Home

Download

Order

Support

?

Each time the driver name begins with "A" character and the other 7 characters are randomly changed at reboot.

RegRun notifies a user that the driver is located in the %SysDir%\Drivers folder. But this file doesn't exist on the hard drive.

What's this?

We supposed the rootkit behaviour. The strange drivers were not found on a hard drive even if a user boot from Bart PE CD-ROM.

Take a look at the Bootlog XP diagram:

We always see that the "A#######.sys" is loaded immediately after SCSIPORT.SYS. The driver is a loaded by Windows kernel on the early stage of Windows boot process.

If we look for the driver in the registry we found that it's a part of "SCSI miniport group".

We opened "Enum" subkey and found that this is PNP device:

After that we checked the "Device Manager" for a SCSI devices.

Not a mystery. It has the name: "SCSI/RAID host controller".

It has the same ID code:

If there is a legitimate driver, why it changes his name every boot?

The answer is simple. The driver is related to the Daemon Tools software. This software is often used for copying protected CD/DVD-ROM. The authors of the CD/DVD protection are not happy that the Daemon software works. They fight against the daemons. And the war still continues...

See also:
Virus or not? SPTD####.sys

The A#######.sys hidden driver is not a rootkit if you use Daemon Tools software version 4.08 with SPTD 1.37.

But the installation offers you to use WhenUSave toolbar. It is known adware.

In addition some users reports about problems with Windows shutdown.

Use or do not use it? This is your choice :-).

Dmitry Sokolov

Thank you Rajgopal Nayak for his help!

Would you like to add your opinion?