NOD32 detects boot sector virus

Discussion in 'ESET NOD32 Antivirus' started by jamtoday, Feb 27, 2012.

Thread Status:
Not open for further replies.
  1. jamtoday

    jamtoday Guest

    Hi

    This morning I got two warnings that NOD32 detected a virus but was unable to clean. The two entries in the log file read:

    "Startup scanner active boot sector of the 0.physical disk probably unknown TSR.BOOT virus unable to clean"

    I've rebooted and no further warnings. What should I do, please?
     
  2. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    It might have been wiped out on the reboot. But I'd want to know for sure.
     
  3. mouser

    mouser Registered Member

    Joined:
    Mar 25, 2005
    Posts:
    18
    I got this as well today. This suggests to me that it's a brand new signature added to NOD32.

    Still doesn't tell us whether it's newly picking up on a real malware, but it does mean that the probability of this being a false positive is not insignificant.

    Anyone else?
     
  4. sargey

    sargey Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    14
    Yup, got this as well on our main 2k8 server.
     
  5. Vimto

    Vimto Registered Member

    Joined:
    Mar 7, 2010
    Posts:
    4
    Location:
    United Kingdom
    Just to update, had one of these on a PC at our site and one of our clients. Could others report in too please? Don't want to reject as a false positive just yet.
     
  6. Mafste

    Mafste Registered Member

    Joined:
    Feb 27, 2012
    Posts:
    1
    Location:
    Netherlands
    2 different computers as well today.
    TSR.Boot virus.

    VERY high possibility of being a false positive.
    Signed up to report.
     
  7. CrimsonSoul

    CrimsonSoul Registered Member

    Joined:
    Feb 27, 2012
    Posts:
    3
    Location:
    UK
    Yep, I just got that as well
     
  8. therivierakid

    therivierakid Registered Member

    Joined:
    Feb 27, 2012
    Posts:
    2
    Location:
    UK
    We have had 4 machines this morning (UK) with TSR.BOOT alert. Has this been identified as a false alarm? Currently scanning the PCs with USB based rescue 'CD'.
     
  9. Monkstable

    Monkstable Registered Member

    Joined:
    Feb 27, 2012
    Posts:
    1
    This has just tripped on every single Macbook in the office running Bootcamp & Win7. I'm guessing this is another false positive from a bad update?
     
  10. CrimsonSoul

    CrimsonSoul Registered Member

    Joined:
    Feb 27, 2012
    Posts:
    3
    Location:
    UK
    It looks like a false positive but I am still scared to log into Steam just in case
     
  11. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
    It's a false positive, will be fixed soon
     
  12. Mat3000

    Mat3000 Registered Member

    Joined:
    Jun 7, 2008
    Posts:
    7
    I got the same alert (I use ESET NOD32 5.0.95.0):

    Modul Prufung der Systemstartdateien - Alarm ausgelost auf Computer XYZ: aktiver Bootsektor des physischen Datentragers 0. enthalt moglicherweise unbekannter Virus TSR.BOOT Virus.

    Is there already an official statement from ESET, confirming that this is a false positive?
     
  13. edpaul

    edpaul Registered Member

    Joined:
    Feb 27, 2012
    Posts:
    1
    Location:
    UK
    I have just phoned ESET UK support and they confirm that update 6918 contains the boot sector false positive. They said that the update has been suspended and will be replaced shortly.
     
  14. jedwards17

    jedwards17 Registered Member

    Joined:
    Feb 27, 2012
    Posts:
    1
    Location:
    UK
    It is a false positive. Had a very quick reply from Eset.

    Good Morning,

    Unfortunately the most recent update that we have released was an update for the boot sector scanning module of our system. The result of this means that on some computers we are detecting a false positive by the name of “TSR.BOOT virus”. If you are receiving this message then it is likely that you are being affected by this false positive however you are in no way at risk. The issue has been submitted to our development team and should be resolved shortly.

    Kind Regards,

    Neil Street Customer Care Engineer - ESET UK
     
  15. therivierakid

    therivierakid Registered Member

    Joined:
    Feb 27, 2012
    Posts:
    2
    Location:
    UK
    Thanks for the confirmation. Had about 30 machines showing the alert in the end and was getting a bit nervous!
     
  16. jakass

    jakass Lurker

    Joined:
    Feb 27, 2012
    Posts:
    1
    Location:
    Dubai
    I have the same problem today too. I got the notification just after rebooting my laptop and I am a lot worried about it :(
    Please advise
    Am running NOD v 4.2.40.0
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    This is indeed a false positive (at least if it started to be detected after update 6918). However, it does not cause any harm to your system, data or other files like typical FPs can do.

    Updates were suspended after the initial reports to lower the impact on our customers. A new update addressing the false detection of certain boot sectors is going to be released momentarily.
     
  18. CrimsonSoul

    CrimsonSoul Registered Member

    Joined:
    Feb 27, 2012
    Posts:
    3
    Location:
    UK
    Good to see that it's a false positive :)
     
  19. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Well, I restarted mine this morning and am getting an error that it can't boot. Asking me to restore to an earlier image, which I don't have. Even if I try to switch to a different snapshot in FD-ISR it won't boot. Won't even let me go to Repair Computer.

    I really, really, really hope this isn't because of Eset. Or, well, let's just cross that bridge if I have to. :mad:
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I was in the process of uninstalling Nod and then on reboot is when it happened. Do you think it was detected and put into quarantine and then, without me knowing it and uninstalling Nod, this happened? I really hope not.
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    ESET does not touch the boot sector at all upon heuristic detection so it's highly unlikely the issue would be connected with the FP.
     
  22. Mwh65

    Mwh65 Registered Member

    Joined:
    May 8, 2008
    Posts:
    17
    Can confirm I got this on 1 of the 5 computers in an office I manage.

    Updating signature database to 6919 from 6918 has cleared the problem.
     
  23. Chaa006

    Chaa006 Registered Member

    Joined:
    Feb 27, 2012
    Posts:
    1
    Location:
    United Kingdom
    Agreed. Rev. 6918 shewed nine false positives on this system (seven physical discs) and Rev. 6919 says the same nine are clear.
     
    Last edited: Feb 27, 2012
  24. djrussell53

    djrussell53 Guest

    Hello,

    A friend of mine in Australia has the same Eset message. Below is what is in the log file. Just wanted to add to the list of others that are having the same problem. Thanks-

    27/02/2012 8:45:35 PM Startup scanner boot sector active boot sector of the 0. physical disk probably unknown TSR.BOOT virus unable to clean
     
  25. RyanW

    RyanW Registered Member

    Joined:
    Nov 9, 2009
    Posts:
    77
    I've got 5 machines popping this right now. Sure hope it's a FP.
     