Hello,
This has surely been asked plenty of times on the forum, but I was unable to locate any directly relevant threads in the search which I just ran. I've been having quite a few crashes lately, installing or loading problems, sometimes the PC itself, as well as a hijacking of Avast (gone after each re-installation of a fresh download, but always appearing once again). I'd been using Malwarebytes and Avast, both of which scan for rootkits, but always came up clean. Last night I downloaded Sophos, and it made one detection, hidden file: "C:\Windows\System32\Drivers\sptd.sys". Possibly it was detected simply due to the fact that its cfg registry key is locked while it's running (access denied when I tried to open the key in Regedit) -- but then again why should it be running? I find conflicting descriptions online, from it being harmless, one of your drivers, to being a rootkit which must be removed immediately. Superantispyware, a source I'm inclined to trust, advises removal. The file sizes shown by them, which I assume to be those of the "rootkit version", are a bit larger than what I found, ~800,000 bytes vs ~700,000 for this one.
DOS/Windows executable (application/x-ms-dos-executable)
675.5 KB (691696 bytes)
Windows/System32/drivers
Accessed: Sun 27 Jun 2010 11:57:06 PM CDT
Modified: Sun 27 Jun 2010 11:57:06 PM CDT
Created: Sun 27 Jun 2010 11:57:06 PM CDT
I understand what your driver does, and its legitimate purpose, but am wondering how to know the difference between the valid file and a bogus one -- or might some malware merely install your file and then hijack the file for its own ends? The timestamps are obviously suspicious (I have disabled persistent timestamps in the registry), and for what it's worth I've not installed any application which generates virtual drives since I did a clean install of my genuine Windows 7 OS a few months ago. I'm particularly curious, if/when it actually is a malicious file, what sort of functions is it capable of offering the would-be hacker? Some sites describe it as a keylogger, though if it is in fact your original file gone bad I'm not sure that I see the connection. The crashes which I've been getting are annoying enough, but of course any sort of info retrieval and reporting would be much worse! I'd be glad to know that I've discovered the source of my computer troubles -- as I mentioned, other scans have not picked anything up. Your advice?
Thanks!
Michael
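The question above is how to tell the vendor's sptd.sys from a file that merely carries its name. The following is an added example, not code from the original post or from the driver's vendor, of the checks a responder would run before deciding: file metadata and SHA-256, the Authenticode signature, the driver's service registration (including whether the Cfg subkey is readable, as the post describes), and whether the driver is currently loaded. It assumes an elevated PowerShell prompt on Windows 7 (PowerShell 2.0 or later, so the hash is computed via .NET rather than Get-FileHash), and that the file lives at the path quoted in the post; the driver name and path variables are the only inputs and are assumptions the reader adjusts.

```powershell
# Added example: inspect a kernel driver file and its service registration.
# Assumptions (not from the post): elevated prompt, PowerShell 2.0+, and the
# path quoted in the post. Adjust $DriverName and $Path for another driver.
$DriverName = 'sptd'
$Path = "$env:SystemRoot\System32\drivers\sptd.sys"

function Get-Sha256Hex([string]$FilePath) {
    # Hash the bytes actually on disk. Compare against a hash taken from a
    # fresh vendor download; a byte count quoted on a web page proves nothing.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($FilePath)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

$item = Get-Item -LiteralPath $Path -Force   # -Force lists hidden/system files
"File        : {0}" -f $item.FullName
"Size        : {0} bytes" -f $item.Length
"Created     : {0}" -f $item.CreationTime
"Modified    : {0}" -f $item.LastWriteTime
"Attributes  : {0}" -f $item.Attributes
"Description : {0}" -f $item.VersionInfo.FileDescription
"Company     : {0}" -f $item.VersionInfo.CompanyName
"Version     : {0}" -f $item.VersionInfo.FileVersion
"SHA-256     : {0}" -f (Get-Sha256Hex $item.FullName)

# Authenticode is the decisive test. On 64-bit Windows 7 a kernel driver must
# carry a valid signature to load at all. 'Valid' with a signer that matches the
# vendor is the expected result; 'NotSigned', 'HashMismatch' or an unfamiliar
# signer means these bytes are not the vendor's release, whatever the name.
$sig = Get-AuthenticodeSignature -FilePath $item.FullName
"Sig status  : {0}" -f $sig.Status
if ($sig.SignerCertificate) {
    "Signer      : {0}" -f $sig.SignerCertificate.Subject
    "Thumbprint  : {0}" -f $sig.SignerCertificate.Thumbprint
}

# Service registration: where the loader is told to find the image and when it
# starts. ImagePath should resolve to the file examined above.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    "ImagePath   : {0}" -f $svc.ImagePath
    "Start type  : {0}" -f $svc.Start
    # The post reports that the Cfg subkey is access-denied while the driver is
    # running. Record whether that is so; on its own it is not evidence of malice.
    try {
        Get-ItemProperty -Path "$svcKey\Cfg" -ErrorAction Stop | Out-Null
        "Cfg subkey  : readable"
    } catch {
        "Cfg subkey  : {0}" -f $_.Exception.Message
    }
} else {
    "No service key named $DriverName"
}

# Is the driver loaded right now?
$drv = Get-WmiObject Win32_SystemDriver -Filter "Name='$DriverName'"
if ($drv) {
    "Loaded      : {0} (state {1}, start mode {2})" -f $drv.Started, $drv.State, $drv.StartMode
} else {
    "Loaded      : no Win32_SystemDriver entry for $DriverName"
}
```

Save it as a .ps1 and run it from an elevated prompt. One caveat applies to every line of output: a kernel driver that really is hostile can lie to user-mode tools about files and registry keys, so a clean result here is good evidence but not proof. A hash and signature check taken from an offline boot (WinPE or a rescue disc) of the same file, compared with a copy from the vendor's current download, settles the question.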