Solved

Will installing Windows 7 or 8 clean or fix a rootkit infected MBR?

Posted on 2013-10-30
6
1,923 Views
Last Modified: 2016-11-23
Will doing a clean install of Windows 7 or 8 clean a pc that might be infected with a MBR rootkit?

The PC is a 2008 Dell Laptop with either XP or Vista. ( I think Vista). The user might have a rootkit and doesn't want to take the time or expense of going through a cleaning which might not work anyway.

Wondering if installing Win 7 cleanly would also write a new MBR or is fdisk /MBR needed?

If only fdisk /MBR will do it, maybe the better option is to do the fdisk and then use the Dell restore partition to get it back to original shipping-condition, perform all updates, reinstalls, etc etc.
0
Comment
Question by:RickNCN
  • 2
  • 2
  • 2
6 Comments
 
LVL 14

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 400 total points
ID: 39611910
It depends on whether or not the MBR is cleaned prior to the reinstall.  

Take a look at http://www2.gmer.net/mbr/mbr.exe and http://www2.gmer.net/gmer.zip

To fix the MBR:

1. Open a Windows Recovery Console
• For Windows XP: Installing and using the Recovery Console in Windows XP
• For Windows Vista: System Recovery Options in Windows Vista
• For Windows 7: System Recovery Options in Windows 7

2. Use the tool BOOTREC.exe to fix the MBR as in:

bootrec.exe /fixmbr

More information about using the tool BOOTREC.exe available here.

3. Restart the computer and you can then scan the system to remove any remaining malware.
0
 
LVL 24

Assisted Solution

by:aadih
aadih earned 100 total points
ID: 39611914
Clean install should do it.  

Microsoft's and some others advise that a reinstall is an overkill.  Please read the following informative article about this issue:

http://www.computerworld.com/s/article/9218062/Microsoft_clarifies_MBR_rootkit_removal_advice >

And then decide.
0
 

Author Comment

by:RickNCN
ID: 39612020
x66_x72_x65_x65, you say, "It depends on whether or not the MBR is cleaned prior to the reinstall.  " But my question is specific in asking whether only a Windows 7 or 8 clean install do that. So, reading into your statement, I'd conclude that a Windows installation by itself won't fix an MBR. In other words, the install/setup process doesn't touch the MBR.


aadih, you say a Windows install "should" do it. The article says this:
"If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state," Feng wrote on an updated blog yesterday.
That indicates specific manual MBR cleaning through the recovery console is needed before installing Windows again.

Am I getting it right?
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 24

Assisted Solution

by:aadih
aadih earned 100 total points
ID: 39612104
That' what I believe (about reinstall). Although at one time I cleaned a particular rootkit and all was okay. At another time fixing the MBR was sufficient. Without trying, it's difficult to say what will work and what not?
0
 
LVL 14

Accepted Solution

by:
Giovanni Heward earned 400 total points
ID: 39612175
@RickNCN

My advise would be to write 0's to your hard drive, reinstall the dell recovery partition (if desired), reinstall your OS from trusted media, install latest updates, and create a backup image at that point, prior to installing any 3rd party software.  Flashing your BIOS and peripheral firmware (prior to OS reinstall) are additional steps which could be considered.

Once your OS is patched to date, I recommend you create a dedicated virtual machine (via VirtualBox, VMware, etc.) which is used for all Internet based interactions, including viewing documents and other Internet based downloads.  Consider this a DMZ for your endpoint, when properly configured to have it's own isolated network.  When a reinfection occurs you can simply snapshot your Internet OS back to a known clean state, without affecting your primary OS.

However, if you want to subscribe to the Pareto principle (also known as the 80–20 rule)--- meaning what 20% effort would wipe out 80% of the threats, then I would suggest you 1) clean the MBR as described above, and 2) reinstall the OS with trusted media, while removing the existing NTFS partition(s) as part of the install process.

My advise is well founded over many years of working with malware.  It's too easy to create a dropper which is not yet detectable by traditional signature based scanners.  Meaning, that while the payload could be detected and removed the dropper could potentially remain and could easily be designed to lay dormant for a period of time in the event disinfection is detected.  This would make it particularly difficult to detect (especially if the dropper lives in compromised firmware).

For the most part, wiping clean and reinstalling actually saves time in the long run.  For many years I didn't like this advice, I would view "format/reinstall" advice as a reflection of inadequate technical savvy.  What's interesting is that paradigm has shifted to reflect the opposite.  As my technical understanding deepens, from a penetration tester/malware developer mindset, this has given way to the advice I present above.
0
 

Author Closing Comment

by:RickNCN
ID: 39612225
Very good, I think that answers it fairly definitively. Thanks for the explanation!
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
EaseUS Todo back-up doing multiple versions? 8 36
Performance Issue Dell / HP Vmware SAP 18 64
Missing Restore Points on Windows 7 9 84
Error in script 11 45
First some basics on Windows 7 Backup.  It has 2 components one is a file based backup which is stored in .zip files each zip is split at around 200 Megabytes and there is the Image Backup which is as the name implies a total image of the partition …
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now