Discussion in 'NOD32 version 2 Forum' started by mike_in_sd, Jun 13, 2008.
Nod32 is detecting mebroot.k trojan, but says that it can't
Any help?
Please give me the whole path to the detected file.
Thanks for the reply Kosak ...
It's an MBR (master boot record) Trojan ..
Yes, I know. What I wanted to know was whether the detected file is really in the MBR or in System Volume Information, where detected files are often located and users then can't remove them (the solution is very simple). OK, since you say that the threat is really in the MBR, use the Recovery Console with the command "fixmbr".
Just to be sure, backup your data!
nod says win32/mebroot.k
I tried several programs from safe mode.
I tried turning off system restore .. then turning it back on.
just can't get rid of this thing ...
thanks for looking
just tried cureit ... fixed it ...
Hi Kosak, I experienced the same problem and thanks very much for your advice. I managed to remove the trojan at MBR sector of the 1. physical disk.
However, a similar trojan appeared: MBR sector of the 2. physical disk - Win32/Mebroot.K trojan
This time fixmbr wouldn't work. Could you please help?
Try to use this command:
x - drive letter
Hello, thanks for the quick reply.
I've tried the command. The external hard disk is G Drive, so I typed "fixmbr g". But only C:\WINDOWS> appeared, no other response.
I believe with the FIXMBR command that you have to specify the device name to replace the MBR on a hard disk drive, i.e., "FIXMBR \Device\HardDisk0" at the Recovery Console. Replace "HardDisk0" with the device name for the external USB hard disk drive.
I tried the command you suggested:
"C:\WINDOWS>" appeared again.
Was that the correct device name for your USB external drive?
From Windows Explorer, the drive name shows as: DRIVE_G(G
If I click on the drive's property, it shows as: DRIVE_G
I'm not very good with computers. Hopefully I didn't make a mistake with the device name.
Does it mean there's no way to fix the problem?
In order to use the FIXMBR command, you will need to specify the logical device name for your external USB hard disk drive.
I would suggest that you send an email to firstname.lastname@example.org explaining the problem you are experiencing with a link to this message thread. They will be able to tell you how to identify the logical device name for your external hard disk drive and any other specific instructions required to remove the infected master boot record.
Thank you for your reply. I've sent an email to ESET as suggested. Hopefully they will be able to help me.
Thanks a lot.
Hi there, the fixmbr thing really works. Here is how I was able to fix the same problem on a friend's computer.
1. boot on XP CD
2. Press R for repair
3. In recovery console type the following
4. fixmbr \device\harddrive0
Are you sure you want to replace MBR blablabla... y (yes)
4. fixmbr \device\harddrive1
4. fixmbr \device\harddrive2
(for as many drives as you have)
After typing fixmbr \device... there is a warning message. If you don't see that warning message, it means that you mistyped the command.
I first tried with "/" instead of "\" and that is why it was not working at first.
Hope that helps...
Great! Authentic_Emz, it really works!!!
The command is similar to agoretsky's, but it is not necessary to change the device name; simply typing fixmbr \device\harddisk0 will do.
I first typed fixmbr \device\harddrive0 but that wouldn't do, then tried fixmbr \device\harddisk0, and it works like magic.
I didn't receive any response from NOD support and I do really appreciate all of your help. Thanks a lot.
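
As an added example (not part of the thread and not written by any of its posters), this Python code compares two saved 512-byte copies of a disk's sector 0, one taken before and one after a `fixmbr` run, and reports whether the bootstrap area changed and whether the partition table stayed the same. The function names and the sample sectors are constructed for illustration, and obtaining the sector copies is assumed to be done with a separate imaging tool.

```python
import hashlib
import struct

SECTOR, CODE_LEN = 512, 446   # bytes 0-445 bootstrap area, 446-509 table, 510-511 signature

def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into hashes and decoded partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for slot in range(4):
        entry = sector[CODE_LEN + 16 * slot: CODE_LEN + 16 * (slot + 1)]
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"slot": slot, "active": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:] == b"\x55\xaa",
            "code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "table_sha256": hashlib.sha256(sector[CODE_LEN:510]).hexdigest(),
            "partitions": parts}

def compare_mbr(before: bytes, after: bytes) -> dict:
    """Report what differs between two copies of the same disk's sector 0."""
    b, a = parse_mbr(before), parse_mbr(after)
    return {"signature_ok": a["signature_ok"],
            "code_changed": b["code_sha256"] != a["code_sha256"],
            "table_changed": b["table_sha256"] != a["table_sha256"],
            "partitions": a["partitions"]}

def build_sector(code_fill: int, entries: list) -> bytes:
    """Constructed test data: filler bootstrap bytes plus packed partition entries."""
    table = b"".join(entries).ljust(64, b"\x00")
    return bytes([code_fill]) * CODE_LEN + table + b"\x55\xaa"

# Constructed sample: one active partition of type 0x07 starting at LBA 63.
ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 204800)
BEFORE = build_sector(0xCC, [ENTRY])   # stands in for the copy saved before the repair
AFTER = build_sector(0x90, [ENTRY])    # stands in for the copy saved after the repair

if __name__ == "__main__":
    print(compare_mbr(BEFORE, AFTER))
```

A repaired disk should show `code_changed` true with `table_changed` false and a valid signature; a changed partition table is a reason to stop and check backups before going further.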