Questions regarding: C:\Windows\System32\Drivers\splf.sys


7 replies to this topic

#1 ammobake (Members, 29 posts)

Posted 30 May 2014 - 03:26 AM

Hello all! I have a couple of questions. I'm hoping someone might be able to help identify what these detections might be.

First off, my info...

Dell Dimension "XPS 410" Model DXP061
Windows Vista Home Premium SP2
Intel Core 2 Quad CPU (Q6600 @ 2.40GHz, 2.39GHz)
4.00 GB RAM

I run a very clean PC, running regular scheduled scans with AVG Antivirus, and I also run Microsoft Security Essentials with active real-time protection (automatically updating).

I keep Spybot S&D and Malwarebytes current and run regular scans with both.

Tonight I opened AVG Antivirus and started going through the scan detections from Scheduled Scans from previous weeks.

When I got to the detections from October 2013 I noticed an anomaly:

Scheduled Scan 9/25/2013 Infections: 0
Scheduled Scan 10/2/2013 Infections: 61
Scheduled Scan 10/9/2013 Infections: 56
Scheduled Scan 10/16/2013 Infections: 50
Scheduled Scan 10/23/2013 Infections: 0

All of these were classified "Medium" security risks by AVG Antivirus.

Every single one of these detections was identified in AVG by "Anti-Rootkit" and all point to the object:

C:\Windows\System32\Drivers\splf.sys

The threat names vary widely. Below are some examples:

"";"atapi.sys, hooked import ataport.SYS AtaPortWritePortUchar -> splf.sys +0x26D6, C:\Windows\System32\Drivers\splf.sys";"Infected"
"";"IRP hook, \Driver\volmgr IRP_MJ_INTERNAL_DEVICE_CONTROL -> splf.sys +0x12CD8, C:\Windows\System32\Drivers\splf.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_INFORMATION -> splf.sys +0x1204C, C:\Windows\System32\Drivers\splf.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_DIRECTORY_CONTROL -> splf.sys +0x1204C, C:\Windows\System32\Drivers\splf.sys";"Infected"

This is the only detection anomaly I've ever documented in two years of weekly logs.
Nothing has been detected by AVG since this anomaly back in October.

NONE of the detections were removed by AVG (all were categorized as "Not removed").

These detections simply ceased after the scan on 10/16/2013. They have not come back since.

My questions...

Why would all detections involve the object name "C:\Windows\System32\Drivers\splf.sys"?

Could this have been an organized attack or attempt?

Thanks in advance!

-ChriS
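The four AVG rows quoted above share one layout, and what makes them stand out is that every hook resolves to the same module at a handful of offsets. As an added example (not from the post and not AVG's own code), this Python parser reads rows in that format and groups them by the path the hooks point at; the sample rows are the ones quoted above, and the field layout is inferred from them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the four AVG Anti-Rootkit rows quoted in the post.
SAMPLE_LINES = [
    r'"";"atapi.sys, hooked import ataport.SYS AtaPortWritePortUchar -> splf.sys +0x26D6, C:\Windows\System32\Drivers\splf.sys";"Infected"',
    r'"";"IRP hook, \Driver\volmgr IRP_MJ_INTERNAL_DEVICE_CONTROL -> splf.sys +0x12CD8, C:\Windows\System32\Drivers\splf.sys";"Infected"',
    r'"";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_INFORMATION -> splf.sys +0x1204C, C:\Windows\System32\Drivers\splf.sys";"Infected"',
    r'"";"IRP hook, \FileSystem\Ntfs IRP_MJ_DIRECTORY_CONTROL -> splf.sys +0x1204C, C:\Windows\System32\Drivers\splf.sys";"Infected"',
]

# Row layout (inferred from the sample): "";"<description>";"<status>", where the
# description ends with "<hooked thing> -> <module> +0x<offset>, <path of that module>"
ROW_RE = re.compile(r'^"[^"]*";"(?P<desc>[^"]*)";"(?P<status>[^"]*)"$')
DESC_RE = re.compile(r'^(?P<hooked>.+?) -> (?P<module>\S+) \+0x(?P<offset>[0-9A-Fa-f]+), (?P<path>.+)$')

def parse_detection(line):
    """Parse one AVG row; return None for rows that are not hook detections."""
    row = ROW_RE.match(line.strip())
    desc = DESC_RE.match(row.group('desc')) if row else None
    if desc is None:
        return None
    hooked = desc.group('hooked')
    if hooked.startswith('IRP hook, '):        # "IRP hook, \Driver\X IRP_MJ_..."
        kind, target = 'irp_hook', hooked[len('IRP hook, '):]
    elif ', hooked import ' in hooked:         # "<driver>, hooked import <mod> <func>"
        kind, target = 'import_hook', hooked
    else:
        kind, target = 'other', hooked
    return {'kind': kind, 'target': target, 'module': desc.group('module'),
            'offset': int(desc.group('offset'), 16), 'path': desc.group('path'),
            'status': row.group('status')}

def summarize(lines):
    """Group hook detections by the path the hooks resolve to. One path owning
    every hook, via a few distinct offsets, is the single-driver pattern in the post."""
    summary = defaultdict(lambda: {'count': 0, 'kinds': Counter(),
                                   'offsets': set(), 'targets': set()})
    for line in lines:
        d = parse_detection(line)
        if d is None:
            continue
        entry = summary[d['path']]
        entry['count'] += 1
        entry['kinds'][d['kind']] += 1
        entry['offsets'].add(d['offset'])
        entry['targets'].add(d['target'])
    return dict(summary)
```

Running `summarize(SAMPLE_LINES)` yields a single entry for the splf.sys path with four hooks (three IRP hooks, one import hook) at three distinct offsets, which is exactly the "everything points at one object" shape the poster noticed.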

 

 

 

 

 




#2 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,285 posts, Bulgaria)

Posted 30 May 2014 - 04:33 AM

Hello,

Do you have Daemon Tools installed? The file is a part of the emulation driver used by Daemon Tools and it is harmless.

Regards,

Georgi


#3 ammobake (Topic Starter, Members, 29 posts)

Posted 30 May 2014 - 11:56 PM

B-boy/StyLe/ wrote:

    Hello,

    Do you have Daemon Tools installed? The file is a part of the emulation driver used by Daemon Tools and it is harmless.

    Regards,

    Georgi

First, thanks for responding!

I do have "Daemon Tools Pro", which I installed July 9th, 2009. I used the program briefly right after I installed it to see what it did.

I don't even remember what it does, really.

I tried to run Daemon Tools tonight but I get an error:

"License Verification Failed" (that's it).

Going to uninstall it. Not sure how it could have been involved because I haven't used it since 2009!

The detections from October 2013 are the only time this "rush" of detections has occurred on my computer.

-ChriS

#4 ammobake (Topic Starter, Members, 29 posts)

Posted 31 May 2014 - 12:03 AM

Something else odd:

I don't have any file named "splf.sys".

edited to add: I have not attempted to uninstall "Daemon Tools Pro" yet either.

I browsed to the file location on my computer but it is not there.

Very strange! AVG didn't remove it and I didn't remove it.

Not sure why anything else would have if the file is indeed nothing to worry about.

Anyone with knowledge about this file or why it might be missing would definitely pique my curiosity...

edited to add: I ran a full search on all drives for the file "splf.sys" but no results came back.

-ChriS

Edited by ammobake, 31 May 2014 - 12:11 AM.

#5 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,285 posts, Bulgaria)

Posted 31 May 2014 - 01:01 AM

Hello,

You can't find it that way because Daemon Tools uses rootkit-like techniques to bypass copy protection schemes. You can do a small test:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Run a new scan with AVG and check back the results. :)

Regards,

Georgi

Edited by B-boy/StyLe/, 31 May 2014 - 01:01 AM.

#6 ammobake (Topic Starter, Members, 29 posts)

Posted 31 May 2014 - 04:16 AM

I ran DeFogger. It prompted me to reboot so I did.

This was the log file created on my desktop...

-------------------

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 23:50 on 30/05/2014 (ChriS)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)

-=E.O.F=-

#7 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,285 posts, Bulgaria)

Posted 01 June 2014 - 04:23 AM

Did AVG detect anything now? :)

Regards,

Georgi

#8 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,285 posts, Bulgaria)

Posted 08 June 2014 - 08:43 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.