scsiport.sys general questions

Discussion in 'Software' started by doc Holliday, Jun 18, 2011.

  1. doc Holliday

    doc Holliday Private First Class

    Hi folks:

    BACKGROUND: my 2 PCs haven't been running smoothly (THIS IS NOT A MALWARE CLEANING POST PER SE) and I suspected a rootkit. GMER showed items of interest, but no "red text" for removal. Of the rootkit programs I tried, only Tizer Rootkit Razor showed problems and removed them (BTW the Comodo Fire Wall and Microsoft Security Essentials "hits" were NOT false positives - the rootkit apparently hooks into them or modifies them. I did REVO MAXIMUM Uninstalls on those and installed fresh after Tizer showed no rootkits, and they work correctly again).

    [I also ID problem files and go to a bootable CD to change files without the rootkit blocking me]

    Tizer is showing scsiport.sys as a rootkit. I have therefore been looking at all the instances of it in my system.

    MY QUESTIONS:

    1. what is scsiport.sy_ ?? Its size does not match the version in my sp3.cab file, and it is not indicated as a Microsoft file. I think I should remove the .sy_ version and replace with a good one from my files.

    2. Is there any reason that a file called scsiport.sys would be any different in one location than another?? The file in \$NtServicePackUninstalls\ (5.1.2600.2180 = SP2 version) does not match the size of the file in c:\windows\driver cache\i386\sp2.cab. Thinking of replacing this one too.

    Thanks for any insights..

    BTW at this point I think Tizer Rootkit Razor is amazing...
    .
     
  2. satrow

    satrow Major Geek Extraordinaire

    Hi Doc,

    scsiport.sy_ is the compressed version of scsiport.sys; it's expanded to the full file on installation. Something like 'expand D:\i386\scsiport.sy_ C:\Windows\System32\scsiport.sys' would be the command to expand the file to recover from a missing one from the original XP CD.

    Cab file compression may account for the size difference you see; check again once the file has been expanded or copied from the cab.

    Autoruns set to show MSFT and Windows files and verify set to on is a useful way to check some currently loaded files (not all MSFT files are signed though!). Don't forget to refresh it after any options changes.

    Also DriverView can give a lot of details fast about currently loaded drivers.

    There's also a HashTab explorer extension and many other useful tools out there - beware of the crapware though ;)
     
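The check satrow describes, written out as an added example (not code from the thread): expand the compressed copies first, then compare size, version, SHA-256 and signature status across every copy of scsiport.sys. The CD drive letter, cab locations and the $NtServicePackUninstall$ path are assumptions; adjust them for the machine being checked.

```powershell
# Added example, not from the thread: expand the compressed copies of scsiport.sys,
# then list size, version, SHA-256 and signature status for every copy, so a size
# difference caused by compression can be told apart from a different file.
# Paths are assumptions; PowerShell 2.0 syntax so it runs on an XP-era system.
$work = Join-Path $env:TEMP 'scsiport-check'
New-Item -ItemType Directory -Force -Path $work | Out-Null

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# expand.exe ships with Windows: a bare .sy_ file, or -F: to pull one file from a .cab.
& expand.exe 'D:\i386\scsiport.sy_' (Join-Path $work 'from-cd.sys') | Out-Null
foreach ($cab in 'sp2', 'sp3') {
    $cabPath = "C:\Windows\Driver Cache\i386\$cab.cab"
    if (-not (Test-Path $cabPath)) { continue }
    & expand.exe -F:scsiport.sys $cabPath $work | Out-Null
    Move-Item (Join-Path $work 'scsiport.sys') (Join-Path $work "from-$cab.sys") -Force
}

$candidates = @(
    'C:\Windows\System32\drivers\scsiport.sys',
    'C:\Windows\System32\dllcache\scsiport.sys',
    'C:\Windows\$NtServicePackUninstall$\scsiport.sys',
    (Join-Path $work 'from-cd.sys'),
    (Join-Path $work 'from-sp2.sys'),
    (Join-Path $work 'from-sp3.sys')
) | Where-Object { Test-Path $_ }

# Windows drivers are usually catalog-signed, so 'Valid' depends on the catalogs under
# System32\CatRoot being present and intact; 'NotSigned' alone is not proof of tampering.
$report = foreach ($p in $candidates) {
    $item = Get-Item $p
    New-Object PSObject -Property @{
        Path      = $p
        Bytes     = $item.Length
        Version   = $item.VersionInfo.FileVersion
        SHA256    = Get-Sha256Hex $p
        Signature = (Get-AuthenticodeSignature -FilePath $p).Status
    }
}
$report | Format-Table Path, Bytes, Version, Signature, SHA256 -AutoSize
# Copies that claim the same version but hash differently are the ones worth a closer look.
$report | Group-Object Version |
    Where-Object { @($_.Group | ForEach-Object { $_.SHA256 } | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { Write-Warning "Version $($_.Name) has differing hashes across copies" }
```

Run it from a clean boot (for example the bootable CD mentioned above) if a rootkit is suspected, since a hooked filesystem can present different bytes to a live system than are actually on disk.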