Are these registry entries genuine?

Hello, a Spybot rootkit scan on my PC has revealed the following:

> RootAlyzer Results
> File:"Unknown ADS","C:\Users\All Users\sdpsenv.dat:naughtypirates:$DATA"
> File:"Unknown ADS","C:\Users\All Users\TEMP:B0D4D817:$DATA"
> File:"Unknown ADS","C:\Users\All Users\GPSoftware\Directory Opus\dopus.cert:naughtypirates:$DATA"
> File:"Unknown ADS","C:\ProgramData\sdpsenv.dat:naughtypirates:$DATA"
> File:"Unknown ADS","C:\ProgramData\GPSoftware\Directory Opus\dopus.cert:naughtypirates:$DATA"

All but one appear to be to do with Directory Opus.

Are these genuine Dopus hidden files (presumably to leave an invisible footprint on a pirate's PC even if they uninstall) or are they something dodgy pretending to be Dopus?

Thanks

I canĀ“t imagine GPSoft to call any part of their registry entries "naughtypirates". It looks more than suspicious to me.

They're genuine and are nothing to worry about.

Oh, sorry.

Thanks Leo

Does that include this one too:

File:"Unknown ADS","C:\Users\All Users\TEMP:B0D4D817:$DATA"

Off the top of my head, I'm not sure. If you link your account I will check.

Is there anything actually suspicious about the contents of the data, or are you just worried because it exists at all? I expect if the data were suspicious then your antivirus tool would warn you about a specific threat.

Thank you Leo, account now linked. I never realised that was an option!

Yesterday I ran an .exe from a source that I thought I could trust, but my sandbox failed, and my AV flagged it as malware. I think it was probably a false positive (it's a very niche DVR app) but just to be on the safe side I've done a complete security scan.

I simply want to tick off everything the rootkit scanner found. The scanner doesn't really give any specific threat, just that these are the superhidden files it's found.

Ah, I've just run a scan on my laptop (that has my +1 installation under the same licence) and the same item was flagged there:
File:"Unknown ADS","C:\Users\All Users\TEMP:B0D4D817:$DATA"

So I guess that's a genuine Dopus entry too.

Half of me is thinking: perfectly understandable that Dopus wants to fight piracy this way. The other half is thinking 'Will I be more likely to ignore possible malware in the future if it looks a bit Dopusish?' I really think Dopus should investigate alternative anti-piracy options.

If you don't really want possible pirates getting hints from this thread I'm happy for you to delete it now.

I've checked and the TEMP:B0D4D817 entry isn't related to Opus.

You could have a look at the data inside it in case it gives some indication of what it is for, perhaps.

It's not normal to have a C:\Users\All Users\Temp directory at all, at least not on Windows 7.

Using ADS isn't as rare as some people say it is. Having done a scan of my own system I see it being used by Microsoft themselves for several different things (most commonly the IE zone information but also email index metadata and, as with Opus, DRM, plus a couple of other things).

I am not sure why some spyware tools treat ADS as so suspicious given that everything worth its salt scans those streams these days and it would be a poor place to try to hide something malicious.
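Leo's advice above is to look at what is actually inside the stream rather than worry that it exists. As an added example that is not part of this thread and not GPSoftware's code, the PowerShell script below lists every alternate data stream under a folder with its size, a SHA-256 hash and a printable preview, so an "Unknown ADS" line from a scanner can be checked directly. The `$Root` default and the `$KnownStreams` allow-list are assumptions chosen for illustration; `C:\Users\All Users` is a junction to `C:\ProgramData` on Vista and later, which is why the scanner reported the same streams under both names.

```powershell
# Added example, not from the thread or from GPSoftware: list alternate data streams
# under a folder and show size, a SHA-256 hash and a printable preview of each stream,
# so an "Unknown ADS" finding can be inspected rather than guessed about.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.
# $Root and $KnownStreams are placeholders chosen for illustration.
param(
    [string]$Root = $env:ProgramData
)

# Stream names expected on a stock Windows system (illustrative allow-list;
# Zone.Identifier is the mark-of-the-web stream the thread calls "IE zone information").
$KnownStreams = @('Zone.Identifier')

# Get-Content reads raw bytes with -Encoding Byte on 5.1 and -AsByteStream on 7+.
$byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
            else { @{ Encoding = 'Byte' } }

function Get-AdsReport {
    param([string]$Path)

    $sha256 = [System.Security.Cryptography.SHA256]::Create()

    # -Force includes hidden and system files, which is where the scanner found these.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * lists every stream; ':$DATA' is the ordinary file content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $streamName = $_.Stream
                    $bytes = [byte[]](Get-Content -LiteralPath $file.FullName -Stream $streamName @byteArgs -ErrorAction SilentlyContinue)
                    if ($null -eq $bytes) { $bytes = [byte[]]@() }   # empty stream
                    $hash = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
                    # Printable ASCII preview of the first 48 bytes; everything else becomes '.'
                    $preview = ($bytes | Select-Object -First 48 | ForEach-Object {
                        if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' } }) -join ''
                    [PSCustomObject]@{
                        File    = $file.FullName
                        Stream  = $streamName
                        Bytes   = $bytes.Length
                        Known   = $KnownStreams -contains $streamName
                        SHA256  = $hash
                        Preview = $preview
                    }
                }
        }
}

# Unknown streams sort first so they are the ones you read.
Get-AdsReport -Path $Root | Sort-Object Known, File | Format-Table -AutoSize -Wrap
```

Run it on each machine that reports the same stream, as the original poster did with two installations: if the hash of a stream matches across machines it is a shared component of whatever software created it, and if the preview looks like executable or obfuscated content rather than certificate or index data, the host file is the thing to submit to your antivirus vendor, since AV scans the streams along with the main file.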

Easy, they make their money by instilling fear in people.

Well, I've used the guide here to expose hidden files:
en.kioskea.net/faq/14094-windows ... dden-files

And although I do have a C:\Users\All Users\Temp folder it's empty, so whatever it was it's gone now. And that's good enough for me :slight_smile:

Thanks for all your help, especially since it turned into anti-spyware help rather than Dopus help :slight_smile:

I have these two:

Type: File
Object: Directory Opus:stockcert12:$DATA
Location: C:\Program Files\GPSoftware
Details: Unknown ADS

Type: File
Object: dopus.cert:naughtypirates:$DATA
Location: C:\ProgramData\GPSoftware\Directory Opus
Details: Unknown ADS

I understand the latter is genuine; can I assume the former is too?

Regards,

Hans L

Yes, and there is nothing particularly scary about ADS. It is just file data. No need to be paranoid of it at all. If there is anything dangerous in it, your antivirus should have no problems detecting it the same as it would any other file on your system. This is like worrying that there is a file with a name you do not recognise within the 30,000 files on your C:\ drive.

Spybot discovered it in a rootkit search, and it warned that the files might be quite okay. But I could not scan the two files directly (and they were hidden, and I was too lazy to unhide them, since I have not yet learned how to do it in Dopus after Dopus changed the method; there seem to be so many Show and Hide options in Dopus today; I have lost track; will try to get back on track).

Thanks for the info!

Hans L

The old methods you are used to still work and are unchanged by the addition of the "Show Everything" option in Opus 12, which just adds a new, easier way to disable all hiding with one click. If you're confused by the new method, the old ones still work fine.

If you need help with that please start a new thread.

Okay, I will look at the various ways, and start a new thread if need be. Thanks for your help!

Hans L