Endpoint Protection

  • 1.  mebroot virus infection (boot.mebroot & trojan.mebroot)

    Posted Mar 29, 2009 07:37 PM
    My Symantec Antivirus (version 10.x) detected but failed to remove a boot sector virus called Boot.Mebroot. Symantec's removal instructions at http://www.symantec.com/security_response/writeup.jsp?docid=2008-010819-3217-99&tabid=3
    say "Symantec have developed a tool to remove this threat. Please contact Symantec Technical Support for further information." Alas, the tech support person that I contacted professed ignorance of the Boot.Mebroot removal tool. Does anyone know how to get a copy of the Symantec Boot.Mebroot and/or Trojan.Mebroot removal tools?





  • 2.  RE: mebroot virus infection (boot.mebroot & trojan.mebroot)

    Posted Mar 29, 2009 08:30 PM
    Hi,

    Is this of any help or have you already tried it?

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-010819-3217-99&tabid=3

    Cheers,
    Rob


  • 3.  RE: mebroot virus infection (boot.mebroot & trojan.mebroot)

    Posted Mar 29, 2009 08:31 PM


  • 4.  RE: mebroot virus infection (boot.mebroot & trojan.mebroot)

    Posted Mar 29, 2009 11:43 PM
    HotRob,
       Thanks for the idea, which is scary on two counts. The sole review of the download at http://www.softpedia.com/get/Antivirus/Trojan-Mebroot-Removal-Tool.shtml
    says "Now how do I restart my computer." And the instructions for the tool say:
        "If you are using a non-standard Master Boot Record (MBR) or if you use encryption on your HDDs or partitions, we recommend that you make a back up before running this removal tool."

    So, it seems that removal of Boot.Mebroot removes the master boot record (MBR), which evidently may also wipe out all files on the boot drive in at least some cases. 

    I wonder if there is a way to check, before I try removing and repairing the MBR, whether all my files will be lost and my computer will fail to restart. In other words, how can one tell if one has either encryption on the boot HDD or its partitions, or if the MBR on the boot drive is non-standard?
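
One way to check the second half of that question (is the MBR structurally standard, and has its bootstrap code changed since a known-good baseline?), as an added example that is not from this thread or from Symantec: it parses a 512-byte MBR image, verifies the 0x55AA signature and the sanity of the four partition entries, and compares the bootstrap code area against a SHA-256 baseline recorded while the disk was known good. The sample image is constructed in the code; on a real machine the sector would be read from the raw disk device (on Windows, \\.\PhysicalDrive0 with administrator rights).

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR

def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (CHS fields are skipped)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}

def bootstrap_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code area, to compare against a known-good baseline."""
    return hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest()

def check_mbr(mbr: bytes, baseline_sha256=None) -> list:
    """Return a list of findings; an empty list means no anomaly was detected."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return ["unexpected sector size %d" % len(mbr)]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    entries = [parse_partition_entry(mbr[PART_TABLE_OFFSET + 16 * i:PART_TABLE_OFFSET + 16 * (i + 1)])
               for i in range(4)]
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):          # only "inactive" or "bootable" are legal
            findings.append("partition %d: invalid status byte 0x%02x" % (i, e["status"]))
        if e["type"] != 0 and e["sectors"] == 0:     # a typed entry with no extent is bogus
            findings.append("partition %d: type 0x%02x but zero length" % (i, e["type"]))
    active = sum(1 for e in entries if e["status"] == 0x80)
    if active != 1:
        findings.append("%d active partitions (expected exactly 1)" % active)
    if baseline_sha256 is not None and bootstrap_hash(mbr) != baseline_sha256:
        findings.append("bootstrap code differs from baseline hash")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed sample, not a real disk: zeroed bootstrap area, one active NTFS-type (0x07) partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 204800)
    return bytes(PART_TABLE_OFFSET) + entry + bytes(48) + BOOT_SIGNATURE

if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = bootstrap_hash(clean)      # record this while the disk is known good
    print("clean image:", check_mbr(clean, baseline))
    altered = bytearray(clean)
    altered[0:2] = b"\x90\x90"            # constructed: first two code bytes changed
    print("altered image:", check_mbr(bytes(altered), baseline))
```

Encryption of the drive or its partitions is a separate question that this structural check cannot answer; a full-disk encryption product would have to be identified from the installed software.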


  • 5.  RE: mebroot virus infection (boot.mebroot & trojan.mebroot)

    Posted Apr 10, 2009 10:24 AM
    My Norton tells me I'm infected with Boot.Mebroot. I've repeatedly tried the manual removal, and the above provided removal tool, to no effect. The tool prompts me that Trojan.Mebroot is not active on my system, and when I try to run the tool in safe mode, it prompts with a driver error. Any ideas?


  • 6.  RE: mebroot virus infection (boot.mebroot & trojan.mebroot)

    Posted Apr 10, 2009 10:46 AM

    Yesterday, Thursday April 9, I had a friend's infected laptop.
    All kinds of bad stuff going on with this thing. Did the usual: removed the malware and uninstalled the bad apps (Windows XP Anti-Virus, Windows XP Anti-Virus Pro, etc.).

    Finally, I wiped my brow and thought, it's finally clean.  AV time.  So I downloaded and registered a free version of an AV (Home Edition)  and installed it.  Ran the scan...  and to my dismay!!  Viruses!  The bad kind.

    Explorer.exe (%systemroot%\explorer.exe) infected!!  Could not be cleaned.
    Lsass.exe (%systemroot%\lsass.exe)
    Winlogon.exe (%systemroot%\winlogon.exe)
    Services.exe (%systemroot%\services.exe)
    SVChost.exe (%systemroot%\svchost.exe)

    All the legitimate ones!  I downloaded and tried all the tools for removal from all the major and not so major vendors.  And nothing!  Nothing could clean these files, delete them or get rid of my viruses.

    I figured, right before I gave up, I would give it one more shot.  The LONG shot.

    So I proceeded to remove the HDD from the infected machine.  I downloaded the Service Pack for the machine that was infected, in this case XP SP2. 

    - Ran the SP2 installer from a COMMAND prompt with the /x option and extracted to a partition on the clean machine.

    Updated the AV (Symantec EP) on another machine, removed that machine from the network and installed the HDD in it.

    I allowed the drive to be scanned, and SEP said, bad things here.  And deleted the culprits.  Very important files from Windows in order to successfully.

    This is exactly what I wanted to happen. 

    Back to the COMMAND prompt.  Service Pack was extracted to the C:\temp folder.

    expand c:\temp\i386\explorer.ex_ e:\windows\explorer.exe
    expand c:\temp\i386\lsass.ex_ e:\windows\lsass.exe
    expand c:\temp\i386\svchost.ex_ e:\windows\svchost.exe
    expand c:\temp\i386\services.ex_ e:\windows\services.exe
    expand c:\temp\i386\winlogon.ex_ e:\windows\winlogon.exe  

    No more Boot Sector virus!  Scanned with SEP and machine is clean. 

    **Problem** 
    If I scan with SFC it will not recognize the date stamp on the executables I put in from the SP, so it will want to squash them.

    **Solution**
    Installed SP3 on top of the now clean machine.  Date stamps good again.

    Seems long to do, but I spent 4 and a half hours trying to remove the damn thing before coming up with this 15 minute solution.

    Cheers.


  • 7.  RE: mebroot virus infection (boot.mebroot & trojan.mebroot)

    Posted Dec 29, 2009 02:39 PM
    Hey guys, like you I too was hit with this little monster. I too ran manual removal and Norton no longer picked up the virus (problem solved), or not!!

    Basically, rewriting the MBR with fixmbr did not work in my case. Other software also failed to find the virus until I was advised by a techy friend of mine to use Malwarebytes, available from CNET, which found the blighter and deleted it after scanning for a long time!!!

    It got rid of the DLL script that starts the virus off.

    Hope this works in all your cases.


  • 8.  RE: mebroot virus infection (boot.mebroot & trojan.mebroot)

    Posted Mar 25, 2010 01:55 AM

    I contacted Norton about having boot.mebroot on my system via their online chat.  I was told that I needed to take my computer to a local tech person, that they would be unable to remove it with their $99 service.

    Have not done this yet. 


  • 9.  RE: mebroot virus infection (boot.mebroot & trojan.mebroot)

    Posted Apr 07, 2010 03:20 PM
    Rorschach112 at "GeeksToGo" steered another to Dr. Web's "CureIt".  I downloaded a current version of this and it found and removed or quarantined a couple of files fairly quickly.  Since this, Norton does not detect and remove "Boot.mebroot" anymore.  Hopefully this is now resolved.  Why couldn't Norton do this?  Did not require booting into Windows recovery console and running fixmbr or anything complicated.

    I hope it's really fixed.  It appears to be.

    Also ran full system scan with CureIt and it found a lot of things that it thought were viruses or trojans that I think probably weren't.  I let it remove, move or quarantine all just in case.  No ill effects as of yet.