HELP! Reformatting hard drive doesn't remove boot.mebroot trojan virus!

C is my hard drive, E is the partitioned system restore drive and D is the FAT.  D and E show they are clean on a Norton scan. 

I will try to get a screen shot, but in the meantime, I can tell you that the virus shows up every time I start up the computer and periodically when I am using it - a pop-up will show that there was a threat and Norton resolved it (not!).  In the history, the virus is shown as resolved, a high threat level, a trojan virus and one that affects the MBR. 

Please confirm:

- if you are disconnected from the Internet when running Scans. 

 

Message Edited by Floating_Red on 10-04-2008 03:33 PM

You need to completely wipe both partitions. Back up your data. Reformat "C". Did you delete your old partitions first?

If you really want to do this correctly then you need to delete all partitions and start from the ground up.


Dieselman743 wrote:
If you really want to do this correctly then you need to delete all partitions and start from the ground up.

Hannah12: Please do other suggestions that Users have provided here first; if they do not work, we will help you to get rid of this "monster".  *Coughs*  ;)

Hi Hanna12,

 

Although Dieselman743 may have suggested the only viable alternative, let's try an "end run" around this thing first.

 

Download, install and update the FREE version of Malwarebytes. It is an on-demand scanner which will not interfere with Norton.

 

Once installed, run a Full System Scan with Malwarebytes in safe mode while unplugged from the internet.

 

Keep us posted.

Message Edited by Phil_D on 10-04-2008 10:51 AM

The scan shows the virus whether I am connected to the internet or not. 


Hannah12 wrote:
The scan shows the virus whether I am connected to the internet or not. 

 

Yes, but that is not the point. 

 

If you run a Scan, and Norton says it can Remove it, you may get re-infected; also, when Connected, the Hacker can use anti-removal techniques.  That is why you should always run Scans without being connected to the Internet.

Hi Hannah12,

 

We generally suggest disconnecting from the internet during a removal procedure so that the virus or malware can't "phone home" and regenerate itself. 

 

Have you tried Malwarebytes?

 

EDIT: I guess Floating_Red has a faster keyboard - sorry for some duplicated info.

Message Edited by Phil_D on 10-04-2008 11:11 AM

I installed Norton 09 and Malwarebytes and ran scans of both not connected to the internet.  Norton picked up the virus again and keeps picking it up.  Malwarebytes did not detect it.

Well, if it picked it up, is it gone?  Look in your history logs. Does it show resolved?

No it isn’t gone.  Norton just detected it again. 

Norton always shows it is resolved but it isn’t since it reappears every time I restart the computer as well as periodically when I am using the computer.

Hi Hanna12,

 

First, have you performed a manual "Run Live Update" from the main Norton window? 

 

After that, let's check your Norton Product for issues.

 

Go to "Help & Support" in the main Norton window. Then select "One Click Support".

 

 

 

After the interface loads, click "Begin Support Session".  That will scan your Norton Product to check for any issues.

 

 

Let us know.

Message Edited by Phil_D on 10-04-2008 01:25 PM

Done. It said everything is normal.

Okay, thanks.

 

This will take some more thought - sorry about that.

 

Perhaps someone else will jump in with an idea in the mean time.

Here are 2 programs to try. If not, then you need to wipe your drive out completely.

 

 http://www.freedrweb.com/cureit/

 

 http://usa.kaspersky.com/downloads/removaltools.php

Have you done a Full System Scan with Norton 2009 in Safe Mode?  Likewise with Malwarebytes?  If not, please run Norton LiveUpdate and then boot in to Safe Mode.


To Everyone,

 

This has gotten to be the most confusing, discombobulating thread I have ever tried to read.

 

Everyone is talking at once.  Everyone is giving suggestions at once.  Everyone is asking questions at once.  And when the poor helpseeker answers, the answers are never clearly attributable to a particular question nor is their meaning clear.

 

Someone asks "do you restore your system?"  And the helpseeker says "yes."

 

I think that

A.  The helpseeker needs to be a lot clearer in her answers.  Hannah, this means you.  It's not your fault, but there are so many answers requiring specific data, that when you say something like "yes, I did," too many people are thinking they know what you are saying when that's not what you're saying at all.

      For examples:

      1.  did you reinstall the original computer image using recovery disks supplied by your computer manufacturer?  If so,

           a.  did you erase each partition?

           b.  did you remove each partition other than the main one (usually C)?

             [note, a and b are totally different things and have totally different consequences]

      2.  did you repair windows using a repair option from the windows installation disk?

            [note, 1 and 2 are totally different things and have totally different results.]

      3.  did you run a virusscan in Safe Mode?  If so,

            a.  which products did you run the scan with?

            b.  what was the report?

            c.  were you unplugged from the internet at the time?

      4.  do you have operating systems on either of your other partitions.  You would know this because you will be asked to choose between them when you power on your computer.

      5.  Hannah, you reported (or so it sounded to me) that after restoring your system, you immediately had a report from NIS 2009 that your computer had infections.  This confuses me.  You also said that your computer was old.  Old computers would have neither of the two recent NIS programs on board.  Restoring your system (in the sense that I understand it) would not put either of these programs on your computer.  So my hunch is that when you say you restored your system, you mean that you went to System Restore and picked an earlier date restore point to restore from.

             a.  Is that what you mean?  That you used Windows System Restore to restore to an earlier restore point?  [If so, that is not a good way to remove a virus.  It may remove the registry links while leaving the virus files in place on your computer.]

             b.  Did you Restore from some other backup software?  If so, which kind?


And now the help crew.  You really impress me, guys, all jumping in trying to be of assistance.

 

But you're all jumping up and down shouting, "me, me, me - use my fixes, use my suggestions, use my recommended software."  That can be extremely confusing; even counterproductive.  I've seen you all work before as a team; I bet you can do it now.

 

And some of you (I blush to say it) seem to have nothing to say other than to repeat someone else's advice.  It's almost as though you are trying to earn some quality points for being a good guy.  But the result is clutter.  What are we up to, four pages?!  And half the posts are repeats of earlier posts?


So, I just repeated the questions already asked that I don't think have been clearly answered.  Maybe the answers will help everyone once they know what they actually are.

Hi.  I will tell you what I have done.  To clear up one thing, I have never used system restore to go back to a restore point, because, well, at this point, I think it would be pointless!  

 

First, when it became obvious that NAV08 couldn't remove the virus, I signed up for Norton's Virus Removal Service at $99.99.  Several of their technicians tried a number of things in an attempt to get rid of the virus, but they finally gave up and told me to reformat the hard drive.

 

I called HP to ask about this and they said they could get rid of the virus for $59.99 - no problem!  They downloaded AVG and a trojan virus remover program and ran these which said everything was clean.  Not according to Norton which still picked up the virus.  Then they told me to back everything up (which took days) and run a non-destructive recovery from the partition.  Virus still there.  Then they had me run a destructive recovery from the partition.  I couldn't get on the internet no matter what the technician did so I couldn't download SP2 and install Norton.  He said the virus had corrupted the partitioned system recovery drive.

 

Then I ordered the 8 System Recovery cd's from Computer Surgeons.  HP said just put them in and run them and do the "standard recovery" option.  I did, downloaded all the Microsoft updates including SP2 and 3.  Then I installed NAV08.  Virus showed up.  Called HP, they had me do everything again - which takes several hours to do - this time using the "full recovery" option and I had no different results.  Then they took me through a process where I had to hit certain keys after I inserted the first recovery cd which allowed me to erase the hard drive.  (Note:  the cd's I received offer no options except for "standard system recovery", "full system recovery" and "quit" when inserted.  To get to the other options, such as erasing, one has to know the secret, mystery keys to press and no instructions come with the cd's to guide a home user through this process.)

 

After erasing the HD and then running the recovery cd's, I again downloaded the SP's and installed NAV08.  Virus popped up. 

 

Then I read that I should turn off system restore after fixing the MBR.  I couldn't figure out how to just run the fixmbr command and neither could 2 HP reps.  So I just ran the cd's again (without erasing) and when the computer booted up, I immediately disabled the system restore.  The virus was still there. 

 

I tried reformatting D (FAT) and E (Recovery partition) from Windows and running the cd's again with no better result. 

 

I have downloaded Malwarebytes which doesn't pick up the virus, and NortonAV09 which does.  I have started scanning D and E separately and they always come up clean on Norton.

 

The computer only came with NortonAV02, so I have to get online when the process is done to download SP2 and install Norton.  If I am becoming re-infected through that process I don't know what to do since I can't install Norton without going online.

 

I  reformat using the "Full Restore" option as opposed to the "Standard Restore".  I have done this about 7 times now!  Right now, I am trying this after once more erasing the hard drive first.  The HP technician says that this process erases everything, removes the partitions and recreates it all. 

 

I have spoken with at least 30 HP technicians on this.  The person I spoke with a couple of hours ago when I started this latest reformat said that according to HP's Level 2 technicians that he consulted with, if this doesn't work, it means that the virus is "deep in lower layers of the hard drive that the reformatting done by the system recovery cd's cannot reach".  He said they only fix the top layers of the hard drive.  He said I would need to take the computer to "a store" which will have "special software" that can fix this "hardware problem".  I asked if I could just get the cd's and do it myself and he said that only a trained technician can do this. 

 

It will be another couple of hours before this process is finished again (!) and I will then know if Norton is still picking up the virus.
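Worked example, added by the editor and not code from this thread, from Norton or from HP: the point that ties Dieselman743's "delete all partitions" advice to Hannah12's mention of fixmbr is that an MBR infection lives in the bootstrap code of sector 0, which is outside every partition. A recovery CD that reformats C:, D: and E: rewrites the file systems inside the partitions and never touches those 446 bytes, whereas a fixmbr-style repair replaces exactly those bytes and keeps the partition table. The Python below parses a 512-byte MBR, simulates a high-level format of every partition, and shows that the boot-code hash only changes when the boot code itself is rewritten. The disk image, the boot-code bytes and the "known good" hash are all constructed for illustration; on a real machine sector 0 would be read with something like `dd if=/dev/sda bs=512 count=1` (or from `\\.\PhysicalDrive0` on Windows) and compared against a hash taken from a trusted MBR.

```python
# Added example (not from the forum thread): inspect a raw MBR and show why a
# high-level format of the partitions leaves the boot code in sector 0 untouched.
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446        # bytes 0..445: BIOS bootstrap code (where an MBR bootkit lives)
PART_TABLE_OFF = 446      # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"   # bytes 510..511: boot signature


def parse_mbr(mbr: bytes) -> dict:
    """Split one 512-byte sector into boot-code hash, partition table and signature."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:  # partition type 0 marks an empty slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[510:512] == SIGNATURE}


def bootcode_is_known_good(mbr: bytes, good_hashes: set) -> bool:
    """True when the boot code matches a hash taken from a trusted MBR."""
    return parse_mbr(mbr)["bootcode_sha256"] in good_hashes


def format_partitions(disk: bytearray) -> None:
    """Simulate a high-level format: overwrite every sector inside each partition.
    Sector 0 is outside every partition, so nothing here can reach the boot code."""
    for p in parse_mbr(bytes(disk[:SECTOR]))["partitions"]:
        start = p["lba_start"] * SECTOR
        end = (p["lba_start"] + p["sectors"]) * SECTOR
        disk[start:end] = b"\x00" * (end - start)


def rewrite_bootcode(disk: bytearray, good_bootcode: bytes) -> None:
    """What a fixmbr-style repair does: replace bytes 0..445, keep the partition table."""
    if len(good_bootcode) != BOOTCODE_LEN:
        raise ValueError("boot code must be exactly 446 bytes")
    disk[:BOOTCODE_LEN] = good_bootcode


def build_disk(bootcode: bytes) -> bytearray:
    """Constructed 17-sector disk: MBR, an 8-sector 'C:' (NTFS) and an 8-sector 'D:' (FAT32)."""
    disk = bytearray(17 * SECTOR)
    disk[:BOOTCODE_LEN] = bootcode
    table = (struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 1, 8)
             + struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x0C, b"\0\0\0", 9, 8)
             + bytes(32))                       # two empty slots
    disk[PART_TABLE_OFF:510] = table
    disk[510:512] = SIGNATURE
    for p in parse_mbr(bytes(disk[:SECTOR]))["partitions"]:
        start = p["lba_start"] * SECTOR
        end = (p["lba_start"] + p["sectors"]) * SECTOR
        disk[start:end] = b"\xaa" * (end - start)   # stand-in for file-system data
    return disk


# Constructed stand-ins, not real Mebroot or Windows boot code:
# cli; xor ax,ax; mov ss,ax; then nops -- a plausible-looking clean bootstrap.
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOTCODE_LEN - 5)
# First instruction patched into a short jump, the way a bootkit hooks the MBR.
INFECTED_BOOTCODE = b"\xeb\x3e" + CLEAN_BOOTCODE[2:]
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOTCODE).hexdigest()}


def demo() -> dict:
    """Infected disk -> format all partitions -> still infected -> rewrite boot code -> clean."""
    disk = build_disk(INFECTED_BOOTCODE)
    before = bootcode_is_known_good(bytes(disk[:SECTOR]), KNOWN_GOOD)
    format_partitions(disk)
    after_format = bootcode_is_known_good(bytes(disk[:SECTOR]), KNOWN_GOOD)
    rewrite_bootcode(disk, CLEAN_BOOTCODE)
    after_fix = bootcode_is_known_good(bytes(disk[:SECTOR]), KNOWN_GOOD)
    parts = parse_mbr(bytes(disk[:SECTOR]))["partitions"]
    return {"before": before, "after_format": after_format,
            "after_fix": after_fix, "partitions_kept": len(parts) == 2}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `before` and `after_format` as False and `after_fix` as True with both partition entries intact, which is the whole story of the thread in one run: formatting or restoring the partitions cannot change what the BIOS executes from sector 0, so the repair has to target the boot code (or wipe sector 0 and recreate the partition table from scratch, as Dieselman743 suggested). A hash check like this is only as good as the reference hash, and it does not cover malware that hides in other unpartitioned sectors, so it is a diagnostic, not a substitute for rewriting the MBR from a trusted source.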