Malwarebytes Anti-Rootkit Documentation

The purpose of this document is to provide basic documentation for the use of Malwarebytes Anti-Rootkit BETA.
Use of Malwarebytes Anti-Rookit BETA (MBAR) requires that you agree to and accept the terms of use described
in the accompanying “license.rtf” file included within the archive.
Contents
Introduction:............................................................................................................................................................2
Background:.............................................................................................................................................................3
Scope of Malwarebytes Anti-Rootkit:.......................................................................................................................4
Usage Instructions:...................................................................................................................................................5
fixdamage.exe:.........................................................................................................................................................6
Command Line Syntax and Advanced Usage:...........................................................................................................6
Log Files:................................................................................................................................................................... 7
Quarantine and Ignore List:......................................................................................................................................9
Contact Us:...............................................................................................................................................................9
Introduction:
Malwarebytes Anti-Rootkit (MBAR) is a tool designed by Malwarebytes Corporation to detect and remove
sophisticated, stealthy forms of malware called “Rootkits”. Rootkits are hidden forms of malware which most
normal malware scanning tools cannot detect or remove.
Background:
Rootkits have the ability to infect the very core or ‘root’ of an operating system and hide the existence of certain
processes and malicious programs from normal methods of detection. Rootkits can also enable continued
privileged access to a computer to make system level modifications, leaving the system heavily compromised.

Malwarebytes Anti-Rootkit (MBAR) is designed to counteract malicious attempts to subvert base core
subsystems of an OS which usually make it impossible to detect rootkits using conventional methods. Besides the
general functionality of allowing a user to detect and remove rootkits automatically, MBAR contains a set of tools
allowing to an experienced user to perform some actions to locate unknown rootkits and remove them
manually. To protect itself from being terminated by a rootkit or other malware, MBAR uses Malwarebytes
Chameleon technologies which prevent modification or removal of MBAR by malware which may reside on the
system. This allows MBAR to complete the detection and removal process regardless of such attacks. MBAR uses
an active internet connection to keep its database up to ensure that the most current definitions are used in
order to detect and remove the latest 0-day rootkits.
Scope of Malwarebytes Anti-Rootkit:
Malwarebytes Anti-Rootkit (MBAR) has been tested and proven to be effective against the following types of
rootkits:

- Kernel mode drivers hiding themselves, like TDL1, TDL2/TDSS, MaxSS, Srizbi, Necurs, Cutwail, etc.
- Kernel mode driver patchers/infectors, embedding malicious code into core files of an Operating System,
such as TDL3, ZeroAccess, Rloader, etc.
- Master Boot Record infectors such as TDL4, Mebroot/Sinowal, MoastBoot, Yurn, Pihar, etc.
- Volume Boot Record/OS Bootstrap infectors like Cidox
- Disk Partition table infectors like SST/Elureon
- User mode patchers/infectors like ZeroAccess.
- And many more!

MBAR provides a comprehensive system scan to check for rootkits that includes drivers, MBRs (Master Boot
Records) and VBRs (Volume Boot Records).
Usage Instructions:
Malwarebytes Anti-Rootkit (MBAR) is provided as an archive package and does not require installation. Users
simply need to download the package and extract it into a folder on the local hard drive keeping the archive’s
directory structure intact (It is possible to unpack all files directly to the system desktop although it is not
recommended and if possible, you should instead extract it to its own folder, for example a folder called ‘MBAR’
on the desktop. A sample folder “C:\MBAR\” as a home directory is used in all of the following examples). The
current MBAR implementation is based on a simple to use wizard. To perform a normal system scan and cleanup
a user should just run the program and follow the onscreen instructions; no other options are necessary.
Administrative privileges are required. MBAR will scan the system and will prompt the user to perform
recommended actions.

If any infections are detected during the scan, the user should use the ‘Cleanup’ button to remove them,
restarting the system if prompted.

Important! Shutdown is an essential part of the threat removal process. A computer should not be hard-reset
after the scan is completed and malware removal scheduled.

Once you have restarted, it is important that you run another scan to verify that no additional infections remain.
If the scan comes back infected again, remove any found threats and restart again, running another scan after
reboot to then verify that it comes back clean.

Note:

- On some hardware the computer may hang at the very end of the reboot process if malware cleanup
was scheduled. It does not affect the removal process and the computer can be manually restarted using
the ‘Reset’ button or by pressing and holding the ‘Power’ button on the PC for 5 seconds if no noticeable
disk activity is present (HDD LED is not flashing) within five minutes after restart has been initiated.
- In some cases additional MBAR scans might be necessary to cleanup any leftovers which were not
detected or removed during the previous scan (This is not necessary if the previous scan came back
clean with no threats of any kind detected). It is recommended that a second scan always be performed
after the removal and reboot process to ensure that all active threats have been removed and that no
further threats remained. This should be repeated until the scan comes back with no detections.
- Don’t remove MBAR’s drivers from memory using “/r” option if a cleanup has been scheduled as the
drivers are required for the removal process.

Some malware may block the loading of drivers so anti-rootkit utilities which use kernel-mode drivers are
unable to perform scans. In this case MBAR may try to load its drivers on boot to complete the scan. In such
cases you will be prompted to reboot the computer to install the drivers:

DDA driver was not installed which may be caused by rootkit activity.
Do you want to reboot the computer to install DDA driver (Scan will continue after reboot) (Y/N)?
MBAR will restart a computer and automatically open so that the user may initiate the malware scan after the
system restart is complete.

MBAR is able to work in a Safe Mode which may be useful if malware is blocking the tool from functioning in
normal mode.

fixdamage.exe:
Included with Malwarebytes Anti-Rootkit is a tool called fixdamage. This utility can repair some common
problems which are the result of some rootkit infections. Normally as part of the cleanup/removal process,
MBAR will automatically run fixdamage for you if required, however you may run it manually if need be should
any problems remain after restarting your PC after the removal process is completed such as Windows Update
problems, the Windows Firewall not functioning or a lack of internet connectivity.

To run fixdamage manually, simply open MBAR’s folder and open the folder called “Plugins” and then double-
click on fixdamage.exe and then restart your computer, even if not prompted to do so.

Command Line Syntax and Advanced Usage:

The available command line syntax and switches for Malwarebytes Anti-Rootkit are as follows:

Usage: MBAR.exe [/r] [/u] [/z]

 /r - Remove driver. This option will remove drivers from memory which were installed by MBAR. Usually
MBAR removes its drivers after use when they are no longer required, but in some cases when MBAR
was abruptly terminated, some drivers may remain loaded. MBAR keeps drivers in memory if malware
was found and system cleanup on reboot is necessary. To completely remove them from memory use
this option. This will terminate a scheduled cleanup task as well.
 /u - Disable rootkit unhooking mechanism. MBAR uses a sophisticated mechanism to counteract
malicious changes on the System (“Hooks”) and it is still experimental. In some rare cases this
mechanism may prove unstable. Using this option disables this mechanism but makes detection less
reliable.
 /z - Do not activate protection driver. Normally MBAR installs the Chameleon self-protection driver right
before a scan is started. In some cases this driver may conflict with other software on the system and
should be disabled using this option should such a conflict occur.
 

Log Files:
Malwarebytes Anti-Rootkit (MBAR) creates two log files to save all valuable information about a malware scan
and the hardware used. The malware scan log is created in the current directory in a format similar to that used
by Malwarebytes Anti-Malware. The following is an example of the naming scheme for this scan log:

mbar-log-2012-06-25 (16-30-00).txt

A log file with detections might look like this, containing info about all detected items:

Malwarebytes Anti-Rootkit 1.1.0.1000

www.malwarebytes.org

Database version: v2012.06.25.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
:: WMXP32 [administrator]

6/25/2012 4:30:00 PM
mbar-log-2012-06-25 (16-30-00).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 24649
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 3

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RUNTIME (Rootkit.Agent) -> Delete on reboot.
[a3d9b340f76567cf5ae9a8458c774db3]
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2 (Rootkit.Agent) -> Delete on reboot.
[bdbfb34075e753e368dc6a838a79ca36]
HKLM\System\CurrentControlSet\Services\runtime (Rootkit.Agent) -> Delete on reboot.
[9ddfc132e17b44f25672eb0670935fa1]

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\system32\drivers\runtime2.sys (Rootkit.Cutwail) -> Delete on reboot.
[763bd40c542382a03a9081fd64c2bd49]
C:\Documents and Settings\Administrator\Desktop\readme(30).exe (Rootkit.0Access) -> Delete on reboot.
[cbb1e80ba1bb47ef8ca45c281fe155ab]
C:\WINDOWS\system32\8_exception.nls (Trojan.Tibs) -> Delete on reboot.
[1f5dae4561fb4ee80d419ad422e14db3]

(end)

Scan logs are created as a separate file for each scan performed. In addition to the scan log, MBAR creates
another log file with environmental information in it. Its name is always “system-log.txt” and the file is appended
to every time Malwarebytes Anti-Rootkit is executed.
Quarantine and Ignore List:
Malwarebytes Anti-Rootkit (MBAR) is a stand-alone application but it shares some features of Malwarebytes
Anti-Malware (MBAM) which may or may not be already installed on the computer, though certain functions
dealing with ignore listing and managing the quarantine may only be available if Malwarebytes Anti-Malware is
installed.

1.1 Quarantine - MBAR uses the same format for quarantined items as MBAM and stores
quarantined items in the same location that MBAM does so all quarantined items appear in
the Quarantine tab in MBAM. This makes it possible to manage them using MBAM. It should
also be noted that MBAR does not have the capability to manage or restore quarantined
items by itself, so MBAM must be used if an item needs to be restored.

Note: some items like MBR, VBR and patched drivers are currently quarantined as binary files
only and cannot be restored using MBAM.

1.2 Ignore List - MBAR uses the same ignore list used by MBAM so exclusions may be managed
using the Ignore List tab in MBAM. In order to add or remove an item to be ignored by
MBAR, MBAM must be installed as MBAR currently cannot add or remove any items to or
from the Ignore List on its own.

Contact Us:
If you continue experiencing problems or MBAR fails to completely detect and remove a rootkit from your
system then please contact us by filling out the form at http://www.malwarebytes.org/contact_consumer.