MBAM detection of file that does not exist (not a rootkit)

[Tech]

Hello, I use MBAM for years... But now I decided to register and login.

This is the second time I have problems with detection of a file that does not exist.

I have tried to solve this problem (twice) with the help of Essexboy (an antimalware guru) in avast forums.

What can I do more to help debbuging this as I'm quite confident this is a false positive.

I have already rum OTL, OTM, Combofix and avast.

External link to where I've discussed this: http://forum.avast.com/index.php?topic=59953

[Tech]

Can we bump?

Any help related to this?

[exile360]

Greetings and welcome

Please click on Start and select Run then type or copy/paste mbam /developer and run another Quick Scan and copy and paste the resulting log into your next reply.

Thanks

[Tech]

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Vers

[Tech]

Well, start to think if I'll recommend MBAM as I always did... I hate lack of support...

[nosirrah]

What happens when you try to create a file by the same name ?

[Tech]

What happens when you try to create a file by the same name ?

The UAC is invoked and a file could be copied there without any "replace" warning.

Thanks for following this.

[Tech]

Things get messed...

I can't delete that file. It's clean (http://www.virustotal.com/analisis/273f49ba639a0b208ce88224ff09ff4edc8ea5ac1690bdea8756cb9b705a1f3b-1274810862) but I can't delete or rename it... I can change the permissions either... Unlocker fails too. I'll try to boot...

[Tech]

File get deleted on boot due to Unlocker.

Now running another MBAM scanning.

[Tech]

File is detected again

[nosirrah]

I am going to have the code team check into this as this should not be possible .

[Tech]

Many thanks for the support.

Of course, feel free to ask me anything I could/need to do to follow this issue.

[Tech]

Many thanks for the support.

Of course, feel free to ask me anything I could/need to do to follow this issue.

[Tech]

nosirrah, any news?

[Tech]

I've restored a full partition image from 15 days ago.

Only avast Internet Security was there (no Comodo Time Machine) and the detection persists with the latest virus database of MBAM.

Any help? Should I give up?

[exile360]

This could be an issue with file/folder permissions. Please try the fix located here to see if it helps.

If it does not, then re-create the f.exe file you created previously and leave it in place then do the following:

• Perform a Quick Scan with Malwarebytes' Anti-Malware and allow it to remove the file, rebooting the computer so it can complete removal.
  
• Open C: and verify that the file is now gone.
  
• Run another Quick Scan with Malwarebytes' Anti-Malware to see if the file is still being detected or not.
  

Please let me know how it goes.

Thanks

[Tech]

Thanks exile.

The Microsoft fix is for Windows XP/Vista and seems to be dangerous to be applied to Windows 7 that I'm using. It could mess all Windows installation.

I've recreated the f.exe file (copying a new and different executable and renamed it). Direct copy give me access permission denied, even allowing UAC.

Run MBAM. The file was detected, I'll clean and reboot. I'll post after that.

[Tech]

The file is gone after boot.

But the next MBAM scanning detect it again. It's not shown in Windows Explorer (even unhidding files).

I'm afraid to change anything with Microsoft Fix as it is the root driver (C:\).

[Tech]

The file is gone after boot.

But the next MBAM scanning detect it again. It's not shown in Windows Explorer (even unhidding files).

I'm afraid to change anything with Microsoft Fix as it is the root driver (C:\).

[Tech]

The file is gone after boot.

But the next MBAM scanning detect it again. It's not shown in Windows Explorer (even unhidding files).

I'm afraid to change anything with Microsoft Fix as it is the root driver (C:\).

[exile360]

That's OK, please do the following and we can verify the settings manually without altering anything:

• Open C: and right click in a blank area, not on any file or folder there, and select Properties
  
• Click on the Security tab
  
• Click on SYSTEM under Group or user names: and make sure that Full Control along with all other entries except Special permissions have a check under the Allow column
  
• Do the same for Administrators and make sure that Users has check marks for each of the following:
  
  • Read & execute
    
  • List folder contents
    
  • Read
    

Please let me know if any of the settings differ from what I have described.

Thanks

[Tech]

Sorry for the double (triple) post... I don't know what happened

I've tried to boot from a CD (both Linux and DOS) and could never find a file called f.exe.

There aren't any references into Windows Registry also.

Can anybody help?

I'll give up on MBAM if I can't solve this issue. It's the logical of the lack of support.

I've tested my computer with ComboFix, OTL, OTM and GMER. Neither of them find the file.

The problem seems to be inside MBAM. If not, please, guide me.

[Tech]

Exile, the properties are exactly as you've posted.

[Tech]

Exile, the properties are exactly as you've posted.

[Tech]

Exile, the properties are exactly as you've posted.