Avast WEBforum

Other => Viruses and worms => Topic started by: CyrusDragonas on April 21, 2011, 08:08:58 PM

Title: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 21, 2011, 08:08:58 PM
     I usually handle viruses, rootkits, anything I can happen to catch (or my friends catch on theirs), but this one has me stumped. I could just be not trying hard enough, but anyway:

       Started with slowdowns, and me noticing that SVCHOST, one of the many in the Task Manager, would frequently, VERY frequently, be taking up exactly 25% of my CPU usage. I'd end it, and the related service (Almost always NLA), and I'd usually be fine for quite some time, having it pop up again maybe in a few hours, sometimes not at all. This however made me suspicious, so scanning I went. Avast boot scan found a few things that it could not handle, eventually leading to me having to skip them to continue (sadly at the time I did not record what those were, but I believe they were in System Restore). Upon reboot, I ended the svchost process, ran Rkill to make sure (didn't find any if I remember), then ran a full scan in Avast, and again in Mbam. Mbam found a few things, asking to restart to remove. I did, and it never seemed to get to remove them. Always showed up again on the next scan. Avast found a few things, but I knew them to be false positives as I'd created those few programs myself, just messing around. Deleted anyway, as they didn't have any real use. Avast then found nothing.

        A few days passed, with little work done in the way of removing whatever it was (Busy, lazy, take your pick), then, after one Windows Update restart, things seemed a bit different. SVChost seemed to be a bit more docile about it running at 25% usage (although still did/does), and now, upon opening Task Manager, RIGHT after opening, my CPU usage is almost always above 30%, then immediately hops down to normal idle speed (0%-1%). I'd simply been refusing it network access at all past this point (actually, pretty much after I suspected it). I had just been playing games, and running scans while I slept, as scanning 2 TB for viruses and having it unpack every zip with Heuristics on HIGH takes quite some time. Every night this week and last, I've run a slightly different scan than the last night's, with no luck. Yesterday, I used TDSS Killer, and it consistently finds an infection in SPTD.SYS, which I obviously can't seriously quarantine or delete.

        Truthfully, I'm a bit ashamed, as the real "kick in the butt" that made me post and actually try a bit harder was the fact that now, it seems to be affecting my gaming. It refuses to do almost anything smoothly now, and I have PLENTY of power to do what I'm asking -

CPU: Q9650 775 Cpu, Quad
Video Card: GTS 250-60, can't remember at the moment specifically
and a TON of Hard drives and partitions (4 or 5, each averages 2-3 partitions)
6.0 gb RAM

      So please, if anyone has any insight, let me know. I'm completely under the control of this thing, and I can't get out from under it.

OH, also, I ran combofix (changing its name to make sure nothing happens), but I wasn't watching it intently, so I have only a log I'd be happy to attach, and will try after I'm done typing this. Also keep in mind that I have updated everything before every scan (Mbam, Avast!), and only performed full scans with each.

EDIT: Oh sorry, forgot to mention Windows 7, x64

EDIT EDIT: Just ran a check with aswMBR, here is the log for that as well.
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 22, 2011, 02:16:10 AM
This is KILLING me. I'm sorry for Double Posting, but I can't find any way around this whatsoever. If ANYONE has ANY ideas, I'd love to hear them. Please. :)

-CyrusD
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: Pondus on April 22, 2011, 02:24:23 AM
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )


To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )

Essexboy will look at the logs when he arrives here tomorrow...



Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 22, 2011, 02:54:01 AM
MBAM log is attached to this post, two more logs (ComboFix log and aswMBR log) are attached to top post.

 OTS log will be added to THIS post when it completes.

Thank you all for the help so very much. I'm sure you get it a lot, but it's nice to have someone help without expecting anything in return. I'm an indie game dev, and if you all would like something custom made, or something similar, I'm sure I could whip something up. Just let me know. :)

-Cyrus D

EDIT: Okay, OTS log posted on this post as well.
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 22, 2011, 05:52:24 PM
SPTD is a part of your system emulator and is not a threat

I can see no apparent malware there, however, your hard drive space is very low on your three main drives.  This can cause slowdowns and errors as files are attempting to find somewhere to rest

Quote
Drive C: | 64.01 Gb Total Space | 9.63 Gb Free Space | 15.05% Space Free | Partition Type: NTFS
Drive D: | 97.65 Gb Total Space | 4.22 Gb Free Space | 4.32% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 0.64 Gb Free Space | 0.07% Space Free | Partition Type: NTFS

Probably teaching you to suck eggs here, but, have you defragged the drive and run a disc check
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: DavidR on April 22, 2011, 06:12:40 PM
Given those free space numbers the standard windows defrag would probably have a whinge, as less than 15% free space doesn't leave it room to work. So it would probably require a disc clean-up first.
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 22, 2011, 08:47:58 PM
Sorry for the late reply. I run HD Regenerator almost monthly on my main drive, and the recent intake of files to my system drive is due to me having to back up a friend's computer. I assure you, the problems happened before I became laden with files. Nevertheless, I've removed some of the clutter to an external drive, and am still having SVChost take 25-35% of my processor until stopped. Most of the time, I have to manually restart the Network Location Awareness. I'm suspicious because as I said (at least I think I did), Avast had found things it could not remove, then, magically it couldn't find them anymore, without any input from me. I'm getting huge slowdowns at random spots, and the SECOND I open Task Manager, CPU usage hops to almost 50%, but before it refreshes the list, it drops. Task Manager never had that spike beforehand.


EDIT: OH! I meant to add; I realize that SPTD.SYS is required for booting, but does TDSS Killer usually pick it up as a false positive then?


Thanks again, greatly,
  Cyrus D
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 22, 2011, 08:54:03 PM
Yes, as it is a hidden file, but you'll notice that it does not allow you to take any action with it

But let's see if there is anything else hiding

Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.
 
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
 
Double-click gmer.exe. The program will begin to run.
 
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!
 
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Once the scan is complete, you may receive another notice about rootkit activity.
Post the contents of GMER.txt in your next reply.
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 22, 2011, 08:56:06 PM
Scanning now... Will return once finished.


EDIT: On my way to my desktop, glanced through the Network and Sharing Center I had open as I was disabling my adapter to turn network access off and on, and I noticed it still hasn't negotiated correctly with the router *which it normally does fine*. Could just be from me mucking with the NLA service, but I thought I'd mention it.
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 22, 2011, 08:57:40 PM
Ok - I don't suppose you remember what Avast found ?
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 22, 2011, 09:01:31 PM
Not in the least, sadly. I'd wager it's stored in the logs though! (EUREKA!) I'll go check before I start GMER...... Okay, I can't seem to even find the logs for Avast. If you would be so kind as to tell me where to find them? :) Sorry. Also going to start GMER so the next post will at the least have THAT log in it.
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 22, 2011, 09:06:30 PM
Open Avast Scan tab
Select logs and it should be there

Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 22, 2011, 09:47:56 PM
Alright, GMER finished, then crashed, so I'm running it again to see if it won't at least post a log. Also, I hadn't mentioned a few important things, and for that I'm sorry:

   The exact symptoms have spread to 2 other computers on the network, but as previously stated, I've been severely limiting network access, so I'm fairly certain it wasn't through file transfer of the normal variety. One of the other computers has Kaspersky, which has actually found something it continually tries to get rid of to no avail. When it gets back I'll let you know what it says about it.

    Another interesting tidbit is that, that SVChost process? the one that takes up 25% or so of cpu until ending it and restarting NLA. It seems to start whenever I attempt to install anything using MSI installers, (such as DirectX installs, etc), and freezes that install, until I end it in task manager, then, the install continues as normal. Thought that'd at least be interesting to know. Also, I've noted on random google searches that some other people have had this problem with SVChost doing this, and they've said it points to malware, but I've obviously not found a solution by now that works for me.

Anyway, i'll return once I know more.

Cyrus D
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 22, 2011, 10:03:28 PM
On the Kaspersky system could you get an analysis log for me ?

There are instructions here on how to get it http://support.kaspersky.com/kis2011/error?qid=208282257 it will produce an XML and HTML file in a zip folder
Could you upload the folder to Mediafire (http://www.mediafire.com/) and post the sharing link.
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 23, 2011, 01:17:22 AM
Alright, here's the GMER log, and I'll return with the Kaspersky. The AVAST logs DID have the viruses logged, and haven't been able to remove apparently, but I can't find the actual log file on the computer, so I'll just take a screencap if you want me to. Oh, the GMER log is 10 mb. I'll just upload it to MegaUpload if that's fine with you; I already have an account there. I'll throw the Kaspersky log there too.

http://www.megaupload.com/?d=I1YJQPCC

There. The Avast log is saved as a picture in there.

Cyrus
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 23, 2011, 12:59:48 PM
Got 'em and looking now
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 23, 2011, 01:14:47 PM
Hmm Avast is reporting a rootkit on Microsoft SQL Server 2008 files
The Kaspersky log reported a TDL4 dropper
GMER comes up clean

Are the alerts still coming from Avast ? As it may have been a false positive that has been rectified
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 23, 2011, 11:24:34 PM
 Sorry for the late response.

     I could possibly see it being a false positive, but it's fairly coincidental that almost every computer in the network has reported something in their AV, then having it go blank and consistently pump that SVChost to great heights of cpu usage. Like I said, a few google searches of "SVChost at 25%" returns plenty of hits from people having malware and supposedly neutralizing it, then not having that issue. Of course, you're obviously a bit better at this than I, so I'd trust you on this over my own word almost any day.

     Tested a theory and hooked it up through a networked computer using a VM machine with all the AV and Firewalls I could put on without conflicting, and lo and behold, the AV almost immediately picked a random PUP up during a file transfer, so SOMETHING either infected that VM machine beforehand, or something got sent with the few files I did. It was a random DLL, and was a standard SlowPCFighter thing, and was almost immediately taken care of by the VM.

   I'm content if you deem this as a false positive or me just being paranoid. I still appreciate greatly the time you took from your days to help me. If you continue delving, I'm sure you noticed from the logs that I have disabled my System Restore and deleted my older ones to make sure. Also, FireFox, RIGHT NOW, is notably upset about something. I've NEVER had hangs in it before, even with 87 tabs open, and it repeatedly is hanging and going into an unresponsive state. Windows update has also been acting a bit wonky, but nothing truly abnormal. I can uninstall that SQL, but I believe I had the SVChost issue beforehand.

   If you could solve this issue here (The SVChost cpu usage) I'd imagine you'd be doing a ton of people a favor, as it seems I'm not the only one with this affliction.

EDIT: ...and of COURSE I didn't answer your question. :P No, Avast hasn't come up with anything at all recently, which is mildly worrisome, as I KNOW I have false positive programs on here (made by myself to make sure they were really truly clean, just to test the "false positive" and Behavior Monitoring that Avast uses) and it hasn't seen them as of late, even after clearing them from the whitelist.

Thanks again,
   Cyrus
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 23, 2011, 11:42:00 PM
This is a huge pic so I'm sorry, but this is exactly what it does.

   This is me updating Java, and the second the install starts, svchost jumps to 25%, and freezes install progress until I end it, and after I do, the NLA service isn't affected at all, and it should at least restart it if that truly was the host process for the service. The only result is the install working correctly, which has led me to believe it's a "rogue" or dummy process, not truly an SVChost. That latter bit sounds like a stretch, but eh.

(http://i5.photobucket.com/albums/y191/CyrusDragonas/Untitled.png)
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 23, 2011, 11:48:02 PM
I could see nothing in any of the logs that would indicate malware..

windows update repair

Go to this page (http://support.microsoft.com/kb/971058)
Run the fixit there  (big button about one third the way down) - if the normal run does not cure it then re run and use the aggressive mode

I would also suggest a repair of Avast to be on the safe side

You could also test Avast by going to Spycar (http://www.spycar.org/Welcome%20to%20Spycar.html) when you run the tests the connection should be cut


Lets have a further look at net services to ensure that nothing was missed

Run OTS
Reg - NetSvcs

/md5start
svchost.exe
/md5stop
%systemroot%\*. /mp /s

Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 24, 2011, 12:38:26 AM
Alright. Again sorry for that big pic.

 Here's the new OTS log.
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 24, 2011, 12:38:54 PM
This is all that is running under netsvc (svchost)
Quote
< 64bit-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > ->
*netsvcs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs
YN -> AppMgmt -> C:\Windows\SysNative\appmgmts.dll
And svchost is reporting as legitimate

What might be worth doing is checking the veracity of your files

Go to start > All Programs > Accessories
Right Click Command Prompt and select run as administrator
When the prompt opens type the following bolded text and press enter

sfc /scannow (Note: There is a space between sfc and /scannow)

On completion reboot
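The two checks essexboy asked for through OTS above ("Reg - NetSvcs" and "/md5start svchost.exe /md5stop") can be reproduced without OTS. The script below is an added example, not code from the thread, from OTS or from Avast. It assumes an elevated 64-bit Windows PowerShell on Windows 7 x64, so that HKLM: is the 64-bit registry view (the "64bit-HKEY_LOCAL_MACHINE" line in the OTS output) and System32 is the 64-bit directory OTS reports as SysNative.

```powershell
# Added example (not from the thread, OTS or Avast): what OTS's "Reg - NetSvcs" and
# "/md5start svchost.exe /md5stop" directives collect, done directly in PowerShell.
# Assumes an elevated 64-bit Windows PowerShell on Windows 7 x64 (PowerShell 2.0 is enough).

function Get-Md5Hex {
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

$system32   = Join-Path $env:SystemRoot 'System32'
$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'

# 1. Every service registered in the "netsvcs" svchost group and the DLL svchost loads for it.
#    The group value is REG_MULTI_SZ, which PowerShell returns as string[].
$netsvcs = (Get-ItemProperty -Path $svcHostKey).netsvcs
"netsvcs group lists $($netsvcs.Count) service names"

foreach ($name in $netsvcs) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $svcKey)) { continue }                 # listed in the group, not installed
    # ServiceDll normally sits under Parameters; a few services keep it on the service key itself.
    $dll = $null
    foreach ($k in @("$svcKey\Parameters", $svcKey)) {
        if (Test-Path $k) { $dll = (Get-ItemProperty -Path $k).ServiceDll }
        if ($dll) { break }
    }
    if (-not $dll) { continue }
    $dll   = [Environment]::ExpandEnvironmentVariables($dll)
    $flags = @()
    # A netsvcs member whose DLL lives outside System32 is the classic service-hijack pattern.
    if ($dll -notlike "$system32\*") { $flags += 'OUTSIDE-SYSTEM32' }
    if (-not (Test-Path $dll)) {
        $flags += 'FILE-MISSING'
    } else {
        # Caveat: most in-box Win7 DLLs are catalog-signed, which this cmdlet reports as
        # NotSigned. Confirm those with Sysinternals "sigcheck -c" before reading anything into it.
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $flags += "SIG=$($sig.Status)" }
    }
    '{0,-24} {1}  {2}' -f $name, $dll, ($flags -join ' ')
}

# 2. Every svchost.exe under %SystemRoot%, with its MD5. On Win7 x64 the copies in System32,
#    SysWOW64 (32-bit build) and WinSxS (component store) are expected; anything else is not.
$expectedDirs = @($system32, (Join-Path $env:SystemRoot 'SysWOW64'), (Join-Path $env:SystemRoot 'WinSxS'))
$refHash      = Get-Md5Hex (Join-Path $system32 'svchost.exe')
"reference System32\svchost.exe MD5: $refHash"

Get-ChildItem -Path $env:SystemRoot -Filter svchost.exe -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file  = $_
        $known = $false
        foreach ($d in $expectedDirs) { if ($file.FullName -like "$d\*") { $known = $true } }
        $note = if ($known) { '' } else { 'UNEXPECTED-LOCATION' }
        '{0}  {1}  {2}' -f (Get-Md5Hex $file.FullName), $file.FullName, $note
    }
```

Two lines in the output matter: a netsvcs member flagged OUTSIDE-SYSTEM32, and a svchost.exe flagged UNEXPECTED-LOCATION (a user profile, Temp, ProgramData). Everything else, including a SysWOW64 or WinSxS copy whose MD5 differs from the System32 one, is normal on this platform. The AppMgmt line in the OTS output above, with its DLL in SysNative (System32), is what a clean entry looks like.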
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 25, 2011, 06:23:54 PM
     Alright, sorry again for tardiness. Easter happened.

  Anyway, ran it twice; first instance ran until 10%, then crashed, saying Windows Resource Protection could not complete the action, then, it went to 99%, then gave the same message. I guess SVChost could simply be bugging out from some random corruption, but it's fairly coincidental every time I run an installer, it jumps to 25% and blocks the install, until I end it.

Cyrus
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 25, 2011, 06:52:25 PM
You have plenty of RAM and hard drive space now - I will see if I can find out anything about that error code

You can run SFC from safe mode where it has more chance of completing
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 25, 2011, 10:09:08 PM
Same story in safe mode. 99%, then that message. I'll try disabling some stuff and make a dummy account to see if it has anything to do with my personal one.
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 27, 2011, 09:11:07 PM
Nothing. Not in Safe Mode, not in a new account in either mode, nothing. I don't know exactly what this is, but I don't know if we have the means to solve this other than me ending the process frequently, sadly.
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 27, 2011, 10:45:45 PM
It might be worth running process explorer to see if you can catch what is causing the surge in svchost
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 28, 2011, 07:45:02 PM
Alright, I'll do that shortly. Also, the laptop with Kaspersky's just lapsed in its subscription, so I'll switch it over to Avast soon. TDSS Killer also says SPTD is infected on IT too, as well as the other computer. Does TDSS find it as a false positive often? Or is it just ridiculous coincidence? Also, point of note; the owner of the laptop had their bank account info stolen, but not their physical card, so I imagine it might have been digitally?

Cyrus
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 28, 2011, 08:25:45 PM
When Kaspersky reports - does it say locked or infected ?
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 30, 2011, 07:45:02 PM
   Sorry. Had to go to the hospital for a day. Long story. I'm ok now.


  Anyway, yes, it reports as locked I believe. Only options are to copy to quarantine, ignore or skip, or something else. Not heal or clean or anything. I'll be back shortly to report what Process Explorer says about my SVChost.

Cyrus
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 30, 2011, 08:41:59 PM
SPTD is part of the cd rom emulation from daemon tools - so it should be OK
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on April 30, 2011, 10:06:06 PM
  Okay. Process Explorer seems to say it's normal, but truth be told, I don't know exactly which threads or strings I'm looking for. It just hangs any install once it starts, and has DNS, Telman, and the NLA services attached to it. And having it take 25% of my cpu is the biggest ruining thing. Guess it's probably simply an error or corruption in one of the many files used in it. I have no idea. Thanks for all your help up to this point.

Cyrus
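What essexboy's Process Explorer suggestion is after, and what the post above struggles to read off the Services tab, is a mapping from the hot svchost.exe PID to the services it hosts and to its real CPU share. The script below is an added example, not code from the thread or from Sysinternals. It assumes an elevated Windows PowerShell on a Windows 7-era host (Get-WmiObject rather than Get-CimInstance so it also runs on PowerShell 2.0) and samples CPU over a fixed window, which is the only way a transient "25% until I kill it" spike can be attributed.

```powershell
# Added example (not from the thread or Sysinternals): which services live in each running
# svchost.exe, and what share of the machine each instance burned over a sample window.
# Assumes an elevated Windows PowerShell; Get-WmiObject keeps it PowerShell 2.0 compatible.

$interval = 5                                  # seconds between the two CPU samples
$cores    = [Environment]::ProcessorCount      # one spinning thread on a quad shows as 25%

function Get-SvchostCpuSeconds {
    # PID -> total CPU seconds consumed so far by that svchost instance
    $t = @{}
    foreach ($p in (Get-Process -Name svchost)) { $t[$p.Id] = $p.TotalProcessorTime.TotalSeconds }
    return $t
}

$before = Get-SvchostCpuSeconds
Start-Sleep -Seconds $interval
$after  = Get-SvchostCpuSeconds

# Services grouped by the PID that hosts them. Win32_Service.ProcessId is 0 for stopped services,
# which is the same data Process Explorer shows on a svchost's Services tab.
$svcByPid = @{}
foreach ($s in (Get-WmiObject -Class Win32_Service | Where-Object { $_.ProcessId -ne 0 })) {
    $id = [int]$s.ProcessId
    if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
    $svcByPid[$id] += $s.Name
}

$rows = foreach ($id in $after.Keys) {
    if (-not $before.ContainsKey($id)) { continue }      # started inside the sample window
    $pct  = [math]::Round(($after[$id] - $before[$id]) / ($interval * $cores) * 100, 1)
    $svcs = if ($svcByPid.ContainsKey($id)) { $svcByPid[$id] -join ', ' } else { '(no services reported)' }
    New-Object PSObject -Property @{ PID = $id; 'CPU%' = $pct; Services = $svcs }
}
$rows | Sort-Object 'CPU%' -Descending | Format-Table -AutoSize PID, 'CPU%', Services
```

Run it while the symptom is live (an MSI install stalled, Task Manager showing the spike). An instance holding about 25% on a quad-core is one thread spinning flat out, and the Services column names the suspects. A svchost with no services reported at all is the case the post above worries about, since a genuine svchost.exe only exists to host services. To pin a single service, move it into its own process with `sc config <ServiceName> type= own`, restart that service, and sample again; the hot PID then names exactly one service. Revert with `sc config <ServiceName> type= share` afterwards.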
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on April 30, 2011, 10:33:01 PM
Looking at the associated files they are all networking elements - maybe it is too much strain.  How many systems do you have networked and running ?
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on May 02, 2011, 01:16:22 AM
  3 total, but it's a nice router. Also, the linked files and folders didn't seem out of place, but I did uninstall a few extraneous things. I'll have to see if it helped. I'll return with that info. I can't imagine the network structure causing a freezing MSI or similar, but I'm probably wrong. :) I'll continue to poke around in Process Explorer some more and track down the linked stuffs to that process further.

Cyrus
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: CyrusDragonas on May 07, 2011, 02:18:55 AM
Alright. I apologize for being so tardy with this post. I've been in and out of the hospital, so I haven't been online in some time.


    Anyway, I couldn't find anything whatsoever with the tools given, time spent, or shining effort as provided on Essex's part. I've ended up almost entirely re-writing the NLA Process, as well as the few other processes seeming to be in question, either from help from reading the MS. Webpage on its processes, or by spending hours poking through dev forums. I believe in the end it had to do with SeaPort and it attempting to cache memory already flagged for use, and not reconciling itself well after realizing. If anyone needs any help on this subject, no matter how old this post gets, my email will stay the same, and I'll more than likely still have this account as well.


Thanks again everyone, and thanks, Essex.

 -Cyrus
Title: Re: Possible Rootkit. SPTD.SYS by TDSSKiller
Post by: essexboy on May 07, 2011, 03:04:34 PM
Glad there was a resolution... Funnily enough I have just completed a fix on a system where there was a TDL3 infection on SPTD.sys that was hiding a TDL4 infection on the MBR.  Now that took some figuring - but we won out in the end