Trojan.Mebroot
Trojan.Mebroot is a deadly Trojan that modifies and infects the Master Boot Record (MBR) of the hard drive, where bootstrapping of the operating system occurs. It hides its presence by using complex rootkit technology. When the computer starts, the infected MBR is loaded, and the Trojan that has become part of it is loaded along with it. This method makes the Trojan memory-resident. Trojan.Mebroot can then execute its own code, which loads a specific rootkit driver and runs other malware that was dropped on the compromised computer.
Trojan.Mebroot may arrive on the system in a variety of ways. It primarily propagates through web sites that take advantage of vulnerabilities in the Internet browser. Visiting these sites can download the Trojan without the user's knowledge. Fake multimedia web sites that offer online adult movies are also responsible for spreading Trojan.Mebroot. The Trojan is disguised as a player or decoder required to watch a movie, which is actually non-operative. Additionally, Trojan.Mebroot is famously distributed as software cracks and key generators on file-sharing networks. Malware authors deliberately upload the malicious files and share them as useful tools for running an unlicensed program.
Alias: StealthMBR, Stealth MBR rootkit
Threat Level: High
Systems Affected: Windows 9x, 2000, XP
How to Remove Boot.Mebroot:
FIRST AID TO STOP Boot.Mebroot:
If this virus has infected the system, the registry and legitimate Windows files are also compromised. System Restore can reinstate clean system files by restoring the configuration to an earlier date. If a restore point was created before you were infected with Boot.Mebroot, please restore Windows to that previous configuration.
REMOVAL TOOL for Boot.Mebroot:
1. Start the computer using Windows Recovery Console:
- Insert the Windows XP CD-ROM into the CD-ROM drive.
- Restart the computer from the CD-ROM drive.
- Press R to start the Recovery Console when the “Welcome to Setup” screen appears.
- Select the installation that you want to access from the Recovery Console.
- Enter the administrator password and press Enter.
- Type the “fixmbr” command and press Enter:
(Follow the on-screen instructions to restore the Master Boot Record)
2. Exit by typing “Exit” and pressing Enter when done. The computer will now restart automatically.
3. Temporarily Disable System Restore (For WinXP only)
- On the Desktop, right-click My Computer
- Select the System Restore tab
- Check “Turn Off System Restore” to disable it, and uncheck it to enable it
- Click Apply on the Bottom of the Dialog Box to save the settings.
- A message “This deletes all existing restore points” will appear, click Yes to disable.
- Click OK.
Note: System Restore must be enabled after the cleaning process.
4. Update the virus definitions.
5. Restart Windows in Safe Mode
- During boot-up (just before Windows starts), press F8 continuously until the selection menu appears
- Use the Up and Down arrow keys to select Safe Mode on the selection menu.
6. Run a full system scan and clean/delete all infected file(s).
ADDITIONAL TOOLS AND PROGRAMS TO REMOVE Trojan.Mebroot:
Kaspersky Bootable USB Flash Drive
A tool from Kaspersky allows you to create a bootable virus scanner that can be run on any computer. It can be booted and run from media such as a CD, DVD or USB flash drive. Download and follow the procedures here.
Technical Details and Additional Information:
Other functionality of Trojan.Mebroot:
- Trojan.Mebroot silently modifies the MBR of an infected drive when executed.
- It can operate as a backdoor that allows a remote attacker to gain illegal access to the compromised system.
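Because the Trojan changes the MBR silently, one way to confirm a change, or to check that fixmbr restored the sector, is to compare a 512-byte dump of sector 0 against a baseline saved while the machine was clean. The following Python sketch is an added example, not part of the original guide or of any vendor tool; the function names and the two sample sectors are constructed for illustration, and it assumes the dump was taken from a clean boot environment such as rescue media, since the rootkit hides itself on a running infected system.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440    # bytes 0-439 hold the bootstrap code
PART_TABLE_OFF = 446   # four 16-byte partition entries start here
BOOT_SIG_OFF = 510     # last two bytes must be 0x55 0xAA

def parse_mbr(sector):
    """Split a 512-byte MBR dump into the fields worth comparing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected 512 bytes, got %d" % len(sector))
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"slot": i, "active": status == 0x80,
                          "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
        "partitions": parts,
    }

def compare_mbr(baseline, current):
    """Return a list of differences between a clean baseline and a new dump."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not b["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def _sample(boot_fill):
    # Constructed sector: filler boot code, one active NTFS-type partition.
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 204800)
    return bytes([boot_fill]) * BOOT_CODE_END + bytes(6) + entry + bytes(48) + b"\x55\xaa"

CLEAN = _sample(0x90)     # constructed baseline
MODIFIED = _sample(0xCC)  # constructed dump with different boot code

if __name__ == "__main__":
    print(compare_mbr(CLEAN, CLEAN))
    print(compare_mbr(CLEAN, MODIFIED))
```

An empty result means the boot code and partition table match the baseline; the comparison is only as trustworthy as the baseline itself.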