What is the A#######.sys ("A" + 7 random characters) driver? Rootkit or not?
Recently we received several requests from our users about a mysterious driver on their computers.
The driver name always begins with the character "A", and the other 7 characters change randomly at each reboot.
RegRun reports that the driver is located in the %SysDir%\Drivers folder.
But this file doesn't exist on the hard drive.
We suspected rootkit behaviour.
The strange drivers were not found on the hard drive even when the user booted from a Bart PE CD-ROM.
Take a look at the Bootlog XP diagram:
We always see that "A#######.sys" is loaded immediately after SCSIPORT.SYS.
The driver is loaded by the Windows kernel at an early stage of the Windows boot process.
If we look for the driver in the registry, we find that it is part of the "SCSI miniport" group.
We opened the "Enum" subkey and found that this is a PnP device:
After that we checked the Device Manager for SCSI devices.
No mystery there. Its name is "SCSI/RAID host controller".
It has the same ID code:
If this is a legitimate driver, why does it change its name on every boot?
The answer is simple. The driver is related to the Daemon Tools software.
This software is often used for copying protected CD/DVD-ROMs.
The authors of the CD/DVD protection are not happy that the Daemon software works.
They fight against the daemons. And the war still continues...
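As an added example (not from the RegRun article, nor RegRun's or Daemon Tools' own code), the following PowerShell script automates the checks described above: it lists services whose name matches the "A" + 7 characters pattern, shows their group, start type and ImagePath, tests whether the file really exists on disk, and reads the PnP instance IDs from the service's Enum subkey so they can be matched against Device Manager. It assumes an elevated PowerShell on the affected machine; the function names Resolve-DriverPath and Get-RandomNamedDrivers are ours, and the name pattern and the "SCSI miniport" group come from the article.

```powershell
# Added example, not part of the RegRun article. Run in an elevated PowerShell
# on the affected machine. Assumption: the driver's service key lives under
# CurrentControlSet\Services, as the article's registry findings indicate.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverPath([string]$ImagePath) {
    # Normalise the kernel-style paths found in ImagePath to Win32 paths
    $p = $ImagePath -replace '^\\\?\?\\', ''        # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', ''         # \SystemRoot\system32\... -> system32\...
    if ($p -match '^[A-Za-z]:\\') { return $p }    # already absolute
    return Join-Path $env:SystemRoot $p            # relative to %SystemRoot%
}

function Get-RandomNamedDrivers {
    # Article's pattern: "A" followed by 7 characters that change every boot
    Get-ChildItem -Path $ServicesKey |
        Where-Object { $_.PSChildName -match '^A[0-9A-Za-z]{7}$' } |
        ForEach-Object {
            $props   = Get-ItemProperty -Path $_.PSPath
            $image   = [string]$props.ImagePath
            $enumKey = Join-Path $_.PSPath 'Enum'
            # Services\<name>\Enum holds numbered values with PnP instance IDs
            $pnpIds = @()
            if (Test-Path -Path $enumKey) {
                $enum   = Get-ItemProperty -Path $enumKey
                $pnpIds = $enum.PSObject.Properties |
                    Where-Object { $_.Name -match '^\d+$' } |
                    ForEach-Object { $_.Value }
            }
            [pscustomobject]@{
                Service      = $_.PSChildName
                Group        = $props.Group          # expect "SCSI miniport"
                Start        = $props.Start          # 0 = boot start
                ImagePath    = $image
                FileOnDisk   = ($image -ne '') -and (Test-Path -LiteralPath (Resolve-DriverPath $image))
                PnPInstances = ($pnpIds -join '; ')
            }
        }
}

# A boot-start "SCSI miniport" entry whose file is absent from disk is the
# picture the article describes; compare PnPInstances with the ID shown in
# Device Manager for the "SCSI/RAID host controller".
Get-RandomNamedDrivers | Format-List
```

FileOnDisk is expected to be False for the entry the article describes, since the file cannot be found even from a Bart PE boot; a matching PnP instance ID in Device Manager ties the entry to the SCSI/RAID host controller rather than to an unknown rootkit.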
Virus or not? SPTD####.sys
The hidden A#######.sys driver is not a rootkit if you use Daemon Tools version 4.08 with SPTD 1.37.
But the installer offers to install the WhenUSave toolbar.
This is known adware.
In addition, some users report problems with Windows shutdown.
Use or do not use it? This is your choice :-).
Thank you to Rajgopal Nayak for his help!