
Roaming\sp_data.sys ?


You could always upload the file for analysis to see if it's malicious.....

Upload the file to VirusTotal
  • Open your favorite web browser, and go to virustotal.com;
  • From there, click on the Choose file button and wait for Windows Explorer to open;
  • Browse to the file below, select it and click on Open;

     \AppData\Roaming\sp_data.sys

  • Once done, click on the Analyze button;
  • If you get a message that the file was already analyzed, click on the Re-analyze button;
  • At the end of the analysis, copy and paste the VirusTotal report URL in your next reply;


11 hours ago, Firefox said:

You could always upload the file for analysis to see if it's malicious.....

Upload the file to VirusTotal
  • Open your favorite web browser, and go to virustotal.com;
  • From there, click on the Choose file button and wait for Windows Explorer to open;
  • Browse to the file below, select it and click on Open;

     \AppData\Roaming\sp_data.sys

  • Once done, click on the Analyze button;
  • If you get a message that the file was already analyzed, click on the Re-analyze button;
  • At the end of the analysis, copy and paste the VirusTotal report URL in your next reply;

https://www.virustotal.com/en/file/d1ec75516ae4f8d478b483f635e8f7f323ccb429a6a8be4aeac4280c02982fc9/analysis/1470322406/


Download Process Explorer from Microsoft's Sysinternals

Go to;  Find --> Find Handle or DLL

Enter;  sp_data.sys

Then choose;  Search

It will tell you what is using that file if it is open by a program.

For example:

I have ~DF375AD743804B0B26.TMP in my %TEMP% folder and I want to know what is the program that is using it.


Now I know it is Pegasus Mail ( aka; PMail ) that has created it and has its File Handle Open.


OK.  That means the File Handle isn't held open.

It is created, modified and read on-the-fly.

There is another Microsoft Sysinternals utility called Process Monitor.

The objective is to clear ALL filters ( "CTRL + L" or from the pulldown menu; Filter --> Filter ) by highlighting them and choosing "Remove".

Then create a "Path" filter that "contains" the text "sp_data.sys".

Then delete the file "%APPDATA%\sp_data.sys" while running Process Monitor and hopefully it will log what recreates it.

** NOTE:   I must admit I haven't used Process Monitor in quite a while so I am "rusty" and have forgotten the best practices in using it.

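As an added example (not code from anyone in this thread), the same triage steps scripted in PowerShell: hash the file so the VirusTotal report can be looked up by SHA256 (the value embedded in the report URL above), dump its INI directives, ask Sysinternals handle.exe which process holds it open (the Process Explorer step), then back it up, delete it and timestamp any re-creation (the Process Monitor step). It assumes the file lives at %APPDATA%\sp_data.sys and that handle.exe is on the PATH; the watcher records when the file comes back, not which process wrote it, so run Process Monitor alongside for the process name.

```powershell
# Added example, not from this thread. Assumes $env:APPDATA\sp_data.sys exists
# and (optionally) that Sysinternals handle.exe is on the PATH.
$target = Join-Path $env:APPDATA 'sp_data.sys'
if (-not (Test-Path $target)) { throw "Not found: $target" }

# 1. SHA256 of the file; VirusTotal indexes reports by this hash, so it can be
#    compared with the hash in the report URL without re-uploading the file.
$sha256 = (Get-FileHash -Path $target -Algorithm SHA256).Hash.ToLower()
Write-Host "SHA256: $sha256"
Write-Host "VirusTotal: https://www.virustotal.com/gui/file/$sha256"

# 2. Parse the file as INI ([section] / key=value) and list its directives.
$ini = @{}; $section = $null
foreach ($line in Get-Content $target) {
    if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $ini[$section][$Matches[1]] = $Matches[2] }
}
foreach ($s in $ini.Keys) {
    Write-Host "[$s]"
    foreach ($k in $ini[$s].Keys) { Write-Host "  $k = $($ini[$s][$k])" }
}

# 3. Which process has the file open right now? Equivalent of Process Explorer's
#    Find Handle; prints nothing if no handle is currently open.
if (Get-Command handle.exe -ErrorAction SilentlyContinue) { & handle.exe sp_data.sys }

# 4. Keep a copy, delete the file, and log the moment something recreates it.
Copy-Item $target "$target.bak" -Force
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $env:APPDATA
$watcher.Filter = 'sp_data.sys'
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier 'SpDataCreated' -Action {
    Write-Host ("{0:o} recreated: {1}" -f (Get-Date), $Event.SourceEventArgs.FullPath)
} | Out-Null
Remove-Item $target
Start-Sleep -Seconds 60          # watch window; lengthen if the writer is periodic
Unregister-Event -SourceIdentifier 'SpDataCreated'
$watcher.Dispose()
```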

[Main]
Mode=1
ColorTemperature=50
IsSupportEyeCare=YES
DefaultEyeCareMode=2
DisplayVersion=3.13.0004
GradualInterval=250
GradualLevel=240
IsSupportedMode=1

They are innocuous INI directives and unfortunately they don't shed light on what is creating and using those directives.
