MBR probably unknown TSR.BOOT virus


FanJ
June 9th, 2005, 06:04 PM
Hi,

I'm coming to ask for your help.

I just did a scan with NOD32 (2.50.19) on my W98SE machine.
I got this warning:

=====
Scanning Log
NOD32 version 1.1135 (20050609)
Checking CRC of NOD32.EXE: Status OK
Operating memory is OK.
MBR sector of the 1. physical disk contains probably unknown TSR.BOOT virus [7].

Date: 9.6.2005 Time: 23:01:06
Scanned disks, folders and files: C:; D:; E:; F:; G:
C:\WINDOWS\WIN386.SWP - error opening (File locked) [4]

Number of scanned files: 82135
Number of threats found: 0
Time of completion: 23:14:59 Total scanning time: 833 sec (00:13:53)

Notes:
[4] File cannot be opened. It may be in use by another application or operating system.
=====

I am wondering about that "probably unknown TSR.BOOT virus" in my MBR.


What has happened:
For quite some time now I have not been able to use Acronis TrueImage anymore.
Well, I can make a backup image from within Windows (not from bootable floppies), but I cannot restore anymore.
Desperate as I was, I tried (probably not very wise; I don't know) a tool which is mentioned in a sticky thread at the Acronis forum:
PLEASE READ BEFORE YOU POST (http://www.wilderssecurity.com/showthread.php?t=55317)
I am talking about a tool to fix your MBR.

=== Quotes from that thread ===
Sometimes you need to fix Master Boot Record on your hard drive. We have two special utilities for this purpose.
1. Using floppy drive. Please insert a diskette into the floppy drive and run the file available by the link below:
http://www.acronis.com/files/support/mbrautowrite_en.exe
Once the floppy is written, boot the computer from it and confirm that you want to fix the master boot record.
You do NOT need to copy this file to diskette. Just launch it from hard disk (or any media) with the diskette inserted.
=== end quotes ===

Well, I am not saying that this has necessarily caused that warning from NOD32, but on the other hand my guess at the moment is that it is the cause.

Some of you know perhaps that I use the file-integrity-checker ADinf32 Pro
(see here (http://www.wilderssecurity.com/showthread.php?t=72131) ).

Well, ADinf32 gave me a warning, after I used that MBR-fix tool, about a change in my MBR; see screenshot.

For the moment I have not let NOD32 try to fix that possible virus.

Any help would be greatly appreciated !
Thanks in advance,
Jan.

FanJ
June 9th, 2005, 06:08 PM
And here is another screenshot from ADinf32, telling that it is indeed the MBR.

To explain a little bit more:
ADinf32 warns you only if files/folders (and boot records) have been changed.
It is you, the user, who has to decide whether a change is legit or not.

Well, in my case I thought:
OK, I did try to repair the MBR, so nothing wrong.....

FanJ
June 10th, 2005, 02:20 AM
Scanned with KAV 4.5 : nothing suspicious.

I can submit a file, but the MBR ? ;)
I hope that ESET has the time to look at it and can reproduce it with the tool I mentioned.
It looks like an FP to me.

Thanks,
Regards, Jan.

FanJ
June 10th, 2005, 07:48 PM
~bump~ ;)

kalpik
June 10th, 2005, 10:18 PM
From what I can see, you can fix it by deleting the MBR and then recreating it. I know how it works with XP but I'm not sure about Win98. Umm... I guess it was something like: boot with your 98 startup disk, choose "start computer without CD-ROM support" and then type "fdisk /mbr". This will either delete and/or recreate the MBR. Hehe, sorry I couldn't help you specifically! Do research a bit before going ahead and trying this out. Get some second opinions too. Because I'm saying myself I'm NOT very sure about 98!!! So I'll not be responsible if anything bad happens!!!

I just posted this because someone might offer better advice thinking along these lines... ;)

gberns
June 10th, 2005, 11:08 PM
{QUOTE-> type "fdisk /mbr".
I just posted this because someone might offer better advice thinking along these lines... ;) <-QUOTE}

If I remember correctly, this will be a good thing to do IF AND ONLY IF you want to wipe out everything on your hard drive.

Fdisk is the partitioning utility in DOS. I would read its help screens really carefully before using it unless you are prepared for a bare metal reinstall.

gberns
June 10th, 2005, 11:17 PM
I think I was maybe going a little overboard. Here is the link to Microsoft's page on fdisk /mbr: http://support.microsoft.com/kb/q69013/
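
The two things discussed in this thread, an integrity checker (ADinf32) flagging that the MBR changed, and FDISK /MBR or an MBR-fix tool rewriting it, both come down to which part of the 512-byte sector actually differs: the boot code (bytes 0-445), the four 16-byte partition entries (bytes 446-509), or the 0x55 0xAA signature (bytes 510-511). A tool that only rewrites the boot loader leaves the partition table alone; a rewrite that also touches the table is what costs you your data. The following is an added example, not code from the thread, from ESET or from Acronis: it splits a sector into those regions, hashes each one separately and reports which region changed between a saved baseline and the current sector. The sample sectors are constructed inline (a handful of real MS-DOS MBR prologue opcodes padded with zeros, and one FAT32 partition entry); on a real machine you would read the first 512 bytes of the physical disk into `current` and compare against a copy saved before running any repair tool.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: executable boot code
PARTITION_TABLE_OFF = 446    # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFF = 510          # bytes 510..511: 0x55 0xAA boot signature
# Partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PARTITION_ENTRY = "<B3xB3xII"


def split_mbr(sector: bytes):
    """Return (boot_code, partition_table, signature) slices of a 512-byte MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    return (sector[:BOOT_CODE_LEN],
            sector[PARTITION_TABLE_OFF:SIGNATURE_OFF],
            sector[SIGNATURE_OFF:])


def has_valid_signature(sector: bytes) -> bool:
    """A sector without the 0x55 0xAA signature is not a bootable MBR at all."""
    return sector[SIGNATURE_OFF:] == b"\x55\xAA"


def parse_partition_table(table: bytes):
    """Decode the four partition entries; unused entries (type 0) are skipped."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PARTITION_ENTRY, table, i * 16)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def region_digests(sector: bytes):
    """Hash each region separately so a change can be attributed to one of them."""
    code, table, sig = split_mbr(sector)
    return {"boot_code": hashlib.sha256(code).hexdigest(),
            "partition_table": hashlib.sha256(table).hexdigest(),
            "signature": sig.hex()}


def diff_mbr(baseline: bytes, current: bytes):
    """Names of the regions whose content differs between the two sectors."""
    before, after = region_digests(baseline), region_digests(current)
    return [name for name in before if before[name] != after[name]]


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR for the examples below (padding is zero-filled)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PARTITION_ENTRY, *e) for e in entries).ljust(64, b"\x00")
    return code + table + b"\x55\xAA"


# Constructed sample data (not taken from the poster's machine).
# ORIGINAL_CODE is the classic MS-DOS MBR prologue: xor ax,ax / mov ss,ax / mov sp,7C00h.
ORIGINAL_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"
# A "fixed" loader that begins with cli before the same prologue.
REWRITTEN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"
# One bootable FAT32 (type 0x0B) partition starting at LBA 63, 1 GiB of sectors.
FAT32_ENTRY = (0x80, 0x0B, 63, 2097152)

BASELINE_MBR = build_mbr(ORIGINAL_CODE, [FAT32_ENTRY])
# What an MBR-fix tool or FDISK /MBR is expected to produce: new loader, same table.
REWRITTEN_MBR = build_mbr(REWRITTEN_CODE, [FAT32_ENTRY])
# What you do NOT want to see after a "repair": the partition table itself changed.
TAMPERED_MBR = build_mbr(ORIGINAL_CODE, [FAT32_ENTRY, (0x00, 0x83, 2097215, 1000)])


if __name__ == "__main__":
    for label, current in (("rewritten loader", REWRITTEN_MBR), ("table changed", TAMPERED_MBR)):
        print(label, "->", "signature ok" if has_valid_signature(current) else "NO SIGNATURE",
              "changed regions:", diff_mbr(BASELINE_MBR, current))
    print("partitions:", parse_partition_table(split_mbr(BASELINE_MBR)[1]))
```

Hashing the regions separately is the point: an integrity checker that stores one hash over the whole sector can only say "the MBR changed", which is exactly the warning the poster got and could not interpret. Keeping the partition-table digest on its own lets you confirm that a loader rewrite left the table untouched before deciding whether the change is the repair tool's doing or something else.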

NOD32 user
June 11th, 2005, 01:37 AM
I am of the belief that your boot sector warning may be an FP, but obviously you cannot send this to ESET for verification. All of the indicators you have posted appear to me to be simply the result of the MBR-fixing utility :)

Separately from your FP issue, have you run a ScanDisk? It's common in my experience for one small, trivial file system anomaly to prevent imaging software from working correctly :)

You decide if you want to, but I would have no problem either letting NOD32 repair or replace the MBR as you feel appropriate, or alternatively using the 'FDISK /MBR' suggestion above by kalpik, noting especially the warnings in the M$ link that gberns posted. :)

HTH :)

Blackspear
June 11th, 2005, 02:08 AM
Hi Jan, with this issue can you please send an email to support@nod32.com and place a link to this thread. If you do not hear from Eset within 3 days (allows for weekends), please advise us here...

We would appreciate if you could keep us in the loop with your progress, as we all learn this way…

Cheers ;D

kalpik
June 11th, 2005, 04:52 AM
{QUOTE-> If I remember correctly, this will be a good thing to do IF AND ONLY IF you want to wipe out everything on your hard drive.

Fdisk is the partiioning utility in DOS. I would read its help screens really carefully before using it unless you are prepared for a bare metal reinstall. <-QUOTE}

Hey dude, I'm not here to fry someone's PC. As far as I know, "fdisk /mbr" does fix MBR viruses. And even then, I did mention researching it before trying!!! So please do your homework before pointing fingers!

Blackspear
June 11th, 2005, 06:20 AM
Ladies and Gentlemen, let's keep it calm and civil...

Cheers ;D

kalpik
June 11th, 2005, 07:42 AM
{QUOTE-> Ladies and Gentlemen, let's keep it calm and civil...

Cheers ;D <-QUOTE}


Hey, I'm cool! Didn't mean it that way! Sorry if I sounded otherwise! Chill!

FanJ
June 11th, 2005, 09:23 AM
Hi all,

First of all:
Thanks to all who replied; I really appreciate it !!!

At the moment I have not much time.
I will later look closer at all your replies.

Good suggestion Craig.
I will send ESET an email.
I can imagine that they don't have much time during the weekend for it ;)

Cheers, Jan.

FanJ
June 27th, 2005, 02:45 PM
17 days later: still not fixed.

Edited to add :

I asked Eset support today whether there was any news yet.
Yes, at least I got, very quickly (thanks !), a reply asking whether NOD32 still gives the warning.
Yes, NOD32 still does; which I wrote in my reply.

Jan.

FanJ
June 27th, 2005, 06:30 PM
In case you didn't notice:

There are 12 (twelve) ESET-moderators at this board.
None of them has replied in this thread so far.

And in case ESET isn't aware of this:
Acronis-support asked me already many days back to keep them informed about replies from ESET.

And, again, in case ESET isn't aware of this:
Both ESET and Acronis have their official Support forums here at the Wilders-board.
Has anyone from ESET contacted anyone from Acronis, or the other way around?

And yes, I did send an email to Anton Zajac (ESET): no reply.

Isn't it time now that this issue can be solved?

Thanks.

NOD32 user
June 27th, 2005, 09:58 PM
And if you did decide to let NOD32 repair the boot sector, or to follow the 'FDISK /MBR' suggestion above by kalpik, what happened?

FanJ
June 27th, 2005, 10:49 PM
{QUOTE-> And if you did decide to let NOD32 repair the boot sector, or to follow the 'FDISK /MBR' suggestion above by kalpik, what happened? <-QUOTE}

I decided to wait to try other tools, because I think it is a false positive by NOD32.
That is the issue here, unless I make a mistake (which is, of course, always possible).

Trying to sum it up:

1.
There are two companies here at the forum with their official support forum here.
I used a tool from one company, and the program from the other company gives a warning after that. Well, that can happen, no problem.
In such a case (more generally: when two companies are involved) I have always tried to let both companies know about it, so they can sort it out.

2.
I did try, by posting here, to let users know that there might be an issue here.
It is always possible that I might not be the only person who got this warning.

3.
In case I am not mistaken, there is an advice posted by ESET to let them know in case you get a MBR warning from NOD32.
I did so (thanks Blackspear).

4.
One company, Acronis, told me quickly and several times that they cannot find a problem with their tool.

5.
The other company, ESET, seemed to have a problem looking at the problem.
It took me several attempts to even get a reply.
I know, ESET had their annual conference not so long ago, so that might have played a role here. I can understand that.

6.
I did try to have contact behind the scenes.
I had contact with Blackspear (thanks Craig !!!!!).
I had contact with Marcos, but I am not sure whether he realized it was a MBR issue.
I did inform the board owners.
I did inform Anton !!! (no reply...).
I had contact with Jan Vanacky (ESET); I do hope that he will email me again.
I did get a special tool from him to analyze my MBR, I did send it back, and I waited for over a week for a reply.

7.
I do have respect for ESET !!!!!

8.
I do realize that it might be caused by my own fault and/or my system.

9.
sigh...

Best regards,
Jan.

Blackspear
June 27th, 2005, 11:01 PM
I have sent an email to Eset, and this thread and the other will be looked into shortly (there was a miscommunication as to which Jan at Eset had looked at this problem).

Cheers ;D

FanJ
June 27th, 2005, 11:50 PM
{QUOTE-> I have sent an email to Eset, and this thread and the other will be looked into shortly
<-QUOTE}

Thanks Craig !!

{QUOTE->
(there was a miscommunication as to which Jan at Eset had looked at this problem).

Cheers ;D <-QUOTE}

Oops, I understand it.
LOL, all those Jan's ;) :)

Cheers, Jan ;D

Marcos
June 28th, 2005, 12:20 AM
I got a link to the utility that produces the FP from Jan on Saturday for the first time. Since there has been no update except the urgent one issued since then, the FP is still reported. However, I can assure you it will be remedied in the next update, which is going to be released today.

I'll need to investigate if my colleague actually got your email and didn't delete it in error when cleaning up his emails after he returned from a vacation.

FanJ
June 28th, 2005, 06:51 AM
{QUOTE-> I got a link to the utility that produces the FP from Jan on Saturday for the first time.
<-QUOTE}

The link to that utility is mentioned in the first posting in this thread, dated 10-June-2005.

{QUOTE->
Since there has been no update except the urgent one issued since then, the FP is still reported. However, I can assure you it will be remedied in the next update, which is going to be released today.
<-QUOTE}

As far as I know this is the first time that someone from Eset clearly tells me that it is indeed a false positive.
Thanks for the confirmation.

Thanks for fixing it in the next update.

FanJ
June 28th, 2005, 11:13 AM
I am very pleased to tell that, as Marcos already wrote, the FP is fixed with today's update:
NOD32 version 1.1156 ( 20050628 ).

I would like to thank in the first place everyone at ESET and Blackspear ! :D
Thanks also to the other posters in the thread, and the others involved.

Apologies from my side for pushing maybe a little bit too hard.

Best regards,
Jan (again a happy user of NOD32 :D ).

Blackspear
June 28th, 2005, 06:38 PM
Good to see Jan ;D

Cheers ;D