
False Positive - Unknown.Rootkit.VBR



Scanned system using Malwarebytes Anti-Malware v2.1.6.1022; there were no problems.  I then installed the new update (v2.1.8.1057) and it gave me a Malware Threat indicating Unknown.Rootkit.VBR, Location: Physical Sector #0 on Volume #2.  I removed the threat and rebooted.  The system gave me an error indicating there was no operating system.  After running several diagnostic programs, it showed that my Windows volume had been wiped completely.  It was now only Unallocated Space.

 

Fortunately, I had an image of the volume I made on Sunday, June 28 which I restored using TeraByte's Image for Windows.  Thank God that worked!

 

Whatever you do, do not remove the Unknown.Rootkit.VBR.

 

For further information, I am dual booting Windows 7 Professional using TeraByte's BootIt Bare Metal.  One volume is on a 240GB OCZ Vertex 3.  The BootIt program resides on this SSD using 5MB.  The second version of Win7 is on a Samsung 850 EVO (500GB SSD).  Each SSD is on its own separate SATA 3 port; neither volume can be accessed from the other, as they are hidden from one another.


Thanks for your help.  I suspected it might have something to do with the TeraByte BootIt Bare Metal; however, that program is on a completely separate volume from the volume that MBAM indicates has the VBR.  In any event, I have put together a PDF showing the layout of my system with notations, as well as the MBAR log you requested.  There is probably more information there than you needed, but, having been in the USAF as an Admin Assistant and having worked for corporate attorneys for 35+ years, I keep detailed notes.  Never know when you might find them useful.  Thank you.

2015_06_30.2010 - Results of MBAR Test.pdf

system-log.txt

Staff

OK, unfortunately I need MBAR run one more time.

 

Can you run it from a command prompt like this:

 

mbar.exe /v

 

That will give me a more complete report with the checksums I need to correct this. Again, don't remove anything.

 

To get to a command prompt easily, hold the Shift key and right-click the folder MBAR is located in. From the right-click menu, click "Open command window here".

 

Then, on that line in the black box, type this and run MBAR this way with the /v switch:

 

mbar.exe /v

Staff

OK, I believe I may have gotten this fixed.

 

Can you update the MBAR or MBAM databases and rescan? It should be db 2015070301 (swissarmy/rootkit database).

 

Hopefully it shouldn't be detected anymore.

 

 

Thanks very much for this information!

Staff

OK, I adjusted the whitelist some. Please see if there is any difference with MBAR. By the way, you can uncheck the System box to stop it from running a full scan and save a lot of time.

 

If that doesn't make any difference after you have updated and scanned, then please do the following.

 

Can you start a scan with mbar from the command line with this:

 

mbar.exe /z /v

 

While the scan is running, it will drop these two files, whose names start with VBR/MBR, in the portable folder:

 

C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-2-0-63-i.mbam...
C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-2-r.mbam...

 

Can you zip those up and attach them here?

 

Thanks.

2 weeks later...

Staff

 

 

One volume is on a 240GB OCZ Vertex 3.  The BootIt program resides on this SSD using 5MB.  The second version of Win7 is on a Samsung 850 EVO (500GB SSD).  Each SSD is on its own separate SATA 3 port and neither volume can be accessed from the other but are hidden from one another. 

 

How did you make one volume hidden from another in Bare Metal?


After reading your email, I realize I made an error as to the "240GB OCZ Vertex 3".  That is not correct.  The  "240GB OCZ Vertex 3" is configured as a RAID0 using an Intel 520 Series (120GB SSD) and an OCZ Vertex 3 (120GB SSD).  This RAID0 setup is used for video captures only.  It does not boot, there is no OS on it.

 

When my system boots, the TeraByte BootIt Bare Metal menu window appears (somewhat similar to the Acronis TrueImage OS menu program).  With BootIt, I can add boot volumes to the menu and select which to boot to - Windows, Ubuntu, etc. - and BootIt allows you to manage volumes.  Hiding the AsusP8P67Deluxe volume from the MediaCreationOS volume and vice versa keeps each OS from interfering with the other, such as updates I may want on the main working volume but not on the Media volume, etc.  BootIt also allows me to access one volume from the other simply by configuring the hidden option, which can come in handy: if the Asus volume doesn't boot, I can still access it from the Media volume and correct problems.  Very, very useful and inexpensive utility.  Also, even though the two volumes are hidden from each other, both volumes use the same PageFile, Temp/TMP, Cookies, and IE Temporary Internet Files folders on another volume (Volume P, named PageFileTemp) for efficiency, space saving and other diagnostic reasons.

 

So my main daily Win7 working volume (Volume named AsusP8P67Deluxe) on the Intel 520 Series (240GB SSD) is hidden from the Win7 (Volume named MediaCreationOS) on the Samsung 850 EVO (500GB SSD).  The MediaCreationOS volume is only used for multimedia projects (Sony Vegas Pro, Boris FX, Slysoft, Hauppauge, Corel VideoStudio, Corel Pinnacle Studio, Corel Avid Studio, and other similar audio/video software) dedicated solely to video/audio projects without any other software I would use on a daily basis (Word, Outlook, WordPerfect, Internet access, Microsoft Money, etc.) and which are all on the AsusP8P67Deluxe volume.

 

If my analysis is correct, the False Positive - Unknown.Rootkit.VBR, according to the Windows 7 Computer Management program, indicates "volume #2" is the AsusP8P67Deluxe volume.  It is on this disk (the Intel 520 Series 240GB SSD) as the second volume.  The first volume on this disk is the BootIt Bare Metal program.

 

I hope I haven't confused things.  I build my own systems and they tend to be complicated.

Staff

The log you've sent here shows that one of your partitions on Physical drive #2 is marked as both HIDDEN and ACTIVE, which is a serious red flag for the anti-rootkit engine. That's why it throws the detection. But this is not all: the file system for this partition could not be determined for some reason, so the anti-rootkit engine considers this a malicious partition and removes it completely. I spent a day experimenting with the latest version of BootIt NG Bare Metal, trying different options, and I was unable to achieve such results where the partition was marked both HIDDEN and ACTIVE at the same time; also, the file system was determined correctly in all my cases. Therefore I need additional, possibly step-by-step, info on how you were able to configure Bare Metal that way when the second volume is not visible to the currently active operating system. Are you using some volume encryption together with Bare Metal? Or some additional software?

 

Also I noticed that the Master Boot Record of your hidden drive is not standard: neither Windows nor Bare Metal. It looks custom-made and pretty suspicious from the anti-malware standpoint. Did you use some software other than Bare Metal to configure the MBR on that drive?

 

And one more thing: according to the log file, there are some kernel hooks detected in your system (the line "IRP handler 0 of \Driver\mvs91xx points to an unknown module"). That means some drivers in the system are tampering with the Windows kernel, and this is usually a sign of a rootkit infection. But still, maybe some custom software is installed in your system which does such hacking. Would be glad to figure this out.

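The detection logic the staff post describes, as an added example that is not code from Malwarebytes, TeraByte or anyone else in this thread: a minimal MBR partition-table parser that flags an entry which is both ACTIVE (boot indicator 0x80) and HIDDEN (one of the "hidden" partition type IDs), then tries to identify the filesystem from the partition's first sector (the VBR) and escalates when it cannot. The MBR layout, type IDs and FAT/NTFS signature offsets are the standard on-disk formats; the verdict labels and the two-tier scoring are my assumptions modelled on the post, not the real engine's rules, and the sample MBR and VBR bytes are constructed inline to mirror the layout described in the thread.

```python
"""Added example: MBR hidden+active heuristic with VBR filesystem check.
Not Malwarebytes' or TeraByte's code; scoring is an assumption based on the thread."""
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446      # four 16-byte entries at 446..509, then 0x55AA at 510
BOOT_ACTIVE = 0x80
ENTRY_FMT = "<BBBBBBBBII"    # boot, CHS start(3), type, CHS end(3), LBA start, sectors

# Hidden variants of common FAT/NTFS type IDs (standard MBR partition type list).
HIDDEN_TYPES = {
    0x11: "Hidden FAT12", 0x14: "Hidden FAT16 <32M", 0x16: "Hidden FAT16",
    0x17: "Hidden NTFS/HPFS", 0x1B: "Hidden FAT32", 0x1C: "Hidden FAT32 (LBA)",
    0x1E: "Hidden FAT16 (LBA)",
}


def parse_mbr(sector: bytes) -> list:
    """Parse the four primary entries; one dict per non-empty slot."""
    if len(sector) != MBR_SIZE or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR sector: wrong size or missing 0x55AA signature")
    entries = []
    for i in range(4):
        f = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        boot, ptype, lba_start, sectors = f[0], f[4], f[8], f[9]
        if ptype == 0x00:        # empty slot
            continue
        entries.append({"index": i, "active": boot == BOOT_ACTIVE, "type": ptype,
                        "hidden": ptype in HIDDEN_TYPES,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def identify_vbr(vbr: bytes):
    """Identify the filesystem from a partition's first sector, or None if unknown."""
    if len(vbr) < 512 or vbr[510:512] != b"\x55\xAA":
        return None
    if vbr[3:11] == b"NTFS    ":                                  # NTFS OEM ID
        return "NTFS"
    if vbr[82:90] == b"FAT32   ":                                 # FAT32 BPB type string
        return "FAT32"
    if vbr[54:62] in (b"FAT12   ", b"FAT16   ", b"FAT     "):     # FAT12/16 BPB type string
        return "FAT12/16"
    return None


def assess(mbr: bytes, vbr_by_index: dict) -> list:
    """Heuristic from the thread (assumed labels): a HIDDEN+ACTIVE entry is 'suspicious';
    if its VBR filesystem cannot be determined it becomes 'unidentified-fs', the case the
    staff post says the engine treats as a malicious partition. Returns (index, verdict, fs)."""
    findings = []
    for e in parse_mbr(mbr):
        if e["active"] and e["hidden"]:
            fs = identify_vbr(vbr_by_index.get(e["index"], b""))
            findings.append((e["index"], "suspicious" if fs else "unidentified-fs", fs))
    return findings


def build_mbr(parts) -> bytes:
    """Construct a 512-byte MBR from (active, type, lba_start, sectors) tuples.
    Boot code and CHS fields are zero-filled (LBA-only), which is enough for the parser."""
    sector = bytearray(MBR_SIZE)
    for i, (active, ptype, lba_start, sectors) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i,
                         BOOT_ACTIVE if active else 0, 0, 0, 0, ptype, 0, 0, 0,
                         lba_start, sectors)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Constructed sample data (not real disk images): slot 0 a small FAT16 boot-manager
# partition; slot 1 a hidden NTFS partition that still carries the active flag.
MISCONFIGURED_MBR = build_mbr([(False, 0x04, 63, 10240), (True, 0x17, 10303, 468_000_000)])
# The same disk after clearing the active flag on the hidden partition.
FIXED_MBR = build_mbr([(False, 0x04, 63, 10240), (False, 0x17, 10303, 468_000_000)])

_vbr = bytearray(512)
_vbr[0:3] = b"\xEB\x52\x90"          # jump to boot code
_vbr[3:11] = b"NTFS    "             # OEM ID
_vbr[510:512] = b"\x55\xAA"
SAMPLE_NTFS_VBR = bytes(_vbr)

if __name__ == "__main__":
    print(assess(MISCONFIGURED_MBR, {1: SAMPLE_NTFS_VBR}))   # [(1, 'suspicious', 'NTFS')]
    print(assess(MISCONFIGURED_MBR, {}))                     # [(1, 'unidentified-fs', None)]
    print(assess(FIXED_MBR, {1: SAMPLE_NTFS_VBR}))           # []
```

The third call shows the effect of the fix the thread converges on: once the hidden partition no longer carries the active flag, the heuristic produces no finding at all, regardless of whether the VBR can be read. Run on a real disk you would read sector 0 of the device and the first sector of each partition (at lba_start * 512) with appropriate privileges; the parser does not touch any device itself.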

I resolved the issue by unchecking "Keep HD Active" in BootIt Bare Metal (BIBM).  With this checked, it allowed all active drives to retain the Active attribute.  Now the Active attribute only applies to the volume booted.

 

As for the hidden volume (MediaCreationOS), its file system does not display either the volume name or the format using the Windows Computer Management applet.  However, using Acronis Disk Director 12, it displays the hidden volume's name and format and all its attributes.

 

I only use Acronis Disk Director 12 for creation and management of all volumes.  I only use Terabyte Image for Windows/Linux for imaging/restoring.

 

As you can see from the attachments, the system boots into BIBM's Boot Menu (which the user creates).  If you click the "Maintenance" command button on that menu, it opens the editor for managing the Boot Menu.  Select the boot volume and then the "Edit" command button, it opens the "Edit Menu Item" from which configuration of the selected boot menu item may be undertaken. 

 

As the attachments indicate, this "Edit Menu Item" screen identifies the volume name, the hard drive number and the boot volume.  The menu shows the "MBR Details" of all the drives and, as you can see, HD0 partition 0 contains the BootIt EMBRM, which is formatted as a 5MB FAT16 Primary, and partition 1 is the Windows 7 Pro AsusP8P67Deluxe boot volume, which is 223.6GB NTFS Primary.  The details also display HD1 with only 1 partition (0), hidden when the AsusP8P67Deluxe volume is selected to boot from the "Boot Menu".  If I had provided you with a screen capture of the MediaCreationOS "Edit Menu Item" you would see the same MBR Details, only the AsusP8P67Deluxe volume is hidden when the MediaCreationOS is booted.  The information I provided you hereinabove as to the capacity, drive format and other attributes was taken from other parts of the program and I provided it to you just for your information.

 

As to the mvs91xx hooks, they are related to the two SSDs connected to the Marvell PCIe 9128 SATA 6 HyperDuo on the motherboard as well as the PCI Express SATA card (Iocrest) Model SI-PEX40065 (Marvell 88SE9215).

 

I do so much appreciate you taking the time and effort to resolve this issue which you did when I began my troubleshooting with your indication of both drives showing ACTIVE.  I checked the BIBM Manual and discovered the answer in disabling the "Keep HD Active" option.

 

I trust I have provided answers to your questions and, if not, please advise.  Otherwise, we can consider this issue resolved.  I did run a thorough check of my complete system with your Malwarebytes software as well as other diagnostic software and there were no problems.  I maintain tight control over my system.

 

Thank you.

 

[Attachments: four screenshots of the BIBM Boot Menu and "Edit Menu Item" screens]


I had the exact same problem today.  Unchecked the HD Active option, and rootkit detection has gone away.

Thank you very much for finding a temporary solution to this detection, and I hope that a more permanent malwarebytes solution may be coming in the future.

 

1 month later...

I wonder if you could have a look at my topic here, please. I have the same issue with the Unknown.Rootkit.VBR detection. My system also has a hidden active partition with a boot folder and BCD file that directs to the Windows 7 OS partition. It's an HP Compaq and that is the standard way the system came from the factory. I did make one of the primary partitions logical so as to split it for the OS and personal files, but the active partition was always hidden, and if I unhide it the system doesn't boot.

https://forums.malwarebytes.org/index.php?/topic/172463-unknownrootkitvbr-detected-by-malwarebyes-full-scan/

Thanks

This topic is now closed to further replies.