Malwarebytes’ Anti-Rootkit Tutorial


Did you know the term ‘malware’ refers to more than just viruses and worms? Did you know that there are types of malware that infect your system at so deep a level that the operating system doesn’t even realize they are there? Did you know that some malware could make the files, services and running processes associated with its operations invisible? This kind of malware is known as a rootkit and it is a serious problem in today’s computer security world.  Many antivirus solutions have a hard time even detecting rootkit activity, let alone removing it.  To answer the call in the fight against rootkits, Malwarebytes has taken up arms and introduced a new soldier in the cyber-war. Meet Malwarebytes Anti-Rootkit.




This is beta software, for consumer and approved partner use only, use at your own risk, and by proceeding you are agreeing
to the terms of our license agreement, enclosed as “License.rtf”.

All Beta versions are non-final products. Malwarebytes does not guarantee the absence of errors which might lead to interruption
in normal computer operations or data loss. Precautions should be taken. The types of infections targeted by Malwarebytes Anti-Rootkit can be very difficult to remove. Please be sure you have any valued data backed up before proceeding, just as a precaution.

While we encourage and invite participation, Malwarebytes Anti-Rootkit BETA users run the tool at their own risk. Malwarebytes bears
no responsibility for issues that may arise during use of this tool, however all reasonable efforts will be made by Malwarebytes to
assist in recovery should the need arise.

If you continue experiencing problems or MBAR fails to completely detect and remove a rootkit from your system
then please contact us by filling out the form HERE


MBAR has the ability to target rootkits that belong to the following families or that use the following rootkit technologies:

  • Kernel mode drivers hiding themselves, like TDL1, TDL2/TDSS, MaxSS, Srizbi, Necurs, Cutwail, etc.
  • Kernel mode driver patchers/infectors, embedding malicious code into core files of an Operating System, such as TDL3, ZeroAccess, Rloader, etc.
  • Master Boot Record infectors such as TDL4, Mebroot/Sinowal, MoastBoot, Yurn, Pihar, etc.
  • Volume Boot Record/OS Bootstrap infectors like Cidox
  • Disk Partition table infectors like SST/Alureon
  • User mode patchers/infectors like ZeroAccess.


3 Steps prior to using any Rootkit tool:

No.1 Create a New Restore point(Mbar also create’s a new restore point, but better safe than sorry)
No.2 Back-up your registry with EURNT
No.3 Do a normal back-up of your system

Download Malwarebytes Anti-Rootkit    HERE

No.1 Download the ZIP file containing the MBAR files from the link above.

No.2 Save the ZIP file and double click it to open it.

No.3 Extract/Copy the “mbar” to your hard drive; you could put it on the Desktop or just in your root drive like “C:\” it does not
really matter.

No. 4 I recommend you check out the “ReadMe.rtf” file for information on usage instructions and advanced command line parameters
available for the tool in addition to the End-user License Agreement (EULA). It is a very useful resource for using this tool or
if you want to learn even more about what it is capable of.

No.5 To use Malwarebytes Anti-Rootkit simply click on the “mbar.exe” icon. MBAR does not require installation like
Malwarebytes Anti-Malware does and can be used as soon as the files are extracted. If you are using Windows 7 or above,
make sure to allow mbar.exe to use administrative privileges when prompted.

No. 6 Once executed, MBAR will present you with a graphic interface and an introduction about the product and informs you
about the licensing of the tool. To continue, press “Next”.

Mbar 1

No. 7 Next, you are presented with the “Update” interface, which allows you to download the most current definitions from our
Anti-Malware servers to be used to scan the system for rootkits. Click “Update” to download the newest database then click “Next
once it completes the update.

Mbar 2

No. 8 You should now be at the “Scan System” interface; this is where you will allow MBAR to search your system for rootkit activity.
To perform the most complete scan, make sure that the “Scan Targets” are set to all possible options (Drivers/Sectors/System).
Then click “Scan” when you are ready.

Mbar 3

No. 9 Once the scan is complete, MBAR will inform you if it has detected any malware and will advise to you to clean your system.
It also has a “Create Restore Point” option that we highly recommend you select in case something goes wrong with the removal of
the rootkits.


No. 10 After the restore point is created and the rootkit cleanup is scheduled, you will receive a prompt asking for a reboot of your
system. Select “yes” to reboot your system and clean the rootkits.


No. 11 After your reboot, you should run MBAR again to ensure that all infections have been removed from the system.

Mbar 4

No. 12 Once you are rootkit free, in order to ensure that any damage done by removing the rootkit is repaired,
you should run the “fixdamage.exe” application, located in the same MBAR directory as “mbar.exe

No. 13 Clicking on “fixdamage.exe” will open the console application and request confirmation to apply any fixes
to the operating system. Input “Y” to being the fix.

Mbar 5

No. 14  After the fix is complete, it will request you to restart the system again.

No. 15   Run a Quick Scan with Mbam to remove any additional malware

Posted December 17, 2012 by Wide Glide in Malwarebytes' Antimalware

All Things Equal

A fine site

Everything Anti-Malware!

Reviews, Step-by-Step Guides,Toolkits and News

TechNet Blogs

Malware Removal

SUPERAntiSpyware Blog

Malware Removal

Security Garden

Malware Removal


Malware Removal

miekiemoes' Blog

Malware Removal

Malwarebytes Labs

Malware Removal

Metallica's blog

About malware

Malware Removal

Opera News

Malware Removal is the best place for your personal blog or business site.

%d bloggers like this: