06-20-2010 10:55 PM
Got 3 hard drives on my PC (the OS drive is clean, no problems), but NIS finds and "Fully Removes" Boot.Mebroot from those 2 extra drives every time I boot (or restart) my PC... The way I see it, NIS doesn't really remove those trojans, it just blocks them.
Is there a way to remove for good the Rootkit from those hard drives? I really don't want to fdisk /mbr them.
06-21-2010 01:17 AM - edited 06-21-2010 01:18 AM
You might want to try the steps provided @
http://www.symantec.com/security_response/writeup.
06-21-2010 01:25 AM
Bleeping Computer has tools to check for Mebroot (and variants) and one to remove the bootkit.
To be used under supervision by the Malware Removal Team or Instructor, they are 2 nice little tools.
http://www.bleepingcomputer.com/forums/forum103.ht
Quads
06-21-2010 06:53 AM - edited 06-21-2010 06:56 AM
Well, the solution implied by this article is based on the Rootkit residing on the booting drive. When you open the Windows Recovery Console, you can only fix the MBR of the hard drive where your OS is installed. This MBR on my PC is clean. The rootkit resides on each of the other 2 HDDs that I have installed...
Oh, by the way, I'm running Win 7 and the article in your link doesn't seem to cover Win 7...
06-21-2010 07:09 AM
Hi dchldui
You would be best advised to follow the recommendations of Quads, who is a rootkit and malware expert, and contact Bleeping Computer (www.bleepingcomputer.com).
We look forward to the time when the Power of Love will replace the Love of Power. Then will our world know the blessings of peace. ~William Ewart Gladstone
06-21-2010 08:19 AM
The Symantec link is also from January 2008, and may not be valid for the new malware.
06-21-2010 03:21 PM
There is also another tool, which should also be used under supervision like on Bleeping, that will check all installed drives' boot code:
40 GB \\.\PhysicalDrive0 OK(DOS/Win32 Boot code found)
1 TB \\.\PhysicalDrive1 OK (DOS/Win32 Boot code found)
1 TB \\.\PhysicalDrive2 OK (DOS/Win32 Boot code found)
1.5 TB \\.\PhysicalDrive3 OK (DOS/Win32 Boot code found)
But to fix the drives involved, it's either use of the command prompt and typing out the command(s) or the use of a script (I have the template).
Though problems can occur if you have like a Dell Recovery Hard Drive installed after cleaning.
Quads
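To show what a per-drive boot-code check like the output above is actually looking at, here is an added example (not the tool Quads refers to, nor any Bleeping Computer or Norton code). It parses a 512-byte MBR, validates the 0x55AA boot signature, reads the partition table, and flags bootstrap code that either lacks the error strings found in the standard Microsoft MBR (a heuristic assumed here, not the real tool's method) or differs from a trusted baseline hash. The sample MBRs are constructed inline; the raw-device path in the main block is an assumption and needs administrator rights on Windows.

```python
import hashlib
import struct

SECTOR_SIZE, BOOTSTRAP_LEN, PART_TABLE_OFF, BOOT_SIG_OFF = 512, 440, 446, 510
# Error strings carried by the standard Microsoft MBR bootstrap; used here as a
# heuristic for "DOS/Win32 boot code" (assumption, not the checker tool's method).
MS_MBR_STRINGS = (b"Invalid partition table", b"Error loading operating system",
                  b"Missing operating system")

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    code = sector[:BOOTSTRAP_LEN]
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        ptype = entry[4]
        if ptype:  # type 0x00 marks an unused slot
            lba_start, sectors = struct.unpack_from("<II", entry, 8)
            parts.append({"active": entry[0] == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
            "ms_bootcode": all(s in code for s in MS_MBR_STRINGS),
            "bootstrap_sha256": hashlib.sha256(code).hexdigest(),
            "partitions": parts}

def assess(sector: bytes, baseline_sha256=None) -> str:
    """One-line verdict per drive, in the spirit of the checker output above."""
    m = parse_mbr(sector)
    if not m["signature_ok"]:
        return "BAD (no 0x55AA boot signature)"
    if baseline_sha256 is not None and m["bootstrap_sha256"] != baseline_sha256:
        return "SUSPECT (bootstrap code differs from trusted baseline)"
    if m["ms_bootcode"]:
        return "OK (DOS/Win32 Boot code found)"
    return "SUSPECT (unrecognised bootstrap code)"

def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample MBR: given bootstrap, one active NTFS partition, valid signature."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    disk_sig = b"\x12\x34\x56\x78\x00\x00"          # 4-byte disk signature + 2 reserved
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return code + disk_sig + entry + bytes(48) + b"\x55\xaa"

CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0" + b"".join(MS_MBR_STRINGS))
TAMPERED_MBR = build_sample_mbr(b"\xfa\x33\xc0" + b"\x90" * 200)  # strings replaced

if __name__ == "__main__":
    import sys  # argument: raw device (e.g. \\.\PhysicalDrive1 on Windows) or image file
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(assess(f.read(SECTOR_SIZE)))
    else:
        print(assess(CLEAN_MBR), "/", assess(TAMPERED_MBR))
```

Keeping a baseline hash of each drive's bootstrap code while the system is known clean turns the heuristic into a real change detector, which is the check that matters when the same detection keeps reappearing at every boot.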
06-26-2010 04:23 PM
@Quads
Please send me more info about this detection/ cleaning tool.
Can you make the template available to me?
Thank you.
06-26-2010 04:37 PM
I no longer do malware removal on this Forum due to the forum's danger level.
Bleeping Computer's Malware Removal Team and Instructors have available to them all the tools, including the tool that checks all Hard Drives installed in a PC.
Supervision is advised due to the tools involved and the MBR (boot records). This is why problems can occur afterwards with things like installed Dell/HP etc. recovery drives.
Quads
