MMSO.sys?

I have a system which has seen a bunch of crashes, all the same, that seem to be due to “mmso.sys” in WinDbg. However, there’s no such file on the system (or any other system) that I can find. But it is in the module list and has a reasonable date and a path to the normal drivers directory. Google turns up nothing. Is “mmso” actually some shorthand the way “nt” is in WinDbg, or does anyone have any other insight into this mysterious driver?

Thanks!

It may have been deleted from disk after it was loaded (this doesn’t
necessarily point to anything nefarious though, many utilities do this).

Did you search the registry for any references to this as being the binary
for a service?

Considering the fact that you’re desperate, you could search the image for
any strings that might point to an owner. Just get the start and end module
addresses from lm and pass them to the “s -sa” command (i.e. “s -sa
”). “s -su” might also be useful.

-scott
OSR
@OSRDrivers
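
The string search suggested in the reply above can also be done offline; this is an added example, not code from the thread. It assumes the module's address range has been saved to a file (for instance with WinDbg's `.writemem`), and the sample bytes, vendor name and paths are constructed for illustration.

```python
import re
import sys

# Keys of a PE version resource; stored as UTF-16, each followed by its value.
VERSION_KEYS = {"CompanyName", "FileDescription", "ProductName",
                "OriginalFilename", "InternalName", "LegalCopyright"}

ASCII_RE = re.compile(rb"[\x20-\x7e]{5,}")            # ASCII runs, as "s -sa" finds
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")    # UTF-16 runs, as "s -su" finds

def extract_strings(data):
    """Return (offset, kind, text) for printable ASCII and UTF-16LE runs."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le"))
              for m in UTF16_RE.finditer(data)]
    return found

def owner_hints(data):
    """Pick out the strings most likely to name whoever built the image."""
    strings = extract_strings(data)
    hints = {}
    for _, kind, text in strings:
        if kind == "ascii" and text.lower().endswith(".pdb"):
            hints["pdb"] = text                        # build path from debug info
    wide = [s for s in strings if s[1] == "utf16"]
    for (off, _, key), (nxt_off, _, value) in zip(wide, wide[1:]):
        gap = nxt_off - (off + 2 * len(key))           # terminator plus padding
        if key in VERSION_KEYS and 0 < gap <= 8:
            hints[key] = value                         # value stored right after key
    return hints

def _w(text):
    """Encode text as a null-terminated UTF-16LE string."""
    return text.encode("utf-16-le") + b"\x00\x00"

# Constructed sample bytes (not from a real driver), simplified layout.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"d:\\build\\example\\objfre\\i386\\example.pdb\x00"
          + b"\x01\x00" + _w("CompanyName") + _w("Example Vendor Ltd")
          + b"\x01\x00" + _w("FileDescription") + _w("Example Filter Driver"))

if __name__ == "__main__":
    # Pass a file holding the saved module range; defaults to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, value in owner_hints(data).items():
        print(f"{name}: {value}")
```

A module that yields no version resource and no PDB path is itself worth noting, since most legitimately built drivers carry at least one of the two.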

Taed Wynnell wrote:

I have a system which has seen a bunch of crashes, all the same, that
seem to be due to “mmso.sys” in WinDbg. However, there’s no such file on
the system (or any other system) that I can find. But it is in the
module list and has a reasonable date and a path to the normal drivers
directory. Google turns up nothing.

Actually, Google turns up two reports of infected computers that include
an mmso.exe process where the associated file does not actually exist on
disk. The process identifies itself as “Microsoft Disk Manager”. It’s
possible you have a root kit infection.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.