MBR trojan Mebroot.K

Hello all,

Im new on this site, so first of all greetz to everyone.
I am the lucky one who has got a MBR trojan.
I have NOD32 running on my Win XP PC.
NOD gives the following message:
MBR sector of the 1. physical disk contains trojan Win32/Mebroot.K.

As i already noticed NOD is unable to clean or replace the MBR.
Also i tried to fix the MBR from the windows repair console. (with the fixmbr command)
The repair console writes a new MBR and says the original "MBR seems to be non standard". But after reboot the trojan is still there.
I have a bootsector protection in my BIOS but for some stupid reason i disabled this.
Can someone help me with this problem ??
Thanks in advance.

regards,
Cube

 

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide

 

I followed the guide but the trojan is still in my MBR.
After the program scans i turned of the system restore function on all HD's.
I ran windows repair console and did a fixmbr. Command was executed and wrote a new MBR.
But the trojan is still there after reboot.
I attached the 4 logs. (1 zip file contains 3 logs)
Only superanti spyware found some issues. The others found 0 problems. :confused
Also NOD32 did not found infections.
I am confused. I am afraid a format c: will not remove this trojan.
Hopefully you can help me with this problem.
Thanks in advance.

Regards,
Cube

 

Found :http://www.avertlabs.com/research/blog/index.php/2008/03/23/exploring-stealthmbr-defenses/
This looks like a nasty trojan. I will try today to delete all my partitions with FDISK and setup windows on a new partitioned disk. Hopefully the trojan will be gone.
I hope when i make new partitions sectors 60-63 will be overwritten.
I will let you know when I'm back online.

greets
Cube

 

......................
I am getting depressed here.
When i start fdisk he says that my HD is only 20Gb big. But this should be a 160GB drive.
I did the fdisk /mbr command to erase my mbr but this won't work. Still drive is 20Gb.
After that tried the fixmbr again in the win repair console but also that won't work !!!!!!
Somebody please help me. Or do i have to buy a new hard drive ?
Am i the only one who has the stupid trojan ?
I am out of ideas................

HELP!!!!!

 

Sorry for the delay.

Why are you doing things without, proper guidance. FDISK is a tool from the MS-DOS days and is to only be used on FAT32 File systems.

The MBR could have been repaired; but first you have to disinfect the file system, before it can be removed.

Now you are left with no option but to do a 'Clean Install' of Windows XP.

A Clean install tutorial at The Elder Geek; http://www.theeldergeek.com/clean_installation_of_windows_xp.htm

 

I did a clean install. First i removed all partitions.
Then made 1 partition. Installed windows on it.
Removed network plug before install.
After installing windows xp installed mainbord drivers and directly after that NOD32.
I ran NOD32 . I have NO network connection at that moment.
And....................... believe it or not.
I have my Mebroot trojan again.

BTW You asked me why i was using FDISK. My C: is always FAT32.
I am 40 years old and I grew up with dos and those commands. I am still using my floppydrive also.
So i had to use FAT to be able to repair my drive.(I am a bit "oldfashion" with my tools)
And i expirienced 3 or 4 MBR virusses in the past. But they were not that hard to kill like this one. Most of the time they were gone after repartioning the drive or after the fixmbr from the repair console.

But returning to my problem,
The strange thing is that NONE of the files on my harddrive are infected.
I ran 4 virusscanners (Macfee virscan,NOD32,AV,Trendmicro) and ALL of them
found 0 infections in my files. NOD32 is the only one who says that my MBR is infected.
But i downloaded some other programs. (GMer,mbr.exe and others)
I will try them.

 

FDISK is not a part of Windows XP and should never be used when partitioning a HDD for XP installation. Windows XP has its own tool set that is used by the installer to parttion and format the HDD for installing XP.

You should be using the NTFS file sytem and not FAT32. For starters NTFS is a more secure file system.

Today's boot sector virus variants are far more difficult to remove than the boot sector virus of a few years ago.

You came here for advice, and so far you have told me what you are doing instead of waiting for me to give advice.

I need the NOD32 scan log, so I can see exactly what it is that NOD32 thinks it has found.

 

Your are completely right.
Sorry for the inconvenience i have caused.
Here is the log.

 

NOD32 doesn't seem to have found anything other than the infected MBR.

I'm going to need some more logs, to confirm that the infected MBR is the only problem.

Please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide