SVC:MBAM Rootkit FP ?

hello,

Avast! & Malwarebytes, both are free versions.
Avast says today SVC:MBAM Rootkit:
It seems to be a false positive, but how can I report it?

Version 7.0.1426
VPS: 120407

thanks :)

Have you moved the file to the chest?

If so, right click the file in chest and Upload as false positive…

If not, put it in a password-protected zip file and send it to virus @ avast.com
Mail subject: false positive
Zip password: infected

You may add a link to this topic

@ kalimusic
What is the file name and location given in the avast detection ?

When does this alert happen (e.g. roughly 8 minutes after boot, during a scan) ?

thanks folks,

First, it’s not on my computer.

This detection was at the end of the scan of avast.
No file and no location seemed to be mentioned.

After a new scan, no more alert.
I’ll give you more information later if I can.

You’re very reactive here :)

You’re welcome.

You might also ask if this was a Custom scan and did he have scan Memory selected also ?
He could also check the avastUI, Scan Computer, Scan Logs, for the scan in which the detection was made.

ok,

So far no new information from the user.
This was a very interesting one; I hope to have some news.

good evening

hello,

Some news from SVC:MBAM Rootkit

No scan in progress

http://nsa22.casimages.com/img/2012/04/15/120415072115370272.png

No action can be taken, or nothing changes.
Nothing found in the logs.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-15 20:53:34
-----------------------------
20:53:34.296 OS Version: Windows 6.1.7600
20:53:34.296 Number of processors: 2 586 0x603
20:53:34.296 ComputerName: Jacques UserName: Jacques
20:53:35.390 Initialize success
20:53:36.015 AVAST engine defs: 12041501
20:53:37.765 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005c
20:53:37.765 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
20:53:37.765 Disk 0 MBR read successfully
20:53:37.781 Disk 0 MBR scan
20:53:38.140 Disk 0 Windows 7 default MBR code
20:53:38.156 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:53:38.484 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848
20:53:38.531 Disk 0 scanning sectors +625139712
20:53:38.890 Disk 0 scanning C:\Windows\system32\drivers
20:53:50.750 Service scanning
20:54:05.062 Modules scanning
20:54:08.843 Module: C:\Windows\System32\user32.dll **SUSPICIOUS**
20:54:09.890 Disk 0 trace - called modules:
20:54:09.921 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys
20:54:09.921 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x853be398]
20:54:09.937 3 CLASSPNP.SYS[8a2b459e] -> nt!IofCallDriver -> [0x85081ab8]
20:54:09.937 5 ACPI.sys[89b723b2] -> nt!IofCallDriver -> \Device\0000005c[0x851c3c00]
20:54:10.843 AVAST engine scan C:\Windows
20:54:12.640 AVAST engine scan C:\Windows\system32
20:55:29.140 Disk 0 MBR has been saved successfully to "C:\Users\mehdi\Desktop\MBR.dat"
20:55:29.156 The log file has been saved successfully to "C:\Users\mehdi\Desktop\aswMBR. 

user32.dll is 0/42 on VirusTotal

thanks
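
For readers triaging a log like the one posted above, here is an added example (not part of the thread and not Avast's own tooling) that pulls out the MBR verdict and any flagged modules so they can be checked against a second opinion. The line patterns are assumptions inferred from this one log.

```python
import re

# Lines copied from the aswMBR log posted in this thread (subset).
SAMPLE_LOG = r"""
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
20:53:37.765 Disk 0 MBR read successfully
20:53:38.140 Disk 0 Windows 7 default MBR code
20:53:38.156 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:54:08.843 Module: C:\Windows\System32\user32.dll **SUSPICIOUS**
20:54:09.937 3 CLASSPNP.SYS[8a2b459e] -> nt!IofCallDriver -> [0x85081ab8]
20:55:29.140 Disk 0 MBR has been saved successfully to "C:\Users\mehdi\Desktop\MBR.dat"
"""

# Every event line starts with an HH:MM:SS.mmm timestamp.
LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*\S)\s*$")
# MBR verdict line, e.g. "Disk 0 Windows 7 default MBR code".
MBR_CODE = re.compile(r"^Disk (\d+) (.+) MBR code$")
# Assumption: findings look like "<Kind>: <path> **<TAG>**",
# as the single flagged line in this log does.
FLAGGED = re.compile(r"^(\w+):\s+(.+?)\s+\*\*([A-Z]+)\*\*")

def triage(log_text):
    """Return MBR verdicts per disk, flagged items, and lines that were skipped."""
    report = {"mbr": {}, "flagged": [], "skipped": []}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw.strip())
        if not m:
            # Header, separator, or a damaged/truncated line: keep for manual review.
            report["skipped"].append(raw.strip())
            continue
        stamp, msg = m.groups()
        mbr = MBR_CODE.match(msg)
        if mbr:
            desc = mbr.group(2)
            # Assumption: a stock boot sector is described with the word "default".
            report["mbr"][int(mbr.group(1))] = {
                "description": desc, "default": "default" in desc.lower()}
            continue
        hit = FLAGGED.match(msg)
        if hit:
            kind, path, tag = hit.groups()
            report["flagged"].append(
                {"time": stamp, "kind": kind, "path": path, "tag": tag})
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
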