fiepluqoufri
Cadet
Joined: Jun 11, 2008 Posts: 3 Location: EU
Posted: Wed Jun 11, 2008 3:47 pm Post subject: spyr.sys - 4th on loadorder and nowhere to be found

Having a driver with 'spy' in its name that loads so early kinda creeps me out ... Can someone have a look please? Full gmer log attached; below I'm pasting only the lines containing spyr.sys.
Code:
---------- GMER.LOG
SSDT spyr.sys ZwEnumerateKey [0xF8434CA2]
SSDT spyr.sys ZwEnumerateValueKey [0xF8435030]
? spyr.sys The system cannot find the file specified. !
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8447C4C] spyr.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8447CA0] spyr.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8417040] spyr.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F841713C] spyr.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84170BE] spyr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F84177FC] spyr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84176D2] spyr.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR][F8427048] spyr.sys
Device \Driver\sptd \Device\4274730890 spyr.sys
Device \Driver\PCI_PNP9640 \Device\0000004f spyr.sys

IceSword shows it as loading 4th after ntoskrnl.exe:
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
spyr.sys
XP SP2, NOD32, Outpost Firewall, Sandboxie and PGP installed ... I don't think the driver belongs to any of them.
Attachment: gmer.txt (72.96 KB, downloaded 280 times)
fiepluqoufri
Cadet
Joined: Jun 11, 2008 Posts: 3 Location: EU
Posted: Wed Jun 11, 2008 5:15 pm Post subject:

Update.
Played a bit with Sysinternals' procexp to see if I could find out anything about the driver ...
It seems it changes its name at every reboot, but always starts with the letter s.
Also, when pressing the "Module" button in the "threads" section of the "system" process in procexp I get the properties window of the Documents and Settings folder instead of the driver file.
Screenshot: http://img389.imageshack.us/img389/7203/procexpdm5.jpg
negster22
Security Expert Premium Member
Joined: Mar 10, 2004 Posts: 5394
Posted: Thu Jun 12, 2008 2:25 am Post subject:

Do you use Daemon Tools?

Gmer Log wrote:
Device \Driver\sptd \Device\4274730890 spyr.sys

It always launches a randomly named driver, but the naming convention it uses varies depending on the version that is being used. A lot of DT users are puzzled by this.
FYI:
http://www.greatis.com/security/random_spXX.sys_drivers.htm
_________________
Negster22 - MS MVP - Consumer Security 2006-2008
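The diagnosis reached in this thread can be written down as a small triage routine over GMER output. The following is an added example written for this page; it is not code from GMER, Daemon Tools or any of the posters. It parses lines in the format quoted in the first post (the sample below is constructed to reproduce those lines, not a captured log), groups SSDT and IAT hooks by the module GMER attributes them to, records whether the scanner found the file on disk and which driver object owns the module's devices, and then applies the thread's reasoning: hooks from a file that is missing on disk are the classic rootkit indicator, but when the device is owned by \Driver\sptd and the name fits the sp??.sys scheme, the Daemon Tools helper driver is the likely explanation. The sp??.sys naming pattern is an assumption taken from the title of the greatis.com page linked above, not something the log itself states.

```python
"""Triage GMER rootkit-scanner output: group kernel hooks by the attributed
module, note whether the file exists on disk, and apply the thread's
known-benign rule for the Daemon Tools / sptd helper driver.

Added example; GMER_SAMPLE is constructed to match the format quoted in the
thread and is not a real captured log."""
import re
from collections import defaultdict

GMER_SAMPLE = r"""
SSDT spyr.sys ZwEnumerateKey [0xF8434CA2]
SSDT spyr.sys ZwEnumerateValueKey [0xF8435030]
? spyr.sys The system cannot find the file specified. !
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8447C4C] spyr.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8447CA0] spyr.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8417040] spyr.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR][F8427048] spyr.sys
Device \Driver\sptd \Device\4274730890 spyr.sys
Device \Driver\PCI_PNP9640 \Device\0000004f spyr.sys
"""

# Line shapes as they appear in the quoted log.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\S+)\s+\[(0x[0-9A-Fa-f]+)\]")
IAT_RE = re.compile(r"^IAT\s+(.+?)\[([^\]!]+)!([^\]]+)\]\s*\[([0-9A-Fa-f]+)\]\s+(\S+)$")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\S+)$")
# Assumed naming scheme of the helper driver sptd loads ("sp" + two letters + .sys),
# inferred from the title of the greatis.com page linked in the thread.
SPTD_HELPER_RE = re.compile(r"^sp[a-z]{2}\.sys$", re.IGNORECASE)


def new_entry():
    return {"ssdt_hooks": [], "iat_hooks": [], "on_disk": True, "device_owners": []}


def parse_gmer(text):
    """Group every hook and device line by the module GMER attributes it to."""
    modules = defaultdict(new_entry)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := SSDT_RE.match(line):
            modules[m.group(1)]["ssdt_hooks"].append(m.group(2))
        elif m := IAT_RE.match(line):
            victim, exporter, func, _addr, hooker = m.groups()
            modules[hooker]["iat_hooks"].append(f"{victim}:{exporter}!{func}")
        elif m := MISSING_RE.match(line):
            modules[m.group(1)]["on_disk"] = False
        elif m := DEVICE_RE.match(line):
            driver_obj, _device_obj, module = m.groups()
            modules[module]["device_owners"].append(driver_obj)
    return dict(modules)


def matches_sptd_pattern(name):
    return bool(SPTD_HELPER_RE.match(name))


def assess(module, info):
    """Return a one-line verdict for one module, most specific rule first."""
    hooks = len(info["ssdt_hooks"]) + len(info["iat_hooks"])
    if hooks == 0:
        return "no hooks attributed"
    if "\\Driver\\sptd" in info["device_owners"] and matches_sptd_pattern(module):
        return ("hooks from a file not on disk, but the device is owned by \\Driver\\sptd "
                "and the name fits sp??.sys: consistent with the Daemon Tools/sptd helper; "
                "confirm Daemon Tools or another sptd user is actually installed")
    if not info["on_disk"]:
        return "hooks from a file not on disk and no known owner: investigate as a possible rootkit"
    return "hooks from a file present on disk: verify the file's vendor and signature"


def triage(text):
    report = parse_gmer(text)
    for module, info in report.items():
        info["verdict"] = assess(module, info)
    return report


if __name__ == "__main__":
    for module, info in triage(GMER_SAMPLE).items():
        print(f"{module}: {len(info['ssdt_hooks'])} SSDT, {len(info['iat_hooks'])} IAT hooks, "
              f"on_disk={info['on_disk']}, owners={info['device_owners']}")
        print("  ->", info["verdict"])
```

Run against the sample, the only attributed module is spyr.sys, with two SSDT and four IAT hooks, no file on disk, and devices owned by \Driver\sptd and \Driver\PCI_PNP9640, so the verdict is the sptd explanation rather than the rootkit one; a hooking module that is missing on disk but has no sptd device owner falls through to the "investigate" verdict, which is the ordering a triage analyst wants.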
fiepluqoufri
Cadet
Joined: Jun 11, 2008 Posts: 3 Location: EU
Posted: Thu Jun 12, 2008 4:04 am Post subject:

Ok now I feel silly
Thanks for answering!
negster22
Security Expert Premium Member
Joined: Mar 10, 2004 Posts: 5394
Posted: Fri Jun 13, 2008 2:57 am Post subject:

You're welcome, and there's no need to feel silly, fiepluqoufri.
It's wise to question why a randomly named driver keeps regenerating after every reboot. You are in good company because many people are baffled by that same issue. I'd say questions about the Daemon Tools driver and red SSDT hooks in IceSword probably top the list of concerns here.
Since this issue is resolved, I will now mark this topic as "Done".
_________________
Negster22 - MS MVP - Consumer Security 2006-2008