Solved

Will installing Windows 7 or 8 clean or fix a rootkit infected MBR?

Posted on 2013-10-30
6
1,955 Views
Last Modified: 2016-11-23
Will doing a clean install of Windows 7 or 8 clean a pc that might be infected with a MBR rootkit?

The PC is a 2008 Dell Laptop with either XP or Vista. ( I think Vista). The user might have a rootkit and doesn't want to take the time or expense of going through a cleaning which might not work anyway.

Wondering if installing Win 7 cleanly would also write a new MBR or is fdisk /MBR needed?

If only fdisk /MBR will do it, maybe the better option is to do the fdisk and then use the Dell restore partition to get it back to original shipping-condition, perform all updates, reinstalls, etc etc.
Question by: RickNCN
6 Comments
 
LVL 15

Assisted Solution

by: Giovanni Heward
Giovanni Heward earned 400 total points
ID: 39611910
It depends on whether or not the MBR is cleaned prior to the reinstall.  

Take a look at http://www2.gmer.net/mbr/mbr.exe and http://www2.gmer.net/gmer.zip

To fix the MBR:

1. Open a Windows Recovery Console
• For Windows XP: Installing and using the Recovery Console in Windows XP
• For Windows Vista: System Recovery Options in Windows Vista
• For Windows 7: System Recovery Options in Windows 7

2. Use the tool BOOTREC.exe to fix the MBR as in:

bootrec.exe /fixmbr

More information about using the tool BOOTREC.exe available here.

3. Restart the computer and you can then scan the system to remove any remaining malware.
 
LVL 24

Assisted Solution

by: aadih
aadih earned 100 total points
ID: 39611914
Clean install should do it.  

Microsoft and some others advise that a reinstall is overkill. Please read the following informative article about this issue:

http://www.computerworld.com/s/article/9218062/Microsoft_clarifies_MBR_rootkit_removal_advice

And then decide.
 

Author Comment

by: RickNCN
ID: 39612020
x66_x72_x65_x65, you say, "It depends on whether or not the MBR is cleaned prior to the reinstall." But my question is specific in asking whether only a Windows 7 or 8 clean install does that. So, reading into your statement, I'd conclude that a Windows installation by itself won't fix an MBR. In other words, the install/setup process doesn't touch the MBR.


aadih, you say a Windows install "should" do it. The article says this:
"If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state," Feng wrote on an updated blog yesterday.
That indicates specific manual MBR cleaning through the recovery console is needed before installing Windows again.

Am I getting it right?
 
LVL 24

Assisted Solution

by: aadih
aadih earned 100 total points
ID: 39612104
That's what I believe (about reinstall). Although at one time I cleaned a particular rootkit and all was okay. At another time fixing the MBR was sufficient. Without trying, it's difficult to say what will work and what won't.
 
LVL 15

Accepted Solution

by: Giovanni Heward
Giovanni Heward earned 400 total points
ID: 39612175
@RickNCN

My advice would be to write 0's to your hard drive, reinstall the Dell recovery partition (if desired), reinstall your OS from trusted media, install the latest updates, and create a backup image at that point, prior to installing any 3rd party software. Flashing your BIOS and peripheral firmware (prior to OS reinstall) are additional steps which could be considered.

Once your OS is patched to date, I recommend you create a dedicated virtual machine (via VirtualBox, VMware, etc.) which is used for all Internet-based interactions, including viewing documents and other Internet-based downloads. Consider this a DMZ for your endpoint, when properly configured to have its own isolated network. When a reinfection occurs you can simply snapshot your Internet OS back to a known clean state, without affecting your primary OS.

However, if you want to subscribe to the Pareto principle (also known as the 80-20 rule), meaning what 20% effort would wipe out 80% of the threats, then I would suggest you 1) clean the MBR as described above, and 2) reinstall the OS with trusted media, while removing the existing NTFS partition(s) as part of the install process.

My advice is well founded over many years of working with malware. It's too easy to create a dropper which is not yet detectable by traditional signature-based scanners. Meaning that while the payload could be detected and removed, the dropper could potentially remain and could easily be designed to lie dormant for a period of time in the event disinfection is detected. This would make it particularly difficult to detect (especially if the dropper lives in compromised firmware).

For the most part, wiping clean and reinstalling actually saves time in the long run. For many years I didn't like this advice; I would view "format/reinstall" advice as a reflection of inadequate technical savvy. What's interesting is that paradigm has shifted to reflect the opposite. As my technical understanding deepens, from a penetration tester/malware developer mindset, this has given way to the advice I present above.
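An added example, not written by any of the posters and not taken from the gmer tools linked in the first answer, that ties the two pieces of advice together: the first answer points at mbr.exe to inspect the MBR, and the accepted answer recommends capturing a known-clean state right after the reinstall. The Python below parses a raw 512-byte MBR sector, hashes the 440-byte bootstrap-code area (the part a bootkit overwrites), decodes the partition table, and compares both against a baseline recorded from the clean install. The sample sectors, the disk signature 0x1234ABCD and the partition geometry are constructed values; `read_first_sector` is only the hook for a real run and is not called.

```python
"""Baseline-and-compare check for a disk's Master Boot Record.

Added example: parse a raw 512-byte MBR, hash the bootstrap code area,
decode the partition table, and diff the result against a baseline taken
from a known-clean install. The sample sectors below are constructed here.
"""
import hashlib
import json
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: bootstrap code (what a bootkit replaces)
DISK_SIG_OFFSET = 440          # bytes 440..443: Windows disk signature
PART_TABLE_OFFSET = 446        # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return the bootstrap-code hash, disk signature and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:          # type 0x00 marks an unused slot
            continue
        partitions.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "partitions": partitions,
    }


def compare_to_baseline(current: dict, baseline: dict) -> list:
    """List the fields that changed since the baseline; an empty list means no change."""
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a raw device or a disk image file (not called in this demo)."""
    # Windows device path would be \\.\PhysicalDrive0 (administrator rights needed);
    # on Linux something like /dev/sda. A dd image of the disk works the same way.
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code, a made-up disk signature, one NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD)       # arbitrary sample value
    reserved = b"\x00\x00"
    ntfs = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                       b"\xFE\xFF\xFF", 2048, 204800)
    empty = b"\x00" * 16
    return code + disk_sig + reserved + ntfs + empty * 3 + BOOT_SIGNATURE


def demo() -> list:
    """Baseline a clean sector, then check a sector whose boot code was altered."""
    baseline = parse_mbr(build_sample_mbr(b"\xEB\x63\x90CLEAN-LOADER"))
    # The baseline is what you would store (e.g. as JSON) right after the reinstall.
    stored = json.loads(json.dumps(baseline))
    # Same partition table, different bootstrap code: the pattern an MBR bootkit leaves.
    later = parse_mbr(build_sample_mbr(b"\xEB\x63\x90OTHER-LOADER"))
    return compare_to_baseline(later, stored)


if __name__ == "__main__":
    for finding in demo() or ["MBR matches baseline"]:
        print(finding)
```

This only compares a sector against a stored baseline, so it answers "has the MBR changed since the clean install?" rather than "is the MBR clean?"; tools such as the linked mbr.exe go further by comparing the sector as read through the running OS with the bytes actually on disk, which is how a rootkit hooking disk reads gets caught. Note also that the 440-byte hash will legitimately change when you reinstall Windows or run bootrec /fixmbr, so record a new baseline after any such step.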
 

Author Closing Comment

by: RickNCN
ID: 39612225
Very good, I think that answers it fairly definitively. Thanks for the explanation!
