What is spXX.sys (XX - random characters) driver? Rootkit or not?
Recently we have received a lot of questions about strange drivers with file names similar to
C:\WINDOWS\system32\DRIVERS\spoh.sys
The two characters after "sp" in the file name change automatically at every Windows boot.

This is a very annoying problem for users, because RegRun Security Suite and UnHackMe detect the driver as suspicious. The file does not exist on the disk. Very strange! Could it be a rootkit?

We investigated the problem and found that it is related to a well-known issue: SPTD. Take a look at our article "What is SPTD####.sys?".

We made the xpbootlog.txt using our Bootlog XP software and found that no "spoh.sys" is loaded during the Windows boot-up process. But we do see "SPTD.SYS". At the same time, we could not see "sptd.sys" in the Drivers list. What happened?

The SPTD driver changed its name in the Kernel Drivers table to "spXX.sys".
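The check described above, written up as an added example (not Greatis code): given the names in the kernel drivers table, the set of files actually present in the drivers directory and the boot-log lines, it flags entries that have no file on disk, and marks an sp??.sys phantom as a likely SPTD alias when SPTD.SYS appears in the boot log while sptd.sys is missing from the table. The driver list, file set and boot-log lines are constructed, and the boot-log line shape is an assumption, not the real xpbootlog.txt format.

```python
import re
from typing import Iterable

# The page describes a driver named "sp" + two characters that change on every boot.
SP_RANDOM = re.compile(r"^sp[a-z0-9]{2}\.sys$", re.IGNORECASE)


def bootlog_basenames(bootlog_lines: Iterable[str]) -> set[str]:
    """Extract lower-cased driver file names from boot-log lines.

    Assumed line shape (not the real Bootlog XP format): text ending in a
    backslash path such as '... \\DRIVERS\\ntfs.sys'."""
    names = set()
    for line in bootlog_lines:
        m = re.search(r"([^\\\s]+\.sys)\s*$", line, re.IGNORECASE)
        if m:
            names.add(m.group(1).lower())
    return names


def classify_drivers(kernel_table: Iterable[str], files_on_disk: Iterable[str],
                     bootlog_lines: Iterable[str]) -> dict[str, str]:
    """Return a verdict for every driver listed in the kernel drivers table."""
    on_disk = {f.lower() for f in files_on_disk}
    booted = bootlog_basenames(bootlog_lines)
    table = {d.lower() for d in kernel_table}
    verdicts = {}
    for name in table:
        if name in on_disk:
            verdicts[name] = "file present on disk"
            continue
        # Phantom entry: listed in the kernel table but no such file on disk.
        if (SP_RANDOM.match(name) and name not in booted
                and "sptd.sys" in booted and "sptd.sys" not in table):
            verdicts[name] = "phantom; likely SPTD renamed in kernel drivers table"
        else:
            verdicts[name] = "phantom; unexplained, investigate"
    return verdicts


# Constructed sample input resembling the situation described on the page.
KERNEL_TABLE = ["ntfs.sys", "spoh.sys", "atapi.sys"]
FILES_ON_DISK = ["ntfs.sys", "atapi.sys", "sptd.sys"]
BOOTLOG = [
    "Loaded driver \\SystemRoot\\System32\\DRIVERS\\ntfs.sys",
    "Loaded driver \\SystemRoot\\System32\\DRIVERS\\atapi.sys",
    "Loaded driver \\SystemRoot\\System32\\DRIVERS\\SPTD.SYS",
]

if __name__ == "__main__":
    for drv, verdict in sorted(classify_drivers(KERNEL_TABLE, FILES_ON_DISK, BOOTLOG).items()):
        print(f"{drv}: {verdict}")
```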
SPTD is not a rootkit.

"SPTD is a new method of access to storage devices that was developed by Duplex Secure Ltd."

The SPTD driver is used by Daemon Tools software to copy/mount protected CD/DVD disks. The authors of CD/DVD protection software do not like SPTD and try to prevent the use of this software. SPTD tries to deceive the protection. The war will not be finished.

See the SPTD Frequently Asked Questions for how to uninstall the SPTD software.

We suggest downloading the latest version of RegRun Security Suite or UnHackMe to resolve the issue. We added code for detecting SPTD version 1.55.