Serving The Planet

Removing ING Mebroot virus

If a Mebroot variant has infected your system, then your registry and legitimate Windows files are also compromised. System Restore can reinstate clean system files by restoring the configuration to an earlier date, provided you still have a restore point created before you got infected with Boot.Mebroot. But … SURPRISE … that, as well as a complete reinstall of Windows, won’t work, because your Master Boot Record is infected as well! Time for a REAL tried & tested solution!

 

The bad news? There are no tools to do the cleaning for you. Not even aswMBR. What you need is an original Windows XP recovery CD. Then perform these simple-to-do, simple-to-follow steps:
REMOVAL TOOL for Boot.Mebroot:
1. Start the computer using Windows Recovery Console:
– Insert the Windows XP CD-ROM into the CD-ROM drive.
– Restart the computer from the CD-ROM drive.
– Press R to start the Recovery Console when the “Welcome to Setup” screen appears.
– Select the installation that you want to access from the Recovery Console.
– Enter the administrator password and press Enter.
– Type the “fixmbr” command and press Enter, then follow the onscreen instructions to restore the Master Boot Record.
2. When done, exit by typing “Exit” and pressing Enter. The computer will now restart automatically.
3. Temporarily Disable System Restore (For WinXP only)
– On the Desktop, Right Click on My Computer
– Select the System Restore Tab
– Mark the “Turn Off System Restore” checkbox to disable System Restore; unmark it to enable.
– Click Apply on the Bottom of the Dialog Box to save the settings.
– A message “This deletes all existing restore points” will appear, click Yes to disable.
– Click OK.
Note: System Restore must be enabled again after the cleaning process.
4. Update the virus definitions.
5. Restart Windows in Safe Mode
– During the boot-up process (just before Windows starts), press F8 continuously until the selection menu appears
– Use the Up and Down arrow keys to select Safe Mode in the selection menu.
6. Run a full system scan and clean/delete all infected file(s)
7. Test whether it has been removed by using the ING virus cleaner: http://www.ing.nl/Images/FCleaner_1108_tcm7-83068.exe
8. Call ING helpdesk to have them remove the block, so you can access your bank account again (takes 2-3 days)
Addendum Sep 12, 2011: after successfully cleaning dozens of computers with the steps described above, I ran into a new ‘strain’ of the Mebroot virus tonight. One that kept ‘resetting’ back to an infected MBR. After 2 hours of trial & error, and trying countless rootkit removers from every known anti-virus manufacturer on the planet … I found my solution by using bleepingcomputer.com/download/anti-virus/combofix. Warning up front: it’s an extremely powerful tool! If you don’t have system administrator skills, you probably will wreck your computer! Don’t say I didn’t warn you. And also be sure to check its logfile afterwards.
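To confirm whether the MBR written by fixmbr survives a reboot (the ‘resetting’ case in the addendum), two raw dumps of sector 0 can be compared offline. This is an added example, not part of the original post: it assumes the 512-byte dumps were taken from boot media outside the installed Windows, and the function names and sample sectors are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440   # loader code; bytes 440-445 hold the disk signature
TABLE_OFFSET = 446    # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Hash the boot code and decode the partition table of one MBR sector."""
    if len(sector) != 512:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    if sector[510:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + 16 * i)
        if ptype:  # type 0 marks an unused slot
            partitions.append({"slot": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def compare_mbr(baseline: bytes, later: bytes) -> list:
    """List what differs between a post-fixmbr dump and a later dump."""
    a, b = parse_mbr(baseline), parse_mbr(later)
    findings = []
    if a["code_sha256"] != b["code_sha256"]:
        findings.append("boot code changed")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    return findings

def make_sample_sector(fill: int) -> bytes:
    """Constructed test sector: filler 'code' plus one active NTFS entry."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 204800)
    return bytes([fill]) * BOOT_CODE_LEN + bytes(6) + entry + bytes(48) + BOOT_SIG

# Constructed samples, not real boot code or malware.
AFTER_FIXMBR = make_sample_sector(0x90)
AFTER_REBOOT = make_sample_sector(0xCC)

if __name__ == "__main__":
    # In practice: compare_mbr(open(path1, "rb").read(), open(path2, "rb").read())
    print(compare_mbr(AFTER_FIXMBR, AFTER_FIXMBR))   # unchanged
    print(compare_mbr(AFTER_FIXMBR, AFTER_REBOOT))   # rewritten after reboot
```

A “boot code changed” finding with an unchanged partition table, on a machine where nothing legitimate rewrote the boot loader between the two dumps, means the cleanup did not hold.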

About Earnie Rhyker

tech pioneer | intellectual BadAss | ethical lifehacker | WordPress Developer & Polyglot | information activist | blogger | added value services provider | multimedia enthusiast | senior linux server administrator | geek | bitcoin investor | laptop entrepreneur | open source contributor | hackintosh fanatic | charity donator | accredited top MLM networker & internet marketer 2014-2016 @ BFH | digital expat
