Author Topic: sptd.sys likely a false positive  (Read 31609 times)


cadremis

  • Guest
Re: sptd.sys likely a false positive
« Reply #30 on: June 01, 2011, 03:59:52 AM »
I'm using Windows Vista Ultimate SP1/Avast v.6.0.1125/110531-1 free and am getting the same message mentioned by other users in Avast.

For now I'm still cranking mode "ignore" when I get the message.

I will remain so until there are more details, or perhaps the "problem" is solved in a next update.


And do you have Alcohol or Daemon tools in that PC?

kvra_

  • Guest
Re: sptd.sys likely a false positive
« Reply #31 on: June 01, 2011, 04:09:46 AM »
I'm using Windows Vista Ultimate SP1/Avast v.6.0.1125/110531-1 free and am getting the same message mentioned by other users in Avast.

For now I'm still cranking mode "ignore" when I get the message.

I will remain so until there are more details, or perhaps the "problem" is solved in a next update.


And do you have Alcohol or Daemon tools in that PC?

Yes, I have only Daemon tools lite (installed about 2 years without changing anything in)
together and installed the driver (SPTD).

cadremis

  • Guest
Re: sptd.sys likely a false positive
« Reply #32 on: June 01, 2011, 04:39:07 AM »
Let's wait for an answer from Avast tomorrow. I will ignore the alert and will ask my friends in the forum in Spanish (forospyware) to wait, since there are several threads there waiting for an answer on this.

rm

DanDare

  • Guest
Re: sptd.sys likely a false positive
« Reply #33 on: June 01, 2011, 04:47:04 AM »
It may be a false positive, according to Alcohol support.
See here: http://forum.avast.com/index.php?topic=77651.0

Salute.

kvra_

  • Guest
Re: sptd.sys likely a false positive
« Reply #34 on: June 01, 2011, 07:41:18 AM »
Position or any information someone from support?

On the situation of the SPTD driver listed in this topic ...

cadremis

  • Guest
Re: sptd.sys likely a false positive
« Reply #35 on: June 01, 2011, 07:20:08 PM »
Avast has released 2 updates and the problem is still here with 110601-1... and I still don't know if it is a FP or is it a real virus? Anyone from Avast to answer the question and what is being done?


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: sptd.sys likely a false positive
« Reply #36 on: June 01, 2011, 09:06:27 PM »
You need to be cautious: I have just cleaned a system with an infected sptd.sys that was masking a TDL4 bootkit. aswMBR was the only programme that flagged it. After I removed the file I was then able to cure the TDL4. So it might be worthwhile checking it with aswMBR.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
Re: sptd.sys likely a false positive
« Reply #37 on: June 01, 2011, 09:19:48 PM »
Interesting, thanks for the input.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

JoeMat

  • Guest
Re: sptd.sys likely a false positive
« Reply #38 on: June 01, 2011, 10:24:54 PM »
Hi guys; I've had the same problem and solved it by uninstalling Daemon tools (I hardly used it) and then deleting the sptd.sys file, since this one didn't disappear after the uninstallation.
Do you know if Avast is already aware of this problem...?

kvra_

  • Guest
Re: sptd.sys likely a false positive
« Reply #39 on: June 01, 2011, 11:48:27 PM »
I got tired of waiting, the two new update did not work, so I decided to uninstall the SPTD driver normally my system (do not delete the Avast does not exclude manually, does not exclude Daemon tools) excludes only the driver for your uninstaller.

After it rebooted my system and voila, I was no longer with the driver but with this action the program Daemon T. would not work more then I discovered that searching the Daemon T. provides a driver similar to SPTD.SYS authored DTSOFTBUS01.SYS own driver who once again did not run the Daemon and not found the driver SPTD.SYS, it offers the driver DTSOFTBUS01.SYS.

Then there is tip for those who want to solve your problem without uninstalling the program Daemon.

cadremis

  • Guest
Re: sptd.sys likely a false positive
« Reply #40 on: June 02, 2011, 02:26:04 AM »
You need to be cautious: I have just cleaned a system with an infected sptd.sys that was masking a TDL4 bootkit. aswMBR was the only programme that flagged it. After I removed the file I was then able to cure the TDL4. So it might be worthwhile checking it with aswMBR.

Essexboy,
I know you're an expert in this kind of thing and you make me think about it, but is it possible that all of us using Alcohol and Daemon tools could be infected with a real rootkit? My computer does not have any problems and I don't see anything bad after I put ignore to that alert.

Can you help me using aswMBR? Just to check if I'm infected or not?

The other thing is that many people are waiting in another Latin forum that I work with for an answer if this is a real rootkit or not, and nobody answers the question.

rm

cadremis

  • Guest
Re: sptd.sys likely a false positive
« Reply #41 on: June 02, 2011, 02:33:43 AM »
I did the scan with the aswMBR and this is what was found:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-01 19:29:57
-----------------------------
19:29:57.799    OS Version: Windows 6.1.7601 Service Pack 1
19:29:57.799    Number of processors: 2 586 0xF06
19:29:57.799    ComputerName: HP5-PC  UserName: HP5
19:30:05.190    Initialize success
19:30:25.190    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:30:25.190    Disk 0 Vendor: WDC_WD16 05.0 Size: 152627MB BusType: 8
19:30:25.206    Disk 0 MBR read successfully
19:30:25.206    Disk 0 MBR scan
19:30:25.206    Disk 0 Windows 7 default MBR code
19:30:25.206    Disk 0 scanning sectors +312578048
19:30:25.237    Disk 0 scanning C:\Windows\system32\drivers
19:30:28.799    Service scanning
19:30:29.909    Disk 0 trace - called modules:
19:30:29.909    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x84a541f8]<<
19:30:29.924    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x861a67b8]
19:30:29.924    3 CLASSPNP.SYS[891a359e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x84a8a028]
19:30:29.924    \Driver\iaStorV[0x8573d718] -> IRP_MJ_CREATE -> 0x84a541f8
19:30:29.940    Scan finished successfully
19:31:03.206    Disk 0 MBR has been saved successfully to "C:\Users\HP5\Documents\MBR.dat"
19:31:03.206    The log file has been saved successfully to "C:\Users\HP5\Documents\aswMBR.txt"
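
Added example, not part of the thread or of aswMBR: a small Python triage of the log posted above. It pulls out the MBR verdict, the address the disk trace could not attribute to a named module, and any driver dispatch handler that points at that same address; the function and pattern names are hypothetical, and the patterns cover only the line shapes visible in this log.

```python
import re

# The relevant lines of the aswMBR log from the post above, embedded so this runs offline.
SAMPLE_LOG = r"""
19:30:25.206    Disk 0 Windows 7 default MBR code
19:30:29.909    Disk 0 trace - called modules:
19:30:29.909    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x84a541f8]<<
19:30:29.924    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x861a67b8]
19:30:29.924    3 CLASSPNP.SYS[891a359e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x84a8a028]
19:30:29.924    \Driver\iaStorV[0x8573d718] -> IRP_MJ_CREATE -> 0x84a541f8
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")
MBR_CODE = re.compile(r"^Disk (\d+) (.+ MBR code)$")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HANDLER = re.compile(
    r"^(\\Driver\\[^\[\s]+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)$"
)


def triage(log_text):
    """Summarise the MBR verdict and handlers that land outside a named module."""
    mbr, unknown, handlers = {}, set(), []
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        if m := MBR_CODE.match(line):
            mbr[int(m.group(1))] = m.group(2)
        for addr in UNKNOWN.findall(line):
            unknown.add(int(addr, 16))
        if m := HANDLER.match(line):
            handlers.append((m.group(1), m.group(2), int(m.group(3), 16)))
    # A handler deserves a closer look when its target is one of the addresses
    # the disk trace could not attribute to any named module.
    unattributed = [(drv, irp, hex(t)) for drv, irp, t in handlers if t in unknown]
    return {
        "mbr_code": mbr,
        "unknown_addresses": sorted(hex(a) for a in unknown),
        "unattributed_handlers": unattributed,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On this log the MBR code is reported as the Windows 7 default, while the `IRP_MJ_CREATE` handler of `\Driver\iaStorV` points at the same `UNKNOWN` address that ends the disk trace; the log itself does not say which driver owns that address.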



cadremis

  • Guest
Re: sptd.sys likely a false positive
« Reply #42 on: June 02, 2011, 02:34:12 AM »

Can you help?

Nesivos

  • Guest
Re: sptd.sys likely a false positive
« Reply #43 on: June 02, 2011, 03:34:34 AM »

JoeMat

  • Guest
Re: sptd.sys likely a false positive
« Reply #44 on: June 02, 2011, 05:10:27 AM »
Well, it looks like "sptd.sys" is a real rootkit. But used only for copyright matters and not to harm the computer, at least that's what they say at Daemon tools forum:

http://forum.daemon-tools.cc/f23/daemon-tools-rootkit-9581/