CastleCops, Internet Crime Fighters

[DONE]Found rootkit ssswlyo!?
Forum: Rootkit Revelations
super_beda
Trooper
Joined: Nov 20, 2007
Posts: 12
Location: Italy

Posted: Tue Nov 20, 2007 10:59 am    Post subject: Found rootkit ssswlyo!?

Hi all,
I'm new to this forum and a newbie in this field..
I'm afraid my PC is infected by a rootkit that I can't remove..

Every time I open Firefox another instance of the program opens (pointed at commercial websites..) and every time this happens my firewall tells me that ssswlyo.exe is trying to connect to the internet.
I ran a scan with RootkitRevealer and it found

HKLM\S-1-5-21-515967899-1647877149-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\ssswlyo 12/11/2007 10.28 170 bytes Hidden from Windows API.

Can anyone help?
Thanks in advance!

Angelfire777
1st Responder
Joined: Apr 16, 2006
Posts: 1322
Location: BC, Canada
Groups: 1st Responders, Rootkit Responders, SRT

Posted: Tue Nov 20, 2007 11:19 am    Post subject:

Hi, welcome to CC!

Please click Here to download HijackThis to your desktop.

Click the Download button. When the Trend Micro HJT install box appears, double click on the HJTInstall.exe. Click on Install.

It will be installed by default here: C:\Program Files\Trend Micro\HijackThis

A shortcut to the application will also be placed on your Desktop.

The program will open automatically after installation.

You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder. The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.

Click on "Do a system scan and save logfile". When the log pops up in Notepad, copy and paste that file back here.
_______

Download Gmer

  • Disconnect from internet and close running programs.
  • There is a small chance this application may crash your computer so save any work you have open.
  • Double click gmer.exe
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
  • If no warning....
  • Click "Rootkit" tab and click "Scan"
  • Once done, click "Copy"
  • Open Notepad and hit "ctrl+v" to paste the log.
  • Reconnect to the internet and post the log back to this thread please.


_________________
Member of UNITE and ASAP since 2006

super_beda
Trooper
Joined: Nov 20, 2007
Posts: 12
Location: Italy

Posted: Tue Nov 20, 2007 11:47 am    Post subject: log files

Hi AngelFire!
Thank you for the quick reply!
OK, I did what you said, and
this is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12.27.40, on 20/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NowSMS\SMSGWNT.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NowSMS\SMSGWS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Nokia\Update_Manager\bin\UMScheduler.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\javaw.exe
C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\rendezvous.exe
C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\phoneNumberRegistry.exe
C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\bluetoothDispatcher.exe
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Andrea\Desktop\sek.toolz\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [chkhbci] C:\WINDOWS\system32\chkhbcin.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [UninstallAbility] "C:\Program Files\Innovatools\UninstallAbility\uability.exe" /AUTO
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Nokia Connectivity Framework Lite.lnk = C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\NCFStart.exe
O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176908305500
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wireone.webex.com/client/v_mywebex-localized/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{516C9462-F359-43EF-837E-24E2E04FAFC4}: NameServer = 130.251.51.200,130.251.89.216
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NowSMS - Unknown owner - C:\PROGRA~1\NowSMS\SMSGWNT.EXE
O23 - Service: Ethernet Packet Service (npacketservice) - Nokia - C:\WINDOWS\system32\npacketsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8355 bytes


and this is the GMER log:

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-11-20 12:45:47
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreatePort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateSection
SSDT F8A9E054 ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteValueKey
SSDT F8A9E040 ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenSection
SSDT F8A9E045 ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetContextThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetInformationFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwShutdownSystem
SSDT F8A9E04F ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFileGather
SSDT F8A9E04A ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.13 ----

? C:\WINDOWS\system32\Drivers\PROCEXP100.SYS The system cannot find the file specified.
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified.

---- User code sections - GMER 1.0.13 ----

.text C:\WINDOWS\Explorer.EXE[568] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00DE200E
.text C:\WINDOWS\Explorer.EXE[568] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00DE1DAF
.text C:\WINDOWS\Explorer.EXE[568] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00DE1CF2
.text C:\WINDOWS\Explorer.EXE[568] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00DE191B
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\QuickTime\qttask.exe[776] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\QuickTime\qttask.exe[776] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\QuickTime\qttask.exe[776] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\QuickTime\qttask.exe[776] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\System32\svchost.exe[912] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\System32\svchost.exe[912] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\System32\svchost.exe[912] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\System32\svchost.exe[912] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\spoolsv.exe[1112] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\spoolsv.exe[1112] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\spoolsv.exe[1112] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\spoolsv.exe[1112] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe[1208] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00F3200E
.text C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe[1208] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00F31DAF
.text C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe[1208] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00F31CF2
.text C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe[1208] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00F3191B
.text C:\Program Files\AntiVir PersonalEdition Classic\sched.exe[1452] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00F2200E
.text C:\Program Files\AntiVir PersonalEdition Classic\sched.exe[1452] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00F21DAF
.text C:\Program Files\AntiVir PersonalEdition Classic\sched.exe[1452] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00F21CF2
.text C:\Program Files\AntiVir PersonalEdition Classic\sched.exe[1452] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00F2191B
.text C:\Program Files\Comodo\CBOClean\BOCORE.exe[1464] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Comodo\CBOClean\BOCORE.exe[1464] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Comodo\CBOClean\BOCORE.exe[1464] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Comodo\CBOClean\BOCORE.exe[1464] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\iTunes\iTunesHelper.exe[1504] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 011C200E
.text C:\Program Files\iTunes\iTunesHelper.exe[1504] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 011C1DAF
.text C:\Program Files\iTunes\iTunesHelper.exe[1504] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 011C1CF2
.text C:\Program Files\iTunes\iTunesHelper.exe[1504] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 011C191B
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1516] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1516] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1516] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1516] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\PROGRA~1\NowSMS\SMSGWNT.EXE[1560] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\PROGRA~1\NowSMS\SMSGWNT.EXE[1560] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\PROGRA~1\NowSMS\SMSGWNT.EXE[1560] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\PROGRA~1\NowSMS\SMSGWNT.EXE[1560] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\igfxtray.exe[1568] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0100200E
.text C:\WINDOWS\system32\igfxtray.exe[1568] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01001DAF
.text C:\WINDOWS\system32\igfxtray.exe[1568] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01001CF2
.text C:\WINDOWS\system32\igfxtray.exe[1568] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0100191B
.text C:\WINDOWS\system32\hkcmd.exe[1580] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00CD200E
.text C:\WINDOWS\system32\hkcmd.exe[1580] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00CD1DAF
.text C:\WINDOWS\system32\hkcmd.exe[1580] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00CD1CF2
.text C:\WINDOWS\system32\hkcmd.exe[1580] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00CD191B
.text C:\WINDOWS\system32\igfxpers.exe[1584] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00D1200E
.text C:\WINDOWS\system32\igfxpers.exe[1584] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00D11DAF
.text C:\WINDOWS\system32\igfxpers.exe[1584] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00D11CF2
.text C:\WINDOWS\system32\igfxpers.exe[1584] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00D1191B
.text C:\WINDOWS\System32\svchost.exe[1608] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\System32\svchost.exe[1608] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\System32\svchost.exe[1608] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\System32\svchost.exe[1608] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\PROGRA~1\NowSMS\SMSGWS.EXE[1616] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0199200E
.text C:\PROGRA~1\NowSMS\SMSGWS.EXE[1616] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01991DAF
.text C:\PROGRA~1\NowSMS\SMSGWS.EXE[1616] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01991CF2
.text C:\PROGRA~1\NowSMS\SMSGWS.EXE[1616] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0199191B
.text C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe[1812] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe[1812] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe[1812] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe[1812] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\SOUNDMAN.EXE[1836] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\SOUNDMAN.EXE[1836] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\SOUNDMAN.EXE[1836] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\SOUNDMAN.EXE[1836] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Documents and Settings\Andrea\Desktop\sek.toolz\gmer\gmer.exe[1924] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Documents and Settings\Andrea\Desktop\sek.toolz\gmer\gmer.exe[1924] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Documents and Settings\Andrea\Desktop\sek.toolz\gmer\gmer.exe[1924] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Documents and Settings\Andrea\Desktop\sek.toolz\gmer\gmer.exe[1924] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\ALCWZRD.EXE[2000] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\ALCWZRD.EXE[2000] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\ALCWZRD.EXE[2000] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\ALCWZRD.EXE[2000] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\iPod\bin\iPodService.exe[2264] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00AB200E
.text C:\Program Files\iPod\bin\iPodService.exe[2264] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00AB1DAF
.text C:\Program Files\iPod\bin\iPodService.exe[2264] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00AB1CF2
.text C:\Program Files\iPod\bin\iPodService.exe[2264] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00AB191B
.text C:\Program Files\Comodo\Firewall\CPF.exe[2320] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Comodo\Firewall\CPF.exe[2320] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 05, 5F ]
.text C:\Program Files\Comodo\Firewall\CPF.exe[2320] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[2356] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 009A200E
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[2356] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 009A1DAF
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[2356] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 009A1CF2
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[2356] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 009A191B
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[2388] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 01E9200E
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[2388] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01E91DAF
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[2388] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01E91CF2
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[2388] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 01E9191B
.text C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe[2400] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe[2400] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe[2400] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe[2400] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\PROGRA~1\Comodo\CBOClean\BOC425.exe[2440] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0182200E
.text C:\PROGRA~1\Comodo\CBOClean\BOC425.exe[2440] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01821DAF
.text C:\PROGRA~1\Comodo\CBOClean\BOC425.exe[2440] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01821CF2
.text C:\PROGRA~1\Comodo\CBOClean\BOC425.exe[2440] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0182191B
.text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[2444] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 014E200E
.text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[2444] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 014E1DAF
.text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[2444] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 014E1CF2
.text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[2444] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 014E191B
.text C:\WINDOWS\system32\ctfmon.exe[2472] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\ctfmon.exe[2472] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\ctfmon.exe[2472] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\ctfmon.exe[2472] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2484] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0171200E
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2484] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01711DAF
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2484] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01711CF2
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2484] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0171191B
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2536] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2536] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2536] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2536] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2536] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe
.text C:\Nokia\Update_Manager\bin\UMScheduler.exe[2680] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 175E200E
.text C:\Nokia\Update_Manager\bin\UMScheduler.exe[2680] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 175E1DAF
.text C:\Nokia\Update_Manager\bin\UMScheduler.exe[2680] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 175E1CF2
.text C:\Nokia\Update_Manager\bin\UMScheduler.exe[2680] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 175E191B
.text C:\WINDOWS\system32\cmd.exe[2752] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\cmd.exe[2752] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\cmd.exe[2752] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\cmd.exe[2752] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\javaw.exe[2828] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\javaw.exe[2828] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\javaw.exe[2828] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\javaw.exe[2828] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\rendezvous.exe[3688] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0103200E
.text C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\rendezvous.exe[3688] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01031DAF
.text C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\rendezvous.exe[3688] ntdll.dll!NtQueryDirectoryFile

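The procedure Angelfire777 gives above produces two logs, and the part of the GMER output that matters in this thread is the "User code sections" block: the same four ntdll exports (NtEnumerateKey, NtEnumerateValueKey, NtQueryDirectoryFile, NtQuerySystemInformation) are inline-patched with a JMP in nearly every listed process, gmer.exe itself included, and the JMP targets end in the same four offsets (200E, 1DAF, 1CF2, 191B) regardless of the base they sit at. Those four calls are what a user-mode rootkit hooks to hide its registry entries, files and process from anything running in the hooked process, which fits the "Hidden from Windows API" Run value RootkitRevealer reported. The following is an added example, not code from the thread and not GMER's own: a small Python parser for that line format that lists the processes in which all four hide APIs are hooked and applies a heuristic (mine, not a GMER feature) that checks whether each function's JMP targets share one page offset across processes, the pattern left by a single injected DLL relocated to a different base in each. SAMPLE_LOG is constructed to match the format of the log posted above; the Comodo and MSN Messenger lines are included to show that unrelated hooks are kept apart.

```python
"""Summarize the "User code sections" of a GMER log.

Added example for this thread; not GMER's code and not from the original
posts. SAMPLE_LOG is constructed to match the format of the log pasted above.
"""
import re
from collections import defaultdict

# ntdll exports a user-mode rootkit hooks so that everything running in the
# hooked process stops seeing its registry keys/values, files and process.
HIDE_APIS = frozenset({
    "NtEnumerateKey",            # hides registry keys
    "NtEnumerateValueKey",       # hides registry values (e.g. a Run entry)
    "NtQueryDirectoryFile",      # hides files and directories
    "NtQuerySystemInformation",  # hides processes
})

# .text <image>[<pid>] <module>!<func>[ + n] <addr> <n> Bytes <patch...>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\w+)(?:\s*\+\s*\d+)?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+(?P<patch>.+)$"
)
# "JMP <target>" optionally followed by the module GMER attributes the target to
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?$")


def parse_hooks(log_text):
    """One dict per '.text' hook line; every other line is ignored."""
    hooks = []
    for raw in log_text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["addr"] = int(h["addr"], 16)
        h["size"] = int(h["size"])
        j = JMP_RE.match(h["patch"])
        h["target"] = int(j.group("target"), 16) if j else None
        h["owner"] = j.group("owner") if j else None
        hooks.append(h)
    return hooks


def processes_with_hide_hooks(hooks):
    """(image, pid) pairs in which all four HIDE_APIS are hooked in ntdll.dll."""
    funcs_per_proc = defaultdict(set)
    for h in hooks:
        if h["module"].lower() == "ntdll.dll":
            funcs_per_proc[(h["image"], h["pid"])].add(h["func"])
    hits = [proc for proc, funcs in funcs_per_proc.items() if HIDE_APIS <= funcs]
    return sorted(hits, key=lambda proc: proc[1])


def hook_page_offsets(hooks):
    """Heuristic: low 16 bits of every JMP target, per hooked function.

    A DLL injected into every process loads at a different base in each
    (0x00DE0000 here, 0x10000000 there) but keeps its internal layout, so a
    single offset per function across all processes points at one module
    doing all the hooking; several offsets mean several hookers.
    """
    offsets = defaultdict(set)
    for h in hooks:
        if h["target"] is not None:
            offsets[h["func"]].add(h["target"] & 0xFFFF)
    return {func: sorted(offs) for func, offs in offsets.items()}


# Constructed sample in the format of the GMER log posted in this thread.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.13 ----

.text C:\WINDOWS\Explorer.EXE[568] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00DE200E
.text C:\WINDOWS\Explorer.EXE[568] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00DE1DAF
.text C:\WINDOWS\Explorer.EXE[568] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00DE1CF2
.text C:\WINDOWS\Explorer.EXE[568] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00DE191B
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Comodo\Firewall\CPF.exe[2320] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Comodo\Firewall\CPF.exe[2320] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 05, 5F ]
.text C:\Program Files\Comodo\Firewall\CPF.exe[2320] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2536] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe
.text C:\documents and settings\andrea\local settings\application data\ssswlyo.exe[3904] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\documents and settings\andrea\local settings\application data\ssswlyo.exe[3904] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\documents and settings\andrea\local settings\application data\ssswlyo.exe[3904] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\documents and settings\andrea\local settings\application data\ssswlyo.exe[3904] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
"""

if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for image, pid in processes_with_hide_hooks(hooks):
        print(f"hide hooks in {image} [{pid}]")
    for func, offs in hook_page_offsets(hooks).items():
        print(f"{func}: {', '.join(f'{o:04X}' for o in offs)}")
```

Run it as a script for the constructed sample, or import it and pass the text of a saved GMER log to parse_hooks. On the sample, the three processes with all four hide APIs hooked are Explorer.EXE, csrss.exe and ssswlyo.exe, each of the four functions resolves to exactly one page offset, and the Comodo and Messenger hooks (different functions, and in the Messenger case a target inside the program's own image) stay separate. A single shared offset per function is a strong hint that one module is hooking everything, but it is only a hint: the offset check cannot name the module, and a clean view of the registry and file system still needs a scan from outside the hooked session, which is why the thread moves to tools like GMER rather than trusting what the hooked API reports.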
super_beda
Trooper
Joined: Nov 20, 2007
Posts: 12
Location: Italy

Posted: Tue Nov 20, 2007 11:51 am    Post subject: ...continues

7C90DF5E 5 Bytes JMP 01031CF2
.text C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\rendezvous.exe[3688] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0103191B
.text C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\phoneNumberRegistry.exe[3860] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\phoneNumberRegistry.exe[3860] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\phoneNumberRegistry.exe[3860] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\phoneNumberRegistry.exe[3860] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\documents and settings\andrea\local settings\application data\ssswlyo.exe[3904] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\documents and settings\andrea\local settings\application data\ssswlyo.exe[3904] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\documents and settings\andrea\local settings\application data\ssswlyo.exe[3904] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\documents and settings\andrea\local settings\application data\ssswlyo.exe[3904] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\bluetoothDispatcher.exe[4008] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\bluetoothDispatcher.exe[4008] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\bluetoothDispatcher.exe[4008] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\bluetoothDispatcher.exe[4008] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F84C56D0] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F84C5730] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F84C5950] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F84C5910] inspect.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F84C5910] inspect.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F84C5730] inspect.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F84C56D0] inspect.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F84C5950] inspect.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F84C5950] inspect.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F84C5910] inspect.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F84C5730] inspect.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F84C56D0] inspect.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F84C5910] inspect.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F84C56D0] inspect.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F84C5730] inspect.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F84C5950] inspect.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F84C56D0] inspect.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F84C5730] inspect.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F84C5910] inspect.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F84C5950] inspect.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F84C5910] inspect.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F84C5730] inspect.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F84C56D0] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F84C5910] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F84C5950] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F84C56D0] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F84C5730] inspect.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F82C51DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F82C51DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F82C5454] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F82C51DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F82B8F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F82B8F4C] fltmgr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [AA3B9A6A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [AA3B9A16] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [AA3B994A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [AA3B985E] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [AA3B99B8] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [AA3B9B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE