
Anti-malware found Unknown rootkit Driver called: "mbam.sys" !



This is an interesting situation...

 

After updating to the new version the scan results were very strange: the mbam.sys in SYSTEM32 picked up for unknown Rootkit Driver?!

 

attachment 1. time around scan results

 

there were 3 more Rootkit Drivers and a couple of Forged Physical Sectors on Master Boot Sector on volume #0  

 

which was strange and made me wonder if the volume #0 disk, which is the SSD with the OS on it, was picked up because of data that might be written by Horizondata's 'RollBack Rx Professional' software.

 

Rollback RX is known to write data outside of OS. So that might be considered weird by MB...

 

After finding these errors I erased them. But as soon as I did that the contextual menu commands disappeared (right click on an item to command MB to scan). So I uninstalled and then reinstalled the application.

 

And then did a second sweep. Strangely enough it found exactly the same threats once again.

 

attachment 2. time around scan results!

 
Then I did a last scan. Then I realized that after scanning, MB does not clean the malware, and it states that it doesn't.
 
attachment cleaning results  & scan results 3
 
 
So here is my story, and I am very curious about the outcome of this, obviously. So thank you all for your inputs beforehand.
 
cheers

1. time arround scan results.bmp

2. time around scan results!.bmp

cleaning results.bmp

scan results 3.bmp

Malwarebytes Anti-Malware scan results.txt


 

Rollback RX is known to write data outside of OS. So that might be considered weird by MB...

 

Yep.

 

Staff will correct me if I am wrong, but AFAIK Rollback RX is what's causing this.

It's been reported many times, most recently a day or so ago here: https://forums.malwarebytes.org/index.php?/topic/168483-absurd-false-positives/

 

See here, too: https://forums.malwarebytes.org/index.php?/topic/166372-continuing-the-false-positive-topic-as-per-instructions/#entry949620

 

Hope this helps,


Yes, thank you for that confirmation, but that's just one of the group of issues I have.

 

I didn't check the others (cng.sys / mwac.sys / npf.sys), but when you see that a program finds itself (mbam.sys) a threat (?!), you get confused, to say the least.

 

Furthermore, none of the threats that were found could be wiped out?!

 

In addition to the ones I mentioned above, 1680.exe in local temp is also untouched...


I hear what you are saying, but my main wonder is about the weird Malwarebytes detection:

 

"Unknown.Rootkit.Driver" in SYSTEM32, which is 'mbam.sys', I assume the main driver, and 'mwac.sys', which I believe to be the Malwarebytes web access control driver for the update site.

 

The 'npf.sys' and 'cng.sys' drivers, which pop up every time I scan the C: drive, are actually one hundred percent harmless drivers, as these links respectively prove:

 

 

https://www.virustotal.com/en/file/4bfaa99393f635cd05d91a64de73edb5639412c129e049f0fe34f88517a10fc6/analysis/1432352256/

 

https://www.virustotal.com/en/file/3790a7dd0ac65f47a697a577744fdfa4cc1ca3422884c84e499f97ac91ba84f3/analysis/1432352573/

 

So why do these drivers pop up in each scan as harmful objects, and also cannot be erased by MB... (I copied the drivers and tried to see what happens if I decided to clean... Nothing happened.)

 

And the Master Boot Sector's 'Forged physical sector' warnings are definitely coming from Rollback RX.


Okay, I see how that sounds. It looks like I'm being sarcastic. Well, I am not. But the idea of changing Rollback RX sounds like changing the car because of a flat tire...

 

 

However, my question is still valid... That is, if you have an answer for me...


Staff

You can try to uninstall Rollback RX, reboot, and then reinstall Rollback RX. A lot of the time that will resolve the issue. It's not 100% though.

 

The problem with Rollback RX is that it uses rootkit techniques to protect drivers. So when searching for rootkits this causes problems.

 

Uninstalling and reinstalling reinitializes Rollback RX, and that usually resolves the issue.

 

 

Unknown rootkit driver is a generic detection where there is a file difference between what Explorer sees and what the kernel sees, which is basically what a rootkit is.

 

It can be any newer driver installed since Rollback RX was installed.

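The staff reply above describes the detection as a difference between the user-mode and kernel views of a file. The following Python is an added illustration of that cross-view comparison, not code from the thread or from Malwarebytes: `user_mode_view` snapshots a directory the way Explorer/Win32 APIs see it, `cross_view_diff` reports every file on which a kernel-side snapshot disagrees, and `triage` annotates findings whose user-mode copy an analyst has already verified (for example on VirusTotal), which is how a snapshot/redirect driver such as Rollback RX ends up producing a false positive. The kernel-side snapshot and all hashes are constructed sample data, since obtaining a real kernel view needs a driver.

```python
"""Cross-view check in the spirit of the generic Unknown.Rootkit.Driver detection
described above: flag files that look different through the user-mode
(Explorer/Win32) view than through the kernel view. The kernel-side snapshot is
constructed sample data here; a real scanner gets it from its own driver."""
import hashlib
import os
from collections import namedtuple

FileView = namedtuple("FileView", "size sha256")

def user_mode_view(directory: str) -> dict:
    """Snapshot the .sys files in a directory as user-mode APIs report them."""
    view = {}
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.lower().endswith(".sys"):
            with open(entry.path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            view[entry.name.lower()] = FileView(entry.stat().st_size, digest)
    return view

def cross_view_diff(user_view: dict, kernel_view: dict) -> dict:
    """Return {driver: reason} for every file the two views disagree on."""
    findings = {}
    for name, kview in kernel_view.items():
        uview = user_view.get(name)
        if uview is None:
            findings[name] = "hidden from user mode"
        elif uview.size != kview.size:
            findings[name] = "size differs between views"
        elif uview.sha256 != kview.sha256:
            findings[name] = "content differs between views"
    for name in user_view.keys() - kernel_view.keys():
        findings[name] = "visible to user mode only"
    return findings

def triage(findings: dict, user_view: dict, verified_benign: set) -> dict:
    """Mark findings whose user-mode copy an analyst already verified (e.g. on
    VirusTotal): a snapshot/redirect driver such as Rollback RX can make a
    legitimate file look different from the kernel side, i.e. a false positive."""
    note = " (user-mode copy verified benign; likely filter-driver artefact)"
    return {n: r + note if n in user_view and user_view[n].sha256 in verified_benign else r
            for n, r in findings.items()}

# Constructed sample views; the hashes are placeholders, not real driver hashes.
USER = {"mbam.sys": FileView(123456, "aa" * 32), "npf.sys": FileView(35000, "bb" * 32),
        "cng.sys": FileView(458000, "cc" * 32)}
KERNEL = {"mbam.sys": FileView(120000, "dd" * 32), "npf.sys": FileView(35000, "bb" * 32),
          "cng.sys": FileView(458000, "ee" * 32), "hidden.sys": FileView(10, "ff" * 32)}
```

Running `triage(cross_view_diff(USER, KERNEL), USER, {"cc" * 32})` flags mbam.sys, cng.sys and hidden.sys, with cng.sys annotated as a likely filter-driver artefact because its user-mode hash is on the verified list.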
