Malwarebytes Anti-Rootkit Documentation

The purpose of this document is to provide basic documentation for the use of Malwarebytes Anti-Rootkit BETA. Use of Malwarebytes Anti-Rookit BETA MBAR! re"uires that you a#ree to and accept the terms of use described in the accompanyin# $license.rtf% file included within the archive.

Contents

Introduction:
Malwarebytes Anti-Rootkit MBAR! is a tool desi#ned by Malwarebytes &orporation to detect and remove sophisticated' stealthy forms of malware called $Rootkits%. Rootkits are hidden forms of malware which most normal malware scannin# tools cannot detect or remove.

Background:
Rootkits have the ability to infect the very core or (root) of an operatin# system and hide the e*istence of certain processes and malicious pro#rams from normal methods of detection. Rootkits can also enable continued privile#ed access to a computer to make system level modifications' leavin# the system heavily compromised. Malwarebytes Anti-Rootkit MBAR! is desi#ned to counteract malicious attempts to subvert base core subsystems of an +, which usually make it impossible to detect rootkits usin# conventional methods. Besides the #eneral functionality of allowin# a user to detect and remove rootkits automatically' MBAR contains a set of tools allowin# to an e*perienced user to perform some actions to locate unknown rootkits and remove them manually. To protect itself from bein# terminated by a rootkit or other malware' MBAR uses Malwarebytes &hameleon technolo#ies which prevent modification or removal or MBAR by malware which may reside on the system. This allows MBAR to complete the detection and removal process re#ardless of such attacks. MBAR uses an active internet connection to keep its database up to ensure that the most current definitions are used in order to detect and remove the latest --day rootkits.

Scope of Malwarebytes Anti-Rootkit:

Malwarebytes Anti-Rootkit MBAR! has been tested and proven to be effective a#ainst the followin# types of rootkits. /ernel mode drivers hidin# themselves' like T012' T0134T0,,' Ma*,,' ,ri5bi' 6ecurs' &utwail' etc. /ernel mode driver patchers4infectors' embeddin# malicious code into core files of an +peratin# ,ystem' such as T017' 8eroAccess' Rloader' etc. Master Boot Record infectors such as T019' Mebroot4,inowal' MoastBoot' :urn' ;ihar' etc. <olume Boot Record4+, Bootstrap infectors like &ido* 0isk ;artition table infectors like ,,T4Elureon User mode patchers4infectors like 8eroAccess. And many more=

MBAR provides a comprehensive system scan to check for rootkits that includes drivers' MBRs Master Boot Records! and <BRs <olume Boot Records!.

sage Instructions:
Malwarebytes Anti-Rootkit MBAR! is provided as an archive packa#e and does not re"uire installation. Users simply need to download the packa#e and e*tract it into a folder on the local hard drive keepin# the archive)s directory structure intact >t is possible to unpack all files directly to the system desktop althou#h it is not recommended and if possible' you should instead e*tract it to its own folder' for e*ample a folder called (MBAR) on the desktop. A sample folder $&.?MBAR?% as a home directory is used in all of the followin# e*amples!. The current MBAR implementation is based on a simple to use wi5ard. To perform a normal system scan and cleanup a user should @ust run the pro#ram and follow the onscreen instructionsA no other options are necessary. Administrative privile#es are re"uired. MBAR will scan the system and will prompt the user to perform recommended actions. >f any infections are detected durin# the scan' the user should use the (&leanup) button to remove them' restartin# the system if prompted. Important! ,hutdown is an essential part of the threat removal process. A computer should not be hard-reset after the scan is completed and malware removal scheduled. +nce you have restarted' it is important that you run another scan to verify that no additional infections remain. >f the scan comes back infected a#ain' remove any found threats and restart a#ain' runnin# another scan after reboot to then verify that it comes back clean. Note: +n some hardware the computer may han# at the very end of the reboot process if malware cleanup was scheduled. >t does not affect the removal process and the computer can be manually restarted usin# the (Reset) button or by pressin# and holdin# the (;ower) button on the ;& for B seconds if no noticeable disk activity is present C00 1E0 is not flashin#! within five minutes after restart has been initiated. >n some cases additional MBAR scans mi#ht be necessary to cleanup any leftovers which were not detected or removed durin# the previous scan This is not necessary if the previous scan came back clean with no threats of any kind detected!. >t is recommended that a second scan always be performed after the removal and reboot process to ensure that all active threats have been removed and that no further threats remained. This should be repeated until the scan comes back with no detections. 0on)t remove MBAR)s drivers from memory usin# $4r% option if a cleanup has been scheduled as the drivers are re"uired for the removal process.

,ome malware may block the loadin# of drivers so anti-rootkit utilities which use kernel-mode drivers are unable to perform scans. >n this case MBAR may try to load its drivers on boot to complete the scan. >n such cases you will be prompted to reboot the computer to install the drivers. 00A driver was not installed which may be caused by rootkit activity. 0o you want to reboot the computer to install 00A driver ,can will continue after reboot! :46!D

MBAR will restart a computer and automatically open so that the user may initiate the malware scan after the system restart is complete. MBAR is able to work in a ,afe Mode which may be useful if malware is blockin# the tool from functionin# in normal mode.

fi"damage#e"e:
>ncluded with Malwarebytes Anti-Rootkit is a tool called fi*dama#e. This utility can repair some common problems which are the result of some rootkit infections. 6ormally as part of the cleanup4removal process' MBAR will automatically run fi*dama#e for you if re"uired' however you may run it manually if need be should any problems remain after restartin# your ;& after the removal process is completed such as Eindows Update problems' the Eindows Firewall not functionin# or a lack of internet connectivity. To run fi*dama#e manually' simply open MBAR)s folder and open the folder called $;lu#ins% and then doubleclick on fi"damage#e"e and then restart your computer' even if not prompted to do so.

Command $ine Synta" and Ad%anced sage:

The available command line synta* and switches for Malwarebytes Anti-Rootkit are as follows. Usa#e. MBAMAntiRootkit.e*e G4rH G4uH G45H 4r - Remove driver. This option will remove drivers from memory which were installed by MBAR. Usually MBAR removes its drivers after use when they are no lon#er re"uired' but in some cases when MBAR was abruptly terminated' some drivers may remain loaded. MBAR keeps drivers in memory if malware was found and system cleanup on reboot is necessary. To completely remove them from memory use this option. This will terminate a scheduled cleanup task as well. 4u - 0isable rootkit unhookin# mechanism. MBAR uses a sophisticated mechanism to counteract malicious chan#es on the ,ystem $Cooks%! and it is still e*perimental. >n some rare cases this mechanism may prove unstable. Usin# this option disables this mechanism but makes detection less reliable. 45 - 0o not activate protection driver. 6ormally MBAR installs the &hameleon self-protection driver ri#ht before a scan is started. >n some cases this driver may conflict with other software on the system and should be disabled usin# this option should such a conflict occur.

$og &iles:
Malwarebytes Anti-Rootkit MBAR! creates two lo# files to save all valuable information about a malware scan and the hardware used. The malware scan lo# is created in the current directory in a format similar to that used by Malwarebytes Anti-Malware. The followin# is an e*ample of the namin# scheme for this scan lo#. mbar-log-2012-06-25 (16-30-00).txt A lo# file with detections mi#ht look like this' containin# info about all detected items. Malwarebytes Anti-Rootkit 1.1.0.1000 www.malwarebytes.org Database ersion! 2012.06.25.10 "in#ows $% &er i'e %a'k 3 x(6 )*+& ,nternet -x.lorer (.0.6001.1(/02 !! "M$%32 0a#ministrator1 622522012 3!30!00 %M mbar-log-2012-06-25 (16-30-00).txt &'an ty.e! 45i'k s'an &'an o.tions enable#! Memory 6 &tart5. 6 Registry 6 +ile &ystem 6 7e5risti's2-xtra 6 7e5risti's2&85riken &'an o.tions #isable#! %9% 6 %9M 6 %2% :b;e'ts s'anne#! 2363< *ime ela.se#! 6 min5te(s)= 3( se'on#(s) Memory %ro'esses Dete'te#! 0 ()o mali'io5s items #ete'te#) Memory Mo#5les Dete'te#! 0 ()o mali'io5s items #ete'te#) Registry >eys Dete'te#! 3 7>?M@&ystem@A5rrentAontrol&et@-n5m@Root@?-BAACDR9)*,M- (Rootkit.Agent) -E Delete on reboot. 0a3#<b330F/656/'F5ae<a(35('//3#b31 7>?M@&ystem@A5rrentAontrol&et@-n5m@Root@?-BAACDR9)*,M-2 (Rootkit.Agent) -E Delete on reboot. 0b#bFb330/5e/53e36(#'6a(3(a/<'a361 7>?M@&ystem@A5rrentAontrol&et@&er i'es@r5ntime (Rootkit.Agent) -E Delete on reboot. 0<##F'132e1/b33F256/2eb06/0<35Fa11 Registry Gal5es Dete'te#! 0 ()o mali'io5s items #ete'te#) Registry Data ,tems Dete'te#! 0 ()o mali'io5s items #ete'te#) +ol#ers Dete'te#! 0

()o mali'io5s items #ete'te#) +iles Dete'te#! 3 A!@",)D:"&@system32@#ri ers@r5ntime2.sys (Rootkit.A5twail) -E Delete on reboot. 0/63b#30'5323(2a03a<0(1F#63'2b#3<1 A!@Do'5ments an# &ettings@A#ministrator@Deskto.@rea#me(30).exe (Rootkit.0A''ess) -E Delete on reboot. 0'bb1e(0ba1bb3/eF('a35'2(1Fe155ab1 A!@",)D:"&@system32@(Dex'e.tion.nls (*ro;an.*ibs) -E Delete on reboot. 01F5#ae3561Fb3ee(0#31<a#322e13#b31 (en#) ,can lo#s are created as a separate file for each scan performed. >n addition to the scan lo#' MBAR creates another lo# file with environmental information in it. >ts name is always $system-lo#.t*t% and the file is appended to every time Malwarebytes Anti-Rootkit is e*ecuted.

'uarantine and Ignore $ist:

Malwarebytes Anti-Rootkit MBAR! is a stand-alone application but it shares some features of Malwarebytes Anti-Malware MBAM! which may or may not be already installed on the computer' thou#h certain functions dealin# with i#nore listin# and mana#in# the "uarantine may only be available if Malwarebytes Anti-Rootkit is installed. 2.2 'uarantine - MBAR uses the same format for "uarantined items as MBAM and stores "uarantined items in the same location that MBAM does so all "uarantined items appear in the Iuarantine tab in MBAM. This makes it possible to mana#e them usin# MBAM. >t should also be noted that MBAR does not have the capability to mana#e or restore "uarantined items by itself' so MBAM must be used if an item needs to be restored. 6ote. some items like MBR' <BR and patched drivers are currently "uarantined as binary files only and cannot be restored usin# MBAM. 2.3 Ignore $ist - MBAR uses the same i#nore list used by MBAM so e*clusions may be mana#ed usin# the >#nore 1ist tab in MBAM. >n order to add or remove an item to be i#nored by MBAR' MBAM must be installed as MBAR currently cannot add or remove any items to or from the >#nore 1ist on its own.

Contact s:
>f you continue e*periencin# problems or MBAR fails to completely detect and remove a rootkit from your system then please contact us by fillin# out the form at http.44www.malwarebytes.or#4contactJconsumer.