Mebroot.K

Discussion in 'ESET NOD32 Antivirus' started by mr_leb, Oct 15, 2008.

Thread Status:
Not open for further replies.
  1. mr_leb

    mr_leb Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    7
    Hi,

    I have been a user of Nod32 for a few months. A couple of days ago, I got infected by the Mebroot.K trojan. At first, Nod32 didn't detect anything. It was the BIOS built-in antivirus that was freaking out during boot. So I did a fixmbr from the recovery console. The next boot went fine until I logged into Windows and Nod32 said there was Mebroot.K on the 1., 2. and 4. physical drives. So I did the fixmbr again, this time on all drives. Booted fine, Windows as well. Then 1 or 2 reboots later, I got the Nod32 message again, this time only on the 1. and 2. drives. It's been like this for a few days. This morning when I booted, no messages from Nod32, but I had decided to do a full low-level format on the 2. hard drive (write zeros). Used the PC a bit without rebooting... a little while later comes the Nod32 warning that Mebroot.K is on the 2. physical drive again. It didn't mention the 1. one.

    I am a bit lost as to what to do next. I've been googling for the last few days without finding much that helped. Anyone with an idea? Is this a new virus?
     
  2. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hello, have you got System Restore disabled? Could there be other malware which installs it?
     
  3. mr_leb

    mr_leb Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    7
    I've run CureIT, I think it found some malware. I'll see after a few reboots if the problem still happens.
     
  4. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Please download a copy of ESET's MebRoot Removal Tool from this page on ESET's web site, run it on your system and report the results back.

    Regards,

    Aryeh Goretsky
     
  5. Medank

    Medank Registered Member

    Joined:
    Aug 25, 2008
    Posts:
    102
    Could be an FP as well; that's why your PC did not work so well.
    Paste the log.
     
  6. mr_leb

    mr_leb Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    7
    OK, the Mebroot removal tool didn't find anything, so I guess CureIT cleaned it well...

    Here's the Nod32 log, out of interest:

    Code:
    10/15/2008 9:43:52 PM	Startup scanner	boot sector	MBR sector of the 2. physical disk	Win32/Mebroot.K trojan	unable to clean		
    10/14/2008 7:00:44 PM	Startup scanner	boot sector	MBR sector of the 2. physical disk	Win32/Mebroot.K trojan	unable to clean	
    10/14/2008 7:00:44 PM	Startup scanner	boot sector	MBR sector of the 1. physical disk	Win32/Mebroot.K trojan	unable to clean		
    10/14/2008 7:00:23 PM	Startup scanner	boot sector	MBR sector of the 2. physical disk	Win32/Mebroot.K trojan	unable to clean
    10/14/2008 7:00:23 PM	Startup scanner	boot sector	MBR sector of the 1. physical disk	Win32/Mebroot.K trojan	unable to clean
    What does FP mean, btw?
     
  7. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    451
    Location:
    Cleveland, Ohio USA
    False Positive.
     
  8. Medank

    Medank Registered Member

    Joined:
    Aug 25, 2008
    Posts:
    102
    Has this FP been fixed by ESET?
     
  9. mr_leb

    mr_leb Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    7
    I don't think this is a false positive.
     
  10. azetaelle

    azetaelle Registered Member

    Joined:
    Oct 21, 2008
    Posts:
    3
    I have the same problem. After upgrading to NOD32 3.0.672, sometimes (not always) when I start my PC I get the message:
    Startup scanner boot sector MBR sector of the 1. physical disk Win32/Mebroot.K trojan
    I tried EmebRemover by Eset, Fixmebroot by Norton, Gmer, SysInspector.... nothing, none of them can find it.
    With Gmer I get this report:
    Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 62 !

    So the only thing I can imagine is that (I hope) it's a false positive.
    Any ideas? Thanks
     
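The GMER line "copy of MBR has been found in sector 62" is a check a defender can reproduce offline: the sectors between the MBR and the first partition are read and compared with sector 0. The script below is an added example (Python, not GMER's or ESET's code) that runs that comparison on a constructed disk image; the disk layout, bootstrap bytes and partition entry are made up for the demonstration, and a copy that carries the MBR's partition table but different bootstrap code is flagged separately from an identical duplicate.

```python
import struct
SECTOR = 512
BOOT_SIG = b"\x55\xAA"
ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors

def build_mbr(code: bytes, partitions: list[tuple[int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR: bootstrap code, (type, lba, size) entries, 0x55AA."""
    sector = bytearray(SECTOR)
    sector[:min(len(code), 440)] = code[:440]
    for i, (ptype, lba, size) in enumerate(partitions[:4]):
        status = 0x80 if i == 0 else 0x00  # 0x80 marks the active partition
        struct.pack_into(ENTRY, sector, 446 + 16 * i, status, ptype, lba, size)
    sector[510:] = BOOT_SIG
    return bytes(sector)

def parse_partitions(sector: bytes) -> list[dict]:
    """Return the non-empty entries of the partition table at offset 446."""
    entries = []
    for i in range(4):
        status, ptype, lba, size = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if ptype:
            entries.append({"active": status == 0x80, "type": ptype, "lba_start": lba, "sectors": size})
    return entries

def find_mbr_copies(image: bytes) -> list[dict]:
    """Scan the gap before the first partition for sectors carrying the MBR's partition table
    and boot signature (GMER: 'copy of MBR has been found in sector N'); note if the code matches too."""
    mbr = image[:SECTOR]
    parts = parse_partitions(mbr)
    if mbr[510:] != BOOT_SIG or not parts:
        raise ValueError("sector 0 is not a valid MBR")
    first_lba = min(p["lba_start"] for p in parts)
    hits = []
    for lba in range(1, min(first_lba, len(image) // SECTOR)):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[510:] == BOOT_SIG and sec[446:510] == mbr[446:510]:
            hits.append({"sector": lba, "code_matches_mbr": sec[:440] == mbr[:440]})
    return hits

def build_sample_image() -> bytes:
    """Constructed 63-sector image (not a real disk): sector 0 and the copy in sector 62 differ in code."""
    table = [(0x07, 63, 2_000_000)]  # one NTFS partition starting at LBA 63
    original = build_mbr(b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 100, table)  # made-up bootstrap bytes
    replaced = build_mbr(b"\xEB\x1F\x90\x90\x90" + b"\xCC" * 100, table)  # made-up bootstrap bytes
    image = bytearray(SECTOR * 63)
    image[:SECTOR] = replaced
    image[62 * SECTOR:] = original
    image[6 * SECTOR - 2:6 * SECTOR] = BOOT_SIG  # signature alone, no matching table: not a hit
    return bytes(image)
```

A hit with `code_matches_mbr` false means sector 0 and the copy disagree on bootstrap code, so at least one of them is not the original, which is the question this thread is trying to settle before touching the MBR.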
  11. ASpace

    ASpace Guest

    Just to be sure, use the Windows Recovery Console and the option fixmbr:
    http://support.microsoft.com/kb/307654
    http://www.kellys-korner-xp.com/win_xp_rec.htm

    You can also send ESET a log from ESET SysInspector, before fixing the Master Boot Record.

     
  12. azetaelle

    azetaelle Registered Member

    Joined:
    Oct 21, 2008
    Posts:
    3
    I went that way, but as soon as fixmbr showed "warning! you will lose all your data..." I decided to go back. Do you think fixmbr is safe?
    And what about SysInspector? A full detail scan or just a basic one?
    Thanks a lot
     
  13. mr_leb

    mr_leb Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    7
    Yes, fixmbr is safe, but it didn't help me get rid of the message.

    Try to scan your computer with CureIT, it's free, and I think this is what fixed mine:
    http://www.freedrweb.com/cureit/
     
  14. azetaelle

    azetaelle Registered Member

    Joined:
    Oct 21, 2008
    Posts:
    3
    I ran CureIT, no viruses found. I'll see if it works. Thanks
     
  15. maximx86

    maximx86 Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    11
    I had Mebroot once. It infected my NIC's drivers. Couldn't do anything under Windows. I removed the files using an Ubuntu live CD and reinstalled the NIC afterwards.
     