How To Remove Mebroot From The Operational Memory Of Your PC
By Yoovle
About two months ago, I turned on my PC and Nod32, which is the anti-virus protection I use on my laptop, popped up an alarm window saying that it found a Win32/Mebroot trojan virus in the operational memory and that it cannot be cured or removed.
To be honest with you, this was actually the first serious virus problem I'd experienced on my PC, and as I later found out, it wasn't as easy to get rid of as I first thought. I searched all over the internet but didn't find a clear answer, and the tools that were said to remove this virus just didn't work. I only found out how serious the problems it can cause are, and that it's sometimes impossible to remove it from the PC for good, as it is designed to hide in a sector of your hard drive. What was even more annoying was the description of this virus's purpose on your PC: it's designed to wait in the shadows and peek at your important passwords, such as those for your eBay or bank account.
However, I'm happy to say that just at the point where I was thinking that the only way to really clean the Mebroot trojan from my disk was to actually destroy it and buy a new one, I tried a solution that really worked. I read a lot of forums and finally found a real solution, which was in the end a lot simpler than you'd expect.
Solution
First, use GMER's MBR rootkit detector (mbr.exe) to verify that your PC is actually infected.
- Download mbr.exe to your Desktop.
- Double-click mbr.exe and follow prompts.
- When mbr.exe is ready, it will create a log.
If your PC is infected, then you'll see something like this in your output log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x3a384c41 size 0x1c0 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
Although in my case it was this:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user & kernel MBR OK
And after fixing the problem, my log said this:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
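The three logs above differ in only a few lines, so they are easy to triage by script. The following Python sketch is an added example, not part of the original article or of GMER's tool; the function name `parse_mbr_log` and the "inconclusive" verdict for a failed user-mode read are assumptions made here, and the sample inputs are the article's own logs with the banner line omitted.

```python
import re

# The article's logs (banner line omitted), used as sample input.
INFECTED = """\
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x3a384c41 size 0x1c0 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""
AUTHOR_CASE = """\
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user & kernel MBR OK
"""
CLEAN = AUTHOR_CASE.replace("user: error reading MBR", "user: MBR read successfully")

def parse_mbr_log(text):
    """Extract per-mode read status and findings from an mbr.exe log; add a verdict."""
    out = {"reads": {}, "malicious_sector": None, "malicious_size": None,
           "mbr_copy_sector": None, "verdict": "unknown"}
    detected = False
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"(user|kernel): (.+)$", line)
        if m:  # "user & kernel MBR OK" has no colon after "user", so it is skipped
            out["reads"][m.group(1)] = m.group(2) == "MBR read successfully"
        m = re.match(r"malicious code @ sector (0x[0-9a-fA-F]+) size (0x[0-9a-fA-F]+)", line)
        if m:
            out["malicious_sector"] = int(m.group(1), 16)
            out["malicious_size"] = int(m.group(2), 16)
        m = re.match(r"copy of MBR has been found in sector (\d+)", line)
        if m:
            out["mbr_copy_sector"] = int(m.group(1))
        if "rootkit code detected" in line or "rootkit infection detected" in line:
            detected = True
    if detected:
        out["verdict"] = "infected"
    elif len(out["reads"]) == 2 and all(out["reads"].values()):
        out["verdict"] = "clean"
    elif out["reads"]:
        # Assumption: a failed read in either mode means the "OK" line is not
        # backed by a full user/kernel comparison, so flag it for a re-scan.
        out["verdict"] = "inconclusive"
    return out

if __name__ == "__main__":
    for name, log in (("infected", INFECTED), ("author", AUTHOR_CASE), ("clean", CLEAN)):
        print(name, parse_mbr_log(log))
```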
DISCLAIMER: I'm not responsible for any harm that you might do to your computer while following this guide, nor am I saying that this is the right solution for your problem. I'm just saying how I removed the virus Win32/Mebroot from my PC. Everything you do to your computer following this guide or any advice received from me is your own responsibility only.
Follow this step by step process to remove Win32/Mebroot from your PC forever.
- Take your Windows XP CD
- Insert it in your CD/DVD drive
- Restart your PC
- Now you have to boot from your CD (in my case, I'd just press any key)
- It's going to take about 4 minutes to read the data from the Windows CD, and then you'll press the R key to get to the Recovery Console
- In the DOS console that follows, you might be asked to choose a Windows install - there's gonna be just one, so type 1 and hit ENTER.
- Type fixmbr and hit ENTER
- You'll be warned that this process might harm your disk, but continue anyway.
- At the end just type exit and hit ENTER. Your PC is going to be restarted and your NOD32 will no longer detect any virus on your PC, because it has just been removed by fixing your disk header.
I hope you liked my article and that you found it useful. I'd just like to add one more thing, the only anti-virus software that was able to detect this Mebroot virus was the Eset Nod32 and I'm glad I've had this installed instead of the other competitors. Thanks for reading and I wish you a nice day!