Remove rootkits with Malwarebytes Anti-Rootkit for free.
Malwarebytes Anti-Malware is the tool of choice for many; it is a real lifesaver when called upon to remove malware, viruses, spyware and the other nasties bent on ruining your day.
Recently, though, Malwarebytes released MBAR, short for Malwarebytes Anti-Rootkit, which promises to get rid of most, if not all, types of rootkits, including:
- Kernel mode drivers hiding themselves, like TDL1, TDL2/TDSS, MaxSS, Srizbi, Necurs, Cutwail, etc.
- Kernel mode driver patchers/infectors, embedding malicious code into core files of an Operating System, such as TDL3, ZeroAccess, Rloader, etc.
- Master Boot Record infectors such as TDL4, Mebroot/Sinowal, MoastBoot, Yurn, Pihar, etc.
- Volume Boot Record/OS Bootstrap infectors like Cidox
- Disk Partition table infectors like SST/Alureon
- User mode patchers/infectors like ZeroAccess.
This tutorial is a guide on how to use MBAR to remove rootkits and how to resolve the issues that may arise from removing them.
Download, Install and Run MBAR
First of all, before you attempt to remove any rootkits you should make a backup, because MBAR may change the MBR or partition table, and a change that goes wrong there can leave your machine unbootable. An image of the whole disk is ideal; at minimum copy your data off the machine.
Secondly, download MBAR from this location and save it somewhere easy to find, such as your desktop. Extract it and run it by double-clicking the .exe file.
Once you double-click on mbar.exe, you may receive a User Account Control prompt asking whether you wish to allow the program to run. Allow it, and MBAR will start to install the drivers it needs to operate correctly.
If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it.
If so, please click on the Yes button and MBAR will restart your computer. Once the computer is rebooted and you log in, MBAR will automatically start and you will now be at the start screen.
The next step is to update the database: click Update to have MBAR download the latest definitions, which it will then use to scan your computer. When the update has finished, click Next.
You will now be at the Scan System screen.
Make sure the Drivers, Sectors and System scan targets are selected and then click the Scan button. The MBAR scanner will now start scanning your computer for rootkits.
This process could take some time. When it has finished, the program will display a screen showing the results of the scan.
To remove the rootkits, make sure everything is selected and that the Create Restore point option is ticked. Click the Cleanup button; MBAR will then prompt you to reboot your computer. Click Yes to restart.
After the reboot you will be back at your normal desktop. Run another scan with MBAR to make sure no traces are left. If MBAR detects any leftovers, let it remove them and reboot again. Once you have rebooted, the detected rootkits should be gone from your computer.
In the mbar folder there will now be two kinds of log file: system-log.txt and one whose name starts with mbar-log. system-log.txt records each time you have run MBAR and contains diagnostic information from the program. A new mbar-log file is created every time you run MBAR and contains what was detected and removed.
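Because several of the rootkit families listed above live in the MBR or the partition table, the backup recommended before the run is worth taking at sector level as well, and the same dump lets you see exactly what the cleanup changed. The script below is an added example, not part of the tutorial or of Malwarebytes' tools: it reads sector 0 of a raw disk (assumed device path \\.\PhysicalDrive0, which needs Administrator rights on Windows), parses the four partition entries and the 0x55AA signature, hashes the boot code, and diffs a before and an after dump. The file names mbr-before.bin and mbr-after.bin and the sample MBR at the bottom are constructed for the example.

```python
"""
Back up and verify the Master Boot Record (sector 0) around an MBAR run.

Added example, not part of the MBAR tutorial or of Malwarebytes' tools.
read_mbr() needs Administrator rights on Windows (or root on Linux, with a
device such as /dev/sda); parse_mbr() and compare_mbr() work on any 512-byte
buffer, and the constructed sample at the bottom runs anywhere.
"""
import hashlib
import struct
import sys
from typing import Dict, List

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # 446 bytes of boot code, then four 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of every valid MBR
ENTRY_FORMAT = "<B3sB3sII"    # boot flag, CHS start, type, CHS end, LBA start, sector count


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw block device (default: first physical disk on Windows)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> Dict:
    """Split an MBR into a boot-code hash, the used partition entries and any red flags."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("0x55AA boot signature missing: not an MBR, or it was overwritten")
    partitions: List[Dict] = []
    warnings: List[str] = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        flag, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        if flag not in (0x00, 0x80):
            warnings.append(f"entry {i}: boot indicator 0x{flag:02x} is neither 0x00 nor 0x80")
        partitions.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    if sum(p["bootable"] for p in partitions) > 1:
        warnings.append("more than one partition flagged bootable")
    return {
        "boot_code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "warnings": warnings,
    }


def compare_mbr(before: bytes, after: bytes) -> List[str]:
    """List what changed between two dumps (e.g. taken before and after MBAR's cleanup)."""
    a, b = parse_mbr(before), parse_mbr(after)
    diffs = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        diffs.append("boot code changed")
    if a["partitions"] != b["partitions"]:
        diffs.append("partition table changed")
    return diffs


def build_sample_mbr() -> bytes:
    """Constructed sample: a jmp-self stub as boot code and one bootable NTFS partition."""
    boot_code = b"\xeb\xfe" + b"\x00" * (TABLE_OFFSET - 2)
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x02\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48  # the remaining three entries are empty
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # python mbr_check.py mbr-before.bin   (as Administrator) dumps the live disk's sector 0
        with open(sys.argv[1], "wb") as out:
            out.write(read_mbr())
        print(f"wrote sector 0 to {sys.argv[1]}")
    elif len(sys.argv) == 3:
        # python mbr_check.py mbr-before.bin mbr-after.bin   diffs two dumps
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            print(compare_mbr(f1.read(), f2.read()) or ["no change"])
    else:
        sample = build_sample_mbr()
        print(parse_mbr(sample))
        tampered = bytearray(sample)
        tampered[0] ^= 0xFF  # simulate the boot code being overwritten
        print(compare_mbr(sample, bytes(tampered)))
```

Take the first dump before running MBAR and keep it off the machine together with your other backups; take the second after the cleanup reboot. A "boot code changed" result after cleaning an MBR infector such as those listed above is expected, whereas a "partition table changed" result, or a warning about an odd boot indicator, is the point at which to stop and check the restore point and backup before going further.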
How to restore files that have been quarantined by MBAR
When MBAR quarantines rootkit files it places them in the same folder that Malwarebytes Anti-Malware uses for its quarantine. Unlike Malwarebytes Anti-Malware, though, MBAR cannot restore any files it has quarantined.
Instead you must use Malwarebytes Anti-Malware to manage the quarantine. To do this, you must download and install Malwarebytes Anti-Malware, if you don’t already have it. Next go to the Quarantine screen and simply select the entries you wish to restore and then click restore.
It is important to note that if you restore infected files and configuration information, these infections will become active again the next time you reboot your computer. Therefore, only restore files from the quarantine that you know are 100% clean.
How to troubleshoot issues caused by MBAR
Certain rootkits will delete Windows services and change Windows settings which can cause Windows to not operate properly. These problems, which typically appear after the rootkit has been removed, include loss of network connectivity, the Windows Firewall no longer starting, or Windows Update no longer working. To fix these types of issues, Malwarebytes Anti-Rootkit includes a program called fixdamage.exe that can be used to resolve many of these issues.
Fixdamage.exe will scan your computer for deleted or incomplete Windows services and broken Layered Service Providers. It will then recreate any missing or damaged services and repair the Layered Service Provider chain. Fixdamage will also restore all the default Windows Firewall rules if necessary. This will typically resolve most issues with broken network connectivity and Windows services that do not start properly.
Fixdamage.exe should be present in the MBAR folder you extracted earlier.
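A quick way to see which of the symptoms above you actually have, and whether fixdamage.exe fixed them, is to query the service entries behind each symptom before and after running it. The script below is an added example, not part of MBAR or fixdamage.exe. The mapping from symptom to service names (Dhcp, Dnscache, nsi, BFE, MpsSvc, wuauserv, BITS) is this example's own assumption about which services matter, and the `sc query` output it parses is constructed for the offline run rather than captured from a real machine.

```python
"""
Check the Windows services behind the symptoms that can follow a rootkit
removal (no network, firewall not starting, Windows Update broken).

Added example, not part of MBAR or of fixdamage.exe. It calls `sc query`
through an injectable runner so the parsing is testable offline; run it
as Administrator before and after fixdamage.exe to see what was repaired.
"""
import re
import subprocess
from typing import Callable, Dict

# Assumed mapping (this example's, not the tutorial's) from symptom to service.
SERVICES_BY_SYMPTOM = {
    "network connectivity": ["Dhcp", "Dnscache", "nsi", "BFE"],
    "Windows Firewall": ["MpsSvc", "BFE"],
    "Windows Update": ["wuauserv", "BITS"],
}

STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)", re.MULTILINE)


def parse_sc_query(output: str) -> str:
    """Map `sc query <name>` output to RUNNING / STOPPED / ... / MISSING / UNKNOWN."""
    if "FAILED 1060" in output or "does not exist as an installed service" in output:
        return "MISSING"  # the service entry itself is gone: what fixdamage recreates
    match = STATE_RE.search(output)
    return match.group(1) if match else "UNKNOWN"


def sc_query(name: str) -> str:
    """Live runner: invoke sc.exe (Windows only)."""
    proc = subprocess.run(["sc", "query", name], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def check_services(runner: Callable[[str], str] = sc_query) -> Dict[str, Dict[str, str]]:
    """Return {symptom: {service: state}} for every service in SERVICES_BY_SYMPTOM."""
    cache: Dict[str, str] = {}
    report: Dict[str, Dict[str, str]] = {}
    for symptom, names in SERVICES_BY_SYMPTOM.items():
        for name in names:
            if name not in cache:
                cache[name] = parse_sc_query(runner(name))
        report[symptom] = {name: cache[name] for name in names}
    return report


def broken_symptoms(report: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Keep only the symptoms whose services are not all RUNNING, with the offending services."""
    return {sym: {n: s for n, s in states.items() if s != "RUNNING"}
            for sym, states in report.items()
            if any(s != "RUNNING" for s in states.values())}


def _sc_text(name: str, code: int, word: str) -> str:
    """Constructed `sc query` output in the shape sc.exe prints (sample, not captured)."""
    return (f"SERVICE_NAME: {name}\n        TYPE               : 20  WIN32_SHARE_PROCESS\n"
            f"        STATE              : {code}  {word}\n")


# Constructed sample: firewall service stopped, Windows Update service deleted.
SAMPLE_OUTPUT = {
    "Dhcp": _sc_text("Dhcp", 4, "RUNNING"),
    "Dnscache": _sc_text("Dnscache", 4, "RUNNING"),
    "nsi": _sc_text("nsi", 4, "RUNNING"),
    "BFE": _sc_text("BFE", 4, "RUNNING"),
    "MpsSvc": _sc_text("MpsSvc", 1, "STOPPED"),
    "BITS": _sc_text("BITS", 4, "RUNNING"),
    "wuauserv": "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
                "The specified service does not exist as an installed service.\n",
}


def sample_runner(name: str) -> str:
    return SAMPLE_OUTPUT[name]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; pass sc_query for the live machine.
    for symptom, states in broken_symptoms(check_services(sample_runner)).items():
        print(f"{symptom}: {states}")
```

A service reported as MISSING is exactly the case fixdamage.exe is meant to recreate; one reported as STOPPED may only need `sc start <name>` (or a reboot) once the dependencies are back, so re-running the check after fixdamage.exe tells you whether anything still needs manual attention.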