
MBAM detection of file that does not exist (not a rootkit)


Noticed that someone downloaded the logs.

Thanks for the support.


I used Macrium once (it's installed, but I never use the backup to recover).

I don't have my external disk with the backup with me. Maybe tomorrow morning.

But I really doubt that a file called f.exe ever existed or was backed up...

What will I monitor with Process Monitor? A file that does not exist and a process that is never there? ???


You did say that when you created a renamed exe as f.exe it could not be deleted? If so, then something must be going on.

Process Monitor will track the disk access. So if you run a capture with a filter for C:\ while running a Malwarebytes scan, we might be able to catch what's happening here, whether it's an MBAM or a malware problem.


Please help me. I'm not used to Process Monitor. I've run it and scanned with MBAM.

I've added two filters: mbam.exe process and C:\ folder.

I've got the picture, but I don't know how to interpret it.

[attached screenshot: post-42493-1276009535_thumb.png]


OK, change the filter from c:\ to c:\f.exe.

Also leave the mbam filter out for now. This way we can see what may be accessing the file, or if it's only mbam.

Could you also give me a screen shot of the filters you included?

Thanks.


Here are both screenshots.

The filters and the results.

Hope we're getting close to it. Thanks for the support.

[attached screenshots: post-42493-1276037289_thumb.png (filters), post-42493-1276037299_thumb.png (results)]


Here is another test, with different filters, but it seems to give the same results.

[attached screenshots: post-42493-1276041641_thumb.png, post-42493-1276041675_thumb.png]


For some reason Malwarebytes can't seem to get direct access to your directory.

This is what it should look like on a good machine:

"Time of Day","Process Name","PID","Operation","Path","Result","Detail"

"8:12:42.3787424 PM","mbam.exe","2084","CreateFile","C:\f.exe","NAME NOT FOUND","Desired Access: None, Disposition: Open, Options: Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"

"8:12:42.3788125 PM","mbam.exe","2084","QueryOpen","C:\f.exe","NAME NOT FOUND",""

"8:12:42.3788792 PM","mbam.exe","2084","QueryOpen","C:\f.exe","NAME NOT FOUND",""

I am going to research a little bit more. In the meantime this could be caused by your chipset drivers. Would you mind trying to download and install your latest chipset drivers? After that try again and let me know if any change.
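The three CSV rows above are what Process Monitor's "Save as CSV" export looks like for the C:\f.exe filter suggested earlier in the thread. The script below is an added example, not code from the thread or from Malwarebytes: it parses such an export, groups the results for a given path per process, and flags anything other than the expected pattern (only the scanner touching the path, and every access ending in NAME NOT FOUND). The column names are the ones shown in the post; the otherproc.exe and notepad.exe rows are constructed here purely to show what a second process or a non-NAME-NOT-FOUND result looks like, and are not from the original trace.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: the three rows quoted in the post (the "good machine" case),
# followed by two rows invented for this example to exercise the checks below.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:12:42.3787424 PM","mbam.exe","2084","CreateFile","C:\f.exe","NAME NOT FOUND","Desired Access: None, Disposition: Open, Options: Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
"8:12:42.3788125 PM","mbam.exe","2084","QueryOpen","C:\f.exe","NAME NOT FOUND",""
"8:12:42.3788792 PM","mbam.exe","2084","QueryOpen","C:\f.exe","NAME NOT FOUND",""
"8:12:43.0000000 PM","otherproc.exe","1234","CreateFile","C:\f.exe","ACCESS DENIED","Desired Access: Generic Read"
"8:12:43.1000000 PM","mbam.exe","2084","CreateFile","C:\Windows\notepad.exe","SUCCESS",""
'''


def summarize_path_access(csv_text, target_path):
    """Group Process Monitor rows for one path by process name.

    Returns {process_name: {result_string: count}} for every row whose Path
    column equals target_path (compared case-insensitively, as NTFS paths are).
    Rows for other paths are ignored.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    per_process = defaultdict(Counter)
    wanted = target_path.lower()
    for row in reader:
        if row["Path"].lower() == wanted:
            per_process[row["Process Name"]][row["Result"]] += 1
    return {proc: dict(counts) for proc, counts in per_process.items()}


def assess(summary, scanner="mbam.exe"):
    """Compare a summary against the expected trace for a non-existent file.

    Expected: only the scanner touches the path, and every access ends in
    NAME NOT FOUND. Anything else is returned as a human-readable finding;
    an empty list means the trace matches the "good machine" pattern.
    """
    findings = []
    for proc, results in summary.items():
        if proc.lower() != scanner.lower():
            findings.append(f"another process touched the path: {proc} -> {results}")
        unexpected = {r: n for r, n in results.items() if r != "NAME NOT FOUND"}
        if unexpected:
            findings.append(f"{proc} got results other than NAME NOT FOUND: {unexpected}")
    return findings


if __name__ == "__main__":
    summary = summarize_path_access(SAMPLE_PROCMON_CSV, r"C:\f.exe")
    for proc, results in summary.items():
        print(f"{proc}: {results}")
    for finding in assess(summary):
        print("finding:", finding)
```

To use it on a real capture, export the filtered trace from Process Monitor as CSV, read the file into a string and pass it to summarize_path_access with the path you filtered on. A result of ACCESS DENIED or SHARING VIOLATION for the scanner, or any second process name appearing for the same path, is the kind of thing the earlier posts were asking the screenshots to reveal.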


Please, elaborate.

Chipset drivers? Which hardware?

I have none offered by Windows Update and this is a Dell Vostro 1510 with Windows 7 32 bits fully updated.

I'm a little afraid to mess with drivers... the last time I did, I had to fully reinstall Windows 7. It's a high price.


What antivirus are you running? I believe it is avast?

Can you please disable the real-time protection temporarily and run another scan with MBAM and see if there is any change. Something is not allowing MBAM to access the c:\ directory structure on your machine. Also, evidence of this was when you copied the renamed f.exe file over and were unable to delete it. Something, or a corrupt directory structure, is blocking our scan.


Yes. I use avast for sure (5.0.454 and the latest virus database).

What could have corrupted the directory structure? I've run chkdsk /F more than once and it did not correct anything though...


It's not avast (at least, not the resident) as the results are the same (Process Monitor is the same and MBAM detection is the same).


Chkdsk cannot fix all corruption problems. Wish it could.

Overclocking, hard drive, malware, chipset drivers, etc. could cause corruption. I did see your avast forum post about this happening once before and a reformat and reinstall solved it. What's scary is it happened again. About how long between the two times?

Some things to check hardware wise:

1. Belarc Advisor will check the SMART status of the hard drive for predictive failure. http://www.belarc.com/smart.html

2. If you decide to go the format and reinstall route as a last resort, after you have backed everything up, try the latest Intel chipset drivers for your Vostro (not the Dell or Microsoft ones). These are very stable. There is an auto-detect on this page: http://www.intel.com/p/en_US/support/highlights/chpsts/imsm

Good luck.


Chkdsk cannot fix all corruption problems. Wish it could.

Me too.

Overclocking

Never did it.

hard drive

Hmmm... SMART status seems ok.

malware

The only one with problems is MBAM... strange, huh?

I did see your avast forum post about this happening once before and a reformat and reinstall solved it. What's scary is it happened again. About how long between the two times?

A month more or less...

1. Belarc Advisor will check the SMART status of the hard drive for predictive failure. http://www.belarc.com/smart.html

I've dropped the use of Belarc as it was not giving me any *useful* information. I'll try it again.

2. If you decide to go the format and reinstall route as a last resort, after you have backed everything up, try the latest Intel chipset drivers for your Vostro (not the Dell or Microsoft ones). These are very stable. There is an auto-detect on this page: http://www.intel.com/p/en_US/support/highlights/chpsts/imsm

I'll try.

Good luck.

Hmmm... Seems we cannot do anything else?


I'll add f.exe to the MBAM exclusion list. I have no other solution.

Thanks for the support.
