MBAR picking up files when Trend Micro open

Have a machine that was infected with ransomware. I have used EaseUS secure erase to wipe out the whole drive and reinstall Windows 10 Pro on it, have even done a destroy partitions, format, reinstall Windows 10.

Whenever I run MBAR scan with Trend running I get these detections, even after a fresh install.

Infected: c:\users\defaultuser0\appdata\roaming\pidloc.txt --> [Trojan.Agent.Trace]
Infected: c:\google\googleupdate.a3x --> [Worm.Rowmanti]
Infected: c:\google --> [Worm.Rowmanti]
Infected: c:\skypee\googleupdate.a3x --> [Worm.Rowmanti.E]
Infected: c:\skypee --> [Worm.Rowmanti.E]
Infected: c:\users\defaultuser0\appdata\local\temp\updatea.vbs --> [Trojan.Agent.VBS]
Infected: c:\users\user\appdata\local\temp\updatea.vbs --> [Trojan.Agent.VBS]
Infected: c:\users\default\appdata\local\temp\updatea.vbs --> [Trojan.Agent.VBS]
Scan finished

If I close Trend Micro and run the scan again, these detections don't occur.

I'm not sure if this is a false positive due to Trend, or there actually somehow are still remnants of this malware, even though they can't be seen in Windows Safe Mode, with hidden files showing, not through Explorer or the cmd prompt, system restore turned off. Tried other antivirus scanners and no pickups. Looked up cleaning Worm.Rowmanti.E and no files or entries in registry.

I added a second hard drive and installed Windows 10 on it and get no detections if running MBAR scan with Trend open. It's only on this NVMe SSD disk that it happens.

I'm thinking of buying a new NVMe drive to see if that matters. These detections don't occur until Scanning Registry and Directory Data happen in MBAR.

If this isn't a false positive, I'm thinking somehow the SSD is reporting to MBAR that these files once existed on the drive, but I would have thought a secure erase through EaseUS would have fixed that, but it hasn't. The thing is I have Trend installed on other computers and when I run MBAR it comes back clean.

Hello @npiotrowski and welcome.

You have started this topic in the Malwarebytes Anti-Exploit (MBAE) Beta sub-forum.

Did you mean to post in the Malwarebytes Anti-Rootkit (MBAR) BETA Support sub-forum or the Malwarebytes Anti-Ransomware (MBARW) Beta sub-forum?

Thank you.

Edited by 1PW


It appears these may be false positives from Malwarebytes Anti-Rootkit Beta which are being caused by Trend Micro as you suspect.  Please try temporarily disabling or removing Trend to see if that makes any difference and let us know. Apologies, I just saw where you already mentioned that disabling Trend did indeed eliminate the detections.


Edited by exile360