MBAM detecting files that cannot be seen on the file system

[enstro]

I'm trying to figure out whether I'm dealing with a rootkit or something else. We've got a terminal server that everyone uses (20+ users) for administrative purposes on the network. Every time we run a Flash or Quick scan with MBAM (PRO), it detects 148 items in each users roaming profiles directory. If we choose to have MBAM remove the suspect items, they will just show up again on another scan. Rebooting the server after a scan / removal yields no different results. Here are some other characteristics that we know so far. I've also attached a partial mbam log (I only included the objects that are found in one users profile since the same exact objects are found in everyone elses profile).

-We're running McCrapfee (McAfee) on the system and it finds nothing (go figure)

-We are unable to see the files that MBAM is detecting on the file system (Folder options are set to 'show hidden files'). We've even went as far as to zip up a suspect directory, move that zip file to a unix file system, unzip it and still are not able to see the files. Perplexing!

-Everytime we create a new user on the domain, the same exact malware objects show up in an MBAM scan in the new users roaming profile directory

-In the log file below, 192.168.1.137 is the server in which all of the users profiles are physically located

Any guidance will be greatly appreciated!

enstro

--------------------------------------------

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5322

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

12/30/2010 2:56:07 PM

mbam-log-2010-12-30 (14-55-56).txt

Scan type: Quick scan

Objects scanned: 135531

Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 7

Files Infected: 141

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

\\192.168.1.137\userdocs\userx\favorites\

[miekiemoes]

Hi,

This is indeed related with the fact that this is scanned on/from a network. Malwarebytes can't access these drives, thus, it causes misreads in malwarebytes.

We already fixed this with the latest version 1.50.1.1100, so please update your Malwarebytes to the latest program version and let me know if you're still getting these detections.

[enstro]

Thanks for the response miekiemoes! We upgraded to 1.50.1.1100 and that took care of MBAM reporting false positives. Thanks again!

[miekiemoes]

Glad to hear this fixed it

[miekiemoes]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.