[dba-Tech] Generic MBR Rootkit and Vipre

Tydda Jon - Slough jon.tydda at lonza.com
Thu Apr 9 04:19:43 CDT 2009


Although, having googled it myself, you should look at this thread on the Vipre page:

http://support.sunbeltsoftware.com/Default.aspx?answerid=1851

Answer ID:  1851 Product:  VIPRE
Last Updated:  4/1/2009

VIPRE found "Generic MBR Rootkit"

Question
What can I do about this "Generic MBR Rootkit"?

Answer
VIPRE is identifying a false positive on your computer.  A false positive occurs when a virus scanner erroneously detects a 'virus' in a non-infected file. False positives result when the definition file used to detect a particular virus is not unique to the virus - i.e. the same signature appears in legitimate, non-infected software.


The Generic MBR Rootkit that VIPRE is detecting is caused by a hidden partition on your computer. This hidden partition is in part generated by an active Backup software. e.g. Norton's GoBack, Roxio's GoBack, FarStone's DriveClone Pro & RestoreIT.


The trace for this threat, in the detail summary, looks something like this:
- <trace type="32" dispValue="\\.\PhysicalDrive0">
  <attr n="path" v="\\.\PhysicalDrive0" />

We are currently working on correcting this false positive. In the meantime, you can set VIPRE to "always allow" this detection the next time the scan detects it.


Also, this page tells you how to report a false positive: http://www.sunbeltsecurity.com/Submit.aspx?type=falsePositive&cs=5104D20A8309C784EE7BCD8BFF85EB45

And this one might help too: http://getsatisfaction.com/sunbeltsoftware/topics/need_help_with_mbr_rootkit_removal



Jon
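To triage a detection like this yourself, the following added example (not code from the Vipre article or from this list thread) parses an MBR partition table and flags partition-type IDs that backup products use to hide a partition; the 512-byte sector is constructed here, and the hidden-type ID table is the standard MBR one, assumed rather than taken from the article.

```python
"""Parse a 512-byte MBR and list its partition entries, flagging the
"hidden" partition types that backup/restore products commonly create."""
import struct

# Standard MBR partition-type IDs that mark a partition as hidden
# (assumption: the usual published partition-type table).
HIDDEN_TYPES = {0x11: "Hidden FAT12", 0x14: "Hidden FAT16 <32M",
                0x16: "Hidden FAT16", 0x17: "Hidden HPFS/NTFS",
                0x1B: "Hidden FAT32", 0x1C: "Hidden FAT32 LBA",
                0x1E: "Hidden FAT16 LBA"}

def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries of an MBR sector."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = 446 + 16 * i  # partition table starts at byte 446, 16 bytes per entry
        # byte 0 boot flag, 1-3 CHS start, 4 type, 5-7 CHS end, 8-11 LBA start, 12-15 sector count
        boot, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                        "hidden": ptype in HIDDEN_TYPES,
                        "label": HIDDEN_TYPES.get(ptype, f"type 0x{ptype:02X}"),
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def hidden_partitions(sector: bytes) -> list:
    """Only the entries whose type ID marks them as hidden."""
    return [e for e in parse_mbr(sector) if e["hidden"]]

def make_entry(boot: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one 16-byte partition entry (CHS fields zeroed)."""
    return struct.pack("<B3xB3xII", boot, ptype, lba_start, sectors)

def sample_mbr() -> bytes:
    """Constructed sample: a bootable NTFS partition followed by a hidden NTFS one."""
    sector = bytearray(512)
    sector[446:462] = make_entry(0x80, 0x07, 2048, 200_000)
    sector[462:478] = make_entry(0x00, 0x17, 202_048, 50_000)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    # On a live Windows system the same 512 bytes can be read, with administrator
    # rights, from the raw device path the detection names: r"\\.\PhysicalDrive0".
    for entry in parse_mbr(sample_mbr()):
        print(entry)
```

A hidden-type entry that matches a known backup product explains the detection; an unexpected one is what deserves the deeper scan.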


-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Lembit Soobik
Sent: Thursday, April 09, 2009 10:02 AM
To: Discussion of Hardware and Software issues
Subject: [dba-Tech] Generic MBR Rootkit and Vipre

Hi,
I have just installed Vipre on an old Win2K PC and the first scan found a "Generic MBR Rootkit", recommended action "Quarantine".
When I clicked "Clean", it showed up as "Allowed".
Scanned again, found the rootkit again, this time I definitely set it to "Delete", hit Clean and again it shows up as allowed.

Obviously this kid is able to cheat Vipre.

Just ran Malwarebytes, which did not find that rootkit - at least not with quickscan. Now running deep scan.

Any idea how to get rid of that beast?

thanks
Lembit
