MBR probably unknown TSR.BOOT virus

Discussion in 'NOD32 version 2 Forum' started by FanJ, Jun 9, 2005.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Hi,

    I'm coming to ask your help.

    I just did a scan with NOD32 (2.50.19) on my W98SE machine.
    I got this warning:

    =====
    Scanning Log
    NOD32 version 1.1135 (20050609)
    Checking CRC of NOD32.EXE: Status OK
    Operating memory is OK.
    MBR sector of the 1. physical disk contains probably unknown TSR.BOOT virus [7].

    Date: 9.6.2005 Time: 23:01:06
    Scanned disks, folders and files: C:; D:; E:; F:; G:
    C:\WINDOWS\WIN386.SWP - error opening (File locked) [4]

    Number of scanned files: 82135
    Number of threats found: 0
    Time of completion: 23:14:59 Total scanning time: 833 sec (00:13:53)

    Notes:
    [4] File cannot be opened. It may be in use by another application or operating system.
    =====

    I am wondering about that "probably unknown TSR.BOOT virus" in my MBR.


    What has happened:
    For quite some time I have not been able to use Acronis TrueImage anymore.
    Well, I can make a backup image from within Windows (not from bootable floppies), but I cannot restore anymore.
    Desperate as I was, I tried (probably not very wise; I don't know) a tool which is mentioned in a sticky thread at the Acronis forum:
    PLEASE READ BEFORE YOU POST
    I am talking about a tool to fix your MBR.

    === Quotes from that thread ===
    Sometimes you need to fix Master Boot Record on your hard drive. We have two special utilities for this purpose.
    1. Using floppy drive. Please insert a diskette into the floppy drive and run the file available by the link below:
    http://www.acronis.com/files/support/mbrautowrite_en.exe
    Once the floppy is written, boot the computer from it and confirm that you want to fix the master boot record.
    You do NOT need to copy this file to diskette. Just launch it from hard disk (or any media) with the diskette inserted.
    === end quotes ===

    Well, I am not saying that this has necessarily caused that warning from NOD32, but on the other hand my guess at the moment is that it is the cause.

    Some of you know perhaps that I use the file-integrity-checker ADinf32 Pro
    (see here).

    Well ADinf32 gave me a warning, after I did use that MBR-fix tool, about a change in my MBR; see screenshot.

    For the moment I have not let NOD32 try to fix that possible virus.

    Any help would be greatly appreciated !
    Thanks in advance,
    Jan.
     

    Attached Files:

  2. FanJ

    FanJ Guest

    And here is another screenshot from ADinf32, telling that it is indeed the MBR.

    To explain a little bit more:
    ADinf32 warns you only if files/folders (and boot records) have been changed.
    It is you, the user, who has to decide whether a change is legit or not.

    Well, in my case I thought:
    OK, I did try to repair the MBR, so nothing wrong.....
     

    Attached Files:
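    An added example of the triage this post describes (it is not code from the thread, from ADinf32 or from NOD32), in Python: it keeps the baseline of a 512-byte MBR, then reports which regions of the sector changed (boot code, NT disk signature, partition table, trailing 0x55AA signature), so a rewrite by an MBR-repair tool that only replaces the boot code can be told apart from a change to the partition table. The two sample sectors are constructed here; the region offsets follow the classic MBR layout.

    ```python
    import hashlib
    import struct

    MBR_SIZE = 512
    BOOT_CODE_END = 440      # bytes 0..439: boot code
    DISK_SIG_END = 444       # bytes 440..443: NT disk signature
    PART_TABLE_START = 446   # four 16-byte partition entries
    PART_TABLE_END = 510     # bytes 510..511: 0x55AA boot signature
    BOOT_SIGNATURE = b"\x55\xaa"
    PART_ENTRY = "<B3xB3xII"  # status, CHS skipped, type, CHS skipped, LBA start, sector count

    def parse_mbr(mbr: bytes) -> dict:
        """Split a 512-byte MBR into the regions a change can fall into."""
        if len(mbr) != MBR_SIZE:
            raise ValueError("MBR must be exactly 512 bytes")
        entries = []
        for i in range(4):
            status, ptype, lba_start, sectors = struct.unpack_from(
                PART_ENTRY, mbr, PART_TABLE_START + 16 * i)
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
        return {
            "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
            "disk_signature": mbr[BOOT_CODE_END:DISK_SIG_END].hex(),
            "partitions": entries,
            "valid_signature": mbr[PART_TABLE_END:] == BOOT_SIGNATURE,
        }

    def classify_change(baseline: bytes, current: bytes) -> list:
        """Name the MBR regions that differ between the stored baseline and the current sector."""
        before, after = parse_mbr(baseline), parse_mbr(current)
        changed = []
        if before["boot_code_sha256"] != after["boot_code_sha256"]:
            changed.append("boot code")
        if before["disk_signature"] != after["disk_signature"]:
            changed.append("disk signature")
        if before["partitions"] != after["partitions"]:
            changed.append("partition table")
        if not after["valid_signature"]:
            changed.append("missing 0x55AA boot signature")
        return changed

    def _constructed_mbr(boot_code_byte: int) -> bytes:
        # Constructed sample: filler boot code, one active FAT32 partition, 0x55AA trailer.
        mbr = bytearray(MBR_SIZE)
        mbr[:BOOT_CODE_END] = bytes([boot_code_byte]) * BOOT_CODE_END
        mbr[BOOT_CODE_END:DISK_SIG_END] = b"\x12\x34\x56\x78"
        struct.pack_into(PART_ENTRY, mbr, PART_TABLE_START, 0x80, 0x0B, 63, 2097089)
        mbr[PART_TABLE_END:] = BOOT_SIGNATURE
        return bytes(mbr)

    BASELINE_MBR = _constructed_mbr(0x90)        # sector as recorded before the repair tool ran
    CODE_ONLY_REWRITE = _constructed_mbr(0x33)   # same partitions, only the boot code replaced
    ```

    A result of only "boot code" with the partition table and disk signature unchanged is what a legitimate MBR-repair tool leaves behind; a changed partition table or a lost 0x55AA signature is the kind of change that deserves a closer look before accepting it.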

  3. FanJ

    FanJ Guest

    Scanned with KAV 4.5 : nothing suspicious.

    I can submit a file, but the MBR ? ;)
    I hope that ESET has the time to look at it and can reproduce it with the tool I mentioned.
    It looks to me a FP.

    Thanks,
    Regards, Jan.
     
  4. FanJ

    FanJ Guest

    ~bump~ ;)
     
  5. kalpik

    kalpik Registered Member

    Joined:
    May 26, 2005
    Posts:
    369
    Location:
    Delhi, India
    From what I can see, u can fix it by deleting the MBR and then again recreating it. I know how it works wid XP but I'm not sure about Win98. Umm... I guess it was something like boot wid ur 98 startup disk and choose start computer without CD ROM support and then type "fdisk /mbr". This will either delete and/or recreate the MBR. Hehe sorry couldn't help u specifically! Do research a bit before going ahead and trying this out. Get some second opinions too. Cuz I'm saying myself I'm NOT very sure about 98!!! So I'll not be responsible if anything bad happens!!!

    I just posted this cuz someone might offer better advice thinking on these lines... ;)
     
  6. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
    If I remember correctly, this will be a good thing to do IF AND ONLY IF you want to wipe out everything on your hard drive.

    Fdisk is the partitioning utility in DOS. I would read its help screens really carefully before using it unless you are prepared for a bare metal reinstall.
     
  7. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
  8. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I am of the belief that your boot sector may be an FP, but obviously you cannot send this to ESET for verification. All of the indicators you have posted appear to me to be simply the result of the MBR fixing utility :)

    Separately from your FP issue, have you run a scandisk? It's common in my experience for one small trivial file system anomaly to prevent imaging software from working correctly :)

    You decide if you want to, but I would have no problem either letting NOD32 repair or replace the MBR as you feel appropriate, or alternatively using the 'FDISK /MBR' suggestion above by kalpik. Note especially the warnings in the M$ link that gberns posted. :)

    HTH :)
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Jan, with this issue can you please send an email to support@nod32.com and place a link to this thread. If you do not hear from Eset within 3 days (allows for weekends), please advise us here...

    We would appreciate if you could keep us in the loop with your progress, as we all learn this way…

    Cheers :D
     
  10. kalpik

    kalpik Registered Member

    Joined:
    May 26, 2005
    Posts:
    369
    Location:
    Delhi, India
    Hey dude, I'm not here to fry someone's PC. As far as I know, "fdisk /mbr" does fix MBR viruses. And even then, I did mention researching on it before trying!!! So please do your homework before pointing fingers!
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Ladies and Gentlemen, let's keep it calm and civil...

    Cheers :D
     
  12. kalpik

    kalpik Registered Member

    Joined:
    May 26, 2005
    Posts:
    369
    Location:
    Delhi, India

    Hey I'm cool! Didn't mean it that way! Sorry if I sounded otherwise! Chill!
     
  13. FanJ

    FanJ Guest

    Hi all,

    First of all:
    Thanks to all who replied; I really appreciate it !!!

    At the moment I have not much time.
    I will later look closer at all your replies.

    Good suggestion Craig.
    I will send ESET an email.
    I can imagine that they don't have much time during the weekend for it ;)

    Cheers, Jan.
     
  14. FanJ

    FanJ Guest

    17 days later: still not fixed.

    Edited to add :

    I asked today Eset-support whether there was already any news.
    Yes, at least I got, very quickly (thanks !), a reply asking whether NOD32 still gives the warning.
    Yes, NOD32 still does; which I wrote in my reply.

    Jan.
     
    Last edited by a moderator: Jun 27, 2005
  15. FanJ

    FanJ Guest

    In case you didn't notice:

    There are 12 (twelve) ESET-moderators at this board.
    Not any of them replied in this thread so far.

    And in case ESET isn't aware of this:
    Acronis-support asked me already many days back to keep them informed about replies from ESET.

    And, again, in case ESET isn't aware of this:
    Both ESET and Acronis have their official Support forums here at the Wilders-board.
    Has anyone from ESET contacted anyone from Acronis, or the other way around?

    And yes, I did send an email to Anton Zajac (ESET): no reply.

    Isn't it time now that this issue can be solved?

    Thanks.
     
  16. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    And if you did decide to let NOD32 repair the boot sector or to use the 'FDISK /MBR' suggestion above by kalpik, what happened?
     
  17. FanJ

    FanJ Guest

    I decided to wait to try other tools, because I think it is a false positive by NOD32.
    That is the issue here, unless I make a mistake (which is, of course, always possible).

    Trying to sum it up:

    1.
    There are two companies here at the forum with their official support forum here.
    I used a tool from one company, and the program from the other company gives a warning after that. Well, that can happen, no problem.
    In such a case (more generally: when two companies are involved) I have always tried to let both companies know about it, so they can sort it out.

    2.
    I did try, by posting here, to let users know that there might be an issue here.
    It is always possible that I might not be the only person who got this warning.

    3.
    In case I am not mistaken, there is an advice posted by ESET to let them know in case you get an MBR warning from NOD32.
    I did so (thanks Blackspear).

    4.
    One company, Acronis, told me quickly and several times that they cannot find a problem with their tool.

    5.
    The other company, ESET, seemed to have a problem to look at the problem.
    It took me several attempts to even get a reply.
    I know, ESET had their annual conference not so long ago, so that might have played a role here. I can understand that.

    6.
    I did try to have contact behind the scenes.
    I had contact with Blackspear (thanks Craig !!!!!).
    I had contact with Marcos, but I am not sure whether he realized it was an MBR issue.
    I did inform the board owners.
    I did inform Anton !!! (no reply...).
    I had contact with Jan Vanacky (ESET); I do hope that he will email me again.
    I did get a special tool from him to analyze my MBR, I did send it back, and I waited for over a week for a reply.

    7.
    I do have respect for ESET !!!!!

    8.
    I do realize that it might be caused by my own fault and/or my system.

    9.
    sigh...

    Best regards,
    Jan.
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have sent an email to Eset, and this thread and the other will be looked into shortly (there was a miscommunication as to which Jan at Eset had looked at this problem).

    Cheers :D
     
  19. FanJ

    FanJ Guest

    Thanks Craig !!

    Oops, I understand it.
    LOL, all those Jan's ;) :)

    Cheers, Jan :D
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I got a link to the utility, that produces the fp, from Jan on Saturday for the first time. Since there has been no update except the urgent one issued since then, the fp is still reported. However, I can assure you it will be remedied in the next update that is going to be released today.

    I'll need to investigate if my colleague actually got your email and didn't delete it in error when cleaning up his emails after he returned from a vacation.
     
  21. FanJ

    FanJ Guest

    The link to that utility is mentioned in the first posting in this thread, dated 10-June-2005.

    As far as I know this is the first time that someone from Eset clearly tells me that it is indeed a false positive.
    Thanks for the confirmation.

    Thanks for fixing it in the next update.
     
  22. FanJ

    FanJ Guest

    I am very pleased to tell that, as Marcos already wrote, the FP is fixed with today's update:
    NOD32 version 1.1156 ( 20050628 ).

    I would like to thank in the first place everyone at ESET and Blackspear ! :D
    Thanks also to the other posters in the thread, and the others involved.

    Apologies from my side for pushing maybe a little bit too hard.

    Best regards,
    Jan (again a happy user of NOD32 :D ).
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good to see Jan :D

    Cheers :D
     