Malwarebytes Anti-Rootkit (MBAR) Review and Real World Test at Work

So yesterday I was sitting at my desk and I got an email from one of our Vipre Enterprise Antivirus Agents….

Machine:          PC  (
User:             domain\user
Scan Date:        11/13/2012 2:17 PM
Software Version: 5.0.4464 (we’re in the process of upgrading to version 6.1.22 which has current anti-rootkit tech)
ThreatDB Version: 13968
Policy:           FGWKS


Threat:     Trojan.Win32.Sirefef.pq (v)
Category:   Trojan
Severity:   Moderate Risk (since when are rootkits moderate risks?!?!)
Action:     Quarantined (not true…those rootkits are still very much there)
Traces Found:
Rootkit:       2724,c:\Windows\explorer.exe,c:\windows\system32\z
Rootkit:       916,c:\Windows\System32\svchost.exe,c:\windows\system32\z


So essentially what this email means is that the Vipre agent let a rootkit come through at some point, is now able to detect it, but cannot remove it.
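Alerts like the one above are worth checking rather than trusting: the agent reports "Quarantined", yet the flagged files are still on disk. The script below is an added example (not from the post or from Vipre) that parses an alert in the same layout as the quoted e-mail into its header fields and trace lines, then compares the claimed action against what is actually on disk. The sample alert text is constructed from the post's e-mail, and the on-disk check is injected as a function so the script runs anywhere; on the affected machine you would pass the real `os.path.exists`.

```python
import os
import re
from typing import Callable, Dict, List, NamedTuple

# Constructed sample alert, modelled on the Vipre Enterprise e-mail quoted in
# the post (same layout, same trace lines; the author's remarks left out).
SAMPLE_ALERT = """\
Machine:          PC
User:             domain\\user
Scan Date:        11/13/2012 2:17 PM
Software Version: 5.0.4464
ThreatDB Version: 13968
Policy:           FGWKS

Threat:     Trojan.Win32.Sirefef.pq (v)
Category:   Trojan
Severity:   Moderate Risk
Action:     Quarantined
Traces Found:
Rootkit:       2724,c:\\Windows\\explorer.exe,c:\\windows\\system32\\z
Rootkit:       916,c:\\Windows\\System32\\svchost.exe,c:\\windows\\system32\\z
"""


class Trace(NamedTuple):
    kind: str      # trace type as labelled by the scanner, e.g. "Rootkit"
    pid: int       # process the trace was observed in
    process: str   # image path of that process
    path: str      # file or directory the scanner flagged


# "Key:   value" header lines; the value may be empty ("Traces Found:").
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*?)\s*$")
# "Rootkit:   <pid>,<process image>,<flagged path>" trace lines.
TRACE_RE = re.compile(
    r"^(?P<kind>\w+):\s+(?P<pid>\d+),(?P<process>[^,]+),(?P<path>.+?)\s*$"
)


def parse_alert(text: str) -> Dict:
    """Split an alert into header fields and the trace list that follows 'Traces Found:'."""
    fields: Dict[str, str] = {}
    traces: List[Trace] = []
    in_traces = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if in_traces:
            m = TRACE_RE.match(line)
            if m:
                traces.append(Trace(m["kind"], int(m["pid"]), m["process"], m["path"]))
            continue
        m = HEADER_RE.match(line)
        if m:
            key = m["key"].strip()
            if key == "Traces Found":
                in_traces = True
            else:
                fields[key] = m["value"]
    return {"fields": fields, "traces": traces}


def still_present(alert: Dict, path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Flagged paths that still exist on disk, deduplicated, in alert order."""
    found: List[str] = []
    for t in alert["traces"]:
        if t.path not in found and path_exists(t.path):
            found.append(t.path)
    return found


def remediation_contradicted(alert: Dict, path_exists: Callable[[str], bool] = os.path.exists) -> bool:
    """True when the alert claims removal but flagged paths are still on disk."""
    action = alert["fields"].get("Action", "").lower()
    claimed = action.startswith(("quarantined", "removed", "deleted"))
    return claimed and bool(still_present(alert, path_exists))


def affected_processes(alert: Dict) -> List[str]:
    """Sorted, case-folded list of process images the traces were seen in."""
    return sorted({t.process.lower() for t in alert["traces"]})


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    # Simulated on-disk state (constructed): the flagged directory is still there.
    fake_fs = {"c:\\windows\\system32\\z"}
    print("Threat:", alert["fields"]["Threat"])
    print("Processes to examine:", affected_processes(alert))
    print("Still present:", still_present(alert, fake_fs.__contains__))
    print("Quarantine claim contradicted:", remediation_contradicted(alert, fake_fs.__contains__))
```

Feeding a real alert through this with `os.path.exists` on the reporting machine gives a quick yes/no on whether the "Quarantined" line can be believed, and the process list tells you which images (here explorer.exe and svchost.exe) the rootkit was living in, which is what you want to know before deciding on a second-opinion scanner.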

So, what to do now…I know!!!  I’ll test that new Malwarebytes Anti-Rootkit (MBAR) and then post the results to my blog…and here we are.

Ok, let’s extract the  Here’s what we have.  Let’s double click on MBAR.


Once MBAR has been opened we’ll update the database.


Once the database has been updated we’ll do a scan.


MBAR finds 18 infections and removes them.


A subsequent scan via MBAR tells us that everything is clean.


For a second opinion, we’ll turn to the proven Hitman Pro.  Looks all clean!

