Boot.Mebroot

Detection of Boot.Mebroot on a computer signifies that the hard drive is severely infected with a boot Trojan. Follow the guide on this page to remove the threat from an infected system.

Boot.Mebroot is a common detection name used to identify a Master Boot Record (MBR) that has been infected by Trojan.Mebroot. In other words, Boot.Mebroot is the detected MBR, or first sector of the hard drive, that was compromised by the rootkit Trojan. This part of the drive is generally used to bootstrap the operating system, loading it after the BIOS has finished checking the necessary hardware and software requirements. If the MBR is infected with Boot.Mebroot, the whole operation can be controlled by the Trojan.

Damage Level: High

Systems Affected: Windows 9x, Windows 2000/Server, Windows XP, Windows Vista

Characteristics
Boot.Mebroot infection is caused by a Trojan created specifically to intrude into the MBR of the target computer. It silently modifies the MBR and creates a backdoor that aims to steal sensitive data from the infected computer. A remote attacker may also gather online banking records through the same backdoor channel. Through the use of highly developed rootkit techniques, the entire operation of this Trojan remains hidden from users and from security programs as well.

Distribution
The Trojan that brings Boot.Mebroot most commonly propagates via the drive-by-download method. Additionally, unsafe file-sharing networks and fake multimedia web sites are also seen as distribution outlets for this Trojan. It specifically infects and changes the Master Boot Record (MBR) for the main purpose of running malicious code when the computer starts.

How to Remove Boot.Mebroot

Boot.Mebroot Removal Tool for Older Versions of Windows:

1. Start the computer using Windows Recovery Console:
- Insert the Windows Installation Disc into the CD-ROM drive.
- Restart the computer from the CD-ROM drive.
- Press R to start the Recovery Console when the “Welcome to Setup” screen appears.
- Select the installation that you want to access from the Recovery Console.
- Enter the administrator password and press Enter.
- Type the “fixmbr” command and press Enter.
(Follow the onscreen instructions to restore the Master Boot Record.)

2. Exit by typing “Exit” and pressing Enter when done. The computer will now restart automatically.

Boot.Mebroot Removal Tool for Windows Vista and Windows 7:

1. Start the computer using System Recovery Options:
- Insert the Windows Vista or Windows 7 Installation Disc into the CD-ROM drive.
- Restart the computer from the CD-ROM drive.
- Press any key when prompted.
- Select your desired settings (language, currency, input devices and so on), then click Next.
- Click on Repair your computer.
- Select the operating system that you want to repair, then click Next.
- When the System Recovery Options window appears, click on Command Prompt.
- When you are in the command prompt, type bootrec.exe /fixmbr and press Enter.

2. Exit by typing “Exit” and pressing Enter when done. The computer will now restart automatically.

3. Temporarily disable System Restore (for Windows XP only)
- On the Desktop, right-click on My Computer.
- Select the System Restore tab.
- Mark “Turn Off System Restore” to disable it, and unmark it to enable it.
- Click Apply at the bottom of the dialog box to save the settings.
- A message “This deletes all existing restore points” will appear; click Yes to disable.
- Click OK.
Note: System Restore must be enabled again after the cleaning process.

4. Update the virus definitions.

5. Restart Windows in Safe Mode
- During boot-up (just before Windows starts), press F8 continuously until the selection menu appears.
- Use the Up and Down arrow keys to select Safe Mode in the selection menu.

6. Run a full system scan and clean/delete all infected files.
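To confirm what the fixmbr step changed, the first sector saved before the repair can be compared with the sector read afterwards. The sketch below is an added example, not part of the original guide or of any vendor tool: it assumes the classic MBR layout (440 bytes of boot code, partition table at offset 446, signature 55 AA), the function names are hypothetical, and the sample sectors are constructed. Because the Trojan hides itself on a running system, both images are assumed to have been read from the recovery environment or bootable media.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bootstrap code area of a classic MBR
PART_TABLE_OFF = 446      # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"   # boot signature at offsets 510-511


def parse_mbr(sector):
    """Return boot-code hash, signature status and used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3 CHS bytes, type, 3 CHS bytes, start LBA, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "signature_ok": sector[510:512] == SIGNATURE,
            "partitions": partitions}


def compare_mbr(before, after):
    """Compare the sector saved before the repair with the one read after it."""
    a, b = parse_mbr(before), parse_mbr(after)
    return {"boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
            "partition_table_intact": a["partitions"] == b["partitions"],
            "signature_ok": b["signature_ok"]}


def sample_sector(fill):
    """Constructed test sector: filler boot code plus one active type-0x07 partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return bytes([fill]) * BOOT_CODE_LEN + bytes(6) + entry + bytes(48) + SIGNATURE


if __name__ == "__main__":
    # Constructed data only: 0x90 stands in for the old boot code, 0x33 for the new.
    print(compare_mbr(sample_sector(0x90), sample_sector(0x33)))
```

A repaired disk is expected to show changed boot code, an unchanged partition table and a valid signature; the hash of the new boot code can be kept as a baseline for later checks.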

Additional Program to Remove Boot.Mebroot:

Kaspersky Bootable USB Flash Drive
A tool from Kaspersky allows you to create a bootable virus scanner that can be run on any computer. It can be booted and run from media such as a CD, DVD or USB flash drive. Download and follow the procedures here.

Alternative Removal Method for Boot.Mebroot

Option 1: Use Windows System Restore to return Windows to a previous state

If Boot.Mebroot enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with clean versions. If you have a restore point saved before Boot.Mebroot infiltrated the PC, we highly encourage you to execute this procedure if none of the above works. To proceed with Windows System Restore, click here to see the full procedure.