
Potential Rootkit


17 replies to this topic

#1 jfirestorm44


  • Members
  • 49 posts

Posted 14 June 2006 - 10:48 PM

Hi. Every time I run SpySweeper it tells me I have a potential rootkit masked file and that it will delete it on reboot, but every time I reboot and then scan again it's still there. I just want to know if there is anything in my HijackThis log that indicates a rootkit or any program that might be spyware. Also, could this just be a false positive? Please let me know.

Logfile of HijackThis v1.99.1
Scan saved at 8:45:00 PM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\HP\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Opera 9 Beta\Opera.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\COMPAQ~1\Desktop\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PCDrProfiler] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/downl...lscbase5059.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145402590656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 127.0.0.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: MPGEZL - Unknown owner - C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MPGEZL.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe



#2 Guest_Cretemonster_*


  • Guests

Posted 15 June 2006 - 04:26 AM

Hi jfirestorm44 and Welcome to the Bleeping Computer!


Download GMER from Here

Right Click the Zip and Select "Extract All"

Double Click gmer.exe to launch the program.

Click on the Rootkit Tab and then click Scan.

It takes a while to run. Once complete, copy the results to Notepad and save them somewhere safe.

Post those results in the next reply.
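Added example, not part of the original post, of Cretemonster's instructions, or of GMER itself: a small Python triage script for the "SSDT" and "Device" lines a GMER rootkit scan prints. The SSDT section names the kernel module that has replaced a System Service Descriptor Table entry, and the Device section names the module that owns a driver's IRP dispatch entry. Security products hook these legitimately (ProcessGuard's procguard.sys, visible in the HijackThis log above, is one), so the useful questions are which hooking module you cannot account for, and whether it hooks the calls a rootkit uses to hide files, processes or registry keys. The SAMPLE_LOG is constructed in GMER's output format (the hypothetical "hidden.sys" exists only to exercise the unknown-module path), and KNOWN_MODULES is an assumed allowlist for the example; build your own from the machine's verified driver inventory.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the format a GMER rootkit scan prints (not the
# thread's real log). "hidden.sys" is a hypothetical unknown driver added
# only to exercise the unknown-module path of the triage below.
SAMPLE_LOG = r"""
GMER 1.0.10.10122 - http://www.gmer.net

---- System - GMER 1.0.10 ----

SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateFile
SSDT SSI.SYS ZwCreateProcess
SSDT sptd.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwTerminateProcess
SSDT hidden.sys ZwQueryDirectoryFile
SSDT hidden.sys ZwQuerySystemInformation

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 86D9AEB0
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7B8E85A] avgtdi.sys
Device \Driver\00000045 \Device\00000049 IRP_MJ_SYSTEM_CONTROL [F748BEA8] sptd.sys
"""

# Allowlist assumed for this example. procguard.sys belongs to ProcessGuard
# (the HIPS visible in the thread's HijackThis log); the others are
# placeholders for drivers whose vendor, path and hash you have confirmed
# on the machine being examined.
KNOWN_MODULES = {"procguard.sys", "ssi.sys", "sptd.sys", "avgtdi.sys"}

# Native calls a rootkit hooks to hide files, processes, registry keys or
# handles. Hooking these is not proof of malice (HIPS and disc-emulation
# drivers do it too), but it is what earns a module a closer look.
CONCEALMENT_FUNCS = {
    "ZwQueryDirectoryFile", "ZwQuerySystemInformation",
    "ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryKey", "ZwQueryValueKey",
    "ZwOpenProcess", "ZwDeviceIoControlFile",
}

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)\s*$")
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>IRP_MJ_\w+)\s+"
    r"(?:\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<rawaddr>[0-9A-Fa-f]+))\s*$"
)


@dataclass
class ModuleHooks:
    ssdt: set = field(default_factory=set)     # Zw* functions this module hooks
    devices: set = field(default_factory=set)  # (device, IRP major) entries it owns


def module_name(raw):
    """Reduce '\\??\\C:\\WINDOWS\\system32\\drivers\\procguard.sys' to 'procguard.sys'."""
    return raw.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Collect SSDT and device-dispatch hooks per module from GMER scan text.
    Device entries with a bare address and no module name are not attributed
    by GMER to any module and are skipped."""
    hooks = defaultdict(ModuleHooks)
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            hooks[module_name(m["module"])].ssdt.add(m["func"])
            continue
        m = DEVICE_RE.match(line)
        if m and m["module"]:
            hooks[module_name(m["module"])].devices.add((m["device"], m["irp"]))
    return dict(hooks)


def triage(hooks, known_modules):
    """Classify each hooking module: 'unknown' (not on the allowlist),
    'review' (allowed, but hooks concealment-capable calls) or 'known'."""
    result = {}
    for mod, h in hooks.items():
        conceal = sorted(h.ssdt & CONCEALMENT_FUNCS)
        if mod not in known_modules:
            verdict = "unknown"
        elif conceal:
            verdict = "review"
        else:
            verdict = "known"
        result[mod] = {"verdict": verdict, "ssdt": len(h.ssdt),
                       "devices": len(h.devices), "conceal": conceal}
    return result


def report(text, known_modules=KNOWN_MODULES):
    """Parse a GMER log and return one triage line per module, most suspicious first."""
    order = {"unknown": 0, "review": 1, "known": 2}
    verdicts = triage(parse_gmer(text), known_modules)
    lines = []
    for mod, v in sorted(verdicts.items(), key=lambda kv: (order[kv[1]["verdict"]], kv[0])):
        extra = ("  concealment-capable: " + ", ".join(v["conceal"])) if v["conceal"] else ""
        lines.append(f"{v['verdict']:<8}{mod:<16}ssdt={v['ssdt']} devices={v['devices']}{extra}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a saved GMER log by passing the file's contents to report(). A module that comes out "unknown" is the one to identify next (who ships it, where it lives on disk, whether the file is visible from a clean boot); a "review" verdict for an allowlisted driver such as sptd.sys, which hooks the registry enumeration calls, is expected and is why a plain "it hooks the SSDT" heuristic is not enough on its own.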

#3 jfirestorm44

  • Topic Starter

  • Members
  • 49 posts

Posted 15 June 2006 - 05:56 PM

Hi Cretemonster, thanks for the reply. Here are the GMER results.


GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-06-15 15:53:06
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateKey
SSDT SSI.SYS ZwCreateProcess
SSDT SSI.SYS ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateThread
SSDT SSI.SYS ZwDeleteKey
SSDT SSI.SYS ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwFsControlFile
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwOpenSection
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwProtectVirtualMemory
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwReadVirtualMemory
SSDT SSI.SYS ZwRenameKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwRequestWaitReplyPort
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSetContextThread
SSDT SSI.SYS ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSuspendProcess
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwTerminateThread
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwWriteVirtualMemory

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 86D9AEB0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 8682A448
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7B8E85A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP_POWER [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F7B8E85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP_POWER [F73D720C] SSI.SYS
Device \Driver\00000045 \Device\00000049 IRP_MJ_SYSTEM_CONTROL [F748BEA8] sptd.sys
Device \Driver\00000045 \Device\00000049 IRP_MJ_DEVICE_CHANGE [F749FA70] sptd.sys
Device \Driver\00000045 \Device\00000049 IRP_MJ_PNP_POWER [F7498728] sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 86D9BEB0
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 86D9BEB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86D9B4D0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSEIRP_MJ_READ 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 86926EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_PNP 86926EB0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 86D9B4D0
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 86D9B4D0
Device \Driver\usbstor \Device\00000074 IRP_MJ_CREATE 8683AEB0
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE 86D9B4D0
Device \Driver\usbstor \Device\00000075 IRP_MJ_CREATE 8683AEB0
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE 86D9B4D0
Device \Driver\usbstor \Device\00000076 IRP_MJ_CREATE 8683AEB0
Device \Driver\usbstor \Device\00000077 IRP_MJ_CREATE 8683AEB0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 868A9838
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 868A9838
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F7B8E85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP_POWER [F73D720C] SSI.SYS
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 86D9A0E8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F7B8E85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP_POWER [F73D720C] SSI.SYS
Device \Driver\Disk \Device\Harddisk1\DR3 IRP_MJ_CREATE 86D9A0E8
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+7 IRP_MJ_CREATE 86D9A0E8
Device \Driver\Disk \Device\Harddisk2\DR4 IRP_MJ_CREATE 86D9A0E8
Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+8 IRP_MJ_CREATE 86D9A0E8
Device \Driver\Disk \Device\Harddisk3\DR5 IRP_MJ_CREATE 86D9A0E8
Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+9 IRP_MJ_CREATE 86D9A0E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2CC6DF3E-0EF8-444C-ACF7-26B3A1E6F681} IRP_MJ_CREATE 868A9838
Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+a IRP_MJ_CREATE 86D9A0E8
Device \Driver\Disk \Device\Harddisk4\DR6 IRP_MJ_CREATE 86D9A0E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSEIRP_MJ_READ 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 86854A18
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP_POWER 86854A18
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F7B8E85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP [F73D720C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP_POWER [F73D720C] SSI.SYS
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSEIRP_MJ_READ 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 86854A18
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP_POWER 86854A18
Device \Driver\usbstor \Device\0000006f IRP_MJ_CREATE 8683AEB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 86A05EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 86A05EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSE 86A05EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 86A05EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 86A05EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 86A05EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 86A05EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_EA 86A05EB0
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 86D9BEB0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 8692F738
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target3Lun0 IRP_MJ_CREATE 86D9C5A0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target1Lun0 IRP_MJ_CREATE 86D9C5A0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target2Lun0 IRP_MJ_CREATE 86D9C5A0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 IRP_MJ_CREATE 86D9C5A0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 86D9C5A0
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 8682A448
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 8689C810

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}

---- EOF - GMER 1.0.10 ----
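In the Devices section above, GMER prints a bare address when an IRP dispatch handler sits in the device's own driver, and a bracketed address plus a module name when the handler resolves to another module; the second kind is what a dispatch-table hook looks like, and each one should be matched to a product known to be installed. The triage script below is an added example, not part of the thread or of GMER, and its sample lines are constructed from the format shown above:

```python
"""Triage the 'Devices' section of a GMER log: group hooked IRP dispatch
entries by the module that owns the handler.

Added example, not part of the thread or of GMER; the sample lines are
constructed to match the log format above."""
import re
from collections import defaultdict

# "Device <driver> <device> <IRP_MJ_x> [<addr>] <module>"  -> handler in another module
# "Device <driver> <device> <IRP_MJ_x> <addr>"             -> handler in the driver itself
_LINE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>IRP_MJ_\w+)\s+"
    r"(?:\[(?P<hook_addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<addr>[0-9A-Fa-f]+))\s*$"
)

def parse_device_lines(text):
    """Return one dict per parsable 'Device' line; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def hooks_by_module(text):
    """Map each foreign module to the (driver, device, IRP) entries it handles.
    Lines with a bare address are the normal case and are left out."""
    hooked = defaultdict(list)
    for e in parse_device_lines(text):
        if e["module"]:
            hooked[e["module"]].append((e["driver"], e["device"], e["irp"]))
    return dict(hooked)

# Constructed sample in the format of the log above (addresses as shown there).
SAMPLE = "\n".join([
    r"Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F73D720C] SSI.SYS",
    r"Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F7B8E85A] avgtdi.sys",
    r"Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP [F73D720C] SSI.SYS",
    r"Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 86854A18",
    r"Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 86A05EB0",
    "---- Files - GMER 1.0.10 ----",   # section header, ignored by the parser
])

if __name__ == "__main__":
    # Every module listed should correspond to a product known to be installed;
    # anything unexplained is the entry to investigate next.
    for module, entries in sorted(hooks_by_module(SAMPLE).items()):
        print(f"{module}: {len(entries)} hooked dispatch entries")
        for driver, device, irp in entries:
            print(f"  {driver} {device} {irp}")
```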

#4 Guest_Cretemonster_*

  • Guests

Posted 15 June 2006 - 06:08 PM

Make sure SpySweeper is updated with the latest definitions please.


Open Spy Sweeper and click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#5 jfirestorm44

  • Topic Starter
  • Members
  • 49 posts

Posted 15 June 2006 - 06:39 PM

Here's the Session log. But when I scan again it's still there.


4:11 PM: | Start of Session, Thursday, June 15, 2006 |
4:11 PM: Spy Sweeper started
4:11 PM: Sweep initiated using definitions version 699
4:11 PM: Starting Memory Sweep
4:15 PM: Memory Sweep Complete, Elapsed Time: 00:03:51
4:15 PM: Starting Registry Sweep
4:15 PM: Registry Sweep Complete, Elapsed Time:00:00:10
4:15 PM: Starting Cookie Sweep
4:15 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:15 PM: Starting File Sweep
4:29 PM: Found System Monitor: potentially rootkit-masked files
4:29 PM: 6729bbf9-d54c-48cb-a4d7-ad400339d808.dat (ID = 0)
4:32 PM: File Sweep Complete, Elapsed Time: 00:17:08
4:32 PM: Full Sweep has completed. Elapsed time 00:21:13
4:32 PM: Traces Found: 1
4:59 PM: Deletion from quarantine initiated
4:59 PM: Processing: potentially rootkit-masked files
4:59 PM: Deletion from quarantine completed. Elapsed time 00:00:00
4:59 PM: Removal process initiated
4:59 PM: Quarantining All Traces: potentially rootkit-masked files
4:59 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
4:59 PM: 6729bbf9-d54c-48cb-a4d7-ad400339d808.dat is in use. It will be removed on reboot.
4:59 PM: Preparing to restart your computer. Please wait...
4:59 PM: Removal process completed. Elapsed time 00:00:03

Edited by jfirestorm44, 15 June 2006 - 07:28 PM.


#6 Guest_Cretemonster_*

  • Guests

Posted 16 June 2006 - 02:52 AM

Copy all the text in the quote box to a blank notepad page and save it to the desktop with the name find.bat


dir \6729bbf9-d54c-48cb-a4d7-ad400339d808.dat /a h /s > File.txt



Double-click find.bat and wait for the DOS window to close.

File.txt will be automatically generated; post the contents of that text file please.

#7 jfirestorm44

  • Topic Starter
  • Members
  • 49 posts

Posted 16 June 2006 - 05:42 PM

Ok, here are the results.


Volume in drive C is PRESARIO
Volume Serial Number is 06CF-E434

Directory of C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\AntiPhishing

06/10/2006 07:10 PM 74,748 6729BBF9-D54C-48CB-A4D7-AD400339D808.dat
1 File(s) 74,748 bytes

#8 Guest_Cretemonster_*

  • Guests

Posted 16 June 2006 - 07:13 PM

Hmm, that's a rather interesting entry; could it be something Symantec placed there?

I'd have to go and look at another machine I have with NIS 2004, but I can honestly say I've not noticed that one before.

Looks more like McAfee than Symantec.

Either way, go to Safe Mode and be sure Windows is showing hidden files:
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp


Manually delete all the files in that folder please.

C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files


Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN Temp, but not Temp itself!)

C:\Temp

C:\Windows\Temp

C:\Documents and Settings\Owner\Local Settings\Temp

C:\Documents and Settings\<Your Profile>\Local Settings\Temp

C:\Documents and Settings\<All other users Profile>\Local Settings\Temp

Empty your "Recycle Bin"

Open Internet Explorer,
Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files (check the box for Delete all offline content)

Go to Start,
Select All Programs
Select Accessories
Select System Tools
Select and run Disk Cleanup (make sure that all boxes are checked for cleaning)


Restart Normal and Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.


#9 jfirestorm44

  • Topic Starter
  • Members
  • 49 posts

Posted 16 June 2006 - 09:13 PM

Okay, I've done everything you said, and the F-Secure Online Scan said no virus was detected. But Spy Sweeper still picks up a potential rootkit. I'm confused. No other program seems to detect this rootkit that Sweeper keeps finding and can't delete.
Do you have any other ideas of why it keeps doing this? I just want to make sure that there isn't any rootkit at all, and it worries me that it keeps appearing.

#10 Guest_Cretemonster_*

  • Guests

Posted 17 June 2006 - 04:31 AM

Can you see this entry?

C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat

#11 jfirestorm44

  • Topic Starter
  • Members
  • 49 posts

Posted 17 June 2006 - 02:34 PM

No, the furthest I can go is Temporary Internet Files. That folder is full of crap, but there is no AntiPhishing folder or even a 6729bbf9...dat file. I've looked for this before and couldn't find it; I can't search for it or run it either.

#12 Guest_Cretemonster_*

  • Guests

Posted 17 June 2006 - 02:48 PM

Let's try this little utility for removing files.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot and Unregister .dll before Deleting
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Reboot normally, delete the old file.txt and then run find.bat again.

Let's see if it reappears.
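Killbox's "Delete on Reboot" option and the PendingFileRenameOperations prompt it may show refer to the registry value Windows uses to queue file deletions and renames for the next boot: the Session Manager reads it early in startup and carries out each entry before the file can be held open again. The decoder below is an added example, not code from the thread or from Killbox; the registry location is general Windows knowledge, and the sample value is constructed here around the path named in the thread.

```python
"""Decode PendingFileRenameOperations, the REG_MULTI_SZ value under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager that delete-on-reboot
tools write. Added example, not from the thread or from Killbox; the sample
value is constructed."""

NT_PREFIX = "\\??\\"   # NT object-path prefix Windows puts in front of Win32 paths

def decode_multi_sz(data: bytes):
    """Split raw REG_MULTI_SZ bytes (UTF-16-LE, each string NUL-terminated, list
    ended by one more NUL) into a list of strings. Work on the raw bytes: an empty
    string is meaningful in this value (it marks a delete), so a splitter that
    stops at the first empty entry would silently drop everything after it."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ data is not double-NUL terminated")
    # split() gives one element per NUL plus a trailing ''; the last two elements
    # come from the list terminator and the end of the data, not from strings.
    return text.split("\0")[:-2]

def encode_multi_sz(strings):
    """Inverse of decode_multi_sz, used here only to build the constructed sample."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")

def _strip_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def parse_pending_ops(data: bytes):
    """Return (action, source, destination) for each queued operation. Entries
    come in pairs; an empty destination means delete, and a leading '!' on the
    destination means the target may be overwritten (replace)."""
    strings = decode_multi_sz(data)
    ops = []
    for i in range(0, len(strings), 2):
        src = strings[i]
        dst = strings[i + 1] if i + 1 < len(strings) else ""
        if dst == "":
            action = "delete"
        elif dst.startswith("!"):
            action, dst = "replace", dst[1:]
        else:
            action = "rename"
        ops.append((action, _strip_prefix(src), _strip_prefix(dst)))
    return ops

# Constructed sample: the delete Killbox would queue for the file from the thread,
# plus one replace-on-reboot entry with made-up paths.
SAMPLE_VALUE = encode_multi_sz([
    r"\??\C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files"
    r"\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat", "",
    r"\??\C:\WINDOWS\Temp\example_new.dll", r"!\??\C:\WINDOWS\system32\example.dll",
])

if __name__ == "__main__":
    for action, src, dst in parse_pending_ops(SAMPLE_VALUE):
        print(f"{action:8} {src}" + (f" -> {dst}" if dst else ""))
```

Reviewing this value before and after a delete-on-reboot tool runs shows exactly what has been queued, which is the check to make when a removal keeps "succeeding" yet the file is found again on the next scan.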

#13 jfirestorm44

  • Topic Starter
  • Members
  • 49 posts

Posted 17 June 2006 - 02:57 PM

Ok, I was going to do this, but before I do I want to let you know that it won't let me select the "Unregister .dll before Deleting" option. It's there but I can't select it. Should I do everything else and run it anyway?

#14 Guest_Cretemonster_*

  • Guests

Posted 17 June 2006 - 03:00 PM

Whoops, I wasn't supposed to leave that there.

I was supposed to just say select Delete on Reboot :thumbsup:

#15 jfirestorm44

  • Topic Starter
  • Members
  • 49 posts

Posted 17 June 2006 - 03:09 PM

Okay, it's done, but it didn't ask me anything about the file PendingFileRenameOperations. Is that good or bad?



