Hi, I have been a user of Nod32 for a few months. A couple of days ago, I got infected by the Mebroot.K trojan. At first, Nod32 didn't detect anything. It was the BIOS built-in antivirus that was freaking out during boot. So I did a fixmbr from the recovery console. Next boot went fine until I logged into Windows and Nod32 said there was Mebroot.K on the 1., 2. and 4. physical drives. So I did the fixmbr again, this time on all drives. Booted fine, Windows as well. Then 1 or 2 reboots later, I got the Nod32 message again, this time only on 1. and 2. drives. It's been like this for a few days. This morning when I booted, no messages from Nod32, but I had decided to do a full low-level format on the 2. hard drive (write zeros). Used the PC a bit without rebooting... a little while later comes the Nod32 warning that Mebroot.K is on the 2. physical drive again. It didn't mention the 1. one. I am a bit lost as to what to do next. I've been googling the last days without finding much that helped. Anyone with an idea? Is this a new virus?
I've run CureIT, I think it found some malware. I'll see after a few reboots if the problem still happens.
Hello, Please download a copy of ESET's MebRoot Removal Tool from this page on ESET's web site, run it on your system and report the results back. Regards, Aryeh Goretsky
OK, the Mebroot removal tool didn't find anything, so I guess CureIT cleaned it well... Here's the Nod32 log out of interest:
Code:
    10/15/2008 9:43:52 PM  Startup scanner  boot sector  MBR sector of the 2. physical disk  Win32/Mebroot.K trojan  unable to clean
    10/14/2008 7:00:44 PM  Startup scanner  boot sector  MBR sector of the 2. physical disk  Win32/Mebroot.K trojan  unable to clean
    10/14/2008 7:00:44 PM  Startup scanner  boot sector  MBR sector of the 1. physical disk  Win32/Mebroot.K trojan  unable to clean
    10/14/2008 7:00:23 PM  Startup scanner  boot sector  MBR sector of the 2. physical disk  Win32/Mebroot.K trojan  unable to clean
    10/14/2008 7:00:23 PM  Startup scanner  boot sector  MBR sector of the 1. physical disk  Win32/Mebroot.K trojan  unable to clean
What does FP mean btw?
I have the same problem. After upgrading to NOD32 3.0.672, sometimes (not always) when I start my PC I get the message:
    Startup scanner  boot sector  MBR sector of the 1. physical disk  Win32/Mebroot.K trojan
I tried with EmebRemover by Eset, Fixmebroot by Norton, Gmer, SysInspector.... nothing, no one can find it. With Gmer I get this report:
    Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 62 !
So the only thing I can imagine is that (I hope) it's a false positive. Any ideas? Thanks
Just to be sure, use the Windows Recovery Console and the option fixmbr: http://support.microsoft.com/kb/307654 http://www.kellys-korner-xp.com/win_xp_rec.htm You can also send ESET a log from ESET SysInspector before fixing the Master Boot Record.
I went on that way, but as soon as fixmbr showed "warning! you will lose all your data..." I decided to go back. Do you think fixmbr is safe? And what about SysInspector? A full detail scan or just a basic one? Thanks a lot
Yes, fixmbr is safe, but it didn't help me get rid of the message. Try to scan your computer with CureIT, it's free, and I think this is what fixed mine: http://www.freedrweb.com/cureit/
I had Mebroot once. It infected my NIC's drivers. Couldn't do anything under Windows. I removed the files using an Ubuntu live CD and reinstalled the NIC afterwards.