Embers
Trooper

 Joined: Jul 04, 2007 Posts: 23 Location: USA
Posted: Fri Jul 27, 2007 3:45 pm Post subject: Rootkit activity detected
Hi, I have done a few posts before. I'm now sure I have a rootkit which is pretty well done.
I recently tried the A2 scanner, which detected a packet sniffer named
PSSdk23 (detected as an instant messenger grabber by A2), but it is a packet sniffer library (it's not a false positive).
I removed the registry key, but after each reboot it comes back.
I made a log of my registry at boot and here is the key:
77330: services.exe:740 EnumerateKey HKLM\System\CurrentControlSet\Services SUCCESS Name: PSSdk23
77331: services.exe:740 OpenKey HKLM\System\CurrentControlSet\Services\PSSdk23 SUCCESS Access: 0x20019
77332: services.exe:740 QueryValue HKLM\System\CurrentControlSet\Services\PSSdk23\Type NOT FOUND
It always comes back. I also found out it is installed as a driver, pssdk23.sys
(which I can't find anymore since I detected it).
Here are also some other traces of it:
126090: services.exe:740 OpenKey HKLM\System\CurrentControlSet\Enum\ROOT\LEGACY_PSSDK23\0000 SUCCESS Access: 0x20019
126091: services.exe:740 OpenKey HKLM\System\CurrentControlSet\Enum\ROOT\LEGACY_PSSDK23\0000\ROOT&LEGACY_PSSDK23&0000 NOT FOUND
126092: services.exe:740 CloseKey HKLM\System\CurrentControlSet\Enum\ROOT\LEGACY_PSSDK23\0000 SUCCESS
126093: services.exe:740 OpenKey HKLM\System\CurrentControlSet\Enum\ROOT\LEGACY_PSSDK23\0000 SUCCESS Access: 0x20019
126094: services.exe:740 OpenKey HKLM\System\CurrentControlSet\Enum\ROOT\LEGACY_PSSDK23\0000\ROOT&LEGACY_PSSDK23&0000 NOT FOUND
126095: services.exe:740 QueryValue HKLM\System\CurrentControlSet\Enum\ROOT\LEGACY_PSSDK23\0000\Phantom NOT FOUND
126096: services.exe:740 CloseKey HKLM\System\CurrentControlSet\Enum\ROOT\LEGACY_PSSDK23\0000 SUCCESS
126097: services.exe:740 OpenKey HKLM\System\CurrentControlSet\Enum\ROOT\LEGACY_PSSDK23\0000 SUCCESS Access: 0x20019
126098: services.exe:740 QueryValue HKLM\System\CurrentControlSet\Enum\ROOT\LEGACY_PSSDK23\0000\ClassGUID SUCCESS "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
126099: services.exe:740 CloseKey HKLM\System\CurrentControlSet\Enum\ROOT\LEGACY_PSSDK23\0000 SUCCESS
I also see some keys near these modified ones with the name "Phantom".
I see nothing wrong with rkunhooker, but it seems I'm not experienced enough to see it.
There are also a lot of keys that look suspect, but I'm not going to post them right now, to keep the post clean and start with the first thing which is abnormal.
Thank you for reading my post; any help would be appreciated.
AbuIbrahim
Security Expert Special Response Team
 Joined: Jan 18, 2006 Posts: 1930
Posted: Wed Aug 01, 2007 2:12 pm
Please download Rootkit Revealer
- Unzip it to your desktop.
- Open the rootkitrevealer folder and double-click rootkitrevealer.exe
- Click the Scan button (bottom right)
- It may take a while to scan (don't do anything while it's running)
- When it's done, go up to File > Save. Choose to save it to your desktop.
- Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here.
** NOTE: Before performing a scan it is recommended to do the following.
1. Physically unplug the cable from the PC to the internet connection.
2. Close down All Scheduling/Updating + Running Background tasks etc.
3. Launch and run the program.
4. While it is scanning DO NOT use your computer at ALL until the scan has been completed.
5. Save your Log File, and then Enable those things you closed down, or Reboot, and ONLY then Reconnect to the Internet.
This will ensure you have a simpler and clearer log file to analyze.
Second, download GMER from here: http://www.majorgeeks.com/GMER_d5198.html
Run GMER > go to rootkit tab > click copy button > ok. In your next reply, right-click and select paste.
_________________
Microsoft MVP - Consumer Security 2008
An Invitation to Think - York University
Embers
Trooper

 Joined: Jul 04, 2007 Posts: 23 Location: USA
Posted: Sun Aug 05, 2007 7:50 pm
Hi, thank you for taking an interest in my problem.
Here is the Rootkit Revealer log:
HKU\.DEFAULT\Control Panel\International 27/07/2007 20:22 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 27/07/2007 20:22 0 bytes Security mismatch.
HKU\S-1-5-21-1229272821-1383384898-839522115-1004\Control Panel\International 27/07/2007 20:21 0 bytes Security mismatch.
HKU\S-1-5-21-1229272821-1383384898-839522115-1004\Control Panel\International\Geo 27/07/2007 20:21 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 27/07/2007 20:22 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 27/07/2007 20:22 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 06/03/2007 23:56 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 06/03/2007 23:56 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\cfexefile\DefaultIcon 27/07/2007 20:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell 27/07/2007 20:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell\open 27/07/2007 20:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell\open\command 27/07/2007 20:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell\runas 27/07/2007 20:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell\runas\command 27/07/2007 20:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex 27/07/2007 20:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\ContextMenuHandlers 27/07/2007 20:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\ContextMenuHandlers\CmdLineExt 27/07/2007 20:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\DropHandler 27/07/2007 20:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\PropertySheetHandlers 27/07/2007 20:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\PropertySheetHandlers\PifProps 27/07/2007 20:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\PropertySheetHandlers\ShimLayer Property Page 27/07/2007 20:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} 27/07/2007 20:14 0 bytes Security mismatch.
C:\Program Files\G DATA InternetSecurity\AVK\Log\AVKLog\0000000376 05/08/2007 20:40 0 bytes Hidden from Windows API.
C:\Program Files\G DATA InternetSecurity\AVK\Log\AVKLog\0000000376\LogEntries 05/08/2007 20:40 465 bytes Hidden from Windows API.
C:\Program Files\G DATA InternetSecurity\AVK\Log\AVKLog\0000000376\Values 05/08/2007 20:40 82 bytes Hidden from Windows API.
C:\Program Files\G DATA InternetSecurity\AVK\Log\AVKLog\0000000377 05/08/2007 20:43 0 bytes Hidden from Windows API.
C:\Program Files\G DATA InternetSecurity\AVK\Log\AVKLog\0000000377\LogEntries 05/08/2007 20:43 940 bytes Hidden from Windows API.
C:\Program Files\G DATA InternetSecurity\AVK\Log\AVKLog\0000000377\Values 05/08/2007 20:43 82 bytes Hidden from Windows API.
C:\Program Files\G DATA InternetSecurity\AVK\Log\AVKLog\0000000378 05/08/2007 20:43 0 bytes Hidden from Windows API.
C:\Program Files\G DATA InternetSecurity\AVK\Log\AVKLog\0000000378\LogEntries 05/08/2007 20:43 513 bytes Hidden from Windows API.
C:\Program Files\G DATA InternetSecurity\AVK\Log\AVKLog\0000000378\Values 05/08/2007 20:43 82 bytes Hidden from Windows API.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll 19/07/2007 01:43 252.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll 19/07/2007 01:43 111.50 KB Visible in Windows API, but not in MFT or directory index.
And here is the GMER one:
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-08-05 21:47:56
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.13 ----
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwFsControlFile
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwOpenSection
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwReadVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwRequestWaitReplyPort
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSuspendProcess
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwTerminateThread
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.13 ----
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS Le fichier spécifié est introuvable.
---- Kernel IAT/EAT - GMER 1.0.13 ----
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7AC0EA0] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7AC0F20] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7AC1200] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7AC11C0] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7AC11C0] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7AC0F20] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7AC0EA0] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7AC1200] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7AC1200] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7AC11C0] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7AC0F20] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7AC0EA0] GDNdisIc.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7AC11C0] GDNdisIc.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7AC0EA0] GDNdisIc.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7AC0F20] GDNdisIc.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7AC1200] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7AC0EA0] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7AC0F20] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7AC11C0] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7AC1200] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7AC11C0] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7AC0F20] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7AC0EA0] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F7AC0EA0] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F7AC0F20] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F7AC1200] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F7AC11C0] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F7AC11C0] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7AC1200] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F7AC0EA0] GDNdisIc.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F7AC0F20] GDNdisIc.sys
---- Devices - GMER 1.0.13 ----
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F77871DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F77871DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7787454] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F77871DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F777AF4C] fltMgr.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F7AFFAA4] GDTdiIcpt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AFFAA4] GDTdiIcpt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F7AFFAA4] GDTdiIcpt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AFFAA4] GDTdiIcpt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F7AFFAA4] GDTdiIcpt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AFFAA4] GDTdiIcpt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F7AFFAA4] GDTdiIcpt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AFFAA4] GDTdiIcpt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F7AFFAA4] GDTdiIcpt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AFFAA4] GDTdiIcpt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F77871DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F77871DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F7787454] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F77871DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F777AF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F777AF4C] fltMgr.sys
---- EOF - GMER 1.0.13 ----
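The triage the expert does on the two logs above (which driver owns each GMER hook, and what kinds of discrepancy Rootkit Revealer reported) can be scripted. This is an added Python example, not code from the thread or from either tool; it runs on a few constructed lines in the same format as the posted logs (paths shortened), and the function names are mine.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the GMER and Rootkit Revealer output
# posted above (a few entries each, shortened paths, not the full logs).
GMER_SAMPLE = r"""
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwCreateKey
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7AC0F20] GDNdisIc.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F7AFFAA4] GDTdiIcpt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F77871DE] fltMgr.sys
"""
RKR_SAMPLE = r"""
HKU\.DEFAULT\Control Panel\International 27/07/2007 20:22 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 06/03/2007 23:56 0 bytes Key name contains embedded nulls (*)
C:\Program Files\G DATA InternetSecurity\AVK\Log\AVKLog\0000000376 05/08/2007 20:40 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices.dll 19/07/2007 01:43 252.00 KB Visible in Windows API, but not in MFT or directory index.
"""

HOOK_KINDS = ("SSDT", "IAT", "Device", "AttachedDevice")


def parse_gmer(text):
    """Return (kind, hooked target, hooking module) for every GMER hook line."""
    hooks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in HOOK_KINDS:
            continue  # section headers, the EOF marker, blank lines
        if parts[0] == "SSDT":
            # SSDT <driver path> <native function>
            module, target = parts[1], parts[2]
        else:
            # IAT/Device/AttachedDevice end with "[<address>] <module>"
            module, target = parts[-1], " ".join(parts[1:-2])
        hooks.append((parts[0], target, module.rsplit("\\", 1)[-1]))
    return hooks


def hooks_by_module(hooks):
    """Hook count per module: a few drivers you can tie to installed security
    software reads very differently from one unfamiliar driver owning hooks."""
    return Counter(module for _, _, module in hooks)


RKR_LINE = re.compile(r"^(?P<path>.+?)\s+\d{2}/\d{2}/\d{4} \d{2}:\d{2}\s+"
                      r"\S+ (?:bytes|KB|MB)\s+(?P<why>.+)$")


def parse_rootkit_revealer(text):
    """Return (path, discrepancy type) for each Rootkit Revealer log line."""
    return [(m.group("path"), m.group("why").rstrip("."))
            for m in map(RKR_LINE.match, text.splitlines()) if m]


def discrepancies_by_type(entries):
    """Counts per type; 'Hidden from Windows API' entries are the ones to reconcile against software known to hide its own files."""
    return Counter(why for _, why in entries)
```

Every hook in the posted GMER log resolves to one of five modules, which is what lets the expert call the scan clean once those modules are accounted for.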
AbuIbrahim
Security Expert Special Response Team
 Joined: Jan 18, 2006 Posts: 1930
Posted: Mon Aug 06, 2007 1:46 pm
All your rootkit scans look clean.
Are you still experiencing problems from the rootkit you have in question?
jamesdudu
Guest IP: 218.12.*.*
Posted: Wed Jan 09, 2008 7:52 am
psdk23.sys is a packet sniffer SDK of Ethereal; it's loaded when you launch Ethereal. Not a rootkit or malware.