Posted 28 March 2009 - 10:47 PM
I have been experiencing this phenomenon for quite a time, like in terms of years.
Recently, I had a lot of BSODs and explorer crashes, and my network driver keeps getting uninstalled automatically.
So I ran a lot of antivirus, antispyware, malware removers etc.
As of posting this, I am using ESET Smart Security 4.
Found a lot of malware and quarantined it.
But explorer still keeps getting killed from time to time.
The problem is, after I run Autoruns from Sysinternals,
I always find 2 randomly named .sys files in the Drivers section of Autoruns.
It seems like the names of both files always start with 'a', followed by 8 random characters.
Like I said, I have been seeing this phenomenon for some years.
I just formatted my HDD and reinstalled Windows whenever I saw this before.
But this time, I thought it must be a real badass rootkit and ran F-Secure BlackLight, IceSword, GMER, RootRepeal, even ComboFix,
after much research and reading through a lot of forum posts all over the net.
GMER showed these randomly named files but didn't give me an alert.
BlackLight didn't show anything.
ComboFix fixed some of my files but not the named files.
Then when I ran IceSword, in the SSDT section, a lot of entries are in red and one of them is the file you mentioned, ssXX.sys.
The XX part keeps changing after each reboot.
There is another fishy entry in the SSDT section, an Unknown entry that keeps working in the SSDT section.
The rest of the SSDT entries are OK.
I searched for that ssXX.sys in Autoruns, but can't find it.
Can't find any of those mentioned .sys files in system32\drivers even though they are listed to exist in that folder in Autoruns.
RootRepeal also showed the same ssXX.sys file entries.
I also have both Alcohol 120% and Daemon Tools installed on my box.
And whenever I tried to get into safe mode, I was asked 'Press any key to stop loading sptd.sys'.
I don't know if it's relevant or not though.
One last thing is, in Process Explorer from Sysinternals, when I checked the explorer entry, it seems like it was started by imapi.exe. So I killed explorer from Task Manager, and I found that it was restarted by imapi.exe, and
also in IceSword, I found that in the process creation section, there were some entries about imapi.exe.
I am just a user. Not a technician.
So, I can't fully comprehend the significance of my findings.
Like you, I have the logs from different antirootkit products.
One real last thing is, whenever I installed SUPERAntiSpyware, it installed alright, but then couldn't update and, worse,
after the reboot required by the installation, I lost my network drivers somehow.
It seems to be a DNS problem; in the network icon - Status - Connection Status tab, everything is blank,
and when I clicked Repair, it showed "TCP/IP settings cannot be retrieved" or something like that.
Strangely, if I uninstall SUPERAntiSpyware, everything goes back to normal.
By now, explorer seems more stable than before, rarely crashing, but it still happens.
I hope that it's just a hardware issue rather than any trojan, virus or rootkit, because in the Event Viewer page,
I have a lot of IPNAT errors.
Anyway, I searched all through the internet and found only you have similar problems.
I also found that entry you talked about from a guy in OSAM, during my research.
But as I was more afraid of rootkits back then, I didn't take it seriously.
Now, the only seeming problems apparent to me are these driver .sys files.
I will rename that sptd.sys now.
And hopefully, I can come back and post the results.
Please keep your fingers crossed for me.
Thanks for your kind efforts to present your findings.
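Added example, not from the post or from any of the tools it names: a cross-check of the two observations the poster describes, driver names of the form 'a' plus 8 random characters, and drivers that Autoruns lists from the registry but that do not show up in system32\drivers. The driver list and directory listing here are constructed sample data; on a real machine they would come from the Autoruns Drivers tab and a directory listing of the drivers folder.

```python
import re
from typing import Dict, List, Set

# Constructed sample of driver registrations as the Autoruns Drivers tab reports
# them (service name -> image path from the registry). Not data from a real system.
REGISTERED_DRIVERS: Dict[str, str] = {
    "tcpip":     r"C:\WINDOWS\system32\drivers\tcpip.sys",
    "sptd":      r"C:\WINDOWS\system32\drivers\sptd.sys",
    "a7kq2m9xb": r"C:\WINDOWS\system32\drivers\a7kq2m9xb.sys",
    "awz31pq0e": r"C:\WINDOWS\system32\drivers\awz31pq0e.sys",
}

# Constructed directory listing of what the OS actually shows in system32\drivers.
VISIBLE_FILES: Set[str] = {"tcpip.sys", "sptd.sys"}

# Naming scheme described in the post: 'a' followed by 8 random characters.
RANDOM_NAME = re.compile(r"^a[a-z0-9]{8}\.sys$", re.IGNORECASE)


def find_suspicious_drivers(registered: Dict[str, str], visible: Set[str]) -> List[dict]:
    """Return one record per registered driver, with the reasons it looks suspicious.

    A random-looking name alone is only a hint; a driver that is registered but
    not visible on disk is the stronger indicator, since a legitimate stale
    entry would normally fail to load rather than keep reappearing.
    """
    visible_lower = {name.lower() for name in visible}
    findings = []
    for service, image_path in registered.items():
        file_name = image_path.rsplit("\\", 1)[-1]
        reasons = []
        if RANDOM_NAME.match(file_name):
            reasons.append("random-looking name")
        if file_name.lower() not in visible_lower:
            reasons.append("registered but not visible on disk")
        if reasons:
            findings.append({"service": service, "file": file_name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_drivers(REGISTERED_DRIVERS, VISIBLE_FILES):
        print(f"{finding['service']:<12} {finding['file']:<16} {', '.join(finding['reasons'])}")
```

Note that sptd.sys, the Alcohol 120% / Daemon Tools driver the poster mentions, is neither random-named nor hidden in this sample and is therefore not flagged.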