Author Topic: Possible Rootkit. SPTD.SYS by TDSSKiller  (Read 35717 times)

0 Members and 1 Guest are viewing this topic.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #15 on: April 23, 2011, 12:59:48 PM »
Got 'em and looking now

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #16 on: April 23, 2011, 01:14:47 PM »
Hmm Avast is reportin a rootkit on Microsoft SQL Server 2008 files
The Kaspersky log reported a TDL4 dropper
GMER comes up clean

Are the alerts still coming from Avast ? As it may have been a false positive that has been rectified

CyrusDragonas

  • Guest
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #17 on: April 23, 2011, 11:24:34 PM »
 Sorry for the late response.

     I could possibly see it being a false positive, but its fairly coincidental that almost every computer in the network has reported something in their AV, then having it go blank and consistently pump that SVChost to great heights of cpu usage. Like I said, a few google searches of "SVChost at 25%" returns plenty of hits from people having malware and supposedly neutralizing it, then not having that issue. Of course, you're obviously a bit better at this than I, so I'd trust you on this over my own word almost any day.

     Tested a theory and hooked it up through a networked computer using a VM machine with all the AV and Firewalls I could put on without conflicting, and low and behold, the AV almost immediately picked a random PUP up during a file transfer, so SOMETHING either infected that VM machine beforehand, or something got sent with the few files I did. It was a random DLL, and was a standard SlowPCFighter thing, and was almost immediately taken care of by the VM.

   I'm content if you deem this as a false positive or me just being paranoid. I still appreciate greatly the time you took from your days to help me. If you continue delving, I'm sure you noticed from the logs that I have disabled my System Restore and deleted my older ones to make sure. Also, FireFox, RIGHT NOW, is notably upset about something. I've NEVER had hangs in it before, even with 87 tabs open, and it repeatedly is hanging and going into an unresponsive state. Windows update has also been acting a bit wonky, but nothing truly abnormal. I can uninstall that SQL, but I believe I had the SVChost issue beforehand.

   If you could solve this issue here (The SVChost cpu usage) I'd imagine you'd be doing a ton of people a favor, as it seems I'm not the only one with this affliction.

EDIT: ...and of COURSE I didn't answer your question. :P No, Avast hasn't come up with anything at all recently, which is mildly worrysome, as I KNOW I have false positive programs on here (made by myself to make sure they were really truly clean, just to test the "false positive" and Behavior Monitoring that Avast uses) and it hasn't seen them as of late, even after clearing them from the whitelist.

Thanks again,
   Cyrus
« Last Edit: April 23, 2011, 11:26:52 PM by CyrusDragonas »

CyrusDragonas

  • Guest
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #18 on: April 23, 2011, 11:42:00 PM »
This is a huge pic so I'm sorry, but this is exactly what it does.

   This is me updating Java, and the second the install starts, svchost jumps to 25%, and freezes install progress until I end it, and after I do, the NLA service isn't affected at all, and it should at least restart it if that truly was the host process for the service. The only result is the install working correctly, which has led me to believe its a "rogue" or dummy process, not truly an SVChost. That latter bit sounds like a stretch, but eh.


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #19 on: April 23, 2011, 11:48:02 PM »
I could see nothing in any of the logs that would indicate malware..

windows update repair

Go to this page
Run the fixit there  (big button about one third the way down) - if the normal run does not cure it then re run and use the aggressive mode

I would also suggest a repair of Avast to be on the safe side

You could also test Avast by going to Spycar when you run the tests the connection should be cut


Lets have a further look at net services to ensure that nothing was missed

Run OTS
  • Make sure you close all other programs.
  • Select All Users
  • Under additional scans select the following
Reg - NetSvcs

  • Under the Custom Scan box paste this in
/md5start
svchost.exe
/md5stop
%systemroot%\*. /mp /s

[/list]

CyrusDragonas

  • Guest
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #20 on: April 24, 2011, 12:38:26 AM »
Alright. Again sorry for that big pic.

 Here's the new OTS log.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #21 on: April 24, 2011, 12:38:54 PM »
This is alll that is running under netsvc (svchost)
Quote
< 64bit-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > ->
*netsvcs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs
YN -> AppMgmt -> C:\Windows\SysNative\appmgmts.dll
And svchost is reporting as legitimate

What might be worth doing is checking the veracity of your files

Go to start > All Programs > Accessories
Right Click Command Prompt and select run as administrator
When the prompt opens type the following bolded text and press enter

sfc /scannow (Note: There is a space between sfc and /scannow)

On completion reboot

CyrusDragonas

  • Guest
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #22 on: April 25, 2011, 06:23:54 PM »
     Alright, sorry again for tardiness. Easter happened.

  Anyway, ran it twice; first instance ran until 10%, then crashed, saying Windows Resource Protection could not complete the action, then, it went to 99%, then gave the same message. I guess SVChost could simply be bugging out from some random corruption, but its fairly coincidental every time I run an installer, it jumps to 25% and blocks the install, until I end it.

Cyrus

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #23 on: April 25, 2011, 06:52:25 PM »
You have plenty of RAM and hard drive space now - I will see if I can find out anything about that error code

You can run SFC from safe mode where it has more chance of completing

CyrusDragonas

  • Guest
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #24 on: April 25, 2011, 10:09:08 PM »
Same story in safe mode. 99%, then that message. I'll try disabling some stuff and make a dummy account to see if it has anything to do with my personal one.

CyrusDragonas

  • Guest
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #25 on: April 27, 2011, 09:11:07 PM »
Nothing. Not in Safe Mode, not in a new account in either mode, nothing. I don't know exactly what this is, but I don't know if we have the means to solve this other than me ending the process frequently, sadly.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #26 on: April 27, 2011, 10:45:45 PM »
It might be worth running process explorer to see if you can catch what is causing the surge in svchost

CyrusDragonas

  • Guest
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #27 on: April 28, 2011, 07:45:02 PM »
Alright, I'll do that shortly. Also, the laptop with Kasperskys' just lapsed in its subscription, so I'll switch it over to Avast soon. TDSS Killer also says SPTD is infected on IT too, as well as the other computer. Does TDSS find it as a false positive often? Or is it just ridiculous coincidence? Also, point of note; the owner of the laptop had their bank account info stolen, but not their physical card, so I imagine it might have been digitally?

Cyrus

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #28 on: April 28, 2011, 08:25:45 PM »
When Kaspersky reports - does it say locked or infected ?

CyrusDragonas

  • Guest
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #29 on: April 30, 2011, 07:45:02 PM »
   Sorry. Had to go to the hospital for a day. Long story. I'm ok now.


  Anyway, yes, it reports as locked I believe. Only options are to copy to quarantine, ignore or skip, or something else. Not heal or clean or anything. I'll be back shortly to report what Process Explorer says about my SVChost.

Cyrus