NOD found TSR.BOOT virus. I need help

Discussion in 'NOD32 version 2 Forum' started by visitor, Feb 10, 2004.

Thread Status:
Not open for further replies.
  1. visitor

    visitor Guest

    opened on demand scanner and found this line in red

    MBR sector of the 1. physical disk contains probably unknown TSR.BOOT virus.

    clean has no effect. any help please. Thank you

    scanning log (full)
    ----------------------------------------------------------------------------------
    NOD32 version 1.620 (20040210) NT
    Command line: /local /quit-
    Checking CRC of the NOD32.EXE file: status OK
    Operating memory is OK.
    MBR sector of the 1. physical disk contains probably unknown TSR.BOOT virus.
    date: 11.2.2004 time: 03:04:32
    Scanned disks, directories and files: C:
    C:\pagefile.sys - error opening (file locked) [4]
    scanning interrupted by user!
    number of files scanned: 5596
    number of viruses found: 0
    time of completion: 03:05:11 total scanning time: 39 sec (00:00:39)
    Notes:
    [4] File cannot be open. It is being exclusively used by another application or operating system.
    ----------------------------------------------------------------------------------
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hello,

    it seems to be only a false positive. Do you have any boot manager or another program that might have modified the boot sector installed?
     
  3. visitor

    visitor Guest

    Thanks Marcos
    I don't have any boot manager other than XP boot manager(dual boot)
     
  4. tekguru

    tekguru Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    12
    Well NOD is now scaring me a little. Last night it found three trojans / virii hidden in the restore file on drive G:, so last night I turned off the restore on that drive to allow the files to be deleted.

    That seemed to work fine, so I decided today to run a deep scan on the drive - just in case. I found the following reported (see attachment)...

    So, to the questions:

    1) Anyone any idea what an MBR sector is and why it may have trouble scanning them? This is on an IDE drive which reports no errors under Windows.

    2) The TSR.BOOT virus - looks like it has taken no action. How on earth does one get it to kill it, if it is genuine of course....

    AVG never found this, but then again it missed the other trojans too!

    So should I panic and if so how do I clear the blasted thing!
     
  5. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    The message "TSR.BOOT virus" is the result of heuristic analysis, which may sometimes cause false positive identification, especially on some boot loaders and managers whose code is a general virus look-alike. I just wonder: 8th physical disc.... Do you have any knowledge of the disc history (Linux installations etc.?) In any case, try to contact ESET support for further instructions
     
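An added example, written for this thread and not code from ESET or from anyone posting here, of what the heuristic in the post above is actually looking at: the boot-code region of the 512-byte MBR. It parses the sector, hashes the boot code so it can be compared against a known-good hash captured right after the boot manager was installed, and counts INT 13h instructions as a crude stand-in for a scanner's "looks like a boot loader" heuristic (NOD32's real heuristic is not public and is not reproduced here). The sample sector, the `read_mbr` device paths and the known-hash table are assumptions for illustration.

```python
"""Parse an MBR sector and decide whether its boot code is one we already trust.

Added example for the TSR.BOOT discussion; the sample sector below is constructed,
not captured from any of the machines in the thread.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code lives before the 4-byte disk signature at 440
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
INT13 = b"\xCD\x13"          # x86 opcode for INT 13h (BIOS disk services)

# Constructed sample: a few loader-like instructions (xor ax,ax / mov ss,ax /
# mov sp,7C00h / sti / int 13h) padded to 440 bytes, one bootable NTFS (0x07)
# partition starting at LBA 63, three empty entries, and the 0x55AA signature.
SAMPLE_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB, 0xCD, 0x13])
SAMPLE_BOOT_CODE += bytes(BOOT_CODE_LEN - len(SAMPLE_BOOT_CODE))
SAMPLE_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2097152)
SAMPLE_MBR = (SAMPLE_BOOT_CODE + bytes(6) + SAMPLE_ENTRY
              + bytes(PART_ENTRY_LEN * 3) + BOOT_SIGNATURE)
assert len(SAMPLE_MBR) == MBR_SIZE


def is_valid_mbr(sector: bytes) -> bool:
    """A sector is only worth parsing if it is 512 bytes and ends in 0x55AA."""
    return len(sector) == MBR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split the sector into boot code, disk signature and partition table."""
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:            # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "boot_code_nonzero": sum(1 for b in boot_code if b),   # 0 means no loader at all
        "int13_calls": boot_code.count(INT13),                 # crude "reads the disk" hint
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }


def classify_boot_code(sector: bytes, known_hashes: dict) -> str:
    """Return the label of a known loader, or 'unknown boot code'.

    known_hashes maps sha256(boot code) -> label; you populate it yourself by
    hashing the MBR right after installing Windows or your boot manager.
    """
    info = parse_mbr(sector)
    return known_hashes.get(info["boot_code_sha256"], "unknown boot code")


def read_mbr(device: str) -> bytes:
    """Read the first sector of a raw device (needs Administrator/root).

    Assumed paths: r'\\\\.\\PhysicalDrive0' on Windows, '/dev/sda' on Linux.
    """
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("boot code sha256:", info["boot_code_sha256"])
    print("INT 13h calls:", info["int13_calls"], "partitions:", info["partitions"])
    print(classify_boot_code(SAMPLE_MBR, {}))
```

The point of the hash table is that a heuristic cannot tell a legitimate third-party boot manager from an unknown boot-sector virus by looking at the code alone; the only reliable tie-breaker is whether the boot code matches what you put there. Take the hash once from a known-clean state, keep it off the machine, and compare after any scanner alert. For a disk that was never a boot drive (the G: case above) a non-zero boot code with a scanner alert is more interesting than the same alert on the drive that carries the boot manager.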
  6. tekguru

    tekguru Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    12
    Cheers for the information, it is possibly what I thought, a rogue report. ESET support are unlikely to help as I'm currently trialing the software as a replacement to AVG which I was running quite contentedly until I read the recent stats outlined here which concerned me somewhat.

    Plus recently AVG had been acting strangely detecting a virus and removing it - the problem was the software it was trying to remove was AVG!

    Ref the disk history as far as I'm aware (and I built the PC) there are two drives, an older IDE drive and a newer SATA drive. IIRC the drive G: used to be part of the old PC's system, but was never used as a boot drive as it held (holds) my main download archives before they are burnt to DVD.

    Taking this into account should I worry, given that no other AV package I've tried has ever picked up on the problem.

    Still trying to work out whether NOD is performing brilliantly or whether it is not worth switching from AVG......

    I want the best but.....
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    They will provide support, can you please send an email to support@nod32.com and place a link to this thread.

    We would appreciate if you can let us know how you go, as we all learn this way...

    Cheers :D
     
  8. tekguru

    tekguru Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    12
    Cheers for that recommendation, one email just sent with my concerns, the screenshot and a reference to the thread, we will see what transpires :)
     
  9. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
    You have only two physical disks in your case but it is reading 8. Aren't you concerned with the problems on 5, 6 and 7? Remember, it is not saying logical disks, it is saying physical. Do you have USB devices that masquerade as disks? I know my printer does as it has the ability to read camera memory devices.

    By the way, noone answered your original question. MBR is master boot record.
     
  10. tekguru

    tekguru Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    12
    Cheers for the reply..... ref the other drives that does not really worry me as I do have a 5-way card reader, an iPod and a Pocket PC plugged in most of the time so those can account for the other devices I guess.

    MBR - right I should have guessed.

    Hmm, looks like I still have troubles though, the worms I thought I'd killed from the restore file are still there (see below) - how should one kill these nasties off.....
     

  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Turn off System Restore, reboot your machine and then turn System Restore back on...

    Cheers :D
     
  12. tekguru

    tekguru Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    12
    Grin I did that already, but only turned it off for drive G: when I guess it needs to be turned off globally :) Will do that tonight - then hopefully the deep scan that runs at 21:00 will show them cleared.

    BTW Mark @ NOD32 Tech Support has been in touch and has advised:

    Which I will try tonight when I get home (at the office now)...

    Cheers
     
  13. tekguru

    tekguru Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    12
    Update:

    TSR.BOOT : Well the requested debug file has been sent to NOD32 Tech Support tonight so we will see what turns up from the investigation of that data.

    WORMS: Action taken so far

    - System restore turned off globally
    - PC Shutdown
    - PC Rebooted
    - System restore turned on globally
    - Deep AV scan run

    Result Trojans and worms still showing as being present

    - System restore turned off globally
    - PC Booted into Safe Mode
    - Deep AV scan run on drive C:
    - PC Rebooted
    - Deep AV scan run

    Result Trojans and worms still showing as being present :(

    Interesting to note that the Trojans detailed in the log do not seem to have any removal applications on the web anywhere.

    Anyway the above data has been given to Tech Support so will report back tomorrow on what they say.

    Argh! Now this is driving me nuts!
     
  14. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
    If you turned off system restore, the restore files should have been deleted. If so, in what files are the problems being found? Is it still the restore files? These should no longer be on your machine.

    If they weren't deleted automatically, turn off system restore, boot to safe mode, go to the place where they are stored, I believe its system volume information, and manually delete them.
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Just run a scan in Safe Mode with Nod32, make sure Nod32 is set as per instructions found in post number 2 HERE

    Let us know how you go...

    Cheers :D
     
  16. Visiting

    Visiting Guest

    Be sure to run the CLEAN, not the scan. Scan will only report what it finds, not clean it.
     
  17. tekguru

    tekguru Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    12
    Cheers Blackspear - instruction noted, I do tend to run other cleaners, most of them in the list on a regular basis anyway as a matter of course.

    Mind you I've now found the instructions in the forum on how to set up the system properly to actually deep scan and clean, not scan only (which I was doing previously as per the default settings).

    Ran a manual scan and it looks like the problem was resolved as no virii found.

    Very silly IMHO to have a default action that does not include deep scanning or cleaning when first installed.

    Anyway will run another scan later and check what the results are...

    Secondary query ref setup......

    When running AVG I used to perform a full all drives system scan nightly at 21:00. With NOD configured as per the 'scan drive C:' instructions in the forum this can take ages....

    So what would be the best recommendations be for weekly and daily scans?

    Or should I just do one large deep full scan weekly?

    I must admit NOD seems to fit the bill but is horrendous to configure properly - I'm in IT and have configured quite a few systems and none seem as complex as NOD.
     
  18. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    There is an "In Depth" scan button.
     

  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    For my system that is tweaked, well, like I recommend ;) :D I have Nod32 run a weekly scan.


    Nod32 is very customisable for those that want to be able to do so.

    Hope this helps...

    Cheers :D
     
  20. tekguru

    tekguru Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    12
    Stan999: Oh I know that, all I'm saying it is not really obvious :)

    Blackspear: Fair enough, one full scan tonight to make sure I'm clean then drop back to a weekly then :)
     
  21. Gauthreau

    Gauthreau Guest

    I don't really want to steer the thread in a different direction, but what the heck is EMON? I see that it is beta.

    Neil
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    EMON is for MS Outlook.

    Cheers :D
     
    Last edited: May 14, 2005
  23. lead brick

    lead brick Guest

    Hi,

    Found this thread via a Google search for "tsr.boot" and "virus". Didn't even put NOD32 into the search terms, but that's what I use now, and got the same alert as the person who started this thread.

    I suspected it was the OSL2000 boot manager ( http://www.osloader.com/ ) that I installed before installing NOD, but wanted something in the way of confirmation, so thanks.
     