Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Need help please with Boot.mebroot

  • Please log in to reply
1 reply to this topic

#1 guswood


  • Members
  • 11 posts
  • Local time:05:33 PM

Posted 06 February 2010 - 02:27 PM

Hello all. Thank you in advance for any help you can lend me!

I was having problems with my computer, and so did a clean reinstall of windows and reformatted my drives. I had presu,ed the problem I was having (freezing) was perhaps a virus, and though starting again would be a good idea. I reforamtted and reinstalled, but since then my Norton internet security has been detecting Boot.mebroot. It also finds it when I connect my external drives or a usb stick. It says that it removes it, but of course it doesn't.

I have followed their instructions and run the fixmbr and then performed the full scan. But so far no luck, It keeps reappearing.

When I decided to reformat my externals, I transferred all the data onto my desktop. If I need to reformat it all again, would the trojan be contained in those files if I backed them up to an external again? There is much there that I would not like to lose.

Any help you could give me on removing this would be greatly appreciated



BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,776 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:33 PM

Posted 07 February 2010 - 08:53 AM

Mebroot is a Trojan horse that overwrites the Master Boot Record of the hard disk with its own code and stores a copy of the original master boot record at another sector (62) while using rootkit techniques to hide itself. The installer of the rootkit writes the content of a malicious kernel driver to the last sectors of the disk, and then modifies sectors 0 (MBR), 60, 61 and 62.

...During infection, it copies itself to the %temp% folder and starts as a service. This service overwrites the MBR with its own code and keeps a backup of original MBR in sector 62. It also overwrites sector 60 and 61 with rootkit loader code and rootkit components in the last sectors of the active partition. Later it restarts the system. Upon reboot, the infected MBR takes control of the system and gives control to the rootkit loader code. The loader code then patches the kernel to load and start its rootkit component.

StealthMBR Rootkit

Mebroot is contracted and spread through ads in spam e-mail attachments, by using shared folders on peer-to-peer networkes, using Torrents, and via drive-by downloads when visiting porn and malicious websites using browser exploits. For more specific details about this infection, read:If it keeps reappearing after using the "mbr.exe -f" command, then either that fix did not work or you are getting reinfected through one of its spreading venues.

Edited by quietman7, 07 February 2010 - 09:04 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users