How to use Malwarebytes Anti-Rootkit to remove rootkits from a ComputerBy Lawrence Abrams on November 13, 2012 @ 09:48 AM | Read 121,768 times.
Table of Contents
In the past malware infections typically consisted of worms, trojans, backdoors, and viruses that were easily detected, and for the most part, removed. To make an anti-virus program's job more difficult, an increasingly popular tactic for malware developers is to use a type of computer infection or technology called rootkits. Rootkits are computer infections that hijack your operating system so that it does not properly report the existence of other malware files, Windows Registry entries, and to make it more difficult to detect other computer infections that it may be protecting.
Malwarebytes Anti-Rootkit, or MBAR, is a rootkit scanner that searches your computer for rootkits and then removes them. Once Malwarebytes Anti-Rootkit removes the rootkit, any files or Windows Registry entries that the rootkit was hiding will then be visible and be easier to remove.
MBAR has the ability to target rootkits that belong to the following families or that use the following rootkit technologies:
This tutorial will walk you through using Malwarebytes Anti-Rootkit to remove rootkits from your computer. It will also provide guidance on how to resolve problems that result from removing these rootkits. If you have any questions regarding this program, please feel free to ask us in the AntiVirus, Firewall and Privacy Products and Protection Methods forum.
The first step before any rootkit removal process should be to backup all of your data. Depending on the rootkit infection, Malwarebytes may make changes to your hard drives's Master Boot Record and partition table when cleaning your computer. As incorrect modification of these locations may cause your computer to not boot properly, it is always wise to perform a complete backup of all of your data before performing any rootkit removal.
Once your data has been backed up, you should then download Malwarebytes Anti-Rootkit from the following download location:
When saving the file, please save it to your desktop. Once the file has been downloaded, right click on the downloaded file and select the Extract menu option. This will start the Windows compressed file extraction wizard. Follow the steps to extract the file and Malwarebytes Anti-Rootkit will be extracted to a folder called mbar-versionnumber on your desktop. For example, Malwarebytes Anti-Rootkit version 1.01.0.1009 will be extracted to a folder named mbar-1.01.0.1009.
Once the file has been extracted, double-click on the folder and when that folder opens, double-click on the mbar folder. You should now see a list of files that are found in the mbar folder. Please double-click on the mbar.exe file to launch the program. The icon for this program looks like:
Once you double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it.
If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen.
Please click on the Next button and you will then be presented with the Update Database screen.
Please click on the Update button to have MBAR download the latest definition updates that will then be used when scanning your computer. When the update has finished, please click on the Next button.
You will now be at the Scan System screen where you can select some basic scanning options.
Make sure the Drivers, Sectors, and System scan targets are selected and then click on the Scan button. Malwarebytes Anti-Rootkit Scanner will now start scanning your computer for possible rootkits. This process can take some time, so please be patient. When it has finished, the program will display a screen showing you the results from the scan.
Make sure everything is selected and that there is a check mark in the Create Restore point option. Then click on the Cleanup button. Malwarebytes Anti-Rootkit will then prompt you to reboot your computer. Please click on Yes button to restart your computer.
After the computer reboots and you login, you will be back at your normal desktop. It is suggested that you do one last scan using Malwarebytes Anti-Rootkit to make sure all traces have been removed. If MBAR detects any leftovers, let it remove them and reboot again. Once you have rebooted, the detected rookits should now be removed from your computer.
There will now be two log files created in the mbar folder called system-log.txt and one that starts with mbar-log. The mbar-log file will always start with mbar-log, but the rest will be named using a timestamp indicating the time it was run. For example, mbar-log-2012-11-12 (19-13-32).txt corresponds to mbar-log-year-month-day (hour-minute-second).txt. The system-log.txt contains information about each time you have run MBAR and contains diagnostic information from the program. A new mbar-log is created every time you run MBAR and will contain information about what was detected and removed.
When Malwarebytes Anti-Rootkit quarantines rootkit files it will place them in the same folder that Malwarebytes Anti-Malware uses for their quarantine. Unlike Malwarebytes Anti-Malware, though, MBAR does not have the ability to restore any files it has deleted. Instead, if you wish to see the files or restore them you must use Malwarebytes Anti-Malware to manage the quarantine.
To do this, you must download and install Malwarebytes Anti-Malware. You can download the program from the following link:
Once Malwarebytes Anti-Malware has been started, click on the Quarantine tab. Once you click on the tab you will see all the files that have been Quarantined by Malwarebytes Anti-Rootkit.
To restore a file, simply select the entries you wish to restore and click on the Restore button. When you are done restoring files, you can then close Malwarebytes Anti-Malware. It is important to note that if you restore infected files and configuration information, these infections will become active again the next time you reboot your computer. Therefore, only restore files from the quarantine that you know are 100% clean.
Malwarebytes includes some advanced command-line arguments that you can use when starting the program. These arguments allow you to have a bit more control as to how Malwarebytes Anti-Rootkit will work on your computer. The available command line arguments are:
To use a command-line argument you need to append it to the command that you use to start Malwarebytes Anti-Rootkit. This can be done by creating a shortcut to mbar.exe on your desktop, going into the shortcut's properties, and adding the argument you wish to use to the end of the command in the Target field.
The other option is enter the command using a command prompt or via the Run box. When starting MBAR using this method, you can simply add the argument to the end. For example, if MBAR is located in C:\Mbar, and you wanted to disable Chameleon you would use the follow command to start the program.
Notice how we specified the full path to the executable and just added the /z argument to the end. Also note that you must put a space between the executable name and any command line arguments you use.
Certain rootkits will delete Windows services and change Windows settings that can cause Windows not to operate properly. These problems, which typically appear after the rootkit has been removed, include loss of network connectivity, the Windows Firewall no longer starting, or Windows Update no longer working. To fix these types of issues, Malwarebytes Anti-Rootkit includes a program called fixdamage.exe that can be used to resolve many of these issues.
When run, fixdamage.exe will scan your computer for deleted or incomplete Windows services and broken Layered Service Providers. It will then recreate any missing or damaged services and repair the Layered Service Provider chain. Last, but not least, fixdamage will restore all the default Windows Firewall rules if necessary. This will typically resolve most issues with broken network connectivity and Windows services that do not start properly.
To run fixdamage, open the mbar folder that you extracted when you download the program. Inside that folder you should see a program called fixdamage.exe. Double-click on that file and the program will launch as shown below.
Simply press on the Y key on your keyboard and the program will perform any necessary fixes. When it has finished, you be shown a message that says press any key to exit. Press any key on your keyboard and the fixdamage screen will close. For the changes to go into effect, you now need to manually restart your computer.
Once your computer restarts and you log back in, Windows should be operating properly again.
Guide Updates History 11/13/12 - Tutorial created. 11/14/12 - Fixed some typos and added info about rebooting after running fixdamage. 111/15/12 - Misc typos.
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.
If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.
|Tech Support Forums | Virus Removal Guides | Downloads | Tutorials | The Computer Glossary | Uninstall List | Startups | The File Database|