Boot.Mebroot is a common detection used to identify a Master Boot Record (MBR) that has been infected by Trojan.Mebroot.
Other Alias: -
Threat Level: Low
Systems Affected: Windows - All
Source: Symantec
How to Remove Boot.Mebroot:
This page contains our suggested (by precisesecurity) removal procedure and visitors' own suggestions. We cannot control or evaluate each suggested procedure, so please use them at your own risk.
If no suggestion is present to remove virus, spyware, adware and malware, you may try the following:
- Scan for Boot.Mebroot with Malwarebytes' Anti-Malware
- Remove Boot.Mebroot with Standard Virus Scan
1. Start the computer using Windows Recovery Console:
- Insert the Windows XP CD-ROM into the CD-ROM drive.
- Restart the computer from the CD-ROM drive.
- Press R to start the Recovery Console when the “Welcome to Setup” screen appears.
- Select the installation that you want to access from the Recovery Console.
- Enter the administrator password and press Enter.
- Type the “fixmbr” command and press Enter.
(Follow the on-screen instructions to restore the Master Boot Record.)
2. Type “Exit” and press Enter when done. The computer will now restart automatically.
3. Temporarily Disable System Restore (For WinXP only)
- On the Desktop, right-click My Computer.
- Select the System Restore tab.
- Mark the “Turn Off System Restore” check box to disable it; unmark it to enable.
- Click Apply at the bottom of the dialog box to save the settings.
- A message “This deletes all existing restore points” will appear; click Yes to disable.
- Click OK.
Note: System Restore must be re-enabled after the cleaning process.
4. Update the virus definitions.
5. Reboot the computer in Safe Mode
- During boot-up (just before Windows starts), press F8 repeatedly until the selection menu appears.
- Use the Up and Down arrow keys to select Safe Mode on the selection menu.
6. Run a full system scan and clean/delete all infected file(s)
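To see what a repair such as fixmbr actually changed, compare sector 0 of the disk before and after it. The following is an added example, not part of the original page: it parses a 512-byte MBR dump, reports which MBR regions differ between two dumps, and lists disk ranges that no partition covers. The sample sectors, function names, disk size and gap threshold are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE = slice(0, 440)      # master boot code
DISK_SIG = slice(440, 446)     # 4-byte disk signature + 2 reserved bytes
PART_TABLE = slice(446, 510)   # four 16-byte partition entries
MAGIC = slice(510, 512)        # boot signature, must be 55 AA
REGIONS = {"boot_code": BOOT_CODE, "disk_signature": DISK_SIG,
           "partition_table": PART_TABLE, "boot_signature": MAGIC}


def parse_mbr(sector):
    """Return (sha256 of the boot code, list of used partition entries)."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    if sector[MAGIC] != b"\x55\xaa":
        raise ValueError("missing 55 AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 462 + 16 * i]
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and count != 0:
            parts.append({"index": i, "active": status == 0x80,
                          "type": ptype, "start": start, "end": start + count})
    return hashlib.sha256(sector[BOOT_CODE]).hexdigest(), parts


def changed_regions(before, after):
    """Names of the MBR regions whose bytes differ between two dumps."""
    return [name for name, s in REGIONS.items() if before[s] != after[s]]


def unpartitioned_gaps(parts, total_sectors, min_sectors=2048):
    """Sector ranges [start, end) outside every partition.

    min_sectors is an assumed threshold that hides the small gaps left by
    normal partition alignment (for example sectors 1-62 on XP-era disks).
    """
    gaps, cursor = [], 1                      # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] - cursor >= min_sectors:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["end"])
    if total_sectors - cursor >= min_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def sample_sector(boot_fill):
    """Constructed sector 0: filler boot code and one active type-0x07 partition."""
    sector = bytearray(SECTOR)
    sector[BOOT_CODE] = bytes([boot_fill]) * 440
    sector[DISK_SIG] = b"\x11\x22\x33\x44\x00\x00"
    sector[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 700_000)
    sector[MAGIC] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    # Constructed dumps: same partition table, different boot code.
    before, after = sample_sector(0xAA), sample_sector(0xBB)
    digest, parts = parse_mbr(after)
    print("boot code sha256:", digest)
    print("regions changed :", changed_regions(before, after))
    print("unpartitioned   :", unpartitioned_gaps(parts, total_sectors=1_000_000))
```

A boot-code hash that still differs from a known-good baseline after the repair, a changed partition table, or a large uncovered range at the end of the disk are the findings worth following up before trusting a clean scan.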
23 Responses for "Boot.Mebroot"
Hi,
My system files are not infected with Boot.Mebroot, but I downloaded a file which had it. I was suspicious of that file, so before I even clicked it I scanned it with Norton Antivirus. The updates were up to date. It showed that the file contained a virus. It was not resolving the issue. I deleted the file. But when I scan my system with Norton again, it still shows there and does not remove it. And yes… whenever I install Windows I turn off System Restore and it’s off from the beginning; that’s why I believe there are no infected files. Could you please help me with this? And is any information going out from my system?
I have Norton 2007 and ‘Outpost firewall’ installed on my system.
Sorry, I forgot to mention that it shows the Boot.Mebroot virus.
I have the same problem as Mackerz and I tried what precisesecurity suggested. However, when I typed in “fixmbr” - it came back with this:
Non-Standard or Invalid Master Boot Record.
Fixmbr may damage your partition table if you proceed.
This could cause all the partitions on the current hard drive to become inaccessible.
If you are not having problems accessing your hard drive - DO NOT CONTINUE.
What do I do now?
Please help - I’m desperate.
Thank you
Tinamarie
I had the virus, and did as described. The warning about the partitions, I think, is a possibility. ’Cause I have no problems accessing all my HDDs and partitions after fixing my MBR this way.
I hope I helped a little bit. Greetz from Holland
Hello. Clean Format, Clean Install of XPMCE and Norton. Install Zone Alarm, finally connect net cable and go to Norton’s Live Update, then boom, it finds it? I am on my third attempt to fix/remove it. Already did the fixmbr thing and I still get this threat. Could it be in my motherboard? BIOS? I’m using all factory install discs that should be safe? This is so frustrating :(
I have a long thread going on Symantec’s Norton forum about how I cannot remove this virus from my computer. Symantec’s Virus Removal Support that costs $99.99 couldn’t remove it. 30 HP techs from their paid support cannot remove it. I have done everything including erasing the hard drive, deleting all partitions, writing zeros to the hard drive and reformatting using HP disks. Norton’s virus removal tool that is specific to this virus does nothing. What next? I asked the service department at Fry’s about installing another hard drive and they said that they could try, but that the virus might be in the memory. Is that possible?
That’s just stupid. Memory is volatile, turn it off and there’s nothing left.
You HAVE to low level format the hard drive, not just quick format it.
Done properly, NOTHING survives a low level format.
A low level format doesn’t work either. I’ve tried everything as above and deleting partitions and full low level format, reinstalled Windows XP and the virus is still there. I’m also coming to a dead end with this one. Anyone actually managed to remove it?
Download the free 15 day trial Norton Anti-Virus 2009. It found Trojan.Mebroot and removed it. Sophos and the other forums gave all kinds of fancy, complex, lengthy repair steps.
And it didn’t cost anything, and no long list of programs you don’t know about that can tie up your registry and just be a pain. Safe and inexpensive.
Try to check the “Documents and Settings” file. The old installation files were still there when I thought a clean install would remove them. I deleted the old files then restored them to get my old address book file. When I restored them I got the alert and that Norton cleaned it up.
Be very careful if you do try to delete the old Documents and Settings subfiles - don’t get the current ones!! Check some of the files for what Favorites or Cookies are and compare them to what you recently have done on the Net. Also check the created date - they will be the older ones.
Now I’ll buy Norton - one virus was worth it. Plus it’s on sale at Office Max!
You can fdisk>Delete partitions then shut down the PC. Then after you start back up you can format. This wipes the memory and the disk. There’s no place for the code to live. Make sure there are no other removable drives/storage that could be an underground railroad for our little friend.
PITA, I know, but what are you gonna do?
This freakin’ Mebroot… I have thrown all I can at this, followed all these suggestions, and it keeps showing up on the next reboot. I’m at the end of my rope…
Yea! Me too! Format, low level, delete partition, restore MBR… reload XP…??? Still housing Boot.Mebroot. What if I don’t remove it… is there life after Mebroot?
I just spent 10 hours cleaning a system of Mebroot. The fix was actually not that bad in retrospect.
Use MBR.EXE from gmer.net to monitor your infection and cleaning. It is the only tool that can detect the infection plus the location of the actual virus executable code on the end of your hard disk sectors. The main goal is to eliminate it from your MBR.
I had to do a fresh boot (from power off) into a Windows XP CD for Recovery Console and then issue FIXMBR. The trick is to issue MAP to learn the name of your HD and then issue “FIXMBR \Device0\Harddisk0\” or whatever is appropriate. It should ask you Y/N to replace the MBR.
Then issue FIXBOOT.
I had a scare where it said Invalid Partition Table and would not boot like I lost my C drive. I knew the data was still there so I remained calm and did a FIXBOOT in Recovery Console and that fixed things.
Now the system seems OK where before it was thrashing the disk and copying furiously into HelpAssist profile.
Hope this helps someone.
Got this bitch on my netbook. Symptoms are: my computer completely freezes except for the cursor, and some process called “services.exe” sucks all the CPU. I’m actually browsing these forums on my iPod touch. :( Also, Norton tells me it’s resolved the problem, but this couldn’t be farther from the truth. My PC still freezes and a virus scan reveals the virus every time. I just ran their stupid tool and it told me that the virus wasn’t active on my PC. As my netbook doesn’t have a disk drive - is there a way to reload Windows from a USB drive?
We got to the part where it says to enter the admin password, but we don’t have one, and it wants one, and if we don’t enter one or type one like admin because there isn’t one, after 3 times it makes you restart. Any suggestions?
Warning - there is a version that creates a large “unallocated space” from which it seems that it copies things into the HelpAssistant directory, using a javascript HTM file with a random name. I formatted and reinstalled, and it was back along with other users that should have been wiped. The only way to clean it was to reassign the unallocated space as a partition, fixmbr on both partitions then reinstall clean. If you miss the unallocated space (mine was 23GB) it appears to survive formatting…. it is completely evil.
I have this friend living on my 2 computers, a netbook with Vista 32-bit and a desktop with Win XP. I formatted, scanned, did system recovery, prayed, I mean, did everything above, but nothing, it’s still there. I’m starting to think I need a new hard drive, but the thing is that I have a lot of data that I need. If it lets me burn to DVD, is there a huge possibility of the files getting infected? Or does it infect only the boot system files?
According to my friend who hasn’t finished his computer repair man degree yet, one of our teachers says yes no viruses can infect RAM too. I told my friend that sounds crazy. How does it hold data when there’s no voltage going to the RAM? He was rather insistent though that RAM CAN hold viruses that stay inside and “activate” when the RAM once again gets voltage. I want to do more research but I tend to believe him. Our teachers are usually right at my college.
P.S. I’ll add this link to my favorites because it looks like a good long thread. I’ll let you know if I can remove the Boot.Mebroot, but I get the feeling this is one of those leftover annoyances. As in, the real threat is gone and this little annoying file is still in BOTH MBRs for my physical disks. Apparently this thing doesn’t hit USB drives (at least not normally) because my external USB was attached and turned on at the time I acquired this virus. STAY AWAY FROM ONLINE VERSIONS OF NERO FOR A WHILE! Hint hint.
Step 1: clean with Symantec or other anti-virus; I used a free Symantec from school.
Step 2: it’ll fail to clean the Boot.Mebroot, so get your Windows CD (and sorry, I use XP, if it’s different in other versions): run Recovery Console, then just do a FIXMBR in there. Now if you only got 1 physical drive, you’re all set right here. Your virus cleaner is going to say you’re free of Boot.Mebroot when you reboot and scan.
Step 3: if you have a 2nd physical drive that happens to have a Windows install on it, you repeat the process. But most likely you only have Windows on one of your physical hard disks, so for that drive you have to repartition it. This virus hangs by changing your physical disk attributes and it puts some little partition on there. For those who haven’t done it: you repartition by starting up and going to safe mode w/command prompt and typing FDISK, but for people who don’t know how to do this, you should use the Windows CD and do a new install of Windows on the drive. Make sure you don’t accidentally install it over your current Windows install! Then let Windows format your drive (needless to say you have to back up ALL your data before you do this, but I’m saying it) and NOW finally both your drives will be clean of Boot.Mebroot.
Who made this? What does it do? Why do they make it so hard to remove, since it’s not doing ANYTHING for ANYONE once you already clean off the associated trojans? At least I think that’s the case. I have a theory it just makes your hard disk access randomly when there’s nothing going on.
Ok that’s the end of the chapter in my book on this virus. Good luck. If what I said doesn’t work, then you aren’t doing it right!
And DO NOT reformat anything or do anything beyond the FIXMBR if you a) only have 1 physical disk (i.e. a disk that’s permanent in your computer, not optical drives too) b) if your scanner shows you only got Boot.Mebroot on the Windows drive. Unfortunately if you have a physical drive that doesn’t have Windows installed, it’s infected and you have to back it up then do the FDISK. So if you got 1 100 GB drive that has Windows installed on it, and you don’t have any other hard disk in your system, you’re done after the FIXMBR. This is as of 1-28-2010 with current Windows Update and using officially Symantec Endpoint Manager, which is a simple version that has scanning on it.
Too bad you can’t edit this. It’s not even called FDISK in XP. You have to use DISKPART from command prompt. And I just scanned and the non-boot drive still did come up as having Boot.Mebroot.
I don’t know why it would still have the virus unless something late in the install process of Windows takes care of the bootblock. So just using Windows setup to auto partition that drive did not remove the problem. I probably would’ve had to completely install Windows on it and do FIXMBR in Recovery Console, because that DID work on the other drive. So go print out the instructions for DISKPART from Microsoft support before you try this though. And again, with this method you will have to back up all your files after you clean because you’re going to lose all that’s on your disk. I’ll write again if it does not work.
Any Response?