Mebroot.k Trojan, can't remove

Discussion in 'NOD32 version 2 Forum' started by mike_in_sd, Jun 13, 2008.

Thread Status:
Not open for further replies.
  1. mike_in_sd

    mike_in_sd Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    4
    Hi ...

    NOD32 is detecting the Mebroot.k trojan, but says that it can't
    clean it.

    Any help?
     
  2. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hi!

    Please give me the whole path to the detected file.
     
  3. mike_in_sd

    mike_in_sd Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    4
    Thanks for the reply Kosak ...

    It's an MBR (master boot record) Trojan.
     
  4. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Yes, I know. What I wanted to know was whether the caught file is really in the MBR or in System Volume Information, where detected files are often located and users then can't remove them (the solution is very simple). OK, since you say the threat is really in the MBR, use the Recovery Console with the command "fixmbr".

    Just to be sure, backup your data!
     
    Last edited: Jun 13, 2008
  5. mike_in_sd

    mike_in_sd Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    4
    NOD says Win32/Mebroot.K.

    I tried several programs from safe mode.

    I tried turning off system restore .. then turning it back on.

    Just can't get rid of this thing...

    thanks for looking
     
  6. mike_in_sd

    mike_in_sd Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    4
    Just tried CureIt... fixed it.

    thanks
     
  7. panda12

    panda12 Registered Member

    Joined:
    Jul 8, 2008
    Posts:
    7
    Hi Kosak, I experienced the same problem and thanks very much for your advice. I managed to remove the trojan in the MBR sector of the 1st physical disk.

    However, a similar trojan appeared: MBR sector of the 2nd physical disk - Win32/Mebroot.K trojan

    This time fixmbr wouldn't work. Could you please help? :'(
     
  8. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hello!

    Try to use this command:

    Code:
    fixmbr x:
    x - drive letter


    Regards
     
  9. panda12

    panda12 Registered Member

    Joined:
    Jul 8, 2008
    Posts:
    7
    Hello, thanks for the quick reply.

    I've tried the command. The external hard disk is G Drive, so I typed "fixmbr g". But only C:\WINDOWS> appeared, no other response.
     
  10. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    I believe with the FIXMBR command that you have to specify the device name to replace the MBR on a hard disk drive, i.e., "FIXMBR \Device\HardDisk0" at the Recovery Console. Replace "HardDisk0" with the device name for the external USB hard disk drive.

    Regards,

    Aryeh Goretsky
     
  11. panda12

    panda12 Registered Member

    Joined:
    Jul 8, 2008
    Posts:
    7
    Thanks agoretsky!

    I tried the command you suggested:

    FIXMBR \Device\DRIVE_G

    "C:\WINDOWS>" appeared again.
     
  12. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Was that the correct device name for your USB external drive?

    Regards,

    Aryeh Goretsky
     
  13. panda12

    panda12 Registered Member

    Joined:
    Jul 8, 2008
    Posts:
    7
    From Windows Explorer, the drive name shows as: DRIVE_G(G:)

    If I click on the drive's property, it shows as: DRIVE_G

    I'm not very good at computer. Hopefully didn't make mistake on the device name.
     
  14. panda12

    panda12 Registered Member

    Joined:
    Jul 8, 2008
    Posts:
    7
    Does it mean there's no way to fix the problem?
     
  15. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    In order to use the FIXMBR command, you will need to specify the logical device name for your external USB hard disk drive.

    I would suggest that you send an email to support@eset.sk explaining the problem you are experiencing with a link to this message thread. They will be able to tell you how to identify the logical device name for your external hard disk drive and any other specific instructions required to remove the infected master boot record.

    Regards,

    Aryeh Goretsky
     
  16. panda12

    panda12 Registered Member

    Joined:
    Jul 8, 2008
    Posts:
    7
    Hello Aryeh

    Thank you for your reply. I've sent email to eset as suggested. Hopefully they will be able to help me.

    Thanks a lot.
     
  17. Authentic_Emz

    Authentic_Emz Registered Member

    Joined:
    Aug 2, 2008
    Posts:
    1
    Hi there, the fixmbr thing really works. Here is how I was able to fix the same problem on a friend's computer.
    1. Boot from the XP CD.
    2. Press R for repair.
    3. In the Recovery Console type the following:
    4. fixmbr \device\harddrive0
       Are you sure you want to replace MBR blablabla... y (yes)
    5. fixmbr \device\harddrive1
    6. fixmbr \device\harddrive2
    (for as many drives as you have)

    After typing fixmbr \device... there is a warning message; if you don't see that warning message it means that you mistyped the command.
    I first tried with "/" instead of "\" and that is why it was not working at first.
    Hope that helps...
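The procedure above only rewrites the boot code; it does not tell you whether the rewrite took, or whether a second disk still carries modified code. Below is an added example (mine, not from the thread or from ESET) that reads a disk's first sector and compares it with a trusted copy. An MBR bootkit must leave the partition table intact so the machine still boots, so the tell-tale pattern is "boot code changed, partition table identical". Assumptions, labelled in the comments: the device paths (`\\.\PhysicalDrive0` on Windows, which is the same disk the Recovery Console calls `\Device\HardDisk0`, or `/dev/sda` on Linux) and the two sample sectors, which are constructed stand-ins and not captured from an infected machine. Because an active MBR rootkit can filter reads of the sector from inside the infected system, take the reference copy and the check from a boot CD or from a second machine with the disk attached.

```python
"""Inspect a 512-byte MBR and flag boot-code changes that leave the
partition table untouched, which is what an MBR bootkit has to do to keep
the machine booting.  Added example, not from the original thread; the
sample sectors are constructed, not captured from an infected disk."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code; 440..445: disk signature + 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries at 446..509
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"  # bytes 510..511


def read_mbr(device: str) -> bytes:
    r"""Read the first sector of a raw disk.  Assumed paths: \\.\PhysicalDrive0
    on Windows (run elevated; this is the disk the Recovery Console calls
    \Device\HardDisk0) or /dev/sda on Linux (run as root)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only, so a changed disk signature does not alert."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, reference: bytes) -> dict:
    """Compare a freshly read MBR with a trusted reference copy of the same
    disk's MBR (e.g. saved right after install, or right after fixmbr)."""
    findings = []
    if sector[510:512] != SIGNATURE:
        findings.append("missing 0x55AA signature: not a valid MBR")
    partitions = parse_partition_table(sector)
    if not partitions:
        findings.append("empty partition table")
    same_table = sector[PART_TABLE_OFF:510] == reference[PART_TABLE_OFF:510]
    same_code = boot_code_hash(sector) == boot_code_hash(reference)
    if same_table and not same_code:
        findings.append("boot code changed while partition table is preserved: "
                        "typical of an MBR bootkit; rewrite with fixmbr and re-check")
    elif not same_table:
        findings.append("partition table differs from reference: verify before rewriting the MBR")
    return {"clean": not findings, "findings": findings, "partitions": partitions}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, a fixed disk signature and one bootable
    NTFS (type 0x07) partition starting at LBA 63.  Test data, not a real disk."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20971520)
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)
    return code + disk_sig + table + SIGNATURE


# Stand-in boot code (a few x86 opcodes, not the real Windows MBR code).
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")
# Same partition table, different boot code: what an MBR infection looks like.
INFECTED_MBR = build_sample_mbr(b"\xeb\xfe\x90\x90\x90\x90\x90\x90")

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(mbr, CLEAN_MBR))
```

Run `check_mbr(read_mbr(path), reference)` once per physical disk, not just the system disk: as the thread shows, the external drive's MBR had been replaced as well, and `fixmbr` with no device argument only touches the boot disk.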
     
  18. panda12

    panda12 Registered Member

    Joined:
    Jul 8, 2008
    Posts:
    7
    Great! Authentic_Emz, it really works!!!

    The command is similar to agoretsky's but it is not necessary to change the device name; simply typing fixmbr \device\harddisk0 will do.

    I first typed fixmbr \device\harddrive0 but it wouldn't work, then tried fixmbr \device\harddisk0 and it works like magic.

    I didn't receive any response from NOD support and I do really appreciate all of your help. Thanks a lot :D
     