detection icon

Short bio

Rootkit. is Malwarebytes detection name for a category of malware that provides threat actors the means to remotely access to and gain full control of affected systems without users knowing. To learn more about rootkits, read our related blog content.

Type and source of infection

Depending on its method of infection, operation, and persistence, rootkits can be divided into the following types:

User mode (Ring 3): A user-mode rootkit is the most common and the easiest to implement. It uses relatively simple techniques, such as the import address table (IAT) and inline hooks, to alter the behavior of called functions.

Kernel mode (Ring 0): A kernel mode rootkit live in the kernel space, altering the behavior of kernel-mode functions. A specific variant of kernel-mode rootkit that attacks a bootloader is called a bootkit.

Hypervisor (Ring -1): A firmware rootkit runs on the lowest level of the computer rings, the hypervisor, which runs virtual machines. The kernel of the system infected by this type of a rootkit is not aware that it is not interacting with a real hardware but with the environment altered by the rootkit.

There is a rule that states that a rootkit running in the lower layer cannot be detected by any rootkit software running on layers above it.


Malwarebytes protects users from rootkits by using real-time protection.


To remove rootkits you will often need a dedicated tool like Malwarebytes Anti-Malware.

  1. This is a self-extracting file. Double click to run the tool.
  2. Follow the onscreen instructions to extract it to a location of your choice.It will extract to your desktop by default.
  3. MBAR will then open on its own. Note: On some machines, this may take up to a minute, please be patient.
  4. Follow the instructions in the wizard to update the database and allow the program to scan your computer for threats.
  5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  6. Wait while the system shuts down and the cleanup process is performed.
  7. Once back in Windows, please run another scan with MBAR to verify that no threats remain. To do so, locate the mbar.exe in the extracted mbar folder which should be on your desktop or location selected previously.
  8. Double click on mbar.exe and once again follow the instruction in the wizard to update the database and allow the program to scan your computer for threats.
  9. If threats are still detected, click Cleanup once more and repeat the process until no further detections remain.
  10. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
    • Internet access
    • Windows Update
    • Windows Firewall
  11. If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit. It is located in the Plugins folder inside the MBAR folder.
  12. Verify that your system is now functioning normally.