Skip the navigation

Microsoft clarifies MBR rootkit removal advice

June 30, 2011 02:07 PM ET

"When you fix the MBR, you pretty much expose the threat itself to other applications, including antivirus applications," said Thakur. "They can then pick up on the threat, and delete it."

Other researchers with Webroot and CA agreed with Thakur that Popureb could be removed without reinstalling Windows.

But an internationally-known botnet expert disagreed.

Joe Stewart, director of malware research at Dell SecureWorks, said that reinstalling Windows was the only way to insure that MBR rootkits and the additional malware they install are completely removed.

"Once you're infected, the best advice is to [reinstall] Windows and start over," said Stewart. "[MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position."

Marco Giuliani, the Webroot threat research analyst who published his own analysis of Popureb, cautioned that users may end up having to reinstall Windows after all.

"What is really a nightmare is that [Popureb] looks like it has bugs and sometimes it hangs the system during the reboot stage," Giuliani wrote on the Webroot blog. "This could become a problem that would require you to perform a full system reinstall."

In a follow-up statement today, Microsoft seemed to acknowledge that users could encounter problems with the MMPC advice, and may need to restore their PC from a recent backup.

"Microsoft recommends that customers whose systems are infected with Trojan:Win32/Popureb.E, contact Microsoft PCSafety, who can help them identify and remove malware from their systems," said Jerry Bryant, general manager of with Microsoft's Trustworthy Computing group, in an e-mailed statement. "While using the recovery console to address Master Boot Record (MBR) issues is not designed to affect personal files, we continue to recommend customers practice reasonable back-up processes."

PCSafety is a toll-free telephone support line that Microsoft operates for customers with malware-infection problems. The number in the U.S. is: 866-727-2338.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at Twitter @gkeizer or subscribe to Gregg's RSS feed Keizer RSS. His e-mail address is

Read more about Security in Computerworld's Security Topic Center.

Our Commenting Policies