Anyone know what this SVKP.SYS module is which runs as a service? It looks to be some sort of legacy driver. It has a description of "SVKP driver for NT". Although it is marked copyright Microsoft, what bothers me a lot is in the company name field inside the properties, it has the string "AntiCracking". Huh? I stopped this service and just checked. It is still stopped. I'd like to know what this is before I rename it and maybe find that I can't boot or something. I Googled it and found it mentioned obliquely by a number of people, but only McAfee calls it a trojan. However, I don't find any of the symptoms that are described in this McAfee writeup - http://vil.nai.com/vil/content/v_101134.htm The above port 6667 is not open. I don't have a file named NTDSAPI.EXE on my system. So I did a text dump of the module and this is what I see:
Code:
File pos Mem pos ID Text
======== ======= == ====
0000004D 0001004D 0 !This program cannot be run in DOS mode.
000000B0 000100B0 0 Richg
000001C8 000101C8 0 .text
000001EF 000101EF 0 h.data
00000240 00010240 0 .rsrc
00000267 00010267 0 B.reloc
00000459 00010459 0 QPPj"WPV
000004FE 000104FE 0 IoCompleteRequest
00000512 00010512 0 IoCreateDevice
00000524 00010524 0 IoCreateSymbolicLink
0000053C 0001053C 0 IoDeleteDevice
0000054E 0001054E 0 IoDeleteSymbolicLink
00000566 00010566 0 RtlInitUnicodeString
0000057C 0001057C 0 ntoskrnl.exe
00000925 00010925 0 3I4r4y4
00000400 00010400 0 \Device\SVKP
0000041A 0001041A 0 \DosDevices\SVKP
00000606 00010606 0 VS_VERSION_INFO
00000662 00010662 0 StringFileInfo
00000686 00010686 0 040904B0
0000069E 0001069E 0 CompanyName
000006B8 000106B8 0 AntiCracking
000006DA 000106DA 0 FileDescription
000006FC 000106FC 0 SVKP driver for NT
0000072A 0001072A 0 FileVersion
00000756 00010756 0 InternalName
00000770 00010770 0 SVKP.sys
0000078A 0001078A 0 LegalCopyright
000007A8 000107A8 0 Copyright (C) Microsoft Corp. 1981-1999
000007FE 000107FE 0 OriginalFilename
00000820 00010820 0 SVKP.sys
0000083A 0001083A 0 ProductName
00000854 00010854 0 SVKP driver for NT
00000882 00010882 0 ProductVersion
000008B2 000108B2 0 VarFileInfo
000008D2 000108D2 0 Translation
Note there is a Microsoft copyright but this could just be a fake. So then I ran a trojan scan with TDS-3. It found no problems and ignored this supposed trojan file (SVKP.SYS). Anyone know what this SVKP.SYS thing is and what it does? What does it come from? Is it a trojan as McAfee says? If so, why doesn't TDS-3 find it?
Hi ibeme99, It may be a false positive or a corrupted download. Did you have all the scan control options enabled when you did the scan? Please zip the file and send it to support@diamondcs.com.au for analysis. HTH Pilli
SVK Protector is a commercial protector which shall (but does not) prevent software piracy. In principle, this program is harmless although it's really annoying that it installs a driver (svkp.sys) on your computer. SVK Protect *may* also be used to camouflage malware. Most scanners cannot detect malware which is protected with SVKP (see, for instance, the recent scan logs which I have posted in the Scheinsicherheit Forum). I do not believe that many attackers use SVKP but maybe the trojan described by NAI does. Moreover, malware can be called "svkp.sys" and installed as a driver so that a user may think that it's just SVK Protector running on the computer. Therefore, I would also recommend doing what Pilli said: ask Gavin to analyse the file. It would be great if he could post the results of his analysis.
If it was me I would email McAfee too. They are the ones saying it's a trojan. I looked on Google too and there isn't much about it, and McAfee is the only one that says this from a Google search with that name. From the Google Groups, from what I saw, people didn't know it was installed and didn't install it and didn't like it being installed without them knowing it, and removed it.
Thanks. TDS didn't flag it as a trojan and someone else in another forum pointed me to http://www.anticracking.sk/ which looked like a fit, so I just deleted the file and rebooted. Everything seems to be working OK as of now. If this file is tied to some program that requires it to run, I guess I'll get some sort of message down the line. I really think it is a big security hole in Windows to allow any program to install drivers and files into system libraries. And even if Windows has no way to prevent a driver file from being installed, it should mark it somehow to not allow it to run until the user gives full and explicit permission to do so.
http://vil.nai.com/vil/content/v_101134.htm is this what you mean? Hope you did submit the file to Gavin before deleting it. When I find something suspicious I either rename the extension or zip it, so in case any legal program seems to need it, it is still there to be placed back.
I found this same file in my driver folder a while back and have been wondering about it ever since (TaskInfo2003 is good for this kind of detection). My question (besides those already asked) is where does SVKP.SYS come from? Is it part of the original installation of the OS? Ibeme - many here will be anxious to know what your experience is after getting rid of the file. Will you still be able to update your OS using msupdate? Does anything down the road fail to run? etc.
It's probably something that installs silently without telling you. That is what I have found anyway, like games or music. The new Beastie Boys CD is supposed to install software like that, http://clearstatic.org:2396/node/view/512 I am not saying Beastie Boys are using that protection, but just an example. I figure games and music CDs are most likely doing it. Might want to check the files and dirs on any new software you have installed or any music CD you have listened to. Might be able to find it even though it installs silently. I am sure the dir or file is on the CD and visible, hopefully.
I tried to locate this driver and couldn't. TaskInfo shows it in the expected place C:\WINDOWS\system32\drivers. But when I look in that directory SVKP is nowhere to be found. Strange. Maybe Jooske or Pilli knows how to locate this driver? Thanks.
Hi Bluekey23, Have you set Windows Explorer options using Tools - Folder Options - View and enabled "Show hidden files and folders", then unticked "Hide protected operating system files"? Doing this should allow you to see all the files on your PC.
Pilli, Thanks. Yes, I did that. Also I've disabled SVKP and so far haven't noticed any problems. If anyone learns more about this driver, I'd be interested. For example, it would be nice to know its origin.
@bluekey "My question(besides those already asked) is where does SVKP.SYS come from?" "If anyone learns more about this driver, I'd be interested." I am slightly puzzled. I have already explained this stuff. Why are you still asking? ;-) Again: The driver usually comes from SVK Protect. The driver is a part of this commercial protection system. Unless you send this driver to Gavin, to me or to someone else nobody can tell you whether it is really the original SVK Protect driver or - let's say - a renamed rootkit driver.
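An added triage script (not posted by anyone in this thread) that does what the first post and Bluekey23's question call for: it resolves where the SVKP service's driver file actually lives from the service's registry ImagePath, reads the version resource so a CompanyName/LegalCopyright mismatch like the one in the string dump stands out, and checks the Authenticode signature. It assumes the service is registered under the name SVKP, as in the thread.

```powershell
# Added example, not from any poster in this thread. Assumes the driver is
# registered as the service "SVKP" (as on this page); change $ServiceName to
# triage another driver the same way.
$ServiceName = 'SVKP'
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

if (-not (Test-Path $key)) {
    Write-Output "No service registry key for '$ServiceName'."
    return
}
$svc = Get-ItemProperty -Path $key
# Start: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled.
Write-Output ("ImagePath : {0}" -f $svc.ImagePath)
Write-Output ("Start     : {0}" -f $svc.Start)

# Normalise the ImagePath: drop a "\??\" or "\SystemRoot\" prefix, expand
# environment variables, and root a relative "system32\drivers\..." path
# under the Windows directory.
$path = $svc.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
$path = [Environment]::ExpandEnvironmentVariables($path)
if (-not [IO.Path]::IsPathRooted($path)) {
    $path = Join-Path $env:SystemRoot $path
}

if (-not (Test-Path $path)) {
    Write-Output "ImagePath points to '$path' but no such file is visible."
    Write-Output "Either a stale service entry or a file hidden from directory listings."
    return
}

# Version resource: the thread's dump showed CompanyName 'AntiCracking' next
# to a Microsoft copyright string, so flag that kind of mismatch.
$vi = (Get-Item $path).VersionInfo
Write-Output ("CompanyName   : {0}" -f $vi.CompanyName)
Write-Output ("Description   : {0}" -f $vi.FileDescription)
Write-Output ("LegalCopyright: {0}" -f $vi.LegalCopyright)
if ($vi.LegalCopyright -match 'Microsoft' -and $vi.CompanyName -notmatch 'Microsoft') {
    Write-Output "WARNING: copyright string claims Microsoft but CompanyName does not."
}

# Authenticode: an unsigned or untrusted kernel driver deserves a vendor
# analysis (as Pilli suggested) before it is trusted or deleted.
$sig = Get-AuthenticodeSignature -FilePath $path
Write-Output ("Signature     : {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Output ("Signer        : {0}" -f $sig.SignerCertificate.Subject)
}
# Hash to quote when submitting the sample for analysis.
(Get-FileHash -Path $path -Algorithm SHA256).Hash
```

Run it from an elevated PowerShell prompt; if the file is missing even though the service key exists, zip a copy from a boot into another environment rather than deleting it, so it can still be submitted for analysis.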