Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: temp4746 on May 31, 2011, 11:15:27 AM

Title: sptd.sys likely a false positive
Post by: temp4746 on May 31, 2011, 11:15:27 AM
Avast! today mysteriously popped up a message saying that sptd.sys is a rootkit, and after I ignored it, it popped up another one which said the heuristics had identified it; then I saw it upload the file to Avast! during an update.

I think this is a false positive: sptd is a driver by DuplexSecure, used by some CD/DVD emulation software like Daemon Tools and Alcohol for deeper emulation.
Title: Re: sptd.sys likely a false positive
Post by: Pondus on May 31, 2011, 11:27:49 AM
Upload the suspicious file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.

alternative
Jotti  http://virusscan.jotti.org/
VirSCAN  http://virscan.org/
Title: Re: sptd.sys likely a false positive
Post by: Micky86 on May 31, 2011, 11:54:03 AM
I have the same problem :o

See screenshot:
(http://i51.tinypic.com/j65004.jpg)
Title: Re: sptd.sys likely a false positive
Post by: temp4746 on May 31, 2011, 12:24:17 PM
Quote
Upload the suspicious file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.

alternative
Jotti  http://virusscan.jotti.org/
VirSCAN  http://virscan.org/

Here you go: http://www.virustotal.com/file-scan/report.html?id=ccac2cc44f90001da973d2b6e644ff37fa6c31c7a3abd936645382537fa63edd-1306837223

Had to use safe mode, as it seems to be protected like a rootkit, although it isn't harmful, or it's just loaded in the background so you can't touch it.
Title: Re: sptd.sys likely a false positive
Post by: Pondus on May 31, 2011, 12:33:11 PM
Yep, looks like a FP to me



sigcheck:
publisher....: Duplex Secure Ltd.
copyright....: Copyright (C) 2004
product......: SCSI Pass Through Direct
description..: SCSI Pass Through Direct Host
original name: sptd.sys
internal name: SPTD.SYS
file version.: 1.76.0.0 built by: WinDDK
comments.....: n/a
signers......: Duplex Secure Ltd
 VeriSign Class 3 Code Signing 2009-2 CA
 Class 3 Public Primary Certification Authority
signing date.: 12:47 PM 11/23/2010
verified.....: -
Title: Re: sptd.sys likely a false positive
Post by: Asyn on May 31, 2011, 12:57:25 PM
Quote
Here you go: http://www.virustotal.com/file-scan/report.html?id=ccac2cc44f90001da973d2b6e644ff37fa6c31c7a3abd936645382537fa63edd-1306837223

avast! isn't listed..! ;)
Title: Re: sptd.sys likely a false positive
Post by: Lisandro on May 31, 2011, 01:22:35 PM
Strange... you've got an alert while VirusTotal shows nothing ???
Title: Re: sptd.sys likely a false positive
Post by: Asyn on May 31, 2011, 01:26:06 PM
Quote
Strange... you've got an alert while VirusTotal shows nothing ???

Yep, it is strange...
Which VPS are you guys on..??
Try to update manually.
Solved..?
Title: Re: sptd.sys likely a false positive
Post by: temp4746 on May 31, 2011, 01:29:03 PM
Quote
Strange... you've got an alert while VirusTotal shows nothing ???

Yep, it is strange...
Which VPS are you guys on..??
Try to update manually.
Solved..?


VPS: 110531-0, the latest (ATM).
A manual update doesn't help.

The funny thing is that scanning that file manually with Avast! shows it's not a virus; it's only some monitor heuristic/rootkit heuristic that seems not to like that file.
Title: Re: sptd.sys likely a false positive
Post by: Asyn on May 31, 2011, 01:36:30 PM
Interesting...
You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles
Title: Re: sptd.sys likely a false positive
Post by: cadremis on May 31, 2011, 02:43:36 PM
It happened to me today. I installed Alcohol 3 days ago, and this morning Avast said I had a rootkit and recommended deleting it, and recommended a boot scan too, so I did it and nothing was found. Then I came here to see if someone else is having the same problem, and I found this thread.

Is it a FP or not?

Title: Re: sptd.sys likely a false positive
Post by: vordme34 on May 31, 2011, 02:45:08 PM
Avast deleted it even though I specifically ordered it to ignore it and just send it to Avast labs!! I wasn't able to upload it to VirusTotal (I don't know if Avast was the reason for that or the file was self-protected). Way to go... I guess my Alcohol and Daemon Tools might not be working now, because this surely is a legitimate file of those programs. There has to be something wrong with the new sigs (mine were updated just a few minutes ago, before Avast came up with the pop-up other users have posted).
Title: Re: sptd.sys likely a false positive
Post by: cadremis on May 31, 2011, 02:50:43 PM
Guys,
What do I do? Avast is giving me pop-ups every time I restart my computer, with the same alert.

Title: Re: sptd.sys likely a false positive
Post by: cadremis on May 31, 2011, 02:54:46 PM
Now another, different pop-up with the same alert.

Title: Re: sptd.sys likely a false positive
Post by: vordme34 on May 31, 2011, 02:55:05 PM
@cadremis: Don't do anything until they fix their sigs!
I just told it to ignore it and it deleted the damned file. I now have to reinstall Daemon Tools and/or Alcohol 52...
Title: Re: sptd.sys likely a false positive
Post by: cadremis on May 31, 2011, 02:58:45 PM
Avast deleted the file; I guess I have to do the same thing as you... pufff... let's wait for Avast to correct this, if it really is a FP.

But I would like to know from a tech whether this is a real rootkit or not, and whether they will correct it today...

I did a scan with Malwarebytes and it detected nothing.
Title: Re: sptd.sys likely a false positive
Post by: vordme34 on May 31, 2011, 03:11:59 PM
@cadremis: SPTD.SYS comes with Alcohol 52 etc. and Daemon Tools. If you use these programs, that's why you had the file in \system32\ (though I guess it could be delivered with other programs as well). There's no chance that we're all infected with a tampered SPTD.SYS. It's Avast's fault and they should fix it ASAP... as they should fix their silly interface, which gives the option to ignore and then deletes the file without your permission. This is pathetic!
Title: Re: sptd.sys likely a false positive
Post by: hectic-mmv on May 31, 2011, 04:01:43 PM
Quote
Avast deleted the file; I guess I have to do the same thing as you... pufff... let's wait for Avast to correct this, if it really is a FP.

But I would like to know from a tech whether this is a real rootkit or not, and whether they will correct it today...

I did a scan with Malwarebytes and it detected nothing.

Hola Cadremis,

Please, what version of Alcohol do you have installed? Is this happening only on Win XP?

Title: Re: sptd.sys likely a false positive
Post by: Rassilon on May 31, 2011, 04:57:25 PM
Quote
@cadremis: Don't do anything until they fix their sigs!
I just told it to ignore it and it deleted the damned file. I now have to reinstall Daemon Tools and/or Alcohol 52...

You don't have to reinstall Daemon Tools or Alcohol, just the SPTD driver:

http://www.duplexsecure.com/en/downloads

On the bonus side, the latest version of SPTD (currently v1.78), linked above, fixes some blue screen issues that version 1.76 has (v1.76 being the one that triggers the Avast response).

P.S. (edit) I had v1.75 of SPTD (and a similarly older Daemon Tools) but didn't have any blue screen issues with it.
I also got the Avast warning, but this issue with Avast finally got me to upgrade to SPTD 1.78 and the latest Daemon Tools Lite. :P
Title: Re: sptd.sys likely a false positive
Post by: cadremis on May 31, 2011, 11:29:26 PM
Quote
Avast deleted the file; I guess I have to do the same thing as you... pufff... let's wait for Avast to correct this, if it really is a FP.

But I would like to know from a tech whether this is a real rootkit or not, and whether they will correct it today...

I did a scan with Malwarebytes and it detected nothing.

Hola Cadremis,

Please, what version of Alcohol do you have installed? Is this happening only on Win XP?



It is happening to me in Windows 7, even with the latest update of Avast...rm
Title: Re: sptd.sys likely a false positive
Post by: cadremis on June 01, 2011, 12:57:36 AM
I ended up uninstalling the Alcohol trial version today, but the same alert is coming up every time I restart the computer... now what? This is really annoying! I asked Avast to delete the file, but every time I restart the computer it comes back.

Guys,
I need help here! What do I do?
Title: Re: sptd.sys likely a false positive
Post by: kvra_ on June 01, 2011, 01:53:59 AM
A false positive with certainty; as I searched the Daemon Tools forum, this file
is used to secure the program's registration, and is also connected to the virtual drive.

I'll stick with the option to ignore until the next update...
Title: Re: sptd.sys likely a false positive
Post by: Nesivos on June 01, 2011, 01:54:54 AM
Quote
  Search Results for "sptd.sys"
 
   Rootkit.Agent/Gen-Haxdoor.Process
Rootkit that may log user information and possibly block access to certain security related sites.

Category : TROJAN

http://www.fileresearchcenter.com/search.html?searchitem=sptd.sys&search=Search...
Title: Re: sptd.sys likely a false positive
Post by: cadremis on June 01, 2011, 02:25:08 AM
If it is a real Trojan, why doesn't Avast do anything about it? I have deleted the file and done 4 boot scans according to Avast's recommendations, but it is still there.

MBAM does not detect it; SUPERAntiSpyware is not detecting it either.

Please let me know the real way to get rid of this thing that is really annoying me...rm
Title: Re: sptd.sys likely a false positive
Post by: kvra_ on June 01, 2011, 02:36:45 AM
The most effective way of removing the file would be the DuplexSecure SPTD.SYS uninstaller.

That usually is at: Start / All Programs / DAEMON Tools Lite / SPTDSetup

Of course, only if your case is linked to Daemon Tools.
-
I'll still wait for an update in Avast, because I have no intention of removing SPTD and Daemon Tools from my system.
Title: Re: sptd.sys likely a false positive
Post by: Nesivos on June 01, 2011, 02:52:40 AM
You can upload the file at this link and see what it says about your specific sptd.sys file.

http://www.virustotal.com/index.html
Title: Re: sptd.sys likely a false positive
Post by: cadremis on June 01, 2011, 02:54:48 AM
Someone did it before...

http://www.virustotal.com/file-scan/report.html?id=ccac2cc44f90001da973d2b6e644ff37fa6c31c7a3abd936645382537fa63edd-1306837223
Title: Re: sptd.sys likely a false positive
Post by: DavidR on June 01, 2011, 03:48:06 AM
Which was a bit of a pointless exercise, as it is the anti-rootkit scan that is flagging this, something which can't be run from VT. So I wouldn't expect it to find anything, and that is the same reason why the standard scans of avast don't detect anything.

What is considered suspicious I don't completely know, but most certainly it must be a hidden process/driver; why it needs to run hidden is beyond me.

As for why it comes back after asking avast to delete it: well, I don't know whether avast is only removing the hidden driver and not the actual file from the system32\drivers folder. So there is some program which uses this driver and is reloading it. Finding what that might be is going to be the hard part.

I don't have the sptd.sys file on my XP Pro SP3 system. Is your alert on the XP or the Win7 system?
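Added example, not from this thread, from AVAST or from DuplexSecure: a PowerShell triage of the questions raised above (Pondus's sigcheck and VirusTotal suggestion, and DavidR's point about the driver reloading). It hashes the on-disk sptd.sys so it can be looked up on VirusTotal by SHA-256 without uploading, checks its Authenticode chain, reads the service entry that reloads the driver at every boot, and asks WMI whether the driver is loaded right now. The driver path and the service key name `sptd` are assumptions (the defaults SPTD uses); adjust them if your install differs. Run it elevated; deleting the file while the service entry remains is exactly the state in which the alert keeps returning after reboot, and the supported removal is the SPTDSetup uninstaller mentioned later in the thread, not this script.

```powershell
# Added example; assumes the default driver location and service name.
$DriverPath = Join-Path $env:SystemRoot 'System32\Drivers\sptd.sys'
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\sptd'

function Get-Sha256Hex {
    param([string]$Path)
    # Hash through .NET so this also works on PowerShell 2.0, which has no Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $hex = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
    return $hex
}

if (Test-Path $DriverPath) {
    "File      : $DriverPath"
    # VirusTotal report IDs in this thread start with the SHA-256; search by hash instead of uploading
    "SHA256    : $(Get-Sha256Hex $DriverPath)"
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    "Signer    : $($sig.SignerCertificate.Subject)"
    # Valid = the chain verified on this machine; anything else deserves a closer look
    "SigStatus : $($sig.Status)"
} else {
    "No file at $DriverPath (the service entry below can still try to load a copy at boot)"
}

# The service entry is what brings the driver back on every boot; Start = 0 means boot-start.
if (Test-Path $ServiceKey) {
    $svc = Get-ItemProperty -Path $ServiceKey
    "ImagePath : $($svc.ImagePath)"
    "Start     : $($svc.Start)"
} else {
    "No '$ServiceKey' entry; nothing should reload the driver at boot"
}

# Is it loaded right now? Get-Service does not list kernel drivers, so ask WMI.
Get-WmiObject -Class Win32_SystemDriver -Filter "Name='sptd'" |
    Select-Object Name, State, StartMode, PathName
```

If reading the service key is denied even when elevated, note that rather than forcing it: restrictive ACLs on its own key are part of how this driver protects itself, and that behaviour is what an anti-rootkit heuristic keys on.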
Title: Re: sptd.sys likely a false positive
Post by: kvra_ on June 01, 2011, 03:58:07 AM
I'm using Windows Vista Ultimate SP1 / Avast v6.0.1125 / 110531-1 free, and am getting the same message mentioned by other users of Avast.

For now I'm still clicking ''ignore'' when I get the message.

I will remain so until I have more details, or perhaps the ''problem'' is solved in a next update.
Title: Re: sptd.sys likely a false positive
Post by: cadremis on June 01, 2011, 03:58:35 AM
The alert is only in Windows 7 for the moment; on that computer I installed Alcohol 3 days ago. Now, as I said, I uninstalled it, but the alert is still driving me crazy..rm
Title: Re: sptd.sys likely a false positive
Post by: cadremis on June 01, 2011, 03:59:52 AM
Quote
I'm using Windows Vista Ultimate SP1 / Avast v6.0.1125 / 110531-1 free, and am getting the same message mentioned by other users of Avast.

For now I'm still clicking ''ignore'' when I get the message.

I will remain so until I have more details, or perhaps the ''problem'' is solved in a next update.


And do you have Alcohol or Daemon Tools on that PC?
Title: Re: sptd.sys likely a false positive
Post by: kvra_ on June 01, 2011, 04:09:46 AM
Quote
I'm using Windows Vista Ultimate SP1 / Avast v6.0.1125 / 110531-1 free, and am getting the same message mentioned by other users of Avast.

For now I'm still clicking ''ignore'' when I get the message.

I will remain so until I have more details, or perhaps the ''problem'' is solved in a next update.


And do you have Alcohol or Daemon Tools on that PC?

Yes, I have only Daemon Tools Lite (installed about 2 years ago, without changing anything in it),
together with the installed driver (SPTD).
Title: Re: sptd.sys likely a false positive
Post by: cadremis on June 01, 2011, 04:39:07 AM
Let's wait for an answer from Avast tomorrow. I will ignore the alert and will ask my friends in the Spanish forum (forospyware) to wait, since there are several threads there waiting for an answer on this..rm
Title: Re: sptd.sys likely a false positive
Post by: DanDare on June 01, 2011, 04:47:04 AM
It may be a false positive, according to Alcohol support.
See here: http://forum.avast.com/index.php?topic=77651.0

Salute.
Title: Re: sptd.sys likely a false positive
Post by: kvra_ on June 01, 2011, 07:41:18 AM
Any position or information from someone at support?

On the situation of the SPTD driver discussed in this topic...
Title: Re: sptd.sys likely a false positive
Post by: cadremis on June 01, 2011, 07:20:08 PM
Avast has released 2 updates and the problem is still here with 110601-1.... and I still don't know if it is a FP or a real virus. Anyone from Avast to answer the question, and what is being done?

Title: Re: sptd.sys likely a false positive
Post by: essexboy on June 01, 2011, 09:06:27 PM
You need to be cautious. I have just cleaned a system with an infected sptd.sys that was masking a TDL4 bootkit. aswMBR was the only programme that flagged it. After I removed the file I was then able to cure the TDL4. So it might be worthwhile checking it with aswMBR.
Title: Re: sptd.sys likely a false positive
Post by: DavidR on June 01, 2011, 09:19:48 PM
Interesting, thanks for the input.
Title: Re: sptd.sys likely a false positive
Post by: JoeMat on June 01, 2011, 10:24:54 PM
Hi guys; I've had the same problem and solved it by uninstalling Daemon Tools (I almost didn't use it) and then deleting the sptd.sys file, since it didn't disappear after the uninstallation.
Do you know if Avast is already aware of this problem...?
Title: Re: sptd.sys likely a false positive
Post by: kvra_ on June 01, 2011, 11:48:27 PM
I got tired of waiting; the two new updates did not work, so I decided to uninstall the SPTD driver from my system the normal way (not deleting it via Avast, not removing it manually, not removing Daemon Tools), using only the driver's own uninstaller.

After that I rebooted my system and voilà, I no longer had the driver, but with this action Daemon Tools would not work any more. Then I discovered, by searching, that Daemon Tools provides its own driver similar to SPTD.SYS, DTSOFTBUS01.SYS: when Daemon Tools runs again and does not find the SPTD.SYS driver, it offers the DTSOFTBUS01.SYS driver.

So there is a tip for those who want to solve the problem without uninstalling Daemon Tools.
Title: Re: sptd.sys likely a false positive
Post by: cadremis on June 02, 2011, 02:26:04 AM
Quote
You need to be cautious. I have just cleaned a system with an infected sptd.sys that was masking a TDL4 bootkit. aswMBR was the only programme that flagged it. After I removed the file I was then able to cure the TDL4. So it might be worthwhile checking it with aswMBR.

Essexboy,
I know you're an expert in this kind of thing, and you make me think about it, but is it possible that all of us using Alcohol and Daemon Tools could be infected with a real rootkit? My computer does not have any problems, and I don't see anything bad after I chose ignore on that alert.

Can you help me use aswMBR? Just to check whether I'm infected or not?

The other thing is that many people are waiting in another Latin forum that I work with for an answer on whether this is a real rootkit or not, and nobody answers the question.

rm
Title: Re: sptd.sys likely a false positive
Post by: cadremis on June 02, 2011, 02:33:43 AM
I did the scan with the aswMBR and this is what was found:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-01 19:29:57
-----------------------------
19:29:57.799    OS Version: Windows 6.1.7601 Service Pack 1
19:29:57.799    Number of processors: 2 586 0xF06
19:29:57.799    ComputerName: HP5-PC  UserName: HP5
19:30:05.190    Initialize success
19:30:25.190    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:30:25.190    Disk 0 Vendor: WDC_WD16 05.0 Size: 152627MB BusType: 8
19:30:25.206    Disk 0 MBR read successfully
19:30:25.206    Disk 0 MBR scan
19:30:25.206    Disk 0 Windows 7 default MBR code
19:30:25.206    Disk 0 scanning sectors +312578048
19:30:25.237    Disk 0 scanning C:\Windows\system32\drivers
19:30:28.799    Service scanning
19:30:29.909    Disk 0 trace - called modules:
19:30:29.909    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x84a541f8]<<
19:30:29.924    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x861a67b8]
19:30:29.924    3 CLASSPNP.SYS[891a359e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x84a8a028]
19:30:29.924    \Driver\iaStorV[0x8573d718] -> IRP_MJ_CREATE -> 0x84a541f8
19:30:29.940    Scan finished successfully
19:31:03.206    Disk 0 MBR has been saved successfully to "C:\Users\HP5\Documents\MBR.dat"
19:31:03.206    The log file has been saved successfully to "C:\Users\HP5\Documents\aswMBR.txt"


Title: Re: sptd.sys likely a false positive
Post by: cadremis on June 02, 2011, 02:34:12 AM
Can you help?
Title: Re: sptd.sys likely a false positive
Post by: Nesivos on June 02, 2011, 03:34:34 AM
When you Google for ntkrnlpa.exe you get nothing but bad news.

https://encrypted.google.com/search?q=ntkrnlpa.exe&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Title: Re: sptd.sys likely a false positive
Post by: JoeMat on June 02, 2011, 05:10:27 AM
Well, it looks like "sptd.sys" is a real rootkit, but used only for copyright matters and not to harm the computer; at least that's what they say on the Daemon Tools forum:

http://forum.daemon-tools.cc/f23/daemon-tools-rootkit-9581/
Title: Re: sptd.sys likely a false positive
Post by: cadremis on June 02, 2011, 06:59:18 AM
Since I never received an answer from Avast, and since I do not use Alcohol and Daemon Tools, I decided to use KillBox to get rid of that file on reboot. Now my system is clean again and not receiving such alerts.

Thanks..rm

See attached picture
Title: Re: sptd.sys likely a false positive
Post by: essexboy on June 02, 2011, 07:44:33 PM
No, that looks OK. When I had the case, aswMBR put "rootkit" in big bright red letters next to it.
Title: Re: sptd.sys likely a false positive
Post by: MeDIeVaL on June 10, 2011, 11:13:19 AM
I do not use either Alcohol or Daemon Tools, but still got the sptd.sys warning today. Scanned with aswMBR and I got this...

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-10 17:08:16
-----------------------------
17:08:16.417    OS Version: Windows 6.0.6002 Service Pack 2
17:08:16.417    Number of processors: 2 586 0x170A
17:08:16.418    ComputerName: LOGAM-PC  UserName: Logam
17:08:19.521    Initialize success
17:08:33.442    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:08:33.444    Disk 0 Vendor: WDC_WD3200BEVT-75ZCT2 11.01A11 Size: 305245MB BusType: 3
17:08:35.504    Disk 0 MBR read successfully
17:08:35.508    Disk 0 MBR scan
17:08:35.511    Disk 0 unknown MBR code
17:08:37.515    Disk 0 scanning sectors +625137345
17:08:37.614    Disk 0 scanning C:\Windows\system32\drivers
17:08:44.481    Service scanning
17:08:46.514    Disk 0 trace - called modules:
17:08:46.555    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x864341f8]<<
17:08:46.556    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x866141c8]
17:08:46.556    3 CLASSPNP.SYS[8c3a28b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8647e8a0]
17:08:46.556    \Driver\atapi[0x85ab86e8] -> IRP_MJ_CREATE -> 0x864341f8
17:08:46.557    Scan finished successfully
17:12:01.940    Disk 0 MBR has been saved successfully to "C:\Users\Logam\Documents\MBR.dat"
17:12:01.945    The log file has been saved successfully to "C:\Users\Logam\Documents\aswMBR.txt"

What should I do next?
Title: Re: sptd.sys likely a false positive
Post by: Pondus on June 10, 2011, 11:33:02 AM
Try this

Kaspersky TDSSKiller  http://support.kaspersky.com/faq/?qid=208283363

If there are still problems, start a new topic in the "Viruses and Worms" section  http://forum.avast.com/index.php?board=4.0

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs in the new topic you start )


To avoid using multiple posts with copy and paste, you have to attach the logs
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log ) save the OTS log as ANSI

Essexboy will look at the logs when he arrives later today...

Title: Re: sptd.sys likely a false positive
Post by: essexboy on June 10, 2011, 12:53:46 PM
Good call, that suggests a TDL3 infection
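Added example, not from this thread or from AVAST: a small PowerShell triage of aswMBR logs that pulls out the three lines the two posters above were asked to look at. The sample logs are trimmed copies of the two posted in this thread (cadremis's Windows 7 log that essexboy called OK, and MeDIeVaL's Vista log with "unknown MBR code"); only the lines the triage reads are kept. The verdict follows essexboy's reading here: the unrecognised MBR code is the indicator, while the `>>UNKNOWN<<` entry in the disk I/O trace appears in both logs, including the one judged clean, so it is surfaced but not treated as decisive. Nothing here replaces having the logs looked at in the Viruses and Worms section.

```powershell
# Added example; sample logs are trimmed copies of the two aswMBR logs posted in this thread.
$LogWin7 = @'
19:30:25.206    Disk 0 MBR read successfully
19:30:25.206    Disk 0 MBR scan
19:30:25.206    Disk 0 Windows 7 default MBR code
19:30:29.909    Disk 0 trace - called modules:
19:30:29.909    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x84a541f8]<<
19:30:29.924    \Driver\iaStorV[0x8573d718] -> IRP_MJ_CREATE -> 0x84a541f8
19:30:29.940    Scan finished successfully
'@

$LogVista = @'
17:08:35.504    Disk 0 MBR read successfully
17:08:35.508    Disk 0 MBR scan
17:08:35.511    Disk 0 unknown MBR code
17:08:46.514    Disk 0 trace - called modules:
17:08:46.555    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x864341f8]<<
17:08:46.556    \Driver\atapi[0x85ab86e8] -> IRP_MJ_CREATE -> 0x864341f8
17:08:46.557    Scan finished successfully
'@

function Get-AswMbrTriage {
    param([string]$LogText)
    $lines = $LogText -split "`r?`n"

    # What aswMBR concluded about the boot sector: "<OS> default MBR code" or "unknown MBR code"
    $mbr = $lines | Select-String -Pattern 'Disk \d+ (.*MBR code)\s*$' |
           ForEach-Object { $_.Matches[0].Groups[1].Value }

    # Modules aswMBR could not attribute in the disk I/O path, and which driver's object
    # ends up handling IRP_MJ_CREATE (the hooked address should match the UNKNOWN one)
    $unknown = $lines | Select-String -Pattern '>>UNKNOWN \[(0x[0-9a-f]+)\]<<' |
               ForEach-Object { $_.Matches[0].Groups[1].Value }
    $hook = $lines | Select-String -Pattern '(\\Driver\\\S+?)\[0x[0-9a-f]+\] -> IRP_MJ_CREATE -> (0x[0-9a-f]+)' |
            ForEach-Object { "$($_.Matches[0].Groups[1].Value) -> $($_.Matches[0].Groups[2].Value)" }

    # Unrecognised MBR code is the indicator essexboy keyed on; >>UNKNOWN<< alone is not.
    $verdict = if ($mbr -match 'unknown') {
        'SUSPECT: unrecognised MBR code; run TDSSKiller and post the logs in a new topic'
    } else {
        'MBR code recognised; no bootkit indicator in this log'
    }

    New-Object PSObject -Property @{
        MbrCode        = $mbr
        UnknownModules = @($unknown)
        CreateHandler  = @($hook)
        Verdict        = $verdict
    }
}

Get-AswMbrTriage $LogWin7  | Format-List
Get-AswMbrTriage $LogVista | Format-List
```

To use it on your own log, replace one of the sample here-strings with `Get-Content -Raw C:\Users\<you>\Documents\aswMBR.txt` (or `[IO.File]::ReadAllText(...)` on PowerShell 2.0, which has no `-Raw`).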