Comments on: Boot.Mebroot http://www.precisesecurity.com/trojan/bootmebroot Thu, 24 May 2012 12:56:45 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Henryhttp://www.precisesecurity.com/trojan/bootmebroot#comment-6568 Henry Sun, 04 Jul 2010 09:36:38 +0000 http://www.precisesecurity.com/threats/bootmebroot/#comment-6568 The best way to remove this particular piece of malware is to have a second computer available (make sure that it is fully updated and that the anti-virus is fully updated also), remove each hard drive from the infected computer, place the drive in an external hard drive case, connect the external drive (using USB or firewire - whichever your computer and external drive supports) to your computer and scan the drive (also run the removal tool(s) on the external drive). In this way you are using a confirmed clean computer to scan the infected drive(s). This method has worked for me with no issues. The best way to remove this particular piece of malware is to have a second computer available (make sure that it is fully updated and that the anti-virus is fully updated also), remove each hard drive from the infected computer, place the drive in an external hard drive case, connect the external drive (using USB or firewire – whichever your computer and external drive supports) to your computer and scan the drive (also run the removal tool(s) on the external drive). In this way you are using a confirmed clean computer to scan the infected drive(s). This method has worked for me with no issues.

]]> By: Danqhttp://www.precisesecurity.com/trojan/bootmebroot#comment-6382 Danq Thu, 10 Jun 2010 23:34:08 +0000 http://www.precisesecurity.com/threats/bootmebroot/#comment-6382 Hi, has anyone (except for me :) experienced this Trojan on a windows 7 machine? I tried Burnt's method above but it did not fix the problem. I have a machine running windows 7 pro with 2 internal HDD. I have Norton IS 2010 running and every time I boot up it finds boot.mebroot and removes it (so it says). I just recently reinstalled windows and that did not do the trick eithere. I did a clean install and format the partition that windows was installed on. Maybe I should delete the partition table and reformat next? Any other suggestions? Thanks Hi, has anyone (except for me :) experienced this Trojan on a windows 7 machine? I tried Burnt’s method above but it did not fix the problem. I have a machine running windows 7 pro with 2 internal HDD. I have Norton IS 2010 running and every time I boot up it finds boot.mebroot and removes it (so it says). I just recently reinstalled windows and that did not do the trick eithere. I did a clean install and format the partition that windows was installed on. Maybe I should delete the partition table and reformat next? Any other suggestions? Thanks

]]> By: Donhttp://www.precisesecurity.com/trojan/bootmebroot#comment-6379 Don Thu, 10 Jun 2010 03:48:24 +0000 http://www.precisesecurity.com/threats/bootmebroot/#comment-6379 This is a nice long thread and Symantec says that it is a low level threat and it states removal is EASY. If it's so easy, why can't Symantec Anti-Virus remove it? Once again a software company taking our money and giving us nothing in return. This is a nice long thread and Symantec says that it is a low level threat and it states removal is EASY. If it’s so easy, why can’t Symantec Anti-Virus remove it? Once again a software company taking our money and giving us nothing in return.

]]> By: Rayhttp://www.precisesecurity.com/trojan/bootmebroot#comment-6375 Ray Wed, 09 Jun 2010 16:19:46 +0000 http://www.precisesecurity.com/threats/bootmebroot/#comment-6375 I got this sink hole of a virus on my PC a little ways back, and am having all the problem listed above. I'm not the greatest with computers so I'm pretty hesitant about doing the recovery console bit as I don't really know what I'm doing and don't want to make things worse. to that end, does anybody know if just straight up getting rid of the old hard drive and having a new one installed works? Sure I have files, but nothing I cant live without so if anybody knows if just shelling out the money for a new hard drive would work I'm all ears I got this sink hole of a virus on my PC a little ways back, and am having all the problem listed above. I’m not the greatest with computers so I’m pretty hesitant about doing the recovery console bit as I don’t really know what I’m doing and don’t want to make things worse. to that end, does anybody know if just straight up getting rid of the old hard drive and having a new one installed works? Sure I have files, but nothing I cant live without so if anybody knows if just shelling out the money for a new hard drive would work I’m all ears

]]> By: johnhttp://www.precisesecurity.com/trojan/bootmebroot#comment-6283 john Mon, 31 May 2010 07:25:04 +0000 http://www.precisesecurity.com/threats/bootmebroot/#comment-6283 I cant believe I am reading this! about the 2 years ago a hard drive antivirus built into the motherboard (asus p4pe) began making noise on start up. i disabled it after doing some searching, I'm using Norton right? Norton never found this until today, I am losing control of my computer after a long idle time, a window pops up telling me my computer is in use enter a password. when I re-enter windows Norton is busy doing an idle time scan, doing battle with this virus. funny Norton now says it has found the virus before. I have never seen it in the history before? Norton doesn't seem to remember after a restart. I don't know where to begin. I don't have a recovery disk I cant believe I am reading this! about the 2 years ago a hard drive antivirus built into the motherboard (asus p4pe)
began making noise on start up. i disabled it after doing some searching, I’m using Norton right? Norton never found this until today, I am losing control of my computer after a long idle time, a window pops up telling me my computer is in use enter a password. when I re-enter windows Norton is busy doing an idle time scan, doing battle with this virus. funny Norton now says it has found the virus before. I have never seen it in the history before? Norton doesn’t seem to remember after a restart. I don’t know where to begin. I don’t have a recovery disk

]]> By: Removerhttp://www.precisesecurity.com/trojan/bootmebroot#comment-5643 Remover Sat, 03 Apr 2010 04:25:32 +0000 http://www.precisesecurity.com/threats/bootmebroot/#comment-5643 I have Boot.Mebroot on my 2nd physical drive - 1tb (not on the boot drive). Try all the method above, none work. even formatting the drive no luck. I had it resolved by cloning the the drive using another empty clean formatted drive. (I use acronis true image). It works like a charm. No more Boot.Mebroot I have Boot.Mebroot on my 2nd physical drive – 1tb (not on the boot drive). Try all the method above, none work. even formatting the drive no luck. I had it resolved by cloning the the drive using another empty clean formatted drive. (I use acronis true image). It works like a charm. No more Boot.Mebroot

]]> By: Kap'n Krunchhttp://www.precisesecurity.com/trojan/bootmebroot#comment-5599 Kap'n Krunch Mon, 29 Mar 2010 02:24:56 +0000 http://www.precisesecurity.com/threats/bootmebroot/#comment-5599 I finally got this thing off my computer. Gone. But for me, it was on my external hard drive. Turned out the trigger for the virus was the autoplay function for the device. Once I disabled all the autoplay features, Norton stopped blocking it. I was then able to easily get my files off of my external. mebroot was chilling in 2 places called 0x85 and 0x81 which I found at: run: regedit -- hkey_local_machine -- software -- Microsoft -- windows -- current version -- policies -- explorer then into HonorAutoRunSetting -- Modify. Once I knew where it was I could understand how it was launching itself.If you have an external or some USB flash drive thumb drive or whatever, don't be fooled. It could be in there.Also, partioning your unused space, no matter how small, is really important I think. I finally got this thing off my computer. Gone. But for me, it was on my external hard drive. Turned out the trigger for the virus was the autoplay function for the device. Once I disabled all the autoplay features, Norton stopped blocking it. I was then able to easily get my files off of my external. mebroot was chilling in 2 places called 0×85 and 0×81 which I found at:
run: regedit — hkey_local_machine — software — Microsoft — windows — current version — policies — explorer then into HonorAutoRunSetting — Modify. Once I knew where it was I could understand how it was launching itself.

If you have an external or some USB flash drive thumb drive or whatever, don’t be fooled. It could be in there.

Also, partioning your unused space, no matter how small, is really important I think.

]]> By: Burnthttp://www.precisesecurity.com/trojan/bootmebroot#comment-5519 Burnt Sun, 21 Mar 2010 15:53:08 +0000 http://www.precisesecurity.com/threats/bootmebroot/#comment-5519 @ RicardoI also have a blank password I'm not sure if the virus places itself into the recovery partition, so after booting into the repair console run these commands, one of which may not work as I'm not sure if the recovery partition would have a device #fixmbr \device0 fixmbr \device1 and maybe for the recovery partition fixmbr \device3Recovery partition does have a boot letter ie: E\ so run these commands alsoFixboot c: Fixboot d: Fixboot e:exitthen restart. @ Ricardo

I also have a blank password
I’m not sure if the virus places itself into the recovery partition, so after booting into the repair console run these commands, one of which may not work as I’m not sure if the recovery partition would have a device #

fixmbr \device0
fixmbr \device1
and maybe for the recovery partition
fixmbr \device3

Recovery partition does have a boot letter ie: E\
so run these commands also

Fixboot c:
Fixboot d:
Fixboot e:

exit

then restart.

]]> By: Ricardo Morronhttp://www.precisesecurity.com/trojan/bootmebroot#comment-5490 Ricardo Morron Fri, 19 Mar 2010 18:45:34 +0000 http://www.precisesecurity.com/threats/bootmebroot/#comment-5490 Dear Mr. Burnt, I tried your method unsuccessfully. Please note that I do not have administrator's password, so I press enter without tipping nothing when I am requested. Furtheremore, the restoration disk to start in safe mode was created using Windows XP Home plain, I mean SP2 and SP3 were not installed yet. A final remark: I have 2 physical hard disk but 3 partitions C (main), E (for recovery) and D in the second disk to store just files (no programs). I wonder if I have to assign both partition to device0 or use a device number for each partition. I am very concerned and I am seriously thinking to buy a new computer. Your very valuable help will be very appreciated. Thanks in advance. Dear Mr. Burnt, I tried your method unsuccessfully. Please note that I do not have administrator’s password, so I press enter without tipping nothing when I am requested. Furtheremore, the restoration disk to start in safe mode was created using Windows XP Home plain, I mean SP2 and SP3 were not installed yet. A final remark: I have 2 physical hard disk but 3 partitions C (main), E (for recovery) and D in the second disk to store just files (no programs). I wonder if I have to assign both partition to device0 or use a device number for each partition.
I am very concerned and I am seriously thinking to buy a new computer. Your very valuable help will be very appreciated. Thanks in advance.

]]> By: Burnthttp://www.precisesecurity.com/trojan/bootmebroot#comment-5467 Burnt Wed, 17 Mar 2010 15:23:16 +0000 http://www.precisesecurity.com/threats/bootmebroot/#comment-5467 @ David after you reboot with a windows installation CD and select r to enter the recovery console and enter password these are the commands i used to fix the mbr and br of my drives,I have 3 hard disk drives, \device0 = first, \device1 = second, \device2 = third on the ide chainCommand Results fixmbr \device0 Fixes mbr on the first drive on the ide chain this is my c: hdd fixmbr \device1 second drive on the ide chain = d: hdd fixmbr \device2 third drive on the ide chain = e: hddCommand Results Fixboot c: fixes br on c: drive Fixboot d: fixes br on d: drive Fixboot e: fixes br on e: driveIf I'm correct I would assume that you have 3 or more hdd also, I cant tell you fully how as I'm unsure of your machine as you say one of the drives is listed as ?: and I'm not sure exactly what this means maybe an external usb drive ? or a flash drive or something ?All i can tell you is the commands i used on my 3 hdd and it solved the problem, What i done was combined several suggestions into my own thoughts as every machine can be different. I hope you get it sorted out. @ David
after you reboot with a windows installation CD and select r to enter the recovery console and enter password these are the commands i used to fix the mbr and br of my drives,

I have 3 hard disk drives, \device0 = first, \device1 = second, \device2 = third on the ide chain

Command Results
fixmbr \device0 Fixes mbr on the first drive on the ide chain this is my c: hdd
fixmbr \device1 second drive on the ide chain = d: hdd
fixmbr \device2 third drive on the ide chain = e: hdd

Command Results
Fixboot c: fixes br on c: drive
Fixboot d: fixes br on d: drive
Fixboot e: fixes br on e: drive

If I’m correct I would assume that you have 3 or more hdd also, I cant tell you fully how as I’m unsure of your machine as you say one of the drives is listed as ?: and I’m not sure exactly what this means maybe an external usb drive ? or a flash drive or something ?

All i can tell you is the commands i used on my 3 hdd and it solved the problem, What i done was combined several suggestions into my own thoughts as every machine can be different. I hope you get it sorted out.

]]>