 #32211  by myodyne
 Mon Oct 29, 2018 3:42 pm
Hello there kernel brothers and sisters.

Running an old pc with WinXP SP3 with Daemon Tools v4.10 and VMWare v6.5.2 installed.

I have noticed some strange behaviour: a driver that doesn't exist on disk, but appears in Process Explorer and in AutoRuns.
The funny thing is that it changes its name after reboot. Or is it something else?
1.png
2.png
Kaspersky TDSSKiller didn't find any problem.

GMER showed some hooks from sptd.sys, but I think they are coming from Daemon Tools.
3.png
I didn't run the above in Safe Mode. But before searching deeper, would you mind helping me with this? Any good suggestions?

Thanks in advance.
 #32212  by EP_X0FF
 Mon Oct 29, 2018 4:22 pm
sptd.sys (Alcohol/Daemon Tools) uses rootkit techniques to hide itself from DRM. This is known behavior.
 #32213  by myodyne
 Mon Oct 29, 2018 9:23 pm
Thanks a lot master EP_X0FF.

Having been away for a while, I thought I would first make sure by asking the best, before being scared to death.

;-)