Need help with what I think is a rootkit

Hello, I’ll try to make this as short as possible.
Tried to run a script requiring that port 80 is not used. It didn’t work, so I checked in TCPView and found System:4 using it. Through Process Explorer I found “spjr.sys”; the only reference I could find to that file is that it is suspected of being a rootkit. I have no such file on the computer, and can’t kill it through Process Explorer.

Tried GMER and RootRepeal plus a few others, but none of them work on W7 x64 Ultimate. Suggestions on what I do from here? Malware finds nothing, HijackThis shows nothing out of the ordinary, Avira finds nothing and Comodo shows no traffic and can’t kill the connection.

All help is greatly appreciated.

Sophos Anti-Rootkit says that it supports the 64-bit version of Windows 7:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

You can download it from here if you don’t want to fill out the form:

I’d also give Autoruns a try:

Once you’ve started it, click the Drivers-tab, and find the entry for spjr.sys. If found, you should be able to delete it.

Cheers, finished the run with Sophos and here is the result:

If that is inconclusive I’ll try Autoruns :slight_smile:

The only thing that I can think of on how to find the rootkit, if there is one, is to make a bootable antimalware disk. It runs a version of Windows in RAM and doesn’t even load the hard drive, so if anything is found it can be removed with ease. Here is a tutorial on how to make the disk:

There are multiple parts.
Hope this helps.

All entries look legit. I was a bit unsure about ChipsetRUS.dll, but it seems to be related to Intel.

Gave Autoruns a try. That list is huge to say the least, but if anyone has the time and will to check it out, the file (5.83 MB, read through Autoruns) can be downloaded here:
http://www.megafileupload.com/en/file/215614/AutoRuns-arn.html

I tried looking through it myself, but it is hard when you really don’t know what you are looking for.

Cheers for the suggestion wasgij6, if Autoruns come up negative as well I’ll give it a try.

can you upload it to
www.megaupload.com instead of the KNOCK-OFF site :slight_smile: I don’t think any smart person would click on that. If I was a “MOD” I would have deleted that link.

I’m not even a big fan of megaupload. I prefer to use http://ifile.it/

Really though I’d like to hear the results of Comodo Cloud Scanner and Hitman Pro. If I’m not wrong these should also be able to detect suspicious activity, although they may not be able to locate the source if it is protected by a rootkit. They’re both quick, so why not.

They're both quick, so why not.
Good point :-TU

Do you have Daemon Tools or similar emulation software installed?

DT installs a driver called sptd.sys in system32 but loads 2 kernel modules: sptd.sys and one with an sp**.sys name (** = 2 random letters).

The second one with the random name is created at boot as a kernel module; there is no actual file on the HDD.

If “spjr.sys” is replaced after a reboot with another file with a random name “sp**.sys”, it’s surely from DT.

I bow down to your wisdom. You are absolutely correct, it is now named spqd.sys. Thank you, you surely saved me a lot of work!
Now for how to figure out which thread is listening on port 80 :-TU
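An added example, not code from any poster in this thread: a PowerShell script that does the two checks the thread ends on, finding which PID holds TCP port 80 (PID 4 means a kernel driver) and listing the sp??.sys kernel modules loaded in the System process, flagging whether each has a file on disk and whether its name changed since the last run, which is the Daemon Tools tell described above. It assumes an elevated PowerShell on Windows 7 or later, English netstat output, and a state file path of my own choosing.

```powershell
# Added example for this thread, not any poster's code. Assumes an elevated PowerShell
# (Windows 7 or later) and English netstat output; the state file path is a hypothetical choice.
param(
    [int]$Port = 80,
    [string]$StateFile = (Join-Path $env:TEMP 'sp-drivers-lastboot.txt')
)

# 1. Which PID owns the listener? PID 4 is the System process: a kernel driver holds the port.
function Get-ListeningPid([int]$Port) {
    $pids = @()
    foreach ($line in (netstat -ano -p TCP)) {
        if ($line -match ('^\s*TCP\s+\S+:{0}\s+\S+\s+LISTENING\s+(\d+)\s*$' -f $Port)) {
            $pids += [int]$Matches[1]
        }
    }
    $pids | Select-Object -Unique
}

# 2. Kernel modules loaded in PID 4 (the list Process Explorer shows for System), filtered to
#    "sp" + two characters + ".sys", the naming the thread attributes to Daemon Tools' helper.
function Get-SpDriver {
    (Get-Process -Id 4).Modules |
        Where-Object { $_.ModuleName -match '^sp[a-z0-9]{2}\.sys$' } |
        ForEach-Object {
            # Driver paths come back NT-style (\SystemRoot\..., \??\C:\...); map them for Test-Path.
            $p = $_.FileName -replace '^\\SystemRoot', $env:SystemRoot
            $p = $p -replace '^\\\?\?\\', ''
            $onDisk = if ($p) { Test-Path -LiteralPath $p } else { $false }
            New-Object PSObject -Property @{ Module = $_.ModuleName; Path = $p; OnDisk = $onDisk }
        }
}

"TCP/$Port is held by PID(s): " + ((Get-ListeningPid $Port) -join ', ')
$drivers = @(Get-SpDriver)
$drivers | Format-Table Module, OnDisk, Path -AutoSize

# 3. The tell from the thread: an sp??.sys module with no file on disk whose name changes
#    between boots. Keep the names from the last run and report what moved.
$now = @($drivers | ForEach-Object { $_.Module })
if (Test-Path -LiteralPath $StateFile) {
    $before = @(Get-Content -LiteralPath $StateFile)
    $before | Where-Object { $now -notcontains $_ } | ForEach-Object { "gone since last run: $_" }
    $now | Where-Object { $before -notcontains $_ } | ForEach-Object { "new this run:        $_" }
}
$now | Set-Content -LiteralPath $StateFile
```

Run it once, reboot, and run it again: a Daemon Tools helper shows up as one sp??.sys entry with OnDisk False that is reported gone and replaced by a new name. When PID 4 holds port 80 the listener is usually http.sys, and `netsh http show servicestate` lists the URLs it is serving and for which process.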