Playing it safe, I unplugged the system from the local LAN and did a bit of research on an uninfected system. According to Symantec, the fix was as simple as using FIXMBR to overwrite the virus. With this information, I rebooted to the Recovery Console, ran FIXMBR on all three (3) physical drives in the system, rebooted to Windows, and ran a full system scan...which came up clean. However, I still got the Norton pop-up about the Mebroot infection...until I went into the Norton History for Unresolved Security Threats, selected the Mebroot entry, and hit Options. Once there, it gave me the option to remove the file, but when I did, it said the file was no longer on the system. I also ran Malwarebytes Anti-Malware afterwards in regular Windows mode, which came up clean.
From the bits I've been able to dig up on this site, this particular critter can be quite nasty and there is no way to be 100% certain it is gone until all drives are formatted and the OS is reinstalled. With that in mind, I do have monthly image backups of my drives (via Ghost) and daily backups of my critical data (via Robocopy) to an external drive. The system in question is running Win XP SP3 (fully patched), and will be upgraded to Win 7 in the near future (clean install to zero-wiped drives).
I know the "safe" bet here is to go forward with the wipe and Win7 install, but free time is a factor for me, so I would like to know what my options are to be reasonably certain I have a system that is clean in the interim.
Additionally, I did run GMER's MBR.EXE util on the boot drive, which came up clean. Log is below.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3000HLFS-01G6U3 rev.04.04V05 -> Harddisk0\DR0 -> \Device\0000009e

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Edited by HateTheSnow, 01 April 2011 - 11:09 PM.
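Added example, not part of the post above and not GMER's or Symantec's code: the GMER log shows one kind of check (the MBR read from user mode matches the MBR read from the kernel). A second check a practitioner would want after running FIXMBR is to compare the current sector against a known-good copy, for instance the MBR carved from one of the monthly Ghost images, region by region. That separates the outcome FIXMBR is supposed to produce (rewritten boot code, partition table preserved) from a changed partition table, which should not happen and means the sector is not to be trusted. The script below does that over 512-byte dumps; the sample sectors are constructed for the example (the stub boot code is a placeholder, not real boot code). Reading the live sector on Windows means opening `\\.\PhysicalDrive0` with administrative rights, which is left to the reader.

```python
"""Parse a 512-byte MBR, sanity-check it, and diff it against a known-good copy.

Added illustration only (not from the original post, GMER, or Symantec).
Sample sectors are constructed below; real dumps would come from a raw read
of \\.\PhysicalDrive0 or be carved from a disk image.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

MBR_SIZE = 512
REGIONS = {                       # byte ranges inside the 512-byte sector
    "boot_code": (0, 440),        # bootstrap code: what FIXMBR rewrites
    "disk_signature": (440, 444), # Windows disk signature
    "reserved": (444, 446),
    "partition_table": (446, 510),  # four 16-byte entries
    "boot_signature": (510, 512),   # must be 0x55 0xAA
}


@dataclass
class Partition:
    index: int
    status: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition entries; empty entries (type 0) are skipped."""
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, type_id = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if type_id != 0:
            parts.append(Partition(i, status, type_id, lba_start, sectors))
    return parts


def validate_mbr(mbr: bytes) -> List[str]:
    """Structural checks; returns the list of problems found (empty if none)."""
    if len(mbr) != MBR_SIZE:
        return [f"expected {MBR_SIZE} bytes, got {len(mbr)}"]
    problems = []
    if mbr[510:512] != b"\x55\xaa":
        problems.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    for p in parts:
        if p.status not in (0x00, 0x80):
            problems.append(f"entry {p.index}: invalid status byte 0x{p.status:02x}")
        if p.sectors == 0:
            problems.append(f"entry {p.index}: zero-length partition")
    if sum(p.bootable for p in parts) > 1:
        problems.append("more than one active partition")
    spans = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in parts)
    for (_, end1, i1), (start2, _, i2) in zip(spans, spans[1:]):
        if start2 < end1:
            problems.append(f"entries {i1} and {i2} overlap")
    return problems


def diff_mbr(reference: bytes, current: bytes) -> Dict[str, int]:
    """Count bytes that differ from the known-good copy, per region."""
    return {name: sum(1 for off in range(lo, hi) if reference[off] != current[off])
            for name, (lo, hi) in REGIONS.items()}


def assess(reference: bytes, current: bytes) -> str:
    """Turn the diff into a verdict a practitioner can act on."""
    problems = validate_mbr(current)
    if problems:
        return "invalid MBR: " + "; ".join(problems)
    d = diff_mbr(reference, current)
    if not any(d.values()):
        return "identical to reference"
    if d["partition_table"] or d["disk_signature"]:
        return "partition table or disk signature changed: do not trust, restore from image"
    if d["boot_code"]:
        return "boot code differs from reference: verify against a known-good MBR"
    return "only reserved bytes differ"


def build_mbr(boot_code: bytes, disk_sig: bytes,
              partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a sector from its parts (used here only to construct sample data)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = disk_sig
    for i, (status, type_id, lba_start, sectors) in enumerate(partitions):
        # CHS fields are filled with the usual 0xFE 0xFF 0xFF "use LBA" marker
        sector[446 + 16 * i: 462 + 16 * i] = struct.pack(
            "<B3sB3sII", status, b"\xfe\xff\xff", type_id, b"\xfe\xff\xff", lba_start, sectors)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed samples: one NTFS partition, stub boot code standing in for the real thing.
ONE_NTFS = [(0x80, 0x07, 63, 586099395)]
KNOWN_GOOD = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100, b"\x12\x34\x56\x78", ONE_NTFS)
AFTER_FIXMBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 120, b"\x12\x34\x56\x78", ONE_NTFS)
TAMPERED_TABLE = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100, b"\x12\x34\x56\x78",
                           [(0x80, 0x07, 2048, 586097410)])

if __name__ == "__main__":
    for name, sector in (("same", KNOWN_GOOD), ("after FIXMBR", AFTER_FIXMBR), ("tampered", TAMPERED_TABLE)):
        print(f"{name:13s}: {assess(KNOWN_GOOD, sector)}  {diff_mbr(KNOWN_GOOD, sector)}")
```

The verdict for the FIXMBR case is deliberately not "clean": new boot code is the expected result of the repair, but whether that code is Microsoft's can only be settled by comparing it with an MBR taken from a disk of the same Windows version that was never infected, or by reading the sector from outside the running OS (a boot CD), since a bootkit that is still active can hand a clean-looking sector to anything that reads it from inside Windows.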