SPTD safe or not?


    This has surely been asked plenty of times on the forum, but I was unable to locate any directly relevant threads in the search which I just ran. I've been having quite a few crashes lately, installing or loading problems, sometimes the PC itself, as well as a hijacking of Avast (gone after each re-installation of a fresh download, but always appearing once again). I'd been using Malwarebytes and Avast, both of which scan for rootkits, but always came up clean. Last night I downloaded Sophos, and it made one detection, hidden file: "C:\Windows\System32\Drivers\sptd.sys". Possibly it was detected simply due to the fact that its cfg registry key is locked while it's running (access denied when I tried to open the key in Regedit) -- but then again why should it be running? I find conflicting descriptions online, from it being harmless, one of your drivers, to being a rootkit which must be removed immediately. Superantispyware, a source I'm inclined to trust, advises removal. The file sizes shown by them, which I assume to be those of the "rootkit version", are a bit larger than what I found, ~800,000 bytes vs ~700,000 for this one.

    DOS/Windows executable (application/x-ms-dos-executable)
    675.5 KB (691696 bytes)

    Accessed: Sun 27 Jun 2010 11:57:06 PM CDT
    Modified: Sun 27 Jun 2010 11:57:06 PM CDT
    Created: Sun 27 Jun 2010 11:57:06 PM CDT

    I understand what your driver does, and its legitimate purpose, but am wondering how to know the difference between the valid file and a bogus one -- or might some malware merely install your file and then hijack the file for its own ends? The timestamps are obviously suspicious (I have disabled persistent timestamps in the registry), and for what it's worth I've not installed any application which generates virtual drives since I did a clean install of my genuine Windows 7 OS a few months ago. I'm particularly curious, if/when it actually is a malicious file, what sort of functions is it capable of offering the would-be hacker? Some sites describe it as a keylogger, though if it is in fact your original file gone bad I'm not sure that I see the connection. The crashes which I've been getting are annoying enough, but of course any sort of info retrieval and reporting would be much worse! I'd be glad to know that I've discovered the source of my computer troubles -- as I mentioned, other scans have not picked anything up. Your advice?

    Last edited by papilio; 07-11-2010, 05:01 PM.

  • #2
    Download SPTD installer:
    Execute it; it should detect the SPTD installation (installed version). If you don't need the SPTD layer, select uninstall and reboot; SPTD will be disabled then.
    If you get an error message from software using the SPTD layer, re-install with the SPTD installer.


    • #3
      Thanks a lot Digger! I'll give it a whirl and let you know.


      • #4
        Hi Digger,

        I wanted to wait a few days to post the results so I'd have a better idea of the results of the actions. I ran the installer; it did not indicate that SPTD had been installed, by which I assume it had been a silent install by malware or whatever, since it was still in the file path and registry. I also discovered another reference to SPTD.sys in the registry, but this one with a legacy ROOT enumerator. I uninstalled /system32/drivers/SPTD.sys, but the legacy ROOT file (which of course I'm unable to locate in my filesystem) remained.

        Anyway, after I had uninstalled /system32/drivers/SPTD.sys, I began having frequent crashes of Explorer, usually just after I'd navigated to the second partition of the HD, and so re-installed the file, which stopped those crashes.

        But ... I'm wondering what you might think of this -- perhaps just a coincidence in the extreme, literally seconds after I had finished re-installing it, Microsoft (presumably Microsoft) installed another update. (The log of that mentioned nothing about SPTD.sys.)

        And one more thing which may be related to all of this: entries in WU logs make frequent mention of "side by side" files, files being copied to what appears to be a virtual drive [/BTFolderPath:C:\$WINDOWS.~BT]. I'm wondering whether this may explain the need for SPTD.sys? And many services and drivers in the registry have dual entries, the first (if I'm correctly interpreting the regkey values) redirecting to the second. Also, successful "migrations" have been carried out. /system32/drivers/SPTD.sys does not show that it's ever been accessed, yet SPTD.sys is constantly shown as a running process.
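
    The thread above turns on one question: how do you tell a genuine sptd.sys from a tampered or look-alike copy before you uninstall it? Comparing file sizes, as papilio did, is unreliable because legitimate SPTD builds differ in size between versions. What actually distinguishes copies is the Authenticode signature on the file, together with where the service key says the kernel loads it from. The script below is an added example for this thread; it is not code from the original posts or from the SPTD / DAEMON Tools project. It assumes the driver lives at %SystemRoot%\System32\drivers\sptd.sys, that its service key is HKLM\SYSTEM\CurrentControlSet\Services\sptd with the locked Cfg subkey papilio describes, and that the PnP record papilio found under a "legacy ROOT enumerator" is HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD; adjust those paths if your system differs. Run it from an elevated prompt.

```powershell
# Added example (not from the thread or the SPTD project): triage sptd.sys before uninstalling.
# Assumed locations, adjust if yours differ:
#   file         %SystemRoot%\System32\drivers\sptd.sys
#   service key  HKLM\SYSTEM\CurrentControlSet\Services\sptd   (Cfg subkey is the locked one)
#   PnP record   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD
# Needs an elevated prompt; written to run on PowerShell 2.0 (Windows 7) and later.

$driverPath = Join-Path $env:SystemRoot 'System32\drivers\sptd.sys'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\sptd'
$legacyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD'

# SHA-256 via .NET so it also works on PowerShell 2.0, which has no Get-FileHash.
function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# File-level facts. The signature, not the size or the timestamps, is what separates
# a genuine build from a tampered or renamed copy.
function Get-DriverFileTriage {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Present = $false }
    }
    $item   = Get-Item -LiteralPath $Path -Force
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path        = $Path
        Present     = $true
        SizeBytes   = $item.Length
        HiddenAttr  = [bool]($item.Attributes -band [System.IO.FileAttributes]::Hidden)
        Created     = $item.CreationTime
        Modified    = $item.LastWriteTime
        SHA256      = Get-Sha256Hex -Path $Path
        SigStatus   = $sig.Status          # Valid / NotSigned / HashMismatch / UnknownError ...
        Signer      = $signer              # compare with the publisher you expect
        Company     = $item.VersionInfo.CompanyName
        FileVersion = $item.VersionInfo.FileVersion
    }
}

# Service key: which image the kernel loads and how it starts. The Cfg subkey is
# probed separately so a locked key is reported as a fact, not treated as the verdict.
function Get-DriverServiceTriage {
    param([string]$Key)
    if (-not (Test-Path -Path $Key)) {
        return New-Object PSObject -Property @{ Key = $Key; Present = $false }
    }
    $p        = Get-ItemProperty -Path $Key
    $cfgState = 'readable'
    try   { $null = Get-ItemProperty -Path (Join-Path $Key 'Cfg') -ErrorAction Stop }
    catch { $cfgState = $_.Exception.GetType().Name }   # SecurityException = locked, ItemNotFoundException = absent
    New-Object PSObject -Property @{
        Key       = $Key
        Present   = $true
        ImagePath = $p.ImagePath
        Start     = $p.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        Type      = $p.Type       # 1 = kernel driver
        CfgState  = $cfgState
    }
}

# Whether the kernel has the driver loaded right now (Get-Service does not list kernel drivers).
function Get-DriverRuntimeState {
    param([string]$Name)
    Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$Name'" |
        Select-Object Name, State, Started, StartMode, PathName
}

$file   = Get-DriverFileTriage    -Path $driverPath
$svc    = Get-DriverServiceTriage -Key  $serviceKey
$state  = Get-DriverRuntimeState  -Name 'sptd'
$legacy = Test-Path -Path $legacyKey

$file  | Format-List
$svc   | Format-List
$state | Format-List
"LEGACY_SPTD enumerator record present: $legacy"

# Findings worth acting on. A locked Cfg key on its own is not one of them.
if ($file.Present -and $file.SigStatus -ne 'Valid') {
    Write-Warning "sptd.sys signature status is '$($file.SigStatus)'; a genuine build carries a valid Authenticode signature."
}
if ($svc.Present -and $svc.ImagePath -and ($svc.ImagePath -notmatch '(?i)\\drivers\\sptd\.sys$')) {
    Write-Warning "Service ImagePath points somewhere unexpected: $($svc.ImagePath)"
}
if ($file.Present -and -not $svc.Present) {
    Write-Warning 'sptd.sys is on disk but no Services\sptd key registers it; check what else references the file.'
}
```

    Two points on reading the output. First, the LEGACY_SPTD record that papilio could not find as a file is not a second driver: the Plug and Play manager creates an Enum\Root\LEGACY_<service> entry for every non-PnP kernel driver service, so it stays behind until the service itself is gone and is expected to have no file of its own. Second, the Hidden attribute reported here is the ordinary file attribute; a rootkit scanner's "hidden" verdict usually refers to the driver concealing its key or file from normal enumeration, which is why the signature and ImagePath checks above are the ones to act on.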