---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.05.0.1001
(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86
Account is Administrative
Internet Explorer version: 8.0.6001.18702
Java version: 1.6.0_32
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, F:\ DRIVE_FIXED
CPU speed: 3.059000 GHz
Memory total: 1878372352, free: 1040744448

------------ Kernel report ------------
04/16/2013 00:56:50
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
kl1.sys
aliide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
m5287.sys
\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
sr.sys
KSecDD.sys
WudfPf.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\ati2mtag.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\yk51x86.sys
\SystemRoot\system32\DRIVERS\ubohci.sys
\SystemRoot\system32\DRIVERS\UB1394.SYS
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\VClone.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\klif.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\kl2.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\tcpip6.sys
\SystemRoot\System32\vsdatant.sys
\SystemRoot\system32\DRIVERS\Ip6Fw.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\ssmdrv.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\Drivers\ElbyCDIO.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\avkmgr.sys
\SystemRoot\system32\DRIVERS\avipbb.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_m5287.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ati2dvag.dll
\SystemRoot\System32\ati2cqag.dll
\SystemRoot\System32\atikvmag.dll
\SystemRoot\System32\ati3duag.dll
\SystemRoot\System32\ativvaxx.dll
\SystemRoot\system32\DRIVERS\avgntflt.sys
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\AegisP.sys
\SystemRoot\system32\DRIVERS\nwlnkipx.sys
\SystemRoot\system32\DRIVERS\nwlnknb.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\DRIVERS\nwlnkspx.sys
\??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\Drivers\StarOpen.SYS
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\ubsbm.sys
\SystemRoot\system32\DRIVERS\ubumapi.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk5\DR8
Upper Device Object: 0xffffffff8992c998
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000080\
Lower Device Object: 0xffffffff89781798
Lower Device Driver Name: \Driver\usbstor\
Driver name found: usbstor
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR7
Upper Device Object: 0xffffffff89779200
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007f\
Lower Device Object: 0xffffffff89798ea0
Lower Device Driver Name: \Driver\usbstor\
Driver name found: usbstor
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR6
Upper Device Object: 0xffffffff897912d0
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007e\
Lower Device Object: 0xffffffff89782ea0
Lower Device Driver Name: \Driver\usbstor\
Driver name found: usbstor
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR5
Upper Device Object: 0xffffffff897902d0
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007d\
Lower Device Object: 0xffffffff89796278
Lower Device Driver Name: \Driver\usbstor\
Driver name found: usbstor
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8a358030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\m52871Port2Path0Target6Lun0\
Lower Device Object: 0xffffffff8a359030
Lower Device Driver Name: \Driver\m5287\
Driver name found: m5287
Initialization returned 0x0
Port sub-driver loaded: \??\C:\WINDOWS\system32\drivers\scsiport.sys (0x0)
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8a359ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\m52871Port2Path0Target0Lun0\
Lower Device Object: 0xffffffff8a2c0a38
Lower Device Driver Name: \Driver\m5287\
Driver name found: m5287
Downloaded database version: v2013.04.15.13
Downloaded database version: v2013.03.25.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8a359ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a359890, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a359ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a2c0a38, DeviceName: \Device\Scsi\m52871Port2Path0Target0Lun0\, DriverName: \Driver\m5287\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe237e588, 0xffffffff8a359ab8, 0xffffffff8a265ab8
Lower DeviceData: 0xffffffffe2e51798, 0xffffffff8a2c0a38, 0xffffffff884ae510
<<<3>>>
Volume: C: File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C: File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 67DF67DF
Partition information:
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 155653722
    Partition is not bootable
    Partition 1 type is Extended with LBA (0xf)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 155653785  Numsec = 156906855
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
Disk Size: 160041884672 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-62-312561806-312581806)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff8a358030, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a359678, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a358030, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a359030, DeviceName: \Device\Scsi\m52871Port2Path0Target6Lun0\, DriverName: \Driver\m5287\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe1165880, 0xffffffff8a358030, 0xffffffff89144500
Lower DeviceData: 0xffffffffe2ffc080, 0xffffffff8a359030, 0xffffffff88f27f18
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 572C4
Partition information:
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 976768002
    Partition file system is NTFS
    Partition is not bootable
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
Disk Size: 500106779136 bytes
Sector size: 512 bytes
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffffffff897902d0, DeviceName: \Device\Harddisk2\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff897899a0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff897902d0, DeviceName: \Device\Harddisk2\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89796278, DeviceName: \Device\0000007d\, DriverName: \Driver\usbstor\
------------ End ----------
Physical Sector Size: 0
Drive: 3, DevicePointer: 0xffffffff897912d0, DeviceName: \Device\Harddisk3\DR6\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8977a560, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff897912d0, DeviceName: \Device\Harddisk3\DR6\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89782ea0, DeviceName: \Device\0000007e\, DriverName: \Driver\usbstor\
------------ End ----------
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xffffffff89779200, DeviceName: \Device\Harddisk4\DR7\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff897799d0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89779200, DeviceName: \Device\Harddisk4\DR7\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89798ea0, DeviceName: \Device\0000007f\, DriverName: \Driver\usbstor\
------------ End ----------
Physical Sector Size: 0
Drive: 5, DevicePointer: 0xffffffff8992c998, DeviceName: \Device\Harddisk5\DR8\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89791a48, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8992c998, DeviceName: \Device\Harddisk5\DR8\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89781798, DeviceName: \Device\00000080\, DriverName: \Driver\usbstor\
------------ End ----------
Done!
Performing system, memory and registry scan...
Infected: c:\WINDOWS\system32\ctfmon.exe --> [Trojan.FakeMS]
<<<1>>>
Upper Device Name: \Device\Harddisk5\DR8
Upper Device Object: 0xffffffff8992c998
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000080\
Lower Device Object: 0xffffffff89781798
Lower Device Driver Name: \Driver\usbstor\
Device already Exists: 0xffffffff88f4c0e8
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR7
Upper Device Object: 0xffffffff89779200
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007f\
Lower Device Object: 0xffffffff89798ea0
Lower Device Driver Name: \Driver\usbstor\
Device already Exists: 0xffffffff8969eb98
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR6
Upper Device Object: 0xffffffff897912d0
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007e\
Lower Device Object: 0xffffffff89782ea0
Lower Device Driver Name: \Driver\usbstor\
Device already Exists: 0xffffffff8921e4b8
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR5
Upper Device Object: 0xffffffff897902d0
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007d\
Lower Device Object: 0xffffffff89796278
Lower Device Driver Name: \Driver\usbstor\
Device already Exists: 0xffffffff892e4518
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8a358030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\m52871Port2Path0Target6Lun0\
Lower Device Object: 0xffffffff8a359030
Lower Device Driver Name: \Driver\m5287\
Device already Exists: 0xffffffff88f27f18
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8a359ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\m52871Port2Path0Target0Lun0\
Lower Device Object: 0xffffffff8a2c0a38
Lower Device Driver Name: \Driver\m5287\
Device already Exists: 0xffffffff884ae510
Infected file c:\WINDOWS\system32\ctfmon.exe could not be remediated because backup file is not available
Done!
Scan finished
=======================================