[dba-Tech] Generic MBR Rootkit and Vipre

Lembit Soobik lembit.dbamail at t-online.de
Thu Apr 9 04:57:30 CDT 2009


Thank you, Jon,
that explains it. I do have Goback.
Also explains why Malwarebytes did not find it.

Thanks a lot for your help
Lembit

----- Original Message ----- 
From: "Tydda Jon - Slough" <jon.tydda at lonza.com>
To: "Discussion of Hardware and Software issues" 
<dba-tech at databaseadvisors.com>
Sent: Thursday, April 09, 2009 11:19 AM
Subject: Re: [dba-Tech] Generic MBR Rootkit and Vipre


> Although, having googled it myself, you should look at this thread on the 
> Vipre page:
>
> http://support.sunbeltsoftware.com/Default.aspx?answerid=1851
>
> Answer ID:  1851 Product:  VIPRE
> Last Updated:  4/1/2009
>
> VIPRE found "Generic MBR Rootkit"
>
> Question
> What can I do about this "Generic MBR Rootkit"?
>
> Answer
> VIPRE is identifying a false positive on your computer.  A false positive 
> occurs when a virus scanner erroneously detects a 'virus' in a 
> non-infected file. False positives result when the definition file used to 
> detect a particular virus is not unique to the virus - i.e. the same 
> signature appears in legitimate, non-infected software.
>
>
> The Generic MBR Rootkit that VIPRE is detecting is caused by a hidden 
> partition on your computer. This hidden partition is in part generated by 
> active backup software, e.g. Norton's GoBack, Roxio's GoBack, 
> FarStone's DriveClone Pro & RestoreIT.
>
>
> The trace for this threat, in the detail summary, looks something like 
> this:
> - <trace type="32" dispValue="\\.\PhysicalDrive0">
>   <attr n="path" v="\\.\PhysicalDrive0" />
>
> We are currently working on correcting this false positive. In the 
> meantime, you can set VIPRE to "always allow" this detection the next time 
> the scan detects it.
>
>
> Also, this page tells you how to report a false positive: 
> http://www.sunbeltsecurity.com/Submit.aspx?type=falsePositive&cs=5104D20A8309C784EE7BCD8BFF85EB45
>
> And this one might help too: 
> http://getsatisfaction.com/sunbeltsoftware/topics/need_help_with_mbr_rootkit_removal
>
>
>
> Jon
>
>
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com 
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Lembit Soobik
> Sent: Thursday, April 09, 2009 10:02 AM
> To: Discussion of Hardware and Software issues
> Subject: [dba-Tech] Generic MBR Rootkit and Vipre
>
> Hi,
> I have just installed Vipre on an old Win2K PC and the first scan found a 
> "Generic MBR Rootkit", recommended action "Quarantine".
> When I clicked "Clean", it showed up as "Allowed".
> Scanned again, found the rootkit again, this time I definitely set it to 
> "Delete", hit Clean and again it shows up as allowed.
>
> Obviously this kid is able to cheat Vipre.
>
> Just ran Malwarebytes, which did not find that rootkit - at least not with 
> quickscan. Now running deep scan.
>
> Any idea how to get rid of that beast?
>
> Thanks
> Lembit
>
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
>
> This communication and its attachments, if any, may contain confidential 
> and privileged information the use of which by other persons or entities 
> than the intended recipient is prohibited. If you receive this 
> transmission in error, please contact the sender immediately and delete 
> the material from your system.
>
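The support answer above boils down to "look at what is actually in the partition table of \\.\PhysicalDrive0 before trusting the label". The following is an added example, not code from the thread or from VIPRE, that decodes a raw 512-byte MBR sector and names the partition types it finds; the type table and the 0x44 GoBack code are assumptions taken from common partition-type lists, and the sample sector is constructed inline.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446            # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR

# Type codes as given in common MBR partition-type tables. 0x44 is the code
# those tables list for GoBack; the thread itself never names it (assumption).
KNOWN_TYPES = {0x07: "NTFS/HPFS", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
               0x44: "GoBack partition"}

def parse_mbr(sector: bytes) -> list:
    """Decode the four partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR or sector[510:] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype == 0:            # empty slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "label": KNOWN_TYPES.get(ptype, "unknown"),
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def unexplained(entries: list) -> list:
    """Entries whose type code is not in the table: the ones worth a closer look."""
    return [e for e in entries if e["type"] not in KNOWN_TYPES]

def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS volume plus a GoBack partition."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 20_000_000)
    table += struct.pack("<B3xB3xII", 0x00, 0x44, 20_000_063, 100_000)
    table += bytes(32)                    # two empty slots
    return bytes(TABLE_OFFSET) + table + BOOT_SIGNATURE

if __name__ == "__main__":
    # On a real machine the sector would be the first 512 bytes read from
    # \\.\PhysicalDrive0 with administrator rights.
    for entry in parse_mbr(build_sample_mbr()):
        print(entry)
```

A partition whose type code matches a backup product you know is installed supports the false-positive explanation; an entry that stays "unknown" is the case where the alert deserves a second opinion.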



