[IN PROGRESS] Help with GMER Rootkit results

 
Forum: All -> FavForums -> Rootkit Revelations
sunny20 (Guest)

Posted: Mon Jan 14, 2008 6:54 am    Post subject: Help with GMER Rootkit results

After reading a news story on BBC about rootkits, I downloaded GMER and did a scan. I have no idea what the scan results mean. I would really appreciate some expert help.
Thanks in advance.
Here's the log...very long...only the last line was red...rest were black. No idea what that means.

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2008-01-13 22:47:55
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT 85B46918 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT 85B46BE8 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadDriver
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT 85B46990 ZwQueueApcThread
SSDT 85B46828 ZwReadVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwRenameKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT 85B46A80 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT 85B46FA8 ZwSetInformationKey
SSDT 85B46CD8 ZwSetInformationProcess
SSDT 85B46AF8 ZwSetInformationThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT 85B46C60 ZwSuspendProcess
SSDT 85B46A08 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT 85B46B70 ZwTerminateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwUnloadDriver
SSDT 85B468A0 ZwWriteVirtualMemory

INT 0x20 srescan.sys F72A1C70

---- Kernel code sections - GMER 1.0.13 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 10, B5, 0E, EE, 70, 18, 0F, ... ]
? srescan.sys The system cannot find the file specified.
? C:\WINDOWS\system32\5CB.tmp The system cannot find the file specified.

---- User code sections - GMER 1.0.13 ----

.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1924] ntdll.dll!KiFastSystemCall + 2 7C90EB8D 2 Bytes [ CD, 20 ]

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 85B46648
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 85B46740
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EE0EFCA0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EE0F01C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EE0F0320] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EE0EFE10] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [EE0EFE10] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [EE0EFCA0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [EE0F01C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [EE0F0320] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EE0EFCA0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EE0F0320] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EE0F01C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EE0EFE10] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EE0F0320] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EE0F01C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EE0EFCA0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EE0EFE10] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EE0EFCA0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EE0F01C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EE0F0320] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [EE0F0320] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [EE0F01C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [EE0EFE10] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [EE0EFCA0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [EE0FD330] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EE0EFCA0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EE0EFE10] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EE0F0320] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EE0F01C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [EE0E8670] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [EE0E85C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [EE0E8770] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [EE0E82D0] \SystemRoot\System32\vsdatant.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F73D31DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F73D31DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F73D3454] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F73D31DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F73C6F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F73C6F4C] fltMgr.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 85822F30
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 85822E40
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 85828FA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 85828F30
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 85828EB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 85828E40
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 8582AFA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 8582AF30
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 8582AEB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 8582AE40
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 85802930
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 858028B8
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 85815BC0
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 85815B48
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 85815A58
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 855D1C10
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 855D1B98
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 855D1B20
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 855D1AA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 85820020
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 85820200
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 85820188
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 85820110

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_NAMED_PIPE [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLOSE [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_READ [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_WRITE [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_INFORMATION [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_INFORMATION [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_EA [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_EA [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FLUSH_BUFFERS [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_VOLUME_INFORMATION [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_VOLUME_INFORMATION [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DIRECTORY_CONTROL [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FILE_SYSTEM_CONTROL [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CONTROL [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SHUTDOWN [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_LOCK_CONTROL [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLEANUP [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_MAILSLOT [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_SECURITY [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_SECURITY [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_POWER [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SYSTEM_CONTROL [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CHANGE [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_QUOTA [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_QUOTA [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE_NAMED_PIPE [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLOSE [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_READ [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_WRITE [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_INFORMATION [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_INFORMATION [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_EA [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_EA [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_FLUSH_BUFFERS [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_VOLUME_INFORMATION [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_VOLUME_INFORMATION [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DIRECTORY_CONTROL [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_FILE_SYSTEM_CONTROL [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DEVICE_CONTROL [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SHUTDOWN [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_LOCK_CONTROL [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLEANUP [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE_MAILSLOT [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_SECURITY [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_SECURITY [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_POWER [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SYSTEM_CONTROL [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DEVICE_CHANGE [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_QUOTA [F66A7E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_QUOTA [F66A7E00] SynTP.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 85822F30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 85822E40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 85828FA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 85828F30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 85828EB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 85828E40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 8582AFA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 8582AF30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 8582AEB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 8582AE40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 85802930
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 858028B8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 85815BC0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 85815B48
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 85815A58
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 855D1C10
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 855D1B98
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 855D1B20
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 855D1AA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 85820020
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 85820200
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 85820188
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 85820110

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_NAMED_PIPE [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLOSE [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_INFORMATION [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_INFORMATION [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_EA [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_EA [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_VOLUME_INFORMATION [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_VOLUME_INFORMATION [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DIRECTORY_CONTROL [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FILE_SYSTEM_CONTROL [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_LOCK_CONTROL [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_MAILSLOT [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_SECURITY [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_SECURITY [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CHANGE [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_QUOTA [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_QUOTA [F7292B10] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_NAMED_PIPE [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLOSE [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_INFORMATION [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_INFORMATION [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_EA [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_EA [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_VOLUME_INFORMATION [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_VOLUME_INFORMATION [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DIRECTORY_CONTROL [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FILE_SYSTEM_CONTROL [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_LOCK_CONTROL [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_MAILSLOT [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_SECURITY [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_SECURITY [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CHANGE [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_QUOTA [F72C6840] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_QUOTA [F72C6840] timntr.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 85822F30
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 85822E40
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 85828FA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 85828F30
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 85828EB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 85828E40
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 8582AFA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 8582AF30
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 8582AEB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 8582AE40
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 85802930
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 858028B8
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 85815BC0
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 85815B48
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 85815A58
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 855D1C10
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 855D1B98
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 855D1B20
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 855D1AA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 85820020
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 85820200
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 85820188
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 85820110
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 85822F30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 85822E40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 85828FA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 85828F30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 85828EB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 85828E40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 8582AFA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 8582AF30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 8582AEB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 8582AE40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 85802930
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 858028B8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 85815BC0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 85815B48
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 85815A58
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 855D1C10
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 855D1B98
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 855D1B20
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 855D1AA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 85820020
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 85820200
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 85820188
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 85820110
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 85822F30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 85822E40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 85828FA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 85828F30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 85828EB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 85828E40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 8582AFA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 8582AF30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 8582AEB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 8582AE40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 85802930
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 858028B8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 85815BC0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 85815B48
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 85815A58
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 855D1C10
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 855D1B98
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 855D1B20
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 855D1AA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 85820020
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 85820200
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 85820188
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 85820110

---- Processes - GMER 1.0.13 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1732] 0x02800000

---- EOF - GMER 1.0.13 ----

negster22
Security Expert, Premium Member
Joined: Mar 10, 2004
Posts: 5394

Posted: Tue Jan 15, 2008 12:04 am

Hello sunny,

You probably read something on the new MBR rootkit discussed here:
CastleCops Link/t212084-Stealth_MBR_rootkit.html

Don't worry - your Gmer log does NOT show that you have that.

There are also no rootkit drivers or libraries (DLLs) in your Gmer log. Your log is long because you have legitimate drivers that have created hooks, such as Spysweeper and Zone Alarm Pro.

The file listed in red is a hidden process, but it is a legitimate Windows file - Explorer.exe, and is a false positive that occasionally shows up in a Gmer scan report.

I want you to clean all your temp files and browser cache using ATF Cleaner by Atribune.

This program is for Windows 2K, XP, and Vista

Note: If you would like to retain your cookies - then do not check them to be removed

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Uncheck any items that you do not want removed such as stored cookies
  • Click the Empty Selected button.

If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Then disable active protection component of your installed security programs like Spysweeper by referring to these directions:
http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs

Reboot to unload the driver(s).

Then download and unzip the GMER 1.0.14 beta here:
http://www2.gmer.net/beta/
And perform a rootkit scan with that.
Then post back the GMER 1.0.14 beta log.

Re-enable your active protection.


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
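The reply above rests on the one question a reviewer asks of every GMER hit: which module owns the hook? The Python script below is an added example, not code from CastleCops, GMER or either poster. It parses the record types that appear in sunny20's log (SSDT, INT, .text patches, IAT, Device/AttachedDevice, the "? file" lines and the "(*** hidden *** )" entry) and sorts them into buckets: hooks attributed to a module, hooks that carry only a bare address, patched code, files GMER could not read back from disk, and hidden objects. SAMPLE_LOG is a constructed excerpt of lines from the log above plus one made-up line (unknowndrv.sys, an assumed name) so the unknown-owner bucket has something in it; KNOWN_GOOD lists only the owners the thread itself vouches for.

```python
"""Triage a GMER 1.0.13 log by hook owner (added example; not code from
CastleCops, GMER or either poster). Hooks are grouped by the module GMER
attributed them to, so noise from a known firewall or anti-spyware driver
separates from what needs a second look: bare addresses GMER could not map
to a module, files it could not read back from disk, and hidden objects."""
import re
from collections import defaultdict

HEX = r"[0-9A-Fa-f]{8}"
# Owners the thread vouches for: ZoneAlarm Pro (vsdatant, srescan), Windows
# Filter Manager, and Spy Sweeper's SSFSxxxx.SYS file-system filter.
KNOWN_GOOD = {"vsdatant.sys", "srescan.sys", "fltmgr.sys"}
SPYSWEEPER_FS = re.compile(r"^ssfs[0-9a-f]{4}\.sys$")
# A hook owner is "[ADDR] \path\module.sys", or a bare address when no loaded
# driver image covers the target (typically a pool allocation).
OWNER = rf"(?:\[{HEX}\]\s+(?P<mod>\S+)|(?P<bare>{HEX}))"
PATTERNS = {
    "ssdt": re.compile(rf"^SSDT\s+(?:(?P<bare>{HEX})|(?P<mod>\S+))\s+Zw\w+$"),
    "int": re.compile(rf"^INT\s+0x[0-9A-Fa-f]+\s+(?P<mod>\S+)\s+{HEX}$"),
    "patch": re.compile(rf"^\.text\s+(?:\S+\[\d+\]\s+)?(?P<target>[^!\s]+)!\S+\s+\+\s+\w+\s+{HEX}\s+\d+ Bytes"),
    "iat": re.compile(rf"^IAT\s+[^\[\s]+\[[^\]]+\]\s+{OWNER}$"),
    "device": re.compile(rf"^(?:AttachedDevice|Device)\s+\S+\s+\S+\s+IRP_MJ_\w+\s+{OWNER}$"),
    "unreadable": re.compile(r"^\?\s+(?P<path>\S+)\s+The system cannot find the file specified\.$"),
    "hidden": re.compile(r"^\w+\s+.*\(\*\*\* hidden \*\*\*\s*\)"),
}


def is_known(module: str) -> bool:
    name = module.rsplit("\\", 1)[-1].lower()
    return name in KNOWN_GOOD or bool(SPYSWEEPER_FS.match(name))


def triage(log_text: str) -> dict:
    """Return buckets: by_module, unattributed, patches, unreadable, hidden."""
    t = {"by_module": defaultdict(list), "unattributed": [], "patches": [],
         "unreadable": [], "hidden": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue  # blank line or "---- section ----" banner
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            g = m.groupdict()
            if kind == "unreadable":
                t["unreadable"].append(g["path"])
            elif kind == "hidden":
                t["hidden"].append(line)
            elif kind == "patch":  # records the patched target, not the patcher
                t["patches"].append((g["target"].lower(), line))
            elif g.get("bare"):
                t["unattributed"].append(line)
            else:
                t["by_module"][g["mod"].rsplit("\\", 1)[-1].lower()].append(line)
            break
    return t


def summary(t: dict) -> dict:
    """Counts a reviewer can scan before reading the full buckets."""
    return {
        "known_good_modules": sorted(m for m in t["by_module"] if is_known(m)),
        "unknown_modules": sorted(m for m in t["by_module"] if not is_known(m)),
        "attributed_hooks": sum(len(v) for v in t["by_module"].values()),
        "unattributed": len(t["unattributed"]),
        "patches": len(t["patches"]),
        "unreadable": len(t["unreadable"]),
        "hidden": len(t["hidden"]),
    }


# Constructed excerpt of the log posted above, plus one made-up line
# (unknowndrv.sys) to show how an owner outside the allowlist is reported.
SAMPLE_LOG = r"""
SSDT 85B46918 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadDriver
INT 0x20 srescan.sys F72A1C70
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 10, B5, 0E, EE, 70, 18, 0F, ... ]
? srescan.sys The system cannot find the file specified.
? C:\WINDOWS\system32\5CB.tmp The system cannot find the file specified.
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1924] ntdll.dll!KiFastSystemCall + 2 7C90EB8D 2 Bytes [ CD, 20 ]
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 85B46740
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EE0F01C0] \SystemRoot\System32\vsdatant.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7571E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F73D31DE] fltMgr.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EE0FCC20] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 85822E40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F7000000] unknowndrv.sys
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1732] 0x02800000
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in summary(result).items():
        print(f"{key}: {value}")
```

Run on the sample, the summary is four known-good owners (fltmgr.sys, srescan.sys, ssfs0bb8.sys, vsdatant.sys), one unknown (the made-up unknowndrv.sys), three bare-address hooks, two unreadable files and one hidden object. Two caveats the output cannot decide for you: GMER prints a bare address such as 85B46918 when no loaded driver image covers the hook target, which is how a driver that keeps its hook code in a pool allocation looks, so those entries are something to correlate with the attributed hooks around them rather than evidence of a rootkit on their own; and a "? file" line only means GMER could not open that file to compare its memory image against disk, which says nothing about what the file does. On the patch lines, the two bytes CD 20 written into KiFastSystemCall inside vsmon.exe decode to int 0x20, and the INT 0x20 line names srescan.sys as that interrupt's handler, so the patch and the handler belong to the same product.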