What's this?

Discussion in 'malware problems & news' started by ellison64, May 8, 2011.

Thread Status:
Not open for further replies.
  1. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Just installed and ran sanity check
    https://www.wilderssecurity.com/showthread.php?t=298752
    on a Windows 7 64-bit system, and am getting strange results that maybe experts here can explain. Every time I run SanityCheck it mentions a different .sys file that may be malicious but isn't there any more. Indeed, when I look for the file that is mentioned, it's not there. Anyone know what this is all about? I have performed other checks and don't believe that I have an infection, but I can't understand these results from SanityCheck, and a Google search doesn't help.
    tia
    ellison

    ...................................................................................................
    Analyzing your system ...

    Some driver entry points are being hijacked by other modules



    Module spys.sys is overwriting one or more dispatch entry points of other drivers running in the system. This controversial technique could be the work of malware running in the system but it could also be the work of legitimate software.

    Information about the responsible module spys.sys:

    file path: C:\Windows\system32\drivers\spys.sys
    This file is no longer available. We suggest you try to find this file in another location on your hard disk.
    Click here to do a Google search on spys.sys


    ......................................................................................................



    Analyzing your system ...

    Some driver entry points are being hijacked by other modules



    Module spgu.sys is overwriting one or more dispatch entry points of other drivers running in the system. This controversial technique could be the work of malware running in the system but it could also be the work of legitimate software.

    Information about the responsible module spgu.sys:

    file path: C:\Windows\system32\drivers\spgu.sys
    This file is no longer available. We suggest you try to find this file in another location on your hard disk.
    Click here to do a Google search on spgu.sys


    .......................................................................................................


    Analyzing your system ...

    Some driver entry points are being hijacked by other modules



    Module spgi.sys is overwriting one or more dispatch entry points of other drivers running in the system. This controversial technique could be the work of malware running in the system but it could also be the work of legitimate software.

    Information about the responsible module spgi.sys:

    file path: C:\Windows\system32\drivers\spgi.sys
    This file is no longer available. We suggest you try to find this file in another location on your hard disk.
    Click here to do a Google search on spgi.sys

    .......................................................................................................


    Analyzing your system ...

    Some driver entry points are being hijacked by other modules



    Module spuw.sys is overwriting one or more dispatch entry points of other drivers running in the system. This controversial technique could be the work of malware running in the system but it could also be the work of legitimate software.

    Information about the responsible module spuw.sys:

    file path: C:\Windows\system32\drivers\spuw.sys
    This file is no longer available. We suggest you try to find this file in another location on your hard disk.
    Click here to do a Google search on spuw.sys

    ......................................................................................................
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Unless it is some error in SanityCheck, from the Google search those .sys files could be malware related. What did you use to check your comp for malware?
     
  3. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I've checked with Norton Power Eraser (with rootkit option enabled) and Hitman Pro; I already have MBAM Pro and that doesn't find anything, neither does the Avast boot scan. However, ComboFix deleted a few files and folders......
    .................................................................................................
    ADS - Windows: deleted 24 bytes in 1 streams.
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\ntuser.dat
    c:\users\Michael\AppData\Roaming\EurekaLog
    c:\users\Michael\AppData\Roaming\EurekaLog\EurekaLog.ini
    c:\users\Michael\AppData\Roaming\inst.exe
    c:\windows\jestertb.dll
    c:\windows\system32\User
    c:\windows\XSxS
    ...................................................................................................

    When I run SanityCheck again I still get a weird file name that isn't there, so I'm not sure what to try next or whether it's a SanityCheck problem....
    .....................................................................................................

    Some driver entry points are being hijacked by other modules



    Module spyg.sys is overwriting one or more dispatch entry points of other drivers running in the system. This controversial technique could be the work of malware running in the system but it could also be the work of legitimate software.

    Information about the responsible module spyg.sys:

    file path: C:\Windows\system32\drivers\spyg.sys
    This file is no longer available. We suggest you try to find this file in another location on your hard disk.
    Click here to do a Google search on spyg.sys
    ................................................................................................

    ellison
     
  4. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I've just run GMER, which shows two rootkit/malware entries. However, I can't delete them from within GMER or from safe mode. I also navigated to the entries in Registry Workshop and noticed that the alleged malware folder is in red (I don't know what that means). I cannot delete the folder or entries even in safe mode. Anyone have any suggestions?
    ellison
     


  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
  6. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Hmm, I might just post at the Malwarebytes site that you gave the link to. I've also scanned with Dr.Web CureIt, which shows nothing, and Prevx 3 also shows nothing. I'm still a little concerned that SanityCheck is still showing files that are possibly malicious but can't be found on my system.
    thanks for the links
    ellison
     
  7. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    Looks like typical Alcohol/Daemon tools detection.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Best way to find a rootkit (and other hidden malware) is to use an AV Live CD.
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I agree, it does "look" like it & ellison64 must know if he has it ;)
     
  10. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    What is Alcohol/Daemon Tools detection? I have no idea what that means or if I have it?
    ellison
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
  12. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    After reading the Wikipedia link I can categorically say that I don't have any Daemon Tools installed. To top it all, I've just found out that GMER apparently doesn't work on 64-bit, which is what I have, so perhaps the results are screwy in the screenshot I previously posted. Well, I've scanned with everything I can think of, although I've only scanned with Avast from boot. All other scans have been from Windows.
    ellison
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
  14. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Avast Anti-Rootkit found a hidden registry entry in a hidden registry folder

    ...................................................................................

    Code:
    avast! Antirootkit, version 0.9.6
    Scan started: 09 May 2011 20:32:50
    
    Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]  **HIDDEN**
    
    Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System] OOCC7.00.00.01PROSTATION="9C50459E6F178054487323EDF8FB1014B8235C004B1FB48077C05A64527AB498805D4C70EBCC5CDE9EB5292A3F7CD0DB4E7FD1EF324F6FFEB30636FD6367C2BE2495933FBC200316BB363BE98BAEAB4D7F3F70F236169A0E9BA9D14F74ECC453A3C5D20024F0F6176BB1C8F821ED2CE76C28014B39ED6935BE9FEFAAA741B6801E2FE83C25D21E517DD3E8B3844B3F80B4F673CAE10471CBAF4F797A6450774636075510088DBF09C9BF568D7D0A38BF005ADA5899B93082049479FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C5D575E7D6A3B98088EDD5E5BE2F6E"  **HIDDEN**
    
    Scan finished: 09 May 2011 20:39:31
    Hidden files found: 0
    Hidden registry items found: 2
    Hidden processes found: 0
    Hidden services found: 0
    Hidden boot sectors found: 0
    ----------

    When I navigate to the "hidden" System folder with Registry Workshop, I can see the System folder, but noticed that although the System folder is highlighted, it won't show in the address bar at the top, and also it can't be deleted because it can't be found. I'm not sure what this can be. By the way, does anyone know whether the Avast standalone Anti-Rootkit is the same as the anti-rootkit module in AIS, or is it enhanced in some way?
    ellison
    P.S
    I word-wrapped the entry above so that it wouldn't go across the page, however when I actually submit the reply it gets unwrapped??
     
    Last edited by a moderator: May 9, 2011
  15. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Heres the pic
     


  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    How is this 64-bit? The process is 32-bit, and GMER isn't 64-bit.

    Another 64-bit anti-rootkit is SanityCheck.
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ ellison64

    Try finding the key in SafeMode, if possible.

    If you google :p for that full key

    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System] OOCC7.00.00.01PROSTATION="9C50459E6F178054487323EDF8FB1014B8235C004B1FB48077C05A64527AB498805D4C70EBCC5CDE9EB5292A3F7CD0DB4E7FD1EF324F6FFEB30636FD6367C2BE2495933FBC200316BB363BE98BAEAB4D7F3F70F236169A0E9BA9D14F74ECC453A3C5D20024F0F6176BB1C8F821ED2CE76C28014B39ED6935BE9FEFAAA741B6801E2FE83C25D21E517DD3E8B3844B3F80B4F673CAE10471CBAF4F797A6450774636075510088DBF09C9BF568D7D0A38BF005ADA5899B93082049479FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C5D575E7D6A3B98088EDD5E5BE2F6E" **HIDDEN**
    You'll get about 6 results, mostly non-English. Use Google translation & see if you can find anything relevant :D

    Re - SysPrepTapi

    Appears to be dial related ? - http://www.realgeek.com/forums/sysprep-tapi-area-code-180458.html

    *

    AFAIK it is x64 ! Gmer worked on it with Avast so their version is not exactly the same anyway ;)

    See Post # 23 - https://www.wilderssecurity.com/showthread.php?t=235325

    He's already used that & found what he's found :D
     
    Last edited by a moderator: May 9, 2011
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Doesn't seem to be fully compatible.

    My mistake :gack:
     
  19. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    After much messing around, restoring backed-up images etc. and still having the same SanityCheck warnings, I asked the g/f to download SanityCheck on her W7 64-bit machine and scan again. This time she rebooted (as requested by SanityCheck) before running a scan. She didn't reboot the first time. After rebooting, the scan showed similar warnings to mine about non-existent files. I've come to the conclusion that SanityCheck is not reliable. Maybe someone with Windows 7 Service Pack 1 and 64-bit could run a SanityCheck scan (remember to reboot before the scan) and see if they have similar results?
    tia
    ellison
     
  20. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747

    I tried it but I don't get such result, no HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System here either.

    nosysetem.PNG
     
  21. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Thanks for testing for me :). I'll try on my desktop machine later this evening. It's strange it's on my g/f's laptop too. She has also performed scans with other security software, and only SanityCheck shows the changing .sys file. I find it hard to believe that every other malware scanner that we have tried is wrong, and also, apart from the SanityCheck result, there's no other evidence of any malware. I'd like to get to the bottom of this though.
    ellison
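The thread's recurring question is whether the SanityCheck reports in posts #1, #3 and #19 describe one persistent driver hook or a series of short-lived, randomly named modules (the pattern stackz attributes to Alcohol/Daemon Tools in post #7). The following Python script is an added example, not part of the thread and not SanityCheck's own code: it parses report text in the format quoted above, collects one finding per "Module ... is overwriting" block, and summarises whether the module name changes between runs and whether the file was already gone when the report was produced. The sample reports are constructed from the wording in the thread; the `sp??.sys` name heuristic is an assumption drawn from the names the poster saw, and the "present" sample is purely constructed.

```python
"""Summarise SanityCheck-style 'driver entry points hijacked' reports across runs.

Added example for the forum thread; it is not SanityCheck's code. The report text
below is constructed from the wording the poster quoted.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# One report block per run, in the wording quoted in the thread (constructed sample).
REPORT_TEMPLATE = (
    "Analyzing your system ...\n\n"
    "Some driver entry points are being hijacked by other modules\n\n"
    "Module {name} is overwriting one or more dispatch entry points of other "
    "drivers running in the system.\n\n"
    "Information about the responsible module {name}:\n\n"
    "file path: C:\\Windows\\system32\\drivers\\{name}\n"
    "{status}\n\n"
)
MISSING_MARKER = "This file is no longer available"
MISSING_LINE = (MISSING_MARKER + ". We suggest you try to find this file in another "
                "location on your hard disk.")

# Four runs with four different names, as in posts #1 and #3 (constructed sample).
SAMPLE_CHANGING = "".join(
    REPORT_TEMPLATE.format(name=n, status=MISSING_LINE)
    for n in ["spys.sys", "spgu.sys", "spgi.sys", "spuw.sys"]
)
# A single run whose file is still on disk; name and status line are constructed.
SAMPLE_STABLE = REPORT_TEMPLATE.format(
    name="examplefilter.sys", status="File details: (constructed sample, file present)"
)

MODULE_RE = re.compile(r"Module (\S+\.sys) is overwriting")
PATH_RE = re.compile(r"file path: (.+)")
# Heuristic (assumption): two random characters after "sp", as in the thread's names.
SPTD_LIKE_RE = re.compile(r"^sp[a-z0-9]{2}\.sys$", re.IGNORECASE)


@dataclass
class Finding:
    module: str   # driver name SanityCheck blamed
    path: str     # path it reported for that driver
    present: bool # False when the report says the file is no longer available


def parse_reports(text: str) -> List[Finding]:
    """Return one Finding per 'Module X is overwriting' block in the report text."""
    matches = list(MODULE_RE.finditer(text))
    findings = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        block = text[m.start():end]          # this block up to the next module line
        p = PATH_RE.search(block)
        findings.append(Finding(
            module=m.group(1),
            path=p.group(1).strip() if p else "",
            present=MISSING_MARKER not in block,
        ))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Aggregate the per-run findings into the facts worth looking at."""
    names = [f.module for f in findings]
    return {
        "runs": len(findings),
        "distinct_modules": sorted(set(names)),
        "all_missing_on_disk": all(not f.present for f in findings),
        "names_change_between_runs": len(names) > 1 and len(set(names)) == len(names),
        "sptd_like_names": bool(names) and all(SPTD_LIKE_RE.match(n) for n in names),
    }


def classify(summary: Dict[str, object]) -> str:
    """Coarse triage label; a real verdict still needs an offline/boot-time scan."""
    if summary["runs"] < 2:
        return "single-observation"
    if summary["names_change_between_runs"] and summary["all_missing_on_disk"]:
        return "transient-random-driver-names"
    return "persistent-hijack"


if __name__ == "__main__":
    for label, text in [("changing", SAMPLE_CHANGING), ("stable", SAMPLE_STABLE)]:
        s = summarize(parse_reports(text))
        print(label, s, "->", classify(s))
```

Run on the thread's pattern, the summary reports four runs, four distinct `sp??.sys` names, every file already missing, and the label `transient-random-driver-names`; a single report whose file is still on disk is labelled `single-observation`, since one run cannot show a changing name. The label is only a sorting aid: as the later posts show, the right follow-up is to corroborate with a scan from outside the running system rather than trust either the scanner's or the heuristic's verdict alone.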
     