MBR rootkits don’t mean you have to wipe the drive

Last Updated on November 30, 2015 by Dave Farquhar

There’s a nasty rumor going around that if your computer gets infected with the Popureb rootkit, your only recourse is to wipe your MBR, reformat your hard drive, and reinstall (or run your factory recovery disk, which is essentially the same thing).

Not so fast.

Boot with a live CD, such as BitDefender's rescue disc, to clean the rest of the system and lessen the chances of immediate reinfection. Then boot a live CD that contains TestDisk (such as Recovery Is Possible, Parted Magic, or Knoppix). Open a terminal window. Run fdisk -l to view your partition table one last time, and make note of what partitions are there. Wipe out your MBR (the command dd if=/dev/zero of=/dev/sda bs=512 count=1 will do the trick; the target is the whole disk, /dev/sda, because the MBR is sector 0 of the disk, whereas /dev/sda1 is the first partition's own boot sector). Zeroing that sector takes the partition table with it, so then run TestDisk to recover your partitions and rebuild a clean MBR.
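The steps above are, at bottom, operations on the first 512 bytes of the disk. The following Python is an added example, not Dave's procedure and not code from any tool named on the page: it parses the partition table the way fdisk -l displays it, compares the boot code against a trusted backup, and takes a less destructive route than the dd command above by zeroing only the 446 bytes of boot code (the part a bootkit like Popureb overwrites) while leaving the partition table and 0x55AA signature intact, so only the boot code has to be reinstalled afterwards. The sample MBR is constructed inline and the demonstration runs against a throwaway image file; the /dev/sda path in the comment is hypothetical.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

SECTOR = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code, the part an MBR rootkit patches
TABLE_OFFSET = 446            # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"       # bytes 510..511: boot signature


def parse_mbr(sector: bytes) -> dict:
    """Return a hash of the boot code plus the non-empty partition entries.

    Entry layout (little-endian): status(1) CHS-start(3) type(1) CHS-end(3)
    LBA-start(4) sector-count(4). CHS fields are skipped; modern tools use LBA.
    """
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # unused slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def boot_code_changed(sector: bytes, known_good: bytes) -> bool:
    """True if the boot code differs from a trusted backup; the table itself may legitimately differ."""
    return sector[:BOOT_CODE_LEN] != known_good[:BOOT_CODE_LEN]


def clean_boot_code(sector: bytes) -> bytes:
    """Zero the boot code only; partition table and signature are kept intact."""
    parse_mbr(sector)  # validates length and signature before anything is touched
    return bytes(BOOT_CODE_LEN) + sector[BOOT_CODE_LEN:]


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: stand-in boot code and one bootable NTFS partition (type 0x07)."""
    boot = bytes(range(256)) + bytes(range(190))   # 446 bytes of non-trivial stand-in boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot + entry + bytes(48) + SIGNATURE     # three empty slots follow the single entry


def backup_and_clean(image_path: str, backup_path: str) -> dict:
    """Save the original first sector, then write the cleaned sector back. Returns the parsed table."""
    path = Path(image_path)
    with path.open("rb") as f:
        original = f.read(SECTOR)
    Path(backup_path).write_bytes(original)          # keep the suspect sector for later analysis
    cleaned = clean_boot_code(original)
    with path.open("r+b") as f:                      # r+b rewrites sector 0 without truncating the image
        f.seek(0)
        f.write(cleaned)
    return parse_mbr(cleaned)


if __name__ == "__main__":
    # Demonstration on a throwaway disk image; a real run would point at /dev/sda (hypothetical path).
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "disk.img"
        image.write_bytes(build_sample_mbr() + bytes(4096))
        before = parse_mbr(image.read_bytes()[:SECTOR])
        after = backup_and_clean(str(image), str(Path(d) / "mbr.bak"))
        print("partitions before:", before["partitions"])
        print("partitions after: ", after["partitions"])
        print("boot code rewritten:", boot_code_changed(image.read_bytes()[:SECTOR], build_sample_mbr()))
```

Keeping the backup is deliberate: the original 512 bytes are the evidence of what the rootkit installed, and boot_code_changed lets you confirm at any later point that the sector still matches whatever clean copy you wrote afterwards.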

There may be no way to do the recovery using Microsoft’s own tools–though I suspect the Standalone System Sweeper will be capable of doing it, if you can get it to give you a command prompt so you can run fixmbr–but recovering from an infected MBR isn’t terribly difficult, as long as you don’t mind resorting to Linux-based tools. And even if you are averse to Linux, if you don’t mind DOS, you can use MBRWork instead. Have it back up the first sector, then have it delete the boot record. Then it gives you an option to recover partitions. Run that, then run the option that installs the standard MBR code.

But I prefer Linux these days for this kind of work, since there are so many first-rate disk tools available for it now.

If you need a more thorough walk-through explaining how to clean the MBR and recover partitions, I cover that in more detail here.


One thought on “MBR rootkits don’t mean you have to wipe the drive”

  • June 29, 2011 at 10:27 pm

    Dave-
    I sure do appreciate all the useful information you provide; it has saved me a lot of trouble more than once.
