rhabdomantist

MBAR invokes MBAM on restart

7 posts in this topic

On reboot for cleaning after an MBAR scan, the MBAM GUI appeared (sans Taskbar and Desktop icons) rather than the MBAR GUI. Should I assume this is because of the shared Quarantine when MBAM (Pro) is presently installed? I had expected the MBAR GUI to appear with the results of cleaning and/or suggesting another scan. Should a subsequent scan be performed with MBAM or MBAR, as recommended here?

The item detected and removed (and remediated by replacement according to scan results) was a sound driver.

C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Unknown Rootkit Driver Infection) -> Delete on reboot. [95751a1fd5965a72caafd18162c00ef5]

The scan results displayed in MBAR gui indicated the detected file was a forged version yet it was OEM.

Does MBAR similarly repair other detections?

There were several items in the system-log.txt I thought quite strange as follows:

\??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D87FB469-69B2-41F4-8BD7-49C3552EA8B9}\MpKslc1177ee8.sys

I suspect this is because of detections for MSE (resident AV/AM) not yet included with MBAM?

\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys

\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

Similarly strange stuff.

[attached image: sshot50a6783e2bd0c.jpg]


The image shows Avast! blocking its own setup file, from the looks of it, assuming that this is the URL of the image as your post indicates. That has nothing to do with MBAR or MBAM (or MSE for that matter).

Now, regarding the entries in the system-log.txt, I don't see anything odd about them. MSE often drops a driver in its definition updates folder (I know this because I myself use MSE). MBAR isn't detecting that driver as an infection; it's simply logging that it is a driver on the system.

The two drivers mbamchameleon.sys and mbamswissarmy.sys are likewise not malicious; they're used by MBAR when it scans.

Now, as for seeing the user interface for Malwarebytes Anti-Malware opening on reboot: no, that's not normal, and Malwarebytes Anti-Rootkit shouldn't be causing that. If it is, then it's a bug, and I'd recommend that you contact Consumer Support directly so that they can assist you with diagnosing it further and our developers can look into it.


Thanks for the quick response. I only posted the image (Avast) jokingly.

The log entries I noted differed in that they started with \??. There were several others, but nothing of similar curiosity.

It was suggested (Unpacked blog) that I could put the extracted MBAR folder in the MBAM folder, which I did, but naming it MBAM Rootkit instead of the suggested MBAR. Would this possibly be the cause of MBAM opening at reboot? Should I expect to see the MBAR GUI instead, with cleaning confirmation and a recommendation for further scanning?

The item removed is in MBAM quarantine (a shared folder with MBAR if MBAM is installed, as I understand the blog article).

Will there be an MBAR-specific forum category, or should MBAR questions be posted here?

~rhab


The log entries I noted differed in that they started with \??. There were several others, but nothing of similar curiosity.

I don't recall what the ?? indicates, but it is commonly used for some files/paths in the logs of many tools. I'm not sure what makes those paths/files different from others.

It was suggested (Unpacked blog) that I could put the extracted MBAR folder in the MBAM folder, which I did, but naming it MBAM Rootkit instead of the suggested MBAR. Would this possibly be the cause of MBAM opening at reboot? Should I expect to see the MBAR GUI instead, with cleaning confirmation and a recommendation for further scanning?

No, it still should not be opening mbam.exe on reboot, nor mbar.exe. In fact, the only time mbar.exe will open on reboot is if it says that it can't install its driver and prompts you to reboot to allow it to try to load on reboot, at which point MBAR will be the first thing to load.

The item removed is in MBAM quarantine (a shared folder with MBAR if MBAM is installed, as I understand the blog article).

Will there be an MBAR-specific forum category, or should MBAR questions be posted here?

No, actually we really prefer to only support MBAR via the helpdesk which I linked you to earlier. It's important to deal with each issue and question on an individual basis instead of ending up with topics cluttered with 'me too' replies from other users who may or may not be seeing the same issues. It's beta software so we want to make certain that both support for it and diagnostics reports from Support to our developers are handled correctly so that we can rapidly get to work on making the tool better and more stable.
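As an added example (not code from the thread or from Malwarebytes), here is a small triage script for system-log.txt entries like the ones quoted above: it strips the \??\ prefix, which is the NT object-manager namespace prefix that kernel-level tools record in front of ordinary Win32 drive paths, and then sorts entries into the benign groups the replies describe (MBAR's own scan drivers, MSE's definition-update driver) versus entries worth a manual look. The sample lines are constructed in the style of system-log.txt, and the MpKsl name pattern is assumed from the single entry quoted in the thread.

```python
import re

# Constructed sample in the style of MBAR's system-log.txt (not a real log).
SAMPLE_LOG = r"""
\??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D87FB469-69B2-41F4-8BD7-49C3552EA8B9}\MpKslc1177ee8.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\??\C:\WINDOWS\system32\drivers\ALCXWDM.SYS
C:\WINDOWS\system32\drivers\ntfs.sys
"""

# MBAR's own scan drivers (the two named in the thread), expected only under system32\drivers.
MBAR_DRIVERS = {"mbamchameleon.sys", "mbamswissarmy.sys"}
# MSE drops a kernel driver into its definition-update folder; the MpKsl + 8 hex
# digit name pattern is an assumption based on the one entry quoted above.
MSE_DEF_DRIVER = re.compile(
    r"\\microsoft antimalware\\definition updates\\\{[0-9a-f-]{36}\}"
    r"\\mpksl[0-9a-f]{8}\.sys$")
NT_PREFIXES = ("\\??\\", "\\\\?\\")   # NT namespace and Win32 extended-length prefixes


def to_win32_path(entry: str) -> str:
    """Drop the NT prefix so the entry compares like a normal C:\\ path."""
    entry = entry.strip()
    for prefix in NT_PREFIXES:
        if entry.startswith(prefix):
            return entry[len(prefix):]
    return entry


def classify(entry: str) -> str:
    """Return 'mbar-own', 'mse-definition-driver' or 'review' for one log entry."""
    path = to_win32_path(entry).lower()
    directory, _, name = path.rpartition("\\")
    # Match on location as well as name: a vendor file name in an odd folder is not benign.
    if name in MBAR_DRIVERS and directory.endswith("\\system32\\drivers"):
        return "mbar-own"
    if MSE_DEF_DRIVER.search(path):
        return "mse-definition-driver"
    return "review"


def triage(log_text: str) -> dict:
    """Group every non-empty line of a system-log.txt excerpt by category."""
    groups = {"mbar-own": [], "mse-definition-driver": [], "review": []}
    for line in log_text.splitlines():
        if line.strip():
            groups[classify(line)].append(to_win32_path(line))
    return groups
```

Only the "review" group needs a human decision; for the thread's case that leaves the OEM sound driver MBAR flagged and anything else not accounted for by the vendor rules.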


By the way, in general it's a bad idea to put any files into a program's folder that do not belong there. I've contacted the author of the article to have them correct that. The %PROGRAMFILES%\Malwarebytes' Anti-Malware folder is for Malwarebytes Anti-Malware. Malwarebytes Anti-Rootkit's files shouldn't be extracted there.


Thanks again. I neglected to mention that I added mbar.exe and fixdamage.exe shortcuts to the MBAM start menu; I will pull them out of the MBAM program folder and create C:\MBAR.

Being an MSE beta tester since '09, I understand the related support issues for all "in tents and porpoises".


By the way, in general it's a bad idea to put any files into a program's folder that do not belong there. I've contacted the author of the article to have them correct that. The %PROGRAMFILES%\Malwarebytes' Anti-Malware folder is for Malwarebytes Anti-Malware. Malwarebytes Anti-Rootkit's files shouldn't be extracted there.

Wouldn't it be possible to place Mbar in the Malwarebytes' Tools folder (after extraction), and of course separate from Chameleon? This is going by the assumption that since Mbar cannot restore files but does place them in the same location that Mbam uses, it would make things a bit more convenient.
