Unable To Install Antivirus Or Firewall


13 replies to this topic

#1 Char0n
  • Members
  • 7 posts

Posted 04 March 2007 - 05:29 AM

Hi, this is the first time I've come across a problem like this, so I really appreciate any suggestions.

Ok, on to the nitty gritty: yesterday I was stupid enough to execute a crack, "Natural Text to Speech Reader Standard 6.exe", which started a few processes that I was unable to terminate.
My McAfee 2005 9.x AntiVirus stopped working. Any attempts to reinstall or install other AV (Nod32, Kaspersky, Norton 2005, BitDefender, Panda) were interrupted by fatal errors.
I followed the "Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer" and came across TSPY.BAGLE.PAC with Housecall Anti Virus (resolved).

Also I noticed that Spybot - Search and Destroy had its *.exe removed as soon as it was installed, and I can't install a firewall (Zone Alarm, Norton 2006, not even the Windows XP SP2 Firewall!).


Logfile of HijackThis v1.99.1
Scan saved at 12:23:24, on 04.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HyperIM\HyperIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\nvsvc32.exe
d:\programare\oracle\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
D:\Programare\Oracle\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Program Files\Total Commander\TOTALCMD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Dan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tweaknow.com/RegCleanerPro.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [HyperIM] C:\Program Files\HyperIM\HyperIM.exe -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\Programare\Oracle\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - d:\programare\oracle\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - D:\Programare\Oracle\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - D:\Programare\Oracle\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

#2 Mr_JAk3
    HJT Team Member
  • Members
  • 527 posts
  • Location:Finland

Posted 06 March 2007 - 03:01 AM

Hi Char0n and welcome to the Forums :flowers:

Sounds like you're infected.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

:thumbsup:
UNITE & ASAP member since 2006

#3 Char0n
  • Topic Starter
  • Members
  • 7 posts

Posted 06 March 2007 - 10:38 AM

Ok, this is the GMER Rootkit log (I unchecked the Registry and the Files sections 'cause it was taking way too long):

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-03-06 17:31:22
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Documents and Settings\Dan\Application Data\hidires\m_hook.sys ZwCreateFile
SSDT sptd.sys ZwCreateKey
SSDT \??\C:\Documents and Settings\Dan\Application Data\hidires\m_hook.sys ZwEnumerateKey
SSDT \??\C:\Documents and Settings\Dan\Application Data\hidires\m_hook.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT \??\C:\Documents and Settings\Dan\Application Data\hidires\m_hook.sys ZwQueryDirectoryFile
SSDT \??\C:\Documents and Settings\Dan\Application Data\hidires\m_hook.sys ZwQueryKey
SSDT \??\C:\Documents and Settings\Dan\Application Data\hidires\m_hook.sys ZwQuerySystemInformation
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.12 ----

.text ntdll.dll!NtClose 7C90D586 5 Bytes JMP 7203407A
.text ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 72034205
.text ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 720340E9
.text ntdll.dll!NtCreateSection 7C90D793 5 Bytes JMP 72034098

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 81BA8E30
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 81BA8E30
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 8193F7E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 8193F7E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 81BCD500
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 81BCD500
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 81BCD500
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 81BCD500
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 81BCD500
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 81BCD500
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 81BCD500
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 81BCD500
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 81BCD500
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 81BCD500
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 81BCD500
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 81BCD500
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 81BCD500
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 81BCD500
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 81BCD500
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 81BCD500
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 81BCD500
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 81BCD500
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 81BCD500
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 81BCD500
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 81BCD500
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 81BCD500
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 81BCD500
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 81BCD500
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 81BCD500
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 81BCD500
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 81BCD500
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 81BCD500
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 81BCD500
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 81BCD500
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 81BCD500
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 81BCD500
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 81BCD500
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 81BCD500
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 81BCD500
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 81BCD500
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 81BCD500
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 81BCD500
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 81BCD500
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 81BCD500
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 81BCD500
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 81BCD500
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 81BCD500
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 81BCD500
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 81BCD738
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 81BCD738
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 819602F0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 819602F0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 81A64EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 81A64EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 81A64EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 81A64EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 81A64EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 81A64EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81A64EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 81A64EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 81A64EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 81A64EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 81A64EB0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 81961C38
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 81961C38
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 81961C38
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 81961C38
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 81961C38
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 81961C38
Device \Driver\00000165 \Device\0000003e IRP_MJ_POWER [F994CEA8] sptd.sys
Device \Driver\00000165 \Device\0000003e IRP_MJ_SYSTEM_CONTROL [F9960A70] sptd.sys
Device \Driver\00000165 \Device\0000003e IRP_MJ_PNP [F9959728] sptd.sys
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 81961C38
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 81961C38
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 81961C38
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 81961C38
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 81961C38
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 81961C38
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 81BA80E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 81BA80E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 81BA80E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 81BA80E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 81BA80E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 81BA80E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81BA80E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 81BA80E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 81BA80E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 81BA80E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 81BA80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 8195AD58
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 8195AD58
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 8197FAD0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 8197FAD0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSE 8197FAD0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 8197FAD0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 8197FAD0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 8197FAD0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 8197FAD0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FLUSH_BUFFERS 8197FAD0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_VOLUME_INFORMATION 8197FAD0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_DIRECTORY_CONTROL 8197FAD0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FILE_SYSTEM_CONTROL 8197FAD0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLEANUP 8197FAD0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_SECURITY 8197FAD0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_SECURITY 8197FAD0
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 81BCD738
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 81BCD738
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 81BCD738
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 81BCD738
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 81BCD738
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 81BCD738
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 81BCD738
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 81BCD738
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 81BCD738
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 81BCD738
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 81BCD738
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 819836F0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLOSE 819836F0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 819836F0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_WRITE 819836F0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_INFORMATION 819836F0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_INFORMATION 819836F0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_VOLUME_INFORMATION 819836F0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_DIRECTORY_CONTROL 819836F0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_FILE_SYSTEM_CONTROL 819836F0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLEANUP 819836F0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE_MAILSLOT 819836F0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_SECURITY 819836F0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_SECURITY 819836F0
Device \Driver\NetBT \Device\NetBT_Tcpip_{36761ABC-073A-4AB8-9F1E-05D482EB353A} IRP_MJ_CREATE 81961C38
Device \Driver\NetBT \Device\NetBT_Tcpip_{36761ABC-073A-4AB8-9F1E-05D482EB353A} IRP_MJ_CLOSE 81961C38
Device \Driver\NetBT \Device\NetBT_Tcpip_{36761ABC-073A-4AB8-9F1E-05D482EB353A} IRP_MJ_DEVICE_CONTROL 81961C38
Device \Driver\NetBT \Device\NetBT_Tcpip_{36761ABC-073A-4AB8-9F1E-05D482EB353A} IRP_MJ_INTERNAL_DEVICE_CONTROL 81961C38
Device \Driver\NetBT \Device\NetBT_Tcpip_{36761ABC-073A-4AB8-9F1E-05D482EB353A} IRP_MJ_CLEANUP 81961C38
Device \Driver\NetBT \Device\NetBT_Tcpip_{36761ABC-073A-4AB8-9F1E-05D482EB353A} IRP_MJ_PNP 81961C38
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CREATE 81AA6618
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CLOSE 81AA6618
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 81AA6618
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81AA6618
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_POWER 81AA6618
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 81AA6618
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_PNP 81AA6618
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 81AA6618
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CLOSE 81AA6618
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_DEVICE_CONTROL 81AA6618
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81AA6618
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_POWER 81AA6618
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_SYSTEM_CONTROL 81AA6618
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_PNP 81AA6618
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 8193F7E8
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 8193F7E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 81940360
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 81940360
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 81940360
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 81940360
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 81940360
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 81940360
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 81940360
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 81940360
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 81940360
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 81940360
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 81940360
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 81940360
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 81940360

---- EOF - GMER 1.0.12 ----

#4 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:05:56 PM

Posted 06 March 2007 - 01:58 PM

Hi again :flowers:

You have a rootkit running there...

Run a new rootkit scan with GMER. (check all the boxes)

When you see the following process(es) on the list:

When you see the following service on the list:

Service C:\Documents and Settings\Dan\Application Data\hidires\m_hook.sys

Right-click it with your mouse and a menu will open. Choose "Delete the service" from the list.
If GMER asks for a reboot allow it to do it.

Then close GMER and restart your computer.

Run a new scan with GMER but don't use your computer during the scan.
When the scan has finished please copy/upload the results to me along with a fresh HijackThis log

:thumbsup:

Edited by Mr_JAk3, 06 March 2007 - 02:08 PM.

UNITE & ASAP member since 2006
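An added example, not code from this thread or from GMER: the call Mr_JAk3 makes above comes from reading the GMER log, and the logs in this thread show why that reading has to go by module location rather than by hook count. The scan taken after the Kaspersky 6.0 install is full of SSDT and inline hooks too, but they belong to klif.sys under system32\drivers (the Kaspersky filter driver), whereas the service he flags lives under the user's Application Data folder. The Python below parses the SSDT, Code, .text, Device and Service line shapes quoted on this page, groups every hook by the module that owns it, and ranks the modules by where they sit on disk. The sample log is constructed from lines on this page plus one made-up m_hook.sys SSDT line (what that driver actually hooked is not shown in this part of the thread); the bare `Service <path>` format follows the post above rather than GMER's fuller output; and the directory heuristic and the `suspicious` flag are my own first-pass rule, not a verdict.

```python
"""Added triage helper for a GMER 1.0.12 text log: group every reported
kernel hook by the module that owns it, then rank the modules by where
they live on disk. A heuristic first pass, not a verdict."""
import re
from collections import defaultdict

# Constructed sample, modelled on lines quoted in this thread. The m_hook.sys
# SSDT entry is an illustration: what that driver really hooked is not shown
# in this part of the thread. GMER's real "Service" lines carry extra fields;
# the bare form used in the post above is what this parser expects.
SAMPLE_LOG = r"""
---- System - GMER 1.0.12 ----
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\Documents and Settings\Dan\Application Data\hidires\m_hook.sys ZwCreateFile
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous
.text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP F7ECCB50 \??\C:\WINDOWS\system32\drivers\klif.sys
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 81BE0708
Device \Driver\00000164 \Device\00000041 IRP_MJ_POWER [F994CEA8] sptd.sys
Service C:\Documents and Settings\Dan\Application Data\hidires\m_hook.sys
"""

_JMP_RE = re.compile(r"\bJMP\s+[0-9A-Fa-f]+\s+(.+?)\s*$")   # module an inline patch jumps into
_DEV_RE = re.compile(r"^Device\s+\S+\s+(\S+)\s+(IRP_MJ_\w+)\s+\[[0-9A-Fa-f]+\]\s+(\S+)\s*$")
_USER_DIRS = ("\\documents and settings\\", "\\users\\", "\\application data\\", "\\temp\\")
_RANK = {"user-profile": 0, "unresolved": 1, "other": 2, "system-drivers": 3}


def normalise(module):
    """Drop GMER's \\??\\ object-manager prefix so paths compare cleanly."""
    return module[4:] if module.startswith("\\??\\") else module


def parse_gmer(text):
    """Return {'hooks': {module: [(kind, target), ...]}, 'services': [path, ...]}."""
    hooks, services = defaultdict(list), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        kind, _, rest = line.partition(" ")
        if kind in ("SSDT", "Code"):
            module, target = rest.rsplit(None, 1)   # module path may contain spaces
            hooks[normalise(module)].append((kind, target))
        elif kind == ".text":
            m = _JMP_RE.search(rest)
            if m:                                   # byte patches with no JMP stay unattributed
                hooks[normalise(m.group(1))].append(("INLINE", rest.split(None, 1)[0]))
        elif kind == "Device":
            m = _DEV_RE.match(line)
            if m:                                   # only dispatch entries GMER tied to a foreign module
                device, irp, module = m.groups()
                hooks[module].append(("IRP", device + " " + irp))
        elif kind == "Service":
            services.append(rest)
    return {"hooks": dict(hooks), "services": services}


def location_class(module):
    """Coarse trust bucket from the module's on-disk location alone."""
    low = module.lower()
    if any(d in low for d in _USER_DIRS):
        return "user-profile"
    if "\\windows\\system32\\drivers\\" in low:
        return "system-drivers"
    if "\\" not in low:
        return "unresolved"      # GMER printed a bare name; the path still has to be looked up
    return "other"


def triage(text):
    """One finding per hooking module, most suspicious first."""
    parsed = parse_gmer(text)
    service_dirs = {s.rsplit("\\", 1)[0].lower() for s in parsed["services"]}
    findings = []
    for module, entries in parsed["hooks"].items():
        loc = location_class(module)
        shares_dir = module.rsplit("\\", 1)[0].lower() in service_dirs
        findings.append({
            "module": module,
            "location": loc,
            "hooks": len(entries),
            "kinds": sorted({k for k, _ in entries}),
            "suspicious": loc in ("user-profile", "unresolved") or shares_dir,
        })
    findings.sort(key=lambda f: (_RANK[f["location"]], -f["hooks"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "CHECK" if f["suspicious"] else "ok   "
        print(f"{flag} {f['hooks']:3d} {'/'.join(f['kinds']):16} {f['location']:15} {f['module']}")
```

Run it as a script to print the ranked table, or pass the text of a saved GMER log to `triage()`. Bare names such as kl1.sys and sptd.sys land in the `unresolved` bucket because GMER printed no path for them; that bucket means "look it up", not "malicious". A module that shares a directory with a flagged service is marked even when its own location looks ordinary, which is the pattern a dropper that plants several files in one folder would show.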

#5 Char0n

Char0n
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:56 PM

Posted 07 March 2007 - 02:56 PM

Hi, I think that was it! I did a scan with GMER, but I didn't get the option to "Delete the service" with the file, Service C:\Documents and Settings\Dan\Application Data\hidires\m_hook.sys (I think this was because it was running). Anyway I deleted it manually from my HDD with the help of another computer (safe mode doesn't work on my OS).

So, I was able to install Kaspersky 6.0 and it works fine. It found a bunch of files infected with win32.Bagle (deleted :D). If you think I should still send you a GMER or HijackThis log tell me.

Thank you for all your help!!!!!!!!! :thumbsup:

#6 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:05:56 PM

Posted 08 March 2007 - 03:20 AM

Hi again :flowers:

Sounds good. I would like to have a look at the logs so that we can be sure that you're clean :thumbsup:
UNITE & ASAP member since 2006

#7 Char0n

Char0n
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:56 PM

Posted 08 March 2007 - 07:30 AM

Hi, again I did the scans, here they are: p.s. the GMER is 3.2MB in a plain .txt format & 1220 pages. Are you sure you want me to post it? (OK, I'm looking at the file now: I installed Oracle 10g for school and that has a lot of log entries, 80%). I'm skipping .txt entries for the GMER. If you want to see them tell me

Logfile of HijackThis v1.99.1
Scan saved at 13:32:21, on 08.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HyperIM\HyperIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\nvsvc32.exe
d:\programare\oracle\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
D:\Programare\Oracle\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Total Commander\TOTALCMD.EXE
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Dan\Desktop\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tweaknow.com/RegCleanerPro.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [HyperIM] C:\Program Files\HyperIM\HyperIM.exe -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\Programare\Oracle\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - d:\programare\oracle\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - D:\Programare\Oracle\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - D:\Programare\Oracle\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe




GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-03-08 14:13:20
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwUnloadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KiDispatchInterrupt + BA 804DB92E 7 Bytes JMP F7ECEE10 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP F7ECCB50 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804FBE09 5 Bytes JMP F7ECC6C0 \??\C:\WINDOWS\system32\drivers\klif.sys

---- User code sections - GMER 1.0.12 ----

.text D:\Programare\Oracle\app\oracle\product\10.2.0\server\bin\oradim.exe[1884] ntdll.dll!NlsMbOemCodePageTag + FFF84FE8 7C901000 45 Bytes [ 6A, 01, 68, 06, 00, 02, 00, ... ]
.text D:\Programare\Oracle\app\oracle\product\10.2.0\server\bin\oradim.exe[1884] ntdll.dll!RtlEnterCriticalSection + 29 7C90102E 7 Bytes [ 00, 8B, B5, E8, FD, FF, FF ]
.text D:\Programare\Oracle\app\oracle\product\10.2.0\server\bin\oradim.exe[1884] ntdll.dll!RtlEnterCriticalSection + 31 7C901036 14 Bytes JMP 7C900F8F C:\WINDOWS\system32\ntdll.dll
.text D:\Programare\Oracle\app\oracle\product\10.2.0\server\bin\oradim.exe[1884] ntdll.dll!RtlEnterCriticalSection + 40 7C901045 5 Bytes [ C0, E9, 30, 01, 00 ]
.text D:\Programare\Oracle\app\oracle\product\10.2.0\server\bin\oradim.exe[1884] ntdll.dll!RtlEnterCriticalSection + 46 7C90104B 10 Bytes [ 8B, 45, 14, 83, F8, 20, 72, ... ]
.text D:\Programare\Oracle\app\oracle\product\10.2.0\server\bin\oradim.exe[1884] ntdll.dll!RtlEnterCriticalSection + 51 7C901056 2 Bytes [ 72, 61 ]
.text ...
.text D:\Programare\Oracle\app\oracle\product\10.2.0\server\bin\oradim.exe[1884] ntdll.dll!RtlActivateActivationContextUnsafeFast + B 7C9011C0 138 Bytes CALL 7C8B7D22 C:\WINDOWS\system32\kernel32.dll
.text D:\Programare\Oracle\app\oracle\product\10.2.0\server\bin\oradim.exe[1884] ntdll.dll!DbgUserBreakPoint + 12 7C90124B 9 Bytes [ 00, 00, 89, 4D, E0, C7, 45, ... ]


...........................................................................................................................................................
many, many pages later... :thumbsup:


.text D:\Programare\Oracle\app\oracle\product\10.2.0\server\bin\oradim.exe[1884] iphlpapi.dll!SetAdapterIpAddress + 46 76D71F9C 44 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ...

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 81BE0708
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 81BE0708
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 818170E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 818170E8
Device \Driver\00000164 \Device\00000041 IRP_MJ_POWER [F994CEA8] sptd.sys
Device \Driver\00000164 \Device\00000041 IRP_MJ_SYSTEM_CONTROL [F9960A70] sptd.sys
Device \Driver\00000164 \Device\00000041 IRP_MJ_PNP [F9959728] sptd.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 81BE0EB0
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 81BE0EB0
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 81BE00E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 81BE00E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 81A09A20
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 81A09A20
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 81A09A20
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 81A09A20
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 81A09A20
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 81A09A20
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81A09A20
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 81A09A20
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 81A09A20
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 81A09A20
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 81A09A20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 81885868
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 81885868
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 818D6868
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 818D6868
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 818D6868
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 818D6868
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 818D6868
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 818D6868
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 818D6868
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 818D6868
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 818D6868
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 818D6868
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 818D6868
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 818D6868
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 81BE09C0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 81BE09C0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 81BE09C0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 81BE09C0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 81BE09C0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 81BE09C0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81BE09C0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 81BE09C0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 81BE09C0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 81BE09C0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 81BE09C0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 8187F868
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 8187F868
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 8187F868
D

#8 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:05:56 PM

Posted 08 March 2007 - 02:19 PM

Ok no need for the complete GMER log then.

You removed this whole folder, right? C:\Documents and Settings\Dan\Application Data\hidires

The HijackThis log looks clean. You could run one more scan just to be sure.
  • Please go HERE to run PandaActiveScan...

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Edited by Mr_JAk3, 08 March 2007 - 02:20 PM.

UNITE & ASAP member since 2006

#9 Char0n

Char0n
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:56 PM

Posted 09 March 2007 - 04:23 AM

Hi again :thumbsup:
I removed this whole folder C:\Documents and Settings\Dan\Application Data\hidires!

I have a question, as you can see in the GMER log, there is this system process running
"C:\WINDOWS\system32\drivers\klif.sys". What is it?

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-03-08 14:13:20
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwUnloadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KiDispatchInterrupt + BA 804DB92E 7 Bytes JMP F7ECEE10 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP F7ECCB50 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804FBE09 5 Bytes JMP F7ECC6C0 \??\C:\WINDOWS\system32\drivers\klif.sys

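The GMER output above reads most easily when grouped by the module that owns each hook. The following is an added example, not code from the thread or from GMER: it parses "SSDT", "Code" and ".text" lines in that format, tallies hooked functions per driver, and flags any module listed without a full \??\ path (the kl1.sys entry). The sample log lines are constructed in the same format as the log posted above.

```python
"""Added example, not from the thread: summarise GMER's "System" section by
the module owning each SSDT hook or inline kernel patch. In the log above every
entry points at klif.sys; a module listed without a full \\??\\ path (kl1.sys) is flagged."""
import re
from collections import defaultdict

# Constructed excerpt in the same format as the GMER 1.0.12 log in the thread.
SAMPLE_LOG = r"""
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]

Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous

.text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP F7ECCB50 \??\C:\WINDOWS\system32\drivers\klif.sys
"""

# "SSDT <module> <function>" and "Code <module> <function>" lines
HOOK_RE = re.compile(r"^(?:SSDT|Code)\s+(\S+)\s+(\S+)$")
# ".text <image>!<function> [+ off] <addr> <n> Bytes JMP <addr> <module>" lines
TEXT_RE = re.compile(
    r"^\.text\s+(\S+)(?:\s+\+\s+[0-9A-F]+)?\s+[0-9A-F]+\s+\d+ Bytes\s+JMP\s+[0-9A-F]+\s+(\S+)$")

def module_name(path):
    """Bare lower-case file name of a module path, e.g. ...\\klif.sys -> klif.sys."""
    return path.rsplit("\\", 1)[-1].lower()

def summarize_hooks(log_text):
    """Return ({module: sorted hooked functions}, [modules listed without a path])."""
    hooks = defaultdict(set)
    unpathed = set()
    for line in log_text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            mod, func = m.groups()
            if not mod.startswith("\\??\\"):
                unpathed.add(module_name(mod))
        else:
            m = TEXT_RE.match(line)
            if not m:
                continue
            func, mod = m.groups()
            func = func.split("!")[-1]  # drop the "ntoskrnl.exe!" image prefix
        hooks[module_name(mod)].add(func)
    return {k: sorted(v) for k, v in hooks.items()}, sorted(unpathed)

if __name__ == "__main__":
    per_module, unpathed = summarize_hooks(SAMPLE_LOG)
    print(per_module, "listed without a full path:", unpathed)
```

Feeding the full log from the post in place of SAMPLE_LOG gives one entry per hooking driver, which makes a second, unexpected module stand out immediately.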
#10 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:05:56 PM

Posted 09 March 2007 - 04:33 PM

Hi again and sorry for the delay.

That klif.sys belongs to your Kaspersky software. It is legitimate.

Did you run the Panda scan?
UNITE & ASAP member since 2006

#11 Char0n

Char0n
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:56 PM

Posted 10 March 2007 - 05:37 AM

Hi, the Panda scan doesn't work for some reason, I'm using Internet Explorer v7.00 and after I install the ActiveX & the updates I get the options for My Computer, Local Harddisk, Other Media or something like that, but when I click on either of them I get "Error on page" in the bottom status bar...

p.s. I'm not expecting a prompt answer, but thank you, you've already done so much :thumbsup:

#12 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:05:56 PM

Posted 10 March 2007 - 12:54 PM

Hi :thumbsup:

Ok...We may use another scanner then. Just to be sure that you're clean :flowers:

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot the computer in Normal Mode.
  • Post the Cure-it report

UNITE & ASAP member since 2006

#13 Char0n

Char0n
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:56 PM

Posted 16 March 2007 - 10:21 AM

Hi, I'm sorry for not writing sooner.
My OS doesn't work in safe mode, I don't know why, so I ran Dr.Web in normal configuration and it looks clean.
Thank you for all your help, bye

#14 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:05:56 PM

Posted 16 March 2007 - 02:31 PM

Hello :flowers:

Ok nice to hear that the scan came out clean.


Do you want us to try to fix the safe mode issue?

:thumbsup:
UNITE & ASAP member since 2006