Microsoft clarifies MBR rootkit removal advice
There is a follow-up to the above post. While some malware researchers believe that it may be possible to remove this rootkit infection by overwriting the MBR and then running an AV scan, at least one researcher is not so sure. And Microsoft has changed its earlier position slightly.
Joe Stewart, director of malware research at Dell SecureWorks, said that reinstalling Windows was the only way to ensure that MBR rootkits and the additional malware they install are completely removed.
"Once you're infected, the best advice is to [reinstall] Windows and start over," said Stewart. "[MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position."
Marco Giuliani, the Webroot threat research analyst who published his own analysis of Popureb, cautioned that users may end up having to reinstall Windows after all.
"What is really a nightmare is that [Popureb] looks like it has bugs and sometimes it hangs the system during the reboot stage," Giuliani wrote on the Webroot blog. "This could become a problem that would require you to perform a full system reinstall."
In a follow-up statement today, Microsoft seemed to acknowledge that users could encounter problems with the MMPC advice, and may need to restore their PC from a recent backup.
"Microsoft recommends that customers whose systems are infected with Trojan:Win32/Popureb.E contact Microsoft PCSafety, who can help them identify and remove malware from their systems," said Jerry Bryant, general manager with Microsoft's Trustworthy Computing group, in an e-mailed statement. "While using the recovery console to address Master Boot Record (MBR) issues is not designed to affect personal files, we continue to recommend customers practice reasonable back-up processes."