Mebroot.k Trojan, cant remove

Hi ...

Nod32 is detecting mebroot.k trojan, but says that it cant
clean it.

any help ?

 

Hi!

Give me please whole path to detected file.

 

Thanks for the reply Kosak ...

Its a MBR (master boot record) Trojan ..

 

Yes, I know. Thing, which I wanted to know was, if caught file is really in MBR or System Volume Information, where are often located detected files and then users can't remove it (solution is very simple). Ok, when you talk that threat is really in MBR, so use Recovery console with command "fixmbr".

Just to be sure, backup your data!

 

nod says win32/mebroot.k

I tried several programs from safe mode.

I tried turning off system restore .. then turning it back on.

just cant get rid of this thing ...

thanks for looking

 

just tried cureit ... fixed it ...

thanks

 

Hi Kosak, I experienced the same problem and thanks very much for your advice. I managed to remove the trojan at MBR sector of the 1. physical disk.

However, similar trojan appeared: MBR sector of the 2. physical disk - Win32/Mebroot.K trojan

This time fixmbr wouldn't work. Could you please help

 

Hello!

Try to use this command:

Code:

fixmbr x:

x - drive letter


Regards

 

Hello, thanks for the quick reply.

I've tried the command. The external hard disk is G Drive, so I typed "fixmbr g". But only C:\WINDOWS> appeared, no other response.

 

Hello,

I believe with the FIXMBR command that you have to specify the device name to replace the MBR on a hard disk drive, i.e., "FIXMBR \Device\HardDisk0" at the Recovery Console. Replace "HardDisk0" with the device name for the external USB hard disk drive.

Regards,

Aryeh Goretsky

 

Thanks agoretsky!

I tried the command you suggested:

FIXMBR \Device\DRIVE_G

"C:\WINDOWS>" appeared again.

 

Hello,

Was that the correct device name for your USB external drive?

Regards,

Aryeh Goretsky

 

From Windows Explorer, the drive name shows as: DRIVE_G(G

If I click on the drive's property, it shows as: DRIVE_G

I'm not very good at computer. Hopefully didn't make mistake on the device name.

 

Does it mean there's no way to fix the problem?

 

Hello,

In order to use the FIXMBR command, you will need to specify the logical device name for your external USB hard disk drive.

I would suggest that you sent email to support@eset.sk explaining the problem you are experiencing with a link to this message thread. They will be able to tell you how to identify the logical device name for your external hard disk drive and any other specific instructions required to remove the the infected master boot record.

Regards,

Aryeh Goretsky

 

Hello Aryeh

Thank you for your reply. I've sent email to eset as suggested. Hopefully they will be able to help me.

Thanks a lot.

 

Hi there, the fixbmr thing really works here is how i was able to fix the same problem on a friend's computer.
1. boot on XP CD
2. Press R for repair
3. In recovery console type the following
4. fixmbr \device\harddrive0
Are you sure you want to replace MBR blablabla... y (yes)
4. fixmbr \device\harddrive1
4. fixmbr \device\harddrive2
(for as much drives as you have)

After typing fixmbr \device... there is a warning message, if you dont see that warning message it means that you mistyped the command.
I first tried with "/" instead of "\" and that is why it was not working first.
Hope that helps...

 

Great! Authentic_Emz, it really works!!!

The command is similar to agoretsky's but it is not necessary to change the device name, simply type: fixmbr \device\harddisk0 will do.

I first typed fixmbr \device\harddrive0 but won't do and tried fixmbr \device\harddisk0 and it works like magic.

I didn't receive any response from NOD support and I do really appreciate all of your help. Thanks a lot