Documente Academic
Documente Profesional
Documente Cultură
The purpose of this document is to provide basic documentation for the use of Malwarebytes Anti-Rootkit BETA. Use of Malwarebytes Anti-Rookit BETA MBAR! re"uires that you a#ree to and accept the terms of use described in the accompanyin# $license.rtf% file included within the archive.
Contents
Introduction:
Malwarebytes Anti-Rootkit MBAR! is a tool desi#ned by Malwarebytes &orporation to detect and remove sophisticated' stealthy forms of malware called $Rootkits%. Rootkits are hidden forms of malware which most normal malware scannin# tools cannot detect or remove.
Background:
Rootkits have the ability to infect the very core or (root) of an operatin# system and hide the e*istence of certain processes and malicious pro#rams from normal methods of detection. Rootkits can also enable continued privile#ed access to a computer to make system level modifications' leavin# the system heavily compromised. Malwarebytes Anti-Rootkit MBAR! is desi#ned to counteract malicious attempts to subvert base core subsystems of an +, which usually make it impossible to detect rootkits usin# conventional methods. Besides the #eneral functionality of allowin# a user to detect and remove rootkits automatically' MBAR contains a set of tools allowin# to an e*perienced user to perform some actions to locate unknown rootkits and remove them manually. To protect itself from bein# terminated by a rootkit or other malware' MBAR uses Malwarebytes &hameleon technolo#ies which prevent modification or removal or MBAR by malware which may reside on the system. This allows MBAR to complete the detection and removal process re#ardless of such attacks. MBAR uses an active internet connection to keep its database up to ensure that the most current definitions are used in order to detect and remove the latest --day rootkits.
MBAR provides a comprehensive system scan to check for rootkits that includes drivers' MBRs Master Boot Records! and <BRs <olume Boot Records!.
sage Instructions:
Malwarebytes Anti-Rootkit MBAR! is provided as an archive packa#e and does not re"uire installation. Users simply need to download the packa#e and e*tract it into a folder on the local hard drive keepin# the archive)s directory structure intact >t is possible to unpack all files directly to the system desktop althou#h it is not recommended and if possible' you should instead e*tract it to its own folder' for e*ample a folder called (MBAR) on the desktop. A sample folder $&.?MBAR?% as a home directory is used in all of the followin# e*amples!. The current MBAR implementation is based on a simple to use wi5ard. To perform a normal system scan and cleanup a user should @ust run the pro#ram and follow the onscreen instructionsA no other options are necessary. Administrative privile#es are re"uired. MBAR will scan the system and will prompt the user to perform recommended actions. >f any infections are detected durin# the scan' the user should use the (&leanup) button to remove them' restartin# the system if prompted. Important! ,hutdown is an essential part of the threat removal process. A computer should not be hard-reset after the scan is completed and malware removal scheduled. +nce you have restarted' it is important that you run another scan to verify that no additional infections remain. >f the scan comes back infected a#ain' remove any found threats and restart a#ain' runnin# another scan after reboot to then verify that it comes back clean. Note: +n some hardware the computer may han# at the very end of the reboot process if malware cleanup was scheduled. >t does not affect the removal process and the computer can be manually restarted usin# the (Reset) button or by pressin# and holdin# the (;ower) button on the ;& for B seconds if no noticeable disk activity is present C00 1E0 is not flashin#! within five minutes after restart has been initiated. >n some cases additional MBAR scans mi#ht be necessary to cleanup any leftovers which were not detected or removed durin# the previous scan This is not necessary if the previous scan came back clean with no threats of any kind detected!. >t is recommended that a second scan always be performed after the removal and reboot process to ensure that all active threats have been removed and that no further threats remained. This should be repeated until the scan comes back with no detections. 0on)t remove MBAR)s drivers from memory usin# $4r% option if a cleanup has been scheduled as the drivers are re"uired for the removal process.
,ome malware may block the loadin# of drivers so anti-rootkit utilities which use kernel-mode drivers are unable to perform scans. >n this case MBAR may try to load its drivers on boot to complete the scan. >n such cases you will be prompted to reboot the computer to install the drivers. 00A driver was not installed which may be caused by rootkit activity. 0o you want to reboot the computer to install 00A driver ,can will continue after reboot! :46!D
MBAR will restart a computer and automatically open so that the user may initiate the malware scan after the system restart is complete. MBAR is able to work in a ,afe Mode which may be useful if malware is blockin# the tool from functionin# in normal mode.
fi"damage#e"e:
>ncluded with Malwarebytes Anti-Rootkit is a tool called fi*dama#e. This utility can repair some common problems which are the result of some rootkit infections. 6ormally as part of the cleanup4removal process' MBAR will automatically run fi*dama#e for you if re"uired' however you may run it manually if need be should any problems remain after restartin# your ;& after the removal process is completed such as Eindows Update problems' the Eindows Firewall not functionin# or a lack of internet connectivity. To run fi*dama#e manually' simply open MBAR)s folder and open the folder called $;lu#ins% and then doubleclick on fi"damage#e"e and then restart your computer' even if not prompted to do so.
$og &iles:
Malwarebytes Anti-Rootkit MBAR! creates two lo# files to save all valuable information about a malware scan and the hardware used. The malware scan lo# is created in the current directory in a format similar to that used by Malwarebytes Anti-Malware. The followin# is an e*ample of the namin# scheme for this scan lo#. mbar-log-2012-06-25 (16-30-00).txt A lo# file with detections mi#ht look like this' containin# info about all detected items. Malwarebytes Anti-Rootkit 1.1.0.1000 www.malwarebytes.org Database ersion! 2012.06.25.10 "in#ows $% &er i'e %a'k 3 x(6 )*+& ,nternet -x.lorer (.0.6001.1(/02 !! "M$%32 0a#ministrator1 622522012 3!30!00 %M mbar-log-2012-06-25 (16-30-00).txt &'an ty.e! 45i'k s'an &'an o.tions enable#! Memory 6 &tart5. 6 Registry 6 +ile &ystem 6 7e5risti's2-xtra 6 7e5risti's2&85riken &'an o.tions #isable#! %9% 6 %9M 6 %2% :b;e'ts s'anne#! 2363< *ime ela.se#! 6 min5te(s)= 3( se'on#(s) Memory %ro'esses Dete'te#! 0 ()o mali'io5s items #ete'te#) Memory Mo#5les Dete'te#! 0 ()o mali'io5s items #ete'te#) Registry >eys Dete'te#! 3 7>?M@&ystem@A5rrentAontrol&et@-n5m@Root@?-BAACDR9)*,M- (Rootkit.Agent) -E Delete on reboot. 0a3#<b330F/656/'F5ae<a(35('//3#b31 7>?M@&ystem@A5rrentAontrol&et@-n5m@Root@?-BAACDR9)*,M-2 (Rootkit.Agent) -E Delete on reboot. 0b#bFb330/5e/53e36(#'6a(3(a/<'a361 7>?M@&ystem@A5rrentAontrol&et@&er i'es@r5ntime (Rootkit.Agent) -E Delete on reboot. 0<##F'132e1/b33F256/2eb06/0<35Fa11 Registry Gal5es Dete'te#! 0 ()o mali'io5s items #ete'te#) Registry Data ,tems Dete'te#! 0 ()o mali'io5s items #ete'te#) +ol#ers Dete'te#! 0
()o mali'io5s items #ete'te#) +iles Dete'te#! 3 A!@",)D:"&@system32@#ri ers@r5ntime2.sys (Rootkit.A5twail) -E Delete on reboot. 0/63b#30'5323(2a03a<0(1F#63'2b#3<1 A!@Do'5ments an# &ettings@A#ministrator@Deskto.@rea#me(30).exe (Rootkit.0A''ess) -E Delete on reboot. 0'bb1e(0ba1bb3/eF('a35'2(1Fe155ab1 A!@",)D:"&@system32@(Dex'e.tion.nls (*ro;an.*ibs) -E Delete on reboot. 01F5#ae3561Fb3ee(0#31<a#322e13#b31 (en#) ,can lo#s are created as a separate file for each scan performed. >n addition to the scan lo#' MBAR creates another lo# file with environmental information in it. >ts name is always $system-lo#.t*t% and the file is appended to every time Malwarebytes Anti-Rootkit is e*ecuted.
Contact s:
>f you continue e*periencin# problems or MBAR fails to completely detect and remove a rootkit from your system then please contact us by fillin# out the form at http.44www.malwarebytes.or#4contactJconsumer.