Author Topic: Possible Rootkit. SPTD.SYS by TDSSKiller  (Read 23091 times)

Offline CyrusDragonas

  • Newbie
  • Posts: 19
Possible Rootkit. SPTD.SYS by TDSSKiller
« on: April 21, 2011, 06:08:58 PM »
     I usually handle viruses, rootkits, anything I can happen to catch (or my friends catch on theirs), but this one has me stumped. I could just be not trying hard enough, but anyway:

       Started with slowdowns, and me noticing that SVCHOST, one of the many in the Task Manager, would frequently, VERY frequently, be taking up exactly 25% of my CPU usage. I'd end it, and the related service (Almost always NLA), and I'd usually be fine for quite some time, having it pop up again maybe in a few hours, sometimes not at all. This however made me suspicious, so scanning I went. Avast boot scan found a few things that it could not handle, eventually leading to me having to skip them to continue (sadly at the time I did not record what those were, but I believe they were in System Restore). Upon reboot, I ended the svchost process, ran Rkill to make sure (didn't find any if I remember), then ran a full scan in Avast, and again in Mbam. Mbam found a few things, asking to restart to remove. I did, and it never seemed to get to remove them. Always showed up again on the next scan. Avast found a few things, but I knew them to be false positives as I'd created those few programs myself, just messing around. Deleted anyway, as they didn't have any real use. Avast then found nothing.

        A few days passed, with little work done in the way of removing whatever it was (Busy, lazy, take your pick), then, after one Windows Update restart, things seemed a bit different. SVChost seemed to be a bit more docile about it running at 25% usage (although still did/does), and now, upon opening Task Manager, RIGHT after opening, my CPU usage is almost always above 30%, then immediately hops down to normal idle speed (0%-1%). I'd simply been refusing it network access at all past this point (actually, pretty much after I suspected it). I had just been playing games, and running scans while I slept, as scanning 2 TB for viruses and having it unpack every zip with Heuristics on HIGH takes quite some time. Every night this week and last, I've run a slightly different scan than last night's, with no luck. Yesterday, I used TDSS Killer, and it consistently finds an infection in SPTD.SYS, which I obviously can't seriously quarantine or delete.

        Truthfully, I'm a bit ashamed, as the real "kick in the butt" that made me post and actually try a bit harder was the fact that now, it seems to be affecting my gaming. It refuses to do almost anything smoothly now, and I have PLENTY of power to do what I'm asking -

CPU: Q9650 775 Cpu, Quad
Video Card: GTS 250-60, can't remember at the moment specifically
and a TON of Hard drives and partitions (4 or 5, each averages 2-3 partitions)
6.0 gb RAM

      So please, if anyone has any insight, let me know. I'm completely under the control of this thing, and I can't get out from under it.

OH, also, I ran combofix (changing its name to make sure nothing happens), but I wasn't watching it intently, so I have only a log I'd be happy to attach, and will try after I'm done typing this. Also keep in mind that I have updated everything before every scan (Mbam, Avast!), and only performed full scans with each.

EDIT: Oh sorry, forgot to mention Windows 7, x64

EDIT EDIT: Just ran a check with aswMBR, here is the log for that as well.
« Last Edit: April 21, 2011, 08:42:05 PM by CyrusDragonas »

Offline CyrusDragonas

  • Newbie
  • Posts: 19
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #1 on: April 22, 2011, 12:16:10 AM »
This is KILLING me. I'm sorry for Double Posting, but I can't find any way around this whatsoever. If ANYONE has ANY ideas, I'd love to hear them. Please. :)

-CyrusD

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 21683
  • Gender: Male
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #2 on: April 22, 2011, 12:24:23 AM »
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )


To avoid using multiple posts with copy and paste, you have to attach the logs

Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )

Essexboy will look at the logs when he arrives here tomorrow...



Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline CyrusDragonas

  • Newbie
  • Posts: 19
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #3 on: April 22, 2011, 12:54:01 AM »
MBAM log is attached to this post, two more logs (ComboFix log and aswMBR log) are attached to top post.

 OTS log will be added to THIS post when it completes.

Thank you all for the help so very much. I'm sure you get it a lot, but it's nice to have someone help without expecting anything in return. I'm an indie game dev, and if you all would like something custom made, or something similar, I'm sure I could whip something up. Just let me know. :)

-Cyrus D

EDIT: Okay, OTS log posted on this post as well.
« Last Edit: April 22, 2011, 03:43:15 AM by CyrusDragonas »

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 28970
  • Gender: Male
  • Dragons by Sasha
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #4 on: April 22, 2011, 03:52:24 PM »
SPTD is a part of your system emulator and is not a threat

I can see no apparent malware there, however, your hard drive space is very low on your three main drives.  This can cause slowdowns and errors as files are attempting to find somewhere to rest

Quote
Drive C: | 64.01 Gb Total Space | 9.63 Gb Free Space | 15.05% Space Free | Partition Type: NTFS
Drive D: | 97.65 Gb Total Space | 4.22 Gb Free Space | 4.32% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 0.64 Gb Free Space | 0.07% Space Free | Partition Type: NTFS

Probably teaching you to suck eggs here, but, have you defragged the drive and run a disc check
« Last Edit: April 22, 2011, 04:16:11 PM by essexboy »

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69208
  • Gender: Male
  • No support PMs thanks
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #5 on: April 22, 2011, 04:12:40 PM »
Given those free space numbers the standard windows defrag would probably have a whinge, as less than 15% free space doesn't leave it room to work. So it would probably require a disc clean-up first.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline CyrusDragonas

  • Newbie
  • Posts: 19
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #6 on: April 22, 2011, 06:47:58 PM »
Sorry for the late reply. I run HD Regenerator almost monthly on my main drive, and the recent intake of files to my system drive is due to me having to back up a friend's computer. I assure you, the problems happened before I became laden with files. Nevertheless, I've removed some of the clutter to an external drive, and am still having SVChost take 25-35% of my processor until stopped. Most of the time, I have to manually restart the Network Location Awareness. I'm suspicious because as I said (at least I think I did), Avast had found things it could not remove, then, magically it couldn't find them anymore, without any input from me. I'm getting huge slowdowns at random spots, and the SECOND I open Task Manager, CPU usage hops to almost 50%, but before it refreshes the list, it drops. Task Manager never had that spike beforehand.


EDIT: OH! I meant to add; I realize that SPTD.SYS is required for booting, but does TDSS Killer usually pick it up as a false positive then?


Thanks again, greatly,
  Cyrus D
« Last Edit: April 22, 2011, 06:54:34 PM by CyrusDragonas »

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 28970
  • Gender: Male
  • Dragons by Sasha
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #7 on: April 22, 2011, 06:54:03 PM »
Yes, as it is a hidden file - but you notice that it does not allow you to take any action with it

But let's see if there is anything else hiding

Download the GMER Rootkit Scanner. Unzip it to your Desktop.
 
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
 
Double-click gmer.exe. The program will begin to run.
 
**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!
 
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
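Two things in this thread can be checked from the command line before anyone decides what to do about them: which services actually live inside the svchost.exe instance that sits at 25% CPU (the NLA symptom from the opening post and Reply #6), and whether the sptd.sys file TDSSKiller flags is the signed vendor driver Reply #4 says it is. The PowerShell below is an added example, not code from this thread, from GMER, TDSSKiller or any other tool mentioned here. It assumes Windows 7 with PowerShell 2.0 or later, an elevated prompt, and that the driver sits at the usual %SystemRoot%\System32\drivers\sptd.sys location (an assumption; the thread never gives a path).

```powershell
# Added example (not from this thread): two checks a responder would run
# before trusting or distrusting what Task Manager and TDSSKiller show.
# Assumes PowerShell 2.0+ on Windows 7, run from an elevated prompt.

# --- Check 1: which services live inside each svchost.exe? ---
# Task Manager shows only the host process. Win32_Service.ProcessId lets us
# join every running service to the svchost.exe that hosts it, so a host
# that sits at 25% CPU can be tied to a short list of candidate services.
$services = Get-WmiObject Win32_Service | Where-Object { $_.State -eq 'Running' }

$hostTable = Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $proc   = $_
    $hosted = $services | Where-Object { $_.ProcessId -eq $proc.Id } |
              Select-Object -ExpandProperty Name
    New-Object PSObject -Property @{
        PID        = $proc.Id
        CPUSeconds = [math]::Round($proc.CPU, 1)   # processor time consumed so far
        Services   = ($hosted -join ', ')
    }
}
$hostTable | Sort-Object CPUSeconds -Descending | Format-Table PID, CPUSeconds, Services -AutoSize

# Network Location Awareness, the service the poster keeps restarting, is
# registered as NlaSvc. Show which host it shares and with what.
$nla = $services | Where-Object { $_.Name -eq 'NlaSvc' }
if ($nla) {
    $siblings = $services | Where-Object { $_.ProcessId -eq $nla.ProcessId } |
                Select-Object -ExpandProperty Name
    "NlaSvc runs in PID $($nla.ProcessId) together with: $($siblings -join ', ')"
} else {
    "NlaSvc is not running"
}

# --- Check 2: is the flagged driver a signed vendor driver? ---
# sptd.sys belongs to the disc-emulation software (Reply #4). A signed file
# with an intact service entry is the expected picture; an unsigned file,
# an odd size or date, or a PathName pointing elsewhere would merit a look.
# The path below is the usual location and is an assumption.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\sptd.sys'
if (Test-Path $driverPath) {
    $file   = Get-Item $driverPath
    $sig    = Get-AuthenticodeSignature -FilePath $driverPath
    $signer = '(none)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path      = $driverPath
        SizeBytes = $file.Length
        Modified  = $file.LastWriteTime
        SigStatus = $sig.Status          # 'Valid' is what a vendor driver should report
        Signer    = $signer
    } | Format-List
    # The kernel-mode service that loads the driver at boot.
    Get-WmiObject Win32_SystemDriver -Filter "Name='sptd'" |
        Select-Object Name, State, StartMode, PathName | Format-List
} else {
    "sptd.sys not found at $driverPath"
}
```

The first table narrows a busy host down to the handful of services it carries; it does not say which of them is burning the CPU, since they share one process. Get-AuthenticodeSignature only sees an embedded signature: Microsoft's own drivers are often catalog-signed and report NotSigned even when legitimate, whereas a third-party driver on 64-bit Windows 7 normally carries an embedded signature, so a Valid status with the vendor as signer is the expected outcome here. Neither check replaces the GMER log the guide above asks for; they only give you something concrete to put next to it.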

Offline CyrusDragonas

  • Newbie
  • Posts: 19
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #8 on: April 22, 2011, 06:56:06 PM »
Scanning now... Will return once finished.


EDIT: On my way to my desktop, glanced through the Network and Sharing Center I had open as I was disabling my adapter to turn network access off and on, and I noticed it still hasn't negotiated correctly with the router *which it normally does fine*. Could just be from me mucking with the NLA service, but I thought I'd mention it.
« Last Edit: April 22, 2011, 06:58:42 PM by CyrusDragonas »

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 28970
  • Gender: Male
  • Dragons by Sasha
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #9 on: April 22, 2011, 06:57:40 PM »
Ok - I don't suppose you remember what Avast found ?

Offline CyrusDragonas

  • Newbie
  • Posts: 19
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #10 on: April 22, 2011, 07:01:31 PM »
Not in the least, sadly. I'd wager it's stored in the logs though! (EUREKA!) I'll go check before I start GMER...... Okay, I can't seem to even find the logs for Avast. If you would be so kind as to tell me where to find them? :) Sorry. Also going to start GMER so the next post will at the least have THAT log in it.

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 28970
  • Gender: Male
  • Dragons by Sasha
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #11 on: April 22, 2011, 07:06:30 PM »
Open Avast Scan tab
Select logs and it should be there


Offline CyrusDragonas

  • Newbie
  • Posts: 19
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #12 on: April 22, 2011, 07:47:56 PM »
Alright, GMER finished, then crashed, so I'm running it again to see if it won't at least post a log. Also, I hadn't mentioned a few important things, and for that I'm sorry:

   The exact symptoms have spread to 2 other computers on the network, but as previously stated, I've been severely limiting network access, so I'm fairly certain it wasn't through file transfer of the normal variety. One of the other computers has Kaspersky, which has actually found something it continually tries to get rid of to no avail. When it gets back I'll let you know what it says about it.

    Another interesting tidbit is that, that SVChost process? the one that takes up 25% or so of cpu until ending it and restarting NLA. It seems to start whenever I attempt to install anything using MSI installers (such as DirectX installs, etc.), and freezes that install, until I end it in task manager, then, the install continues as normal. Thought that'd at least be interesting to know. Also, I've noted on random google searches that some other people have had this problem with SVChost doing this, and they've said it points to malware, but I've obviously not found a solution by now that works for me.

Anyway, I'll return once I know more.

Cyrus D

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 28970
  • Gender: Male
  • Dragons by Sasha
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #13 on: April 22, 2011, 08:03:28 PM »
On the Kaspersky system could you get an analysis log for me ?

There are instructions here on how to get it http://support.kaspersky.com/kis2011/error?qid=208282257 it will produce an XML and HTML file in a zip folder
Could you upload the folder to Mediafire and post the sharing link.

Offline CyrusDragonas

  • Newbie
  • Posts: 19
Re: Possible Rootkit. SPTD.SYS by TDSSKiller
« Reply #14 on: April 22, 2011, 11:17:22 PM »
Alright, here's the GMER log, and I'll return with the Kaspersky. The AVAST logs DID have the viruses logged, and it hasn't been able to remove them apparently, but I can't find the actual log file on the computer, so I'll just take a screencap if you want me to. Oh, the GMER log is 10 mb. I'll just upload it to a MegaUpload if that's fine with you; I already have an account there. I'll throw the Kaspersky log there too.

http://www.megaupload.com/?d=I1YJQPCC

There. The Avast log is saved as a picture in there.

Cyrus

 
