
Rootkit? Hidden driver changes name each reboot!


This topic is locked.
10 replies to this topic

#1 dcmdcm (Members, 5 posts)

Posted 31 December 2011 - 11:04 PM

I'm thinking I might have a rootkit:
1) Explorer slow.
2) Possibly coincidence (other systems are on net), but I see router activity when using Explorer.
3) A hidden driver has a name spxx.sys, where xx changes each reboot. Is it from AlcoholSoft?

All of these have gone on a while. AV and malware scans show nothing unusual except on files that I expect alerts on. (Some tools loaded on the system generate alerts but are in fact OK).

Attached Files

  • DDS.txt (35.92KB, 6 downloads)
  • gmer.log (44.95KB, 3 downloads)



#2 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts)

Posted 06 January 2012 - 11:55 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is version, edition and whether it is a 32-bit or a 64-bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 dcmdcm (Topic Starter)

Posted 06 January 2012 - 10:20 PM

I looked over the logs. Seems there's a lot of old cruft in there that should have been cleaned by an uninstaller.
Maybe after this, I'll spend a couple hours cleaning. Or I can just buy a faster processor :-)

Do you have any docs on this program so I can use it to see other stuff?


#4 myrti

Posted 06 January 2012 - 11:26 PM

Hi,

first things first: yes, spxx.sys is from AlcoholSoft or DAEMON Tools. More precisely it's part of SPTD, which is used by both to simulate the virtual drives. You'll need to delete sptd manually as it's not usually uninstalled when you uninstall either of the two aforementioned programs.

then regarding your question about OTL: There's actually a tutorial at geekstogo that is very worth reading: http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/

Finally I do not see indication for malware in your logs, but you are sure running a lot of things. :)

regards myrti

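myrti identifies spxx.sys as the SPTD storage filter that ships with Alcohol 120% and DAEMON Tools. The following PowerShell is an added example, not from this thread, from BleepingComputer or from the SPTD vendor: it reads how the driver is registered, finds the on-disk file, and reports its Authenticode signer and SHA-256 hash so a user can confirm the file matches what the vendor ships rather than something borrowing the name. Assumptions, not stated on the page: the service key is `sptd` under CurrentControlSet\Services, the file defaults to System32\Drivers\sptd.sys, and the function name Get-SptdDriverStatus is mine.

```powershell
# Added example (not the thread's own instructions): report how the SPTD driver is
# registered and whether its on-disk file carries a valid signature.
# Assumed names: service key "sptd", default file System32\Drivers\sptd.sys.
function Get-SptdDriverStatus {
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\sptd'
    $result = New-Object PSObject -Property @{
        ServiceRegistered = $false
        StartType         = $null   # 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled
        ImagePath         = $null
        DriverFile        = $null
        FileExists        = $false
        SignatureStatus   = $null   # Valid / NotSigned / HashMismatch / ...
        Signer            = $null
        Sha256            = $null
    }

    if (Test-Path -Path $svcKey) {
        $svc = Get-ItemProperty -Path $svcKey
        $result.ServiceRegistered = $true
        $result.StartType = $svc.Start
        $result.ImagePath = $svc.ImagePath
    }

    # Resolve the driver file: prefer the registered ImagePath, fall back to the default location.
    $driverFile = Join-Path $env:SystemRoot 'System32\Drivers\sptd.sys'
    if ($result.ImagePath) {
        $candidate = $result.ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [IO.Path]::IsPathRooted($candidate)) {
            $candidate = Join-Path $env:SystemRoot $candidate
        }
        if (Test-Path -LiteralPath $candidate) { $driverFile = $candidate }
    }
    $result.DriverFile = $driverFile

    if (Test-Path -LiteralPath $driverFile) {
        $result.FileExists = $true
        $sig = Get-AuthenticodeSignature -FilePath $driverFile
        $result.SignatureStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

        # SHA-256 via .NET so this also runs on PowerShell 2 (no Get-FileHash there).
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $stream = [IO.File]::OpenRead($driverFile)
        try {
            $result.Sha256 = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally {
            $stream.Close()
        }
    }
    return $result
}

Get-SptdDriverStatus | Format-List ServiceRegistered, StartType, ImagePath, DriverFile, FileExists, SignatureStatus, Signer, Sha256
```

A boot-start (StartType 0) entry pointing at a signed sptd.sys whose hash matches a fresh copy from the vendor's installer is the expected picture for an Alcohol 120% or DAEMON Tools machine. An unsigned file, a signer that is not the SPTD vendor, or a hash that does not match the vendor's copy is the case worth escalating rather than explaining away as "just SPTD".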


#5 dcmdcm (Topic Starter)

Posted 07 January 2012 - 01:01 AM

OK, thanks for checking it out. I need to have SPTD there because I do still use Alcohol 120% sometimes (but not as often as I used to). Thanks for the documentation tips, I'll check it out.

Explorer is really slow, though: when running "C:\WINDOWS\explorer.exe /n, /e, /select, c:\" from quick links, it takes about 8 seconds before clicking on a drive letter in the folders column on the left produces any response on the right side; Explorer is busy all that time preparing the first display. Further navigation to subdirectories takes usually about 3-5 seconds each time. Clicking on "My computer" in history (the first entry) takes again about 3-5 seconds. What it's doing all that time, I don't know. This happens on both local and "remote" [CIFS] drives. I've used Linux on this same machine to test the remote speed, and it's much faster -- it's not anything else on the network, it's Windows on this machine.

Is there any way I can figure out what's happening? I have Resplendence Multimon, but I don't know enough about Windows internal events to effectively set it up to get the right information. I've tried it in the past, and I've seen a lot of events, but as I said, I don't know enough. Logging everything in the universe just wouldn't be helpful, there's way too much output.

Do you have any suggestions? (No, reinstall isn't an option, there's way too much historical stuff that I'd lose. I'm scared of even a repair reinstall; the applications would be OK but all other settings would be hosed).
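
dcmdcm asks how to work out where Explorer spends its time. One first cut, as an added PowerShell example that is not part of the thread, is to time raw directory enumeration outside Explorer on the same local and CIFS paths: if enumeration is fast but Explorer still takes seconds, the delay lives in the shell (extensions, network lookups, icon handlers), not in the disk or the share. The function name Measure-DirectoryEnumeration and the sample paths are mine; the UNC path is a constructed placeholder.

```powershell
# Added example (not from the thread): time directory enumeration twice per path, so a
# cold-cache cost can be told apart from a persistent I/O or shell problem.
function Measure-DirectoryEnumeration {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Skipping $p (not reachable)"
            continue
        }
        $times = @()
        $entries = 0
        # Pass 1 pays any disk or network cost; pass 2 mostly hits the cache.
        #   both slow              -> I/O path (disk, SMB, name resolution) is the bottleneck
        #   only pass 1 slow       -> cold cache, normal
        #   both fast, Explorer slow -> look at the shell, not the filesystem
        for ($i = 0; $i -lt 2; $i++) {
            $sw = [Diagnostics.Stopwatch]::StartNew()
            $items = @(Get-ChildItem -LiteralPath $p -Force -ErrorAction SilentlyContinue)
            $sw.Stop()
            $times += [int]$sw.Elapsed.TotalMilliseconds
            $entries = $items.Count
        }
        New-Object PSObject -Property @{
            Path    = $p
            Entries = $entries
            ColdMs  = $times[0]
            WarmMs  = $times[1]
        }
    }
}

# Constructed sample input: a local drive root and a placeholder UNC share. Replace with real paths.
Measure-DirectoryEnumeration -Paths 'C:\', '\\fileserver\share' |
    Format-Table Path, Entries, ColdMs, WarmMs -AutoSize
```

Run it against the same C:\ and CIFS locations that are slow in Explorer. The thread's own Linux comparison already rules out the network, so the interesting outcome here is "both passes fast" on Windows as well, which points squarely at what Explorer loads on top of the filesystem.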

#6 myrti

Posted 07 January 2012 - 07:18 AM

Hi,

you could have a look at this: http://support.microsoft.com/?kbid=819017 See if that helps.

It's possible that explorer tries to access shared folders/network printers etc when you open it?

regards myrti



#7 dcmdcm (Topic Starter)

Posted 09 January 2012 - 12:37 AM

WOW! Thanks for finding that KB article. I've tried to look up possible solutions, but anything I found wasn't quite applicable or was in high-noise forums that were painful to wade through -- and then didn't have what I needed anyway. You know how it is if you don't ask the right query, you just don't quite find what you need.

If you remember what you searched for (what string) and where you searched (ms kb, google), that would help me be more effective in the future.

Turns out that the WIA service was running, so I stopped and disabled it. This improved the initial start-up slightly but noticeably, and subsequent directory navigation on a disk sped up quite a bit more, maybe 50%. Accesses to SAMBA shared drives sped up very much, more than to local drives. The speed still seems to depend on some other factor that I haven't figured out yet. It's not necessarily the number of entries in the directory. (I run a continuous defragger that operates when the system is idle. It's at low priority anyway. So I think that the directory structure should be reasonably clean, with not too many unused/deleted entries. No, I don't think the defrag is getting in the way, but I could turn it off just to see what happens).

There are no shared remote printers (but the local USB printer is shared to others).

Your advice was very valuable, thanks!
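
dcmdcm stopped and disabled the WIA service by hand. The PowerShell below is an added example, not from the thread or from Microsoft's KB article, that does the same change in a checked and reversible way: it reports the service's state and start mode, refuses to disable it while another running service still depends on it, and provides the step that puts it back to Manual before a scanner or camera is needed. Assumed, not stated on the page: the WIA service's short name is `stisvc`; the function names are mine. Stopping or reconfiguring a service needs an elevated (administrator) session.

```powershell
# Added example (not the thread's own steps): inspect, disable and restore the
# Windows Image Acquisition service. Assumed service short name: stisvc.
function Get-WiaServiceReport {
    $svc = Get-Service -Name stisvc -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='stisvc'"
    New-Object PSObject -Property @{
        Name              = $svc.Name
        DisplayName       = $svc.DisplayName
        Status            = $svc.Status.ToString()
        StartMode         = $wmi.StartMode
        DependentServices = ($svc.DependentServices | ForEach-Object { $_.Name }) -join ', '
    }
}

function Set-WiaServiceDisabled {
    # Do not pull the service out from under anything that is still using it.
    $svc = Get-Service -Name stisvc -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning 'WIA service (stisvc) not found'; return }
    $running = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
    if ($running.Count -gt 0) {
        $names = ($running | ForEach-Object { $_.Name }) -join ', '
        Write-Warning "Not disabling stisvc: running dependents: $names"
        return
    }
    if ($svc.Status -eq 'Running') { Stop-Service -Name stisvc }
    Set-Service -Name stisvc -StartupType Disabled
}

function Set-WiaServiceManual {
    # Reverse the change so a scanner or camera can start WIA on demand again.
    Set-Service -Name stisvc -StartupType Manual
}

Get-WiaServiceReport | Format-List Name, DisplayName, Status, StartMode, DependentServices
```

Take the report before and after the change so the two states are on record; Set-WiaServiceManual is the undo if imaging devices stop working later.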

#8 myrti

Posted 09 January 2012 - 09:34 AM

Hi,

My first search simply contained "explorer slow", which, as you likely know, did not lead to much success. I then went ahead and added "my computer" to the search. The first hit then is: link, where the first two replies come from MVPs (Microsoft Most Valued Professional; this is a programme where MS rewards the most active and knowledgeable people in special areas around Microsoft's products, here Windows XP) suggesting the link I gave you.

MVPs are usually a reliable source for good information. Their suggestions have a high probability of working.

regards myrti

Edited by myrti, 09 January 2012 - 03:33 PM.



#9 dcmdcm (Topic Starter)

Posted 09 January 2012 - 01:02 PM

Thanks for the reply. I've noticed the "MVP phenomenon" in the past, and I'm always happy when I see those responses, since they're more likely to be helpful.

Again, thanks for working this issue with me.

#10 myrti

Posted 09 January 2012 - 03:34 PM

Hi,

happy to hear things have been resolved. To remove the tools we used, just open up OTL and click on the cleanup button.
Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at the HostsMan hosts file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:
Have a nice day
myrti

Edited by myrti, 09 January 2012 - 03:34 PM.



#11 myrti

Posted 17 January 2012 - 10:36 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
