background: Vista/Sp2; HP/desktop/2cpu; ZASS9
History: Computer runs otherwise normally, but Windows Explorer sometimes takes longer to run. I cleaned out unnecessary BHOs using ShellExView and Autoruns. The only ones still registered are those I need to run the computer normally. Right-click occasionally works fine, but at other times slows down a bit, 2x-3x normal. Never had an infection of any kind I know of since the last re-install.
Symptoms: Vista boots normally, but in SAFE MODE I saw spldr.sys code 24 as follows:
"Security Processor Loader Driver (spldr.sys)
This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Click 'Check for solutions' to send data about this device to Microsoft and to see if there is a solution available."
MD5 for spldr.sys is: 7aebdeef071fe28b0eef2cdd69102bff
spldr.sys (21048 bytes)
ver: 6.0.6001.16606
modified date: 1/19/2008 3:41am
FileAlyzer's analysis shows that disassembler's entry point is: 0x00001931
Now here is funky thing:
A while ago (7-10 days) I had run Gmer, which showed no issue,
RootkitRevealer showed Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-9digits-9digits-3832373041-1000\Console
HKU\S-1-5-21-9digits-9digits-3832373041-1000\Console\cmd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8digits-4digits-4digits-4digits-12digits}\DynamicInfo
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8digits-4digits-4digits-4digits-12digits}\AppName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\CertMapping
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WinRS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WinRS\CustomRemoteShell
RkUnHooker analysis indicated: !!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
My question to gurus and knowledgeable pupils alike -- what is going on with this? Microsoft has no issues, and Google shows few discussions, and one in particular talks of the same symptoms as I have (I think at the Vista64 or Vistahead forum).
Thanks to all who respond.
#1
Posted 02 September 2010 - 12:33 PM
#2
Posted 02 September 2010 - 12:42 PM
There are a lot of rootkits that are not malicious. Some anti-virus software uses rootkit-like behavior to try to keep malware from disabling their software. At least for a while, optical drive emulation software (such as Alcohol 120% and Daemon Tools) used rootkit-like behavior to hide their presence from copy protection in games.
As for the error in Safe Mode, it is not abnormal to see weird errors about drivers not loading in Safe Mode, because most drivers don't load when Windows starts in Safe Mode. This sounds like a false alarm to me, but you may want to check for MBR rootkits just to be sure.
Quote
For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
#3
Posted 02 September 2010 - 01:35 PM
Salute! GT500,
Thanks for the quick response. Great to know that some antiviruses act as rootkit emulators to prevent others from intruding.
I am not sure, but my firewall log shows I always get alerts originating from China 202.102.y.z, 218.x.y.z.-223.x.y.z, but now it is mainly from 187.15.122.z (veloxzone.com.br) and some from 203.129.y.z and 220.244.y.z (Australia). Nearly 90-95% of the log shows a variety of access alerts from China.
What does your firewall log look like?
I am aware that Chinese hackers are most active, but what are they trying to do with my IP address?
#4
Posted 02 September 2010 - 01:43 PM
VYCanisMajoris, on Sep 2 2010, 06:35 PM, said:
Salute! GT500,
Thanks for the quick response. Great to know that some antiviruses act as rootkit emulators to prevent others from intruding.
I am not sure, but my firewall log shows I always get alerts originating from China 202.102.y.z, 218.x.y.z.-223.x.y.z, but now it is mainly from 187.15.122.z (veloxzone.com.br) and some from 203.129.y.z and 220.244.y.z (Australia). Nearly 90-95% of the log shows a variety of access alerts from China.
What does your firewall log look like?
I am aware that Chinese hackers are most active, but what are they trying to do with my IP address?
If you are using Vista, could you verify why spldr.sys shows an error in SAFE MODE:
Device Manager > VIEW > Show Hidden Devices | Non-Plug and Play Drivers.
I thought that spldr.sys is a Security Processor Loader Driver which should run regardless of SAFE or NORMAL mode, since it allows one to log on.
Yesterday was the first time I noticed this error.
I hope others can contribute to what is going on.
Thanks again for your insightful feedback.
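The Safe Mode question above can be checked directly rather than by guesswork. The following is an added example, not code from the thread or from any of the tools mentioned in it: it assumes PowerShell 2.0 or later run as Administrator, that the driver file lives at System32\drivers\spldr.sys (an assumption), and uses the MD5 the original poster reported as the expected value. It reports the driver's start type, whether it is listed in the SafeBoot profiles Windows uses to decide what loads in Safe Mode, and the file's hash and Authenticode status.

```powershell
# Added example (not from the thread): defender-side check for a Non-Plug and Play
# driver that shows Code 24 in Safe Mode. Assumes PowerShell 2.0+ run as Administrator.
# The driver name 'spldr' is the one the thread discusses; the expected MD5 is the
# value the original poster reported; the file location is an assumption.
param(
    [string]$DriverName  = 'spldr',
    [string]$ExpectedMd5 = '7aebdeef071fe28b0eef2cdd69102bff'
)

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
$driver = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if (-not $driver) { Write-Warning "No service entry for $DriverName"; return }

# Start type 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled
"Start type : $($driver.Start)"
"ImagePath  : $($driver.ImagePath)"

# Safe Mode loads only drivers/services listed under SafeBoot\Minimal (or \Network
# for Safe Mode with Networking). A driver absent from both lists does not load in
# Safe Mode, so Device Manager reports Code 24 there even though it is healthy in a
# normal boot; that is the "false alarm" case rather than a sign of tampering.
foreach ($profile in 'Minimal', 'Network') {
    $listed = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile\$DriverName"
    "SafeBoot\$profile lists ${DriverName}: $listed"
}

# Verify the on-disk file's hash against the value reported in the thread.
$path = Join-Path $env:SystemRoot "System32\drivers\$DriverName.sys"
if (-not (Test-Path $path)) { Write-Warning "File not found: $path"; return }

$md5    = [System.Security.Cryptography.MD5]::Create()
$stream = [System.IO.File]::OpenRead($path)
try {
    $hash = ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
} finally { $stream.Close() }
"MD5        : $hash (matches reported value: $($hash -eq $ExpectedMd5.ToLower()))"

# Embedded Authenticode check. Caveat: many in-box Windows drivers are signed via a
# security catalog rather than an embedded signature, so 'NotSigned' here is not by
# itself suspicious; a catalog-aware tool (e.g. Sysinternals sigcheck) settles that.
$sig = Get-AuthenticodeSignature -FilePath $path
"Signature  : $($sig.Status) ($($sig.SignerCertificate.Subject))"
```

A hash that matches the reported value together with the driver missing from both SafeBoot lists is consistent with the explanation in post #2; a mismatching hash or an unexpected ImagePath is what would justify the one-on-one removal help offered later in the thread.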
#5
Posted 02 September 2010 - 02:30 PM
It is possible that there is an infection, and maybe an MBR rootkit. Do you connect to the Internet through a router?
Quote
For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
#6
Posted 02 September 2010 - 03:19 PM
Hello, and welcome to Malwarebytes.org
Someone will work with you one on one to assist you in the forum below. This forum here is not for detection and removal and only general information.
Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.
One of the expert helpers there will give you one-on-one assistance when one becomes available.
After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.
Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org