Author Topic: Possible Rootkit. SPTD.SYS by TDSSKiller

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #30 on: April 30, 2011, 08:41:59 PM »
SPTD is part of the CD-ROM emulation from Daemon Tools - so it should be OK.

CyrusDragonas

  • Guest
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #31 on: April 30, 2011, 10:06:06 PM »
Okay. Process Explorer seems to say it's normal, but truth be told, I don't know exactly which threads or strings I'm looking for. It just hangs any install once it starts, and has DNS, Telman, and the NLA services attached to it. And having it take 25% of my CPU is the biggest ruining thing. Guess it's probably simply an error or corruption in one of the many files used in it. I have no idea. Thanks for all your help up to this point.

Cyrus

Offline essexboy

Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #32 on: April 30, 2011, 10:33:01 PM »
Looking at the associated files they are all networking elements - maybe it is too much strain. How many systems do you have networked and running?

CyrusDragonas

Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #33 on: May 02, 2011, 01:16:22 AM »
3 total, but it's a nice router. Also, the linked files and folders didn't seem out of place, but I did uninstall a few extraneous things. I'll have to see if it helped. I'll return with that info. I can't imagine the network structure causing a freezing MSI or similar, but I'm probably wrong. :) I'll continue to poke around in Process Explorer some more and track down the linked stuff to that process further.

Cyrus

CyrusDragonas

Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #34 on: May 07, 2011, 02:18:55 AM »
Alright. I apologize for being so tardy with this post. I've been in and out of the hospital, so I haven't been online in some time.

Anyway, I couldn't find anything whatsoever with the tools given, time spent, or shining effort as provided on Essex's part. I've ended up almost entirely re-writing the NLA process, as well as the few other processes seeming to be in question, either with help from reading the MS webpage on its processes, or by spending hours poking through dev forums. I believe in the end it had to do with SeaPort and it attempting to cache memory already flagged for use, and not reconciling itself well after realizing. If anyone needs any help on this subject, no matter how old this post gets, my email will stay the same, and I'll more than likely still have this account as well.

Thanks again everyone, and thanks, Essex.

-Cyrus

Offline essexboy

Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #35 on: May 07, 2011, 03:04:34 PM »
Glad there was a resolution... Funnily enough I have just completed a fix on a system where there was a TDL3 infection on SPTD.sys that was hiding a TDL4 infection on the MBR. Now that took some figuring - but we won out in the end.