| Files |
Log |
| Turla/Uroburos |
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-07-14 10:13:28
Windows 5.2.3790 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Scsi\mraid35x1Port2Path2Target0Lun0 PERC____ rev.____ 68,24GB
Running: gmer.exe; Driver: c:\temp\ugtdapob.sys
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!IofCallDriver E061E140 5 Bytes [6A, 00, CD, C3, 90] {PUSH 0x0; INT 0xc3; NOP }
PAGE ntkrnlpa.exe!ZwCreateKey E06DA054 5 Bytes [6A, 04, CD, C3, 90] {PUSH 0x4; INT 0xc3; NOP }
PAGE ntkrnlpa.exe!ZwEnumerateKey + 1 E06DA7C9 6 Bytes [03, CD, C3, 90, 90, 90] {ADD ECX, EBP; RET ; NOP ;NOP ; NOP }
PAGE ntkrnlpa.exe!ZwQueryKey + 1 E06DBBFF 6 Bytes [02, CD, C3, 90, 90, 90] {ADD CL, CH; RET ; NOP ; NOP ; NOP }
PAGE ntkrnlpa.exe!ZwSaveKey E06DC29E 5 Bytes [6A, 05, CD, C3, 90] {PUSH 0x5; INT 0xc3; NOP }
PAGE ntkrnlpa.exe!IoCreateDevice E06EDF84 5 Bytes [6A, 01, CD, C3, 90] {PUSH 0x1; INT 0xc3; NOP }
PAGE ntkrnlpa.exe!NtReadFile + 1 E06F4473 6 Bytes [06, CD, C3, 90, 90, 90] {PUSH ES; INT 0xc3; NOP ; NOP; NOP }
PAGE ntkrnlpa.exe!ObOpenObjectByName E0735F64 5 Bytes [6A, 0A, CD, C3, 90] {PUSH 0xa; INT 0xc3; NOP }
PAGE ntkrnlpa.exe!NtClose E0736C20 5 Bytes [6A, 08, CD, C3, 90] {PUSH 0x8; INT 0xc3; NOP }
PAGE ntkrnlpa.exe!ZwCreateThread + 1 E074D333 6 Bytes [0B, CD, C3, 90, 90, 90] {OR ECX, EBP; RET ; NOP ; NOP; NOP }
PAGE ntkrnlpa.exe!ZwTerminateProcess E074E5B2 5 Bytes [6A, 09, CD, C3, 90] {PUSH 0x9; INT 0xc3; NOP }
PAGE ntkrnlpa.exe!NtQuerySystemInformation E07911E8 5 Bytes [6A, 07, CD, C3, 90] {PUSH 0x7; INT 0xc3; NOP }
PAGE ntkrnlpa.exe!NtShutdownSystem E0792B1C 5 Bytes [6A, 0C, CD, C3, 90] {PUSH 0xc; INT 0xc3; NOP }
---- User code sections - GMER 2.1 ----
.text D:\Exchange\bin\store.exe[1116] kernel32.dll!TerminateProcess 77E42014 5 Bytes JMP 005F3C9A D:\Exchange\bin\store.exe
.text D:\Exchange\bin\store.exe[1116] kernel32.dll!ExitProcess 77E66919 5 Bytes JMP 005F3C6B D:\Exchange\bin\store.exe
---- Devices - GMER 2.1 ----
AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys
Device \Driver\iScsiPrt \Device\00000068 iscsiprt.sys
Device \Driver\iScsiPrt \Device\00000069 iscsiprt.sys
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys
Device \Driver\iScsiPrt \Device\0000006a iscsiprt.sys
Device \Driver\iScsiPrt \Device\Scsi\iScsiPort0 iscsiprt.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys
---- Services - GMER 2.1 ----
Service C:\WINDOWS\$NtUninstallQ918236$\elfa32.sys (*** hidden*** ) [SYSTEM] elfa32 <-- ROOTKIT !!!
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\elfa32
Reg HKLM\SYSTEM\CurrentControlSet\Services\elfa32@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\elfa32@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\elfa32@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\elfa32@ImagePath \SystemRoot\$NtUninstallQ918236$\elfa32.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\elfa32@DisplayName elfa32
Reg HKLM\SYSTEM\CurrentControlSet\Services\elfa32@Group Streams Drivers
Reg HKLM\SYSTEM\CurrentControlSet\Services\elfa32\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\elfa32\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\elfa32
Reg HKLM\SYSTEM\ControlSet002\Services\elfa32 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\elfa32@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\elfa32@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\elfa32@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\elfa32@ImagePath \SystemRoot\$NtUninstallQ918236$\elfa32.sys
Reg HKLM\SYSTEM\ControlSet002\Services\elfa32@DisplayName elfa32
Reg HKLM\SYSTEM\ControlSet002\Services\elfa32@Group Streams Drivers
Reg HKLM\SYSTEM\ControlSet002\Services\elfa32\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\elfa32\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability@LastAliveUptime 369212
---- EOF - GMER 2.1 ----
|
| Gapz/x64 |
GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-06 20:21:33
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
Running: gmer.exe; Driver: C:\Users\user\AppData\Local\Temp\kwniafod.sys
---- Kernel code sections - GMER 2.0 ----
.text C:\Windows\system32\DRIVERS\ataport.SYS!AtaPortInitialize + 357 fffff880010c24d9 11 bytes {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
.text C:\Windows\system32\DRIVERS\ataport.SYS!AtaPortInitialize + 397 fffff880010c2501 11 bytes {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
---- Devices - GMER 2.0 ----
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 IRP_MJ_INTERNAL_DEVICE_CONTROL fffff880010c24d8 {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 IRP_MJ_DEVICE_CONTROL fffff880010c2500 {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL fffff880010c24d8 {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL fffff880010c2500 {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL fffff880010c24d8 {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL fffff880010c2500 {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 IRP_MJ_INTERNAL_DEVICE_CONTROL fffff880010c24d8 {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 IRP_MJ_DEVICE_CONTROL fffff880010c2500 {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
Device \Driver\atapi \Device\ScsiPort0 IRP_MJ_INTERNAL_DEVICE_CONTROL fffff880010c24d8 {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
Device \Driver\atapi \Device\ScsiPort0 IRP_MJ_DEVICE_CONTROL fffff880010c2500 {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
Device \Driver\atapi \Device\ScsiPort1 IRP_MJ_INTERNAL_DEVICE_CONTROL fffff880010c24d8 {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
Device \Driver\atapi \Device\ScsiPort1 IRP_MJ_DEVICE_CONTROL fffff880010c2500 {MOV RAX, 0xfffffa80024fbdd1; JMP RAX}
---- Trace I/O - GMER 2.0 ----
Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS >>UNKNOWN [0xfffffa80024fbdd1]<< >>UNKNOWN [0xfffffa8000822064]<< intelide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa8000822064
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8001348790] fffffa8001348790
Trace 3 CLASSPNP.SYS[fffff8800143b43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800129d060] fffffa800129d060
---- Disk sectors - GMER 2.0 ----
Disk \Device\Harddisk0\DR0 Windows 7 default MBR code found via API
Disk \Device\Harddisk0\DR0 unknown MBR code
Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior
---- EOF - GMER 2.0 ----
|
| ZAccess/x64 |
GMER 2.0.18327 - http://www.gmer.net
Rootkit scan 2012-12-21 20:10:17
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
Running: gmer.exe; Driver: C:\Users\user\AppData\Local\Temp\kwniafod.sys
---- User code sections - GMER 2.0 ----
.reloc C:\Windows\system32\services.exe [440] section is executable [0x4A8, 0xA0000020] 00000000ff532000
---- Threads - GMER 2.0 ----
Thread C:\Windows\system32\services.exe [440:1080] 00000000000d1e58
---- EOF - GMER 2.0 ----
|
| SST@VBR/x64 |
GMER 2.0.17849 - http://www.gmer.net
Rootkit scan 2012-12-24 15:37:02
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-4 TOSHIBA_MK1255GSX_H rev.FG001Q 111.79GB
Running: gmer.exe; Driver: C:\Users\user\AppData\Local\Temp\uwldqpod.sys
---- Devices - GMER 2.0 ----
Device \Driver\volmgr \Device\HarddiskVolume1 fffffa8002db8e84
Device \Driver\volmgr \Device\FtControl fffffa8002db8e84
Device \Driver\volmgr \Device\VolMgrControl fffffa8002db8e84
Device \Driver\volmgr \Device\HarddiskVolume2 fffffa8002db8e84
Device \Driver\volmgr \Device\HarddiskVolume3 fffffa8002db8e84
Device \Driver\volmgr \Device\HarddiskVolume4 fffffa8002db8e84
---- Trace I/O - GMER 2.0 ----
Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8002db6560]<< ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa8002db6560
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8002d94530] fffffa8002d94530
Trace 3 CLASSPNP.SYS[fffff880018a843f] -> nt!IofCallDriver -> [0xfffffa8001e42600] fffffa8001e42600
Trace 5 ACPI.sys[fffff88000f45781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-4[0xfffffa8002863060] fffffa8002863060
Trace \Driver\atapi[0xfffffa8001e45060] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8002db6560 fffffa8002db6560
---- Threads - GMER 2.0 ----
Thread System [4:196] fffffa8002db8b24
---- Disk sectors - GMER 2.0 ----
Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior
Disk \Device\Harddisk0\DR0 suspicious partition 4 80 (A) 17 Hidd HPFS/NTFS NTFS 10 MB offset 163840000
---- EOF - GMER 2.0 ----
|
| TDL4/Alureon@mbr |
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-21 22:34:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD3200BB-22KEA0 rev.08.05J08
Running: rplt1sur.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdrpob.sys
---- System - GMER 1.0.15 ----
SSDT 8A272CB8 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA3630350]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA3630580]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F8000A
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F9000A
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00F7000C
.text C:\WINDOWS\System32\svchost.exe[968] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0305000A
.text C:\WINDOWS\System32\svchost.exe[968] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 0306000A
.text C:\WINDOWS\System32\svchost.exe[968] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 0326000A
.text C:\WINDOWS\System32\svchost.exe[968] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 0108000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0182000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0183000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0167000C
.text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0153000A
.text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0154000A
.text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0152000C
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 8A78127F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A78127F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A78127F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 8A78127F
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD3200BB-22KEA0_____________________08.05J08#5&60ba549&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- EOF - GMER 1.0.15 ----
|
| TDSS |
GMER 1.0.15.15121 - http://www.gmer.net
Rootkit scan 2009-10-03 13:54:24
Windows 5.1.2600 Service Pack 2
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74CB380]
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi \Device\Ide\IdePort0 [F74BE9F2] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdePort1 [F74BE9F2] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F74BE9F2] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdePort2 [F74BE9F2] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F74BE9F2] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdePort3 [F74BE9F2] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdePort4 [F74BE9F2] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdePort5 [F74BE9F2] atapi.sys[unknown section]
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\Ide\IdePort5\kbwwiibi\kbwwiibi\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1736] 0x10000000
---- EOF - GMER 1.0.15 ----
|
| Tigger/Syzor |
GMER 1.0.15.14918 - http://www.gmer.net
Rootkit scan 2009-01-12 15:18:21
Windows 5.1.2600 Dodatek Service Pack 2
---- Kernel code sections - GMER 1.0.15 ----
PAGEKD KDCOM.DLL!KdSendPacket F9F4D1B2 8 Bytes [FF, 35, 00, F0, 8F, 81, 9B, ...] {PUSH DWORD [0x818ff000]; WAIT ; RET }
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[1340] WININET.dll!HttpSendRequestA 771B76B8 1 Byte [55]
.text C:\WINDOWS\Explorer.EXE[1340] WININET.dll!HttpSendRequestA 771B76B8 7 Bytes [55, FF, 25, 00, 00, F6, 00] {PUSH EBP; JMP [0xf60000]}
.text C:\WINDOWS\Explorer.EXE[1340] WININET.dll!HttpSendRequestW 77201808 1 Byte [55]
.text C:\WINDOWS\Explorer.EXE[1340] WININET.dll!HttpSendRequestW 77201808 7 Bytes [55, FF, 25, 00, 00, 1F, 01] {PUSH EBP; JMP [0x11f0000]}
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE F8B98880
Device \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_READ F8B99E54
Device \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_READ F8B99E54
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ F8B992DC
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE F8B9932E
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN F8B99FA0
---- Threads - GMER 1.0.15 ----
Thread System [4:300] F8B99EB4
Thread System [4:1164] F8B99490
Thread System [4:1740] F8B98988
Thread System [4:1388] F8B9A022
---- EOF - GMER 1.0.15 ----
|
| MBR rootkit/Mebroot/Sinowal |
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-24 07:50:49
Windows 5.1.2600 Service Pack 3
---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 00: MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x25429800 size 0x2c4
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
---- Kernel code sections - GMER 1.0.14 ----
PAGE CLASSPNP.SYS!ClassInitialize + F4 F9A934B2 4 Bytes [ 7E, C8, 84, 81 ]
PAGE CLASSPNP.SYS!ClassInitialize + FF F9A934BD 4 Bytes [ 28, 74, 84, 81 ]
PAGE CLASSPNP.SYS!ClassInitialize + 10A F9A934C8 4 Bytes [ 90, C8, 84, 81 ]
PAGE CLASSPNP.SYS!ClassInitialize + 111 F9A934CF 4 Bytes [ 84, C8, 84, 81 ]
PAGE CLASSPNP.SYS!ClassInitialize + 118 F9A934D6 4 Bytes [ 8A, C8, 84, 81 ]
PAGE ...
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\explorer.exe[1136] ADVAPI32.dll!CryptDestroyKey 77DDA544 7 Bytes JMP 00D52B9A
.text C:\WINDOWS\explorer.exe[1136] ADVAPI32.dll!CryptDecrypt 77DDA7B1 7 Bytes JMP 00D52B57
.text C:\WINDOWS\explorer.exe[1136] ADVAPI32.dll!CryptEncrypt 77DE1558 7 Bytes JMP 00D52B1B
.text C:\WINDOWS\explorer.exe[1136] WS2_32.dll!send 71A5428A 5 Bytes JMP 00D5298C
.text C:\WINDOWS\explorer.exe[1136] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 00D52A7E
.text C:\WINDOWS\explorer.exe[1136] WS2_32.dll!recv 71A5615A 5 Bytes JMP 00D529C4
.text C:\WINDOWS\explorer.exe[1136] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 00D529FC
.text C:\WINDOWS\explorer.exe[1136] WS2_32.dll!closesocket 71A59639 5 Bytes JMP 00D52B00
---- Devices - GMER 1.0.14 ----
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 855A1410
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 855A1410
---- Threads - GMER 1.0.14 ----
Thread 4:796 855BBC80
Thread 4:800 855A8D80
Thread 4:804 85663DC0
Thread 4:808 85594E00
Thread 4:2856 855BBC80
Thread 4:2860 855A8D80
Thread 4:2864 85663DC0
Thread 4:2868 85594E00
---- EOF - GMER 1.0.14 ----
C:\>mbr.exe -t
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85938E90]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x85938e90
\Device\Harddisk0\DR0 -> ParseProcedure -> 0x8593fc20
NDIS: Intel(R) 82566DM-2 Gigabit Network Connection -> SendCompleteHandler -> 0x8596e700
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0100A757
malicious code @ sector 0x0100A75A !
PE file found in sector at 0x0100A770 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
|
| RioDrvs.sys |
GMER 1.0.13.12482 - http://www.gmer.net
Rootkit scan 2007-06-15 08:55:07
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.13 ----
SSDT \WINDOWS\system32\ntkrnlpa.exe [805460D8] PUSH F7912914; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwClose
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460D8] ZwClose
SSDT \WINDOWS\system32\ntkrnlpa.exe [805460EA] PUSH F79133AA; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwDeleteKey
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460EA] ZwDeleteKey
SSDT \WINDOWS\system32\ntkrnlpa.exe [805460F0] PUSH F7913432; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwDeleteValueKey
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460F0] ZwDeleteValueKey
SSDT \WINDOWS\system32\ntkrnlpa.exe [805460D2] PUSH F7912888; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwEnumerateKey
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460D2] ZwEnumerateKey
SSDT \WINDOWS\system32\ntkrnlpa.exe [805460CC] PUSH F7913140; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwLoadDriver
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460CC] ZwLoadDriver
SSDT \WINDOWS\system32\ntkrnlpa.exe [805460DE] PUSH F7912A40; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwQueryDirectoryFile
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460DE] ZwQueryDirectoryFile
SSDT \WINDOWS\system32\ntkrnlpa.exe [805460E4] PUSH F7913320; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwSaveKey
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460E4] ZwSaveKey
---- Processes - GMER 1.0.13 ----
Library C:\WINDOWS\LINKINFO.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [1932] 0x10000000
Library C:\WINDOWS\system32\linkinfo.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [1932] 0x76960000
---- Files - GMER 1.0.13 ----
File C:\WINDOWS\linkinfo.dll
File C:\WINDOWS\ServicePackFiles\i386\linkinfo.dll
File C:\WINDOWS\system32\drivers\RioDrvs.sys <-- ROOTKIT !!!
File C:\WINDOWS\system32\linkinfo.dll
---- Services - GMER 1.0.13 ----
Service C:\WINDOWS\system32\DRIVERS\RioDrvs.sys [AUTO] RioDrvs <-- ROOTKIT !!!
---- EOF - GMER 1.0.13 ----
|
| VideoAti0.sys |
GMER 1.0.12.12070 - http://www.gmer.net
Rootkit scan 2007-02-26 15:38:06
Windows 5.1.2600 Service Pack 2
---- Kernel code sections - GMER 1.0.12 ----
PAGE ntoskrnl.exe!ZwQueryKey + 201 8056F674 6 Bytes PUSH FC8152D4; RET
? C:\WINDOWS\system32\drivers\Ntfs.sys Access denied.
---- Devices - GMER 1.0.12 ----
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE FC814E94
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL FC815084
Device \Driver\VideoAti0 \Device\VideoAti0 IRP_MJ_CREATE FC8144AC
Device \Driver\VideoAti0 \Device\VideoAti0 IRP_MJ_CLOSE FC8144AC
---- Modules - GMER 1.0.12 ----
Module \SystemRoot\System32\drivers\VideoAti0.sys (*** hidden *** ) FC814000
---- Files - GMER 1.0.12 ----
File C:\WINDOWS\system32\drivers\VideoAti0.sys
File C:\WINDOWS\system32\VideoAti0.dll
File C:\WINDOWS\system32\VideoAti0.exe
---- EOF - GMER 1.0.12 ----
|
| wincom32.sys |
GMER 1.0.12.12012 - http://www.gmer.net
Rootkit scan 2007-02-04 13:46:33
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT \??\C:\WINDOWS\system32\wincom32.sys ZwEnumerateKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\wincom32.sys ZwEnumerateValueKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\wincom32.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
---- User code sections - GMER 1.0.12 ----
.text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 009B083C
.text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 009B07B6
.text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 009B05E4
.text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 009B045D
.text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 009B0505
.text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 011E083C
.text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 011E07B6
.text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 011E05E4
.text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 011E045D
.text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 011E0505
.text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00E1083C
.text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00E107B6
.text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00E105E4
.text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00E1045D
.text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00E10505
.text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A1083C
.text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00A107B6
.text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00A105E4
.text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A1045D
.text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00A10505
.text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00D0083C
.text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00D007B6
.text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00D005E4
.text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00D0045D
.text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00D00505
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 008E083C
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 008E07B6
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 008E05E4
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008E045D
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 008E0505
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0196083C
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 019607B6
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 019605E4
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0196045D
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 01960505
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0077083C
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 007707B6
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 007705E4
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0077045D
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00770505
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A4083C
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00A407B6
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00A405E4
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A4045D
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00A40505
.text C:\WINDOWS\system32\spoolsv.exe[1096] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00DB083C
.text C:\WINDOWS\system32\spoolsv.exe[1096] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00DB07B6
.text C:\WINDOWS\system32\spoolsv.exe[1096] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00DB05E4
.text C:\WINDOWS\system32\spoolsv.exe[1096] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00DB045D
.text C:\WINDOWS\system32\spoolsv.exe[1096] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00DB0505
.text C:\WINDOWS\system32\taskdir.exe[1248] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C
.text C:\WINDOWS\system32\taskdir.exe[1248] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6
.text C:\WINDOWS\system32\taskdir.exe[1248] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4
.text C:\WINDOWS\system32\taskdir.exe[1248] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D
.text C:\WINDOWS\system32\taskdir.exe[1248] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505
.text C:\WINDOWS\system32\ad.exe[1896] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C
.text C:\WINDOWS\system32\ad.exe[1896] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6
.text C:\WINDOWS\system32\ad.exe[1896] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4
.text C:\WINDOWS\system32\ad.exe[1896] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D
.text C:\WINDOWS\system32\ad.exe[1896] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505
.text C:\WINDOWS\explorer.exe[1976] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00E3083C
.text C:\WINDOWS\explorer.exe[1976] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00E307B6
.text C:\WINDOWS\explorer.exe[1976] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00E305E4
.text C:\WINDOWS\explorer.exe[1976] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00E3045D
.text C:\WINDOWS\explorer.exe[1976] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00E30505
.text C:\WINDOWS\gmer.exe[10692] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C
.text C:\WINDOWS\gmer.exe[10692] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6
.text C:\WINDOWS\gmer.exe[10692] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4
.text C:\WINDOWS\gmer.exe[10692] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D
.text C:\WINDOWS\gmer.exe[10692] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505
---- Devices - GMER 1.0.12 ----
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [FBFD36F8] wincom32.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [FBFD36F8] wincom32.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [FBFD36F8] wincom32.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [FBFD36F8] wincom32.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [FBFD36F8] wincom32.sys
---- Processes - GMER 1.0.12 ----
Process C:\WINDOWS\system32\taskdir.exe (*** hidden *** ) 1248
---- Services - GMER 1.0.12 ----
Service C:\WINDOWS\system32\wincom32.sys (*** hidden *** ) [AUTO] wincom32 <-- ROOTKIT !!!
---- Files - GMER 1.0.12 ----
File C:\WINDOWS\Prefetch\TASKDIR.EXE-02B5617A.pf
File C:\WINDOWS\system32\adir.dll
File C:\WINDOWS\system32\adirss.exe
File C:\WINDOWS\system32\taskdir.exe
File C:\WINDOWS\system32\wincom32.ini
File C:\WINDOWS\system32\wincom32.sys <-- ROOTKIT !!!
File C:\WINDOWS\system32\WindowsLogon.manifest
---- EOF - GMER 1.0.12 ----
|
| lzx32 |
GMER 1.0.11.11310 - http://www.gmer.net
Rootkit 2006-09-14 09:31:21
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.11 ----
SYSENTER ? F60FDFAF
---- Modules - GMER 1.0.11 ----
Module (noname) (*** hidden *** ) F60F9000
---- Threads - GMER 1.0.11 ----
Thread 4:1224 F60FC08A
---- Services - GMER 1.0.11 ----
Service D:\WINDOWS\system32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
---- Files - GMER 1.0.11 ----
ADS D:\WINDOWS\system32:lzx32.sys <-- ROOTKIT !!!
---- EOF - GMER 1.0.11 ----
|
| Gromozon Rootkit |
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-31 14:25:26
Windows 5.1.2600 Service Pack 2
---- Processes - GMER 1.0.10 ----
Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [2500] 0x01F20000 <-- ROOTKIT !!!
Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [4036] 0x01F20000 <-- ROOTKIT !!!
---- Files - GMER 1.0.10 ----
File C:\WINDOWS\mdoom1.dll
File C:\WINDOWS\system32\lpt4.hzq
---- EOF - GMER 1.0.10 ----
GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-31 14:27:47
Windows 5.1.2600 Service Pack 2
...
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINDOWS\system32\lpt4.hzq
...
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
SrvXdx /*SrvXdx*/@ = "C:\Programmi\File comuni\System\mfxS.exe"
...
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{D4ED03F3-6672-F05B-77C2-859151625148}C:\WINDOWS\mdoom1.dll = C:\WINDOWS\mdoom1.dll
...
---- EOF - GMER 1.0.10 ----
|
| pe386 |
GMER 1.0.10.10108 - http://www.gmer.net
Rootkit 2006-05-25 14:32:07
Windows 5.1.2600 Service Pack 1
---- System - GMER 1.0.10 ----
SYSENTER ? 00810005
---- Devices - GMER 1.0.10 ----
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 81732520
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 817310C0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 817310C0
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 817310C0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 817310C0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 817310C0
---- Services - GMER 1.0.10 ----
Service D:\WINDOWS\System32:18467 (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
---- EOF - GMER 1.0.10 ----
|
xdudmm.sys
xdudtt.dll |
GMER 1.0.10.10108 - http://www.gmer.net
Rootkit 2006-05-24 00:29:02
Windows 5.1.2600
---- System - GMER 1.0.10 ----
SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwCreateProcess <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwCreateProcessEx <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwOpenProcess <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwOpenThread <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwQuerySystemInformation <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwTerminateProcess
---- Devices - GMER 1.0.10 ----
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F88DF300] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F88DF520] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F88DF610] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F88DF640] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F88DF300] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F88DF520] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F88DF610] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F88DF640] wpsdrvnt.sys
---- Processes - GMER 1.0.10 ----
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Apache Group\Apache2\bin\Apache.exe [244] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Analog Devices\SoundMAX\SMTray.exe [300] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\nvsvc32.exe [308] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe [332] 0x00E50000 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe [492] 0x00950000 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [572] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\RECYCLER\lsass.exe [600] 0x10000000 <-- ROOTKIT !!!
Process C:\WINDOWS\SYSTEM32\winlogon.exe (*** hidden *** ) 796 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\SYSTEM32\winlogon.exe [796] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [1636] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [1696] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1820] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Apache Group\Apache2\bin\Apache.exe [1956] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\GEARSec.exe [1996] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Norton Ghost\Agent\VProSvc.exe [2024] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE [2388] 0x00C00000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe [2412] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Winamp\winamp.exe [2556] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\QuickTime\qttask.exe [2616] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2656] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\wccx.exe [2796] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\d13a4e75.exe [2804] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\SpeedFan\speedfan.exe [3080] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [3084] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\rundll32.exe [3212] 0x00950000 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Canon\CAL\CALMAIN.exe [3564] 0x10000000 <-- ROOTKIT !!!
Process C:\WINDOWS\explorer.exe (*** hidden *** ) 3808 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3808] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [4196] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\PowerArchiver\POWERARC.EXE [4836] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Gadu-Gadu\gg.exe [5140] 0x00D00000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\system32\notepad.exe [5400] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\_PA459\gmer.exe [6008] 0x10000000 <-- ROOTKIT !!!
---- Services - GMER 1.0.10 ----
Service C:\WINDOWS\System32\xdudmm.sys (*** hidden *** ) [SYSTEM] xdudmm <-- ROOTKIT !!!
Service C:\WINDOWS\System32\xdudmm.sys (*** hidden *** ) [AUTO] xdudtt <-- ROOTKIT !!!
---- EOF - GMER 1.0.10 ----
|
| alco8drv.sys |
GMER 1.0.9.8110 - http://www.gmer.net
Windows 5.1.2600 Dodatek Service Pack 2
---- System - GMER 1.0.9 ----
---- Devices - GMER 1.0.9 ----
Device \Driver\WmiDisk \Device\G69uQQGr IRP_MJ_CREATE 83E50A11
---- Processes - GMER 1.0.9 ----
Process synbdusx.exe (*** hidden *** ) 1848 <-- ROOTKIT !!!
---- Files - GMER 1.0.9 ----
File C:\WINDOWS\system32\drivers\alco8drv.sys
File C:\WINDOWS\system32\synbdusx.exe
---- EOF - GMER 1.0.9 ----
|
| imaslip.sys |
GMER 1.0.9.8110 - {http://www.gmer.net}
Windows 5.1.2600 Dodatek Service Pack 2
---- Devices - GMER 1.0.9 ----
Device \Driver\Volvice \Device\aswtMgr IRP_MJ_CREATE 81BBB8C3
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CREATE E1950828
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CREATE E100D390
---- Processes - GMER 1.0.9 ----
Process msvcji32.exe (*** hidden *** ) 1480 <-- ROOTKIT !!!
Process lsacap32.exe (*** hidden *** ) 1488 <-- ROOTKIT !!!
---- Files - GMER 1.0.9 ----
File C:\WINDOWS\system32\drivers\imaslip.sys
File C:\WINDOWS\system32\lsacap32.exe
---- EOF - GMER 1.0.9 ----
|
| ivdmt16.sys winlow.sys |
GMER 1.0.9.8110 - http://www.gmer.net
Windows 5.1.2600
---- System - GMER 1.0.9 ----
SSDT a347bus.sys ZwClose
SSDT a347bus.sys ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT \??\C:\WINDOWS\System32\vdmt16.sys ZwCreateProcess <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\System32\vdmt16.sys ZwCreateProcessEx <-- ROOTKIT !!!
SSDT FF7B1820 ZwEnumerateKey <-- ROOTKIT !!!
SSDT a347bus.sys ZwEnumerateValueKey
SSDT a347bus.sys ZwOpenKey
SSDT \??\C:\WINDOWS\System32\vdmt16.sys ZwOpenProcess <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\System32\vdmt16.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
SSDT a347bus.sys ZwQueryKey
SSDT \??\C:\WINDOWS\System32\vdmt16.sys ZwQuerySystemInformation <-- ROOTKIT !!!
SSDT a347bus.sys ZwQueryValueKey
SSDT a347bus.sys ZwSetSystemPowerState
---- Services - GMER 1.0.9 ----
Service C:\WINDOWS\System32\Drivers\sysbus32.sys (*** hidden *** ) [AUTO] sysbus32 <-- ROOTKIT !!!
---- Files - GMER 1.0.9 ----
File C:\!KillBox\drct16.dll
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\WINDOWS\system32\cz.dll
File C:\WINDOWS\system32\drct16.dll
File C:\WINDOWS\system32\fltr.a3d
File C:\WINDOWS\system32\hz.sys
File C:\WINDOWS\system32\i.a3d
File C:\WINDOWS\system32\klogini.dll
File C:\WINDOWS\system32\mszx23.exe
File C:\WINDOWS\system32\p2.ini
File C:\WINDOWS\system32\redir.a3d
File C:\WINDOWS\system32\tnfl.a3d
File C:\WINDOWS\system32\vdmt16.sys <-- ROOTKIT !!!
File C:\WINDOWS\system32\winlow.sys <-- ROOTKIT !!!
File C:\WINDOWS\system32\wz.sys
File D:\System Volume Information\tracking.log
---- Services - GMER 1.0.9 ----
Service C:\WINDOWS\System32\vdmt16.sys [SYSTEM] vdmt16 <-- ROOTKIT !!!
Service C:\WINDOWS\System32\winlow.sys [AUTO] winlow <-- ROOTKIT !!!
---- EOF - GMER 1.0.9 ----
|
| drmpdate.sys |
GMER 1.0.9.8110 - http://www.gmer.net
Windows 5.1.2600 Dodatek Service Pack. 1
---- System - GMER 1.0.9 ----
SSDT \SystemRoot\System32\drivers\klif.sys ZwClose
SSDT d347bus.sys ZwCreateKey
SSDT d347bus.sys ZwCreatePagingFile
SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateProcess
SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateSection
SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateThread
SSDT d347bus.sys ZwEnumerateKey
SSDT d347bus.sys ZwEnumerateValueKey
SSDT kl1.sys ZwOpenFile
SSDT d347bus.sys ZwOpenKey
SSDT \SystemRoot\System32\drivers\klif.sys ZwOpenProcess
SSDT \SystemRoot\System32\drivers\klif.sys ZwQueryInformationFile
SSDT d347bus.sys ZwQueryKey
SSDT \SystemRoot\System32\drivers\klif.sys ZwQuerySystemInformation
SSDT d347bus.sys ZwQueryValueKey
SSDT \SystemRoot\System32\drivers\klif.sys ZwResumeThread
SSDT \SystemRoot\System32\drivers\klif.sys ZwSetInformationProcess
SSDT d347bus.sys ZwSetSystemPowerState
SSDT \SystemRoot\System32\drivers\klif.sys ZwSuspendThread
SSDT \SystemRoot\System32\drivers\klif.sys ZwTerminateProcess
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[284]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[285]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[286]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[287]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[288]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[289]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[290]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[291]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[292]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[293]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[294]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[295]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[296]
---- Devices - GMER 1.0.9 ----
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F82FABF6] klmc.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F82FABF6] klmc.sys
Device \Driver\hidusb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_CREATE [F865776A] HIDCLASS.SYS
Device \Driver\hidusb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_CLOSEIRP_MJ_READ [F865776A] HIDCLASS.SYS
Device \Driver\hidusb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_WRITE [F865776A] HIDCLASS.SYS
Device \Driver\hidusb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_QUERY_INFORMATION [F865776A] HIDCLASS.SYS
Device \Driver\hidusb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_INTERNAL_DEVICE_CONTROL [F865776A] HIDCLASS.SYS
Device \Driver\hidusb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_SHUTDOWN [F865776A] HIDCLASS.SYS
Device \Driver\hidusb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_SYSTEM_CONTROL [F865776A] HIDCLASS.SYS
Device \Driver\hidusb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_DEVICE_CHANGE [F865776A] HIDCLASS.SYS
Device \Driver\hidusb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_PNP_POWER [F865776A] HIDCLASS.SYS
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSEIRP_MJ_READ 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 81EDBB50
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP_POWER 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSEIRP_MJ_READ 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 81EDBB50
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP_POWER 81EDBB50
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSEIRP_MJ_READ 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 82113F00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP_POWER 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_NAMED_PIPE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLOSEIRP_MJ_READ 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_WRITE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_EA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_EA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FLUSH_BUFFERS 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_VOLUME_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_VOLUME_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DIRECTORY_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FILE_SYSTEM_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SHUTDOWN 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_LOCK_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLEANUP 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_MAILSLOT 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_SECURITY 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_SECURITY 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CHANGE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_QUOTA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_QUOTA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP_POWER 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSEIRP_MJ_READ 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 82113F00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP_POWER 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_NAMED_PIPE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLOSEIRP_MJ_READ 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_WRITE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_EA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_EA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FLUSH_BUFFERS 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_VOLUME_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_VOLUME_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DIRECTORY_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FILE_SYSTEM_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SHUTDOWN 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_LOCK_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLEANUP 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_MAILSLOT 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_SECURITY 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_SECURITY 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_POWER 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SYSTEM_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CHANGE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_QUOTA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_QUOTA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_PNP 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_PNP_POWER 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE_NAMED_PIPE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CLOSEIRP_MJ_READ 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_WRITE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_EA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_EA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_FLUSH_BUFFERS 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_VOLUME_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_VOLUME_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DIRECTORY_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_FILE_SYSTEM_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DEVICE_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_INTERNAL_DEVICE_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SHUTDOWN 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_LOCK_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CLEANUP 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE_MAILSLOT 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_SECURITY 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_SECURITY 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_POWER 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SYSTEM_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DEVICE_CHANGE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_QUOTA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_QUOTA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_PNP 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_PNP_POWER 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE_NAMED_PIPE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CLOSEIRP_MJ_READ 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_WRITE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_EA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_EA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_FLUSH_BUFFERS 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_VOLUME_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_VOLUME_INFORMATION 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DIRECTORY_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_FILE_SYSTEM_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DEVICE_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_INTERNAL_DEVICE_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SHUTDOWN 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_LOCK_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CLEANUP 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE_MAILSLOT 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_SECURITY 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_SECURITY 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_POWER 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SYSTEM_CONTROL 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DEVICE_CHANGE 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_QUOTA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_QUOTA 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_PNP 82113F00
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_PNP_POWER 82113F00
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_NAMED_PIPE 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSEIRP_MJ_READ 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_INFORMATION 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_INFORMATION 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_EA 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_EA 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_VOLUME_INFORMATION 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_VOLUME_INFORMATION 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DIRECTORY_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FILE_SYSTEM_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_LOCK_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLEANUP 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_MAILSLOT 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_SECURITY 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_SECURITY 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CHANGE 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_QUOTA 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_QUOTA 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 81EDBB50
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP_POWER 81EDBB50
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F82FABF6] klmc.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F82FABF6] klmc.sys
Device \Driver\adpsSvc \Device\perRAME IRP_MJ_CREATE 81C721E7
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F82FABF6] klmc.sys
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CLOSEIRP_MJ_READ 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_WRITE 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_INFORMATION 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_EA 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_EA 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CLEANUP 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_SECURITY 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_POWER 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_QUOTA 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_PNP 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_PNP_POWER 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_NAMED_PIPE 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLOSEIRP_MJ_READ 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_WRITE 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_INFORMATION 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_INFORMATION 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_EA 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_EA 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FLUSH_BUFFERS 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_VOLUME_INFORMATION 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_VOLUME_INFORMATION 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DIRECTORY_CONTROL 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FILE_SYSTEM_CONTROL 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CONTROL 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SHUTDOWN 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_LOCK_CONTROL 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLEANUP 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_MAILSLOT 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_SECURITY 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_SECURITY 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_POWER 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SYSTEM_CONTROL 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CHANGE 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_QUOTA 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_QUOTA 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_PNP 82147AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_PNP_POWER 82147AD8
---- Processes - GMER 1.0.9 ----
Process UXTAKSIE.EXE (*** hidden *** ) 1208 <-- ROOTKIT !!!
Process ADSPTSVC.EXE (*** hidden *** ) 1216 <-- ROOTKIT !!!
---- Modules - GMER 1.0.9 ----
Module _________ F846A000
---- Services - GMER 1.0.9 ----
Service C:\WINDOWS\System32\drivers\drmpdate.sys (*** hidden *** ) [SYSTEM] adpsSvc <-- ROOTKIT !!!
---- Registry - GMER 1.0.9 ----
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ y\9CqF KLLKLLML9.BpYkcKLLKaNLuglbmuqLqICD.6RQL\B2F.BCL\B69\yD.MCIC
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@Device \\.\perRAME
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@DriverPath C:\WINDOWS\System32\drivers\drmpdate.sys
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@DriverName adpsSvc
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@HideUninstallerName C:\Program Files\Inturacy\lzedw400.exe
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@UninstallerPath C:\WINDOWS\System32\qosccr32.exe
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@UninstallerRegKey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\?965B0857-18E7-45F1-BC59-D59CE7AFA7D4?
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@UninstallerParams /CTUN
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@HDll C:\WINDOWS\System32\dxdstyle.dll
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ServerAddress adchannel.contextplus.net
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@LegalNote http://adchannel.contextplus.net/legal-note/nonbranded.html
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@PartnerId CP.IST2
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@InstallationId ?X613cfc5-155c-47f2-44fb-b8bd7a7e0703?
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@PageFiltering 1
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ClientName C:\Program Files\Inturacy\uxtaksie.exe
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@AutoUpdater C:\WINDOWS\System32\adsptsvc.exe
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@Version 2.0.131
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@CrMnTmt 3600000
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@NxRestTm 2006:03:25-14:32:01:192
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@LastAURestoreMsgTS 2006:03:25-13:32:01:442
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ y\9CqF KLLKLLML9.BpYkcKLLKaNLuglbmuqLqICD.6RQL\B2F.BCL\B69\yD.MCIC
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@Device \\.\perRAME
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@DriverPath C:\WINDOWS\System32\drivers\drmpdate.sys
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@DriverName adpsSvc
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@HideUninstallerName C:\Program Files\Inturacy\lzedw400.exe
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@UninstallerPath C:\WINDOWS\System32\qosccr32.exe
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@UninstallerRegKey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\?965B0857-18E7-45F1-BC59-D59CE7AFA7D4?
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@UninstallerParams /CTUN
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@HDll C:\WINDOWS\System32\dxdstyle.dll
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ServerAddress adchannel.contextplus.net
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@LegalNote http://adchannel.contextplus.net/legal-note/nonbranded.html
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@PartnerId CP.IST2
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@InstallationId ?X613cfc5-155c-47f2-44fb-b8bd7a7e0703?
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@PageFiltering 1
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ClientName C:\Program Files\Inturacy\uxtaksie.exe
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@AutoUpdater C:\WINDOWS\System32\adsptsvc.exe
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@Version 2.0.131
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@CrMnTmt 3600000
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@NxRestTm 2006:03:25-14:32:01:192
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@LastAURestoreMsgTS 2006:03:25-13:32:01:442
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm\AU2
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ y\9CqF KLLKLLML9.BpYkcKLLKaNLuglbmuqLqICD.6RQL\B2F.BCL\B69\yD.MCIC
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@Device \\.\perRAME
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@DriverPath C:\WINDOWS\System32\drivers\drmpdate.sys
Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@DriverName
|
| m_hook.sys |
GMER 1.0.9.8110 - http://www.gmer.net
Windows 5.1.2600 Dodatek Service Pack. 1
---- System - GMER 1.0.9 ----
SSDT \\??\\C:\\Documents and Settings\\Administrator\\Dane aplikacji\\hidires\\m_hook.sys ZwCreateFile <-- ROOTKIT !!!
SSDT \\??\\C:\\Documents and Settings\\Administrator\\Dane aplikacji\\hidires\\m_hook.sys ZwEnumerateKey <-- ROOTKIT !!!
SSDT \\??\\C:\\Documents and Settings\\Administrator\\Dane aplikacji\\hidires\\m_hook.sys ZwEnumerateValueKey <-- ROOTKIT !!!
SSDT \\??\\C:\\Documents and Settings\\Administrator\\Dane aplikacji\\hidires\\m_hook.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
SSDT \\??\\C:\\Documents and Settings\\Administrator\\Dane aplikacji\\hidires\\m_hook.sys ZwQueryKey <-- ROOTKIT !!!
SSDT \\??\\C:\\Documents and Settings\\Administrator\\Dane aplikacji\\hidires\\m_hook.sys ZwQuerySystemInformation <-- ROOTKIT !!!
---- Processes - GMER 1.0.9 ----
Process wintems.exe (*** hidden *** ) 1656 <-- ROOTKIT !!!
---- Registry - GMER 1.0.9 ----
Reg \\Registry\\USER\\S-1-5-21-839522115-1303643608-725345543-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Run@german.exe
C:\\WINDOWS\\System32\\wintems.exe
Reg \\Registry\\USER\\S-1-5-21-839522115-1303643608-725345543-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Run@drvsyskit
C:\\Documents and Settings\\Administrator\\Dane aplikacji\\hidires\\hidr.exe
---- Files - GMER 1.0.9 ----
File C:\\Documents and Settings\\Administrator\\Dane aplikacji\\hidires
File C:\\Documents and Settings\\Administrator\\Dane aplikacji\\hidires\\hidr.exe
File C:\\Documents and Settings\\Administrator\\Dane aplikacji\\hidires\\m_hook.sys <-- ROOTKIT !!!
File C:\\WINDOWS\\system32\\wintems.exe
---- Services - GMER 1.0.9 ----
Service C:\\Documents and Settings\\Administrator\\Dane aplikacji\\hidires\\m_hook.sys [MANUAL] m_hook <-- ROOTKIT !!!
---- EOF - GMER 1.0.9 ----
|
| VT100.EXE |
GMER 1.0.10.9819 - http://www.gmer.net
Rootkit 2006-05-04 18:30:25
Windows 5.1.2600 Dodatek Service Pack 2
---- Processes - GMER 1.0.10 ----
Process C:\WINDOWS\system32\VT100.EXE (*** hidden *** ) 3004 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\VT100.EXE (*** hidden *** ) @ C:\WINDOWS\system32\VT100.EXE [3004] 0x00400000 <-- ROOTKIT !!!
---- Registry - GMER 1.0.10 ----
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@VT100 Emulator C:\WINDOWS\system32\VT100.EXE
---- Files - GMER 1.0.10 ----
File C:\WINDOWS\system32\VT100.EXE
---- EOF - GMER 1.0.10 ----
|
| zopenssld.sys |
GMER 1.0.9.8110 - http://www.gmer.net
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.9 ----
SSDT \??\C:\WINDOWS\system32\zopenssld.sys ZwCreateProcess <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\zopenssld.sys ZwCreateProcessEx <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\zopenssld.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
---- Processes - GMER 1.0.9 ----
Process ogolrs.exe (*** hidden *** ) 1928 <-- ROOTKIT !!!
Process epfpr.exe (*** hidden *** ) 1972 <-- ROOTKIT !!!
Process epfpr.exe (*** hidden *** ) 2032 <-- ROOTKIT !!!
Process epfpr.exe (*** hidden *** ) 2040 <-- ROOTKIT !!!
---- Registry - GMER 1.0.9 ----
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@nxsdrq C:\WINDOWS\system32\ogolrs.exe reg_run
Reg \Registry\USER\S-1-5-21-2000478354-764733703-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Run@kuaes
C:\WINDOWS\system32\ogolrs.exe reg_run
---- Files - GMER 1.0.9 ----
File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gobmx.exe
File C:\WINDOWS\mcusi.dll
File C:\WINDOWS\system32\epfpr.exe
File C:\WINDOWS\system32\ogolrs.exe
File C:\WINDOWS\system32\plmtcxj.exe
File C:\WINDOWS\system32\unolibu.dll
File C:\WINDOWS\system32\zopenssl.dll
File C:\WINDOWS\system32\zopenssld.sys <-- ROOTKIT !!!
---- Services - GMER 1.0.9 ----
Service C:\WINDOWS\system32\zopenssld.sys [SYSTEM] zopenssld <-- ROOTKIT !!!
---- EOF - GMER 1.0.9 ----
|
| sysbus32.sys |
---- System - GMER 1.0.8 ----
SSDT 8182860A ZwEnumerateKey
SSDT 818298B6 ZwQueryDirectoryFile
---- Devices - GMER 1.0.8 ----
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 81828CEE
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 81828CEE
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 81828CEE
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 81828CEE
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 81828CEE
---- Services - GMER 1.0.8 ----
Service D:\WINDOWS\System32\DRIVERS\sysbus32.sys (*** hidden *** ) [AUTO] sysbus32
---- Registry - GMER 1.0.8 ----
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\sysbus32
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\sysbus32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\sysbus32@ErrorControl 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\sysbus32@Start 2
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\sysbus32@ImagePath System32\DRIVERS\sysbus32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\sysbus32@ExtParam 0xF1 0x15 0x28 0xD4 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\sysbus32
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\sysbus32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\sysbus32@ErrorControl 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\sysbus32@Start 2
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\sysbus32@ImagePath System32\DRIVERS\sysbus32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\sysbus32@ExtParam 0xF1 0x15 0x28 0xD4 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\sysbus32
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\sysbus32@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\sysbus32@ErrorControl 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\sysbus32@Start 2
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\sysbus32@ImagePath System32\DRIVERS\sysbus32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\sysbus32@ExtParam 0xF1 0x15 0x28 0xD4 ...
---- Files - GMER 1.0.8 ----
File D:\WINDOWS\system32\drivers\sysbus32.sys
|
| avpe32.sys avpe64.sys avpe32.dll |
---- System - GMER 1.0.7 ----
SSDT \SystemRoot\System32\DRIVERS\avpe32.sys ZwCreateProcess
SSDT \SystemRoot\System32\DRIVERS\avpe32.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\DRIVERS\avpe32.sys ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\avpe32.sys ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\avpe32.sys ZwQueryDirectoryFile
SSDT \SystemRoot\System32\DRIVERS\avpe32.sys ZwQuerySystemInformation
---- Processes - GMER 1.0.7 ----
Process explorer.exe (*** hidden *** ) 1596
File D:\WINDOWS\system32\avpe32.dll
File D:\WINDOWS\system32\drivers\avpe64.sys
File D:\WINDOWS\system32\klgcptini.dat
File D:\WINDOWS\system32\stt82.ini
|
| isa32.sys + netpt.sys |
---- System - GMER 1.0.6 ----
SSDT \??\C:\WINDOWS\System32\drivers\isa32.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\System32\drivers\isa32.sys ZwEnumerateValueKey
SSDT \SystemRoot\system32\DRIVERS\netpt.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\System32\drivers\isa32.sys ZwQueryDirectoryFile
SSDT \SystemRoot\system32\DRIVERS\netpt.sys ZwQuerySystemInformation
---- Devices - GMER 1.0.6 ----
Device \Driver\Tcpip IRP_MJ_CREATE isa32.sys
Device \Driver\Tcpip IRP_MJ_CLOSEIRP_MJ_READ isa32.sys
Device \Driver\Tcpip IRP_MJ_INTERNAL_DEVICE_CONTROL isa32.sys
---- Processes - GMER 1.0.6 ----
Process svchost.exe (*** hidden *** ) 828
Process perfont.exe (*** hidden *** ) 1276
File C:\WINDOWS\system32\drivers\isa32.sys
File C:\WINDOWS\system32\main6.exe
File C:\WINDOWS\Prefetch\MAIN6.EXE-2CC0C9E7.pf
|
| i386p.sys |
---- System - GMER 1.0.6 ----
SSDT 81F7FA16 ZwEnumerateKey
SSDT 81F7FABA ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwOpenProcess
SSDT 81F7F532 ZwQueryDirectoryFile
---- Devices - GMER 1.0.6 ----
Device \Driver\Tcpip IRP_MJ_CREATE 81F8057A
Device \Driver\i386p IRP_MJ_CREATE 81F7F3A4
File C:\99e21c81d36497c0228b\data\EURGEOM.DAT
File C:\99e21c81d36497c0228b\data\EURROUTE.DAT
File C:\99e21c81d36497c0228b\data\EURROUTE.DCT
File C:\99e21c81d36497c0228b\data\EURROUTE.VLF
File C:\99e21c81d36497c0228b\data\EUR_HD.MAD
File C:\99e21c81d36497c0228b\data\MSCREATE.DIR
File C:\99e21c81d36497c0228b\sp1\spmsg.dll
File C:\99e21c81d36497c0228b\sp1\spuninst.exe
File C:\99e21c81d36497c0228b\sp1\update
File C:\99e21c81d36497c0228b\sp1\update\eula.txt
File C:\99e21c81d36497c0228b\sp1\update\spcustom.dll
File C:\99e21c81d36497c0228b\sp1\update\update.exe
File C:\99e21c81d36497c0228b\sp2\spmsg.dll
File C:\99e21c81d36497c0228b\sp2\spuninst.exe
File C:\99e21c81d36497c0228b\sp2\update
File C:\99e21c81d36497c0228b\sp2\update\eula.txt
File C:\99e21c81d36497c0228b\sp2\update\spcustom.dll
File C:\99e21c81d36497c0228b\sp2\update\update.exe
File C:\99e21c81d36497c0228b\system\AM70407.DLL
File C:\99e21c81d36497c0228b\system\AUTOMAP7.EXE
File C:\99e21c81d36497c0228b\system\EUR70407.CHM
File C:\99e21c81d36497c0228b\system\EUR70407.DLL
File C:\99e21c81d36497c0228b\system\EUR70407.HLP
File C:\99e21c81d36497c0228b\system\MSCREATE.DIR
File C:\99e21c81d36497c0228b\system\MVUT21N.DLL
|