Possible Rootkit. SPTD.SYS by TDSSKiller

 I usually handle viruses, rootkits, anything I can happen to catch (or my friends catch on theirs), but this one has me stumped. I could just be not trying hard enough, but anyway:

   Started with slowdowns, and me noticing that SVCHOST, one of the many in the Task Manager, would frequently, VERY frequently, be taking up exactly 25% of my CPU usage. I'd end it, and the related service (Almost always NLA), and I'd usually be fine for quite some time, having it pop up again maybe in a few hours, sometimes not at all. This however made me suspicious, so scanning I went. Avast boot scan found a few things that it could not handle, eventually leading to me having to skip them to continue (sadly at the time I did not record what those were, but I believe they were in System Restore). Upon reboot, I ended the svchost process, ran Rkill to make sure (didn't find any if I remember), then ran a full scan in Avast, and again in Mbam. Mbam found a few things, asking to restart to remove. I did, and it never seemed to get to remove them. Always showed up again on the next scan. Avast found a few things, but I knew them to be false positives as I'd created those few programs myself, just messing around. Deleted anyway, as they didn't have any real use. Avast then found nothing.

    A few days passed, with little work done in the way of removing whatever it was (Busy, lazy, take your pick), then, after one Windows Update restart, things seemed a bit different. SVChost seemed to be a bit more docile about it running at 25% usage (although still did/does), and now, upon opening Task Manager, RIGHT after opening, my CPU usage is almost always above 30%, then immediately hops down to normal idle speed (0%-1%). I'd simply been refusing it network access at all past this point (actually, pretty much after I suspected it). I had just been playing games, and running scans while I slept, as scanning 2 TB for viruses and having it unpack every zip with Heuristics on HIGH takes quite some time. Every night this week and last, I've run a slightly different scan than last night's, with no luck. Yesterday, I used TDSS Killer, and it consistently finds an infection in SPTD.SYS, which I obviously can't seriously quarantine or delete.

    Truthfully, I'm a bit ashamed, as the real "kick in the butt" that made me post and actually try a bit harder was the fact that now, it seems to be affecting my gaming. It refuses to do almost anything smoothly now, and I have PLENTY of power to do what I'm asking -

CPU: Q9650 775 Cpu, Quad
Video Card: GTS 250-60, can’t remember at the moment specifically
and a TON of Hard drives and partitions (4 or 5, each averages 2-3 partitions)
6.0 GB RAM

  So please, if anyone has any insight, let me know. I'm completely under the control of this thing, and I can't get out from under it. 

OH, also, I ran combofix (changing its name to make sure nothing happens), but I wasn’t watching it intently, so I have only a log I’d be happy to attach, and will try after I’m done typing this. Also keep in mind that I have updated everything before every scan (Mbam, Avast!), and only performed full scans with each.

EDIT: Oh sorry, forgot to mention Windows 7, x64

EDIT EDIT: Just ran a check with aswMBR, here is the log for that as well.

This is KILLING me. I’m sorry for Double Posting, but I can’t find any way around this whatsoever. If ANYONE has ANY ideas, I’d love to hear them. Please. :)

-CyrusD

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )

Essexboy will look at the logs when he arrives here tomorrow…

MBAM log is attached to this post, two more logs (ComboFix log and aswMBR log) are attached to top post.

OTS log will be added to THIS post when it completes.

Thank you all for the help so very much. I’m sure you get it a lot, but it’s nice to have someone help without expecting anything in return. I’m an indie game dev, and if you all would like something custom made, or something similar, I’m sure I could whip something up. Just let me know. :)

-Cyrus D

EDIT: Okay, OTS log posted on this post as well.

SPTD is a part of your system emulator and is not a threat

I can see no apparent malware there, however, your hard drive space is very low on your three main drives. This can cause slowdowns and errors as files are attempting to find somewhere to rest.

Drive C: | 64.01 Gb Total Space | 9.63 Gb Free Space | 15.05% Space Free | Partition Type: NTFS
Drive D: | 97.65 Gb Total Space | 4.22 Gb Free Space | 4.32% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 0.64 Gb Free Space | 0.07% Space Free | Partition Type: NTFS

Probably teaching you to suck eggs here, but, have you defragged the drive and run a disc check?

Given those free space numbers the standard windows defrag would probably have a whinge, as less than 15% free space doesn’t leave it room to work. So it would probably require a disc clean-up first.

Sorry for the late reply. I run HD Regenerator almost monthly on my main drive, and the recent intake of files to my system drive is due to me having to back up a friend's computer. I assure you, the problems happened before I became laden with files. Nevertheless, I’ve removed some of the clutter to an external drive, and am still having SVChost take 25-35% of my processor until stopped. Most of the time, I have to manually restart the Network Location Awareness. I’m suspicious because as I said (at least I think I did), Avast had found things it could not remove, then, magically it couldn’t find them anymore, without any input from me. I’m getting huge slowdowns at random spots, and the SECOND I open Task Manager, CPU usage hops to almost 50%, but before it refreshes the list, it drops. Task Manager never had that spike beforehand.

EDIT: OH! I meant to add; I realize that SPTD.SYS is required for booting, but does TDSS Killer usually pick it up as a false positive then?

Thanks again, greatly,
Cyrus D

Yes as it is a hidden file - but you notice that it does not allow you to take any action with it

But let's see if there is anything else hiding

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

Caution
These types of scans can produce false positives. Do NOT take any action on any “<— ROOTKIT” entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
[*]Click NO
[*]In the right panel, you will see a bunch of boxes that have been checked … leave everything checked and ensure the Show all box is un-checked.
[*]Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
[*]Click OK.
[*]GMER will produce a log. Click on the [Save…] button, and in the File name area, type in “GMER.txt”
[*]Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Scanning now… Will return once finished.

EDIT: On my way to my desktop, glanced through the Network and Sharing Center I had open as I was disabling my adapter to turn network access off and on, and I noticed it still hasn’t negotiated correctly with the router which it normally does fine. Could just be from me mucking with the NLA service, but I thought I’d mention it.

Ok - I don’t suppose you remember what Avast found ?

Not in the least, sadly. I’d wager it's stored in the logs though! (EUREKA!) I’ll go check before I start GMER… Okay, I can’t seem to even find the logs for Avast. If you would be so kind as to tell me where to find them? :) Sorry. Also going to start GMER so the next post will at the least have THAT log in it.

Open Avast Scan tab
Select logs and it should be there

Alright, GMER finished, then crashed, so I’m running it again to see if it won’t at least post a log. Also, I hadn’t mentioned a few important things, and for that I’m sorry:

The exact symptoms have spread to 2 other computers on the network, but as previously stated, I’ve been severely limiting network access, so I’m fairly certain it wasn’t through file transfer of the normal variety. One of the other computers has Kaspersky, which has actually found something it continually tries to get rid of to no avail. When it gets back I’ll let you know what it says about it.

Another interesting tidbit is that that SVChost process, the one that takes up 25% or so of CPU until I end it and restart NLA, seems to start whenever I attempt to install anything using MSI installers (such as DirectX installs, etc.), and freezes that install, until I end it in Task Manager, then the install continues as normal. Thought that'd at least be interesting to know. Also, I've noted on random Google searches that some other people have had this problem with SVChost doing this, and they've said it points to malware, but I've obviously not found a solution by now that works for me.

Anyway, I’ll return once I know more.

Cyrus D

On the Kaspersky system could you get an analysis log for me ?

There are instructions here on how to get it: http://support.kaspersky.com/kis2011/error?qid=208282257 It will produce an XML and HTML file in a zip folder.
Could you upload the folder to Mediafire and post the sharing link.

Alright, here's the GMER log, and I’ll return with the Kaspersky. The AVAST logs DID have the viruses logged, and apparently it hasn’t been able to remove them, but I can’t find the actual log file on the computer, so I’ll just take a screencap if you want me to. Oh, the GMER log is 10 MB. I’ll just upload it to MegaUpload if that’s fine with you; I already have an account there. I’ll throw the Kaspersky log there too.

http://www.megaupload.com/?d=I1YJQPCC

There. The Avast log is saved as a picture in there.

Cyrus

Got 'em and looking now

Hmm Avast is reporting a rootkit on Microsoft SQL Server 2008 files
The Kaspersky log reported a TDL4 dropper
GMER comes up clean

Are the alerts still coming from Avast ? As it may have been a false positive that has been rectified

Sorry for the late response.

 I could possibly see it being a false positive, but it's fairly coincidental that almost every computer in the network has reported something in their AV, then having it go blank and consistently pump that SVChost to great heights of CPU usage. Like I said, a few Google searches of "SVChost at 25%" return plenty of hits from people having malware and supposedly neutralizing it, then not having that issue. Of course, you're obviously a bit better at this than I, so I'd trust you on this over my own word almost any day.

 Tested a theory and hooked it up through a networked computer using a VM machine with all the AV and Firewalls I could put on without conflicting, and lo and behold, the AV almost immediately picked a random PUP up during a file transfer, so SOMETHING either infected that VM machine beforehand, or something got sent with the few files I did. It was a random DLL, and was a standard SlowPCFighter thing, and was almost immediately taken care of by the VM.

I’m content if you deem this as a false positive or me just being paranoid. I still appreciate greatly the time you took from your days to help me. If you continue delving, I’m sure you noticed from the logs that I have disabled my System Restore and deleted my older ones to make sure. Also, FireFox, RIGHT NOW, is notably upset about something. I’ve NEVER had hangs in it before, even with 87 tabs open, and it repeatedly is hanging and going into an unresponsive state. Windows update has also been acting a bit wonky, but nothing truly abnormal. I can uninstall that SQL, but I believe I had the SVChost issue beforehand.

If you could solve this issue here (The SVChost cpu usage) I’d imagine you’d be doing a ton of people a favor, as it seems I’m not the only one with this affliction.

EDIT: …and of COURSE I didn’t answer your question. :P No, Avast hasn’t come up with anything at all recently, which is mildly worrisome, as I KNOW I have false positive programs on here (made by myself to make sure they were really truly clean, just to test the “false positive” and Behavior Monitoring that Avast uses) and it hasn’t seen them as of late, even after clearing them from the whitelist.

Thanks again,
Cyrus

This is a huge pic so I’m sorry, but this is exactly what it does.

This is me updating Java, and the second the install starts, svchost jumps to 25%, and freezes install progress until I end it, and after I do, the NLA service isn’t affected at all, and it should at least restart it if that truly was the host process for the service. The only result is the install working correctly, which has led me to believe it's a “rogue” or dummy process, not truly an SVChost. That latter bit sounds like a stretch, but eh.

http://i5.photobucket.com/albums/y191/CyrusDragonas/Untitled.png
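One way to check the "rogue or dummy svchost" theory raised above, as an added example that is not part of the original thread: for every running svchost.exe, list the services it actually hosts (via Win32_Service.ProcessId), its image path and its Authenticode status. A genuine host for NLA should sit at %SystemRoot%\System32\svchost.exe, be signed, and show NlaSvc among its services; an instance hosting no services from an unexpected path is what to hand to the log reviewer. The service name NlaSvc and the expected path are assumptions from general Windows knowledge, not taken from the thread.

```powershell
# Added example (not the thread's own procedure): tie each svchost.exe to the
# services it hosts and verify its image path and signature.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'   # assumed genuine location

Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    # Win32_Service exposes the PID of the process hosting each service
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($p.Id)" |
            Select-Object -ExpandProperty Name
    # Reading the image path can be denied for protected processes; treat that as unknown
    $path = try { $p.Path } catch { $null }
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
    [pscustomobject]@{
        PID        = $p.Id
        CPUSeconds = [math]::Round($p.CPU, 1)          # total CPU time consumed so far
        PathOK     = [bool]($path -and ($path -ieq $expected))
        Signature  = $sig
        HostsNLA   = [bool]($svcs -contains 'NlaSvc')  # assumed service name for NLA
        Services   = ($svcs -join ',')
    }
} | Sort-Object CPUSeconds -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell so paths of SYSTEM-owned processes are readable; rows with PathOK false, an invalid signature, or an empty Services column are the ones worth questioning.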

I could see nothing in any of the logs that would indicate malware…

Windows Update repair

Go to this page
Run the fixit there (big button about one third of the way down) - if the normal run does not cure it then re-run and use the aggressive mode

I would also suggest a repair of Avast to be on the safe side

You could also test Avast by going to Spycar; when you run the tests the connection should be cut

Let's have a further look at net services to ensure that nothing was missed

Run OTS

[*]Make sure you close all other programs.
[*]Select All Users
[*]Under additional scans select the following
Reg - NetSvcs

[*]Under the Custom Scan box paste this in

/md5start
svchost.exe
/md5stop
%systemroot%*. /mp /s