---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.10.3.1001
(c) Malwarebytes Corporation 2011-2012

OS version: 10.0.9200 Windows 10 x64
System is currently in a safe mode
Account is Administrative
Internet Explorer version: 11.789.19041.0
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.594000 GHz
Memory total: 4236910592, free: 1772593152

Downloaded database version: v2021.05.31.07
Downloaded database version: v2021.05.31.07
Downloaded database version: v2018.01.20.01
=======================================
Initializing...
Driver version: 4.3.0.15
------------ Kernel report ------------
     05/31/2021 13:07:42
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\cng.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\WppRecorder.sys
\SystemRoot\system32\drivers\SleepStudyHelper.sys
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\system32\drivers\SgrmAgent.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\IntelTA.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\isapnp.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\ucx01000.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\evbda.sys
\SystemRoot\System32\drivers\pcmcia.sys
\SystemRoot\System32\drivers\pciide.sys
\SystemRoot\System32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\intelide.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\sdbus.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\vmbus.sys
\SystemRoot\System32\drivers\NDIS.SYS
\SystemRoot\System32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\hvsocket.sys
\SystemRoot\System32\drivers\vmbkmcl.sys
\SystemRoot\System32\drivers\winhv.sys
\SystemRoot\System32\drivers\vpci.sys
\SystemRoot\System32\drivers\bxvbda.sys
\SystemRoot\System32\drivers\nvraid.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\urscx01000.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\iaStorV.sys
\SystemRoot\System32\drivers\vsmraid.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\3ware.sys
\SystemRoot\System32\drivers\amdsata.sys
\SystemRoot\System32\drivers\amdxata.sys
\SystemRoot\System32\drivers\amdsbs.sys
\SystemRoot\System32\drivers\arcsas.sys
\SystemRoot\System32\drivers\ItSas35i.sys
\SystemRoot\System32\drivers\lsi_sas.sys
\SystemRoot\System32\drivers\lsi_sas2i.sys
\SystemRoot\System32\drivers\lsi_sas3i.sys
\SystemRoot\System32\drivers\lsi_sss.sys
\SystemRoot\System32\drivers\megasas.sys
\SystemRoot\System32\drivers\MegaSas2i.sys
\SystemRoot\System32\drivers\megasas35i.sys
\SystemRoot\System32\drivers\megasr.sys
\SystemRoot\System32\drivers\mvumis.sys
\SystemRoot\System32\drivers\nvstor.sys
\SystemRoot\System32\drivers\percsas2i.sys
\SystemRoot\System32\drivers\percsas3i.sys
\SystemRoot\System32\drivers\SiSRaid2.sys
\SystemRoot\System32\drivers\sisraid4.sys
\SystemRoot\System32\drivers\vstxraid.sys
\SystemRoot\System32\drivers\stexstor.sys
\SystemRoot\System32\drivers\cht4sx64.sys
\SystemRoot\System32\drivers\iaStorAVC.sys
\SystemRoot\System32\drivers\atapi.sys
\SystemRoot\System32\drivers\ataport.SYS
\SystemRoot\System32\drivers\storahci.sys
\SystemRoot\System32\drivers\stornvme.sys
\SystemRoot\System32\drivers\ADP80XX.SYS
\SystemRoot\System32\drivers\HpSAMD.sys
\SystemRoot\System32\drivers\SmartSAMD.sys
\SystemRoot\System32\drivers\nvdimm.sys
\SystemRoot\System32\drivers\EhStorTcgDrv.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys
\SystemRoot\System32\drivers\storvsc.sys
\SystemRoot\System32\drivers\usbehci.sys
\SystemRoot\System32\drivers\USBPORT.SYS
\SystemRoot\System32\drivers\usbhub.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\System32\drivers\vmstorfl.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\bttflt.sys
\SystemRoot\System32\drivers\volume.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\System32\drivers\uaspstor.sys
\SystemRoot\System32\drivers\storufs.sys
\SystemRoot\System32\drivers\sdstor.sys
\SystemRoot\System32\drivers\scmbus.sys
\SystemRoot\System32\drivers\sbp2port.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\system32\DRIVERS\ramdisk.sys
\SystemRoot\System32\drivers\pmem.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\iorate.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\system32\DRIVERS\GeneStor.sys
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DriverStore\FileRepository\basicdisplay.inf_amd64_65ab9a260dbf7467\BasicDisplay.sys
\SystemRoot\System32\DriverStore\FileRepository\basicrender.inf_amd64_df49c4daa6251397\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\CimFS.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afunix.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\System32\drivers\ndiscap.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_7500cffa210c6946\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\DriverStore\FileRepository\umbus.inf_amd64_b78a9c5b6fd62c27\umbus.sys
\SystemRoot\System32\drivers\TeeDriverW8x64.sys
\SystemRoot\system32\drivers\usbaudio.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\portcls.sys
\SystemRoot\System32\drivers\drmk.sys
\SystemRoot\System32\drivers\netr28x.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\rt640x64.sys
\SystemRoot\System32\drivers\cdrom.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\DriverStore\FileRepository\swenum.inf_amd64_16a14542b63c02af\swenum.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\System32\drivers\kbdhid.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\drivers\dump_storahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kbase.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\drivers\msquic.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\drivers\vwifimp.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\USBSTOR.SYS
\SystemRoot\System32\drivers\condrv.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\3623522A.sys
----------- End -----------
Done!
IRP handler 14 of \Driver\storahci points to an unknown module
Unhooking enabled.
Scan started
Database versions:
  main:    v2021.05.31.07
  rootkit: v2021.05.31.07

<<<1>>>
Upper Device Name: \Device\Harddisk1\DR4
Upper Device Object: 0xffffdd821e1b90a0
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000050\
Lower Device Object: 0xffffdd82183eaa70
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffdd82183c2060
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000028\
Lower Device Object: 0xffffdd8218222050
Lower Device Driver Name: \Driver\storahci\
Driver name found: storahci
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\storport.sys (0x0)
Load Function returned 0x0
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffdd82183c2060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffdd8218382040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffdd82183c2060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffdd8218222050, DeviceName: \Device\00000028\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0xffffb802da06d9a0, 0xffffdd82183c2060, 0xffffdd821e415090
Lower DeviceData: 0xffffb802da06da00, 0xffffdd8218222050, 0xffffdd821e141cf0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1DEDF7A

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 1185792
    Partition is bootable
    Partition file system is NTFS

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1187840  Numsec = 974485445
    Partition is not bootable
    Partition file system is NTFS

    Partition 2 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 975673344  Numsec = 1095680
    Partition is not bootable
    Partition file system is NTFS

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

Infected: MBR on Drive 0 --> [Bootkit.Pitou.MBR]
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
MBR structure for a drive 0 has been fixed successfully
MBR infection found on drive 0
Disk Size: 500107862016 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffdd821e1b90a0, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffdd821e492040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffdd821e1b90a0, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\disk\
DevicePointer: 0xffffdd82183eaa70, DeviceName: \Device\00000050\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\disk\
Upper DeviceData: 0xffffb802da06dc10, 0xffffdd821e1b90a0, 0xffffdd821e326760
Lower DeviceData: 0xffffb802da06d9d0, 0xffffdd82183eaa70, 0xffffdd821e4944e0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 4030201

Partition information:

    Partition 0 type is Other (0xb)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 240  Numsec = 1994512
    Partition is not bootable
    Partition file system is FAT32

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

Disk Size: 1021313024 bytes
Sector size: 512 bytes
Done!
Infected: HKU\S-1-5-21-2251894981-3858074833-453683670-1001\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} --> [Trojan.Agent]
Infected: C:\Users\josev\AppData\Roaming\tdbtwcr --> [Trojan.MalPack]
Infected: C:\Users\josev\Desktop\Malwarebytes.Premium.4.2.0.82\LicenseMalwareBytes.exe --> [RiskWare.DontStealOurSoftware]
Scan Interrupted
Scan was aborted.
Creating System Restore point...
Could not create restore point...
Cleaning up...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
=======================================