Author Topic: GETPADD.sys is newly reported as a rootkit  (Read 12405 times)


djeanprost

  • Guest
GETPADD.sys is newly reported as a rootkit
« on: April 08, 2008, 02:59:46 PM »
Avast is reporting that c:\windows\system32\drivers\GETPADD.sys is a rootkit. It suggests deleting or ignoring it.
As this file has always been on my laptop, can I delete it without problems?
regards,
dom

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: GETPADD.sys is newly reported as a rootkit
« Reply #1 on: April 08, 2008, 03:02:54 PM »
If you Google GETPADD.sys you'll find more info about it.
It won't be bad if you submit this file to www.virustotal.com
The best things in life are free.

djeanprost

  • Guest
Re: GETPADD.sys is newly reported as a rootkit
« Reply #2 on: April 08, 2008, 06:40:43 PM »
Of course I tried to google it, but I didn't find any good answers. I'll upload it ASAP.
Anyway, I don't have an answer to my question yet. Has anyone else encountered it?

psw

  • Guest
Re: GETPADD.sys is newly reported as a rootkit
« Reply #3 on: April 08, 2008, 07:15:55 PM »
Google shows not much info. But it is curious that in all cases where GETPADD.SYS file info is shown, the creation datetime and the modification datetime are the same, and they differ from one case to the next:
2008-03-25 16:09 . 2008-03-25 16:09
2008-02-02 12:16 . 2008-02-02 12:16
2008-01-29 14:07 . 2008-01-29 14:07

This behaviour is quite unusual for ordinary programs. It looks like malware.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33925
  • malware fighter
Re: GETPADD.sys is newly reported as a rootkit
« Reply #4 on: April 08, 2008, 10:56:21 PM »
Hi djeanprost,

Here it is not clear: http://www.spywaredata.com/spyware/malware/getpadd.sys.php

Then I found the following: fixes for hard cases: Vista -
The problem seems to be getpadd.sys - when installing some program earlier, weren't you asked for permission to replace the file c:\windows\system32\drivers\getpadd.sys? If so, try to restore it from the i386 folder on the disk or from the system CD/DVD.
I will translate this for you: The problem seems to be getpadd.sys - when installing some program earlier, were you asked to allow the file c:\windows\system32\drivers\getpadd.sys to be changed? If so, try to put it back from the i386 folder or from the system CD/DVD. Source: Instalki.PL
Problems with this seem to be concentrated mainly in Italy, France and Poland.

polonus

« Last Edit: April 08, 2008, 11:06:50 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

ACCPresident

  • Guest
Re: GETPADD.sys is newly reported as a rootkit
« Reply #5 on: April 13, 2008, 08:24:29 AM »
Hello Gentlemen,
I came across the same “getpadd.sys” file on my 2 month old ASUS notebook. I discovered that the file didn’t reside in the path the antivirus told me, and was actually in a folder named ABLKSR, with an .exe by the same name. I started researching both files and the folder, and found very little about the “getpadd.sys” file, basically the same as you all have. However, the folder and the .exe file were part of my power management software for my ASUS notebook. After running a boot-time scan, nothing was found. I then thought maybe the file may have been deleted, as I told it to. When my system came back up, I found the file was still there. Thinking on this for a little bit, I remembered that at the time that I got this alert, I had reconnected my AC power to my notebook in order to recharge my battery, and since I was coming up from a reboot, this would explain why it was running at that time. After running a scan with SUPERAntiSpyware, I found no spyware on my system except for tracking cookies, which isn’t uncommon. Once that was done, I ran another anti-virus scan to determine if this file was still running, getting negative results. I concluded that the reason it was running at the time of the alert was due to a change in my power management settings being activated during the reboot.

This file may be a rootkit, as Avast has suggested; I’m not posting to dispute that. I would suggest trying to recall whether it is possible that the file is part of power management software or other system software that may have been running when you got the alert. Whether or not you should delete this file, I would suggest considering what was happening that may have caused this file to be activated in the first place. In my case, I found enough evidence to tell me I didn’t need to delete this file, so ignoring the alert would be acceptable. Being a freelance computer consultant with high security standards, I would recommend taking any antivirus' advice, but continue to investigate your situation until you feel safe in your conclusions.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33925
  • malware fighter
Re: GETPADD.sys is newly reported as a rootkit
« Reply #6 on: April 14, 2008, 12:51:33 AM »
Hi ACCPresident,

This seems to support the idea that it is an ASUS-related file:
http://www.spywaredata.com/spyware/malware/getpadd.sys.php
And according to the info on the link above, it is safe. Did you submit yours to virustotal, and what were the results, which scanners flagged it, if any at all? I lean towards a False Positive in the mentioned cases,

polonus
« Last Edit: April 14, 2008, 12:53:04 AM by polonus »

ACCPresident

  • Guest
Re: GETPADD.sys is newly reported as a rootkit
« Reply #7 on: April 17, 2008, 12:19:19 PM »
Polonus,
Yes, I did submit it as advised via other posts on here; however, being new to that site, I really wasn't sure how it worked, and didn't see where I got any results from it. I believe it was a False Positive as well; however, that doesn't mean this file couldn't be exploited and altered to do as Avast! advised. It does have the possibilities and system controls that could be corrupted to harm a system. What really bugs me is Microsoft. Considering how long it took them to release Vista, only for it to be almost, if not more, buggy than most of their other versions, it is so mind-boggling. The best out-of-box version of Windows I've seen so far was XP Professional (32-bit), in my opinion.

Anyways, hope the info was helpful... and shed some light on the problem for you. Considering how little has been posted on this file, I figure that my post may hold some value for future people coming across the same issue.