I get this message : "MBR sector of the 1. physical disk-Win32/Mebroot.H Trojan" & NOD32 can't clean it nor delete it. I have two HDD with 3 partitions and in deep scan it shows this message for all three of them.But (this is where it gets interesting) when i disconect the hard disk i use only as storage, and rescan the disk containing windows OS, non "Win32/Mebroot.H Trojan" message appears. The same thing appears when i connect my memory stick. Any suggestions??

I'd suggest repairing MBR using the Windows recovery CD

I THINK U DIDN'T UNDERSTAND THE PROBLEM.WHEN I DISCONNECT THE 2ND HDD AND RESCAN, NO "Win32/Mebroot.H Trojan" MESSAGE OCCURS.THE PROBLEMS OCCURS WHEN I CONNECT THE 2ND HDD OR EVEN MY MEMORY STICK.& NOT ONLY IN THEM BUT ALSO IN THE DISK THAT WAS CLEAN 5' AGO!!IT'S VERY STRANGE!SO THERE IS NOTHING TO REPAIR WHEN THE DISK CONTAINING OS IS "LEFT ALONE".

Hello Raiden32, I don't see any sense in why you are shouting at the 1 person who can help you out. I'd rethink your reply and if there was some miscommunication then proceed to explain with integ. and not child-like behavior.. Marcos was suggesting on what you typed as you problem.. These people are here to help not to be hollered at nor yelped at.. Try again and you might receive a decent replay..

"Peace"

The point is that Mebroot is hidden if the system is started from an infected partition.

Please provide us more details about the hard disk configuration, such as:

disk1 - 3 partitions: 1. system1, 2. system2, 3. data1
disk2 - 2 partitions: 1. system3, 2. data2

MY REPLY TO MARCOS WASN'T AGGRESSIVE.IN FACT I'M VERY PLEASED THAT HE RESPONDED THAT FAST.I ONLY SAID THAT MAYBE HE DIDN'T UNDERSTAND WHAT THE PROBLEM REALLY WAS SO I EXPLAINED IT FURTHER.

{QUOTE-> MY REPLY TO MARCOS WASN'T AGGRESSIVE.IN FACT I'M VERY PLEASED THAT HE RESPONDED THAT FAST.I ONLY SAID THAT MAYBE HE DIDN'T UNDERSTAND WHAT THE PROBLEM REALLY WAS SO I EXPLAINED IT FURTHER. <-QUOTE}
Hi Raiden - You are probably not aware that printing with capital letters is called shouting. You would use capitals if you are mad. ;D

thanks twl845 that i didn't know (newbiee in the world of informatics!!!)

Explanation:

{QUOTE-> I get this message : "MBR sector of the 1. physical disk-Win32/Mebroot.H Trojan" & NOD32 can't clean it nor delete it. <-QUOTE}

In this case, Mebroot was found in the MBR of the data (non-system) disk. It was not found on the system disk because Mebroot has been activated from the MBR of the system disk.

{QUOTE-> I have two HDD with 3 partitions and in deep scan it shows this message for all three of them.
<-QUOTE}

If possible, please show us the scanner log. The number of messages should be the total number of installed physical disks (including USB sticks) - 1 (excluding the system disk where Mebroot is hidden).

{QUOTE-> But (this is where it gets interesting) when i disconect the hard disk i use only as storage, and rescan the disk containing windows OS, non "Win32/Mebroot.H Trojan" message appears. <-QUOTE}

If you have only the system disk connected, Mebroot won't be detected in MBR as long as it's active. Please follow my advice and use the Windows installation CD to start the recovery console and repair MBR by running fixmbr or fixmbr \device\harddisk2 for the 2nd disk (read http://support.microsoft.com/kb/314058 for more information about using the recovery console)

Hi everyone. I just encountered this same error message which is confusing to me. I reformatted my sole hard drive and reinstalled Windows XP this afternoon. The only other thing I've done is to download ESET NOD32 antivirus and run a system scan. Any idea why a system with a fresh load should experience this problem and how to fix it?

Thanks for the help!

I am also having this problem.

This is my HD configuration:

200446

C -> System & Software
D, E, F -> Data

this is the NOD32 ScanLog (scaned only the operating memory
and boot sectors of all the partitions C, D, E and F):

200444

and this is the alert window of NOD32:

200445

I have found in my experience that fixing MBR viruses involves booting from something other than the HD. A LiveCD or BartPE environment, so that the MBR is not locked by the hard drive. Unfortunately I'm not aware of a way to use NOD32 that way.

hi everyone. I tried to fix the problem of the MBR virus with Windows Recovery Console.The thing is that i can't get the Recovery Console going.I start the pc with the Windows CD-ROM, i open the menu and at "Welcome to Setup" screen i get this message: "You must be the administrator in order to use this feature" i press ok and
"Welcome to Setup" screen shuts down. But i'm the administrator! It's my pc and i did the format.

did you have any similar problem?do you thing that the MBR virus changed any settings?

:D I fixed it!!! :thumb: I had to f8 at the begging so as to start an installation. Then "R" to run the recovery console. BUT :o i had to run fixmbr on each disk separately, meaning that i had to leave only one disk connected to motherboard each time. Having both connected when running "fixmbr\device\harddisk0" or "fixmbr\device\harddisk1" it said that the command wasn't valid. And guess what... the MBR of the "data" disk was the one infected not the one of the system.(this is why when i disconnected it, MBR of the system disk appeared clean) So do the same & remember only one disk connected each time (for those having 2 or more )

a big thanks to MARCOS for his advice :thumb:

Thanks for all. I fixed the problem too, with the Recovery Console - not each disk separately - all at once. I used "fixmbr" and "fixboot" for all of the disks and the partitions and that's worked - no threads detected in NOD32. But when I started GMER 1.0 there is "sector 61: malicious code @ sector 0x1d1c4581 size 0x1a9". Is this something to worry about it?