TSR.BOOT virus on Windows 7

Discussion in 'ESET NOD32 Antivirus' started by jc007, Nov 9, 2009.

Thread Status:
Not open for further replies.
  1. jc007

    jc007 Registered Member

    Joined:
    Nov 9, 2009
    Posts:
    1
    I did a clean install on an Intel SSD with Windows 7 64-bit and am now getting this TSR.BOOT virus MBR with ESOD scan. It is unlikely that this is a real virus since I haven't installed much on this system yet.

    Any help will be appreciated.
     
  2. Fixer

    Fixer Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    141
    Location:
    Bulgaria, EU
  3. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    That is interesting. I am unsure of how Intel prepares the master boot record code, but I have not seen this behavior when installing Microsoft Windows 7 64-bit edition to a Kingston SSD, so whether it is a false positive alarm or a piece of malware is open to conjecture at this point.

    Since making a copy of a MBR for submission to the virus lab can be a bit tricky, I will send you a private message explaining how to submit it to the virus lab for analysis.

    Regards,

    Aryeh Goretsky
     
  4. infoflex

    infoflex Registered Member

    Joined:
    Nov 11, 2009
    Posts:
    2
    Location:
    Stockholm, Sweden
    Hi.
    We are a reseller of Lenovo products as well as NOD32.
    Recently I've got 2 T500 laptops with W7 32-bit. Latest NOD32 AntiVirus 4.0.467 and same virus warnings. Hanging laptops in strange ways.. made a factory restore and then tried without NOD32, works great. Installed NOD32 AntiVirus 4.0.467, got same strange hangings.. on both laptops, identical.

    New factory restore and now tried some Norton 30-day trial, no problem at all. All the other "original" programs are installed, and both laptops are tested with latest Win patches + Lenovo patches, coz that's how they will be used! I've talked to the Swedish support and they want logfiles, well my users don't wanna try and error :) so I've just wait for a fix.. Could be combo of R&R and NOD32.. coz R&R has messed up Netscreen VPN clients before with bluescreen, and I found looong thread about R&R and Lenovo models.

    My 2p..
     
  5. softalk

    softalk Registered Member

    Joined:
    Dec 12, 2009
    Posts:
    3
    Same problem here.. Just sold a batch of Acer systems and a 10 user licence for NOD32. (Unfortunately I persuaded the company to move to ESET from their old AV company.)

    Systems are preinstalled with both W7Pro and XPPro.. upon installing NOD32 I get TSR.BOOT virus found unable to clean.

    After looking through the forums, it appears this particular problem has been doing the rounds since at least 2004. That's FIVE years!!

    Come on guys.. there must be a simple solution to this problem by now without having to mess about sending MBR images to ESET!

    Is there any way to get NOD32 to ignore the virus (which obviously gives so many people the headache of a fp)?
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You need to send an image of your MBR to ESET as it is a non-standard one and needs to be added to the exception list.
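
Added example, not part of the thread and not ESET's submission procedure: before sending images from a batch of machines, a reseller can split each captured 512-byte MBR image into its standard fields and hash only the boot-code area, to see whether every machine carries the same non-standard loader. It assumes the sector has already been saved as raw bytes; the machine names and sample images are constructed.

```python
import hashlib
import struct
from collections import defaultdict

SECTOR = 512
BOOT_CODE_END = 440      # bytes 0..439: bootstrap code
PART_TABLE = 446         # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR image into boot-code hash, disk id and partitions."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0x00 marks an unused slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sector[510:512] == SIGNATURE,
        "disk_id": struct.unpack_from("<I", sector, 440)[0],
        # Hash only the code area: disk id and partition table differ per disk.
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partitions": parts,
    }

def group_by_boot_code(images: dict) -> dict:
    """Map boot-code hash -> sorted machine names sharing that loader."""
    groups = defaultdict(list)
    for name, sector in images.items():
        groups[parse_mbr(sector)["boot_code_sha256"]].append(name)
    return {h: sorted(names) for h, names in groups.items()}

def make_sample(code_byte: int, disk_id: int) -> bytes:
    """Constructed test image: filler boot code, one active type-0x07 partition."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return (bytes([code_byte]) * 440 + struct.pack("<I", disk_id) + b"\x00\x00"
            + entry + bytes(48) + SIGNATURE)

SAMPLES = {  # constructed data with hypothetical machine names, not real MBR dumps
    "acer-01": make_sample(0x90, 0x1111AAAA),
    "acer-02": make_sample(0x90, 0x2222BBBB),
    "acer-03": make_sample(0xCC, 0x3333CCCC),
}
```

A single hash shared by the whole batch points to an OEM-installed loader; one machine that differs from the rest is the image to look at first.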
     
  7. infoflex

    infoflex Registered Member

    Joined:
    Nov 11, 2009
    Posts:
    2
    Location:
    Stockholm, Sweden
    Na, I can't and won't.. coz NOD32 hangs my 2 Lenovo T500 systems, sorry, but those two are running smooth with other antivirus systems now, you're too slow :rolleyes:
    No other AV system I tested does this, and that is a handful of the known ones. So until a solution, we can not ship NOD32 with T500, or maybe other Lenovo models as well. :thumbd:
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Lenovo notebooks are known to suffer problems when the file MountPointManagerRemoteDatabase in the System Volume Information is being scanned or backed up (you'll find tons of references to this issue on other vendors' websites). The solution is to exclude that file from scanning, however, only an exclusion in the kernel syntax (\Device\HarddiskVolume2\System Volume Information\MountPointManagerRemoteDatabase) may be effective which can be, however, done only by editing the registry directly in safe mode. An easier solution could be excluding extensionless files from scanning in both the real-time protection and on-demand scanner extension setup.
     
  9. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    How can ESET fix it if you are so unwilling to help? As a guess, it will be fixed but it will obviously take longer while ESET find another way.
     
  10. softalk

    softalk Registered Member

    Joined:
    Dec 12, 2009
    Posts:
    3
    OK.. I tried.

    I sent an email to support@eset.com which was returned by them together with a message that I didn't have a valid ticket number.

    I also filled in their online support submission page 5 hours ago.. as of yet no reply.

    I considered switching off boot scan for now.. I can't find that option.

    I switched off the on-screen message notification to hopefully hide the problem until it's fixed in a future update.. the message still appears.

    My company has been reselling other AV products for a very long time and only recently took on ESET's range of products. I understand that the only way they can update their database is via submission from users, but if the submission process is half-hearted and slow, then the delay at times will be unacceptable.

    As someone said above.. no other AV product I've tried has a problem with the Acer systems. I now have to purchase another company's product for these 10 machines so I can ship them without delay and I have a 10 user licence for ESET's product, registered to the same company and so unusable for anyone else.

    I want to like ESET's products, really I do, but so far it's not looking too good for them, is it.
     
  11. softalk

    softalk Registered Member

    Joined:
    Dec 12, 2009
    Posts:
    3

    Update: MBR now sent to ESET for analysis.
     