--------------------------------------- Malwarebytes Anti-Rootkit BETA 1.09.4.1001 (c) Malwarebytes Corporation 2011-2012 OS version: 10.0.15063 Windows 10 x64 Account is Administrative Internet Explorer version: 11.0.15063.0 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED CPU speed: 2.304000 GHz Memory total: 8475541504, free: 4754698240 Downloaded database version: v2017.04.07.05 Initializing... ====================== Driver version: 0.3.0.4 ------------ Kernel report ------------ 04/07/2017 13:18:17 ------------ Loaded modules ----------- \SystemRoot\system32\ntoskrnl.exe \SystemRoot\system32\hal.dll \SystemRoot\system32\kd.dll \SystemRoot\system32\mcupdate_GenuineIntel.dll \SystemRoot\System32\drivers\msrpc.sys \SystemRoot\System32\drivers\ksecdd.sys \SystemRoot\System32\drivers\werkernel.sys \SystemRoot\System32\drivers\CLFS.SYS \SystemRoot\System32\drivers\tm.sys \SystemRoot\system32\PSHED.dll \SystemRoot\system32\BOOTVID.dll \SystemRoot\System32\drivers\FLTMGR.SYS \SystemRoot\System32\drivers\clipsp.sys \SystemRoot\System32\drivers\cmimcext.sys \SystemRoot\System32\drivers\ntosext.sys \SystemRoot\system32\CI.dll \SystemRoot\System32\drivers\cng.sys \SystemRoot\system32\drivers\Wdf01000.sys \SystemRoot\system32\drivers\WDFLDR.SYS \SystemRoot\system32\drivers\SleepStudyHelper.sys \SystemRoot\System32\Drivers\acpiex.sys \SystemRoot\System32\Drivers\WppRecorder.sys \SystemRoot\System32\drivers\ACPI.sys \SystemRoot\System32\drivers\WMILIB.SYS \SystemRoot\System32\drivers\msisadrv.sys \SystemRoot\System32\drivers\pci.sys \SystemRoot\System32\drivers\tpm.sys \SystemRoot\System32\drivers\intelpep.sys \SystemRoot\system32\drivers\WindowsTrustedRT.sys \SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys \SystemRoot\System32\drivers\pcw.sys \SystemRoot\system32\drivers\ndistpr64.sys \SystemRoot\system32\drivers\NETIO.SYS \SystemRoot\system32\drivers\NDIS.SYS \SystemRoot\system32\drivers\TDI.SYS \SystemRoot\System32\drivers\vdrvroot.sys \SystemRoot\system32\drivers\pdc.sys \SystemRoot\system32\drivers\CEA.sys \SystemRoot\System32\drivers\partmgr.sys \SystemRoot\System32\drivers\spaceport.sys \SystemRoot\System32\drivers\volmgr.sys \SystemRoot\System32\drivers\volmgrx.sys \SystemRoot\System32\drivers\mountmgr.sys \SystemRoot\System32\drivers\iaStorA.sys \SystemRoot\System32\drivers\storport.sys \SystemRoot\System32\drivers\EhStorClass.sys \SystemRoot\System32\drivers\fileinfo.sys \SystemRoot\System32\Drivers\Wof.sys \SystemRoot\system32\drivers\mfehidk.sys \SystemRoot\System32\Drivers\NTFS.sys \SystemRoot\System32\Drivers\Fs_Rec.sys \SystemRoot\System32\Drivers\ksecpkg.sys \SystemRoot\System32\drivers\tcpip.sys \SystemRoot\System32\drivers\fwpkclnt.sys \SystemRoot\System32\drivers\wfplwfs.sys \SystemRoot\system32\drivers\mfewfpk.sys \SystemRoot\System32\DRIVERS\fvevol.sys \SystemRoot\System32\drivers\volume.sys \SystemRoot\System32\drivers\volsnap.sys \SystemRoot\System32\drivers\rdyboost.sys \SystemRoot\System32\Drivers\mup.sys \SystemRoot\system32\drivers\iorate.sys \SystemRoot\System32\drivers\disk.sys \SystemRoot\System32\drivers\CLASSPNP.SYS \SystemRoot\System32\Drivers\crashdmp.sys \SystemRoot\System32\drivers\cdrom.sys \SystemRoot\system32\drivers\filecrypt.sys \SystemRoot\system32\drivers\tbs.sys \SystemRoot\System32\Drivers\Null.SYS \SystemRoot\System32\Drivers\Beep.SYS \SystemRoot\System32\drivers\BasicDisplay.sys \SystemRoot\System32\drivers\watchdog.sys \SystemRoot\System32\drivers\dxgkrnl.sys \SystemRoot\System32\drivers\vmbkmclr.sys \SystemRoot\System32\drivers\BasicRender.sys \SystemRoot\System32\Drivers\Npfs.SYS \SystemRoot\System32\Drivers\Msfs.SYS \SystemRoot\system32\DRIVERS\tdx.sys \SystemRoot\System32\DRIVERS\netbt.sys \SystemRoot\system32\drivers\afd.sys \SystemRoot\System32\drivers\vwififlt.sys \SystemRoot\System32\drivers\pacer.sys \SystemRoot\system32\drivers\netbios.sys \SystemRoot\system32\DRIVERS\rdbss.sys \SystemRoot\system32\drivers\nsiproxy.sys \SystemRoot\System32\drivers\npsvctrig.sys \SystemRoot\System32\drivers\mssmbios.sys \SystemRoot\System32\drivers\gpuenergydrv.sys \SystemRoot\System32\Drivers\dfsc.sys \SystemRoot\system32\DRIVERS\ahcache.sys \SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_de4c68ea4fb1be53\CompositeBus.sys \SystemRoot\System32\drivers\kdnic.sys \SystemRoot\System32\drivers\umbus.sys \SystemRoot\System32\drivers\CAD.sys \SystemRoot\System32\DriverStore\FileRepository\119748.inf_amd64_8e3972f5c88264c0\igdkmd64.sys \SystemRoot\System32\drivers\dptf_cpu.sys \SystemRoot\System32\drivers\USBXHCI.SYS \SystemRoot\system32\drivers\ucx01000.sys \SystemRoot\System32\drivers\TeeDriverW8x64.sys \SystemRoot\System32\drivers\rt640x64.sys \SystemRoot\system32\DRIVERS\Netwtw04.sys \SystemRoot\system32\DRIVERS\wdiwifi.sys \SystemRoot\System32\drivers\vwifibus.sys \SystemRoot\System32\drivers\i8042prt.sys \SystemRoot\system32\DRIVERS\SynTP.sys \SystemRoot\system32\DRIVERS\USBD.SYS \SystemRoot\System32\drivers\kbdclass.sys \SystemRoot\System32\drivers\mouclass.sys \SystemRoot\System32\drivers\CmBatt.sys \SystemRoot\System32\drivers\BATTC.SYS \SystemRoot\System32\drivers\HDAudBus.sys \SystemRoot\System32\drivers\portcls.sys \SystemRoot\System32\drivers\drmk.sys \SystemRoot\System32\drivers\ks.sys \SystemRoot\system32\DRIVERS\Smb_driver_Intel.sys \SystemRoot\System32\drivers\wmiacpi.sys \SystemRoot\System32\drivers\intelppm.sys \SystemRoot\System32\drivers\acpipagr.sys \SystemRoot\system32\DRIVERS\WirelessButtonDriver64.sys \SystemRoot\system32\DRIVERS\HIDCLASS.SYS \SystemRoot\system32\DRIVERS\HIDPARSE.SYS \SystemRoot\System32\drivers\UEFI.sys \SystemRoot\System32\drivers\NdisVirtualBus.sys \SystemRoot\System32\drivers\swenum.sys \SystemRoot\System32\drivers\rdpbus.sys \SystemRoot\System32\drivers\UsbHub3.sys \SystemRoot\system32\drivers\RTKVHD64.sys \SystemRoot\system32\drivers\ksthunk.sys \SystemRoot\system32\DRIVERS\IntcDAud.sys \SystemRoot\System32\drivers\hidusb.sys \SystemRoot\system32\DRIVERS\ibtusb.sys \SystemRoot\system32\DRIVERS\BTHUSB.sys \SystemRoot\system32\DRIVERS\bthport.sys \SystemRoot\System32\drivers\usbccgp.sys \SystemRoot\System32\drivers\mouhid.sys \SystemRoot\System32\Drivers\usbvideo.sys \SystemRoot\system32\drivers\mfeaack.sys \SystemRoot\system32\drivers\mfeplk.sys \SystemRoot\system32\drivers\mfeavfk.sys \SystemRoot\system32\drivers\mfefirek.sys \SystemRoot\system32\DRIVERS\mfencbdc.sys \SystemRoot\system32\DRIVERS\Microsoft.Bluetooth.Legacy.LEEnumerator.sys \SystemRoot\System32\drivers\rfcomm.sys \SystemRoot\System32\drivers\BthEnum.sys \SystemRoot\System32\drivers\bthpan.sys \SystemRoot\System32\Drivers\fastfat.SYS \SystemRoot\System32\win32k.sys \SystemRoot\System32\win32kfull.sys \SystemRoot\System32\win32kbase.sys \SystemRoot\System32\drivers\dxgmms2.sys \SystemRoot\System32\drivers\monitor.sys \SystemRoot\System32\TSDDD.dll \SystemRoot\System32\cdd.dll \SystemRoot\system32\drivers\WudfPf.sys \SystemRoot\system32\DRIVERS\esif_lf.sys \SystemRoot\system32\DRIVERS\WUDFRd.sys \SystemRoot\system32\drivers\mmcss.sys \SystemRoot\system32\drivers\luafv.sys \SystemRoot\system32\drivers\wcifs.sys \SystemRoot\system32\drivers\storqosflt.sys \SystemRoot\System32\drivers\registry.sys \SystemRoot\system32\DRIVERS\cdfs.sys \SystemRoot\system32\drivers\lltdio.sys \SystemRoot\system32\drivers\mslldp.sys \SystemRoot\system32\drivers\rspndr.sys \SystemRoot\System32\DRIVERS\wanarp.sys \SystemRoot\system32\DRIVERS\nwifi.sys \SystemRoot\system32\drivers\ndisuio.sys \SystemRoot\System32\Drivers\dump_diskdump.sys \SystemRoot\System32\Drivers\dump_iaStorA.sys \SystemRoot\System32\Drivers\dump_dumpfve.sys \SystemRoot\system32\drivers\HTTP.sys \SystemRoot\system32\DRIVERS\bowser.sys \SystemRoot\System32\drivers\mpsdrv.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys \SystemRoot\system32\DRIVERS\mrxsmb20.sys \SystemRoot\System32\drivers\condrv.sys \SystemRoot\System32\DRIVERS\srvnet.sys \SystemRoot\System32\DRIVERS\srv2.sys \SystemRoot\system32\DRIVERS\mrxsmb10.sys \SystemRoot\system32\drivers\Ndu.sys \??\C:\windows\system32\drivers\npf.sys \SystemRoot\system32\drivers\peauth.sys \SystemRoot\System32\DRIVERS\srv.sys \SystemRoot\System32\drivers\tcpipreg.sys \??\C:\Program Files (x86)\Digital Care Solutions\Digital Care\plugins\{3333F5A1-4CDC-4B43-A55F-66F57DAFD5A6}\64bit\WinDivert64.sys \SystemRoot\System32\drivers\vwifimp.sys \SystemRoot\System32\drivers\tunnel.sys \SystemRoot\system32\DRIVERS\Trufos.sys \??\C:\Program Files\BDServices\gzflt.sys \SystemRoot\System32\drivers\WSDPrint.sys \SystemRoot\system32\DRIVERS\WSDScan.sys \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys ----------- End ----------- Done! Scan started Database versions: main: v2017.04.07.05 rootkit: v2017.04.02.01 <<<2>>> Physical Sector Size: 512 Drive: 0, DevicePointer: 0xffffc302e53b5610, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xffffc302e2bef9f0, DeviceName: Unknown, DriverName: \Driver\partmgr\ DevicePointer: 0xffffc302e53b5610, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ DevicePointer: 0xffffc302e119bc40, DeviceName: Unknown, DriverName: \Driver\ACPI\ DevicePointer: 0xffffc302df46a3c0, DeviceName: \Device\00000037\, DriverName: \Driver\iaStorA\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ Upper DeviceData: 0x0, 0x0, 0x0 Lower DeviceData: 0x0, 0x0, 0x0 <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes <<<2>>> <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers... The directory C:\WINDOWS\SYSTEM32\drivers seems inaccessible or encrypted. Drivers scan is aborted. Done! Drive 0 This is a System drive Scanning MBR on drive 0... Inspecting partition table: This drive is a GPT Drive. MBR Signature: 55AA Disk Signature: 3070F30A GPT Protective MBR Partition information: Partition 0 type is EFI-GPT (0xee) Partition is NOT ACTIVE. Partition starts at LBA: 1 Numsec = 4294967295 Partition 1 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 2 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 GPT Partition information: GPT Header Signature 4546492050415254 GPT Header Revision 65536 Size 92 CRC 2531504341 GPT Header CurrentLba = 1 BackupLba 1953525167 GPT Header FirstUsableLba 34 LastUsableLba 1953525134 GPT Header Guid e52473aa-2052-41c7-8e4b-2bc8804246b GPT Header Contains 128 partition entries starting at LBA 2 GPT Header Partition entry size = 128 Backup GPT header Signature 4546492050415254 Backup GPT header Revision 65536 Size 92 CRC 2531504341 Backup GPT header CurrentLba = 1953525167 BackupLba 1 Backup GPT header FirstUsableLba 34 LastUsableLba 1953525134 Backup GPT header Guid e52473aa-2052-41c7-8e4b-2bc8804246b Backup GPT header Contains 128 partition entries starting at LBA 1953525135 Backup GPT header Partition entry size = 128 Partition 0 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b Partition ID 35e1cd02-b3c0-4112-a785-d4da6cc2141f FirstLBA 2048 Last LBA 534527 Attributes 0 Partition Name EFI system partition GPT Partition 0 is bootable Partition 1 Type e3c9e316-b5c-4db8-817d-f92df0215ae Partition ID f91a5d17-e71a-45ce-9192-ca9f8d59ca6 FirstLBA 534528 Last LBA 567295 Attributes 0 Partition Name Microsoft reserved partition Partition 2 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 Partition ID 1c15d032-3023-408c-9b4c-b552e065a737 FirstLBA 567296 Last LBA 1922185215 Attributes 0 Partition Name Basic data partition Partition 3 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac Partition ID 3ad9d932-b5be-4c3b-bca3-607bb7102b12 FirstLBA 1922185216 Last LBA 1924192255 Attributes 1 Partition Name Basic data partition Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 Partition ID 75076ef3-bbd3-4039-8689-4a5f4f8ce157 FirstLBA 1924192256 Last LBA 1953513471 Attributes 1 Partition Name Basic data partition Disk Size: 1000204886016 bytes Sector size: 512 bytes Done! Infected: C:\Program Files (x86)\ntuserlitelist\dataup\dataup.exe --> [Adware.Yelloader] Infected: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Dataup --> [Adware.Yelloader] Infected: C:\Program Files (x86)\ntuserlitelist\dataup\dataup.exe --> [Adware.Yelloader] Infected: C:\Users\Sean\AppData\Local\ntuserlitelist\winscr\winscr.exe --> [Adware.Yelloader] File C:\Windows\System32\drivers\SWDUMon.sys will be destroyed Infected: C:\Windows\System32\drivers\SWDUMon.sys --> [PUP.Optional.DriverUpdate] Infected: C:\Users\Sean\AppData\Local\drutkycvq\qdcomsvc.exe --> [Trojan.Clicker.Generic] Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|svcvmx --> [Trojan.Clicker] Infected: C:\Users\Sean\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe --> [Trojan.Clicker] Infected: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\drmkpro64 --> [Rootkit.Agent.PUA] Infected: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\DATAUP|ImagePath --> [Trojan.Clicker] Infected: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Dataup --> [Trojan.Clicker] Infected: C:\Users\Sean\AppData\Local\llssoft\winvmx --> [Trojan.Clicker.D] Infected: C:\Users\Sean\AppData\Local\ntuserlitelist --> [Trojan.Clicker] Infected: C:\Program Files (x86)\ntuserlitelist --> [Trojan.Clicker] Scan finished Creating System Restore point... Cleaning up... <<<2>>> <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Removal scheduling successful. System shutdown needed. System shutdown occurred =======================================