
BING detected as rootkit?

Posted: Mon Nov 03, 2014 2:21 pm
by ohaya
Hi,

I use MalwareBytes, and when I enable rootkit detection on that, it is detecting something as "Unknown.rootkit.VBR" on physical 0, drive 2. I have been posting on the MalwareBytes help forum, and they're walking me through different scans, but looking at where it thinks this rootkit is, which appears to be my boot drive where I have BING installed (and the only drive with an EMBR, I think), I'm wondering if they may be detecting BING as a rootkit.

Has anyone had this happen?

Thanks,
Jim

Re: BING detected as rootkit?

Posted: Mon Nov 03, 2014 3:09 pm
by TeraByte Support
Sounds like they just presume if it's not a standard MS MBR code that it's a
root kit? You can boot up the boot disk and see if it says to reactivate
or starts a new install.




Re: BING detected as rootkit?

Posted: Mon Nov 03, 2014 4:58 pm
by ohaya
I'm not sure I understand what you said? Do you mean to say that I can boot after I let Malwarebytes "clean" what it thinks is the problem, and if BING says that I need to reactivate, then maybe they munged the BING boot code or something like that?

If that is what you mean, I've tried letting Malwarebytes "clean" or "quarantine" what it thinks is the problem, and then it wants me to reboot the system, which I do, but when the system reboots, I don't get anything from BING telling me that I need to re-activate BING.

The other thing, besides BING, that is on this system is I am booting off of a Samsung SSD, and I'm wondering if maybe Samsung installs something that is making Malwarebytes think it's a rootkit.

Thanks,
Jim



Re: BING detected as rootkit?

Posted: Mon Nov 03, 2014 7:51 pm
by Bob Coleman
For whatever it's worth, I have MalwareBytes and BIBM (not BING) and have had no conflict between the two.

Re: BING detected as rootkit?

Posted: Mon Nov 03, 2014 8:07 pm
by ohaya
Hi,

Thanks. Note that you have to enable rootkit detection in MalwareBytes (it's off by default) in the settings.

Also, I'm kind of starting to think that it may be something else and not BING. The reason I'm thinking that is that I have another Windows 7 partition that is on my boot drive, and if I use the boot entry for that and boot to that Windows then run MalwareBytes, it doesn't detect any rootkit.

As I said, the SSD Windows partition is on a Samsung SSD, and I think that Samsung leaves a part of the SSD available, and may be putting something there that MalwareBytes is detecting. I don't know at this point.

Thanks,
Jim




Re: BING detected as rootkit?

Posted: Tue Nov 04, 2014 4:51 pm
by Doug_B
Yes, I have seen this behavior with Malwarebytes versions 2.02x and 2.03x (paid version) on my system with BIBM installed to HD0. 2.02/3 are fairly new versions. I don't recall all the particulars with regard to the HDD and partition(s) that MBAM was identifying as a rootkit, but I think that when I ran MBAM from an OS partition on HD0, it was detecting a rootkit somewhere on HD1, and when I ran MBAM from an OS partition on HD1, it was detecting a rootkit somewhere on HD0.

I decided to test out what MBAM would do to clean this so-called detection about which I was already skeptical, due to the multitude of hidden OS partitions I had about (I currently have Limited Primaries = Y throughout). I made sure all my "non-test" partitions were backed up (I have a few test OS partitions that are easy enough to restore to an earlier state) and then tried to remove / quarantine the so-called rootkit. The result was a lost test OS partition on HD1; the associated partition table entry was gone.

Since that time, I have seen the detection again and indicated to MBAM not to quarantine but to add an exception. Not sure if it worked beyond this scan; I don't recall running an MBAM scan since, and MBAM does not show exceptions on the UI for this class of detection (it does list file / folder exceptions). I'll have to scan again to see what happens. I'd also like to do more thorough testing of this false detection in the near future.

Edit: FWIW, HD0 is an SSD, HD1 is a HDD. Also, I still have a BIBM partition on HD1 that was installed in my pre-SSD days. System has only Win7 x64 and Win XP x32 OSs, and motherboard does not have UEFI.

Doug
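TeraByte Support's guess is that the scanner flags any boot sector whose code is not the stock Microsoft MBR, and Doug's experience shows that letting it "clean" such a sector can wipe a partition table entry. The defender's answer to both is a known-good baseline of the boot sector taken right after the boot manager is installed, so a later "rootkit" hit can be checked against it before anything is cleaned. The Python below is an added example, not code from the thread or from TeraByte; it parses a classic 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature) and diffs it against a baseline. The sector bytes are constructed inline; reading the real sector 0 of a disk is a raw disk read that is outside this example.

```python
import hashlib
import struct

# Constructed sample data: NOT a real BING/BIBM boot sector, just a 512-byte
# MBR layout with non-Microsoft boot code and two NTFS-type (0x07) entries.
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, start LBA, sector count

def build_sample_sector(boot_code: bytes, entries) -> bytes:
    code = boot_code.ljust(446, b"\x00")[:446]
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return code + table + b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into a boot-code hash, used partition entries and signature."""
    if len(sector) != 512:
        raise ValueError("MBR sector must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # type 0 means an empty slot
            parts.append({"index": i, "active": boot == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": parts, "signature_ok": sector[510:512] == b"\x55\xaa"}

def compare_to_baseline(current: dict, baseline: dict) -> list:
    """List what differs from the known-good baseline; an empty list means unchanged."""
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    cur = {p["index"]: p for p in current["partitions"]}
    base = {p["index"]: p for p in baseline["partitions"]}
    findings += [f"partition entry {i} removed" for i in sorted(set(base) - set(cur))]
    findings += [f"partition entry {i} added" for i in sorted(set(cur) - set(base))]
    findings += [f"partition entry {i} modified" for i in sorted(set(cur) & set(base))
                 if cur[i] != base[i]]
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    return findings

# Hypothetical boot manager code and partitions (constructed values).
BOOT_CODE = b"\xeb\x3c\x90BOOTMGR-SAMPLE"
ENTRY_A = (0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
ENTRY_B = (0x00, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", 206848, 409600)
BASELINE_SECTOR = build_sample_sector(BOOT_CODE, [ENTRY_A, ENTRY_B])
AFTER_CLEAN_SECTOR = build_sample_sector(BOOT_CODE, [ENTRY_A])  # entry 1 gone, as Doug saw

def audit_after_clean() -> list:
    return compare_to_baseline(parse_mbr(AFTER_CLEAN_SECTOR), parse_mbr(BASELINE_SECTOR))
```

If the baseline and the flagged sector hash identically, the scanner is objecting to the same boot code you installed on purpose, which is the case for an exception rather than a quarantine.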

Re: BING detected as rootkit?

Posted: Tue Nov 04, 2014 5:42 pm
by mjnelson99
I once had to contact my AV provider because one of Terabyte programs
showed up badly. Cannot remember specifically what program or what it
found. It was probably 6 yrs ago.

I did contact the vendor with the name of program & contact info.
Very shortly after that, no more AV problems.
Mary


Re: BING detected as rootkit?

Posted: Thu Nov 06, 2014 3:21 am
by ohaya
Hi Mary,

I've had to do that before with MBAM, when they were flagging some legitimate websites as malicious and as you described, they fixed those in their next update, but this situation hasn't gone that way. I've been posting on their forum, and they had me go through a whole slew of different things, but so far no conclusions, so I've opened a support case with them. Hopefully that'll go better. I'll report back if anything comes of it.

Thanks,
jim

