View Full Version : is this daemon tools or a rootkit?

31.07.2008, 12:32
I have some suspicion my laptop has been hacked and a keylogger installed, with possible financial losses :(.

Malware detectors have been unsuccessful, except IceSword (http://majorgeeks.com/Icesword_d5199.html), which reported System Service Descriptor Table entries for NtCreateKey and similar being "hijacked" by sphn.sys. I use DT 4.12.3.

This file is allegedly in system32/drivers folder, except it cannot be seen there from the file system.

On another computer I use (has DT 4.08) the same entries are "hijacked" by sptd.sys.

Is this normal that DT links those entries to itself for the fake SCSI driver? Why is it called sphn.sys on my laptop while called sptd.sys on the other computer?

Do any of you have the same entries linked to such .sys files?

Any help will be much appreciated in trying to investigate this.


01.08.2008, 01:21
DAEMON Tools hooks the kernel. This is normal behavior for DAEMON Tools. If you want to run scanners to detect this, sure you can scan for it. DAEMON Tools protects its own registry key and thus the NTQuery, NTset, etc hooks. sphn.sys is a valid name for a scsiport attachment thing DAEMON Tools does.

You may find this forum sticky useful: As secure as it was tested?

If you think your laptop has been infected with keyloggers just uninstall DAEMON Tools and SPTD and proceed with your malware scans.