Thread: is this daemon tools or a rootkit?

  1. #1
    New User
    Join Date
    31.07.2008
    Posts
    1

    is this daemon tools or a rootkit?

    I have some suspicion my laptop has been hacked and a keylogger installed, with possible financial losses.

    Malware detectors have been unsuccessful, except IceSword, which reported System Service Descriptor Table entries for NtCreateKey and similar being "hijacked" by sphn.sys. I use DT 4.12.3.

    This file is allegedly in the system32/drivers folder, except it cannot be seen there from the file system.

    On another computer I use (has DT 4.08) the same entries are "hijacked" by sptd.sys.

    Is it normal that DT links those entries to itself for the fake SCSI driver? Why is it called sphn.sys on my laptop while it is called sptd.sys on the other computer?

    Do any of you have the same entries linked to such .sys files?

    Any help will be much appreciated in trying to investigate this.


  2. #2

    DAEMON Tools hooks the kernel. This is normal behavior for DAEMON Tools. If you want to run scanners to detect this, sure, you can scan for it. DAEMON Tools protects its own registry key and thus the NTQuery, NTset, etc. hooks. sphn.sys is a valid name for a scsiport attachment thing DAEMON Tools does.

    You may find this forum sticky useful: As secure as it was tested?

    If you think your laptop has been infected with keyloggers, just uninstall DAEMON Tools and SPTD and proceed with your malware scans.
    the modern world:
    net helpmsg 4006
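
An added example, not part of the thread or of any tool named in it: a sketch of the check a scanner performs when it reports SSDT entries as "hijacked", namely resolving each handler address to the loaded image that contains it and listing everything that is not the kernel. All addresses, module ranges and the on-disk listing are constructed sample data; `owner_of` and `audit_ssdt` are hypothetical names.

```python
"""Attribute SSDT entries to the driver whose image contains the handler address."""
from bisect import bisect_right

# Constructed sample data (not from the thread): module name -> (base, size).
MODULES = {
    "ntoskrnl.exe": (0x804D7000, 0x001F8000),
    "sphn.sys":     (0xF7410000, 0x000FB000),
}
# Constructed SSDT snapshot: service name -> handler address.
SSDT = {
    "NtClose":        0x805BC538,
    "NtCreateKey":    0xF74570E0,
    "NtEnumerateKey": 0xF7457180,
    "NtOpenKey":      0xF74570C0,
    "NtReadFile":     0x805D9A4C,
    "NtDeleteKey":    0xF9A01000,  # falls inside no loaded image
}
# Constructed: driver files that a listing of system32\drivers actually showed.
ON_DISK = {"ntoskrnl.exe"}

def owner_of(addr, modules):
    """Return the module whose [base, base+size) range contains addr, else None."""
    ranges = sorted((base, base + size, name) for name, (base, size) in modules.items())
    i = bisect_right([r[0] for r in ranges], addr) - 1
    if i >= 0 and addr < ranges[i][1]:
        return ranges[i][2]
    return None

def audit_ssdt(ssdt, modules, on_disk, kernel="ntoskrnl.exe"):
    """List every service not handled by the kernel image, with triage hints."""
    findings = []
    for service, addr in sorted(ssdt.items()):
        owner = owner_of(addr, modules)
        if owner == kernel:
            continue  # entry still points into the kernel: not hooked
        findings.append({
            "service": service,
            "address": hex(addr),
            "owner": owner or "<unmapped>",
            "file_visible": owner in on_disk,
        })
    return findings

if __name__ == "__main__":
    for f in audit_ssdt(SSDT, MODULES, ON_DISK):
        print("{service:<16}{address:<12}{owner:<14}file_visible={file_visible}".format(**f))
```

The output separates hooks owned by a named driver from handlers that land in no loaded image; the second kind cannot be attributed to any installed product and warrants offline inspection.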
