Jump to content
security_concerned

MBAR Rootkit False Positives

Recommended Posts

I wanted to get a second opinion from you guys on some results from the Malwarebytes Anti-Rootkit scanner we have used on several Windows machines on our network.  We noticed some issues with odd behavior on our network, and got them cleaned up we believe for the most part with MSE and Malwarebytes Malware Scanner (not mbar).  To be extra thorough we decided to scan some of the Windows servers with the MWB Anti-Rootkit scanner for extra assurance.  We found a handful of computers with positive results from MBAR.  All of the results came up with "Unknown.rootkit.Driver" across a variety of files in C:\windows\system32\drivers, which MBAR reported as "Forged File".  However we took the files and uploaded them to virustotal.com which is run by Kaspersky which checks the hashes of the files against known good file.  All of the positive results we got were for Windows 2003 Servers, no other servers appear to be yeilding results from mbar.

 

My questions are this:

-How does mbar classify files as a "forged file"?

-Are there ways these files can be coming up as good on virustotal.com but still be infected with rootkits?

-Does anyone here with the know how still believe these infections are legit?

 

The mbar results for one of these servers are below:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

© Malwarebytes Corporation 2011-2012

OS version: 5.2.3790 Windows Server 2003 Service Pack 2 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_13

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.327000 GHz
Memory total: 2142724096, free: 1236303872

Downloaded database version: v2013.11.22.09
Downloaded database version: v2013.10.11.02
=======================================
Initializing...
------------ Kernel report ------------
     11/22/2013 09:46:17
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
intelide.sys
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
volsnap.sys
PartMgr.sys
xevtchn.sys
\WINDOWS\system32\DRIVERS\XENUTIL.SYS
xenvif.sys
atapi.sys
perc2.sys
\WINDOWS\system32\drivers\SCSIPORT.SYS
xenvbd.sys
scsifilt.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
MpFilter.sys
Dfs.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
xennet.sys
r1vssfltr.sys
r1fltr.sys
Mup.sys
crcdisk.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\cirrus.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\watchdog.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\xeniface.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_xenvbd.sys
\SystemRoot\System32\Drivers\dump_XENUTIL.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\TDTCP.SYS
\SystemRoot\System32\Drivers\RDPWD.SYS
\SystemRoot\System32\RDPDD.dll
\SystemRoot\System32\cirrus.dll
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff89ffd9a8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\xenvbd1Port2Path0Target0Lun0\
Lower Device Object: 0xffffffff89f09030
Lower Device Driver Name: \Driver\xenvbd\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff89ffd9a8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89f0ab80, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89ffd9a8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89faccf8, DeviceName: Unknown, DriverName: \Driver\scsifilt\
DevicePointer: 0xffffffff89f09030, DeviceName: \Device\Scsi\xenvbd1Port2Path0Target0Lun0\, DriverName: \Driver\xenvbd\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 512, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 512, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 512, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Read File: File "C:\WINDOWS\system32\drivers\smb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\smb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\smclib.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\smclib.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sonydcam.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\sonydcam.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\srv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\srv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\storport.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\storport.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\stream.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\stream.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\swenum.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\swenum.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tape.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\tape.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tcpip.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\tcpip.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tcpip6.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\tcpip6.sys" is compressed (flags = 1)
File C:\WINDOWS\SYSTEM32\drivers\tcpip6.sys --> [Forged file]
Replacement file found for a file C:\WINDOWS\SYSTEM32\drivers\tcpip6.sys
Read File: File "C:\WINDOWS\system32\drivers\tcpip6.sys" is compressed (flags = 1)
Infected: C:\WINDOWS\SYSTEM32\drivers\tcpip6.sys --> [unknown.Rootkit.Driver]
Read File: File "C:\WINDOWS\system32\drivers\tdi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\tdi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tdpipe.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\tdpipe.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tdtcp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\tdtcp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\termdd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\termdd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tunmp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\tunmp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\uagp35.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\uagp35.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\udfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\udfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\uliagpkx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\uliagpkx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\fastfat.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\fastfat.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\fdc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\fdc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\fips.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\fips.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\flpydisk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\flpydisk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\fltmgr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\fltmgr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\fsvga.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\fsvga.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\fs_rec.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\fs_rec.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ftdisk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ftdisk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\gagp30kx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\gagp30kx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\hdaudbus.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\hdaudbus.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\hdaudio.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\hdaudio.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\hidclass.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\hidclass.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\hidparse.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\hidparse.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\hidusb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\hidusb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\hpcisss.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\hpcisss.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\http.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\http.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\i8042prt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\i8042prt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\imapi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\imapi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\acpi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\acpi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\acpiec.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\acpiec.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\afd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\afd.sys" is compressed (flags = 1)
File C:\WINDOWS\SYSTEM32\drivers\afd.sys --> [Forged file]
Replacement file found for a file C:\WINDOWS\SYSTEM32\drivers\afd.sys
Read File: File "C:\WINDOWS\system32\drivers\afd.sys" is compressed (flags = 1)
Infected: C:\WINDOWS\SYSTEM32\drivers\afd.sys --> [unknown.Rootkit.Driver]
Read File: File "C:\WINDOWS\system32\drivers\amdide.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\amdide.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\amdk6.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\amdk6.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\amdk7.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\amdk7.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\amdk8.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\amdk8.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\arc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\arc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\asyncmac.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\asyncmac.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atapi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\atapi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ati2mpad.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ati2mpad.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atmarpc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\atmarpc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atmarps.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\atmarps.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atmepvc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\atmepvc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atmlane.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\atmlane.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atmuni.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\atmuni.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\audstub.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\audstub.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mouhid.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\mouhid.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mountmgr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\mountmgr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\MpFilter.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\MpFilter.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mqac.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\mqac.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mrxdav.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\mrxdav.sys" is compressed (flags = 1)
File C:\WINDOWS\SYSTEM32\drivers\mrxdav.sys --> [Forged file]
Replacement file found for a file C:\WINDOWS\SYSTEM32\drivers\mrxdav.sys
Read File: File "C:\WINDOWS\system32\drivers\mrxdav.sys" is compressed (flags = 1)
Infected: C:\WINDOWS\SYSTEM32\drivers\mrxdav.sys --> [unknown.Rootkit.Driver]
Read File: File "C:\WINDOWS\system32\drivers\mrxsmb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\mrxsmb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\msfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\msfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\msgpc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\msgpc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mssmbios.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\mssmbios.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mup.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\mup.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ndis.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ndis.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ndistapi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ndistapi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ndisuio.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ndisuio.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ndiswan.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ndiswan.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ndproxy.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ndproxy.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\netbios.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\netbios.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\netbt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\netbt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nmnt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\nmnt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\npfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\npfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ntfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ntfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rasl2tp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\rasl2tp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\raspppoe.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\raspppoe.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\raspptp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\raspptp.sys" is compressed (flags = 1)
File C:\WINDOWS\SYSTEM32\drivers\raspptp.sys --> [Forged file]
Replacement file found for a file C:\WINDOWS\SYSTEM32\drivers\raspptp.sys
Read File: File "C:\WINDOWS\system32\drivers\raspptp.sys" is compressed (flags = 1)
Infected: C:\WINDOWS\SYSTEM32\drivers\raspptp.sys --> [unknown.Rootkit.Driver]
Read File: File "C:\WINDOWS\system32\drivers\raspti.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\raspti.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rawwan.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\rawwan.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rdbss.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\rdbss.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rdpcdd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\rdpcdd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rdpdr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\rdpdr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rdpwd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\rdpwd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\redbook.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\redbook.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rmcast.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\rmcast.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rndismp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\rndismp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rndismpx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\rndismpx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rootmdm.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\rootmdm.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\RTL8139.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\RTL8139.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sacdrv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\sacdrv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\scsifilt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\scsifilt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\scsiport.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\scsiport.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\secdrv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\secdrv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\serenum.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\serenum.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\serial.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\serial.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\beep.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\beep.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\intelide.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\intelide.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mouclass.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\mouclass.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\null.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\null.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rasacd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\rasacd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sfloppy.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\sfloppy.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\update.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\update.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usb8023.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\usb8023.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usb8023x.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\usb8023x.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbcamd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\usbcamd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbcamd2.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\usbcamd2.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbccgp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\usbccgp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbccid.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\usbccid.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\usbd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbhub.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\usbhub.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbintel.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\usbintel.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbohci.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\usbohci.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbport.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\usbport.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbuhci.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\usbuhci.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbvideo.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\usbvideo.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\vdmindvd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\vdmindvd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\vga.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\vga.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\videoprt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\videoprt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\volsnap.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\volsnap.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\wanarp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\wanarp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\watchdog.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\watchdog.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\wlbs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\wlbs.sys" is compressed (flags = 1)
File C:\WINDOWS\SYSTEM32\drivers\wlbs.sys --> [Forged file]
Replacement file found for a file C:\WINDOWS\SYSTEM32\drivers\wlbs.sys
Read File: File "C:\WINDOWS\system32\drivers\wlbs.sys" is compressed (flags = 1)
Infected: C:\WINDOWS\SYSTEM32\drivers\wlbs.sys --> [unknown.Rootkit.Driver]
Read File: File "C:\WINDOWS\system32\drivers\wmilib.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\wmilib.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\wpdusb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\wpdusb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ws2ifsl.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ws2ifsl.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\xeniface.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\xeniface.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\xennet.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\xennet.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\xenutil.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\xenutil.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\xenvbd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\xenvbd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\xenvif.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\xenvif.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\xevtchn.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\xevtchn.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nv_agp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\nv_agp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwlnkipx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\nwlnkipx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwlnknb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\nwlnknb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwlnkspx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\nwlnkspx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwrdr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\nwrdr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\oprghdlr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\oprghdlr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\p3.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\p3.sys" is compressed (flags = 1)
File C:\WINDOWS\SYSTEM32\drivers\p3.sys --> [Forged file]
Replacement file found for a file C:\WINDOWS\SYSTEM32\drivers\p3.sys
Read File: File "C:\WINDOWS\system32\drivers\p3.sys" is compressed (flags = 1)
Infected: C:\WINDOWS\SYSTEM32\drivers\p3.sys --> [unknown.Rootkit.Driver]
Read File: File "C:\WINDOWS\system32\drivers\parport.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\parport.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\partmgr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\partmgr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\parvdm.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\parvdm.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\pci.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\pci.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\pciide.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\pciide.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\pciidex.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\pciidex.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\pcmcia.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\pcmcia.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\perc2.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\perc2.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\perc2cin.dll" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\perc2cin.dll" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\perc2evt.exe" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\perc2evt.exe" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\processr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\processr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\psched.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\psched.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ptilink.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ptilink.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\r1fltr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\r1fltr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\r1vssfltr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\r1vssfltr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\bridge.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\bridge.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cbidf2k.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\cbidf2k.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cdfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\cdfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cdrom.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\cdrom.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cirrus.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\cirrus.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\classpnp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\classpnp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\crcdisk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\crcdisk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\crusoe.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\crusoe.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\dfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\disk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\disk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\diskdump.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\diskdump.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dmboot.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\dmboot.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dmio.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\dmio.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dmload.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\dmload.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dxapi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\dxapi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dxgthk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\dxgthk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\e1000325.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\e1000325.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\intelppm.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\intelppm.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ip6fw.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ip6fw.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ipfltdrv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ipfltdrv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ipnat.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ipnat.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ipsec.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ipsec.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\isapnp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\isapnp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\kbdclass.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\kbdclass.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\kbdhid.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\kbdhid.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ks.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM32\drivers\ks.sys" is compressed (flags = 1)
File C:\WINDOWS\SYSTEM32\drivers\ks.sys --> [Forged file]
Replacement file found for a file C:\WINDOWS\SYSTEM32\drivers\ks.sys
Read File: File "C:\WINDOWS\system32\drivers\ks.sys" is compressed (flags = 1)
Infected: C:\WINDOWS\SYSTEM32\drivers\ks.sys --> [unknown.Rootkit.Driver]
Too many forged files. Probable DDA driver failure.
Driver scan terminated, results discarded.
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 6FEB239E

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 64197

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 64260  Numsec = 20563200
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 20627460  Numsec = 266084595

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 214758850560 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-419430880-419450880)...
Done!
Read File: File "C:\WINDOWS\system32\config\AppEvent.Evt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\config\SecEvent.Evt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\config\SysEvent.Evt" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\******\Cookies\index.dat" is compressed (flags = 1)
Read File: File "C:\WINDOWS\WindowsUpdate.log" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\******\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
Scan finished
 

Thanks,

Security_Concerned

Share this post


Link to post
Share on other sites

I dont believe these are legit detections.

As far as virustotal coming out legit.

 

-How does mbar classify files as a "forged file"?

-Are there ways these files can be coming up as good on virustotal.com but still be infected with rootkits?

 

Its related to these two.

 

A forged file is a file that has a difference to what user land and kernal sees in the file. If you upload a file to virustotal its from a normal user read and not kernel level so rootkits would present the legit file to you i user mode when you upload.

 

This is what a lot of rootkits do running the infected code in the kernal mode so it cant be seen easily.

 

Your detections may be related drive encryption or compression. I would recommend contacting our support with  this issue to get this resolved further as this is not a definition problem.

Share this post


Link to post
Share on other sites

As this issue is being handled in Support, I will close this topic now.

Thanks for contacting us, and thanks for choosing Malwarebytes!

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.