
virus

Valentin Arfire

New member
hello friends

somehow I got infected with a boot virus called TSR.BOOT

At the time I got it I had a daily updated Avast; I thought my mouse broke but on other OS it didn't...
then I tried Avira and neither of them discovered anything;
I tried Kaspersky and it proved to my surprise ... innocent and in the end I tried one called NOD32 which found it but couldn't eliminate it.

of course it happened on the windows partition

I am running a 3 OS system : osX Leopard, windows XP and Ubuntu;
the reason I am using the infamous windows is there are some programs that don't exist on other platforms and I got used to them :(

I will probably have to reinstall the windows partition but since in my case this takes a lot of time, I'll probably make a hdd upgrade so I'll try a clean installation. I am using 64 bit on osX and Ubuntu (and of course nothing bad ever happens there) and I have a 32 bit XP license - the last sale I have made to Microsoft corp.
 

John Angulat

pro member
Valentin -
Do not just re-partition.
TSR.boot is a tough virus to remove.
The problem is the virus is a boot sector virus.
Once you remove/uninstall any Windows s/w you need to wipe that partition clean.
This can only be done by re-formatting and clearing the master boot record.
DOS command is fdisk /mbr.
You must use the /mbr option, as fdisk alone, during a re-partition, does not clear the mbr.

Here's a link to the MS-DOS command info: http://support.microsoft.com/kb/69013

Hope this helps.
 

John Angulat

pro member
Hi Doug,
That will only work if the virus has been removed and you wish to repair the mbr.
I believe Valentin still has the virus and cannot find a way to remove it.
 

Valentin Arfire

New member
thank you friends

yes the virus is still there and to make the situation as complicated as possible I really have 3 OS and would definitely lose the other 2 boot options at fdisk /mbr command and probably at the microsoft advice.

I tried to run NOD32 in safe mode and it didn't work. Also I've been unimpressed by the Kaspersky incompetence to get rid of it

I have found an application called eliminte.it that pretends to be an antivirus, but the trial version only discovers it and since I don't have feedback, I treat it with reserve.

:(

I'll need anyway a larger hard disk so the effort of a week or so... to reinstall everything will be well worth it

have a wonderful week my friends with plenty of good light
 

Asher Kelman

OPF Owner/Editor-in-Chief
Valentin -
Do not just re-partition.
TSR.boot is a tough virus to remove.
The problem is the virus is a boot sector virus.
Once you remove/uninstall any Windows s/w you need to wipe that partition clean.
This can only be done by re-formatting and clearing the master boot record.
DOS command is fdisk /mbr.
You must use the /mbr option, as fdisk alone, during a re-partition, does not clear the mbr.

Here's a link to the MS-DOS command info: http://support.microsoft.com/kb/69013

Hope this helps.

John,

If I were to download several of Valentin's image files to work on for him, then I might also be downloading that virus. Can that hover around on a Mac OS and infect other folks PC's by email from my Mac? Can this virus clone itself without the Windows system?

Asher
 

John Angulat

pro member
Hi Asher,
The short answer is probably not.
Very few viruses can be embedded within a image file such as .jpg.
However, if a user also downloads a viewer, the virus may be embedded there.
Either way most TSR (terminate and stay resident) viruses are Windows based attacks so the worst case scenario is you benignly pass along virus to the next person.
You operate on a Mac platform, correct?
I don't believe you have your drive(s) partitioned to run Windows also, correct?
If this is true on both counts, you're safe.

Now Valentin, a few more questions, suggestions -
When you open Windows Task Manager and select the tab "Processes" can you see the TSR.boot virus running? If yes, try the following -
Terminate the process via Task Manager.
Leaving the Task Manager open, run your anti-virus s/w.
If that does not clean the virus, repeat the same steps but run the anti-virus s/w from a disk.

Remember, the virus is a program that must load each time you turn your computer on.
Therefore, it is being called from some source. You've got to find that source.
Back in the day of simple Windows it could be called from autoexec or another batch program referenced in config.sys or config.db...nowadays it is much harder to trace.
 

StuartRae

New member
Hi Valentin,

You have 3 OSs, so you must have a boot manager, right?
It's quite likely that NOD has picked up the fact that the boot manager has modified the boot sector and reported this as a false positive.
What symptoms does your little intruder exhibit?

Regards,

Stuart
 
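A defender's check for Stuart's point above (is the boot sector change your own boot manager, or unknown code?), as an added example that is not code from anyone in this thread: it parses a 512-byte MBR, hashes the boot-code region and compares it with a baseline hash recorded right after the boot manager was installed. The sample MBR bytes and the baseline are constructed here; on a real machine the sector would be read from the raw disk device with administrator rights.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0-445 hold the boot code, 446-509 the partition table
SIGNATURE = b"\x55\xaa"      # bytes 510-511 must carry this MBR signature


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into a boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        # entry layout: status, CHS start (3, skipped), type, CHS end (3, skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "valid_signature": sector[510:512] == SIGNATURE,
    }


def check_boot_sector(sector: bytes, baseline_boot_hash: str) -> str:
    """Compare the boot code with the hash recorded when the boot manager was installed."""
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        return "invalid: missing 0x55AA signature"
    if info["boot_code_sha256"] == baseline_boot_hash:
        return "unchanged: boot code matches the recorded baseline"
    return "changed: boot code differs from the baseline, investigate before trusting it"


def build_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba_start, sectors)


# Constructed sample (not a real boot manager): placeholder boot code plus HFS+, NTFS and Linux partitions.
SAMPLE_BOOT_CODE = bytes([0xFA, 0x33, 0xC0]) + b"\x90" * (BOOT_CODE_LEN - 3)
SAMPLE_MBR = (SAMPLE_BOOT_CODE
              + build_entry(False, 0xAF, 2048, 200000)
              + build_entry(True, 0x07, 202048, 300000)
              + build_entry(False, 0x83, 502048, 400000)
              + build_entry(False, 0x00, 0, 0)
              + SIGNATURE)
BASELINE_HASH = hashlib.sha256(SAMPLE_BOOT_CODE).hexdigest()  # "recorded" right after install
# Constructed tampered copy: a single byte of boot code altered.
_t = bytearray(SAMPLE_MBR)
_t[100] ^= 0xFF
TAMPERED_MBR = bytes(_t)
```

Read the real sector with something like `open("/dev/sda", "rb").read(512)` on Linux (root needed) and keep the baseline hash somewhere the Windows partition cannot modify.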

John Angulat

pro member
Stuart, that's a very good point.
There are many reports of NOD32 reporting "false positives".
One question I never asked Valentin - other than NOD32's "discovery", do you have any indication (performance, effect, etc.) there is actually a virus?

Also, try running msconfig. Check startup and services. Do you see anything out of the ordinary?

Another option is to download and run Malwarebytes. Use the free version. Make sure you update the virus database after downloading to ensure the most current list is used.
 

StuartRae

New member
I was going to suggest Malwarebytes as well.
Mind you, it's also prone to false positives, its latest suggestion being that exiftool was up to no good on my desktop.

Stuart
 

Valentin Arfire

New member
thank you for the concern

Unfortunately the effect is annoying: some left clicks are systematically omitted and I can't approximate the effect those clicks would do - for those who know - I can't put points by hand in ptgui; I can't define vertical lines and I can't use drag and drop in Pano2vr; other tasks may be approximate with keyboard shortcuts and some extra brain activity :)

I'd gladly use the leopard but :( some of the programs exist only for windows - such as DevalVR
 

John Angulat

pro member
Ok, you've got a virus.
Now start trying to ID its location and eliminate it.
There's a lot of info in this thread for you to try.
Keep us posted as to your progress.
It is a discouraging problem, but hopefully not insurmountable.
 

StuartRae

New member
Mmmm, I'm still not entirely convinced. The main reason is 'why?'. Why go to all the trouble of writing a boot sector virus just to disable the left mouse button, when (as there appear to be no other symptoms) there are far easier ways of doing it?

I've done a lot of searching, and can't find anything that specifically targets the left button. The closest I got was a trojan, W32.Bropia, which randomly switches left and right buttons, but I think you'd notice that.

1. Run Malwarebytes as John suggests. It'll find pretty much anything that's there.

2. Try re-installing the mouse, maybe with the most up-to-date driver.

3. Check mouse settings to make sure that the left button hasn't been re-assigned to a different function. My driver gives me the choice of several, including 'none'.

4. It's probably not a hardware problem as the mouse works in the other OSs, but the button contacts can fail intermittently.

Best of luck!

Regards,

Stuart

P.S. here's to Malwarebytes.
 

Asher Kelman

OPF Owner/Editor-in-Chief
For those of us running XP under Parallels in Macs, what software should we be using to keep these viruses at bay? I only use Windows for running Imatest.

Asher
 

John Angulat

pro member
Asher,
The Windows side of a parallel XP/Mac is as vulnerable to viruses, bots, key loggers and all things nefarious as is a stand-alone PC.
Very, very vulnerable.
I would recommend Microsoft Defender as an absolute minimum.
It is well rated (actually beats McAfee and Symantec in many benchmark tests).
Best of all, it is free.
I would also have Malwarebytes and Spybot running. Again, both are free.
Spybot (with Teatimer) is especially good at picking up registry changes or attempts thereto.

Other than a bit slower on a cold startup (lots of info to load) I have never noticed a degradation in performance or speed as a consequence of having all 3 running.
 

Asher Kelman

OPF Owner/Editor-in-Chief
Asher,
The Windows side of a parallel XP/Mac is as vulnerable to viruses, bots, key loggers and all things nefarious as is a stand-alone PC.
Very, very vulnerable.
I would recommend Microsoft Defender as an absolute minimum.
It is well rated (actually beats McAfee and Symantec in many benchmark tests).
Best of all, it is free.
I would also have Malwarebytes and Spybot running. Again, both are free.
Spybot (with Teatimer) is especially good at picking up registry changes or attempts thereto.

Other than a bit slower on a cold startup (lots of info to load) I have never noticed a degradation in performance or speed as a consequence of having all 3 running.

Thanks so much John!

That's a very economical protection scheme. Beyond that, anything that will be even better, say from Norton?

Asher
 

Valentin Arfire

New member
Thank you all

StuartRae
I have changed the mouse and... surprise, this one (it's another bluetooth one since I'm trying to spare the USB ports and the previous bluetooth one has a left button non functional) after proper installation works.

I am in a kind of shock: if the hardware was the problem then my perspective on the windows proves... optimistic since the other 2 OS worked satisfactorily with it.

Anyway I am now scanning with the program you've recommended and hope the TSR.boot is actually the multi OS loader (for mac I use one called REFIT) and the nod32 is a stupid software that is running windows only

I am sure the windows vulnerabilities decrease much when a passive browsing conduit is decided, with an anti-malware and an anti-virus daily updated

when I'll know more I'll just let you know
 

StuartRae

New member
Hi Valentin,

I'm pleased you've apparently solved the problem.

nod32 is a stupid software..........
On the contrary, Nod32 is highly regarded. What it's done is to alert you that the boot sector has been changed, and suggested that it may be a symptom of an (unknown) virus. The final decision is yours.

Best wishes,

Stuart
 

Valentin Arfire

New member
Hi Stuart,

after a first pass the software found something - nothing resembling the boot threat - I erased the 5 temporary files, restarted and now I'm scanning again.

regarding the nod32 you are right, I used it for a year or so until something went wrong with my license and I just couldn't update it so it became useless - now it was a free version from their website.
 

John Angulat

pro member
Thanks so much John!

That's a very economical protection scheme. Beyond that, anything that will be even better, say from Norton?

Asher

Hi Asher,
Running Norton on top of Windows Defender is akin to "belt and suspenders", no real benefit. Save your pennies for a new Nikon.
The s/w trio I suggested is the standard for my corporation.
We were long time users/subscribers to Symantec, only to watch PC after PC crash from viruses their s/w failed to catch (so much for supposedly the "best in the business"). McAfee and Norton aren't nearly as large, nor do they have the resources.
Microsoft's approach says it all - it is in their best interest to keep the world free of viruses, as most of the world uses their products.
I applaud them for offering such a valuable product free of charge.


Now, you need to remember (as does anyone viewing this thread) some basic tenets of protection:
  • Your anti-virus s/w is only as good as the last update. You must keep it up to date. All products offer a method for automatically updating the database. Enable that function.
  • Your anti-virus s/w has no value if you do not scan your device on a regularly scheduled basis. All products provide a method to set scanning schedules. Enable that function.
  • Always have your firewall enabled.
 