fidelius2 - Posted February 9, 2014

Hello,

Nod32 warned the user of a PUA when it first saw the executable (on a USB key) that allows altering the MBR. Fine. But it was not able to see that the MBR of Windows 7 had been altered by a loader. The scan was made from a bootable CD-ROM with ESET SysRescue in order not to be fooled by a rootkit or another bad thing deeply hidden. A scan of the MBR was also requested. Is it ESET policy, or is it too difficult to detect?

Arakasi - Posted February 9, 2014

Hi,

Was this a laptop or a desktop? What version of the virus database was used? I have seen non-malicious loaders for Windows 7 that are not detected as a threat or found by ESET software, simply because it is a rare pirated crack that has possibly not been seen by many computers around the world. There are some loaders that also do not remain resident. They make the changes needed and then delete themselves, leaving no traces behind to even be caught by scanners or software, simply because Windows appears to be acting normally. Do you know which loader this was, or can you locate it manually? You could also submit the data to ESET for study and future detections if possible.

Thanks for your posting.

Marcos (Administrators) - Posted February 9, 2014

Potentially unwanted applications don't perform modifications of the MBR; such software would be classified as malware. I'd suggest submitting it to ESET's Malware research lab for analysis and possible reclassification if it's confirmed that it modifies the MBR.

fidelius2 (Author) - Posted February 9, 2014

Nod32 says it is Win32/HackTool.WinActivator.I. On Virust*t*l, 21 out of 50 AVs flag it as such. What I do not understand is why the EXE file is flagged and, once it has been run from a USB stick, an outside scan of the MBR returns nothing. I guess it modifies the MBR because it is loaded before Windows is started.

Aryeh Goretsky (ESET Moderators) - Posted February 13, 2014

Hello,

Some hacking tools are classified as Potentially Unsafe Applications.

If you would like to submit the Win32/HackTool.WinActivator.I file to ESET's researchers for further examination, you can do so by following the instructions in ESET Knowledgebase Article #141, "How do I submit a virus, website or potential false positive sample to ESET's lab?"

Regards,
Aryeh Goretsky