Hello, I don't have any malware experience, but I tried this malware: RKdemo1.2 by EP_X0FF & MP_ART (hxxp://www.kernelmode.info/forum/viewtopic.php?f=11&t=624). MBAR didn't detect it, nor did MBAM.
All that proves is that a non-malicious rootkit from more than a year before MBAR existed was not detected. That has nothing to do with any malware that exists today. We can add detection for this demo but do not be fooled into thinking that this will protect you from anything today better than before.
There is no test to determine if a change is made intentionally or by malware so we always opt to help the novice user assuming that the experienced user will understand and dismiss the detection.
Yes, I don't understand the objection to this, other than the semantics of referring to the changes as malware instead of as possibly caused by malware. It is not sufficient for any security product to only remove malware. It is also necessary to reverse any changes to the system made by the malware. After cleaning a system I typically have to go through additional steps to manually fix things such as Windows Updates and the Security Center, so I appreciate that MBAR can do this directly.
Latest scan... P.S. I ran these earlier today, but they were not flagged by the new MBAM v2.0 beta that is still under restricted testing. I have posted about that experience in the beta testing sub-forum, earlier today.
Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org

Database version: v2013.12.25.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
<My Name> :: Removed identifying info [limited]

25/12/2013 9:37:37 PM
mbar-log-2013-12-25 (21-37-37).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 231555
Time elapsed: 1 hour(s), 8 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 10
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\AlterHostsFile.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\HKCU_Run.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\HKCU_RunOnce.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\HKCU_RunOnceEx.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\HKLM_Run.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\HKLM_RunOnce.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\HKLM_RunOnceEx.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\IE-HomePageLock.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\IE-KillAdvancedTab.exe (Simulation.Spycar) -> No action taken.
C:\Documents and Settings\<My Name>\Desktop\Spycar_tests\IE-KillConnectionsTab.exe (Simulation.Spycar) -> No action taken.

Physical Sectors Detected: 0
(No malicious items detected)

(end)
Does the 2.00 have the same option to not show PUPs? Also, none of those Spycar tests are signed, so IE will give the option to not run them. Do they need a fake sig too?
Version 1.07.0.1009 of MBAR BETA is now available for download.

Highlights of this release:
- Error code 20026 is no longer displayed after removing certain rootkits
- Eliminated BSODs under certain scenarios when using MBAR
- Fixed issue where MBAR did not unload its drivers properly when done running under certain scenarios
- Fixed false positives under certain scenarios when system files were compressed on the drive being scanned

https://forums.malwarebytes.org/index.php?showtopic=140916
I am still running MBAM v1.75 here, even though I have updated my other snapshot to v2.00. Also, one can tell I haven't run an MBAM scan in this snapshot in quite a while. ....
Database updated successfully, but ends up being different. Maybe it is the anti-rootkit DB that is showing, now? This wouldn't be updated, so often.
Got these two alerts, one from VoodooShield and one from my Win 8.1 system, while trying to run this new beta.
---------------------------
Probable rootkit activity detected
---------------------------
Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity.

Note: Press "No" button if you're not sure. If the tool crashes or terminates unexpectedly during a system scan, restart the tool and press "Yes" should this message appear again.

Do you want to remove this value and restart the tool?
---------------------------
Yes   No
---------------------------
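Before answering Yes or No to a prompt like the one above, it helps to see what is actually in AppInit_DLLs, because the value is also populated by legitimate software (accessibility tools, some AV/HIPS products) and not only by rootkits. The following is an added triage script, not something posted in this thread or shipped with MBAR; it assumes Windows 8.1 or later with PowerShell 4+ (Get-FileHash did not exist before that), an elevated prompt, and that an unrooted DLL name resolves from System32, which is a simplification of the real LoadLibrary search order.

```powershell
# Added example (not from the thread): inspect the AppInit_DLLs mechanism that MBAR
# flagged, so the user can decide whether the entries are expected before removing them.
# Assumes PowerShell 4+ (Windows 8.1) and an elevated session.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit view on a 64-bit OS; 32-bit processes read this copy instead.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    Write-Host "== $key"
    # LoadAppInit_DLLs=1 turns the mechanism on; RequireSignedAppInit_DLLs=1 restricts it
    # to signed DLLs. On Windows 8+ with Secure Boot enabled the mechanism is disabled
    # entirely, regardless of these values, so a stale entry there is noise, not a loader.
    Write-Host ("LoadAppInit_DLLs          : {0}" -f $props.LoadAppInit_DLLs)
    Write-Host ("RequireSignedAppInit_DLLs : {0}" -f $props.RequireSignedAppInit_DLLs)

    $raw = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) {
        Write-Host "AppInit_DLLs is empty"
        continue
    }

    # The value is a space- or comma-separated list of DLL paths (8.3 short names allowed).
    foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not [IO.Path]::IsPathRooted($path)) {
            # Assumption for the example: resolve bare names from System32.
            $path = Join-Path $env:SystemRoot "System32\$entry"
        }
        if (Test-Path $path) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            Write-Host ("  {0}" -f $entry)
            Write-Host ("    exists=True signature={0} signer={1}" -f $sig.Status, $sig.SignerCertificate.Subject)
            Write-Host ("    sha256={0}" -f $hash)
        } else {
            # A dangling entry is typical of uninstalled software and cannot load anything;
            # an existing, unsigned DLL in an odd location is what deserves a closer look.
            Write-Host ("  {0}" -f $entry)
            Write-Host "    exists=False (dangling entry)"
        }
    }
}
```

Run it before clicking anything in the MBAR dialog: an empty list or a dangling filename is the leftover-from-an-uninstall case several posters describe, while a present, unsigned DLL with LoadAppInit_DLLs set to 1 is the situation where pressing Yes is the right call, and the SHA256 gives you something to look up or submit.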
Good thing that I tried it out; it gave some false positives, most likely a leftover from IObit software, but it saved me 343 MB.
Hi all,

Malwarebytes Anti-Rootkit 1.8.3.1004 Beta
https://www.malwarebytes.org/antirootkit/

With Best Regards
Mops21