Malwarebytes Anti-Rootkit BETA

hello i don't have any malware experience

but i tried this malware :
RKdemo1.2 by EP_X0FF & MP_ART
hxxp://www.kernelmode.info/forum/viewtopic.php?f=11&t=624

MBAR didn't detect it nor MBAM

 

very bad

 

All that proves is that a non-malicious rootkit from more than a year before MBAR existed was not detected.

That has nothing to do with any malware that exists today.

We can add detection for this demo but do not be fooled into thinking that this will protect you from anything today better than before.

 

There is no test to determine if a change is made intentionally or by malware so we always opt to help the novice user assuming that the experienced user will understand and dismiss the detection.

 

Yes, I don't understand the objection to this, other than the semantics of referring to the changes as malware instead of as possibly caused by malware. It is not sufficient for any security product to only remove malware. It is also necessary to reverse any changes to the system made by the malware. After cleaning a system I typically have to go through additional steps to manually fix things such as Windows Updates and the Security Center, so I appreciate that MBAR can do this directly.

 

Hi

Malwarebytes Anti-Rootkit 1.7.0.1008 Beta

http://www.malwarebytes.org/products/mbar/

 

Latest scan...



P.S. I ran these earlier today, but they were not flagged by the new MBAM v2.0 beta that is still under restricted testing.

I have posted about that experience in the beta testing sub-forum, earlier today.

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org

Database version: v2013.12.25.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
<My Name> :: Removed identifying info [limited]

25/12/2013 9:37:37 PM
mbar-log-2013-12-25 (21-37-37).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 231555
Time elapsed: 1 hour(s), 8 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 10
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\AlterHostsFile.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\HKCU_Run.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\HKCU_RunOnce.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\HKCU_RunOnceEx.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\HKLM_Run.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\HKLM_RunOnce.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\HKLM_RunOnceEx.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\IE-HomePageLock.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\IE-KillAdvancedTab.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\IE-KillConnectionsTab.exe (Simulation.Spycar) -> No action taken.

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

does the 2.00 have the same option to not show pup's?

also none of thode spycar tests are signed so ie will give opyion to not run them. they need a fake sig too?

 

Hi all

Malwarebytes Anti-Rootkit 1.7.0.1009 Beta

https://www.malwarebytes.org/antirootkit/

 

Version 1.07.0.1009 of MBAR BETA is now available for download.

Highlights of this release:

Error code 20026 is no longer displayed after removing certain rootkits
Eliminated BSODs under certain scenarios when using MBAR
Fixed issue where MBAR did not unload its drivers properly when done running under certain scenarios
Fixed false positives under certain scenarios when system files were compressed on the drive being scanned

https://forums.malwarebytes.org/index.php?showtopic=140916

 

1.7.0.1012 Beta is available.

 

I am still running MBAM v1.75 here, even though I have updated my other snapshot to v2.00.

Also, one can tell I haven't run an MBAM scan in this snapshot in quite awhile.

....

 

Database updated successfully, but ends up being different. Maybe it is the anti-rootkit DB that is showing, now? This wouldn't be updated, so often.

 

Scanning has been underway for half an hour...

 

Getting close to the end of the scan....I think.

 

I was right!

 

Get these to alerts, One from Voodoshirld and one from my WIm 81. system while trying to run this new beta.

 

---------------------------
Probable rootkit activity detected
---------------------------
Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity.
Note: Press "No" button if you're not sure. If the tool crashes or terminates unexpectedly during a system scan, restart the tool and press "Yes" should this message appear again.
Do you want to remove this value and restart the tool?
---------------------------
Yes No
---------------------------

 

Good thing, that I have tried it out, it gave some false positive, most likely a leftover from IoBit software, but it saved me 343 MB.

 

I got this when running XP as well.
I Didnt remove it.

What did you do?

 

Hi all

Malwarebytes Anti-Rootkit 1.8.3.1004 Beta

https://www.malwarebytes.org/antirootkit/

With Best Regards
Mops21

 

Just tried the latest beta earlier today, and got a BSOD on XP

Spoiler: screenshot

 

Hi all

Malwarebytes Anti-Rootkit 1.9.1.1004 Beta

https://www.malwarebytes.org/antirootkit/

 

Running now...

Spoiler: screenshots