
Malwarebytes Anti-Rootkit Documentation

The purpose of this document is to provide basic documentation for the use of Malwarebytes Anti-Rootkit BETA. Use of Malwarebytes Anti-Rootkit BETA (MBAR) requires that you agree to and accept the terms of use described in the accompanying "license.rtf" file included within the archive.
Introduction:
Malwarebytes Anti-Rootkit (MBAR) is a tool designed by Malwarebytes Corporation to detect and remove sophisticated, stealthy forms of malware called "Rootkits". Rootkits are hidden forms of malware which most normal malware scanning tools cannot detect or remove.
Background:
Rootkits have the ability to infect the very core or "root" of an operating system and hide the existence of certain processes and malicious programs from normal methods of detection. Rootkits can also enable continued privileged access to a computer to make system level modifications, leaving the system heavily compromised.
Malwarebytes Anti-Rootkit (MBAR) is designed to counteract malicious attempts to subvert base core subsystems of an OS which usually make it impossible to detect rootkits using conventional methods. Besides the general functionality of allowing a user to detect and remove rootkits automatically, MBAR contains a set of tools allowing an experienced user to perform some actions to locate unknown rootkits and remove them manually.
To protect itself from being terminated by a rootkit or other malware, MBAR uses Malwarebytes Chameleon technologies which prevent modification or removal of MBAR by malware which may reside on the system. This allows MBAR to complete the detection and removal process regardless of such attacks. MBAR uses an active internet connection to keep its database up to date, to ensure that the most current definitions are used in order to detect and remove the latest 0-day rootkits.
Scope of Malwarebytes Anti-Rootkit:
Malwarebytes Anti-Rootkit (MBAR) has been tested and proven to be effective against the following types of rootkits.
- Kernel mode drivers hiding themselves, like TDL1, TDL2/TDSS, MaxSS, Srizbi, Necurs, Cutwail, etc.
- Kernel mode driver patchers/infectors, embedding malicious code into core files of an Operating System, such as TDL3, ZeroAccess, Rloader, etc.
- Master Boot Record infectors such as TDL4, Mebroot/Sinowal, MoastBoot, Yurn, Pihar, etc.
- Volume Boot Record/OS Bootstrap infectors like Cidox
- Disk Partition table infectors like SST/Elureon
- User mode patchers/infectors like ZeroAccess.
- And many more!
MBAR provides a comprehensive system scan to check for rootkits that includes drivers, MBRs (Master Boot Records) and VBRs (Volume Boot Records).
Usage Instructions:
Malwarebytes Anti-Rootkit (MBAR) is provided as an archive package and does not require installation. Users simply need to download the package and extract it into a folder on the local hard drive, keeping the archive's directory structure intact. It is possible to unpack all files directly to the system desktop, although it is not recommended; if possible, you should instead extract it to its own folder, for example a folder called "MBAR" on the desktop. (A sample folder "C:\MBAR\" is used as the home directory in all of the following examples.) The current MBAR implementation is based on a simple to use wizard. To perform a normal system scan and cleanup a user should just run the program and follow the onscreen instructions; no other options are necessary. Administrative privileges are required. MBAR will scan the system and will prompt the user to perform recommended actions.
If any infections are detected during the scan, the user should use the "Cleanup" button to remove them, restarting the system if prompted.
Important! Shutdown is an essential part of the threat removal process. A computer should not be hard-reset after the scan is completed and malware removal scheduled.
Once you have restarted, it is important that you run another scan to verify that no additional infections remain. If the scan comes back infected again, remove any found threats and restart again, running another scan after reboot to then verify that it comes back clean.
Note:
- On some hardware the computer may hang at the very end of the reboot process if malware cleanup was scheduled. It does not affect the removal process and the computer can be manually restarted using the "Reset" button or by pressing and holding the "Power" button on the PC for 5 seconds if no noticeable disk activity is present (HDD LED is not flashing) within five minutes after restart has been initiated.
- In some cases additional MBAR scans might be necessary to clean up any leftovers which were not detected or removed during the previous scan (this is not necessary if the previous scan came back clean with no threats of any kind detected). It is recommended that a second scan always be performed after the removal and reboot process to ensure that all active threats have been removed and that no further threats remain. This should be repeated until the scan comes back with no detections.
- Don't remove MBAR's drivers from memory using the "/r" option if a cleanup has been scheduled, as the drivers are required for the removal process.
Some malware may block the loading of drivers so anti-rootkit utilities which use kernel-mode drivers are unable to perform scans. In this case MBAR may try to load its drivers on boot to complete the scan. In such cases you will be prompted to reboot the computer to install the drivers:
DDA driver was not installed which may be caused by rootkit activity.
Do you want to reboot the computer to install DDA driver (Scan will continue after reboot) (Y/N)?
MBAR will restart the computer and automatically open so that the user may initiate the malware scan after the system restart is complete.
MBAR is able to work in Safe Mode, which may be useful if malware is blocking the tool from functioning in normal mode.
fixdamage.exe:
Included with Malwarebytes Anti-Rootkit is a tool called fixdamage. This utility can repair some common problems which are the result of some rootkit infections. Normally, as part of the cleanup/removal process, MBAR will automatically run fixdamage for you if required; however, you may run it manually if need be, should any problems remain after restarting your PC once the removal process is completed, such as Windows Update problems, the Windows Firewall not functioning or a lack of internet connectivity.
To run fixdamage manually, simply open MBAR's folder, open the folder called "Plugins", double-click on fixdamage.exe and then restart your computer, even if not prompted to do so.
Command Line Syntax and Advanced Usage:
The available command line syntax and switches for Malwarebytes Anti-Rootkit are as follows.
Usage: MBAMAntiRootkit.exe [/r] [/u] [/z]
- /r - Remove driver. This option will remove drivers from memory which were installed by MBAR. Usually MBAR removes its drivers after use when they are no longer required, but in some cases when MBAR was abruptly terminated, some drivers may remain loaded. MBAR keeps drivers in memory if malware was found and system cleanup on reboot is necessary. To completely remove them from memory use this option. This will terminate a scheduled cleanup task as well.
- /u - Disable rootkit unhooking mechanism. MBAR uses a sophisticated mechanism to counteract malicious changes on the system ("hooks") and it is still experimental. In some rare cases this mechanism may prove unstable. Using this option disables this mechanism but makes detection less reliable.
- /z - Do not activate protection driver. Normally MBAR installs the Chameleon self-protection driver right before a scan is started. In some cases this driver may conflict with other software on the system and should be disabled using this option should such a conflict occur.
Log Files:
Malwarebytes Anti-Rootkit (MBAR) creates two log files to save all valuable information about a malware scan and the hardware used. The malware scan log is created in the current directory in a format similar to that used by Malwarebytes Anti-Malware. The following is an example of the naming scheme for this scan log.
mbar-log-2012-06-25 (16-30-00).txt
A log file with detections might look like this, containing info about all detected items.

Malwarebytes Anti-Rootkit 1.1.0.1000
www.malwarebytes.org

Database version: 2012.06.25.10
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
:: WMXP32 [administrator]

6/25/2012 3:30:00 PM
mbar-log-2012-06-25 (16-30-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 23634
Time elapsed: 6 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RUNTIME (Rootkit.Agent) -> Delete on reboot.
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2 (Rootkit.Agent) -> Delete on reboot.
HKLM\System\CurrentControlSet\Services\runtime (Rootkit.Agent) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\system32\drivers\runtime2.sys (Rootkit.Cutwail) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktop\readme(30).exe (Rootkit.0Access) -> Delete on reboot.
C:\WINDOWS\system32\8Dexception.nls (Trojan.Tibs) -> Delete on reboot.

(end)
Scan logs are created as a separate file for each scan performed. In addition to the scan log, MBAR creates another log file with environmental information in it. Its name is always "system-log.txt" and the file is appended to every time Malwarebytes Anti-Rootkit is executed.
Quarantine and Ignore List:
Malwarebytes Anti-Rootkit (MBAR) is a stand-alone application but it shares some features of Malwarebytes Anti-Malware (MBAM), which may or may not be already installed on the computer, though certain functions dealing with ignore listing and managing the quarantine may only be available if Malwarebytes Anti-Rootkit is installed.
2.2 Quarantine - MBAR uses the same format for quarantined items as MBAM and stores quarantined items in the same location that MBAM does, so all quarantined items appear in the Quarantine tab in MBAM. This makes it possible to manage them using MBAM. It should also be noted that MBAR does not have the capability to manage or restore quarantined items by itself, so MBAM must be used if an item needs to be restored.
Note: some items like MBR, VBR and patched drivers are currently quarantined as binary files only and cannot be restored using MBAM.
2.3 Ignore List - MBAR uses the same ignore list used by MBAM, so exclusions may be managed using the Ignore List tab in MBAM. In order to add or remove an item to be ignored by MBAR, MBAM must be installed, as MBAR currently cannot add or remove any items to or from the Ignore List on its own.
Contact Us:
If you continue experiencing problems or MBAR fails to completely detect and remove a rootkit from your system, then please contact us by filling out the form at http://www.malwarebytes.org/contact_consumer.
