Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: temp4746 on May 31, 2011, 11:15:27 AM
-
Avast! today mysteriously popped up a message saying that sptd.sys is a rootkit. After I ignored it, it popped up another one which said the heuristics had identified it, and then I saw it upload the file to Avast! during an update.
I think this is a false positive; sptd is a driver from DuplexSecure, used by some CD/DVD emulation software like Daemon Tools and Alcohol for deeper emulation.
-
upload suspicious file(s) to www.virustotal.com and test with 43 malware scanners
when you have the result, copy the url in the address bar and post it here for us to see
alternative
Jotti http://virusscan.jotti.org/
VirSCAN http://virscan.org/
-
I have the same problem :o
See screenshot:
(http://i51.tinypic.com/j65004.jpg)
-
Here you go: http://www.virustotal.com/file-scan/report.html?id=ccac2cc44f90001da973d2b6e644ff37fa6c31c7a3abd936645382537fa63edd-1306837223
Had to use safe mode, as it seems to be protected like a rootkit, although it isn't harmful, or is just loaded in the background so you can't touch it.
-
jepp, looks like a FP to me
sigcheck:
publisher....: Duplex Secure Ltd.
copyright....: Copyright (C) 2004
product......: SCSI Pass Through Direct
description..: SCSI Pass Through Direct Host
original name: sptd.sys
internal name: SPTD.SYS
file version.: 1.76.0.0 built by: WinDDK
comments.....: n/a
signers......: Duplex Secure Ltd
VeriSign Class 3 Code Signing 2009-2 CA
Class 3 Public Primary Certification Authority
signing date.: 12:47 PM 11/23/2010
verified.....: -
-
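The sigcheck output above is the right first check, and the script below is an added example (not code from the thread or from Avast) that does the same triage from PowerShell: it hashes the on-disk sptd.sys, checks its Authenticode chain and version resource, and reads the driver's service registration. The service name `sptd` and the drivers-folder path are assumptions about how DuplexSecure's installer registers the driver; the SHA-256 constant is the id from the VirusTotal report URL posted earlier, which is assumed to be that sample's SHA-256 (VirusTotal report ids of that era were the hash followed by a timestamp).

```powershell
# Added triage script; not from the thread. Run from an elevated PowerShell.
# Get-FileHash needs PowerShell 4 or later; on older systems use
#   certutil -hashfile <path> SHA256
$driverName  = 'sptd'   # service name the SPTD installer registers (assumption)
$driverPath  = Join-Path $env:SystemRoot "System32\drivers\$driverName.sys"
# id taken from the VirusTotal report URL in the thread; assumed to be the SHA-256 of the 1.76 sample
$threadSha256 = 'ccac2cc44f90001da973d2b6e644ff37fa6c31c7a3abd936645382537fa63edd'

function Get-DriverTriage {
    param([string]$Path, [string]$ServiceName)
    $r = @{ Path = $Path; Present = (Test-Path $Path) }

    if ($r.Present) {
        # VirusTotal keys its reports on SHA-256, so this is the value to look up or compare.
        $r.Sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
        $r.MatchesThreadSample = ($r.Sha256 -eq $threadSha256)

        # Authenticode: the chain sigcheck printed was Duplex Secure Ltd under a VeriSign
        # Class 3 Code Signing CA. Any status other than Valid, or a different subject,
        # means this is not the file the thread is discussing.
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $r.SignatureStatus = $sig.Status
        if ($sig.SignerCertificate) {
            $r.Signer      = $sig.SignerCertificate.Subject
            $r.Issuer      = $sig.SignerCertificate.Issuer
            $r.CertExpires = $sig.SignerCertificate.NotAfter
        }

        # Version resource, the same fields sigcheck shows.
        $ver = (Get-Item $Path).VersionInfo
        $r.Product     = $ver.ProductName
        $r.FileVersion = $ver.FileVersion
        $r.Company     = $ver.CompanyName
    }

    # Service registration. Type 1 = kernel driver; Start 0 = boot start.
    # A boot-start driver whose service key and file both survive is loaded again
    # at the next boot. An access-denied on this key is itself worth noting.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if ($svc) {
        $r.ServiceType  = $svc.Type
        $r.ServiceStart = $svc.Start
        $r.ImagePath    = $svc.ImagePath
    } else {
        $r.ServiceRegistered = $false
    }
    return New-Object PSObject -Property $r
}

Get-DriverTriage -Path $driverPath -ServiceName $driverName | Format-List
```

If the hash matches the thread sample and the signature status is Valid with the Duplex Secure subject, you have the same file everyone here is seeing; if the hash differs, that is the file to upload rather than relying on the existing report.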
avast! isn't listed..! ;)
-
Strange... you've got an alert while virus total shows nothing ???
-
Yep, it is strange...
Which VPS are you guys on..??
Try to update manually.
Solved..?
-
VPS: 110531-0 latest (ATM)
Manual update doesn't help.
The funny thing is that scanning the file manually with Avast! shows it's not a virus; it's only some monitor heuristic/rootkit heuristic that seems not to like that file.
-
Interesting...
You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles
-
It happened to me today. I installed Alcohol 3 days ago, and this morning Avast said I had a rootkit, recommended deleting it and recommended a boot scan too, so I did it and nothing was found. Then I came here to see if someone else is having the same problem and I found this thread.
Is it a FP or not?
-
Avast deleted it, though I specifically ordered it to ignore it and just send it to Avast labs!! I wasn't able to upload it to VirusTotal (don't know if Avast was the reason for that or the file was self-protected). Way to go.. I guess my Alcohol and Daemon Tools might not be working now, because this surely is a legitimate file of those programs. There has to be something wrong with the new sigs (mine were updated just a few minutes ago, before Avast came up with the pop-up other users have posted).
-
Guys,
What do I do? Avast is giving me pop-ups every time I restart my computer, with the same alert.
-
Now another different pop up with the same alert
-
@cadremis: Don't do anything until they fix their sigs!
I just told it to ignore it and it deleted the damned file. I now have to reinstall daemon tools and/or Alcohol 52..
-
Avast deleted the file, I guess I have to do the same thing as you... pfff... let's wait for Avast to correct this, if this is really an FP.
But I would like to know from a tech whether this is a real rootkit or not, and whether they will correct it today...
I did a scan with Malwarebytes and it detected nothing.
-
@cadremis: SPTD.SYS comes with Alcohol 52 etc. and Daemon Tools. If you use these programs, that's why you had the file in \system32\ (though I guess it could be delivered with other programs as well). There's no chance that we're all infected with a tampered SPTD.SYS. It's Avast's fault and they should fix it asap.. As they should fix their silly interface, which gives the option to ignore and then deletes the file without your permission.. This is pathetic!
-
Hola Cadremis,
please, what version of Alcohol do you have installed? Is this happening only on Win XP?
-
you don't have to reinstall Daemon or Alcohol, just the SPTD driver:
http://www.duplexsecure.com/en/downloads
on the bonus side, the latest version of SPTD (currently v1.78) linked above fixes some blue screen issues that version 1.76 has (v1.76 being the one that triggers the avast response)
P.S.(edit) i had v1.75 of sptd (and a similar older daemontools) but didn't have any bluescreen issues with it.
I also got the avast warning but this issue with avast finally got me to upgrade to sptd 1.78 and latest daemon tools lite. :P
-
It is happening to me in Windows 7 even with the latest update of Avast...rm
-
I ended up uninstalling the Alcohol trial version today, but the same alert comes up every time I restart the computer... now what? This is really annoying! I asked Avast to delete the file, but every time I restart the computer it comes back.
Guys,
I need help here! What do I do?
-
Definitely a false positive. I searched the Daemon Tools forum: this file
is used to protect the program's registration, and is also tied to the virtual drive.
I'll stick with the option to ignore until the next update...
-
Search Results for "sptd.sys"
Rootkit.Agent/Gen-Haxdoor.Process
Rootkit that may log user information and possibly block access to certain security related sites.
Category : TROJAN
http://www.fileresearchcenter.com/search.html?searchitem=sptd.sys&search=Search...
-
If it is a real Trojan, why doesn't Avast do anything about it? I have deleted the file and done 4 boot scans according to Avast's recommendations, but it is still there.
MBAM does not detect it, and SUPERAntiSpyware is not detecting it either.
Please let me know the real way to get rid of this thing, it is really annoying me...rm
-
The most effective way of removing the file would be with the SPTD.SYS DuplexSecure uninstaller.
That is usually at: Start / All Programs / DAEMON Tools Lite / SPTDSetup
Of course, only if your case is linked to Daemon Tools.
-
I'll still wait for an update in avast because I have no intention of removing the SPTD and Daemon from my system.
-
You can upload the file on this link and see what it says about your specific sptd.sys file.
http://www.virustotal.com/index.html
-
Someone did it before...
http://www.virustotal.com/file-scan/report.html?id=ccac2cc44f90001da973d2b6e644ff37fa6c31c7a3abd936645382537fa63edd-1306837223
-
Which was a bit of a pointless exercise, as it is the anti-rootkit scan that is flagging this, something which can't be run from VT. So I wouldn't expect it to find anything, and that is the same reason why the standard scans of avast don't detect anything.
What is considered suspicious I don't completely know, but most certainly it must be a hidden process/driver, why it needs to be run hidden is beyond me.
As for why after asking avast to delete it and it coming back, well I don't know if avast is only removing the hidden driver and not the actual file from the system32\drivers folder. So there is some program which uses this driver and is reloading it. Finding what that might be is going to be the hard part.
I don't have the sptd.sys file on my XP Pro SP3 system, is your alert on the XP or win7 system ?
-
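The post above makes the point that an anti-rootkit scan is not a file scan: it compares what the kernel actually has loaded with what the system says should be there. The script below is an added example, not code from the thread, Avast or DuplexSecure, that performs that cross-view check on your own machine. It lists the kernel's loaded driver modules through `psapi!EnumDeviceDrivers`, reads every kernel and file-system driver service from the registry with its ImagePath resolved and checked on disk, and prints the discrepancies, plus where `sptd.sys` shows up in each view. The ImagePath resolution rules and the `sptd.sys` file name are assumptions.

```powershell
# Added example; not from the thread. Two views of kernel drivers, diffed:
#   (1) the kernel's loaded-module list, via psapi!EnumDeviceDrivers
#   (2) driver services in the registry (Type 1 = kernel, 2 = file system),
#       each ImagePath resolved and checked on disk
# A module in (1) with no service in (2), or a boot/system-start service in (2)
# whose image is missing on disk, is the kind of discrepancy anti-rootkit
# scanners report. Run elevated, in a PowerShell whose bitness matches the OS.

Add-Type -Namespace Win32 -Name Psapi -MemberDefinition @"
[DllImport("psapi.dll", SetLastError = true)]
public static extern bool EnumDeviceDrivers(IntPtr[] lpImageBase, uint cb, out uint lpcbNeeded);

[DllImport("psapi.dll", CharSet = CharSet.Unicode)]
public static extern uint GetDeviceDriverBaseName(IntPtr ImageBase, System.Text.StringBuilder lpBaseName, uint nSize);
"@

function Get-LoadedDriverModules {
    # First call with an empty buffer reports the size needed; the second fills it.
    [uint32]$needed = 0
    [void][Win32.Psapi]::EnumDeviceDrivers($null, 0, [ref]$needed)
    $bases = New-Object 'IntPtr[]' ([int]($needed / [IntPtr]::Size))
    [void][Win32.Psapi]::EnumDeviceDrivers($bases, $needed, [ref]$needed)
    $modules = @{}
    foreach ($base in $bases) {
        $sb = New-Object System.Text.StringBuilder 260
        if ([Win32.Psapi]::GetDeviceDriverBaseName($base, $sb, $sb.Capacity) -gt 0) {
            $modules[$sb.ToString().ToLower()] = $base   # e.g. "sptd.sys" -> image base
        }
    }
    return $modules
}

function Resolve-ImagePath([string]$ImagePath, [string]$Service) {
    # Assumed spellings the SCM accepts; with no ImagePath it loads System32\drivers\<service>.sys
    if (-not $ImagePath) { return Join-Path $env:SystemRoot "System32\drivers\$Service.sys" }
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-RegisteredDrivers {
    $drivers = @{}
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p -and ($p.Type -eq 1 -or $p.Type -eq 2)) {
            $path = Resolve-ImagePath $p.ImagePath $_.PSChildName
            $file = [IO.Path]::GetFileName($path).ToLower()
            $drivers[$file] = New-Object PSObject -Property @{
                Service = $_.PSChildName; Start = $p.Start; Path = $path; OnDisk = (Test-Path $path)
            }
        }
      }
    return $drivers
}

$loaded     = Get-LoadedDriverModules
$registered = Get-RegisteredDrivers

"== Loaded modules with no driver service behind them"
"== (the kernel image itself, ntoskrnl.exe or ntkrnlpa.exe on 32-bit PAE builds, hal.dll"
"==  and a few boot-path images are expected here; look at what else appears)"
$loaded.Keys | Where-Object { -not $registered.ContainsKey($_) } | Sort-Object

"== Boot (0) / system (1) start drivers whose image file is missing on disk"
$registered.Values | Where-Object { $_.Start -le 1 -and -not $_.OnDisk } | Format-Table Service, Start, Path

"== Where sptd.sys stands in each view"
$name = 'sptd.sys'
"{0}: loaded={1} registered={2} onDisk={3}" -f $name, $loaded.ContainsKey($name),
    $registered.ContainsKey($name), ($registered.ContainsKey($name) -and $registered[$name].OnDisk)
```

The last line is the one that answers the "it comes back after every restart" reports: a driver that is registered with Start 0 and still on disk is loaded again at the next boot whether or not a running-system delete removed the loaded instance, so removal has to go through the service registration (the SPTDSetup uninstaller mentioned later in the thread), not just the file.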
I'm using Windows Vista Ultimate SP1 / Avast v.6.0.1125 / 110531-1 Free and am getting the same message mentioned by other users of Avast.
For now I'm still clicking ''ignore'' when I get the message.
I will keep doing so until there are more details, or perhaps the ''problem'' is solved in a next update.
-
The alert is only in Windows 7 for the moment; on that computer I installed Alcohol 3 days ago. Now, as I said, I uninstalled it, but the alert is still driving me crazy..rm
-
And do you have Alcohol or Daemon Tools on that PC?
-
Yes, I have only Daemon Tools Lite (installed about 2 years ago without changing anything in it),
together with the driver it installed (SPTD).
-
Let's wait for an answer from Avast tomorrow. I will ignore the alert and will ask my friends in the Spanish forum (forospyware) to wait, since there are several threads there waiting for an answer on this..rm
-
It may be a false positive, according to Alcohol support.
See here: http://forum.avast.com/index.php?topic=77651.0
Salute.
-
Any position or information from someone in support?
On the situation with the SPTD driver discussed in this topic...
-
Avast has released 2 updates and the problem is still here with 110601-1.... and I still don't know whether it is an FP or a real virus. Anyone from Avast to answer the question, and say what is being done?
-
You need to be cautious. I have just cleaned a system with an infected sptd.sys that was masking a TDL4 bootkit. aswMBR was the only programme that flagged it. After I removed the file I was then able to cure the TDL4. So it might be worthwhile checking it with aswMBR.
-
Interesting, thanks for the input.
-
Hi guys; I've had the same problem and solved it by uninstalling Daemon Tools (I almost never used it) and then deleting the sptd.sys file, since it didn't disappear after the uninstallation.
Do you know if Avast is already aware of this problem...?
-
I got tired of waiting; the two new updates did not work, so I decided to uninstall the SPTD driver normally from my system (not by deleting it, not by excluding it manually in Avast, and not by removing Daemon Tools), using only the driver's own uninstaller.
After that I rebooted my system and voilà, the driver was gone, but with this action the Daemon Tools program would no longer work. Then, searching, I discovered that Daemon Tools provides a driver similar to SPTD.SYS, its own DTSOFTBUS01.SYS: when Daemon Tools runs again and does not find the SPTD.SYS driver, it offers the DTSOFTBUS01.SYS driver.
So there is a tip for those who want to solve the problem without uninstalling Daemon Tools.
-
Essexboy,
I know you're an expert in this kind of thing and you make me think about it, but is it possible that all of us using Alcohol and Daemon Tools could be infected with a real rootkit? My computer does not have any problems and I don't see anything bad after I told it to ignore that alert.
Can you help me use aswMBR? Just to check whether I'm infected or not.
The other thing is that many people are waiting in another Latin forum that I work with for an answer on whether this is a real rootkit or not, and nobody answers the question.
rm
-
I did the scan with the aswMBR and this is what was found:
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-01 19:29:57
-----------------------------
19:29:57.799 OS Version: Windows 6.1.7601 Service Pack 1
19:29:57.799 Number of processors: 2 586 0xF06
19:29:57.799 ComputerName: HP5-PC UserName: HP5
19:30:05.190 Initialize success
19:30:25.190 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:30:25.190 Disk 0 Vendor: WDC_WD16 05.0 Size: 152627MB BusType: 8
19:30:25.206 Disk 0 MBR read successfully
19:30:25.206 Disk 0 MBR scan
19:30:25.206 Disk 0 Windows 7 default MBR code
19:30:25.206 Disk 0 scanning sectors +312578048
19:30:25.237 Disk 0 scanning C:\Windows\system32\drivers
19:30:28.799 Service scanning
19:30:29.909 Disk 0 trace - called modules:
19:30:29.909 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x84a541f8]<<
19:30:29.924 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x861a67b8]
19:30:29.924 3 CLASSPNP.SYS[891a359e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x84a8a028]
19:30:29.924 \Driver\iaStorV[0x8573d718] -> IRP_MJ_CREATE -> 0x84a541f8
19:30:29.940 Scan finished successfully
19:31:03.206 Disk 0 MBR has been saved successfully to "C:\Users\HP5\Documents\MBR.dat"
19:31:03.206 The log file has been saved successfully to "C:\Users\HP5\Documents\aswMBR.txt"
-
Can you help?
-
When you Google for ntkrnlpa.exe you get nothing but bad news
https://encrypted.google.com/search?q=ntkrnlpa.exe&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
-
Well, it looks like "sptd.sys" is a real rootkit, but one used only for copyright matters and not to harm the computer, at least that's what they say on the Daemon Tools forum:
http://forum.daemon-tools.cc/f23/daemon-tools-rootkit-9581/
-
Since I never received an answer from Avast, and since I do not use Alcohol or Daemon Tools, I decided to use Killbox to get rid of that file on reboot. Now my system is clean again and I'm not receiving such alerts.
Thanks..rm
See attached picture
-
No that looks OK - when I had the case aswMBR put rootkit in big bright red letters next to it
-
I do not use either Alcohol or Daemon Tools, but I still got the sptd.sys warning today. I scanned with aswMBR and got this...
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-10 17:08:16
-----------------------------
17:08:16.417 OS Version: Windows 6.0.6002 Service Pack 2
17:08:16.417 Number of processors: 2 586 0x170A
17:08:16.418 ComputerName: LOGAM-PC UserName: Logam
17:08:19.521 Initialize success
17:08:33.442 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:08:33.444 Disk 0 Vendor: WDC_WD3200BEVT-75ZCT2 11.01A11 Size: 305245MB BusType: 3
17:08:35.504 Disk 0 MBR read successfully
17:08:35.508 Disk 0 MBR scan
17:08:35.511 Disk 0 unknown MBR code
17:08:37.515 Disk 0 scanning sectors +625137345
17:08:37.614 Disk 0 scanning C:\Windows\system32\drivers
17:08:44.481 Service scanning
17:08:46.514 Disk 0 trace - called modules:
17:08:46.555 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x864341f8]<<
17:08:46.556 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x866141c8]
17:08:46.556 3 CLASSPNP.SYS[8c3a28b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8647e8a0]
17:08:46.556 \Driver\atapi[0x85ab86e8] -> IRP_MJ_CREATE -> 0x864341f8
17:08:46.557 Scan finished successfully
17:12:01.940 Disk 0 MBR has been saved successfully to "C:\Users\Logam\Documents\MBR.dat"
17:12:01.945 The log file has been saved successfully to "C:\Users\Logam\Documents\aswMBR.txt"
What should I do next?
-
Try this:
Kaspersky TDSSKiller http://support.kaspersky.com/faq/?qid=208283363
If there are still problems, start a new topic in the "Viruses and worms" section http://forum.avast.com/index.php?board=4.0
Follow this guide from our expert malware remover Essexboy:
http://forum.avast.com/index.php?topic=53253.0
(post the logs in the new topic you start)
To avoid using multiple posts with copy and paste, attach the logs:
Lower left corner: Additional Options > Attach (Malwarebytes log / OTS log); save the OTS log as ANSI.
Essexboy will look at the logs when he arrives later today...
-
Good call, that suggests a TDL3 infection