Rootkit False Alarm?: mbamswissarmy.sys I deleted it

Hello. I apparently may have a rootkit. HOWEVER! I have had this happen before; the file that Avast! thinks is a rootkit is “mbamswissarmy.sys”, which is an MBAM file, correct?
I did an up-to-date MBAM scan before the Avast! warning and it found nothing.

This is a false alarm? I’ve had this happen before a while back.

Uh-oh, I chose “Delete” when the Avast warning popped up because I panicked. Will this affect MBAM in some bad way?

EDIT: Hm, I accidentally tried to attach the wrong (and large) picture, so I was sent back to the “Post a New Topic” page; however, it wouldn’t let me type, cut, or paste. But it did let me refresh the page. Is this a sign of malware?

Thanks

Sorry a few more questions:

In a nutshell here are all my questions:

  1. Is this a false positive? This has happened to me before. Same file and everything.

  2. I deleted the file out of panic. It is an MBAM file, correct? So will this negatively affect MBAM?

NEW IMPORTANT QUESTION: 3. I found malware quarantined in Avast’s virus chest that I did not quarantine with Avast! However, if you check my last topic, the files that are quarantined in Avast’s virus chest are the malware I quarantined with MBAM a few days ago (it was called “Tpv.exe”). However, there is more malware in there (Avast’s Virus Chest) that has similar names to Tpv.exe; they are called “Tpw.exe”, but both are from the same place. I put a picture of this below.

Do MBAM and Avast share the same quarantine “box/chest”? Because something I quarantined with MBAM is now in Avast’s Virus Chest. (And I supposedly only quarantined ONE thing, not 8 things, with half of them named the same thing: 4 are named Tpv.exe and 4 are named Tpw.exe.)

P.S.: The blanked out black box in the picture below is just to hide my name

“What is a rootkit” has a complicated answer; here are 2 sources:
http://en.wikipedia.org/wiki/Rootkit
http://netsecurity.about.com/od/frequentlyaskedquestion/f/faq_rootkit.htm

It’s probably false; can’t say for sure now that it’s deleted, though. A couple of other posts in the last day or two ended up pointing to this being false.
If it does hurt Mbam, worst case is a re-install of it.
Instructions for removing Mbam below, if needed, then re-install it:
http://forums.malwarebytes.org/lofiversion/index.php/t48511.html

As far as what’s going on with Mbam’s quarantines in Avast!’s chest, I have no idea.

On a side note, I see you have Windows Defender in your sig; that might be over-redundant since you have Mbam Pro already. It’s going to do everything WD does, and more, but better.

I don’t have the professional/Official/Pro/Bought version of MBAM.

But what do you mean by “It’s probably false, can’t say for sure now that it’s deleted though”?
Is it really maybe a rootkit? Can rootkits infect the mbamswissarmy.sys file? (Or any file, for that matter?)

And will running MBAM with a missing file hurt my computer or mess something up somehow?

Thank you for the reply though.

Sorry double post:
I looked at processes on the Task Manager and noticed one I haven’t seen before (Well I could have forgotten it):
iaanotif.exe

Is this safe? I researched it but only googled it and read the results. But is this safe?
I also attached a picture of my task manager so you guys can check it out.

Sorry, I’m kind of freaked out about malware lately. :cry:

Also, once again, I blanked out my name. Sorry about the big black box on the attachment.

As per the links I showed you, not all rootkits are bad.
Give them a read when you get time. Basically, it is what a rootkit does that makes it evil, not what it is.
I’ve seen this detection twice, maybe 3 times, here in the last couple of days.
Here are 2 of them:
http://forum.avast.com/index.php?topic=60801.0
http://forum.avast.com/index.php?topic=60915.0
By all means reinstall Mbam; it’s relatively quick/hassle free unless you have dial-up or a slow connection. Or wait for someone more knowledgeable to tell you if it’s vital or not; I can’t say for sure.

Google the process if you are worried, find out what program it’s related to, then see if it’s operating in the right place/folder.

http://www.what-is-exe.com/filenames/iaanotif-exe.html
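One way to make the “is it running from the right folder?” check above repeatable, as an added PowerShell example that is not from this thread or any of its posters. The two Intel folders are the ones named later in the thread and are treated as assumptions, as is the System32\drivers location of the Malwarebytes driver.

```powershell
# Added example, not from the thread. Flags processes whose image path is outside
# an expected folder and reports the Authenticode signature of a driver file.
# Expected locations are assumptions for illustration; adjust to your own system.
$expected = @{
    'iaanotif.exe' = @(
        'C:\Program Files\Intel\Intel Application Accelerator',
        'C:\Program Files\Intel\Intel Matrix Storage Manager'
    )
}

foreach ($name in $expected.Keys) {
    $base  = [System.IO.Path]::GetFileNameWithoutExtension($name)
    $procs = Get-Process -Name $base -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Output "$name is not running"; continue }
    foreach ($p in $procs) {
        # Path can be empty when a 32-bit shell inspects a 64-bit process.
        if (-not $p.Path) { Write-Output "WARN $name (PID $($p.Id)): path not readable"; continue }
        $dir = Split-Path -Parent $p.Path
        if ($expected[$name] -contains $dir) {
            Write-Output "OK   $name runs from $dir"
        } else {
            Write-Output "WARN $name runs from unexpected folder: $dir"
        }
    }
}

# The driver the thread is about. A valid publisher signature is a strong hint
# toward a false positive; a missing or invalid one deserves a closer look.
$driver = Join-Path $env:SystemRoot 'System32\drivers\mbamswissarmy.sys'
if (Test-Path $driver) {
    $sig = Get-AuthenticodeSignature -FilePath $driver
    Write-Output ("{0}: signature {1}, signer {2}" -f $driver, $sig.Status,
        $sig.SignerCertificate.Subject)
} else {
    Write-Output "$driver not present (for example, removed by the AV prompt)"
}
```

Run it from an elevated PowerShell prompt so that process paths and the driver folder are readable.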

Thank you both for your replies.

@Marc57:
My iaanotif.exe is not in the same place as: C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
It’s here: C:\Program Files\Intel\Intel Matrix Storage Manager

I believe it’s in “Intel Matrix Storage Manager” as I see no folder named “Intel Application Accelerator”.

Anyway, will running MBAM after I deleted one of its files hurt something? (As in a program or my computer?)

Thank you for the replies.

Any guess I venture would be completely uneducated, thus doing you more harm than good. :wink:
All I can recommend is the safe move,
re-installing Mbam before you use it again.

June 15, 2010
Avast marks mbamswissarmy.sys as rootkit
http://forum.avast.com/index.php?topic=60801.0

This is why “Move to chest” should always be your first choice. That way, if it’s a false positive, you can restore it.

Thanks for the replies again guys.
So this is a FP? I assumed it was.

Yeah I know. I panicked and accidentally deleted it.

On another note, I checked on my new Windows 7 computer and the mbamswissarmy.sys file is in a different location than where it is on the other computers… Is that bad? It’s at something like: OS (C:) > Windows > System > SysBox64 (It was something similar to this) > Drivers (This is just from my memory though, so I could be wrong)

And does anyone know the answer to this question?:

I found malware quarantined in Avast’s virus chest that I did not quarantine with Avast! However, if you check my last topic, the files that are quarantined in Avast’s virus chest are the malware I quarantined with MBAM a few days ago (it was called “Tpv.exe”). However, there is more malware in there (Avast’s Virus Chest) that has similar names to Tpv.exe; they are called “Tpw.exe”, but both are from the same place. I put a picture of this below.

Do MBAM and Avast share the same quarantine “box/chest”? Because something I quarantined with MBAM is now in Avast’s Virus Chest. (And I supposedly only quarantined ONE thing, not 8 things, with half of them named the same thing: 4 are named Tpv.exe and 4 are named Tpw.exe.)

Something to add to what I just quoted myself on: my family member did say they had seen alerts from Avast! telling them that a virus was detected, but just ignored them. The way they said it, I didn’t really understand. He said it slid up in the bottom right corner of the screen. So, to check what might have popped up, would someone mind posting a picture of Avast 5’s warning when you’re on the internet?

This may be why there are malware quarantined in Avast’s Virus Chest that I didn’t quarantine myself… However, why would this be the same malware I quarantined with MBAM? Or is that just coincidental?
EDIT: I realized that Avast! HAS been quarantining Tpv.exe and Tpw.exe and maybe one Tpv.exe got by it and MBAM detected it. Is this possible?

One last thing (Sorry), what will uninstalling MBAM do to the malware it has quarantined?

I’m sorry for all these questions. And thanks for all you guys’ help.

He said it slid up the bottom right corner of the screen.
You can right-click the orange icon by the clock and choose “show last pop up”.
One last thing (Sorry), what will uninstalling MBAM do to the malware it has quarantined?
Deleted, but why uninstall MBAM?

Okay thank you.
EDIT: Just checked and the “Show Last Popup” is blanked out.

One last thing (Sorry), what will uninstalling MBAM do to the malware it has quarantined?
Deleted, but why uninstall MBAM?

I assumed it would be deleted, but I wanted to make sure.

But why uninstall MBAM?
Because I stupidly deleted the mbamswissarmy.sys file. I'm not so sure if MBAM will work now or what it might do if I try to run it. I will be re-installing it again soon, however with help from the link that Gargamel360 posted.
Because I stupidly deleted the mbamswissarmy.sys file. I'm not so sure if MBAM will work now or what it might do if I try to run it. I will be re-installing it again however with help from the link that Gargamel360 posted.
Ahaaaa.... OK, if something is wrong with MBAM then they sometimes advise using the uninstaller before installing it again..... http://forums.malwarebytes.org/lofiversion/index.php/t48511.html

Yes I was going to uninstall it first.
I’ll actually be doing a “clean Install” on MBAM very soon. Is there anything else I should know?

I followed the instructions here: http://forums.malwarebytes.org/lofiversion/index.php/t48511.html that Pondus posted.
I uninstalled it first as well. Now it works! Thanks for you guys’ help! :smiley:

However, I tried to add mbamswissarmy.sys to Avast’s Exclusions. What I typed in was:
C:\Windows\System32\drivers\mbamswissarmy.sys

Did I put it in right?

Yes, but that is only for manual and scheduled scannings.
You need to add it also to the resident shields (at least File Shield).

How do I do that?
Sorry, I’m not too knowledgeable at this stuff.

In the Expert settings of the File Shield.
You can exclude all operations on that file (R, W, X).