Solved

Will installing Windows 7 or 8 clean or fix a rootkit infected MBR?

Posted on 2013-10-30
2,049 Views
Last Modified: 2016-11-23
Will doing a clean install of Windows 7 or 8 clean a pc that might be infected with a MBR rootkit?

The PC is a 2008 Dell Laptop with either XP or Vista (I think Vista). The user might have a rootkit and doesn't want to take the time or expense of going through a cleaning which might not work anyway.

Wondering if installing Win 7 cleanly would also write a new MBR or is fdisk /MBR needed?

If only fdisk /MBR will do it, maybe the better option is to do the fdisk and then use the Dell restore partition to get it back to original shipping-condition, perform all updates, reinstalls, etc etc.
Question by:RickNCN
6 Comments
 
LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 1600 total points
ID: 39611910
It depends on whether or not the MBR is cleaned prior to the reinstall.  

Take a look at http://www2.gmer.net/mbr/mbr.exe and http://www2.gmer.net/gmer.zip

To fix the MBR:

1. Open a Windows Recovery Console
• For Windows XP: Installing and using the Recovery Console in Windows XP
• For Windows Vista: System Recovery Options in Windows Vista
• For Windows 7: System Recovery Options in Windows 7

2. Use the tool BOOTREC.exe to fix the MBR as in:

bootrec.exe /fixmbr

More information about using the tool BOOTREC.exe available here.

3. Restart the computer and you can then scan the system to remove any remaining malware.
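The recovery-console steps above rewrite the MBR but give no direct evidence of what changed. As an added example (not code from this thread), the following Python checks a raw 512-byte MBR image against a known-good capture: it validates the 0x55AA boot signature, parses the four partition table entries, and hashes the 446-byte boot code region that MBR rootkits overwrite. The MBR images below are constructed inline; on a real machine you would capture the first sector of the disk with an imaging tool before and after running bootrec.exe /fixmbr and compare the two captures.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0-445: boot code, the part a bootkit replaces
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510-511 must be 55 AA for the BIOS to boot it


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into boot-code hash, partition table and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": parts,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Report what differs between a known-good MBR capture and a later one."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not b["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code (bytes 0-445) differs from baseline")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test image: one bootable NTFS-type (0x07) partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    table = entry + b"\0" * 48  # remaining three slots unused
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table + BOOT_SIGNATURE


# Constructed captures: NOP filler stands in for real boot code, not an actual bootstrap.
BASELINE_MBR = build_sample_mbr(b"\x90" * 16)
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + b"\x90" * 14)  # boot code altered, table intact

if __name__ == "__main__":
    print(compare_mbr(BASELINE_MBR, TAMPERED_MBR))
```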
 
LVL 24

Assisted Solution

by:aadih
aadih earned 400 total points
ID: 39611914
Clean install should do it.  

Microsoft and some others advise that a reinstall is overkill.  Please read the following informative article about this issue:

http://www.computerworld.com/s/article/9218062/Microsoft_clarifies_MBR_rootkit_removal_advice

And then decide.
 

Author Comment

by:RickNCN
ID: 39612020
x66_x72_x65_x65, you say, "It depends on whether or not the MBR is cleaned prior to the reinstall." But my question is specific in asking whether only a Windows 7 or 8 clean install will do that. So, reading into your statement, I'd conclude that a Windows installation by itself won't fix an MBR. In other words, the install/setup process doesn't touch the MBR.


aadih, you say a Windows install "should" do it. The article says this:
"If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state," Feng wrote on an updated blog yesterday.
That indicates specific manual MBR cleaning through the recovery console is needed before installing Windows again.

Am I getting it right?
 
LVL 24

Assisted Solution

by:aadih
aadih earned 400 total points
ID: 39612104
That's what I believe (about reinstall). Although at one time I cleaned a particular rootkit and all was okay. At another time fixing the MBR was sufficient. Without trying, it's difficult to say what will work and what will not.
 
LVL 15

Accepted Solution

by:
Giovanni Heward earned 1600 total points
ID: 39612175
@RickNCN

My advice would be to write 0's to your hard drive, reinstall the Dell recovery partition (if desired), reinstall your OS from trusted media, install the latest updates, and create a backup image at that point, prior to installing any 3rd party software.  Flashing your BIOS and peripheral firmware (prior to OS reinstall) are additional steps which could be considered.

Once your OS is patched to date, I recommend you create a dedicated virtual machine (via VirtualBox, VMware, etc.) which is used for all Internet based interactions, including viewing documents and other Internet based downloads.  Consider this a DMZ for your endpoint, when properly configured to have its own isolated network.  When a reinfection occurs you can simply snapshot your Internet OS back to a known clean state, without affecting your primary OS.

However, if you want to subscribe to the Pareto principle (also known as the 80–20 rule), meaning what 20% of effort would wipe out 80% of the threats, then I would suggest you 1) clean the MBR as described above, and 2) reinstall the OS with trusted media, while removing the existing NTFS partition(s) as part of the install process.

My advice is well founded over many years of working with malware.  It's too easy to create a dropper which is not yet detectable by traditional signature based scanners.  Meaning, that while the payload could be detected and removed, the dropper could potentially remain and could easily be designed to lie dormant for a period of time in the event disinfection is detected.  This would make it particularly difficult to detect (especially if the dropper lives in compromised firmware).

For the most part, wiping clean and reinstalling actually saves time in the long run.  For many years I didn't like this advice, I would view "format/reinstall" advice as a reflection of inadequate technical savvy.  What's interesting is that paradigm has shifted to reflect the opposite.  As my technical understanding deepens, from a penetration tester/malware developer mindset, this has given way to the advice I present above.
 

Author Closing Comment

by:RickNCN
ID: 39612225
Very good, I think that answers it fairly definitively. Thanks for the explanation!