Will installing Windows 7 or 8 clean or fix a rootkit infected MBR?

Posted on 2013-10-30
Last Modified: 2016-11-23
Will doing a clean install of Windows 7 or 8 clean a PC that might be infected with an MBR rootkit?

The PC is a 2008 Dell laptop with either XP or Vista (I think Vista). The user might have a rootkit and doesn't want to take the time or expense of going through a cleaning which might not work anyway.

Wondering if installing Win 7 cleanly would also write a new MBR or is fdisk /MBR needed?

If only fdisk /MBR will do it, maybe the better option is to do the fdisk and then use the Dell restore partition to get it back to original shipping-condition, perform all updates, reinstalls, etc etc.
Question by: RickNCN

Assisted Solution
by: Giovanni Heward
ID: 39611910
It depends on whether or not the MBR is cleaned prior to the reinstall.  

Take a look at http://www2.gmer.net/mbr/mbr.exe and http://www2.gmer.net/gmer.zip

To fix the MBR:

1. Open a Windows Recovery Console
• For Windows XP: Installing and using the Recovery Console in Windows XP
• For Windows Vista: System Recovery Options in Windows Vista
• For Windows 7: System Recovery Options in Windows 7

2. Use the tool BOOTREC.exe to fix the MBR as in:

bootrec.exe /fixmbr

More information about using the tool BOOTREC.exe available here.

3. Restart the computer and you can then scan the system to remove any remaining malware.
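An added example, not code from this thread or from any tool the thread links to: a short Python script that parses a 512-byte MBR sector, diffs it against a known-good copy, and models what bootrec /fixmbr does, namely replace the boot code while leaving the partition table in place (Microsoft documents that /fixmbr does not overwrite the existing partition table; the model here is a simplification and is not the real tool). The two sample sectors are constructed stand-ins with the same NTFS partition table and different boot code; the function names, constants and sample bytes are my own assumptions, not Microsoft boot code and not any real bootkit.

```python
"""Parse a 512-byte MBR, diff it against a known-good copy, and model
``bootrec /fixmbr``.  Added example, not code from the original thread.
The sample sectors are CONSTRUCTED stand-ins: generic prologue bytes, not
Microsoft's real boot code and not any real bootkit."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: the executable boot code
DISK_SIG_OFF = 440       # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
BOOT_SIG_OFF = 510       # bytes 510..511: 0x55AA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, n_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:          # empty slot
            continue
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": n_sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def diff_mbr(reference: bytes, sample: bytes) -> dict:
    """Report which MBR regions of `sample` differ from a known-good `reference`."""
    ref, smp = parse_mbr(reference), parse_mbr(sample)
    return {
        "boot_code_modified": ref["boot_code_sha256"] != smp["boot_code_sha256"],
        "partition_table_modified":
            reference[PART_TABLE_OFF:BOOT_SIG_OFF] != sample[PART_TABLE_OFF:BOOT_SIG_OFF],
        "disk_signature_modified": ref["disk_signature"] != smp["disk_signature"],
    }


def rewrite_boot_code(reference: bytes, sample: bytes) -> bytes:
    """Simplified model of bootrec /fixmbr: drop known-good boot code into
    `sample` while leaving its disk signature and partition table untouched."""
    parse_mbr(reference)
    parse_mbr(sample)
    return reference[:BOOT_CODE_LEN] + sample[BOOT_CODE_LEN:]


def build_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a sector from parts; only used to construct the sample data below."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, n)
        for status, ptype, lba, n in partitions).ljust(64, b"\x00")
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + struct.pack("<I", disk_sig)
            + b"\x00\x00" + table + b"\x55\xaa")


# Constructed sample data (assumption): one bootable NTFS partition at LBA 2048.
PARTITIONS = [(0x80, 0x07, 2048, 500_000)]
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"   # xor ax,ax / mov ss,ax / mov sp,0x7c00
HOOKED_BOOT_CODE = b"\xea\x00\x7c\x00\x00"          # jmp far 0000:7C00, stands in for a hook
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, 0x1234ABCD, PARTITIONS)
HOOKED_MBR = build_mbr(HOOKED_BOOT_CODE, 0x1234ABCD, PARTITIONS)

if __name__ == "__main__":
    print("hooked vs clean:", diff_mbr(CLEAN_MBR, HOOKED_MBR))
    fixed = rewrite_boot_code(CLEAN_MBR, HOOKED_MBR)
    print("after fixmbr model:", diff_mbr(CLEAN_MBR, fixed))
```

Against the sample data the first diff reports only boot_code_modified, which is exactly the case a partition-table-only check would miss: the NTFS partition is still there and still bootable, so an installer that only repartitions and formats has no reason to rewrite bytes 0..439. To run this against a real machine, read the first 512 bytes of the disk from a rescue medium (for example `dd if=/dev/sda bs=512 count=1` on Linux, or opening `\\.\PhysicalDrive0` in binary mode as Administrator on Windows) and pass them to diff_mbr together with a sector dumped from a known-clean machine running the same Windows version.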
 
Assisted Solution
by: aadih
ID: 39611914
Clean install should do it.  

Microsoft and some others advise that a reinstall is overkill.  Please read the following informative article about this issue:

http://www.computerworld.com/s/article/9218062/Microsoft_clarifies_MBR_rootkit_removal_advice

And then decide.
Author Comment
by: RickNCN
ID: 39612020
x66_x72_x65_x65, you say, "It depends on whether or not the MBR is cleaned prior to the reinstall." But my question is specific in asking whether only a Windows 7 or 8 clean install does that. So, reading into your statement, I'd conclude that a Windows installation by itself won't fix an MBR. In other words, the install/setup process doesn't touch the MBR.


aadih, you say a Windows install "should" do it. The article says this:
"If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state," Feng wrote on an updated blog yesterday.
That indicates specific manual MBR cleaning through the recovery console is needed before installing Windows again.

Am I getting it right?
Assisted Solution
by: aadih
ID: 39612104
That's what I believe (about reinstall). Although at one time I cleaned a particular rootkit and all was okay. At another time fixing the MBR was sufficient. Without trying, it's difficult to say what will work and what not.
Accepted Solution
by: Giovanni Heward
ID: 39612175
@RickNCN

My advice would be to write 0's to your hard drive, reinstall the Dell recovery partition (if desired), reinstall your OS from trusted media, install the latest updates, and create a backup image at that point, prior to installing any 3rd party software.  Flashing your BIOS and peripheral firmware (prior to OS reinstall) are additional steps which could be considered.

Once your OS is patched to date, I recommend you create a dedicated virtual machine (via VirtualBox, VMware, etc.) which is used for all Internet based interactions, including viewing documents and other Internet based downloads.  Consider this a DMZ for your endpoint, when properly configured to have its own isolated network.  When a reinfection occurs you can simply snapshot your Internet OS back to a known clean state, without affecting your primary OS.

However, if you want to subscribe to the Pareto principle (also known as the 80–20 rule)--- meaning what 20% effort would wipe out 80% of the threats, then I would suggest you 1) clean the MBR as described above, and 2) reinstall the OS with trusted media, while removing the existing NTFS partition(s) as part of the install process.

My advice is well founded over many years of working with malware.  It's too easy to create a dropper which is not yet detectable by traditional signature-based scanners.  Meaning that while the payload could be detected and removed, the dropper could potentially remain and could easily be designed to lie dormant for a period of time in the event disinfection is detected.  This would make it particularly difficult to detect (especially if the dropper lives in compromised firmware).

For the most part, wiping clean and reinstalling actually saves time in the long run.  For many years I didn't like this advice, I would view "format/reinstall" advice as a reflection of inadequate technical savvy.  What's interesting is that paradigm has shifted to reflect the opposite.  As my technical understanding deepens, from a penetration tester/malware developer mindset, this has given way to the advice I present above.
Author Closing Comment
by: RickNCN
ID: 39612225
Very good, I think that answers it fairly definitively. Thanks for the explanation!