  It's too easy to create a dropper which is not yet detectable by traditional signature based scanners.  Meaning, that while the payload could be detected and removed, the dropper could potentially remain and could easily be designed to lie dormant for a period of time in the event disinfection is detected.  This would make it particularly difficult to detect (especially if the dropper lives in compromised firmware).

For the most part, wiping clean and reinstalling actually saves time in the long run.  For many years I didn't like this advice; I would view "format/reinstall" advice as a reflection of inadequate technical savvy.  What's interesting is that paradigm has shifted to reflect the opposite.  As my technical understanding deepens, from a penetration tester/malware developer mindset, this has given way to the advice I present above.
 

Author Closing Comment

by:RickNCN
Very good, I think that answers it fairly definitively. Thanks for the explanation!