Windows Vista Tips

registry update SDTable

jc1973
      10-20-2009
when I started my pc this afternoon it showed a new registry table being
copied in? ...something like RegistrySDTable..
It then showed 3 updates installing.

Is this normal/expected or has someone just hacked my registry ?

what is RegistrySDTable?
MowGreen
      10-20-2009
jc1973 wrote:

> when I started my pc this afternoon it showed a new registry table being
> copied in? ...something like RegistrySDTable..
> It then showed 3 updates installing.
>
> Is this normal/expected or has someone just hacked my registry ?
>
> what is RegistrySDTable?


Well, since there are no hits on Google, MSDN.com nor Technet.com
besides your posts being listed, then it's apparently something "new".
There's also the possibility that you did not accurately transcribe the
*exact* message received when the system first booted up.

IF the message you posted is the *exact* same one as when the system
booted ...

Is this a home or business system ?
Is Spybot Search and Destroy installed; if not, does the installed
security software (antivirus/security suite/anti-spyware) guard against
registry changes ?


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"
jason mallet
      11-04-2009
I have also had an experience with this reg entry.

It is located in the reg under HKEY_LOCAL_MACHINE/COMPONENTS/Installers/SDTable
I have deleted this entry on a couple of occasions. I have also done a clean install and config, as well as run KillDisk to wipe my drive, and it continues to install itself. It indicates itself as being a Windows update, but I did not give permission for this update to be installed, and there is no entry in my update history to show this update. When this entry first appeared I had SpyBot installed on my system, but the entry appears to be going in on boot prior to Windows. I am also running Vista and I have UAC activated as well.



 
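One way to check the key this post names against the records the system itself keeps, as an added example that is not from the thread: it reads the SDTable key, then lists what the Windows Update Agent, Get-HotFix and the servicing log recorded, so a displayed "installing updates" screen can be matched to an entry. It assumes an elevated PowerShell prompt on Vista or later and that the COMPONENTS hive is loaded.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
# Path exactly as given in the post (assumption: the hive is loaded).
$sdTable = 'HKLM:\COMPONENTS\Installers\SDTable'

function Get-SdTableKey {
    # The COMPONENTS hive is loaded on demand by the servicing stack, so an
    # absent key is not on its own a sign of anything wrong.
    if (-not (Test-Path $sdTable)) {
        return "$sdTable not present (COMPONENTS hive may not be loaded)"
    }
    $k = Get-Item $sdTable
    [PSCustomObject]@{
        Key         = $k.Name
        ValueCount  = $k.ValueCount
        SubKeyCount = $k.SubKeyCount
        Values      = ($k.GetValueNames() -join ', ')
    }
}

function Get-RecordedInstalls([int]$Last = 10) {
    # What the Windows Update Agent itself logged, most recent first.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return @() }
    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Operation -eq 1 } |            # 1 = uoInstallation
        Sort-Object Date -Descending |
        Select-Object -First $Last Date, Title,
            @{ n = 'Succeeded'; e = { $_.ResultCode -eq 2 } }  # 2 = orcSucceeded
}

function Get-InstalledHotfixes([int]$Last = 10) {
    # Independent view from the installed-package list (WMI).
    Get-HotFix | Sort-Object InstalledOn -Descending |
        Select-Object -First $Last HotFixID, Description, InstalledOn
}

function Get-ServicingEvents([int]$Last = 20) {
    # Component Based Servicing writes package state changes to the Setup log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Setup'; ProviderName = 'Microsoft-Windows-Servicing' } `
        -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}

'== SDTable key ==';         Get-SdTableKey
'== WUA install history =='; Get-RecordedInstalls | Format-Table -AutoSize
'== Installed hotfixes ==';  Get-InstalledHotfixes | Format-Table -AutoSize
'== Servicing events ==';    Get-ServicingEvents | Format-Table -AutoSize
```

An update shown at boot that appears in none of the three lists is worth raising with whoever manages the machine; one that appears in all three was recorded by the normal servicing path.
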
PA Bear [MS MVP]
      11-29-2009
We shall alert the media.

Please tell us what wonderful combination of anti-virus & anti-spyware
applications you had installed that allowed this hijackware to take root in
the first place?

PS: Who are you and what happened to our OP "jc1973"?


PaulLukitsch wrote:
> FINALLY!!!!
>
> I have been dealing with a persistent malware problem since early this
> year. I have had not only problems with the malware affecting my
> laptop, but also from the numerous boards and forums where I would try
> to seek help, and after following instructions (although I am fairly
> computer savvy), they typically would believe I was lying or not
> following their instructions. I am using (currently) Vista HomePrem
> x64 on an HP Pavilion dv4 1225dx.
>
> I noticed this string of registry key changes as the previous posters
> noted. And I have seen this happen on my PC : (a) after re-
> installation of my OS, (b) after performing a dd if=/dev/urandom of=/
> dev/sda bs=10M conv=notrunc from a LIVE linux CD--thereby wiping my
> drive with random characters, and THEN reinstalling my OS, and (c)
> after I decided to get mad, and I went out and bought a new HDD for my
> laptop.... then reinstalled my OS.
>
> But none of those things changed anything. This is a rootkit, and I
> believe it is a PCI rootkit. I do not know how it got on my machine
> initially, but the sad thing is, it occurred back in February, and
> then I bought a new laptop in April and accidentally stuck a USB pen
> drive (Doh!) into it, and I saw my screen flicker, and I knew what I
> had done (I had not even been out of Best Buy where I bought it for
> more than 20 minutes). I should have just made up some excuse to
> return the laptop then, but I figured "How hard can it be to remove a
> virus/rootkit? If I have to reinstall my OS, I will"
>
> But this rootkit does not care if you reinstall your OS. I have even
> re-installed my OS, and halfway through the reinstallation, I
> unplugged the machine abruptly, took out the battery, and the 4GB of
> DIMMS in the laptop, and let the whole thing sit for 4 hours. I then
> continued my reinstallation. It didn't matter.
>
> It is some form of ROM rootkit, because after installation, if I set
> my firewall to advanced, and make sure I check all outbound and
> inbound traffic FIRST, I notice several things.... 1. LSASS.exe
> tries to access the net (to an IP in China or other exotic places, all
> which are probably proxies), but there is no LSASS.EXE other than the
> one in windows/system32 -- right where it is supposed to be. 2.
> Services.exe accesses the net (I thought that this might be normal,
> but I read it is only under certain circumstances related to PnP....
> (which by the way, the PNP service cannot be disabled as the whole
> dialog box on that service is grayed out. 3. I do not have
> administrative rights... I have invoked the super "Administrator",
> set an NSA-style passphrase for it (even wrote a random character gen
> script in Perl, and then copied a 20 char string from it, and pasted
> it into the Password Box. (Then I printed the Perl output so I would
> never forget this random character string). And I will try to use
> several network monitoring applications which I download for trial
> use, and even as THE ADMINISTRATOR (I delete all other users), it
> states I do not have administrative rights.
>
> I have installed windows, then installed a debian/ubuntu based Linux
> (backtrack 4 or Linux Mint), and ultimately, both of these OSs will
> get corrupted too!!! I NEVER set up smb/samba in Linux, and make sure
> any daemons are not using Samba, but somehow, whatever access has been
> made through my windows partition, migrates to my new Linux partition,
> and infects it.
>
> This probably sounds crazy, and I know it has lowered my quality of
> life. But I have already bought a second laptop, I cannot imagine
> there is not a way around this to eradicate it.
>
> Lastly, during Thanksgiving 2 days ago, I was at friends and I noticed
> he had an old Netgear router/firewall. He let me have it and I am
> running it now. I shut off UPnP on the router, and turned up the
> built-in firewall to a rather strict level. It seems to be doing OK,
> but that may be because whatever rootkit I am infected with cannot get
> unfettered access to the net because of the hardware firewall (it
> always walked right through any software firewall in a matter of
> days), and therefore cannot grow and take over my system.
>
> But I have been hoping to meet a Windows expert with an open mind...
> maybe there is someone here who fits this description. Far too often I
> will seek help, and the Windows expert who is assisting me, will spend
> 1/3 of the time spewing platitudes like "you shouldn't use the
> Administrator user" or asking me if my Windows update has been turned
> on.
>
> Just as an FYI, since this started I read Stanek's Windows Command
> Line probably 3x, and the SAMS Windows Vista: Management and
> Administration perhaps 2x. This additional information has sometimes
> allowed me to slow this malware down, but never have I been able to
> stop it. It seems to change/morph so rapidly to whatever obstacles I
> try to put in its place that I sometimes feel as if someone was
> specifically interested in hacking my PC as opposed to some mindless
> Bot-agent that gets orders from some central server. Otherwise,
> whoever coded this beast is brilliant and must have a database
> somewhere updating this code for a myriad of situations.
>
> So.... I hope someone can respond to this. I have stacks of
> screenshots using Sysinternals applications which show things I believe
> to be evidence of this RAT, and overall more knowledge than I care to
> have about it too.
>
> But that registry update the other poster mentions... (there are 569
> registry changes that take place upon bootup that are part of this
> rootkit's expansion into the system-- it happens on maybe the 3rd or
> 4th boot after I enable network/internet access--- but the last one is
> in fact a change to "SDTable" and it stays on the screen for about 3
> seconds before it continues the boot into windows. This is why
> everyone remembers it.
>
> I also think I am in some active domain and therefore my "local
> administrator's rights" have been made subject to the domain
> controller.
>
> I work at home.... as far as I know, no one has ever had physical
> access to my PC.
>
> Paul


Harry Johnston [MVP]
      11-29-2009
Paul,

If I understand correctly, when you tried using a different router things
suddenly improved. I would therefore suggest that it may be your router that is
infected. This is more likely than a PCI rootkit.

Harry.


PA Bear [MS MVP]
      11-29-2009
+1

Harry Johnston [MVP] wrote:
> Paul,
>
> If I understand correctly, when you tried using a different router things
> suddenly improved. I would therefore suggest that it may be your router
> that is infected. This is more likely than a PCI rootkit.
>
> Harry.
