MBAM detection of file that does not exist (not a rootkit)

Hello, I have used MBAM for years... But now I decided to register and log in.

This is the second time I have problems with detection of a file that does not exist.

I have tried to solve this problem (twice) with the help of Essexboy (an antimalware guru) in avast forums.

What more can I do to help debug this, as I'm quite confident this is a false positive?

I have already run OTL, OTM, Combofix and avast.

External link to where I've discussed this: http://forum.avast.com/index.php?topic=59953


Greetings and welcome :D

Please click on Start and select Run then type or copy/paste mbam /developer and run another Quick Scan and copy and paste the resulting log into your next reply.

Thanks :blink:


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Vers


Well, I'm starting to think about whether I'll recommend MBAM as I always did... I hate lack of support...

What happens when you try to create a file by the same name?

The UAC is invoked and a file could be copied there without any "replace" warning.

Thanks for following this.


The file gets deleted on boot due to Unlocker.

Now running another MBAM scan.


I am going to have the code team check into this as this should not be possible.


Many thanks for the support.

Of course, feel free to ask me anything I could/need to do to follow this issue.


I've restored a full partition image from 15 days ago.

Only avast Internet Security was there (no Comodo Time Machine) and the detection persists with the latest virus database of MBAM.

Any help? Should I give up?


This could be an issue with file/folder permissions. Please try the fix located here to see if it helps.

If it does not, then re-create the f.exe file you created previously and leave it in place then do the following:

  • Perform a Quick Scan with Malwarebytes' Anti-Malware and allow it to remove the file, rebooting the computer so it can complete removal.
  • Open C: and verify that the file is now gone.
  • Run another Quick Scan with Malwarebytes' Anti-Malware to see if the file is still being detected or not.

Please let me know how it goes.

Thanks :)


Thanks exile.

The Microsoft fix is for Windows XP/Vista and seems dangerous to apply to Windows 7, which I'm using. It could mess up the whole Windows installation.

I've recreated the f.exe file (copying a new and different executable and renaming it). A direct copy gives me access permission denied, even when allowing UAC.

Ran MBAM. The file was detected, I'll clean and reboot. I'll post after that.


The file is gone after boot.

But the next MBAM scan detects it again. It's not shown in Windows Explorer (even when unhiding files).

I'm afraid to change anything with the Microsoft Fix as it is the root drive (C:\).


That's OK, please do the following and we can verify the settings manually without altering anything:

  • Open C: and right click in a blank area, not on any file or folder there, and select Properties
  • Click on the Security tab
  • Click on SYSTEM under Group or user names: and make sure that Full Control along with all other entries except Special permissions have a check under the Allow column
  • Do the same for Administrators and make sure that Users has check marks for each of the following:
    • Read & execute
    • List folder contents
    • Read

Please let me know if any of the settings differ from what I have described.

Thanks :)
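
The same read-only check can be done from an elevated PowerShell prompt. This is an added example, not part of the original post and not a Malwarebytes tool; it assumes the system drive is the one being inspected, and it matches accounts by well-known SID so it also works on localized Windows installs.

```powershell
# Added example: audit (never modify) the ACL on the root of the system drive.
# Expected entries follow the post above: SYSTEM and Administrators need
# Full Control; Users needs Read & execute (which covers List folder contents
# and Read).
$expected = @(
    @{ Name = 'SYSTEM';         Sid = 'S-1-5-18';     Need = 'FullControl' },
    @{ Name = 'Administrators'; Sid = 'S-1-5-32-544'; Need = 'FullControl' },
    @{ Name = 'Users';          Sid = 'S-1-5-32-545'; Need = 'ReadAndExecute' }
)

$root = "$env:SystemDrive\"
$acl  = Get-Acl -Path $root

# Explicit and inherited rules, with identities returned as SIDs.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = $acl.GetAccessRules($true, $true, $sidType)
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

foreach ($e in $expected) {
    $need  = [int][System.Security.AccessControl.FileSystemRights]$e.Need
    $allow = 0
    $deny  = 0
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $e.Sid) { continue }
        # Inherit-only entries apply to children, not to the root folder itself.
        if ($r.PropagationFlags -band $inheritOnly) { continue }
        if ($r.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$r.FileSystemRights
        } else {
            $deny = $deny -bor [int]$r.FileSystemRights
        }
    }
    # OK only if every required bit is allowed and none of them is denied.
    $ok = (($allow -band $need) -eq $need) -and (($deny -band $need) -eq 0)
    $status = 'DIFFERS'
    if ($ok) { $status = 'OK' }
    '{0,-15} needs {1,-15} on {2} : {3}' -f $e.Name, $e.Need, $root, $status
}
```

Any line reporting DIFFERS corresponds to a setting that does not match what the post describes.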

Share on other sites

Sorry for the double (triple) post... I don't know what happened :)

I've tried to boot from a CD (both Linux and DOS) and could never find a file called f.exe.

There aren't any references in the Windows Registry either.

Can anybody help?

I'll give up on MBAM if I can't solve this issue. It's the logical of the lack of support.

I've tested my computer with ComboFix, OTL, OTM and GMER. None of them finds the file.

The problem seems to be inside MBAM. If not, please, guide me. :)
