Boot.Mebroot

A Boot.Mebroot detection means that the hard drive's Master Boot Record has been infected by a boot-sector Trojan. Follow the guide on this page to remove the threat from an infected system.

Boot.Mebroot is the detection name antivirus products use for a Master Boot Record (MBR) that has been infected by Trojan.Mebroot. Boot.Mebroot is not a file: it is the MBR, the first sector of the hard drive, rewritten by the rootkit Trojan. Normally this sector holds the code that starts loading the operating system once the BIOS has finished its power-on hardware checks. When the MBR has been replaced by Boot.Mebroot, the Trojan's code runs before Windows does and can control the entire boot process.

Damage Level: High

Systems Affected: Windows 9x, Windows 2000/Server, Windows XP, Windows Vista

Characteristics
Boot.Mebroot infections are caused by a Trojan written specifically to overwrite the MBR of the target computer. It modifies the MBR silently and installs a backdoor that steals sensitive data from the infected computer; a remote attacker can collect online banking records through the same backdoor channel. Because it uses advanced rootkit techniques and loads before the operating system, the whole operation stays hidden from users and from security programs running inside Windows.

Distribution
The Trojan that delivers Boot.Mebroot is most commonly spread by drive-by download. Unsafe file-sharing networks and fake multimedia web sites are also seen as distribution outlets. Once running, it specifically infects and rewrites the Master Boot Record (MBR) so that its malicious code executes every time the computer starts.

How to Remove Boot.Mebroot

Boot.Mebroot Removal for Older Versions of Windows (Windows 2000 and XP):

1. Start the computer using the Windows Recovery Console:
- Insert the Windows Installation Disc into the CD-ROM drive.
- Restart the computer from the CD-ROM drive.
- Press R to start the Recovery Console when the “Welcome to Setup” screen appears.
- Select the installation that you want to access from the Recovery Console.
- Enter the administrator password and press Enter. If the Administrator account has a blank password, press Enter without typing anything.
- Type fixmbr and press Enter, then confirm when asked. fixmbr rewrites only the master boot code and leaves the partition table in place, so the partitions and the data on them are not affected.
- If the detection keeps returning and the computer has more than one physical hard disk, type map to list the device names, then rewrite the MBR of each disk in turn, for example fixmbr \Device\HardDisk1. A second disk whose MBR is still infected will keep triggering the detection after the boot disk has been repaired.

2. Type exit and press Enter when done. The computer restarts automatically.

Boot.Mebroot Removal for Windows Vista and Windows 7:

1. Start the computer using System Recovery Options:
- Insert the Windows Vista or Windows 7 Installation Disc into the CD-ROM drive.
- Restart the computer from the CD-ROM drive.
- Press any key when prompted.
- Select your language, time and currency format, and keyboard layout, then click Next.
- Click Repair your computer.
- Select the operating system that you want to repair, then click Next.
- In the System Recovery Options window, click Command Prompt.
- At the command prompt, type bootrec.exe /fixmbr and press Enter. This writes a clean master boot code to the system disk without changing the partition table. To rewrite the partition boot sector as well, type bootrec.exe /fixboot and press Enter.

2. Type exit to close the Command Prompt, then click Restart.

3. Temporarily disable System Restore (Windows XP only)
- On the Desktop, right-click My Computer and choose Properties.
- Select the System Restore tab.
- Check “Turn off System Restore” to disable it (uncheck it later to enable it again).
- Click Apply at the bottom of the dialog box to save the settings.
- A message “This deletes all existing restore points” will appear; click Yes to disable.
- Click OK.
Note: System Restore must be enabled again after the cleaning process. Disabling it deletes the restore points, which may hold infected copies of files that a scanner cannot otherwise clean.

4. Update the virus definitions of your antivirus program.

5. Restart Windows in Safe Mode
- During boot-up, just before Windows starts, press F8 repeatedly until the Advanced Options menu appears.
- Use the Up and Down arrow keys to select Safe Mode and press Enter.

6. Run a full system scan and clean or delete all infected files.
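The following Python script is an added worked example for this page; it is not part of the original guide, not a vendor tool, and not the Windows fixmbr implementation. It models what the detection and the fixmbr step above operate on: it parses a 512-byte MBR image, reports whether the boot-code area matches a known-good loader (a mismatch is exactly what a Boot.Mebroot detection is), measures how many sectors lie past the last partition (the unallocated tail at the end of the disk, where several commenters below report the Trojan keeps the rest of its code), and produces a repaired sector that replaces only the boot code while keeping the disk signature and partition table, which is what fixmbr does. The reference loader, the "infected" loader and the partition layout are constructed placeholder bytes; the real Windows master boot code is not reproduced here.

```python
# Added example for this page: parse, check and repair a 512-byte MBR image.
# Not the guide's own tool and not Windows fixmbr. Every byte string below is
# constructed for illustration; the boot-code strings are placeholders.
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: master boot code (Windows MBR layout)
DISK_SIG_OFF = 440       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector):
    """Split an MBR into boot code, disk signature and partition entries.
    Raises ValueError for a sector that is not a plausible MBR, the same
    condition in which fixmbr warns about a non-standard or invalid record."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        if ptype != 0:                      # type 0 is an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "start": lba_start,
                               "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "disk_sig": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4],
            "partitions": partitions}


def boot_code_matches(sector, reference_code):
    """True when the boot-code area is byte-identical to the known-good loader.
    This is the core of a Boot.Mebroot detection: the first sector no longer
    holds the code it should, regardless of what the files on disk look like."""
    return parse_mbr(sector)["boot_code"] == reference_code[:BOOT_CODE_LEN]


def unallocated_tail_sectors(sector, disk_sectors):
    """Sectors between the end of the last partition and the end of the disk.
    An MBR bootkit can keep its driver there; formatting or reinstalling on
    the partitions never touches that space."""
    partitions = parse_mbr(sector)["partitions"]
    if not partitions:
        return disk_sectors
    last_end = max(p["start"] + p["sectors"] for p in partitions)
    return max(disk_sectors - last_end, 0)


def repair_mbr(sector, reference_code):
    """Rewrite only the boot code, which is what fixmbr does. The disk
    signature, partition table and 0x55AA signature are kept from the
    existing sector, so the partitions and their data are not lost."""
    parse_mbr(sector)  # refuse to "repair" a sector that is not an MBR
    code = reference_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    return code + sector[BOOT_CODE_LEN:]


def build_mbr(boot_code, partitions, disk_sig=b"\x12\x34\x56\x78"):
    """Assemble a constructed MBR from (status, type, lba_start, sectors)."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3,
                    start, sectors)
        for status, ptype, start, sectors in partitions).ljust(64, b"\x00")
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + disk_sig + b"\x00\x00"
            + table + BOOT_SIG)


# Constructed sample data (placeholders, not real boot code or a real disk).
REFERENCE_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433
INFECTED_CODE = b"\xeb\x00" + b"\xcc" * 438
LAYOUT = [(0x80, 0x07, 63, 2_000_000)]   # one bootable NTFS partition
DISK_SECTORS = 2_100_000                 # disk size in 512-byte sectors
CLEAN_MBR = build_mbr(REFERENCE_CODE, LAYOUT)
INFECTED_MBR = build_mbr(INFECTED_CODE, LAYOUT)


def inspect(sector, reference_code, disk_sectors):
    """What a cleanup should look at before and after running fixmbr."""
    return {"boot_code_ok": boot_code_matches(sector, reference_code),
            "partitions": len(parse_mbr(sector)["partitions"]),
            "tail_sectors": unallocated_tail_sectors(sector, disk_sectors)}


if __name__ == "__main__":
    print("infected:", inspect(INFECTED_MBR, REFERENCE_CODE, DISK_SECTORS))
    repaired = repair_mbr(INFECTED_MBR, REFERENCE_CODE)
    print("repaired:", inspect(repaired, REFERENCE_CODE, DISK_SECTORS))
    print("partition table preserved:", repaired == CLEAN_MBR)
```

On a real machine the 512-byte image would be read from the raw device while the infected Windows is not running (from a bootable rescue medium, or with the suspect drive attached to a clean computer), because a rootkit hooked into the running kernel can hand a scanner a clean-looking copy of the sector. A boot-code mismatch is the condition that fixmbr and bootrec /fixmbr repair; a large unallocated tail that survives a reformat is the place to look when the detection keeps coming back.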

Additional Program to Remove Boot.Mebroot:

Kaspersky Bootable USB Flash Drive. A tool from Kaspersky lets you create a bootable virus scanner that can be run on any computer. It boots from removable media such as CD, DVD or USB flash drive and scans the hard disk while the installed Windows is not running, so the rootkit's hiding techniques are not active during the scan. Download and follow the procedure here.

Alternative Removal Method for Boot.Mebroot

Option 1: Use Windows System Restore to return Windows to a previous state

If Boot.Mebroot enters the computer, there is a good chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by returning the configuration to an earlier date, replacing compromised files with a clean version. Note that a restore point does not include the Master Boot Record, so System Restore on its own will not remove the infected boot code; rewrite the MBR with fixmbr or bootrec first. If you have a restore point saved from before Boot.Mebroot infiltrated the PC, we encourage you to run this procedure if none of the above works. Click here to see the full procedure for Windows System Restore.

37 Comments

  1. Mackerz
    Jul 22, 2008 @ 00:22:58

    Hi, my system files are not infected with Boot.Mebroot but I downloaded a file which had it. I had suspicions about that file, so before I even clicked it I scanned it with Norton Antivirus. The updates were up to date. It showed that the file contained a virus. It was not resolving the issue. I deleted the file. But when I scan my system with Norton again it still shows there and does not remove it. And yes… whenever I install Windows I turn off the System Restore point and it’s been off from the beginning, that’s why I believe there are no infected files. Could you please help me with this? And is there any information going out from my system? I have Norton 2007 and ‘Outpost firewall’ installed.

  2. Tinamarie
    Jul 27, 2008 @ 20:17:36

    I have the same problem as Mackerz and I tried what precisesecurity suggested. However, when I typed in “fixmbr” – it came back with this:
    Non-Standard or Invalid Master Boot Record.
    Fixmbr may damage your partition table if you proceed.
    This could cause all the partitions on the current hard drive to become inaccessible.
    If you are not having problems accessing your hard drive – DO NOT CONTINUE.

    What do I do now.

    Please help – I’m desperate.
    Thank you
    Tinamarie

  3. Whistler
    Sep 10, 2008 @ 09:19:01

    I had the virus, and did as described. The warning about the partitions I think is a possibility. Cause I have no problems accessing all my HDD and partitions after fixing my MBR this way.
    I hope I helped a little bit. Greetings from Holland.

  4. NoXiouS
    Sep 14, 2008 @ 17:22:29

    Hello. Clean Format, Clean Install of XPMCE and Norton. Install Zone Alarm, Finally connect net cable and go to Norton’s Live Update, then boom it finds it? I am on third attempt to fix/remove it. Already did the fixmbr thing and I still get this threat. Could it be in my Motherboard? Bios? I’m using all factory install discs that should be safe?

  5. Hannah12
    Oct 05, 2008 @ 19:11:22

    I have a long thread going on Symantec’s Norton forum about how I cannot remove this virus from my computer. Symantec’s Virus Removal Support that costs $99.99 couldn’t remove it. 30 HP techs from their paid support can not remove it. I have done everything including erasing the hard drive, deleting all partitions, writing zeros to the hard drive and reformatting using HP disks. Norton’s virus removal tool that is specific to this virus does nothing. What next? I asked the service department at Fry’s about installing another hard drive and they said that they could try, but that the virus might be in the memory. Is that possible?

  6. Craig
    May 26, 2009 @ 09:55:03

    A low level format doesn’t work either. I’ve tried everything as above and deleting partitions and full low level format, reinstalled Windows XP and the virus is still there. I’m also coming to a dead-end with this one. Anyone actually managed to remove it?

  7. sctbrd
    Jul 21, 2009 @ 00:44:30

    Download the free 15 day trial Norton Anti-Virus 2009. It found Trojan.Mebroot and removed it. Sophos and the other forums gave all kinds of fancy, complex, lengthy repair steps.

    And it didn’t cost anything, and no long list of programs you don’t know about that can tie up your registry and just be a pain. Safe and inexpensive.

    Try to check the “Documents and Settings” file. The old installation files were still there when I thought a clean install would remove them. I deleted the old files then restored them to get my old address book file. When I restored them I got the alert and that Norton cleaned it up.

    Be very careful if you do try to delete the old Documents and Settings sub-files- don’t get the current ones!! Check some of the files for what Favorites or Cookies are and compare them to what you recently have done on the Net. Also check the created date- they will be the older ones.

    Now Ill buy Norton- one virus was worth it. Plus it’s on sale at Office Max!

  8. Khaos
    Jul 28, 2009 @ 15:08:08

    You can fdisk>Delete partitions then shut down the PC. Then after you start back up you can format. This wipes the memory and the disk. There’s no place for the code to live. Make sure there are no other removable drives/storage that could be an underground railroad for our little friend.

  9. Danmor
    Nov 09, 2009 @ 14:06:54

    Me too! Format. low level, delete partition, restore MBR, reload XP? Still housing boot.mebroot? What if I don’t remove it? is there life after mebroot?

  10. Josh
    Nov 24, 2009 @ 20:35:48

    I just spent 10 hours cleaning a system of Mebroot. The fix was actually not that bad in retrospect.

    Use MBR.EXE from gmer.net to monitor your infection and cleaning. It is the only tool that can detect the infection plus the location of the actual virus executable code on the end of your hard disk sectors. The main goal is to eliminate it from your MBR.

    I had to do a fresh boot (from power off) into a Windows XP CD for Recovery Console and then issue FIXMBR. The trick is to issue MAP to learn the name of your HD and then issue “FIXMBR \Device0\Harddisk0\” or whatever is appropriate. It should ask you Y/N to replace the MBR.

    Then issue FIXBOOT.

    I had a scare where it said Invalid Partition Table and would not boot like I lost my C drive. I knew the data was still there so I remained calm and did a FIXBOOT in Recovery Console and that fixed things.

    Now the system seems OK where before it was thrashing the disk and copying furiously into HelpAssist profile.

    Hope this helps someone.

  11. Dave
    Dec 03, 2009 @ 21:34:46

    Got this bitch on my netbook. Symptoms are: my computer completely freezes except for the cursor, some process called “services.exe” sucks all the CPU. I’m actually browsing these forums on my iPod touch. :( Also Norton tells me it’s resolved the problem, but this couldn’t be farther from the truth. My PC still freezes and a virus scan reveals the virus every time. I just ran their stupid tool and it told me that the virus wasn’t active on my PC. As my netbook doesn’t have a disk drive – is there a way to reload Windows from a USB drive?

  12. Nicole
    Dec 15, 2009 @ 16:38:56

    We got to the part where it says to enter admin password, but we don’t have one, and it wants one and if we don’t enter one or type one like admin because there isn’t one, after 3 times, it makes you restart, any suggestions?

  13. WM
    Dec 23, 2009 @ 01:08:11

    Warning – there is a version that creates a large “unallocated space” from which it seems that it copies things into the HelpAssistant directory, using a javascript HTM file with a random name. I formatted and reinstalled, and it was back along with other users that should have been wiped. The only way to clean it was to reassign the unallocated space as a partition, fixmbr on both partitions then reinstall clean. If you miss the unallocated space (mine was 23GB) it appears to survive formatting…. it is completely evil.

  14. Kirvic
    Jan 15, 2010 @ 19:53:02

    I have this friend living on my 2 computers, a netbook with Vista 32 bits, and a desktop Win XP. I formatted, scanned, system recovery, prayed, I mean, did everything above, but nothing, it’s still there. I’m starting to think I need a new hard drive, but the thing is that I have a lot of data that I need. If I burn it to DVD, is there a huge possibility of the files getting infected? Or does it infect only the boot system files?

  15. ceaser/Greg
    Jan 28, 2010 @ 21:02:45

    According to my friend who hasn’t finished his computer repair man degree yet, one of our teachers says yes, viruses can infect RAM too. I told my friend that sounds crazy. How does it hold data when there’s no voltage going to the RAM? He was rather insistent though that RAM CAN hold viruses that stay inside and “activate” when the RAM once again gets voltage. I want to do more research but I tend to believe him. Our teachers are usually right at my college.

  16. ceaser/Greg
    Jan 28, 2010 @ 21:04:51

    P.S. I’ll add this link to my favorites because it looks like a good long thread. I’ll let you know if I can remove the Boot.Mebroot, but I get the feeling this is one of those leftover annoyances. As in, the real threat is gone and this little annoying file is still in BOTH MBRs for my physical disks. Apparently this thing doesn’t hit USB drives (at least not normally) because my external USB was attached and turned on at the time I acquired this virus. STAY AWAY FROM ONLINE VERSIONS OF NERO FOR A WHILE! hint hint

  17. ceaser/Greg
    Jan 29, 2010 @ 19:12:02

    Step 1: clean with Symantec or other anti-virus, I used a free Symantec from school.
    Step 2: it’ll fail to clean the Boot.Mebroot so get your Windows CD, and sorry I use XP if it’s different in other versions but: run recovery console, then just do a FIXMBR in there. Now if you only got 1 physical drive, you’re all set right here. Your virus cleaner is going to say you’re free of Boot.Mebroot when you reboot and scan.
    Step 3: if you have a 2nd physical drive that happens to have a Windows install on it, you repeat the process. But most likely you only have Windows on one of your physical hard disks. So for that drive you have to repartition it. This virus hangs on by changing your physical disk attributes and it puts some little partition on there. For those who haven’t done it: you repartition by starting up and going to safe mode w/command prompt and typing FDISK, but for people who don’t know how to do this, you should use the Windows CD and do a new install of Windows on the drive. Make sure you don’t accidentally install it over your current Windows install! Then let Windows format your drive (needless to say you have to back up ALL your data before you do this but I’m saying it) and NOW finally both your drives will be clean of Boot.Mebroot.

    Who made this? What does it do? Why do they make it so hard to remove since it’s not doing ANYTHING for ANYONE once you already clean off the associated trojans. At least I think that’s the case. I have a theory it just makes your Hard Disk access randomly when there’s nothing going on.

    Ok that’s the end of the chapter in my book on this virus. Good luck. If what I said doesn’t work, then you aren’t doing it right!

  18. ceaser/Greg
    Jan 29, 2010 @ 19:15:51

    And DO NOT reformat anything or do anything beyond the FIXMBR if you a) only have 1 physical disk (i.e. disk that’s permanent in your computer, not optical drives either) b) if your scanner shows you only got Boot.Mebroot on the Windows drive. Unfortunately if you have a physical drive that doesn’t have Windows installed, it’s infected and you have to back it up then do the FDISK. So if you got 1 100 GB drive that has Windows installed on it, and you don’t have any other hard disk in your system, you’re done after the FIXMBR. This is as of 1-28-2010 with current Windows Update and using officially Symantec Endpoint Manager, which is a simple version that has scanning on it.

  19. ceaser/Greg
    Jan 29, 2010 @ 21:27:37

    Too bad you can’t edit this. It’s not even called FDISK in XP. You have to use DISKPART from command prompt. And I just scanned and the non-boot drive still did come up as having Boot.Mebroot.

    I don’t know why it would still have the virus unless something late in the install process of Windows takes care of the bootblock. So just using Windows setup to auto partition that drive did not remove the problem. I probably would’ve had to completely install Windows on it and do FIXMBR in recovery console, because that DID work on the other drive. So go print out the instructions for DISKPART from microsoft support before you try this though. And again this method you will have to backup all your files after you clean because you’re going to lose all that’s on your disk. I’ll write again if it does not work.

  20. ceaser/Greg
    Feb 12, 2010 @ 21:02:57

    This seems to not work if the disk is listed as “physical disk 2” and is on the same IDE chain as the boot disk. FIXMBR can’t do anything to help, it would seem, to any disk other than the “physical disk 1” even if it does have Windows on it. I’m going to stop using this hard disk that’s infected I think.

  21. Hellpop
    Feb 17, 2010 @ 14:40:56

    I have been following everything here. I found this worm last week on my PC. The GMER mbr.exe program says I am clean on both discs, but Symantec keeps saying I have the damn thing, even after reformat of boot drive. Even before I started clean process, mbr.exe said my second disc was clean. Could Symantec Endpoint just be wrong? Is it detecting changes that were made by the Trojan even after the Trojan has been removed? I’m gonna try a wipe tool on my main drive… let’s see this bastard survive that!

  22. Hellpop
    Feb 17, 2010 @ 14:43:10

    Also Malwarebytes never detected this at all on my system and Symantec keeps finding it, I do a manual clean, it says cleaned, and then it finds it again.

  23. Burnt
    Feb 26, 2010 @ 15:27:19

    @ Josh, Thanks for the tips, I have (XP) 3 drives and with a few commands was able to fix this little bugger, I first went into the recovery console and issued command map to reveal my device names and then

    fixmbr \device0
    fixmbr \device1
    fixmbr \device2

    Fixboot c:
    Fixboot d:
    Fixboot e:

    Problem is now gone and no av program finds it anywhere..

    And to think I almost drove myself crazy…..I didn’t need any extra programs for anything…

  24. Burnt
    Feb 26, 2010 @ 15:34:42

    Note that these are my device names and drive letters, yours may be different so issue command map before any other commands..

  25. lynn
    Mar 06, 2010 @ 00:09:11

    When I put my CD in, it says I have a newer version of windows XP what do I do now?

  26. Burnt
    Mar 08, 2010 @ 22:40:39

    Place the windows CD in the CD drive and reboot your machine
    “1. Start the computer using Windows Recovery Console:
    – Insert the Windows XP CD-ROM into the CD-ROM drive.
    – Restart the computer from the CD-ROM drive.
    – Press R to start the Recovery Console when the “Welcome to Setup” screen appears.
    – Select the installation that you want to access from the Recovery Console.
    – Enter the administrator password and press Enter.”

    You’ll see something like this c:\Windows: , type these commands.

    c:\Windows:Map (this will show the name of your devices..)

    c:\Windows:fixmbr \device0 (fixes master boot record on your main drive)

    c:\Windows:Fixboot c: (Fixes boot record on your c drive)

    Repeat for every drive shown on the map command…Then type Exit hit and restart your machine, Then run a full virus scan once started..

  27. David
    Mar 15, 2010 @ 00:38:22

    I too have this boot.mebroot.

    Have tried Josh’s remedy to no avail. Don’t really understand Burnt’s use of \device0 with fixmbr. Map does not provide names of devices this way. Just C: D: E: etc. It also gives me one drive with “?” where the drive letter would usually be. The letters it gives do not seem to jive with the letters the drives show up in Windows Explorer?

    Any help will be appreciated.

  28. Burnt
    Mar 17, 2010 @ 15:23:16

    @ David
    after you reboot with a windows installation CD and select r to enter the recovery console and enter password these are the commands i used to fix the mbr and br of my drives,

    I have 3 hard disk drives, \device0 = first, \device1 = second, \device2 = third on the ide chain

    Command Results
    fixmbr \device0 Fixes mbr on the first drive on the ide chain this is my c: hdd
    fixmbr \device1 second drive on the ide chain = d: hdd
    fixmbr \device2 third drive on the ide chain = e: hdd

    Command Results
    Fixboot c: fixes br on c: drive
    Fixboot d: fixes br on d: drive
    Fixboot e: fixes br on e: drive

    If I’m correct I would assume that you have 3 or more hdd also. I can’t tell you fully how as I’m unsure of your machine, as you say one of the drives is listed as ?: and I’m not sure exactly what this means, maybe an external usb drive? or a flash drive or something?

    All I can tell you is the commands I used on my 3 hdd and it solved the problem. What I did was combine several suggestions into my own thoughts as every machine can be different. I hope you get it sorted out.

  29. Ricardo Morron
    Mar 19, 2010 @ 18:45:34

    Dear Mr. Burnt, I tried your method unsuccessfully. Please note that I do not have the administrator’s password, so I press Enter without typing anything when I am requested. Furthermore, the restoration disk to start in safe mode was created using Windows XP Home plain, I mean SP2 and SP3 were not installed yet. A final remark: I have 2 physical hard disks but 3 partitions, C (main), E (for recovery) and D in the second disk to store just files (no programs). I wonder if I have to assign both partitions to device0 or use a device number for each partition.
    I am very concerned and I am seriously thinking to buy a new computer. Your very valuable help will be very appreciated. Thanks in advance.

  30. Burnt
    Mar 21, 2010 @ 15:53:08

    @ Ricardo

    I also have a blank password
    I’m not sure if the virus places itself into the recovery partition, so after booting into the repair console run these commands, one of which may not work as I’m not sure if the recovery partition would have a device #

    fixmbr \device0
    fixmbr \device1
    and maybe for the recovery partition
    fixmbr \device3

    Recovery partition does have a boot letter ie: E\
    so run these commands also

    Fixboot c:
    Fixboot d:
    Fixboot e:

    exit

    then restart.

  31. Kap'n Krunch
    Mar 29, 2010 @ 02:24:56

    I finally got this thing off my computer. Gone. But for me, it was on my external hard drive. Turned out the trigger for the virus was the autoplay function for the device. Once I disabled all the autoplay features, Norton stopped blocking it. I was then able to easily get my files off of my external. mebroot was chilling in 2 places called 0x85 and 0x81 which I found at:
    run: regedit — hkey_local_machine — software — Microsoft — windows — current version — policies — explorer then into HonorAutoRunSetting — Modify. Once I knew where it was I could understand how it was launching itself.

    If you have an external or some USB flash drive thumb drive or whatever, don’t be fooled. It could be in there.

    Also, partitioning your unused space, no matter how small, is really important I think.

  32. Remover
    Apr 03, 2010 @ 04:25:32

    I have Boot.Mebroot on my 2nd physical drive – 1tb (not on the boot drive). Try all the method above, none work. even formatting the drive no luck. I had it resolved by cloning the the drive using another empty clean formatted drive. (I use acronis true image). It works like a charm. No more Boot.Mebroot

  33. john
    May 31, 2010 @ 07:25:04

    I can’t believe I am reading this! About 2 years ago a hard drive antivirus built into the motherboard (asus p4pe)
    began making noise on start up. I disabled it after doing some searching, I’m using Norton right? Norton never found this until today. I am losing control of my computer after a long idle time, a window pops up telling me my computer is in use, enter a password. When I re-enter Windows Norton is busy doing an idle time scan, doing battle with this virus. Funny, Norton now says it has found the virus before. I have never seen it in the history before? Norton doesn’t seem to remember after a restart. I don’t know where to begin. I don’t have a recovery disk.

  34. Ray
    Jun 09, 2010 @ 16:19:46

    I got this sink hole of a virus on my PC a little ways back, and am having all the problems listed above. I’m not the greatest with computers so I’m pretty hesitant about doing the recovery console bit as I don’t really know what I’m doing and don’t want to make things worse. To that end, does anybody know if just straight up getting rid of the old hard drive and having a new one installed works? Sure I have files, but nothing I can’t live without, so if anybody knows if just shelling out the money for a new hard drive would work I’m all ears.

  35. Don
    Jun 10, 2010 @ 03:48:24

    This is a nice long thread and Symantec says that it is a low level threat and it states removal is EASY. If it’s so easy, why can’t Symantec Anti-Virus remove it? Once again a software company taking our money and giving us nothing in return.

  36. Danq
    Jun 10, 2010 @ 23:34:08

    Hi, has anyone (except for me :) experienced this Trojan on a Windows 7 machine? I tried Burnt’s method above but it did not fix the problem. I have a machine running Windows 7 Pro with 2 internal HDD. I have Norton IS 2010 running and every time I boot up it finds boot.mebroot and removes it (so it says). I just recently reinstalled Windows and that did not do the trick either. I did a clean install and formatted the partition that Windows was installed on. Maybe I should delete the partition table and reformat next? Any other suggestions? Thanks

  37. Henry
    Jul 04, 2010 @ 09:36:38

    The best way to remove this particular piece of malware is to have a second computer available (make sure that it is fully updated and that the anti-virus is fully updated also), remove each hard drive from the infected computer, place the drive in an external hard drive case, connect the external drive (using USB or firewire – whichever your computer and external drive supports) to your computer and scan the drive (also run the removal tool(s) on the external drive). In this way you are using a confirmed clean computer to scan the infected drive(s). This method has worked for me with no issues.
