Sign in to follow this  
Followers 0
VYCanisMajoris

** Urgent!! spldr.sys code 24

6 posts in this topic

background: Vista/Sp2; HP/desktop/2cpu; ZASS9

History: Computer runs otherwise normal, but WinExplorer some times takes longer to run. I cleaned out unnecessary BHO using ShellExView and Autoruns. Only ones that are registered I need to run computer normally. Right-click occassionally works fine, but other times slows down a bit 2x - 3x time normal. Never had infection of any kind I know of since last re-install.

Symptoms: Vista boots normally, but in SAFE MODE I saw spldr.sys code 24 as follows:

"Security Processor Loader Driver (spldr.sys)

This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)

Click 'Check for solutions' to send data about this device to Microsoft and to see if there is a solution available."

MD5 for spldr.sys is: 7aebdeef071fe28b0eef2cdd69102bff

spldr.sys (21048 bytes)

ver: 6.0.6001.16606

modified date: 1/19/2008 3:41am

FileAlyzer's analysis shows that disassembler's entry point is: 0x00001931

Now here is funky thing:

A while ago (7-10days) I had run Gmer showed no issue,

RootkitRevealer showed Data mismatch between Windows API and raw hive data.

HKU\S-1-5-21-9digits-9digits-3832373041-1000\Console

HKU\S-1-5-21-9digits-9digits-3832373041-1000\Console\cmd.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8digits-4digits-4digits-4digits-12digits}\DynamicInfo

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8digits-4digits-4digits-4digits-12digits}\AppName

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\CertMapping

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WinRS

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WinRS\CustomRemoteShell

RkUnHooker analysis indicated: !!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

My question to gurus and knowledgeable pupils alike -- what is going on with this. Microsoft has no issues, and GoogLE shows few discussions, and one in particularly talks of same symptoms as I have (I think at Vista64 or Vistahead forum).

Thanks to all repondre.

Share this post


Link to post
Share on other sites

There are a lot of rootkits that are not malicious. Some anti-virus softwares use rootkit-like behavior to try to keep malware from disabling their software. At least for a while, optical drive emulation software (such as Alcohol 120% and Daemon Tools) used rootkit-like behavior to hide their presence from copy protection in games.

As for the error in Safe Mode, it is not abnormal to see weird errors about drivers not loading in Safe Mode, because most drivers don't load when Windows starts in Safe Mode. This sounds like a false alarm to me, but you may want to check for MBR rootkits just to be sure. ;)

Share this post


Link to post
Share on other sites

Salute! GT500,

Thanks for quick response. Great to know that some antiviruses act as rootkit emulator to prevent others to intrude.

I am not sure, but my firewall log show I always get alerts originating from China 202.102.y.z, 218.x.y.z.-223.x.y.z, but now it is mainly from 187.15.122.z (veloxzone.com.br) and some from 203.129.y.z and 220.244.y.z (australia). Nearly 90-95% of log show variety of access alerts from China.

How does your firewall log looks like?

I am aware that Chinese hackers are most active, but what are they trying to do with my ip address.

Share this post


Link to post
Share on other sites
Salute! GT500,

Thanks for quick response. Great to know that some antiviruses act as rootkit emulator to prevent others to intrude.

I am not sure, but my firewall log show I always get alerts originating from China 202.102.y.z, 218.x.y.z.-223.x.y.z, but now it is mainly from 187.15.122.z (veloxzone.com.br) and some from 203.129.y.z and 220.244.y.z (australia). Nearly 90-95% of log show variety of access alerts from China.

How does your firewall log looks like?

I am aware that Chinese hackers are most active, but what are they trying to do with my ip address.

If you are using Vista, could you verify why spldr.sys shows error in SAFE MODE:

Device Manager > VIEW > Show Hidden Devices | Non-plug and Play Drivers.

I thought that spldr.sys is a Security Processor Loader Driver which should run regardless of SAFE or NORMAL mode, since it allows one to log.

Yesterday was the first time I notice this error.

I hope others can contribute to what is going on.

Thanks again for your insightful feedback.

Share this post


Link to post
Share on other sites

It is possible that there is an infection, and maybe an MBR rootkit. Do you connect to the Internet through a router?

Share this post


Link to post
Share on other sites

Hello , and welcome to Malwarebytes.org

Someone will work with you one on one to assist you in the forum below. This forum here is not for detection and removal and only general information.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someon has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.