TheSpirit

Hi Marcin. I suppose you are right. After all, it took me more than a month to realize that something was missing. Awfully quiet....

I keep a copy of the Eicar test file on my system drive to verify that malware scanners detect and report this correctly. All the others do, but not MBAM. Is this too simple or irrelevant?

Yes indeed, you are right, and it does appear in the list of drivers in Process Explorer, but only during the scan. Thank you.

Thanks again exile, I did manage to find a mysterious handle in Process Explorer. Process Monitor is interesting, of course. I'll try that later. Millions of events, I'm sure.

Thanks exile, but then I should be able to find it in Process Explorer as a driver in the System process like all other drivers, or listed on Autoruns' driver tab, right? This is a bit like tracking malware.

New user running MBAM free on XP pro SP2+. Everything works just fine, and when I run a scan, this event pops up in the system event log: Event Type: InformationEvent Source: Service Control ManagerEvent Category: NoneEvent ID: 7035Date: 2008-12-07Time: 08:49:00User: **********\AdministratorComputer: **********Description:The MBAMSwissArmy service was successfully sent a start control.It looks fine to me, so I tried to trace this service using Windows and Sysinternals tools, but this seems to be impossible. So, where is it? Rootkit?