"MBR sector of the 1. physical disk-Win32/Mebroot.H Trojan"

Discussion in 'ESET NOD32 Antivirus' started by raiden32, Jun 1, 2008.

Thread Status:
Not open for further replies.
  1. raiden32

    raiden32 Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    11
    I get this message: "MBR sector of the 1. physical disk-Win32/Mebroot.H Trojan" & NOD32 can't clean it nor delete it. I have two HDDs with 3 partitions and in a deep scan it shows this message for all three of them. But (this is where it gets interesting) when I disconnect the hard disk I use only as storage, and rescan the disk containing the Windows OS, no "Win32/Mebroot.H Trojan" message appears. The same thing happens when I connect my memory stick. Any suggestions??
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd suggest repairing MBR using the Windows recovery CD
     
  3. raiden32

    raiden32 Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    11
    I THINK U DIDN'T UNDERSTAND THE PROBLEM. WHEN I DISCONNECT THE 2ND HDD AND RESCAN, NO "Win32/Mebroot.H Trojan" MESSAGE OCCURS. THE PROBLEM OCCURS WHEN I CONNECT THE 2ND HDD OR EVEN MY MEMORY STICK. & NOT ONLY IN THEM BUT ALSO IN THE DISK THAT WAS CLEAN 5' AGO!! IT'S VERY STRANGE! SO THERE IS NOTHING TO REPAIR WHEN THE DISK CONTAINING THE OS IS "LEFT ALONE".
     
  4. Bitten By C Bug

    Bitten By C Bug Registered Member

    Joined:
    May 9, 2007
    Posts:
    45
    Hello Raiden32, I don't see any sense in why you are shouting at the one person who can help you out. I'd rethink your reply and if there was some miscommunication then proceed to explain with integrity and not child-like behavior. Marcos was suggesting based on what you typed as your problem. These people are here to help, not to be hollered at nor yelped at. Try again and you might receive a decent reply.

    "Peace"
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The point is that Mebroot is hidden if the system is started from an infected partition.

    Please provide us more details about the hard disk configuration, such as:

    disk1 - 3 partitions: 1. system1, 2. system2, 3. data1
    disk2 - 2 partitions: 1. system3, 2. data2
     
  6. raiden32

    raiden32 Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    11
    MY REPLY TO MARCOS WASN'T AGGRESSIVE. IN FACT I'M VERY PLEASED THAT HE RESPONDED THAT FAST. I ONLY SAID THAT MAYBE HE DIDN'T UNDERSTAND WHAT THE PROBLEM REALLY WAS, SO I EXPLAINED IT FURTHER.
     
  7. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Hi Raiden - You are probably not aware that printing with capital letters is called shouting. You would use capitals if you are mad. :D
     
  8. raiden32

    raiden32 Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    11
    thanks twl845, that I didn't know (newbie in the world of informatics!!!)
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Explanation:

    In this case, Mebroot was found in the MBR of the data (non-system) disk. It was not found on the system disk because Mebroot has been activated from the MBR of the system disk.

    If possible, please show us the scanner log. The number of messages should be the total number of installed physical disks (including USB sticks) minus 1 (excluding the system disk where Mebroot is hidden).

    If you have only the system disk connected, Mebroot won't be detected in MBR as long as it's active. Please follow my advice and use the Windows installation CD to start the recovery console and repair MBR by running fixmbr or fixmbr \device\harddisk2 for the 2nd disk (read http://support.microsoft.com/kb/314058 for more information about using the recovery console)
     
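    The post above describes the blind spot: the infected system disk's MBR looks clean to the running OS, while the MBRs of the other physical disks are reported. The way to see the real sectors is to read them from an environment that was not booted from the suspect disk (a live CD, as a later post also suggests). The following is an added example, written for this thread and not code from ESET or from any poster: it parses raw 512-byte MBR images, verifies the 0x55AA signature, lists partition entries, and compares each disk's 446-byte boot code against a baseline hash taken from a known-clean sector. The disk names, the baseline bytes and the sample images are all constructed for the example; they are placeholders, not real Windows boot code or real captures.

```python
"""Offline MBR triage: parse first sectors from several physical disks and
flag any whose boot code differs from a trusted baseline.

Added example for the Wilders thread on Win32/Mebroot.H; not ESET code.
Assumption: the 512-byte sectors were read from a live environment, not
from the OS booted off the suspect disk (which could hide the real MBR).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 are executable boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3sB3sII" # flag, CHS start, type, CHS end, LBA start, sectors
SIGNATURE = b"\x55\xAA"      # bytes 510..511 of a valid MBR


def read_first_sector(device_path):
    """Read the MBR from a block device, e.g. /dev/sda on a Linux live CD.
    (Assumed usage; needs root. Not used by the constructed samples below.)"""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Return boot-code hash and non-empty partition entries of one MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        flag, _, ptype, _, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": flag == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def triage_disks(images, known_good_sha256):
    """images: {disk_name: 512-byte sector}. Returns {disk_name: verdict}.
    The verdict compares only the boot code: an MBR rootkit replaces the
    code but usually keeps the partition table, so the table alone is not
    evidence of cleanliness."""
    verdicts = {}
    for name, sector in images.items():
        try:
            info = parse_mbr(sector)
        except ValueError as exc:
            verdicts[name] = f"unparseable: {exc}"
            continue
        if info["boot_code_sha256"] == known_good_sha256:
            verdicts[name] = "clean"
        else:
            verdicts[name] = "boot code differs from baseline"
    return verdicts


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR; used only to construct the samples below.
    partitions: iterable of (boot_flag, type, lba_start, sector_count)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_ENTRY_FMT, flag, b"\x00" * 3, ptype,
                                 b"\x00" * 3, lba, count)
                     for flag, ptype, lba, count in partitions)
    return code + table.ljust(64, b"\x00") + SIGNATURE


# Constructed samples (placeholders, not real Windows boot code or captures).
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20
BASELINE = build_mbr(CLEAN_CODE, [(0x80, 0x07, 63, 40_000_000)])
KNOWN_GOOD = hashlib.sha256(BASELINE[:BOOT_CODE_LEN]).hexdigest()

SAMPLE_IMAGES = {
    "harddisk0": BASELINE,                                  # system disk
    "harddisk1": build_mbr(b"\xEB\x10\x90" + b"\xCC" * 40,  # altered code,
                           [(0x00, 0x07, 63, 80_000_000)]),  # intact table
    "usbstick": b"\x00" * SECTOR_SIZE,                      # no signature
}

if __name__ == "__main__":
    for disk, verdict in triage_disks(SAMPLE_IMAGES, KNOWN_GOOD).items():
        print(f"{disk}: {verdict}")
```

    The baseline hash is only worth anything if the sector it came from was itself read offline; a hash of the system disk's MBR taken while the infected OS is running would, per the post above, be a hash of what the rootkit chooses to show. A USB stick or data disk with no 0x55AA signature is reported as unparseable rather than clean, since a scanner that silently skips such media would mask exactly the case where the sector has been overwritten.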
  10. cithindril

    cithindril Registered Member

    Joined:
    Jun 2, 2008
    Posts:
    1
    Hi everyone. I just encountered this same error message which is confusing to me. I reformatted my sole hard drive and reinstalled Windows XP this afternoon. The only other thing I've done is to download ESET NOD32 antivirus and run a system scan. Any idea why a system with a fresh load should experience this problem and how to fix it?

    Thanks for the help!
     
  11. xZippy

    xZippy Registered Member

    Joined:
    Oct 25, 2007
    Posts:
    11
    I am also having this problem.
     
  12. mailemo

    mailemo Registered Member

    Joined:
    Jun 5, 2008
    Posts:
    2
    This is my HD configuration:

    [attachment: disks.JPG]

    C -> System & Software
    D, E, F -> Data

    this is the NOD32 scan log (scanned only the operating memory
    and boot sectors of all the partitions C, D, E and F):

    [attachment: log.JPG]

    and this is the alert window of NOD32:

    [attachment: alert.JPG]
     
  13. Beta7

    Beta7 Registered Member

    Joined:
    Jun 3, 2008
    Posts:
    8
    I have found in my experience that fixing MBR viruses involves booting from something other than the HD. A LiveCD or BartPE environment, so that the MBR is not locked by the hard drive. Unfortunately I'm not aware of a way to use NOD32 that way.
     
  14. raiden32

    raiden32 Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    11
    Re: can't get the Recovery Console going

    hi everyone. I tried to fix the problem of the MBR virus with the Windows Recovery Console. The thing is that I can't get the Recovery Console going. I start the PC with the Windows CD-ROM, I open the menu and at the "Welcome to Setup" screen I get this message: "You must be the administrator in order to use this feature". I press OK and the
    "Welcome to Setup" screen shuts down. But I'm the administrator! It's my PC and I did the format.

    did you have any similar problem? do you think that the MBR virus changed any settings?
     
  15. raiden32

    raiden32 Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    11
    :D I fixed it!!! :thumb: I had to press F8 at the beginning so as to start an installation. Then "R" to run the recovery console. BUT :eek: I had to run fixmbr on each disk separately, meaning that I had to leave only one disk connected to the motherboard each time. Having both connected when running "fixmbr \device\harddisk0" or "fixmbr \device\harddisk1" it said that the command wasn't valid. And guess what... the MBR of the "data" disk was the one infected, not the one of the system. (This is why when I disconnected it, the MBR of the system disk appeared clean.) So do the same & remember: only one disk connected each time (for those having 2 or more).

    a big thanks to MARCOS for his advice :thumb:
     
  16. mailemo

    mailemo Registered Member

    Joined:
    Jun 5, 2008
    Posts:
    2
    Thanks for all. I fixed the problem too, with the Recovery Console - not each disk separately - all at once. I used "fixmbr" and "fixboot" for all of the disks and the partitions and that worked - no threats detected in NOD32. But when I started GMER 1.0 there is "sector 61: malicious code @ sector 0x1d1c4581 size 0x1a9". Is this something to worry about?
     